Closing The Perception-Vs.-Reality Gap In CGMP Quality Culture And Compliance
By Grant Mordue
When a regulatory inspection identifies a non-compliance and the response from the firm is insufficient, the agency
concludes that management is not able to adequately understand and remediate the situation. A formal warning and market action may be the result; however, this will typically come many months after the conclusion of the inspection. Therefore, what did the inspection miss that could have identified the management failings at that time? Most inspections (and audits) take a “bottom-up” approach and examine operational compliance, rather than the corporate and site culture and the capability of the management.
This article is the first in a two-part series on how to demonstrate a high level of current good manufacturing practice (CGMP) compliance during inspections by implementing a strong quality culture; driving the open, transparent communication of risks; and establishing effective quality risk management and quality management review. Here in Part 1, we focus on how inspections can become more effective via a “top-down” approach, to assess the quality culture and the upwards communication of risks and concerns. Part 2 explains how firms can become more capable in their proactive management of quality and CGMP compliance.
The Importance Of A Top-down Quality Culture
A successful quality culture across all parts of an organization can significantly reduce the risk of non-compliance with the requirements of CGMP, leading to successful regulatory inspections and a switch from a reactive to a proactive approach to continuous compliance and inspection readiness.
One topical example of relevance is that across the pharmaceutical manufacturing and supply world of CGMP compliance, data integrity concerns have been a hot topic for a number of years. The design of an electronic data management system might provide a means for someone to manipulate data and hence turn non-compliant data into compliant data. However, when thinking about how a quality culture can influence data integrity, it’s important to differentiate between the means and the intent. The system, whether electronic or paper-based, might by design present the means for data and results manipulation; however, if the quality culture in place throughout an organization ensures that there would never be the intent, the risk of actual data manipulation is small.
Management might have the expectation and belief that their firm is compliant and that there would never be the intent to manipulate data or deliberately become non-compliant for financial or personal gain. However, if a gap exists between this belief and reality, this gap represents a high risk of non-compliance, resulting in inspection and audit observations (and potentially warnings and penalties) as well as complaints, deviations, and costly downtime associated with investigations and remediation.
To close the gap, it’s important that management openly wants to be informed about quality and CGMP compliance risks and concerns and that all personnel feel relaxed, safe, and able to openly communicate risks and concerns for acknowledgement, assessment, and action accordingly. If management adversely reacts and “shoots the messenger” this will open the gap even wider and leave the firm exposed to damaging non-compliance and regulatory citation.
A successful quality culture should be evident to anyone as soon as they step into a company or onto a site. An appropriately written and signed quality statement should be visible at locations throughout the company, both in full and in summary. Signed by the head of the company and by the head of quality, this endorsement that quality and CGMP compliance are foundations of the business and must not be overlooked by anyone, provides a strong reference point for the delivery of the behaviors required.
A key behavior is the open and transparent communication of quality and CGMP compliance risks and concerns from the operational areas upward to senior management.
The Upward Communication Of Risks And Concerns
If the CEO is asked to describe the top three quality and CGMP compliance risks currently across their company, will the answer come from:
- reference to the last informal conversation with the head of quality or another colleague, or
- reference to a visible register of the risks, ranked and rated from critical to minor, which the CEO owns and receives on a regular basis?
Any CEO who tries to defend their position when questioned by a regulatory authority about a critical non-compliance by stating that they “didn’t know about the problem” has confirmed beyond doubt, that they were disconnected from the reality of compliance across their company. The authority will require remediation to fix this, quite often overseen by an external consultant.
A quality risk management system must exist to formally report, log, assess, and objectively score and rank and rate all risks and non-compliances. The generation of a basic risk priority number (RPN) output can be sufficient, although the scoring criteria applied should avoid a simple 1 to 3 scale and use at least 5 discriminating criteria to ensure sufficient differentiation between the different levels of risk.
For example, the RPN = Consequence of the non-compliance x Frequency of the non-compliance.
For the consequence, a scale of 1 to 3 might use, e.g.:
1 = minor non-compliance/observation/deviation,
2 = major non-compliance/observation/deviation, and
3 = critical non-compliance/observation/deviation.
However, the aim is to detect and remediate/prevent a non-compliance at the earliest opportunity; therefore, a score of 3 should not happen and would indicate that management has failed. Therefore, only 1 and 2 become viable scores and do not provide enough differentiation.
If a scale of 1 to 5 is used, e.g.:
1 = minor non-compliance that is not directly out of compliance with written regulations (the non-compliance would typically lead to a verbal statement at the end of an inspection).
2 = minor non-compliance that is directly out of compliance with written regulations (the non-compliance would typically lead to a single form 483 entry or a minor written observation at the end of an inspection).
3 = major non-compliance (the non-compliance would typically lead to a form 483 with multiple entries or become multiple minor observations at the end of an inspection).
4 = potentially multiple major non-compliances (the non-compliance would typically connect to a systemic failure with a connection to multiple topics and potentially become multiple major observations at the end of an inspection).
5 = potentially critical non-compliance (the non-compliance connects to multiple systemic failures and/or potentially impacts marketed product and is likely to become an escalation point during a regulatory inspection).
Again, a score of 5 should be prevented by the effective use of scores of 1 to 4 and the appropriate action. This scale provides a better differentiation of non-compliance than the simple 1 to 3 scale shown above.
The probability score typically connects to how often the non-compliance presents itself. A scale of 1 to 5 would typically relate to 1 = annually/once each year, 2 = monthly, 3 = weekly, 4 = daily and 5 = continuously.
The risk register ranking and rating should be used to ensure that the top risks become visible to senior management and that the actions required to mitigate the top risks are prioritized and monitored to ensure completion.
Measure, Review, And Improve
The existence of an appropriate quality culture and risk management and communication process is only part of a successful quality management system (QMS). The ability to objectively and accurately measure, review, and continuously improve quality and CGMP compliance is also required. The system for measurement, review, and improvement is often formalized in a quality management review (QMR) system with related meetings and formalized content and outputs.
The QMR meeting, sometimes referred to as a Quality Council, is an essential opportunity to use carefully gathered inputs and data to promote discussion and the agreement on actions, which will correct any non-compliance and prevent additional non-compliance in the future. To reinforce the quality culture, the QMR must be sufficiently frequent, e.g., each month, and attended by senior management who can take ownership of the data and the prioritization of the completion of the required actions.
Successive QMRs throughout each year should be concluded by the formal issue of a quality plan, which looks forward 12 to 36 months and lists the prioritized investments and actions to continuously improve quality and CGMP compliance in the months ahead.
If an inspection takes a top-down approach and evaluates the existence and effectiveness of the quality culture and management systems and practices, a more accurate determination of the capability of the management could be determined, without the need for the evaluation of responses to non-compliances and the issuance of warnings, etc.
Part 2 of this two-part article shares best practices for collecting objective, accurate inputs for QMR meetings.
Grant Mordue is the director of Pro-Active GMP Consulting Ltd., a UK-based consultancy founded in April 2020 to help companies to successfully implement a proactive level of quality management and CGMP compliance. Mordue has more than 30 years of management experience across the CGMP compliance of manufacturing and supply operations at local (national) and global levels, including the management of regulatory inspections. He has a BSc (Hons) degree in applied chemistry and is a Chartered Chemist and Member of the Royal Society of Chemistry in the UK. You can connect with him on LinkedIn.