Risky Business

July 1, 2004
Industry Debates Whether FDA's Risk-based Approach Will Ease Its Compliance Burden

By Angelo De Palma, Ph.D., Contributing Editor

In August, 2002, the U.S. Food and Drug Administration launched the first major overhaul of pharmaceutical current Good Manufacturing Practices (cGMPs) in a quarter-century. Pharmaceutical cGMPs for the 21st Century: A Risk-Based Approach outlined the agency's vision for a new approach to manufacturing and compliance based on risk analysis, improved process understanding and quality system methodologies.

FDA's use of the "R-word" represents a philosophic shift, an admission, even, that risk management may be used to the industry's advantage, enabling higher quality drugs to be made more efficiently. Industry views this as a healthy development in the evolution of cGMPs. After all, who--in an industry dominated by scientists and engineers--would argue against a policy that encourages science and reason?

But two years after FDA announced its directive, many in industry remain unclear about how risk-based validation will accomplish its goals. Pharmaceutical manufacturers' reliance on tried and true methods is, after all, based on the fact that these methods work.

Indeed, risk has always guided pharmaceutical firms' compliance with cGMPs--at least to some degree. Over time, however, pharmaceutical manufacturing has become so risk-averse that some companies and inspectors won't tolerate any deviation from standard operating procedure, however minor or distant from mission-critical manufacturing steps. "The compliance we have now is blind compliance," says Ken Leiper, a U.K. based consultant and longtime Glaxo veteran. "We've stopped people from thinking."

And simply providing a framework for managing and justifying risk may not prove enough encouragement for passionately risk-averse companies--at least not immediately, says Subbu Vis, senior project manager at Valimation (San Jose, Calif.). The full benefit of risk analysis, with respect to process innovation, may not be apparent for another five or six years, he says. "The situation certainly won't turn around overnight."

Accountability Shift

FDA equates high risk with those activities, equipment and systems that are most likely to affect pharmaceutical quality, and ultimately consumer safety. Manufacturers must balance those risks against the risks of batch failures, accidents, and the consequences of audits by the Environmental Protection Agency or the Occupational Safety and Health Administration.

Ultimately, all such risks reduce to potential economic liability, estimated roughly by the severity or potential cost of an event taking place times the likelihood of its occurrence. Rather than dictate acceptable risk levels or how companies are required to mitigate them, FDA is trusting sponsors to figure it out for themselves. "It's up to manufacturers to determine those risk levels and deal with them," says Ken Kovacs, regulatory compliance services manager at Rockwell Automation (Milwaukee). For its part, in assessing risk-based validation, FDA promises greater enforcement consistency and predictability.

FDA's idea is that the industry's rigid, change-adverse practices will melt a bit, as companies warm to the freedoms and responsibilities implied by its new policy. "Replacing the old guidelines with a risk-based framework puts more accountability on vendors and manufacturers," says Tom Donnelly, validation manager at Octagon Research Solutions (King of Prussia, Pa.). "Instead of FDA dictating, and companies interpreting, every minute detail of the regulation, the agency now allows users to determine the risk they're willing to live with," he says.

FDA's announcement legitimized risk as a valid force for change in pharmaceutical manufacturing and as a means of managing simultaneous or sequential risks (for example, in research, manufacturing and financial arenas). "This will lead to a synergistic approach where risks are amalgamated and the full universe of risk is addressed in more disciplined fashion," notes Alex Abramov, area leader with Ernst and Young (Iselin, N.J.). This should also help eliminate compliance gaps that expose manufacturers to over-zealous auditors. "Regulators lose confidence in validation plans that lack a centralized umbrella for handling all risks," Abramov explains. "They start to dig deeper and uncover other problems."

Smarter, Holistic Validation

In a best-case scenario, a risk-based approach to validation and compliance allows for smarter validation. "A well-executed risk-based approach provides justification for a validation strategy," says Gretel Eubanks, global quality assurance director for validation and quality systems at Solvay Pharmaceuticals, Inc. (Marietta, Ga.), "It's more than simply a laundry list of validation deliverables that may or may not add value to the customer."

Risk-based approaches help companies rationalize their validation plans to regulators, and ultimately provide understanding of manufacturing processes. "By contrast, routine validation, especially when done through contractors, offers little scientific insight into what goes on in a process, or how a process works," says Edward A. Tomlinson, managing director for life sciences at BearingPoint (MacLean, Va.).

Risk assessment may help eliminate redundant compliance activities--for example when thermometer calibration is performed both on a regular schedule, and then as part of a manufacturing suite validation. "Depending on how you calibrate, data may be usable for both validation and calibration," says Shaun McCormack, vice president at BioMetics, Inc. (Waltham, Mass.). "If you validate every year, your need to calibrate may be less of a risk and vice versa. You may be able to extend one or the other activity."

Risk-based compliance should also allow manufacturers to re-examine older, more holistic validation approaches, rather than fixating on individual components. "That's how it was done before computer system validation became big in the 1990s," Kovacs says. Before computing emerged as a separate validatable activity, people looked at controls, equipment qualification, everything combined. As validation evolved during the 1980s and 1990s, software took on its own qualification requirements, which eventually morphed into full-blown validation. "Now manufacturers ask, "Why not do equipment and control validation together?" If you can make a good risk-based argument for combining validations in this way, you'll at least have a good argument for the regulators," he says.

When it announced its position on risk-based validation FDA also dangled the carrot of process innovation before drug manufacturers. For years, industry had maintained that adopting new technologies, or even amending existing processes, simply wasn't worth the effort required for validation/revalidation or the potential for increased regulatory exposure. Now, armed with scientific data and risk-analysis spreadsheets, companies may be better able to justify going out on a limb.

Consistency Needed

Given the complexity of pharmaceutical regulation, it will take work from both manufacturers and regulators to realize full-fledged risk-based validation and compliance.

As FDA promises more even-handed enforcement, manufacturers must assure consistency among in-house risk assessors. Validation groups that are not in sync may oversimplify, over-complicate, or disagree on pivotal risk issues within a validation plan, warns Gretel Eubanks. Assuring that different groups receive similar training will go a long way towards neutralizing subjectivity and variability. "Having trained, expert teams execute validation methodology reduces the potential for inconsistent interpretation," she notes, "and the tendency to reduce sound validation to "validation-by-numbers."

Risk-based strategies will not permit companies simply to wave off what they consider to be low-risk activities. At some level they must make the case, both internally and to auditors, that they've considered the science, examined the risks, and arrived at an appropriate conclusion. Sometimes, notes Shaun McCormack, it comes down to how one defines "risk" and "critical," and how well regulators' views mesh with those of manufacturers.

And of course, there is always the risk of over-validation of low-risk operations. "The risk-based approach has the potential of becoming just as convoluted as the system in place today," McCormack warns. "It can be taken to the extreme just like any other compliance issue. The trick will be to narrow the extremes between simply stating "no impact" and over-validating."

When executed correctly, risk-based validation and compliance impose more rigorous standards of documentation, and a higher regulatory burden and cost, for critical activities. The up-side is that front-loading validation lessens the regulatory onus downstream, resulting in fewer surprises.

Finally, there's the potential that risk-based approaches will increase, rather than decrease or maintain constant, total validation effort. In their zeal to validate critical activities thoroughly, manufacturers might even go overboard on non-critical systems. "It's possible to over-validate based on a well-intentioned, risk-based validation philosophy," says Rockwell's Kovacs.

"Scope creep" defeats the intent of risk-based approaches by spawning more validation where less is justified. One form of scope creep mentioned by Kovacs and others is horizontal creep emanating from GMPs out to non-FDA concerns such as environmental or workplace regulations. Any risk-based methodology worth doing needs to include such activities.

Scope creep has already arrived for some suppliers, altering relationships up and down the supply chain. Under a risk-based approach, critical operations and equipment are specified microscopically by virtue of their potential bottom-line impact. "Customers expect a very high level of traceability, from materials down to construction," says Len Goren, senior vice president at Sartorius BBI Systems (Bethlehem, Pa.). Through its acquisition of bioreactor manufacturer B. Braun Biotech, Sartorius finds itself at the top of the risk list for any bioprocess using its fermentation and cell culture equipment. "It has reached the point where the expectations we place on our suppliers are as stringent as those between drugmakers and Sartorius."

Sartorius found that risk-based compliance called for examining every shipment, every component, from dozens of suppliers. Such scrutiny, Goren notes, has caused significant heartburn among Sartorius' suppliers and sub-suppliers, who must now trace their own supply chains back to raw materials.

Start Risk Analysis Early

Although risk-based compliance sounds like a no-brainer, it won't come about automatically. Companies need to adopt risk-based approaches from the earliest planning stage through distribution, says Duncan Bishop, associate director at Cambridge Consultants, Ltd. (Cambridge, U.K.). "You need to anticipate what validation issues are going to be, then design around them all the way from beginning to end."

Risk- and science-based approaches need to be deployed from the top-down. "It must be management-driven because people at lower levels don't have the power to implement," says Valimation's Vis. Smaller contract manufacturers may be the first to test the waters, since they need flexibility to service multiple customers. However, even contractors are risk-averse, since one disaster can send business plummeting.

Reading and understanding the intent of regulation, rather than trying to follow the letter of the law, is usually more defensible within a risk-based environment. "Regulations are written by committees of attorneys," notes Tomlinson. If you try to argue the letter of the regulation with an auditor you'll probably lose, and in the process make him or her more aggressive."

Pharmaceutical manufacturers can learn from other industries, particularly medical devices, where companies routinely use failure mode analysis to engineer an appropriate level of risk into all products. "With proper risk analysis and documentation of the validation rationale while maintaining validation status--we're not talking about cutting corners here--companies can be much more flexible in changing processes and adopting new technologies," observes Alex Abramov.

We've a Ways to Go Yet

Not everyone is completely comfortable--or even understands--FDA's new position on risk. "I don't get it," says H. Michael Koplove, Ph.D., vice president of biopharmaceutical operations at Wyeth Pharmaceuticals (Andover, Mass.). "Who's taking the risk? Who's telling whom what needs to be done?"

Companies have measured risk against validation effort for decades, he argues. In the nearly two years since FDA announced its new position, Koplove sees no changes in how companies operate "What information has the agency really given us that allows us to respond differently than we did in the past? I haven't seen anything suggesting that FDA will judge our compliance activities any differently than it always has," he says.

The interpretations of individual inspectors can diverge significantly from FDA's guidances, Koplove argues. "I have not noticed one iota of difference in how people in industry think. I haven't heard anyone say, "Gee, now we can do this differently because of risk-based compliance. I am going to wait for someone else to go first," he says.

"Companies always have and always will have to show that their systems are doing what they're supposed to be doing," Koplove concludes. "If we were validating correctly a year ago, then why would we validate more or less than that today?"