Quality Oversight and Lean QA – two terms that have been making the rounds for years: the American FDA demands the principle of quality oversight. But what does that mean? And who must have an overview of quality processes? How does this requirement agree with European regulations? A streamlining of quality systems is often called for, but the trend tends to be quite the opposite in practice: with bloated processes and documentation that go far beyond the intended aim. What do lean quality concepts look like? Where is it best to get started with “weight loss” processes?
In the following, you can read a summary of the questions and answers that arose during the discussion at our GMP conference, the GMP-BERATER Tage 2017. GMP inspector Dr Rainer Gnibl and Ruven Brandes, Head of Technology and Compliance Support for technical QA at WDT, responded to questions from interested GMP Publishing customers.
The term ‘quality oversight’ comes from the USA and takes account of the American idea of a QA department. Production and Quality Control are not always managed as independent operations there, but often fall under the umbrella of QA (quality assurance). This type of structure necessitates an additional, overarching review, especially when too many deviations or OOS occur. However, the American regulations make no reference to quality oversight as an operation within a company. The expression was instead coined by a mention in deficiency statements (483 observations). A “lack of quality overview” is often claimed if, for instance, the senior management is not or only insufficiently involved in quality processes.
In the EU regulations, the term is mentioned in connection with the validation life cycle: in accordance with Annex 15 “Qualification and Validation”, chapter 1.3, there should be appropriate “quality oversight” throughout the whole validation life cycle. Responsibility for this should lie with QA. With regard to change management, quality oversight is only referred to indirectly by references to ICH Q10 “Pharmaceutical Quality System”, chapter 3.2.3. Here, too, the aim is a suitable science- and risk-based assessment of changes. Quality Assurance should in turn assume responsibility for this.
In Europe, Quality Control (QC) operates independently of Production. There are also separate control mechanisms, such as e.g. batch documentation created by Manufacturing, which is reflected in the PQR (Product Quality Review) and checked by the Qualified Person (QP) or QA.
Quality oversight is thus provided if a GMP-controlled quality system has been implemented that corresponds to the European regulations and depicts validation life cycles in accordance with the applicable Annex 15 (oversight reviews by management, product quality review, etc.). If all product and process-related reviews are present, no further requirements can be referenced or derived from them.
Lean QA is not only understood to mean the reduction or purging of documents. Lean QA must run through the entire company and be supported by the senior management. It can only succeed with interaction between all of the departments during planning and implementation, such as together with the Qualification and Validation teams. Simple example: why are all of the in-process controls and specification parameters required during the validation phase usually listed in Product Quality Reviews (PQRs)? Only the critical parameters are required by law. If some parameters have proven to be non-critical, they no longer have to and should not appear in the PQR. Deciding this for every single parameter naturally requires very good product and process knowledge. Incidentally, it is possible to learn from other industries here, such as from the aviation industry. ISO 9001, which applies there, contains many suggestions that can be transferred to the pharmaceutical industry.
People like to respond to uncertainty with formalism. The result is sometimes too many documents that are too extensive. SOPs are often viewed as the only means of providing employees with information and thus contain many explanations that should actually be conveyed in training sessions. But:
It is not advised to use operating instructions as internal SOPs. They are often not formulated in language that is understandable to the user, or, especially for more complex systems or devices, do not describe all of the user-specific possibilities or go far beyond the specific use.
Which document requires a signature by QA? Does a signatory confirm formal criteria? Or content-related criteria? Or, as a provocative question: what do the respective signatures do? Do they ultimately help the patient? Clear answer: the “signature problem” is often homemade. Only a few signatures are explicitly required by the authorities (QA or Head of Production). The validation master plan, in which the signature regulation is set down, is crucial. A critical, transparent assessment helps here, too. If you discover over time that certain steps are not risky, the signing rules can be revised.
During an inspection, what are most interesting are the QA plans, which define the handling of adverse events such as deviations, changes or complaints, i.e. change management, deviation and complaints management. Experience shows that an event is followed by an escalation procedure in companies, which generally turns out to be a de-escalation process. Only then does risk management begin and it is re-evaluated. Numerous systems and functions are involved, the system often becomes unnecessarily bloated. Risk analyses should not only be created when a deviation occurs but precise risk assessments for possible deviations should also be employed in advance. This then saves time and resources each time deviations are processed.
EU GMP Guidelines Online, www.eu-gmp-leitfaden.de, Maas & Peither AG, Schopfheim
Freelance Science Journalist