Regulation and Risk Management

October 1, 2003
Jill Wechsler

Jill Wechsler is ACT's Washington Editor

Applied Clinical Trials

FDA plans to rewrite rules governing electronic records while offering new policies to encourage risk-based regulatory approaches to application review and inspections.

For the past year, Food and Drug Administration officials have been highlighting the importance of relating regulations and enforcement actions to product risk. FDA Commissioner Mark McClellan has stressed the need to spur medical product innovation by minimizing regulatory hurdles for new therapies that offer important benefits. He noted in a speech at the National Press Club in August that there are almost 3000 investigational drugs under development, including many “far more sophisticated products than ever before.” Even with additional resources, FDA cannot apply equally stringent oversight to the thousands of medical products it approves and inspects.

In a five-part strategic action plan unveiled 20 August 2003 (www.fda.gov/oc/mcclellan/strategic.html), McClellan reiterated the need to use “efficient, science-based risk management” to reduce public health threats. The overarching goal is to devote more resources and stricter rules to higher-risk products and processes, and to reduce oversight for situations presenting lower health risks. A key element of the plan is to apply risk management to achieve more timely and efficient review and approval of new products. This involves improving FDA’s internal review processes and issuing more guidance for industry to clarify development pathways for new therapies, particularly for emerging technologies such as genomics and combination products.

Rewriting 21 CFR 11

In September, McClellan followed up by announcing several new policies related to FDA’s campaign to update good manufacturing practice (GMP) requirements for human and animal drugs and biologics. In addition to new guidances for managing postapproval changes and for ensuring the quality of sterile drugs produced by aseptic processing, FDA unveiled a final guidance that aims to clarify policies for implementing 21 CFR 11 electronic records and electronic signatures (GMP progress report, guidances and other documents available at

www.fda.gov/cder/gmp/index.htm

).

More importantly, FDA also said it would start over in this area by launching a formal rulemaking process to revise 21 CFR 11 regulations, an initiative that will take several years to accomplish. The main task is to revise the preamble to the rule to clarify its scope and intent, explains Janet Woodcock, Director of the Center for Drug Evaluation and Research.

FDA has been struggling for years to set standards and rules for how regulated companies should ensure the integrity of electronic records and signatures that replace paper documents required by FDA for a broad range of purposes. The regulation applies to all electronic records maintained or transmitted to meet FDA requirements, including those related to clinical research, laboratory testing, and application submissions.

The agency adopted final regulations implementing 21 CFR 11 in March 1997 as a way to encourage firms to submit data electronically to the agency. Unfortunately, the new rule generated loud complaints from industry about confusion and high implementation costs. Issues came to a head recently as FDA inspectors began to cite firms for noncompliance during GMP inspections, and companies indicated they would go back to paper-based record systems to avoid such problems.

In response, FDA launched a broad review of the regulation and computer validation issues as part of its risk-based regulatory initiative. Last February the agency withdrew five earlier guidances on specific 21 CFR 11 components and issued a draft policy announcing its intent to adopt a more relaxed enforcement posture for this complex policy (see ACT View from Washington, April 2003). FDA said it would use “enforcement discretion” in applying 21 CRF 11 and that “merely incidental” use of computers would not trigger regulation requirements.

The September document offers similar advice for firms to follow while the rewrite goes on. The final guidance reiterates that FDA does not intend to strictly enforce compliance with requirements for validating computerized systems, for maintaining computer-generated, time-stamped audit trails, and for ensuring future access to records and to copies of records. FDA also will use discretion in calling for legacy systems (those operational before 20 August 1997) to meet 21 CFR 11 requirements. Companies must continue to maintain and submit electronic information that meets requirements in predicate rules, such as those requiring controls on access to electronic record systems and written policies and system checks to ensure the integrity of electronic records and data. Additional guidance may be issued on specific issues during the lengthy rule-writing process.

Risk and compliance

FDA officials are working to clarify 21 CFR 11 and offer new policy guidance as part of its broader effort to encourage industry to adopt new technologies and modern information systems. The aim is to encourage firms to comply more readily with FDA regulations and reduce the need for oversight and enforcement action.

FDA’s risk-based approach to regulation is moving forward in the compliance area where staffers are developing risk-based models for selecting sites for inspection based on specific risk factors linked to manufacturing process, type of product, and the compliance history of a particular site. McClellan emphasizes that FDA is serious about prosecuting individuals and organizations that break the law, particularly those involved in “more sophisticated and large-scale criminal activity” that threatens public health. At the same time, he acknowledges that FDA lacks resources to inspect every manufacturing plant and clinical site.

Thus the agency is looking to set priorities based on risk factors for a range of regulatory policies. A first step announced in September involves reducing the number of mandatory inspection categories for preapproval inspections to focus on more high-risk products and processes. It now will be up to district field office managers to decide if a preapproval inspection is needed for every product on the list of top-200 most prescribed prescription drugs or for all narrow-therapeutic-range therapies. The change aims to give district offices more flexibility and also provide additional resources for more high-risk preapproval and postapproval manufacturing inspections.

FDA also announced plans to form a special cadre of highly trained field staff to inspect pharmaceutical facilities and to include more drug review specialists in plant inspections. Another initiative involves establishing a program to discuss and resolve scientific and technical disputes related to GMP issues. These changes currently do not apply to bioresearch monitoring programs that oversee clinical investigators and institutional review boards, but the agency plans to extend some risk-based approaches to those areas.

The concept of risk management, explains Woodcock, explicitly acknowledges that “some things are more important than others”—in the laboratory, in the plant, and in the clinical area (see “What Is ‘Risk?’” sidebar). This approach will be particularly important as industry moves away from the 1990’s manufacturing model geared toward big, blockbuster production and towards development of more drugs tailored to individuals, Woodcock commented earlier this year. Small subject populations will require more flexibility in testing and production methods, and “we’re all going to have to change.”