Risk Management through Electronic Enforcement FDA Regulatory and Compliance Symposium Managing Risks – From Pipeline to Patient

Life Science Manufacturing Realities? WHAT WE HAVE: A collection of manufacturing assets, products and technologies, that continue to be insufficient, and are by design, incapable of meeting the new challenges. “We’ve had a few problems scaling up from the lab” Source: Medical Manufacturing, New Technology Imperative, James Bradburn, IBM Life Sciences © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Probability of the occurrence of harm and the Introduction Probability of the occurrence of harm and the severity of that harm. Potential source of harm Hazard Risk Hazard

Definitions Hazard Potential source of harm Risk Probability of the occurrence of harm and the severity of that harm Risk Analysis Systematic use of available information to identify hazards and estimate risk. Risk Evaluation Based on the risk analysis, a judgment of whether a risk is acceptable based on societal values. Risk Assessment Process of completing risk analysis and risk evaluation. Risk Control Process through which decisions are reached and protective measures are implemented for reducing or maintaining risks within specified levels. Residual Risk Risk remaining after protective measures have been taken. Risk Management Systematic application of management policies, procedures, and practices toward analyzing, evaluating, and controlling risk. © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Time to focus on Operational Excellence Basics The cost of nonconformance extends beyond the direct costs of quarantining, recall and rework, and fines to the destruction of brand equity. Compliance strategy needs to be centrally developed and coordinated—it cannot be delegated to individual manufacturing sites. The silos of quality and manufacturing must be broken down, and a tighter integration of technology is required to sense, correct, prevent, and report effectively on manufacturing nonconformance events. This problem is endemic to the pharma and life science industry. Disconnects exist between different parts of the manufacturing product supply, regulatory, and commercial functions. This is primarily a business process problem, as process requirements and written procedures are not consistent throughout the organization. But many pharma and life science organizations still have not reengineered their processes and organizational structures, relying on inconsistent and manually enforced compliance processes. Source: AMR Research, Compliance Trouble at Boston Scientific: An Isolated Incident or Part of a Growing Industry Liability?, February 09, 2006; Hussain Mooraj, Colin Masson, Roddy Martin © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Multiple Compliance Fronts Sarbanes Oxley Regulatory Affairs Ex Com Management of Regulatory Compliance SEC 21 CFR Part 11 HIPAA OIG EPA FDA Chief Compliance Officer CIO / IT QA/QC cGMP CAPA Source: AMR Research, Compliance Webinar, Roddy Martin, Joseph Vinhais, May 2004 © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Who are the stake holders? How do you drive Governance and Compliance into Manufacturing? Drive Compliance Time to Market Share Holder Value © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Synchronizing change, execution, and enforcement Compliance and process improvement are both based on following documented processes.  Three mechanisms need to be coordinated: Execute process —Train employees on the process, assess their performance, and, if necessary, take steps to improve their performance and adherence to it by improving training or other actions. Enforce controls —Compliance adds a duty to control the process actively, perhaps by technical means, such as workflow.  Companies must also audit the results to ensure that the controls work and detect any changes in the process, systems, or people that affect compliance.  In addition, companies must constantly evaluate the controls to see if they are in fact meeting the desired control objectives. Change process —For both compliance and business improvement purposes, companies need to evaluate their processes constantly and look for ways to improve them.  This starts a new cycle of process design, followed by a project to implement the changed process. Source: AMR Research, 2003 © 2006 Brooks Software FDA Regulatory and Compliance Symposium

FDA’s 5 Part Strategic Plan cGMP Compliance Quality System Facilities & Equipment system Materials System Production System Packaging & Labeling System Laboratory Control System FDA’s 5 Part Strategic Plan Pharmaceuticals cGMPs for the 21st Century A Risked-Based Approach Efficient Science-Based Risk Management Patient & Consumer Safety Better Informed Customers Counterterrorism A Strong FDA Quality Systems-based Inspections Management Responsibility Design Control CAPA Production and Process Control Records/Document Change Controls Materials Controls Facilities & Equipment Controls Medical Devices ISO 14971, Application of Risk Management to Medical Devices © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Global Medical Devices - Quality System Requirements Source: ISO13485:2003 – An Overview (Bangkok, Thailand, June 2005), Gunter Frey, GHTF SG3 © 2006 Brooks Software FDA Regulatory and Compliance Symposium

ICH Q9 Quality Risk Management © 2006 Brooks Software FDA Regulatory and Compliance Symposium

EU14971:2003 Corporate Risk Management Program Implementation of Risk Control Measures Culture on Risk Communication RM Policy An Integrated Risk Management Process (for all phases of the life of the product) Training Of Personnel Post Production Monitoring Risk Graph Residual Hazard Cause Verification Effectiveness Source: ASQ Biomedical 09 December 2004, Alfred M. Dolan © 2006 Brooks Software FDA Regulatory and Compliance Symposium

GAMP 4 and Part 11 The GAMP 4 Risk Model for Electronic Records and Electronic Signatures (ERES) Identify the electronic records and signatures Step 1 Assess impact of records and signatures Step 2 Low impact Medium impact High impact Identify generic hazards Identify generic & specific hazards Step 3 Assess severity & likelihood Assess probability of detection Consider risks Derive risk priority Select good IT practice Select generic controls Select generic & specific controls Step 4 Periodic review and evaluation Step 5 Source: FDANews, 2005 © 2006 Brooks Software FDA Regulatory and Compliance Symposium

GHTF Risk Management Activities in Design & Development © 2006 Brooks Software FDA Regulatory and Compliance Symposium

How risk management can be integrated into the CAPA process Source: GHTF. 2005 © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Aligning Risk Management Tools Risk Analysis Intended Purpose Identification Hazard Identification Risk Estimation Risk Evaluation Risk Acceptability Decision Risk Control Options analysis Implementation Residual Risk Evaluation Overall Risk Acceptance Post-production Information Post-production experience Systemic Procedures Identification of new Hazards Change Control & Feedback Loop Risk Assessment Management Preliminary Hazard Analysis Fault Tree Analysis Functional Analysis Tolerability of Risk Cost-Benefit Analysis Socio/Ethical Analysis FMECA HACCP HAZOP PAT Six Sigma SPC CAPA Complaint Mgmt. © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Risk Chart for Communicating Internal Risk Management Activities Source: GHTF. 2005 © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Site Risk Potential (SRP)

Desired State Product quality and performance achieved and assured by design of effective and efficient manufacturing processes Product specifications based on mechanistic understanding of how formulation and process factors impact product performance Continuous "real time" assurance of quality Source: The Process Analytical Technology Initiative: PAT and the Pharmacopeias, Ajaz S. Hussain, Ph.D. Deputy Director Office of Pharmaceutical Science CDER, FDA © 2006 Brooks Software FDA Regulatory and Compliance Symposium

product quality attributes can be accurately and reliably predicted Know your processes! all critical sources of variability identified and explained variability managed by the process product quality attributes can be accurately and reliably predicted product specifications based on understanding of how formulation and process factors impact product performance Source: PDA, PAT & Risk Based Initiatives, Implementation Issues: C. Cambell © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Process Variation - Seven (7) M’s Management Materials Methods Man Medium Machine Measurement Input Process Output Source: PDA, The Harmonized PAT Solution: Application of Risk-Based Tools & PAT Strategies in Pharmaceutical Product Manufacture: J. Priem © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Sources of Variability N P U T S (x) Machine - Equipment Method - Process Medium - Environment Materials Measurement Man - People Inputs to the process control variability of the output Output y = f(x) y Variability - source of the “Process” risks to the product Spec Limit Percent Defects per Opportunity (traditionally PPM) +/- 1 sigma 30.23 697,700 +/- 2 sigma 69.13 308,700 +/- 3 sigma 93.32 (most companies) 66,810 +/- 4 sigma 99.379 6,210 +/- 5 sigma 99.97670 233 +/- 6 sigma (near perfect) 99.9997 (top companies) 3.4 Example 50 Products X 10 Operations 10 Orders per Year 10 Lots/Batches/Units per Order 12 Months (30 days per order) 10 Transactions per Unit per Operation = 6,000,000 Transactions per year Source: Risk Reduction in Pharmaceutical Manufacturing using Process Analytical Technology, Brian Davies, Thermo Electron Corporation © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Evaluation of Process Steps Work Processes Abnormal Normal Non Value Add Unnecessary Necessary Eliminate Reduce Value Add Flow eliminate the abnormal and the unnecessary non- value added tasks reduce the non-value added but necessary, e.g. regulatory place the value-added processes into a natural sequence © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Identifying value added and non-value added Value-Stream Mapping Identifying value added and non-value added Value-creating tasks: Actions necessary for making products, such as welding or drilling. Incidental work: Actions necessary to make products, but that don’t create value from the customer’s standpoint. Such actions include reaching for a tool or clamping fixture. Waste: Actions that (a) create no value from the customer’s perspective and (b) can be eliminated from a process; e.g. walking to get tools that can be positioned within reach of a worker. In a typical company, the greatest percentage of time is spent on tasks that are pure waste. Source: Lean Advisors Inc. Source: Manufactures Get Lean to Trim Waste, William Leventon, Medical Device & Diagnostic Industry, September 2004 © 2006 Brooks Software FDA Regulatory and Compliance Symposium

PAT Conceptual Framework Incoming Materials. Specifications Relevant to “Process-ability” Incoming material attributes used to predict/adjust optimal processing parameters within established bounds (more flexible bounds) PAC PCCP LT CM IT Direct or inferential assessment of quality and performance (at/on-line) Control of process critical control points (PCCP). Process end point (PEPs’) range based on “performance” attributes. PEP’s Chemometrics (CM) and IT Tools for “real time” control and decisions At-line In/On-Line Process Analytical Chemistry Tools Laboratory or other tests Development/Optimization/Continuous Improvement (DOE, Evolutionary optimization, Improved efficiency) Multivariate Systems Approach Risk Classification and Mitigation Strategies Source: ACPS, Process Analytical Technologies (PAT) Sub-Committee Report: T. Layloff, Ph.D © 2006 Brooks Software FDA Regulatory and Compliance Symposium

PAT Example Raw Material Dispensing Granulation Drying Milling Mixing Tabletting Coating Strength Purity Quality Identity Potency Failure Mode Cause Effect Ishikawa Criticality Matrix FMECA DOE Multivariate Analysis SPC Source: ISPE-Boston, Feb. 2005 © 2006 Brooks Software FDA Regulatory and Compliance Symposium

FDA’s SRP Hierarchy (Sept. 04) Site Risk Potential Top Level Components Product Process Facility CD1 CD2 CP1 CP2 CF1 CF1 Categories of Risk Factors Risk Factors (quantitative or qualitative variables) Dosage form; intrinsic chemical properties Measuring; mixing; compression; filling Poor cGMP compliance history © 2006 Brooks Software FDA Regulatory and Compliance Symposium

cGMP Impact Assessments Physical Risk cGMP Impact Assessments Systems & Components Direct Indirect Non Critical Non Critical gep gep gep comm. comm. + + gmp qual. Source: PDA, PAT & Risk Based Initiatives, Implementation Issues: C. Cambell © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Functional Safety: safety-related systems Functional Risk IEC Functional Safety: safety-related systems Class-I Class-II Class-III Class-IV Intolerable Risk cannot be justified except in extraordinary circumstances Undesirable Tolerable only if risk reduction is impracticable or the costs are grossly disproportionate to the improvement gained Tolerable Tolerable if the cost of the risk reduction would exceed the improvement gained Negligible Tolerable if the cost of the risk reduction would exceed the improvement gained Source: PDA, PAT & Risk Based Initiatives, Implementation Issues: C. Cambell © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Priority f (class, detection) Process Risk Probability Risk Class High Impact Medium Low Impact 3 2 1 Low Risk Class Risk Priority High Detection Medium Low 3 M H 2 L 1 Class f (probability, impact) Priority f (class, detection) Source: PDA, PAT & Risk Based Initiatives, Implementation Issues: C. Cambell © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Risk Integration Physical Risk Functional Risk Process Risk SRP Standard Components Standard Operations Standard Parameters Physical Risk Functional Risk Process Risk H M L C N II I III IV SRP Mitigation Plan Source: PDA, PAT & Risk Based Initiatives, Implementation Issues: C. Cambell © 2006 Brooks Software FDA Regulatory and Compliance Symposium

? Risk Dividend C N I II III H M L X IQ OQ PQ PV PAT QA DQ FDA Process Risk Functional Physical ? Source: PDA, PAT & Risk Based Initiatives, Implementation Issues: C. Cambell © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Electronic Enforcement

Execution Systems Orchestrate Production Machine Line Plant Enterprise Set points Equipment Product & process data definitions Production Orders Execution System Controls Parameters ERP Product & process data definitions Status Data Readings Production Status Inventory Picklist People Shop Packet Consumption Work Status Traceability PAC PCCP CM IT PEP’s PAT PLM/EDM Manufacturing Process Product & process data definitions Source: IBM Life Sciences, James Bradburn © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Align Enterprise Applications (change, execution, and enforcement) PLM ERP Financials BOM Order Fulfillment Inventory CRM Enterprise Manufacturing Compliance Risk Management “File” Operational/Transactional Control Service Oriented Architecture & Integration Framework QMS AQP Auditing Training Inspection Test NCR (CAR, SCARs) CAPA Complaints Manufacturing Execution Batch Control Line Monitoring Weigh & Dispense Material Flow & Lot Tracing Container Management Reporting, Metrics/KPIs Data Collection, Alarms & Escalations Process Control Statistical WIP Tracking Equipment Process Planning Work Order Management MBOM Work Instructions & Procedures Operator Tracking Process & Equipment Optimization Layer Automation and Data Capture Raw Material Machining Cleaning Assembly Testing Packaging © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Paper Trail begins, Notifications to appropriate parties Existing Regulatory Process Control REGULATION Client Reporter CRM Sys. Paper Trail begins, Notifications to appropriate parties Complaint Submission Process Acknowledgement Letter to Customer Issue a CAPA to Plant Review Edit/ Close Regulatory Submission ( Such as 30 day MDR 5 day MDR, Summary) Complaint Coordinator Process Complaint Coordinator Plant Complaint Coordinator Closure Letter To Client SOP Initiate Containment Action Root Cause Analysis CAPA Process Request for CAPA Plan Review Plan Approved? Implementation Implement & Sign-Off Verify Effectiveness Close PROCEDURE CORPORATE POLICY © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Electronic Enforcement © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Regulatory/Compliance “Process” Management Orchestrate Manufacturing Compliance Framework Decide Sense Start jobs based upon: Web service external event Web service start job request Repository updates (filtered) from MES, MCS or other data sources Scheduled start Respond Multiple workflow paths depending on event Run Rules and Reports for decision support Context filtering and evaluation Synchronization with multiple start events or wait for events Multiple responses possible depending on flow path Execute web service calls to external systems such as MES, ERP, CAPA and others Execute email, logging, exporting SQL, external applications, and other executions © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Sources GHTF, Implementation of risk management principles and activities within a Quality Management System, May 20, 2005 FDANews, Introduction to GAMP Good Practice Guide: A Risk-Based Approach to E-Record Compliance, Per Olsson FDA, A Risk-Based Approach to Pharmaceutical Current Good Manufacturing Practices (cGMP) for the 21st Century PAT & Risk-Based Initiatives: Implementation Issues; PDA New England - 08 Dec 2004, Cliff Campbell B.E., C.Eng The Harmonized PAT Solution: Application of Risk-Based Tools & PAT Strategies in Pharmaceutical Product Manufacture; PDA New England – 08 Dec 2004, Jeffrey A. Priem Process Analytical Technologies (PAT) Sub-Committee Report ACPS Meeting 21 October 2002, Tom Layloff, Ph.D. Risk Management, From Basic to Advanced; RAPS – 11 October 2004, Kevin P. Bassett; Matthias M. Buerger; Oliver P. Christ Importance and Impact of ISO 13485:2003, RAPS – 13 October 2004, Ed Kimmelman, JD Risk Management of Medical Devices: Implementation, ASQ Biomedical 09 December 2004, Alfred M. Dolan Implementation of Risk Management Principles within a Quality Management System, 09 December 2004, Kimberly Trautman ISO 14971:2000, Essentials 1st Edition, A practical handbook for implementing the ISO 14971 Standards for medical devices, Canadian Standards Association IEE Tolerability of Risk Framework hsc36, Health and Safety Briefings - October 2000 FDA, A perspective on Risk Analysis for the GMP Initiative - April 2003, H. Gregg Claycamp, Ph.D., CHP Risk Reduction in Pharmaceutical Manufacturing using Process Analytical Technology, Brian Davies Risk-Based Method for Prioritizing cGMP Inspections – September 2004, Department of Health and Human Services U.S. Food and Drug Administration Pharmaceutical Manufacturing: New Technology Opportunities – 16 November 2001, G.K.Raju, Ph.D PAT Progress Report: 13 April 2004 ACPS Meeting, Ajaz S. Hussain, Ph.D. Deputy Director Office of Pharmaceutical Science CDER, FDA Guidance for Industry, PAT - A Framework for Innovative Pharmaceutical Manufacturing and Quality Assurance DRAFT GUIDANCE Process Analytical Technology (PAT): What’s in a name? – 09 April 2004, D. Christopher Watts, Ph.D. Office of Pharmaceutical Science, CDER, FDA © 2006 Brooks Software FDA Regulatory and Compliance Symposium

Thank You Joseph Vinhais Joseph.vinhais@brooks.com 978.262.7868 http://lifesciences.brookssoftware.com