organizational learning from perfect storms fda regulatory ... · most consent decrees require a...

© 2007 Quantic The Quantic Group, Ltd., All Rights Reserved

The Quantic GroupSM

Organizational Learning from Perfect Storms

FDA Regulatory & Compliance Symposium at Harvard, Cambridge, Mass

Claudio PincusOwen Richards

Dan PincusTim Oswald

August 24, 2007

Rev 07

1© 2007 The Quantic Group, Ltd., All Rights Reserved

Copyright 2007, The Quantic Group, Ltd.

This document contains and refers to methodologies that are a Trade Secret of The Quantic Group, Ltd. and are presented with the purpose of describing Quantic’s capabilities or experiences. These Methodologies remain the exclusive property of The Quantic Group, Ltd.

Contact Claudio Pincus, PresidentThe Quantic Group, Ltd.5N Regent Street Suite 502Livingston, NJ [email protected] 992 0505


Introduction Perfect Storms

Over 20 years, many major companies have been cited and fined for GMP and related regulatory actions

Product is deemed adulterated even though within specifications

Due to unforeseen forces, “good people” get blindsided

Industry has been far more injured by manufacturing issues than other issues


What we’ve seen

Management has in most cases demonstrated surprise, or has been blindsided by situations they did not see.

“We honestly didn’t know we had this problem.”


Examine the Causes of Blinding

This paper attempts to define the “blind spots” for management

We will not address people acting with malicious intent


The Cost of Failure is $30+ Billion

Cost of Non-Compliance

Discontinuation of ProductsProduct lost market shareLate new product introductionReputationFines

Consent Decrees require major remediation and interventions over long periods of time

Very few Consent Decrees have been vacated


Consent Decree Contents

Most Consent Decrees include Management Controls

Third party to assess corporate operations and site management capabilities to ensure compliance

Establish policiesEmpowerment of Quality UnitCreation of Quality SystemsEvaluate adequacy of organizational skills and numbers

The third party evaluates data, interviews, communications, performance reviews, metrics, and incentives for the organization and reports to FDA


Imposes Outside Oversight

Most Consent Decrees require a third party to review and certify investigations and batch disposition as a surrogate for the Quality Unit

This action, de facto, is a declaration that there is no trust by FDA of the decision ability of the Quality Unit until certification


Implications for Management Controls

IntrusiveChallenges past behavior and decisions“Adequate” is open to interpretation

Therefore,organizational effectiveness for compliance is key for determining adequacy


FDA Sends a Compounding Message

A. The QUALITY ASSURANCE UNIT failed to follow written procedures, which require oversight and review responsibilities

B. Company failed to have a QUALITY CONTROL UNIT adequate to perform its functions and responsibilities

C. Company failed to establish procedures for MANAGEMENT with executive responsibility to review the suitability and effectiveness of the quality system to ensure that the system satisfies the requirements


CASE 1

A company merged years ago and created standardized processes for all factories

Self-assessment reports confirmed that changes were implementedAfter the merger, one factory grew from a focused one product, US Market, high volume factory to multiple presentations and many other products for Global supply

District FDA had considered the site a model factory 10 years ago

An FDA audit, with new auditors, determined that there were major management and operational compliance gaps

The company suffered because of misperceptions by management of the consistency in applying new policies, and the acceptance of new processes, procedures and systems


CASE 2

The company received a 483; Operations and management knew that the site had antiquated technology but believed it was adequate for biological production

All previous discussions regulators were science-focused, and positive,

Knew that the technology and facilities were out of date with similar facilities

FDA changed its audit approach with Team Biologics, and cited major gapsThe company had relied on the FDA to define the acceptable state of compliance, and did not remain current with FDA and industry standards

Company convinced that they were in compliance – with the “old” standards


CASE 3

The company created a decentralized global network of factories allowing each region to interpret and implement processes against broad global quality standards

They relied heavily on corporate auditors to evaluate sitesReported risk to the compliance office

Sites were rewarded based on comprehensive performance metricsincluding financial, customer and compliance metrics;

The compliance metric was “Number of 483 observations received”Investment was made commensurate to the future role of the factory

Factories with lower roles received less investmentThe decentralized factories moved products without regard to compliance capabilityThere was no central Quality Leader

Strong empowerment and accountabilities were expected from each site operation

FDA realized that the sites were no longer compliant, that products and processes were transferred between the sites with very different procedures, and that management did not have an adequate estimation of needs to ensure compliance


CASE 4

Company supported the integration of biologicals and the pharmaceutical business; Created a single centralized management process with one set of policies and procedures

Management did not appreciate the resistance to changeThere were changes in the regulatory inspectorate and major improvements by peersManagement was not informed that FDA had changed to a “Team Biologics” approach The biologicals employees believed that their products were scientifically different and therefore regulators interpreted the GMP based on science instead of manufacturing process and QA controls (Pharm GMPs)

Management did not recognize, nor was informed of, the risk to ‘cultural compliance’, and resistance to change


Culture of Compliance

“The Bus”


Conclusions about the Culture of Compliance

Culture of compliance is the group dynamic of knowing Why you comply, and What principles we rely on

Culture leads to celebration of “good” behaviorGroup self-enforcement

Community provides feedback to leadersRecognizing leaders, teachers, and mentors

Creates continuous learningValues are reinforced and clarified over timeApply values and mission to achieve agreement in specific situations

When outsiders enforce procedures, they may enforce whether they apply or notProcedures prescribe actions

Rules replace values when people forget why


From the Bus Story

Culture Expected behaviorSelf EnforcementContinuous learningReward and peer pressure

Leadership Message clarity and repetitionMentor and develop peopleRole of adults, parents and teachers

Management Create policiesEstablish proceduresAudit and EnforcementIncentives

Power Authority of outsidersInterventionInterpretation of the rulesPunishment



Organizational effectiveness for compliance is achieved

by knowledge of why, what to do and how to comply

andwhen deficiencies are detected

predictable and consistent correction occurs



What groupings of tools do we have to influence the agreement as to the Why/What to do questions vs. the How to questions?

Leadership Tools

Cultural Tools

ManagementToolsPower Tools

Exte

nt to

whi

ch p

eopl

e ag

ree

on W

hy a

nd W

hat t

o do

Bro

ad C

onse

nsus

No

Con

sens

us

Adapted from C. Christensen, M. Marx, H. Stevenson, The Tools of Cooperation and Change, Harvard Business Review

Extent to which people agree on How to

Broad ConsensusNo Consensus


Culture Discussion (+)

Culture is the set of behaviors that are known to the group,

which celebrates right behavior and

self-corrects wrong behaviors

Positives

The organization can continuously learn and self correct“we hire the best and rotate them, starting in Quality”“Manufacturing controls itself, and does not rely on QA to catch mistakes”

Culture is systemic


Culture Discussion (-)

The group fails to remember the ways to perform the behaviors or replaces the group decisions with procedures

NegativesDifficult to change

“GMP do not apply to vaccines”“OTC can not compete under such an interpretation”“The merger failed and we no longer comply because we did not agree on new processes”We will change the culture in Puerto Rico for them to accept newprocedures”

Mergers and new management often need to change culture but fail toDecentralized companies have multiple compliance positionsChange is very difficult especially when imposed from the outsideDifferent regulatory authorities create different culture (FDA v. EU) and can be difficult to integrate

Compliance failures occur when management does not recognize resistance to change


Leadership (+)

The actions and messages management takes to enable the organization to reach agreement on What to do & WhyPositive

Credo, vision and mission statementsThe patient is our customer and not the regulatorCompliance is declared as a competitive advantage

Get products approved fasterSingle message of compliance

Compliance is not a derivative of qualityWe shall not rely on the government to defineRecognize that compliance must equally be satisfied in times of growth or declineYou can always be more efficient, but not more than compliant


Leadership (-)

Actions that attempt but fail to create success Negative

Assumes that our employees will do “noble” work just because it is a medicine for a patientMessages are not supported by deeds – No Walk the Talk

People can “spot the fake”, but corporations try to have both ways

There is conflict between the budget and the compliance goalsDoes not realize that compliance takes investmentRewards are not commensurate with resultsAtmosphere of intimidation and retributionAssume that any new system changes will incorporate compliance at the same level (or better) – Ignore the learning curve, no interim controlsMistakes compliance as only science or facility/operational or QADoes not recognize that compliance is perishable

Over time operations are no longer aligned or adjusted


Power (+)

Internal

Often organizations recognize the compliance deficiencies and create temporary organizations focused on the situation –Provides attention, importance, urgency and interim controls

External

Regulatory action often results in a third party intervention as a surrogate to management and the Quality Unit in critical productcompliance decisions


Power (-)

GMP/GxP assumes knowledge and controls at the lowest level of involvement by personnel to ensure repeatability and consistent right decisions

Does not result in a learning organization

Difficult to scale to the whole organization

Disenfranchises the workers

Relies on the “power” of testing Quality into the product, because of lack of control in GMP processes


Management (+)

Create consistent and well defined processes, procedures and organizations designed to achieve compliance, quality and business requirements

The new ‘Quality Management System’ provides assurance that each and every operation can implement compliant practices on a consistent basis

GMPS of the 21st Century are based on Quality Systems and Risk Management concepts

Management controls are defined in several Consent Decrees, including the responsibility to create policies, establish a Quality Unit and the controls necessary to ensure site compliance


Management (-)

ProceduresIn place vs. In useOver reliance on proceduresSystems = Process+ Procedures+ Organization Effectiveness+ Decision Process

AuditsCorporate vs. Organizational KnowledgeReliance on FDARoot Cause vs. LearningFocus on Science vs. Facilities vs. QA

Risk and the Compliance OfficeRisk vs. SeveritySystem FailuresGMPs of the 21st Century Empowerment vs. EnforcementPerishable Compliance

MetricsRight the First TimeQuality vs. ComplianceLeanIncremental Deterioration


Good Assessments consider both In-Place & In-Use

Most reports to management on operational compliance describe the “in place” processes and procedures

Often management is blind to the poor “in use” complianceFDA Focuses first on In-Use then In-PlaceEMEA focuses first on In-Place then In-Use

Companies need a continuous In-Place/In-Use evaluation/redesign


Internal Audits

Audits only detect a small number of gaps and noncompliance trends

Operations knows 80% of gapsAudits focus on in place v. in useAuditors only visit a site at a point in time and at best detect a small percentage of gapsRisk analysis is performed with limited data

Needs a total disclosure process and incentivize operations to declare compliance risks


Regulatory Audits

Relying on regulatory audits has blinded management to the true state of compliance

Regulators do not certify sitesDo not profess to be comprehensiveDependent on inspectorsFocus on outputs before assessing process and organization

The commonly used compliance metric of number of 483 observations is a very poor predictor of future compliance


Root Cause vs. Organizational Learning

Most deviation investigational processes end with the identification of “root cause”

Seldom does the event create a process for institutional learningMistakes are often repeatedManagement assumes that the organization has learned

Recognize and reward systemic learning by investigational teams; follow up on implementation of CAPA


Tensions between Science, Facilities and QA

Different emphasis is placed on key elements of compliance by different groups and individuals

This results in an incorrect assessment of the overall state of compliance

For example, too much focus may be given to scientific aspects of quality, neglecting the facility elements or the QA Processes

Management can get blinded by not recognizing an organizational bias towards or away from one aspect of the Quality Unit focus

Science

QA ProcessFacilities


Risk

Risk evaluations are performed with data from internal and external sources; classification of risk often confuses risk with severity; it discounts as “minor” a great number of frequently occurring gaps that are indicative of a system failure

Change the risk evaluation process to assess system performance

Risk = Severity * Frequency

No system

System Failure

Performance Failure

Severity

Frequency


GMPs of the 21st

Century

The new FDA GMPs of the 21st Century initiative and ICH expect increasing investment in product/process knowledge based on risk parameters as well as a comprehensive quality system

Great opportunity for industry to become more agile and flexibleCompete with less FDA oversightIntroduce new technologies

It could backfire if failures are not detected because of lack of investment in knowledge


Compliance is Perishable

With time, organizations, facilities and programs lose capabilities

Continuous investment is needed just to maintain current compliance

Often management gets blindsided when past investments have depreciated, and they do not recognize the magnitude of investment to maintain current compliance


Views on Right the First Time

Right the first time is a major metric fro efficiency and compliance, however they have different meanings

If management relies on a six-sigma based definition as a measure of compliance, they will have a false sense of security

Efficiency

Right the First Time is a goal of Six Sigma initiatives that seek to optimize the return to shareholders

When not right is measured in wasted $, time, or opportunity

Compliance

Right the First Time is a demonstration of product and process knowledge

A measure of repeatability

When not right, requires investigation and correction to safeguard the patient


Lean

Lean programs drive operational efficiency, often reducing the control points in use to ensure compliance

Management has been told that Lean results in efficient, effective and therefore compliance operations

Often, lean programs are not based on product and process knowledge

Knowledge Control Improvement Lean


Incremental Deterioration

Over time, factories are not compliance because they have undergone many changes; Neither the equipment, facilities, procedures, systems nor organizations are adequate for current demands of products and regulators

New products require different technologiesNew markets require satisfaction of different regulatorsDeviations result in changes to SOPsLean programs result in fewer controls

Management needs a “zero” baseline assessment of the total operational capabilities


Summary of a perfect storm

Good companies get blinded to compliance risk, and pay severe penalties

Leadership Misperception of agreement that people will follow change; belief that people will act nobly and comply

Provide clear, simple and achievable goals that enable intrinsic motivation

Compliance is perishable; Factories often reach total compliance failure due to substantial change to product mix and markets

Provide continuous investment and reinforcement

Management Overly rely on procedures; confuse procedure with systems; assume in place is in use

Apply holistic quality systems approaches

Overly rely on audits; read an absence of negative as acceptance by auditor

Expect Operations to evaluate and disclose

Culture Failure to realize resistance to change; esp. after mergers, reorganizations, new strategies, new policy or procedure, new capital investment, new systems

Build on the strengths of the existing culture


Questions?


Thank you,ClaudioOwen

organizational learning from perfect storms fda regulatory ... · most consent decrees require a...

Documents