The same dynamic tension exists in the industry, which has strong altruistic, legal, and financial reasons to take a very conservative stand on safety, but which needs to control costs and hence avoid unnecessary and nonrequired regulatory affairs and compliance actions. Meeting the FDA’s stringent requirements assures safety and efficacy; exceeding those same standards adds to cost without improving quality.

The situation is made all the more complex by the purposeful lack of specificity in FDA regulations, guidelines, and requirements. Because the agency is responsible for such a broad range of products produced under varying technologies with differing controls, very tight standards are not possible (or would be counterproductive). Instead the FDA provides general principles; relies on the industry to be self-regulated; and assigns to itself the responsibility of checking, confirming, and approving that self-regulation. A company that eliminates the quality control/quality assurance processes is not in compliance, regardless of product quality; self-regulation is a key principle of operation.

As a result, many companies find themselves imposing regulatory requirements in access of FDA guideline and intent; find themselves expanding submissions evidence in excess of requirements; find themselves adding inefficient post process quality controls; find themselves in a product delay situation, scrambling to retrofit regulatory controls after an FDA audit of their poorly planned internal controls; and generally find themselves significantly overspending on regulatory affairs and compliance in a frustrating effort to insulate themselves potential FDA criticism.

These regulatory and compliance overexpenditures fall into eight categories, which in turn lead to eight cost reduction strategies. First, many organizations are unclear on the operational (as opposed to the formal) definitions of actual FDA requirements and regulations. While they understand the written word in guidance documents, they may not have access to the field interpretation of those requirements—that is, access to what is actually expected by FDA investigators and reviewers. The result is often unnecessary or misdirected expensive actions.

Second, many companies take a passive or reactive position to a forthcoming FDA review or visit. Instead of performing their own independent (credible expert) audit, correcting deficiencies, and providing a reviewer or investigator with a report demonstrating compliance, they choose to “roll the dice” and see what the FDA finds. The result is likely to be costly product launch delays, negative publicity, and expensive post hoc corrections.

Third, few organizations are fully aware of the FDA’s Quality by Design (QbD) initiative, which can reduce regulatory review times and expenses by building in and documenting quality controls and assurance, rather than restructuring or retesting while a product sits in quarantine awaiting approval and release. QbD reduces the number of submissions required (by using a Design Space concept to define product specification ranges rather than minimums); introduces a Risk Assessment to evaluate the necessity of production modifications; and utilizes a Process Analytical Technology (PAT) approach to automating quality controls.¹

Fourth, many organizations are using outmoded human resource models to staff up for regulatory projects more effectively outsourced. An IND application specialist, for example, may be the most efficient person to head a new research submissions team, but wouldn’t be kept occupied in all but the largest organization. Hiring instead a submissions generalist assures full workforce utilization, but steps away form maximal expertise and efficiency. Using a highly experienced, focused, and expert outsource specialist team not only is more effective but brings a regulatory credibility and familiarity that can save significantly on unnecessary remediation: The expert team knows exactly what is required, and the FDA has confidence in their assurances.

Fifth, the submission areas permit paper or electronic transmission of documents. Use of a proven electronic technology speeds the review process and encourages greater agency cooperation. But many companies lack the expertise to employ electronic submissions systems or, even worse, rely on kludged or modified hyperlink systems that can frustrate reviewers and slow the review process.

Sixth, many companies redundantly submit regulatory documents and rely on auditing visits from both FDA (United States) and EMEA (Europe). While the regulations in place at these two agencies are not identical, there is sufficient overlap to permit development of strategies that will lead to common documents and evidence to satisfy both organizations, significantly reducing costs.

Seventh, many companies lack experience or fear reprisal standby passively during FDA visits, afraid to exert normal and appropriate managerial control of the process. The most common results of this passivity is suspicion on the part of the FDA, a misunderstanding of roles on both sides, and a lack of productive exchange of recommendations and information.

Finally, too many organizations lack the skills, tools, or expertise to try and prioritize regulatory initiatives, and they find themselves treating all guidelines as equal and applying all recommendations to all situations. Without a risk assessment to provide a rational justification for analysis, time, energy, and dollars are spent in insignificant areas and issues better used where a control makes a real difference.

These sight strategic considerations lead to clear cost reduction recommendations that can maintain product safety (and FDA acceptance of that quality) while improving public access through cost controls. Together they outline a comprehensive strategy for cost reduction in regulatory affairs and compliance.

The result is analogous to a blind high jumper: Unable to see exactly where the bar is positioned, the jumper extends just a bit extra to be certain to clear the line. As a result, the bar is “raised” artificially without ever being moved upward. If other jumpers follow suit, the effective result will be norm in excess of the established height: When we are not certain what the FDA really requires, the entire industry jumps just a little higher, and the new raised position becomes the norm that investigators and reviewers grow to expect.

The cost reduction strategy is to base regulatory standards and expectations—in the self-regulation of the organization and perhaps the outsider auditor confirming—not on the vague requirements of the FDA guidelines but on the operational definitions. The real standards as used by the industry and applied by the agency are more difficult to determine but more cost effective to reach. With experience, access to norms established through the industry, and analysis of FDA findings (and 483s), it is possible to develop a strategic operational definition of real-world requirements and, hence, to shave the actual bar to a whisker-width.

Consider the testing of software used in document control to assure compliance with 21 CFR Part 11. How large a data sample should be used for the testing? The original guidance that accompanied the first draft of requirement suggests a sample size of 200. The final document makes no mention of recommended sample size. At least one FDA spokesperson has recommended a sample size of 50 cases.² The Center for Professional Advancement course of System Validation proposes a formula for test samples based upon a combination of risk assessment and pathway analysis.³ Yet an examination of common practices in the field (and general FDA acceptance would lead to a sample size of 10–15 data cases.⁴ Without a thorough understanding, most companies are likely to conduct more tests—at greater expense—than is necessary.

Costs can be effectively controlled through operational, practical definitions of actual requirements and through the understanding of those requirements to provide the FDA with assurances of effective self-regulation. That self-regulatory quality assurance will provide confidence in product and data, as well as confidence of conformity with compliance expectations.

Most FDA investigations follow a “systems approach.”⁵ The FDA team first asks for an inventory of all systems—functional activities—in place at the facility. A manufacturing facility, for example, may have a warehouse management activity, an inventory control system, a quality testing unit, and so on. In all facilities a quality assurance or control system is required.

The FDA will then select from the list the quality system and one or more additional systems (based on previous issues in a “for cause” investigation; or upon a random selection, or upon the team’s observations at other sites). Each of the selected systems will be examined according to the general criteria of the GMPs (GLPs, GCPs, etc.), the organization’s own Standard Operating Procedures, and the company’s self-regulation. The result of the visit will be a summary report (possibly in the form of a 483 report) recommending or requiring remediation; a scrambling by the organization to add on controls or corrections to implement those remediation; and a great deal of internal strife.

But there is an alternative that is less traumatic, is more effective, and avoids the expensive emergency corrective actions.

Well in advance of any scheduled FDA visit (and in advance of any unanticipated visit) the company implements its own audit program. In what amounts to a series of mock-FDA audits, all systems are reviewed. Based upon the results of those reviews, a “building quality in” program is designed, replacing expensive emergency responses with cost-controlled quality planning. Once the plan is completed and all significant problems are remediated, a final audit report is generated, filed, and updated periodically.

When the FDA arrives and requests a list of systems, the team is provided not only with the list but also with a highly credible audit report. While there is no de jure guaranteed acceptance of that report, de facto results based on more than 40 audits over the past five years suggest that the FDA team is likely (current record: 43/43) to accept the report, review it, and move on to other visit issues.

The key, of course, lies in the credentials of the auditors. For maximum assurance they should meet three criteria: independence (not reporting to the facility manager; if consultants, fee not based on project result), expertise (education, training, and research credentials), and experience (previous familiarity with similar systems in multiple settings).

A major blood processing industry, for example, found that a series of FDA unannounced visits to their multiple production sites were disrupting operations, generating negative publicity, and (as the sites struggled to implemented patchwork changes) adding significantly to cost. They instead brought in a team of independent auditors who developed specific criteria appropriate to the organization’s operations; trained key site managers in those criteria; provided advice as the centers implemented appropriate changes; conducted audits; and issued a comprehensive report summarizing and testifying to appropriate compliance with all regulations and guidelines. As a result, the FDA replaced its unannounced visits with periodic reviews of the audit reports, and the organization significantly reduced its compliance expenses.

Risk assessment refers to an identification of the potential danger of system failure in any of the process phases or parts. The risk assessment is based upon categorization of potential failure as high risk (direct impact on human health and safety); medium risk (only indirect impact on human health and safety); or low risk (remote or no impact on human health and safety). These risk severity levels are further mitigated by probability measures, estimating the likelihood of occurrence of the potential problem. Taken together, the severity and probability risk factors provide a prioritization of oversight and (inversely) a flexibility of control levels: A low risk factor might lead to only a periodic monitoring of performance and a wide range of acceptable performance levels. In contrast, a high-risk element would result in constant monitoring and tightly defined range of acceptance performance (the design space).

That range of acceptability is related to the design space, an analysis of the detailed design elements and the flexibility of performance of those elements. Much as a statistical analysis may test again a range of .05 or .001, or even a tighter tolerance level, the design space analysis results in the determination of the appropriate tolerance levels of quality controls and system performance.

The monitoring of those controls and elements is defined as process analytical technology (PAT). PAT has two critical elements⁷: continuous (rapid, multiple discrete) monitoring and cybernetic (self-correcting) monitoring. A PAT system has continuous monitoring points built into the process; and whereever practical, those monitoring points can adjust parameters (temperature, pressure, etc.) if they exceed norms.

The norms, and their acceptable ranges, are established by the design space analysis. The control points to be continuously and cybernetically monitored are defined by the risk assessment. Together, these three elements—PAT, design space, and risk assessment—provide a clear operational definition of system quality control and assurance.

That clarity can lower costs in two important ways. First, building QbD into a system is relatively inexpensive because it is conceptually designed into the original system plans. In fact, by determining what issues are low risk, and hence have loose tolerances and require little monitoring, the QbD approach may lower original plan costs. More importantly, though, building in is generally less expensive than adding on: If a QbD analysis results in eliminating the need to rework a system at a later date, savings are likely to be significant.

Second, a well-designed QbD system lowers regulatory costs, since it reduces the number of submissions (within design space tolerances, new amendments are not required), lowers the time required for NDA, ANDA, and BLA reviews⁸ by the FDA, and is likely to reduce remediations and changes requir...