In a firmly post-pandemic world, regulators such as the Medicines and Healthcare products Regulatory Agency (MHRA) have increased the frequency and depth of in-person inspections of pharmaceutical companies. We have seen an increase in the frequency with which the MHRA has identified critical deficiencies and escalated inspection findings for consideration of enforcement action. This, of course, can have serious consequences for companies, and at the very least, leads to time and resources being spent on responding to the inspection findings and coordinating with the regulatory authorities.

Post-pandemic, preparing for inspections and investigations should be a priority for pharmaceutical companies. It is important that companies have clear policies in place around inspections and prepare teams for how to respond to the authorities during inspections. Being back in the workplace is a valuable opportunity for advanced planning and consideration of policies and procedures; embedding good practices throughout the organisation could be the crucial difference the next time a regulator comes knocking.

MHRA's approach to inspections

The MHRA adopts a risk-based methodology when identifying which systems or facilities to inspect, and the type of inspection that is required. For example, of the 32 pharmacovigilance inspections it conducted in 2021/22, nearly half were for cause: five inspections were initiated for cause to assess the resolution of critical findings from previous inspections, nine were triggered for cause due to intelligence received, and 18 were routine inspections conducted in accordance with the standard inspection schedule. All 32 inspections had major findings, and a minority had critical findings. Common findings included issues with respect to data management and data integrity, all of which impact on effective risk management within the organisation.

Similar trends are seen in other GxP ('good practice') areas. For example, for good clinical practice (GCP) inspections, a focus of critical findings has been on data integrity. Software validation has also received attention, particularly in GCP and GDP inspections, with a focus on whether the software has been appropriately validated for the specific use and whether the software could impact the review of the data by the authorities.

In terms of the outcome of inspections, we have seen an increase in inspection findings being escalated to the IAG (Inspection Action Group). This group advises the MHRA on regulatory action that may be required in response to an inspection, including action that impacts relevant licences that are in place. It is no secret that the MHRA has reduced its capacity over recent years, and this may have had an impact on inspection outcomes. However, it is also likely that increased attendance in the workplace has led to more opportunities for employees to observe and report any concerns about misconduct and violations of the required standards.

Enforcement powers

The MHRA has a number of enforcement tools at its disposal, ranging from re-inspections to ensure no repeated violations, to warning letters, to criminal prosecution. A variety of factors are taken into account when considering adequate enforcement, such as actual or potential harm caused to patients, whether violations are prevalent throughout the business or an isolated incident, and whether the company had policies and procedures in place to detect and prevent breaches.

In any event, companies should assume that the MHRA will share inspection findings with other competent authorities, such as the US Food and Drug Administration and the Japanese Pharmaceutical and Medical Devices Agency, causing potential cross-border consequences and follow-on inspections. Even if the company is able to de-escalate the issues, increased regulatory scrutiny is likely for a period of time.

In practice, formal enforcement action is rare, and the MHRA prefers to "work towards compliance", rather than restrict operations or impose sanctions. To date, the MHRA has never brought a prosecution against a corporate entity for GxP compliance, but has pursued criminal liability in respect of individuals. However, prosecution of individuals can have adverse consequences for the company in terms of reputational damage, and companies will need to carefully manage any resultant fall-out.

Preparation for inspections

Whether an inspection is routinely scheduled or unannounced, practical steps to prepare should always be in place, such as ensuring that data is up-to-date, easily accessible, secure, and comprehensive for inspector use. Employees should be regularly trained on regulatory requirements and workplace policies, as well as having specific training on their roles and responsibilities during inspections.

With scheduled inspections, further preparation may be completed, such as preparing a conference room, making sure key individuals will be available to assist, briefing all staff, and planning a site visit for the inspectors. If the inspectors consent, it is helpful to have a designated person record as much information as possible about the inspection, such as the questions asked and answers provided. Ideally, copies will be retained of any material the inspectors take, and someone will accompany the inspectors at all times. If the inspectors are amenable, it is useful to end an inspection with a meeting to summarise findings, address any issues, and determine the next steps, including timeframes and further information that will need to be provided.

With respect to "for cause" inspections, which can take place with little to no notice, the MHRA has powers to compel evidence and interview witnesses. Company representatives can request to attend witness interviews, although it is likely that such attendance will be limited to observation. However, if the MHRA suspects criminal liability on the part of individuals, it may conduct interviews under caution, such that any evidence given may be used as part of a subsequent criminal prosecution. Generally, company representatives would not be permitted to attend these interviews.

Legal teams should be clear that their role is to advise the company. As such, it may be necessary to consider whether employees should be offered their own independent legal advice, and legal teams should ensure they do not provide advice to employees in their individual capacities, as this could create conflict in representation between company and employee.

Internal investigations

In most circumstances, it is preferable for grievances and concerns to be investigated internally, rather than for the regulator to become immediately involved. Many companies now have clear whistleblowing policies in place to enable concerns to be raised, triaged, and then investigated.

Reporting obligations should be considered when conducting an internal investigation, to ensure that the regulator is adequately informed of findings. For many GxP obligations, there are regulatory reporting timelines that arise when the company becomes aware of the non-compliance. Therefore, there may be regulatory obligations even as the investigation is ongoing and the factual matrix has not yet been established. In many cases, the MHRA is amenable to a collaborative approach to the issues, enabling the internal investigation to continue alongside regulatory enquiries, with the company keeping the regulator abreast of progress and findings. However, this should be considered on a case-by-case basis.

Privilege protocols must also be considered. Whilst interactions with regulators are not legally privileged, privilege may attach to the internal investigation or to documents that may be requested during the inspection. To obtain legal privilege in the investigation, the legal team will need to be involved in the matter as early as possible. Generally, privilege should be sought over advice to the company, such as on the risks or likelihood of enforcement, reporting requirements, or regarding remedial action.

In some cases, it may be appropriate to provide a limited waiver of privilege for certain parts of the internal documentation. Waiving privilege may result in gaining credit for the company, and could be something that is taken into account when the regulator considers whether enforcement action should be taken. Again, this should be considered on an individual basis.
