By Barbara Unger, Unger Consulting Inc.
This is the second of two articles focusing on the nexus of data governance/data integrity and contracted manufacturing and testing activities in the pharmaceutical industry. Part 1 addressed FDA warning letter enforcement actions and discussed things that can go awry in these relationships related to data governance and data integrity. In Part 2, we turn our attention to health authority GMP guidance on contractual relationships and best practices that should be considered in this area. Please note that these articles are not meant to address the full scope of activities necessary to ensure a sound relationship with a CDMO, but rather they focus narrowly on data governance and data integrity.
Regulatory Guidance on Data Integrity Responsibilities
We return to discuss how to review our contractor’s data in a manner that we are confident releasing the product for either clinical trial use or commercial distribution. In terms of regulations, 21 CFR 200.10 addresses contract facilities used by pharmaceutical firms. It states “The Food and Drug Administration … regards extramural facilities as an extension of the manufacturer’s own facility.” The FDA guidance on Contract Manufacturing Arrangements for Drugs: Quality Agreements states contract laboratories must “employ adequate controls to ensure that data and test results are reliable and maintained in accordance with CGMP requirements. It is the owner’s responsibility to review this information from the contract facility to decide whether to approve or reject product for release and distribution.” This does not provide much detail on how data is to be reviewed in support of lot release. The FDA clearly states firms are responsible for activities and data generated by their contract manufacturer/laboratory.
Chapter 7 of the EU GMP guidelines addresses outsourced activities. For additional detail, the European Medicines Agency (EMA) Questions and Answers: Good Manufacturing Practice added a section on data integrity in August 2016. Questions 19, 20, and 23 specifically address a company’s responsibility regarding data integrity for GMP activities contracted out to another company. The EMA responses to questions 19 and 20 are most relevant. The questions ask, “What are my company’s responsibilities relating to data integrity for GMP activities contracted out to another company?” and “How can a recipient (contract giver) build confidence in the validity of documents such as Certificate of Analysis (CoA) provided by a supplier (Contract acceptor)?” The responses state:
“Data integrity requirements should be incorporated into the company’s contractor/vendor qualification/assurance program and associated procedures.
In addition to having their own data governance systems, companies outsourcing activities should verify the adequacy of comparable systems at the contract acceptor. The contract acceptor should apply equivalent levels of control to those applied by the contract giver.
Formal assessment of the contract acceptor’s competency and compliance in this regard should be conducted in the first instance prior to the approval of a contractor, and thereafter verified on a periodic basis at an appropriate frequency based on risk.”
“The recipient should have knowledge of the systems and procedures implemented at the supplier for the generation of the CoA. Arrangements should be in place to ensure that significant changes to systems are notified and the effectiveness of these arrangements should be subjected to periodic review.
Data related to activities which are outsourced are routinely provided as summary data in a report format (e.g. CoA). These summary documents are reviewed on a routine basis by the contract acceptor and therefore the review of data integrity at the contract acceptor site on a regular periodic basis (e.g. during on-site audit) takes on even greater significance, in order to build and maintain confidence in the summary data provided.”
Best Practices for Data Integrity Oversight at Contracted Sites
“Adequate oversight” by the product sponsor is a multi-faceted approach, so let me propose that it consists of the following:
To ensure sponsors can trust the data generated by their contract manufacturers and laboratories, multiple activities are necessary. The sponsor must conduct adequate due diligence evaluations and meet qualification criteria. Periodic oversight must be described and in place, and the sponsor should document and justify the data upon which they will base lot-release decisions. The justification should include the firm’s reasons for believing the data provided by the contract site is trustworthy and how this is ensured on an ongoing basis. On-site periodic audits take on heightened importance in review of original data because the sponsor firm will not generally review original lot specific data. Rather, they will base their decisions on certificates of analysis supplemented by specific information agreed to in the quality agreement or contractual arrangement.
Many firms have eliminated having a person in the plant for economic reasons; perhaps this approach should be reconsidered. It may be useful to have a person in the plant evaluating processing and raw data for the first few lots manufactured to develop an additional level of confidence in the contractor’s operations, at which point this could potentially be discontinued. For those that do routinely have a person in the plant during manufacture and testing, this person might also be responsible for review of selected original data in both manufacturing and the laboratory on a lot-by-lot basis.
Lasting success in this area depends on a comprehensive approach and activities that must be ongoing throughout the duration of the contract. In my opinion, enforcement actions against sponsors, in addition to the contract sites, will most effectively help to resolve this issue and ensure appropriate due diligence and oversight is provided by the contractor. All parties must be held accountable to make changes. Citing only one of the partners will not necessarily result in changes in practice among sponsors.
About the Author:
Barbara Unger formed Unger Consulting, Inc. in December 2014 to provide GMP auditing and regulatory intelligence services to the pharmaceutical industry, including auditing and remediation in the area of data management and data integrity. Her auditing experience includes leadership of the Amgen corporate GMP audit group for APIs and quality systems. She also developed, implemented, and maintained the GMP regulatory intelligence program for eight years at Amgen. This included surveillance, analysis, and communication of GMP related legislation, regulations, guidance, and industry compliance enforcement trends. Barbara was the first chairperson of the Rx-360 Monitoring and Reporting work group (2009 to 2014) that summarized and published relevant GMP and supply chain related laws, regulations, and guidance. She also served as the chairperson of the Midwest Discussion Group GMP-Intelligence sub-group from 2010 to 2014. Barbara is currently the co-lead of the Rx-360 Data Integrity Working Group.
Before Amgen, Barbara worked for the consulting firm Don Hill and Associates, providing regulatory and quality services to the pharmaceutical industry, and for Eli Lilly and Company in quality and CMC regulatory affairs positions. She began her career in the pharmaceutical / device industry with Hybritech Inc. and received a bachelor's degree in chemistry from the University of Illinois at Urbana-Champaign. You can contact Barbara at firstname.lastname@example.org.