Guest Column | December 4, 2017

Best Practices For Data Integrity Oversight At Your Contract Manufacturer

By Barbara Unger, Unger Consulting Inc.

This is the second of two articles focusing on the nexus of data governance/data integrity and contracted manufacturing and testing activities in the pharmaceutical industry. Part 1 addressed FDA warning letter enforcement actions and discussed things that can go awry in these relationships related to data governance and data integrity. In Part 2, we turn our attention to health authority GMP guidance on contractual relationships and best practices that should be considered in this area. Please note that these articles are not meant to address the full scope of activities necessary to ensure a sound relationship with a CDMO, but rather they focus narrowly on data governance and data integrity. 

Regulatory Guidance on Data Integrity Responsibilities

We return to discuss how to review our contractor’s data in a manner that we are confident releasing the product for either clinical trial use or commercial distribution. In terms of regulations, 21 CFR 200.10 addresses contract facilities used by pharmaceutical firms. It states “The Food and Drug Administration … regards extramural facilities as an extension of the manufacturer’s own facility.” The FDA guidance on Contract Manufacturing Arrangements for Drugs: Quality Agreements  states contract laboratories must “employ adequate controls to ensure that data and test results are reliable and maintained in accordance with CGMP requirements. It is the owner’s responsibility to review this information from the contract facility to decide whether to approve or reject product for release and distribution.” This does not provide much detail on how data is to be reviewed in support of lot release. The FDA clearly states firms are responsible for activities and data generated by their contract manufacturer/laboratory.

Chapter 7 of the EU GMP guidelines addresses outsourced activities. For additional detail, the European Medicines Agency (EMA) Questions and Answers: Good Manufacturing Practice added a section on data integrity in August 2016. Questions 19, 20, and 23 specifically address a company’s responsibility regarding data integrity for GMP activities contracted out to another company. The EMA responses to questions 19 and 20 are most relevant. The questions ask, “What are my company’s responsibilities relating to data integrity for GMP activities contracted out to another company?” and “How can a recipient (contract giver) build confidence in the validity of documents such as Certificate of Analysis (CoA) provided by a supplier (Contract acceptor)?” The responses state:

“Data integrity requirements should be incorporated into the company’s contractor/vendor qualification/assurance program and associated procedures.

In addition to having their own data governance systems, companies outsourcing activities should verify the adequacy of comparable systems at the contract acceptor. The contract acceptor should apply equivalent levels of control to those applied by the contract giver.

Formal assessment of the contract acceptor’s competency and compliance in this regard should be conducted in the first instance prior to the approval of a contractor, and thereafter verified on a periodic basis at an appropriate frequency based on risk.”


“The recipient should have knowledge of the systems and procedures implemented at the supplier for the generation of the CoA. Arrangements should be in place to ensure that significant changes to systems are notified and the effectiveness of these arrangements should be subjected to periodic review.

Data related to activities which are outsourced are routinely provided as summary data in a report format (e.g. CoA). These summary documents are reviewed on a routine basis by the contract acceptor and therefore the review of data integrity at the contract acceptor site on a regular periodic basis (e.g. during on-site audit) takes on even greater significance, in order to build and maintain confidence in the summary data provided.”

Best Practices for Data Integrity Oversight at Contracted Sites

“Adequate oversight” by the product sponsor is a multi-faceted approach, so let me propose that it consists of the following:

  • The sponsor firm should document and justify the data and summaries on which it will make lot-release decisions. The justification can include reliance on features mentioned in the remainder of this section.
  • Rigorous due diligence should be performed in the qualification of a contract manufacturer or contract laboratory. Major concerns in selection of a contractor should be whether their data is trustworthy and whether the firm has adequate GMP controls in place to address how both laboratory and manufacturing data are generated, processed, reviewed, approved, and archived. Elements of such due diligence:
    • There should be a deep dive into the computer system validation and controls including, but not limited to, adequate user specifications and configuration and testing of them. Changes to validated systems must be under change control, and periodic evaluations should be conducted to ensure the computerized systems remain in a state of control.
    • Systems should be validated for their intended purpose and procedures, and processes must be in place to permit identification of altered or deleted data.
    • Access should be limited to authorized individuals, and privileges within the system should be role-based. Deletion of data should be limited, and where data is changed, the existing data must not be obscured.
    • Data should be reviewed in the medium in which it is collected. For most laboratory instruments, this means review of electronic data and the associated critical metadata (audit trails). Data reviewers should be adequately trained, and the process should be driven by appropriately detailed SOPs to ensure consistency among reviewers.
    • Finally, data should be backed up, archived, retained, and retrievable through a defined retention period.
  • A quality agreement should be implemented to document roles and responsibilities. Several industry trade organizations have developed and published templates for these agreements. These include IPEC, Society of Chemical Manufacturers and Affiliates (SOCMA), and Rx-360. In addition to the general features addressed in these templates, the following should be considered:
    •  A requirement regarding data governance or a requirement that the partner must ensure the trustworthiness of their data, both paper and electronic, consistent with CGMP requirements.
    • It should state that the contract giver is permitted to review electronic data during their periodic audits, technical visits, or during manufacture/testing if they have a person in the plant.
    • Where data is transferred between the sponsor and their contract site, the agreement should specify how this is done to protect the integrity of the information. For example, is email appropriate, or do the firms set up a specific secure electronic link for this information.
  • The sponsor should routinely evaluate their contract sites for health authority inspections or other enforcement actions.
    • Monitoring warning letters alone is not sufficient. Firms should seek to obtain form 483s from all FDA inspections, including sites of the contract manufacturer where they do not have product. Frequently, problems are systemic, and evaluation of all inspections conducted at the firm’s sites can provide an early warning that something may be amiss.
    • Firms should monitor FDA import alerts and recalls. Firms that purchase and then distribute products made from intermediates, API, or dosage forms from sites that are under U.S. import alert are responsible for their noncompliant actions. Reference is made to the March 2, 2017 warning letter issued to Lumis Global Pharmaceuticals and the warning letter to Aztex Enterprises.
    • Firms should also be informed of all health agency inspections of the contract site and be informed of their findings, outcomes, and recommendations. In addition to including some of these requirements in the quality agreement, the firm should monitor actions in this area where information is available. It is painful for firms to find out their U.S. contract site can no longer export products into the European Union when they read of the posting on the Eurda noncompliance website. At least three sites based in the U.S. were the subject of this type of action in the past two years.
  • Ongoing oversight and partnership is fostered through technical meetings, sound and open communication, and periodic on-site audits and visits.


To ensure sponsors can trust the data generated by their contract manufacturers and laboratories, multiple activities are necessary. The sponsor must conduct adequate due diligence evaluations and meet qualification criteria. Periodic oversight must be described and in place, and the sponsor should document and justify the data upon which they will base lot-release decisions. The justification should include the firm’s reasons for believing the data provided by the contract site is trustworthy and how this is ensured on an ongoing basis. On-site periodic audits take on heightened importance in review of original data because the sponsor firm will not generally review original lot specific data. Rather, they will base their decisions on certificates of analysis supplemented by specific information agreed to in the quality agreement or contractual arrangement.

Many firms have eliminated having a person in the plant for economic reasons; perhaps this approach should be reconsidered. It may be useful to have a person in the plant evaluating processing and raw data for the first few lots manufactured to develop an additional level of confidence in the contractor’s operations, at which point this could potentially be discontinued. For those that do routinely have a person in the plant during manufacture and testing, this person might also be responsible for review of selected original data in both manufacturing and the laboratory on a lot-by-lot basis.

Lasting success in this area depends on a comprehensive approach and activities that must be ongoing throughout the duration of the contract. In my opinion, enforcement actions against sponsors, in addition to the contract sites, will most effectively help to resolve this issue and ensure appropriate due diligence and oversight is provided by the contractor. All parties must be held accountable to make changes. Citing only one of the partners will not necessarily result in changes in practice among sponsors.

About the Author:

Barbara Unger formed Unger Consulting, Inc. in December 2014 to provide GMP auditing and regulatory intelligence services to the pharmaceutical industry, including auditing and remediation in the area of data management and data integrity. Her auditing experience includes leadership of the Amgen corporate GMP audit group for APIs and quality systems. She also developed, implemented, and maintained the GMP regulatory intelligence program for eight years at Amgen. This included surveillance, analysis, and communication of GMP related legislation, regulations, guidance, and industry compliance enforcement trends. Barbara was the first chairperson of the Rx-360 Monitoring and Reporting work group (2009 to 2014) that summarized and published relevant GMP and supply chain related laws, regulations, and guidance. She also served as the chairperson of the Midwest Discussion Group GMP-Intelligence sub-group from 2010 to 2014. Barbara is currently the co-lead of the Rx-360 Data Integrity Working Group.

Before Amgen, Barbara worked for the consulting firm Don Hill and Associates, providing regulatory and quality services to the pharmaceutical industry, and for Eli Lilly and Company in quality and CMC regulatory affairs positions. She began her career in the pharmaceutical / device industry with Hybritech Inc. and received a bachelor's degree in chemistry from the University of Illinois at Urbana-Champaign. You can contact Barbara at