© 2011 IBM Corporation Outsourcing Compliance Challenges James F. McCormack, Ph.D. Vice President, Life Science Compliance Global Technology Services

© 2011 IBM Corporation

Outsourcing Compliance ChallengesOutsourcing Compliance Challenges

James F. McCormack, Ph.D.Vice President, Life Science ComplianceGlobal Technology Services


What We’ll DiscussWhat We’ll Discuss

Compliance Challenges With Data Integrity Supply Chain Integrity IT Outsourcing


Data IntegrityData Integrity


Proposed Rule - Proposed Rule - Reporting Information RegardingFalsification of Data

19-Feb-2010; 75 FR 7412 Proposes to amend its regulations to require sponsors to report

information indicating that any person has, or may have, engaged in the falsification of data in the course of reporting study results, or in the course of proposing, designing, performing, recording, supervising, or reviewing studies that involve human subjects or animal subjects conducted by or on behalf of a sponsor or relied on by a sponsor.

A sponsor would be required to report this information to the appropriate FDA center promptly, but no later than 45 calendar days after the sponsor becomes aware of the information.

The requirement for a sponsor to report any confirmed or possible information regarding falsification of data would be ongoing and cover the periods before and after study completion, including after the review, approval, or authorization of the affected product or labeling.



Background Impetus for the rule was a clinical investigator (CI) that fabricated data in 91

trials conducted for 47 sponsors Sponsors that learned of the falsification retained the CI, but excluded the

data from the clinical database Current regulations only require sponsors to report to FDA the reasons for

terminating the involvement of a CI in a trial The proposed regulation is intended to close “loop-holes” in current

regulations and protect the integrity of the preclearance review process and the welfare of human clinical trial subjects



“Falsification” means creating, altering, recording, or omitting data in such a way that the data do not represent what actually occurred Creating data that were never obtained (e.g., making up data or results and

recording or reporting them; reporting enrollment in a study of a subject who did not exist; forging the signature on an informed consent form)

Altering data by replacing original data with something different that does not accurately reflect study conduct or results (e.g., changing a laboratory measurement to a less extreme deviation from normal)

Recording or obtaining data from a specimen, sample, or test whose origin is not accurately described or in a way that does not accurately reflect the data (e.g., changing the date of a specimen, sample, or test; adding a substance not called for in the study to a specimen or sample; identifying a specimen, sample, or test as coming from a specific subject when it came from a source other than the subject)

Omitting data that were obtained and would be appropriate for recording based on study design and conduct (e.g., not recording exclusionary medical history or prohibited concomitant medications or treatments; omitting data so that a statistical analysis yields a result that would not have been obtained had all data been analyzed)


Supply Chain IntegritySupply Chain Integrity



Congressional Hearing 14-Sep-2011 Senate Committee on Health, Education, Labor, and Pensions

− Testimony from:

• Deborah Autor, J.D., Deputy Commissioner for Global Regulatory Operations and Policy

• Allan Coukell, BScPharm, Director of Medical Programs, Pew Health Group, The Pew Charitable Trusts

• Marcia Crosse, Ph.D., Director, Health Care, United States Government Accountability Office

• Mr. Gordon Johnston, Senior Advisor For Regulatory Sciences Generic Pharmaceutical Association

• Kendra Martello, J.D., Assistant General Counsel, PhRMA

• Martin VanTrieste, R.Ph., Senior Vice President of Quality, Amgen


Supply Chain IntegritySupply Chain Integrity Pew Health Group White Paper - After Heparin: Protecting Consumers from the

Risks of Substandard and Counterfeit Drugs− Ensure meaningful oversight and quality management of globalized pharmaceutical

manufacturing• Require 21st-century quality systems to protect drug safety through statute and

regulation• Strengthen industry oversight of contract manufacturers and suppliers• Enhance documentation and transparency of upstream manufacturing supply

chains through legal requirements• Improve testing standards

− Eliminate barriers to FDA oversight• Increase FDA oversight of overseas manufacturing• Ensure adequate FDA resources• Improve the FDA’s infrastructure and tracking systems• Strengthen oversight of drugs and bulk drug substances at import• Empower the FDA with regulatory authorities it needs to fulfill its mission• Strengthen the FDA’s enforcement ability through stronger penalties and clearer

accountability for industry• Improve FDA access to information from other regulatory bodies and industry

− Secure pharmaceutical distribution• Improve drug distribution security through a federal serialization and verification

system• Strengthen wholesaler regulation and oversight


Source: Pew Health Group “After Heparin: Protecting Consumers from the Risks of Substandard and Counterfeit Drugs

Pharmaceutical Supply ChainPharmaceutical Supply Chain


Globalization of ManufacturingGlobalization of Manufacturing










Causes for ConcernCauses for Concern

Material suppliers in China Heparin adulterated with oversulfated chondroitin sulfate (OSCS) to cut costs

resulting in alleged deaths in US Mislabeled diethylene glycol as glycerin incorporated into cough syrup

resulting in deaths of adults and children in Panama, Haiti and Nigeria Melamine incorporated into infant formula in China resulted in 6 infant deaths

and thousands sickened Melamine incorporated into pet food in US resulting in death or harm to

thousands of pets

GMP facilities in India Significant GMP violations Alleged falsification of stability data Alleged falsification of batch records FDA invoked AIP against one manufacturer



Congressional Hearing 14-Sep-2011 Senate Committee on Health, Education, Labor, and Pensions

− General Consensus

• Industry has principal responsibility for supply chain integrity and quality

• FDA needs to increase foreign inspections and inspect based on risk

• FDA needs additional authority to:

» Refuse admission, destroy product at the border, and require information (burden of proof on FDA)

» Mandate recalls and detain drugs» Share information with other national regulatory agencies

• FDA needs to modernize drug registration and listing

• Unique facility identification

• Track and trace technology


Warning Letter ExamplesWarning Letter Examples

Yag-Mag Labs Private Limited (PRC) - API manufacturer Batch records were written months after the batches were manufactured and

released for shipment Residues and corrosion on processing equipment, materials and processing

equipment exposed to the outside elements without adequate protection; poorly identified and leaking piping; recessed ground-level floor susceptible to flooding and observed with substantial standing water; and inadequate unsanitary restroom facilities

Performed manufacturing operations without written procedures for change control, out-of-specification test results, laboratory deviations, investigation of production discrepancies or deviations, consumer complaint handling, or annual product reviews

Starting material (b)(4), internal lot (b)(4) had come from an unknown supplier via a distributor without product label or manufacturer information



Nanjing Maohai Biotech Co. (PRC) - API manufacturer The material is released without adequate review of laboratory control

records [from contract laboratory]. The results used for release are summary results accepted via text messaging, e-mail, or phone. Contract laboratories are an extension of your operations and, as such, your quality unit is responsible for all data acquired at the contract laboratories you choose to use.

The quality unit fails to thoroughly investigate and resolve all quality-related complaints.

The firm did not evaluate the suppliers of (b)(4), (b)(4) and (b)(4), all used in the manufacturing process of (b)(4). The firm currently accepts certificates of analysis (COA) from unevaluated suppliers in lieu of testing each batch of an incoming component to ensure conformity with the established specifications.



Pharmaceutical Company Jelfa SA (Poland) - Finished Pharmaceutical Manufacturer The firm failed to thoroughly investigate the failure of a batch or any of its

components to meet its specifications. No investigation of the manufacturing process and facility controls was performed following failed sterility tests.

The firm did not establish appropriate written procedures designed to prevent microbiological contamination of drug products. During the aseptic filling of two injection batches on filling line employees were observed following poor aseptic techniques.

The quality control unit did not adequately exercise its responsibilities to approve procedures or specifications that may impact the identity, strength, quality, and purity of the drug product. Repeat citations from prior inspections indicated that the quality control unit is not exercising its responsibilities, and may not have the appropriate authority to carry out its responsibilities.

“This inspection identified other worrisome deficiencies […] includ[ing], but not limited, to: inadequate vendor qualification of your API suppliers”



Ningbo Smart Pharmaceutical Co. Ltd. (PRC) - API Manufacturer The QCU unit failed to ensure that materials were appropriately tested and

the results were reported. The QCU approved the release of four batches of material without data to support that the test for organic volatile impurities (OVI) met release specifications. Certificates of Analysis stated that OVI levels conformed to specifications, but the inspection found that no testing was done.

The QCU released API lots to the U.S. without assuring that all required tests were performed. The QCU also failed to detect that the COAs stated that OVI results conformed to specifications, although the test was not performed.

“It is essential that your firm only report results to customers when you have actually performed the analysis.”


IT OutsourcingIT Outsourcing


IT OutsourcingIT Outsourcing

Presentation by Bob Tollefsen, National Expert Investigator – Computerized Systems to SQA 22-Sep-2011 Emphasized that FDA’s objective is to ensure the integrity of records that are

used to support research and marketing permits Issues with IT and electronic recordkeeping will be enforced through

predicate rules Reviewed several GMP cases where flaws in computerized systems resulted

in problems with data integrity and product quality Expressed concern with outsourcing regulated activities to organizations that

traditionally have not operated in a regulated environment Expressed the expectation for the relationships will be specified in a written

agreement and that service providers have a viable quality management system in place.

FDA is forming a working group to review FDA’s authority over IT service providers, approaches to monitoring, and topics for guidance (e.g., Cloud Computing)


21 CFR Part 1121 CFR Part 11

Possible revision ? July 2010 FDA published press release stating intent to increase

enforcement profile of part 11 Goals

− Inspections will assess industry understanding and compliance

− Inspections will assess how industry is ensuring the integrity of electronic records

− FDA will assess data integrity and computerized system validation of inspectional observations since 2007

− Determine next steps FDA will take appropriate action to enforce part 11 for issues observed during

inspections that do not fall under enforcement discretion discussed in Scope and Application Guidance, i.e., required by predicate rules

Part 11 was always intended to be enforced through predicate rule requirements



Noven Pharmaceuticals, Inc. – Finished Pharmaceutical Manufacturer “Your firm has failed to exercise appropriate controls over computer or related

systems to assure that changes in master production and control records, or other records, are instituted only by authorized personnel [21 C.F.R § 211.68(b)].For example, your firm has failed to periodically conduct back-up procedures for the (b)(4) Server, Equipment (b)(4) (Building (b)(4), Room (b)(4)) since August 2010. [January 2011 inspection] This server was used to store, back-up, and/or archive raw test data from computer systems (Software: (b)(4)) controlling and monitoring (b)(4) High-performance liquid chromatography (HPLC) systems in accordance to SOP, (b)(4), titled, “(b)(4).” During the inspection, the (b)(4) server was observed as being tagged out-of-service since February 2009.In your response, your firm states that you have revised your procedure to include the implementation and installation of qualified (b)(4) backup software on (b)(4) server to allow for remote backup. Your response, however, is inadequate because you fail to adequately address whether you were able to recover the critical data not backed-up between August 2010 and when you first implemented the daily backup process. Your firm has yet to indicate whether HPLC raw data records could be retrieved for the duration of time that the (b)(4) server was not backing-up the HPLC system data.”



Signal Medical Corporation – Device Manufacturer “Failure to validate computer software for its intended use according

to an established protocol, as required by 820.820.70(i). Your firm uses the (b)(4) for in-process and final product testing for the (b)(4) and the (b)(4). Your firm conducted software validation for the (b)(4) and the results are included in the Software Validation Report, dated February 11, 2010. The (b)(4). The validation compared the measurement of the (b)(4) with the optical comparator and the air gage for the femoral knee on the (b)(4). However, your firm uses the (b)(4) for conducting a surface a (b)(4) during the (b)(4). The (b)(4) is used for measuring the top profile on the (b)(4) during manufacturing. The software validation of the (b)(4) did not address (b)(4).”



Noli R. Zosa, M.D. – Clinical Investigator You failed to prepare and maintain adequate and accurate case histories that

record all observations and other data pertinent to the investigation on each individual administered the investigational drug [21 CFR 312.62(b)].

Protocol #433 stated the following:

Clinical data will be entered into electronic Case Report Forms (eCRFs). Data on eCRFs must correspond to and be supported by source documentation maintained at the investigational site, unless the site makes direct data entry for which no other original or source documentation is maintained. In such cases, the site should document which eCRFs are subject to direct data entry and should have in place procedures to obtain and retain copies of the information submitted by direct data entry. FDA’s investigation found that there was no source documentation at your site to corroborate data entered into the eCRF for any of the enrolled subjects, nor did we find documentation regarding which eCRFs were subject to direct data entry, or which procedures were in place to obtain and retain copies of information submitted by direct data entry. The following items, for example, were not found in subjects’ files: ophthalmologist assessment reports, visual acuity assessment reports, laboratory reports, subjects’ medical charts, bacterial and viral culture laboratory reports for all culture samples collected, and subject’s worksheets documenting daily administration of study drug. Therefore, we are unable to verify the accuracy of the data submitted to the sponsor.


Questions?Questions?

Documents

© 2011 IBM Corporation Outsourcing Compliance Challenges James F. McCormack, Ph.D. Vice President, Life Science Compliance Global Technology Services