The Food and Drug Administration over the last few months has issued a steady stream of draft guidance providing early insight into the agency’s expectations concerning a broad range of issues affecting pharmaceutical companies. It’s the proposed scope of the FDA’s authority that has the industry up in arms, however.

Data integrity, good manufacturing practices (GMPs), and quality metrics are just a few of the topics garnering attention from the FDA these days. Together, the guidance provides a wealth of information for pharmaceutical companies on how to proactively prepare for an FDA inspection, but they would create new compliance burdens, as well.

One particular draft guidance that has elicited a significant amount of concern among the industry is the FDA’s “Request for Quality Metrics,” which effectively would create burdensome new recordkeeping obligations on pharmaceutical companies. For the first time ever, companies would be required to provide quality metrics to the FDA to be used by the agency to further develop its risk-based inspection scheduling.

On June 27, 2016, the FDA issued a companion document to the draft guidance intended “to ensure clear expectations for industry on the submission of quality metric data,” the FDA said. Many industry stakeholders, however, have argued that the FDA is grossly underestimating the time, investment, and reporting burden that the guidelines would impose, especially on companies with complex and extensive supply chains.

One of the most contentious areas of debate concerns the amount of new data companies would have to gather. According to the FDA, drug manufacturers already collect quality metrics as part of the process validation lifecycle and pharmaceutical quality system (PQS) assessment, but several companies and industry trade groups argue that the agency’s assertion is not exactly accurate.

“While it is true that manufacturers collect metrics as part of process validation, they do not currently collect all of the data FDA is requesting.”
Teva Pharmaceuticals

“While it is true that manufacturers collect metrics as part of process validation, they do not currently collect all of the data the FDA is requesting,” Teva Pharmaceuticals wrote in a comment letter. For example, most manufacturers don’t collect metrics based on the number of lots attempted, as requested by the draft guidance. “In addition, while manufacturers collect information based on the number of lots rejected, they do not distinguish between rejections that are ‘specification-related’ and those that are not,” Teva said.

Furthermore, as some stakeholders have argued, each company tracks quality metrics differently. For example, a drug manufacturer’s enterprise resource planning (ERP) data structure may not allow for identification of lots specifically manufactured for the U.S. market, as required by the draft guidance.

“The costs to industry to restructure ERP systems to accommodate such segmentation of quality metrics data will be significant,” the Pharmaceutical Research and Manufacturers of America (PhRMA), an industry trade group, wrote in a comment letter. “Collecting and organizing metrics data from a network of sites involved in the supply chain will also present significant challenges.”

Disagreement and uncertainty also swarm around who will collect, consolidate, and report the quality metrics data. Several members of the Pharma & Biopharma Outsourcing Association (PBOA), a trade association representing contract manufacturing organizations (CMO) and contract development and manufacturing organizations (CDMO), expressed concerned about the ramifications of reporting on a site-specific basis.

Cook Pharmica, as a CDMO that does not own the license rights or production rights to any of the products produced at the facility, noted that it’s responsible at times for sub-contracting suppliers and other service providers such as contract laboratories. In these situations, Cook Pharmica recommended collecting and reviewing data from those sources and forwarding it to the license holder for ultimate submission to the FDA.

“This approach aligns with contractual obligations and ensures each license holder has appropriate visibility and accountability for their products’ data,” Cook Pharmica stated in a comment letter. “Should the FDA require CDMOs to report metrics at the site level directly to the FDA, this would result in a significant burden.”

Not all drug makers agreed with this approach. Pharmaceutical giant Sanofi commented that it favors reporting metrics by site, segregated by product. “Sanofi sites should not be held responsible for submitting quality metrics data for CMOs and contract laboratories,” its comment letter stated. “These establishments should submit their own data for the activities in which these are engaged in.”

Other industry stakeholders expressed concern about the lack of clarification as to how the FDA intends to use or interpret the metrics to further its regulatory agenda, and just as many companies dispute the scope of the FDA’s authority to request such metrics in the first place. According to the FDA, Section 704(a)(4) of the Food, Drug, and Cosmetic Act gives the agency broad authority to request a wide range of records “in advance or in lieu of” an inspection. “This section does not, however, grant FDA investigators the authority to compel manufacturers to generate records not already in their files,” Abbott Laboratories challenged in a comment letter.


Below are the questions contained in the FDA’s “Data Integrity and Compliance With CGMP” guidance, which is accompanied by non-binding recommendations.

Please clarify the following terms as they relate to CGMP records:

What is “data integrity”?

What is “metadata”?

What is an “audit trail”?

How does FDA use the terms “static” and “dynamic” as they relate to record formats?

How does FDA use the term “backup” in § 211.68(b)?

What are the “systems” in “computer or related systems” in § 211.68?

When is it permissible to exclude CGMP data from decision making?

Does each workflow on our computer system need to be validated?

How should access to CGMP computer systems be restricted?

Why is FDA concerned with the use of shared login accounts for computer systems?

How should blank forms be controlled?

How often should audit trails be reviewed?

Who should review audit trails?

Can electronic copies be used as accurate reproductions of paper or electronic records?

Is it acceptable to retain paper printouts or static records instead of original electronic records from stand-alone computerized laboratory instruments, such as an FT-IR instrument?

Can electronic signatures be used instead of handwritten signatures for master production and control records?

When does electronic data become a CGMP record?

Why has the FDA cited use of actual samples during “system suitability” or test, prep, or equilibration runs in warning letters?

Is it acceptable to only save the final results from reprocessed laboratory chromatography?

Can an internal tip regarding a quality issue, such as potential data falsification, be handled informally outside of the documented CGMP quality system?

Should personnel be trained in detecting data integrity issues as part of a routine CGMP training program?

Is the FDA investigator allowed to look at my electronic records?

How does FDA recommend data integrity problems identified during inspections, in warning letters, or in other regulatory actions be addressed?
Source: Data Integrity and Compliance with CGMP

Concerns about the security and privacy of the quality metrics to be collected by the FDA also pose concerns, “namely protection of trade secrets and commercial or financial information which could harm the competitive posture or business interests of a company,” Cook Pharmica wrote.

The FDA said it is still wading through the flood of comments it has received. Companies may submit comments at any time, but are encouraged to send their submissions by Sept. 26, 2016, before the agency begins work on the final version of the guidance.

Data integrity


In addition to its quality metrics guide, the FDA also issued draft guidance in April on data integrity and compliance with current good manufacturing practices (CGMP). It is the first guidance the FDA has ever issued specifically focused on data integrity, driven in part by the FDA’s stated concern that it has observed in recent years an “increasing number of CGMP violations involving data integrity during CGMP inspections.”

Structured in a question-and-answer format, the draft guidance provides some initial insight into what FDA expects to see during an inspection. “The FDA is not just looking for evidence of data deletion or manipulation,” says James Johnson, former associate chief counsel for enforcement in the FDA’s Office of the Chief Counsel and now a partner at Hogan Lovells. Rather, the agency is now spending a significant amount of time assessing whether companies have implemented proper controls and oversight to ensure data integrity and good documentation practice, he says.

In the context of data integrity, the overall message is loud and clear: “If you don’t have adequate controls and oversight to ensure data integrity, you’re going to have a problem with the FDA,” Johnson says. The FDA does not need to establish that a drug is actually deficient to prevail in a GMP case, he says.

Given the FDA’s focus on GMPs, including the integrity of GMP data (completeness, consistency, and accuracy), it’s important for a company’s quality department to have open channels of communication with the legal, compliance, and regulatory departments, and for all of these groups to work in a coordinated way, says Rebecca McKnight, of counsel at law firm DLA Piper. Historically, many compliance departments in the pharmaceutical industry have been more focused on compliance risks presented by sales rep activities, including the potential for so called “off-label” promotion, and inappropriate financial relationships with healthcare professionals. Often GMP issues were left primarily to the quality organization.

This is in large part because a quality system has built-in—and, in fact, required— processes for auditing, investigation, and resolution of problems identified. “There may be times when issues come to light, however, where it’s really important to have not only your quality organization handling it, but also to have a communication flow to legal, compliance, and regulatory so there is not a silo effect,” McKnight adds. It may be that some of the safeguards that flow out of the compliance program can be applied to data integrity compliance, she says.

“There may be broader-reaching issues where the legal, compliance, and regulatory—and even human resources—departments really need to be involved to address matters fully and systemically throughout the organization.”

Furthermore, McKnight believes the human element of GMP compliance and data integrity should not be ignored, nor should the potential for unintended consequences. “We live in challenging economic times, and personnel feel a great deal of pressure to meet benchmarks, quotas, and metrics in the workplace, in order to keep their jobs and do well within their company.”

If FDA moves forward with its Quality Metrics initiative, McKnight sees the potential for even greater pressure on personnel to demonstrate that they are consistently successfully meeting quality standards. Such positive quality metrics could mean FDA would be showing up to inspect the company less frequently, which most companies would likely consider a good thing, given the stress and personnel-hours associated with inspections. “This pressure could be a positive thing if it drives continuous improvement and a commitment to quality, but I think it will be more important than ever to clearly communicate to employees that the company’s data must absolutely meet FDA’s standards for data integrity,” she says.

In that aspect, it’s important that senior leaders in the company foster the message that while quality metrics are important, data integrity is never optional, McKnight adds. “You need to be honest and transparent, within the company and with FDA, if there are quality failures throughout the process, even if it means—for an employee, acknowledging and addressing areas for improvement, and—for the company, facing more inspections and taking potentially costly steps to improve quality processes.”