Data Integrity

Putting Data Integrity in Quality Agreements

With growing regulatory scrutiny, sponsors are focusing more on data integrity in supplier quality agreements.

By: Robert Marohn

Director of Quality Business Systems, Kite Pharmaceutical

A quality agreement is a comprehensive written agreement between parties involved in the contract manufacturing of drugs that defines and establishes each party’s manufacturing activities in terms of how each will comply with current good manufacturing practices (CGMP) [1]. With the increased attention to data integrity by regulatory authorities, including the U.S. Food and Drug Administration (FDA) [2] and the UK’s Medicines and Healthcare products Regulatory Agency (MHRA) [3], sponsors of contract manufacturing operations are focusing more on the elements of data integrity in their supplier quality agreements. Indeed, smart suppliers will become fully prepared to respond to this trending emphasis on data integrity.

MHRA focuses on data integrity
In its March 2018 “‘GXP’ Data Integrity Guidance and Definitions,” the MHRA reinforces good documentation (ALCOA) and data integrity practices, and goes on to discuss data governance measures needed to ensure that data is complete, consistent, enduring and available throughout the lifecycle (ALCOA+).

Keep in mind, MHRA’s guidance “…primarily addresses data integrity and not data quality since the controls required for integrity do not necessarily guarantee the quality of the data generated.”

The supplier quality agreement is a golden opportunity to lay out such controls related to the elements of data integrity and how they will be put into practice in a quality approach. The agreement is also an opportunity to define and delineate the division of responsibilities related to data integrity practices throughout the lifecycle of data between a sponsor and supplier.

Clearly influenced by the latest MHRA data integrity guidance, one major pharmaceutical company recently changed the data integrity definition in its quality agreement:

FROM: “Supplier shall maintain and assure the accuracy and consistency of data over its entire lifecycle.”

TO: “Supplier shall ensure that the accuracy, completeness, consistency, trustworthiness, and reliability of product records and data are maintained and retained throughout their entire lifecycle. Data integrity principles shall apply to all forms of data storage—non-electronic (paper) and electronic. Data shall be collected and maintained in a secure manner, so that they are attributable, legible, contemporaneously recorded, original (or a true copy) and accurate. Data integrity shall be ensured by the use of appropriate quality and risk management systems, including adherence to sound scientific principles and good documentation practices.”

But does this even go far enough? The quality agreement can specify details related to data integrity characteristics and controls of product records in areas such as document control, sample and material management, analytical methods and testing, deviations and change control, and other important functions delineating technical and communication responsibility between sponsor and supplier.

FDA quality agreement case study
In its November 2016 “Contract Manufacturing Arrangements for Drugs: Quality Agreements Guidance for Industry,” FDA illustrates a case study about unreliable data in laboratory records and test results:

“In this scenario, an owner contracts with a facility for analytical testing services. The contract facility repeatedly reports passing results in its CGMP records when actual analyses indicated failures. The contract facility also fails to report accurate results to the owner, who is the finished drug product manufacturer. When FDA inspects the owner, it finds that despite having a written procedure requiring a site audit of contract facilities every two years, the owner has not audited the analytical testing facility.”

This example illustrates a failure of the sponsor and supplier relationship, where a quality agreement could have set forth sponsor expectations and supplier responsibilities related to data integrity controls around CGMP records, as well as how communication and auditing of such records should take place.

For example, a quality agreement between these organizations might set out that supplier procedures are in place to ensure that all data is attributable, legible, contemporaneous, original and accurate “plus” complete, consistent, enduring, and available whether documented in a laboratory notebook or generated electronically. Further, the agreement might state that supplier testing records will be “second person reviewed” and approved by a member of a designated “data review group” to confirm completeness and compliance with all procedures, specifications and regulatory requirements. And carrying out its part, the sponsor might agree to regularly update, review, and communicate to the supplier its updated procedures reflecting data integrity practices in support of the product and supplier processes, thereby creating a cohesive quality environment between the two.

Additionally, a quality agreement between these organizations might set out that investigations and internal auditing should be carried out examining parameters such as data integrity, including calculations; robustness of procedures to uncover data integrity issues; confirmatory test results designed to rule out data integrity issues; and documented training with a focus on data integrity, all as the responsibility of the supplier. And the sponsor might agree to continual communication with the supplier about audit and investigation results and reviews of supplier data integrity quality metrics. Of course, the agreement should also set out that the sponsor will carry out its own periodic audit with a focus on data integrity elements and practices in no less than two-year intervals—as stated in the case study. And of course, the sponsor must follow through and verify data integrity controls are working.

Going beyond the case study mishap, the quality agreement should additionally delineate the record retention responsibilities of the two parties and plans for a handoff between supplier and sponsor when this required milestone takes place.

Warning letters
Such failures result in FDA Warning Letters to contracted facilities such as, “…please note that as a contract testing laboratory, it is your responsibility to ensure the integrity of the data generated and that all test results be properly documented, maintained, and reported.” Related to this sort of warning letter, FDA notes that achieving compliant contract drug manufacturing without a written quality agreement is difficult. And FDA routinely requests and reviews evidence of quality agreements—or the lack of quality agreements. These reviews include looking at elements such as data integrity controls as evidenced by FDA’s highlighting of a data integrity case in its quality agreement guidance.

Other important data integrity elements based on GMP principles that the FDA is concerned about, and which can be addressed in quality agreements, include, but are not limited to:

  • How should access to CGMP computer systems and shared login accounts for computer systems be restricted?
  • How should blank forms be controlled?
  • How often should audit trails be reviewed?

Data integrity in the cloud
Related to data integrity, MHRA states in its latest guidance on the topic, “Where ‘cloud’ or ‘virtual’ services are used, attention should be paid to understanding the service provided, ownership, retrieval, retention and security of data.” As with the quality agreement, here is an opportunity to ensure data integrity principles are agreed upon. MHRA goes further to state that, “…responsibilities of the contract giver and acceptor should be defined in a technical agreement or contract. This should ensure timely access to data, including metadata and audit trails, to the data owner and regulatory authorities upon request. Contracts with providers should define responsibilities for archiving and continued readability of the data throughout the retention period.” It may be even more important to conclude that a “technical agreement or contract” must contractually specify the expanded data integrity elements we have been discussing with such “cloud” or “virtual” service providers.

All said, it is important to keep in mind that no matter how good a quality agreement is, it cannot exempt owners of a drug product or contract facility from statutory or regulatory responsibilities to comply with applicable CGMP, regardless of whether the quality agreement or other contracts specifically attempt to bind those CGMP and related data integrity requirements [4].

References
  1. https://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM353925.pdf.
  2. https://www.fda.gov/downloads/drugs/guidances/ucm495891.pdf.
  3. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/687246/MHRA_GxP_data_integrity_guide_March_edited_Final.pdf.
  4. https://www.fda.gov/downloads/Drugs/GuidanceComplianceRegulatoryInformation/Guidances/UCM353925.pdf.

Robert Marohn
ClinLogic, LLC

Robert Marohn consults with organizations on all aspects of developing and implementing comprehensive quality information technology policy/procedures, frameworks, computer system validation, and data integrity plans and programs. He has worked in the life science industry for over twenty years. He served as the Chief Information Officer of Worldwide Clinical Trials for eight years. He holds a Master of Science in the Management of Technology from Georgia Institute of Technology. He can be reached at rmarohn@clinlogic.com.
