1. The Business Case for Supplier Quality and the DQSA
Enforcement and Administrative Actions Resulting from Inadequate Oversight and Control of Suppliers
Jacqueline R. Berman, Esq.
Associate
Morgan, Lewis & Bockius LLP

2. Obligations and Why You Should Care
Supplier Quality
Obligations and Why You Should Care

4. Current Legal Landscape
Current Good Manufacturing Practices
FFDCA § 501
Automatic adulteration if fail to comply with cGMPs
Implementation of oversight and controls over manufacturing
Selected Regulations
21 C.F.R. § (b) (Contract manufacturers an extension of manufacturer’s own facility)
21 C.F.R. § (Quality unit ultimate authority for product quality)
21 C.F.R. § (Incoming inspection and testing)
21 C.F.R. § (Component records)

5. Potential Regulatory Consequences of Poor Supplier Quality Control
Adverse Inspectional Findings
Warning Letters
Product Recalls
Cessation of Manufacturing
Seizure
Injunction
Criminal Actions
False Claims Act Actions
Government Contracting

6. Warning Letter Examples
Greer Laboratories Inc. (4/21/2014)
Failure to establish reliability of supplier’s certificate of testing through validation
Sanquin Plasma Products (8/29/2013)
Failure to perform incoming testing on supplier components
Jabones Pardo S.A. (8/22/2013)
Failure to perform incoming testing, failure to establish reliability of supplier’s analyses, failure to conduct identity test when relying on supplier analyses

7. New Focus on Data Integrity
Trifarma S.p.A. (7/7/2014)
Failure to maintain complete data
Failure to prevent unauthorized access or change to data/prevent data omission
Tianjin Zhongan Pharmaceutical Co., Ltd (6/10/2014)
Failure to maintain appropriate documentation to record manufacturing operations performed on individual pieces of equipment

8. New Consequences of Inadequate Supplier Controls
Inadequate supplier controls will require additional product oversight beginning January 2015

9. Selected DQSA Requirements
Specifics will depend on role in the supply chain
Some requirements more administrative/procedural
Record keeping and information transfer
Product identifier
Authorized trading partners
Other requirements related to supplier quality
Suspect and illegitimate product identification, investigation, quarantine, and notification
Requests for information
Returned products

10. Some DQSA Practical Implications
DQSA compliance obligations will substantially affect contractual provisions in sales and related documents
Current commercial terms likely affected
New contracts for outsourced functions requiring supplier controls
New SOPs
Training and Auditing
Potential False Claims Act claims arising out of certifications

11. Selecting and Working with Third Parties
Lori F. Hirsch
Managing Counsel
Merck Sharp & Dohme Corp.
December 9, 2014

12. Why utilize Third Parties?
Need for specialized capabilities
Product lifecycle management
Market access
Cost optimization

13. Selecting a Mate

14. Things to consider before you enter a Marriage
1. Don't marry the person you think you can live with. Marry the one you can't live without! 2. Don't marry someone who has characteristics that you feel are intolerable! 3. Do not marry impulsively! 4. Make sure that each partner has an iron-willed determination to make it work!

15. Effective Due Diligence is Essential!
Qualifications – does the third party have the ability to do what you need them to do?
Experience – does the third party have the right experience to do what you need them to do?
Expectations – have you clearly defined what the third party will do, including expectations, standards, etc.
Compliance – does the third party understand cGMPs and have appropriate systems, processes and people?
Capacity – does the third party have available capacity?
Culture – does the culture at the third party match your company’s culture?
Determination – are you both determined to make this relationship work?

16. Some Due Diligence Areas
Manufacturing capabilities - facilities, processes, systems and people
Management team who are experienced and competent, including quality personnel
Communication skills
Regulatory agency experience and history
Understanding of Quality System/GMP requirements 
Willingness to provide access to the manufacturing site, as needed, including management visits and audits.

17. Realities of Working with a Third Party
A company retains accountability for the acts or omissions of the third party.
Despite the fact that control has been surrendered to the third party
Only the third party has the direct access to the contracted activity.
A company has limited monitoring and influence.
Critical to select the right third party.

18. Commercial Agreement The “what”
Contract must be clear as to roles, responsibilities and obligations.
Remember: terms will often be interpreted, several years later, by people not party to the original negotiations.
Consider cultural and language differences.
Terms should be explicit, where possible.
Dispute resolution/escalation defined.
Process for changes should be defined.

19. Quality Agreement The “How”
The Quality Agreement should be standalone.
Allows the quality provisions to be changed from time to time without opening the entire agreement.
Should include such things as:
Rights to visit during manufacturing of Companies’ products, audits, etc.
Requirements for prior approval of any changes to the third party’s facility, equipment, materials or components
Notification of any out-of-specification (OOS) test results and stability failures
The ability to evaluate any deviations and/or investigations as well as the review of manufacturing batch records
Recall decisions and regulatory notifications.

20. And, the marriage begins . . .

21. Are you ready to manage the relationship?
Do you have the right people with the right skills to manage these third party relationships in a way that ensures patient safety and security of supply?
Increasingly, these relationships are the subject of regulatory scrutiny.

22. On-going oversight Meeting Company’s expectations
Oversight of manufacturing processes
Site visits
Performance/Quality Metrics
Periodic Review of Manufacturing and Quality records, including test data
Escalation Process for managing supplier deviations

23. Calibrated Quality Oversight Model
Introduce risk-based management to the Third Party Quality Oversight Process
Define process for determining level of Quality oversight
Recognize and leverage the development, operational and compliance capabilities of Third Parties
Objective assessment that drives consistent management of Third Parties
Assessment consistency across the life cycle of the Third Party relationship (identify, select, manage)
Goal
Drivers

24. Quality Oversight Business Process
Monitoring
Qualification/
Quality
Agreement
Quality
Oversight
Coordination Oversight
Communication
Calibrated
Oversight
QA/QC

25. Calibrated Quality Oversight Model
Process
Determine appropriate level of oversight based on:
Quality Systems implementation
Contracted activity (e.g. API vs. sterile pharmaceutical)
Technology ownership and complexity
Historical experience / knowledge of third party
Performance (metrics, relationship)
Compliance performance / history
Process Utilizes Assessment Tool
Defined criteria consistently applied
Information repository for ongoing assessment
Results in Recommendation Memo
Ongoing Assessment

26. Assessment Design
Strategic Quality Risk Management Model requires assessment of risk for …
FDA Six Systems (30 Sub-systems)
Quality Management
Facilities & Equipment
Materials
Production
Packaging & Labeling
Laboratory Control
Two additional assessment elements
Technology Complexity & Ownership
Compliance
To provide the users with guidance on . . .
Degree of presence in the third party’s facility.
Responsibility for control of starting materials.
Level of review/oversight on planned and unplanned (deviations) changes.
Level of review of batch documents.
Responsibility for product testing.
Responsibility for release of product for “further processing.”

27. Quality Oversight Levels
RISK ASSESSMENT LEVEL
PRODUCT TESTING
OPERATIONS
RAW MATERIALS
DEVIATION MANAGEMENT
PRODUCT RELEASE
HIGH
All testing by Company– third party is not eligible for inclusion in the reduced testing program
Full time presence of Company overseeing third party operations
Materials supplied and cleared by Company
All deviations/ changes reviewed and approved by Company
Release by Company
MEDIUM
All testing by receiving sites.
Third party is not eligible for inclusion in the reduced testing program
Companies’ personnel only present at critical stages (e.g. validations)
Company specifies sources but third party may clear for use
Only designated changes (listed in Quality Agreement appendix) are approved by Company and deviations are reviewed by Company
LOW
Third party is eligible for inclusion in the reduced testing program
No Company presence other than routine audits and visits
Materials sourced and controlled by third party unless otherwise specified in the Quality Agreement
Company reviews deviations and changes as defined in the Quality Agreement

29. Questions

30. Current Challenges with Data Integrity and Managing Suppliers
A Changing, Global Environment
Roy Sturgeon
President
Lachman Consultants
Westbury, NY 11590
©2014 Lachman Consultant Services, Inc. All rights reserved.

31. Legal Notice
The information displayed on these presentation slides is for the sole private use of the attendees of the seminar at which these slides were presented. Lachman Consultant Services, Inc. (“Lachman Consultants”) makes no representations or warranties of any kind, either express or implied, with respect to the contents and information presented. All original contents, as well as the compilation, collection, arrangement and assembly of information provided on these presentation slides, including but not limited to the analysis and examination of information herein, are the exclusive property of Lachman Consultants protected under copyright and other intellectual property laws. These presentation slides and the content and information contained herein may not be displayed, distributed, reproduced, modified, transmitted, used or reused, without the express written permission of Lachman Consultants.

32. Agenda Supplier Quality Management Process
Data Integrity and 21 CFR Part 211
Potential Regulatory Consequences
Laboratory Audit Methodology
Proactive Action Plan

33. Has Something Changed? Requires Proactive Management of CMOs
Increased Use of CMOs, Globally

34. Supplier Quality Management
ICH Q8, Q9, Q10
Global IT Systems
Conformance to Applications
Supplier Qualification
Quality Agreements
Performance Metrics/Trend Evaluation
Communication/ Management Notification
Audits
Global
cGxP Compliance
Detection  Prevention

35. Critical Success Factor-Supplier Quality
Management-Data Integrity Detection

36. Integrity
A Hierarchy of Drivers. Digital image. Web. 24 Nov <

37. GMP Regulatory Requirements for Data
Integrity Per 21CFR 211
Instruments must be qualified and fit for purpose [§ (b), §211.63]
Software must be validated [§211.63]
Any calculations used must be verified [§211.68(b)]
Data generated in an analysis must be backed up [§211.68(b)]
Reagents and reference solutions are prepared correctly with appropriate records [§ (c)]
Methods used must be documented and approved [§ (a)]
Methods must be verified under actual conditions of use [§ (a)(2)]
Data generated and transformed must meet the criterion of scientific soundness [§ (a)]
Test data must be accurate and complete and follow procedures [§ (a)]
Data and the reportable value must be checked by a second individual to ensure accuracy, completeness and conformance with procedures [§ (a)(8)]

38. Potential Regulatory Consequences of Fraud
Stop Production/Distribution … some or all products based on nature of evidence and results of ongoing District and Company/3rd-party audits
“Voluntary” Recall (Class II) of affected products
Downgrade Therapeutic Equivalence Rating … promptly changed the product’s therapeutic equivalence rating to “not equivalent”, thereby becoming non-interchangeable and without a market
Withdraw ANDA Approval … initiated administrative proceedings to withdraw ANDA approval … unless “voluntarily” withdrawn
Suspension of Future Approvals … OGD continued review of pending ANDAs, supplements and annual reports for products not directly implicated; however, final approval withheld based on general integrity concerns (“Alert List”)
Application Integrity Policy … CDER Director notifies company that all NDA/ANDA reviews have been suspended pending the company’s compliance with the conditions of the AIP

39. What to Look for When Assessing Suppliers?
Fraud - The Big Three:
Altered Data
Overwriting of data in chromatography data systems
Manipulation of integrations to achieve a passing result
Omitted Data
Selective reporting of data for release decisions
Undocumented Sample Trial Injections
Manufactured Data
Creation of replacement or dummy weight tapes

40. Audit Methodology Use the element of surprise:
Visit laboratory areas as soon as possible and unannounced if possible.
Spend the majority of the audit time in the laboratory before conducting the more methodical lab systems audit (SOP reviews etc.)
Shift direction of coverage at times when possible rather than following the sequence of unit operations.
Target for review difficult or complex methods and systems in the lab, and those associated with deviations, OOS investigations, complaints, FARs, etc.
As each area in the lab is examined, interview an analyst and/or supervisor. The purpose is to look for evidence of improper data handling, documentation and other practices, and whether the analyst/supervisor have adequate understanding of relevant GMP practices.

41. Audit Methodology (Cont’d)
As soon as possible, visit the laboratory (or other target area) to observe operations and identify targets of interest for immediate evaluation.
Areas that should be targeted include
Raw data vs. reports vs. sample/instrument logs vs. other forms of secondary documentation
Identification and control of samples, aliquots, and standards
Contemporaneous entries versus delayed or back-dating
Condition and control of instrumentation;
Suitability of the lab environment;
Applicable Part 11 requirements; and
Rigor of QC/QA independent data review procedures and practices

42. Computer Systems & Electronic Records
Audit Methodology:
Computer Systems & Electronic Records
Determine if standalone and networked systems are subject to Part 11 controls. Initially, target standalone instruments to determine nature of testing performed and data being stored, potential for overwriting data, backup practices, audit trails, access privileges, password protection, data review practices, etc.
For standalone systems, check
Nature of data stored and, who has access, how the system is being used
If any application programs reside on the system, such as Word, Access or Excel, and if so, check for unauthorized storage of data, reports, production or test records, SOPs, etc. If these programs exist, ask the user to log onto the system and open document folders

43. Computer Systems & Electronic Records (cont’d)
Audit Methodology:
Computer Systems & Electronic Records (cont’d)
Check procedures for granting user privileges and whether approvals are documented.
Check whether privileges are updated when employees change position or terminate their employment.
Check on use of individual Passwords, User IDs, Electronic Signatures, and verify they are not being shared.
Check on frequency of system back-ups, whether at appropriate intervals (e.g., immediate, daily).

44. Computer Systems & Electronic Records (cont’d)
Audit Methodology:
Computer Systems & Electronic Records (cont’d)
Ask users to log onto networked and standalone systems, and check audit trail functions
Verify that the audit trail function cannot be overridden or turned off.
Determine if electronic data can be modified, overwritten or deleted from network or standalone systems.
Determine if QC or other units have the ability to modify or delete data.
Determine the role of the IT coordinator in managing electronic data.
Determine who has the ability to make changes to hardware/software configurations in standalone and networked systems and whether changes are being documented and approved in accordance with change control procedures, and are appropriately validated.

45. Lab Documentation Practices
Audit Methodology:
Lab Documentation Practices
Review documents, logs and records on lab benches, desktops, shelves, etc., especially those that are in use, to determine if entries appear to be complete, contemporaneous and, where possible, consistent with instrument outputs and settings.
Carefully examine laboratory balance weight tapes. Are all tapes and type on tapes the same or similar color? For a particular set of related weighings, are the elapsed times even possible (Six weight determinations on an analytical balance in 60 seconds.)? Are the weights recorded “too good to be true” (four weight determinations exactly the same in 60 – 120 second time period)?
Open drawers, lockers and physical folders to look for test reports, raw data, obsolete SOPs and test methods, and handwritten entries on docs indicative of not directly entering data into official records (e.g., instrument parameters; weights; results; etc.)

46. Lab Documentation Practices (cont’d)
Audit Methodology:
Lab Documentation Practices (cont’d)
Examine waste containers to determine whether contents include original data, instrument output, test records, test reports, etc. 
Determine where documents intended for shredding are stored; examine documents that are pending shredding. There should be no routine access to paper shredders in the laboratory.
Observe from a distance whether analysts and supervisors appear to be making contemporaneous entries into records.

47. Audit Methodology: Sample Custody
Look for samples in drawers, lockers, refrigerators and other locations where storage of samples is unexpected.
Look for samples, aliquots and vials that are not adequately labeled. 
Open refrigerators and freezers to evaluate conditions, settings, samples, vials, etc., and look for inadequate sample identification and/or storage conditions.
Test and stability sample reconciliation.

48. Audit Methodology: Training Program
Review overall adequacy of the training program (e.g., individual employee training records, curricula, training schedules, course content, assessments).
Check training records of individual employees who are associated with manufacturing deviations, and with deficiencies identified during the course of the audit.
Check training program and training records for temporary/contract employees.
Review training programs and records of employee training related to computer security (e.g., Part 11 requirements, password use, user access, record retention, change control, use of PCs/standalone computers).
Review the training program and procedures for Good Documentation Practices to determine if the issues of Authenticity and Falsification data are adequately and forcefully addressed.

49. Data Integrity Audit Interviews
Audit Methodology:
Data Integrity Audit Interviews
Examples of Interview Questions:
What is this record, and what is being entered?
What is the source of the information that is being entered?
When and How was the information determined?
How soon after the information is determined are the entries made?
What source documentation or instrument outputs support these entries?
How do you become aware of missing or mistaken entries after the fact?
How do you correct missing or mistaken entries?
What are the applicable procedures for preparing this documentation?
Are the procedures clear and consistent with actual practice?
Have you been trained on the current procedures?
Do you and the other analysts use the same practices?
Is there anything else you would like to explain?

50. When Evaluating Data Integrity Findings
Points to Consider
When Evaluating Data Integrity Findings
What systems are deficient or require improvement in the findings presented in the following section?
Is the finding a case of Data Integrity or bad Laboratory practices/GMP non-compliance? Or both?
What is the potential impact of the finding?
If incidence of GMP compliance, how could it potentially impact the integrity of the data?
For each finding, what action might be taken?

51. Preparation of Proactive Action Plan
Based on the information presented, it should be possible to prepare a proactive Action Plan for Data Integrity
Action Plan starts with an outline of planned activities by system, especially in the laboratory
Identification of lab systems requiring enhancements can be identified by auditing the high risk areas discussed today.
Most difficult area to audit is the identification of trial injections, if any. Typically, this requires a focused dedicated forensic assessment of chromatography data systems and audit trails.

52. Preparation of Proactive Action Plan (Cont’d)
Plan would take the form of System by System listing of areas (using the laboratory as an example), including but not limited to:
Chromatography Data Systems – Security & Controls
Standalone Instruments
Balance Usage
Sample custody and reconciliation
Chromatographic Data – Trial Injections
For each system the gaps identified by the recommended assessment and the associated action steps to address the gaps should be documented, along with the resources assigned to corrective and preventative actions.

53. Thank You! Frances M. Zipp President Westbury, NY 11590 516-222-6222