U.S. FDA Continues Data Integrity Focus A Review of U.S. Regulations on cGMP and Data Integrity

The U.S. FDA continues to inspect pharmaceutical facilities for compliance with cGMP regulations, and as a result of these inspections, has issued numerous warning letters citing several significant violations involving data integrity.

During 2018 alone, FDA issued 56 warning letters, and as of the end of May 2019, the Agency has issued 13. Of these 13 letters, the majority (six) were issued to pharmaceutical facilities located in India, two issued to facilities in China, and the remainder issued to facilities in Taiwan, Canada, France, Spain and Singapore.

If after several inspections, cGMP violations are not corrected, and there is a reasonable likelihood of serious health consequences resulting from the manufacture of a drug product, FDA in collaboration with the Civil Division of the U.S. Department of Justice, may file a complaint against a drug manufacturer under the U.S. Food, Drug, and Cosmetic Act (FDCA) or the Federal Claims Act (FCA) to extract substantial penalties for such cGMP violations.

Two Conflicting Legal Verdicts

One such complaint was filed against Ranbaxy USA, Inc., a subsidiary of Indian generic pharmaceutical manufacturer Ranbaxy Laboratories Ltd, alleging that Ranbaxy falsified stability testing data and intentionally departed from the stability testing protocols it disclosed to FDA.

On May 13, 2013, the U.S. Department of Justice announced that Ranbaxy pled guilty to seven felony counts arising out of the manufacture and distribution of adulterated drugs and agreed to pay a criminal fine and forfeiture totaling $150 mill. Ranbaxy also agreed to settle civil false claims and state law claims for $350 mill. arising out of Medicare and Medicaid reimbursement for such drugs.

The consent decree required Ranbaxy to comply with data integrity requirements before FDA would resume reviewing drug applications containing any data or information from three Ranbaxy facilities in India. The consent decree also prevented Ranbaxy from manufacturing drugs at four facilities for introduction into the United States, until such drugs could be manufactured at those facilities in compliance with applicable quality standards. In addition, FDA withdrew its tentative approval of two ANDAs which it had previously granted to Ranbaxy because the compliance status of one or more of the facilities referenced in the applications was unacceptable to support tentative approval.

While the Ranbaxy case highlights the Justice Department’s willingness to use both the FDCA and the FCA to impose substantial penalties on drug manufacturers as a means of penalizing cGMP violations, a recent decision in Rostholder v. Omnicare (745 F.3d 694 (4^th Cir.2004)) limits the use of the FCA by private individuals to bring actions in the name of the government alleging FCA violations.

In Rostholder, a private individual sought to bring claims under the FCA, alleging that Omnicare, a provider of pharmacy services, knowingly or recklessly violated cGMP regulations causing some drugs to be adulterated and ineligible for reimbursement and that any reimbursement for the drugs was “false or fraudulent” under the FCA. The Court rejected the argument, on the basis that a defendant is liable under the FCA only where it has made a false statement or engaged in a fraudulent course of conduct, and drugs are eligible for reimbursement under Medicare and Medicaid so long as they have been approved by FDA. The FCA does not expressly bar reimbursement for drugs manufactured in violation of cGMP regulations because compliance with cGMP regulations is not a requirement for reimbursement under Medicare and Medicaid.

In view of Rostholder, the Justice Department now faces significant obstacles in using cGMP violations as a basis for substantial civil liability under the FCA. Despite Rostholder, the Justice Department continues to bring non-FCA related actions against pharmaceutical companies for violations of cGMP regulations and the FDA continues to issue warning letters.

Data Integrity Codified

CGMP regulations are codified at Title 21 of the Code of Federal Regulations and set the minimum requirements for the methods, facilities, and controls used in manufacturing, processing and packing of a drug product.

The cGMP regulations at 21 CFR § 211 and § 212 set the cGMP requirements with respect to data integrity:

• § 211.68 requires that “backup data are exact and complete” and “secure from alteration, inadvertent erasures, or loss” and that “output from the computer … be checked for accuracy”
• § 212.110(b) requires that data be “stored to prevent deterioration or loss”
• §§ 211.100 and 211.160 require that certain activities be “documented at the time of performance” and that laboratory controls be “scientifically sound”
• § 211.180 requires that records be retained as “original records,” or “true copies,” or other “accurate reproductions of the original records”
• §§ 211.188, 211.194, and 212.60(g) require “complete information,” “complete data derived from all tests,” “complete record of all data,” and “complete records of all tests performed”
• §§ 211.22, 211.192, and 211.194(a) require that production and control records be “reviewed” and that laboratory records be “reviewed for accuracy, completeness, and compliance with established standards”
• §§ 211.182, 211.186(a), 211.188(b) (11), and 211.194(a)(8) require that records be “checked,” “verified,” or “reviewed”).

As noted in several of the warning letters, any failure to meet these cGMP regulations can amount to a data integrity failure and a violation of cGMP regulations.

So, in light of these, what are best practices for cGMP compliance?

“Since data is central to drug manufacturing, maintaining the integrity of that data to be in compliance with cGMP regulations has always been central to everything the pharmaceutical industry does to support the quality, safety and efficacy of a drug product,” says Anil Sawant, PhD, Senior Vice President, Global Quality Compliance, Merck & Co.

In December 2018, the FDA released its guidance “Data Integrity and Compliance with Drug cGMP – Questions and Answers – Guidance for Industry.” This guidance recommends that pharmaceutical companies follow this guidance to ensure compliance with best practices for cGMP compliance.

According to Karen Takahashi, senior policy advisor in the FDA’s Office of Pharmaceutical Quality, a pharma company should follow flexible and riskbased strategies to prevent and detect data integrity issues. A pharma company is required to employ strategies to ensure the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, and contemporaneously recorded, whether as an original or a true copy, and accurate.

This means, she explains, that a pharma company should employ strategies for the design, operation, and monitoring of systems and controls based on risk to patient, process, and product. Risk assessments should include an evaluation of data criticality, control mechanisms, and the impact on product quality and to ensure complete, consistent, and accurate data when there are higher risk consequences.

Takahashi also emphasizes a pharma company should approach quality culture according to what works for that company. What works in one company or in a given situation may not work in other instances. A pharma company must have a management with executive responsibility that will create a quality culture where employees understand that data integrity is an organizational core value and feel empowered to identify and promptly report real and potential data integrity issues and make recommendations for operational improvement. In the absence of management support of a quality culture, quality systems can break down and lead to cGMP noncompliance.

To ensure the integrity of data, FDA follows a multilayered approach which starts with setting clear and appropriate expectations of manufacturers and applicants regarding data integrity. Multiple experts evaluate application content before approval and when certain changes are made after approval. FDA also conducts onsite inspections and testing as needed, conducts ongoing surveillance of manufacturing activities, and responds to reports of quality problems.

Conclusion

With the ongoing prospect of regulatory actions, it behooves a drug manufacturer to follow certain best practices to be in compliance with cGMP regulations.

“The pharmaceutical industry must continue to introduce procedures, policies, and share data integrity best practices via technical reports especially as the industry continues to automate, digitize, and introduce new manufacturing technologies. This will go a long way in providing assurance that a pharma company will ensure the integrity of the data throughout the cGMP data lifecycle,” concludes Sawant.