By John Avellanet, Managing Director, Cerulean Associates LLC

February’s news that a pharmaceutical firm received a complete response letter from the FDA due to records management irregularities at a contract manufacturer should be no news at all. For those of us who have long argued that basic record-keeping practices underlie nearly every aspect of FDA compliance, the failure of a CMO to implement good records retention practices is not surprising. Records retention and management is not typically thought of as part and parcel of FDA compliance.

And when it comes to contract organizations, whether pharmaceutical manufacturers or clinical sites, far too often the assumption remains that having standard operating procedures (SOPs) and training on those SOPs are the two key ingredients to complying with FDA requirements. But how true is this? In all the inspections and audits I’ve handled, I’ve yet to see the inspector or auditor ask only to see a firm’s SOPs and training presentations. The bulk of any inspection or third-party audit always revolves around one item: records. To put it more crassly, having an SOP only sparks the question, “So what?” You have to show proof that you complied with those SOPs. And that’s all about records – what you kept, what you did not, how you verified records were complete and accurate, what your retention rules are, and so on.

When it comes to handling contract service providers, I’ve seen many companies try to adopt the same approach used in their quality agreements for change control — the generic clause “inform us of all changes.” Just as this change control clause is essentially unenforceable, so too are any clauses asking a CMO to “make sure all records have integrity” or “make sure all records are FDA-compliant.” And unenforceable contracts are not worth the paper they are written on.

There are, ultimately, two choices to avoid records issues with CMOs:

1. Write a contract that specifically spells out how your CMO is to retain records, what records it is to retain, what oversight and reviews of records your CMO is to conduct, by whom, how often, and so on. In other words, require in the contract that the CMO implement all the aspects of what you believe go into a good records retention program for FDA compliance, and then audit that regularly with dedicated records review due diligence; OR
2. Expect your CMO to already have an FDA-compliant records management program in place and conduct your on-site due diligence and quality system audits to verify compliance with this as it relates to records relevant to your product and company.

Frankly, both of these choices are a lot easier to state than to actually perform. In the case of a detailed contract, unless your view of what a good FDA-compliance records management program entails is similar to the viewpoint of your CMO, this will be an overly onerous — and thus overly costly — contractual set of obligations. The second choice, auditing your CMO to a set of basic record standards is certainly more viable, particularly if you have more than one CMO, but requires the ability to go beyond the typical quality system due diligence checklist based solely on FDA regulations. You need to audit records integrity, records retention and ownership, record reviews — e.g., who reviews the batch records to ensure they are complete and accurate? — and the CMO’s own internal records audits. This type of supplier due diligence speaks to broader FDA expectations, not just the written regulations (many of which are more than two decades old).

The FDA has its own acronym for what it expects when it looks at records: ALCOA. Or to quote FDA’s Deb Autor, director of the Office of Compliance, “Records must be Attributable, Legible, Contemporaneous, Original, and Accurate.” Firms need to retain the right information the right way, and they need to put in place proactive controls to prevent the loss of record integrity. That’s what the FDA inspects for and that’s what your on-site audits of your CMOs and other critical vendors must look for.

Final Thoughts

Records retention and management may be seen by some as “new” requirements. Nothing could be further from the truth. Records always have proved compliance or lack thereof. And when it comes to CMOs and other suppliers, your job is to make sure the right information is being retained with integrity for the right amount of time.

Are you ready?

(To respond to John’s Expert Opinion or to submit your own, please send us an e-mail)

John Avellanet is a private consultant and founder of the FDA compliance intelligence and lean quality system advisory newsletter, SmarterCompliance™. He is the author of the book, Get to Market Now (2010) and a contributing author to the book Best Practices in Biotechnology Business Development (2008). He can be directly reached through his independent advisory firm, Cerulean Associates LLC, on the web at http://www.Ceruleanllc.com, or through his blog at http://www.ComplianceZen.com.