In May 2013, the FDA published a draft guidance long sought by industry. Contract Manufacturing Arrangements for Drugs: Quality Agreements describes the agency’s current expectations for firms that outsource the production of drugs subject to current Good Manufacturing Practice (cGMP) regulations. The draft guidance comes five months after the European Union’s new cGMP regulations went into effect.

How does the FDA’s draft guidance stack against the rules now enforced by the European Medicines Agency (EMA)? Can we comply with both or are there gaps enough that risks abound?

Guidance Scope
Pharmaceutical, biotechnology and veterinary medicines firms have long pushed FDA to publish guidelines on how outsourcing of regulatory responsibilities should be set up and documented. The calls for this guidance became even more strident after the European Union (EU) published its draft version of the revised cGMP regulations that formally went into effect at the end of January 2013.

At 12 pages long, FDA’s draft guidance is longer than the EU’s revised cGMP rules governing contractual relationships, Chapter 7 of the cGMPs. While a cursory glance at the draft guidance might lead one to think the guidance focuses strictly on contract manufacturing of finished product, early on, the FDA clarifies that this guidance applies to any organization involved in “processing, packing, holding, labeling operations, testing, and operations of the Quality Unit” when it comes to making “active pharmaceutical ingredients (APIs or drug substances, or their intermediaries), finished drug products, combination products, and biological drug products” intended for commercial sale and/or distribution.¹ As is made clear in examples provided throughout the guidance, the list of contracted suppliers for whom a firm should have quality agreements includes not only manufacturing facilities, but also contracted laboratories involved in cGMP activities, contracted warehousing and distribution facilities involved in cGMP activities, information technology (IT) vendors hosting cGMP-related data (these often fall under the phrase “operations of the Quality Unit” as such data includes quality control data, release information, etc.), and any other such suppliers of cGMP-related services and products.

The broad scope of the draft guidance becomes clear upon full review, and dovetails precisely with the opening statement of the EU cGMP Chapter 7: Outsourced Activities, “Any activity covered by the GMP Guide that is outsourced should be appropriately defined, agreed and controlled in order to avoid misunderstandings which could result in a product or operation of unsatisfactory quality.”² FDA too notes that Quality Agreements are intended to “assure drug quality, safety, and efficacy” (thus their application to other suppliers other than contract manufacturers and API makers).³

Responsibility v. Accountability
While the EU cGMP Chapter 7: Outsourced Activities defines the roles of the two parties in a contract as the “Contract Giver” and the “Contract Acceptor,” the FDA has taken a more nuanced approach. To FDA, the Contract Giver is the drug product “Owner,” while the Contract Acceptor is the “Contracted Facility.” Part of this approach has to do with FDA’s ability to rely upon well-established, nationwide product liability rules in the U.S.: regardless of who gave or accepted a contract, the organization that “owns” the product introduced into commerce is accountable under U.S. law. Here’s one way to think of it — if you own the intellectual property or the trademark or the market license, you are the product Owner to FDA.

The second reason for FDA’s more nuanced approach is that the agency must also be able to enforce cGMP requirements on those suppliers whose activities would fall under cGMP regulation regardless of the existence of a “Contract Giver.” Because some suppliers to the industry, such as API makers and contract manufacturers, already fall under FDA regulations, some in the pharmaceutical and biologics industry had hoped to simply transfer their own accountability for cGMP compliance to a contracted facility; in other words, they wanted to outsource regulatory compliance to a supplier.

Instead, FDA’s draft Quality Agreement guidance has made clear the product Owner retains ultimate accountability for both compliance and drug quality, safety, and efficacy: “Final product release of finished goods for distribution must be carried out by the Owner and cannot be delegated to a Contracted Facility under the cGMP regulations or any terms of the Quality Agreement (21 CFR 211.22(a)).”⁴ FDA is clearly stating that outsourcing accountability is not only illegal, but that if companies try to get around this by mutually negotiating a transfer of accountability in a Quality Agreement, this will also be held by the agency as a violation of the Food, Drug and Cosmetic Act (FDCA).

In the days leading up to the draft guidance’s publication, FDA emphasized the inability of firms to delegate accountability by issuing five Warning Letters to firms for trying to do just this: Natures Health Options,⁵ Body Systems,⁶ Gucorell,⁷ Pristine Bay,⁸ and Entrenet Nutritionals.⁹ In each of these Warning Letters, FDA cites the Park Doctrine (from United States v. Park, 1975) to hold the firms and their management accountable for criminal wrongdoing even though they delegated cGMP work task responsibilities to their suppliers through contracts.

To the FDA, the Contracted Facility is only responsible for completing the actual work tasks as delegated by the product Owner. The product Owner is accountable for the compliance of those work tasks and for the quality, safety, and efficacy of any resulting drug product.

In other words, it is the company officers of the product Owner who are liable for any violations of the cGMP and FDCA occurring during the production of their drug, irrespective of who — a product Owner’s own employees or a supplier’s employees at a Contracted Facility — actually violated the law or regulation. To those with familiarity with the Park Doctrine or product liability litigation, this should come as no surprise.

That said, the FDA draft guidance makes clear that a Contracted Facility which would normally also have to comply with the cGMPs and the FDCA may still potentially be in trouble for allowing an unsafe or ineffective product to be produced at their facility or a non-compliant process to continue to be followed: “A Quality Agreement does not exempt Contracted Facilities from cGMP requirements related to the operations they perform . . . because, regardless of the allocation of responsibilities in the Quality Agreement, the Contracted Facility cannot essentially agree to manufacture under non-cGMP conditions.”¹⁰

Thus, the FDA would be able to issue two Warning Letters: one to the product Owner for breaking the cGMPs and the FDCA, and one to the Contract Facility for complicity.

Technically, the EU revised cGMP Chapter 7: Outsourced Activities also identifies ultimate accountability as lying with FDA’s product “Owner” (the EU’s “Contract Giver”), “The Contract Giver is ultimately responsible. . . ”¹¹

Role of the Quality Unit
For small companies and so-called virtual pharma firms, FDA’s insistence on product Owner accountability comes at a heavy price. Many such virtual pharmas have entirely outsourced their Quality Unit to suppliers; this is integral to their current business model and will entail some changes. Having a contract manufacturer produce a drug product batch, quality control check the batch, and then release the batch, all without knowledgeable, informed input and approval from the product Owner, is clearly problematic under the draft guidance: “Owners are ultimately responsible for approving or rejecting drug products manufactured, processed, packed, or held under contract by another company. . . . [F]inal product release of finished goods for distribution must be carried out by the Owner and cannot be delegated. . . ”¹² How will a small or virtual pharma, which may have no knowledgeable quality professional, be able to review and release finished drug product without reliance on the contract manufacturer’s personnel?

The EU rules rely upon the role of the independent Qualified Person (QP) under the Contract Giver to release each batch of product. FDA does not have this QP concept, although one could read aspects of the draft guidance, particularly the Quality Unity responsibilities section, as inching toward assigning the roles of the EU’s QP to the Quality Unit.

One means for a small or virtual pharma to comply with the draft guidance and the EU’s revised cGMP regulations is for the product Owner to hire an independent individual or organization to serve as a Qualified Person so as to not rely solely upon the Contracted Facility’s internal Quality Unit. For FDA compliance purposes, there are many ways in which this independent Quality Unit could be achieved — periodic sampling and testing of finished product through separately contract laboratories, frequent onsite audits that always review production and batch release processes and records, and so on. The key is that the product Owner is not allowed to outsource finished product release to the same Contract Facility that made the finished product.

Defining a Quality Agreement
In the new draft guidance, FDA defines a Quality Agreement as establishing “the obligations and responsibilities of the Quality Unites of each of the parties involved…. The Quality Agreement should clarify which of the cGMP activities are to be carried out by each party per applicable regulations….”¹³ The impetus for Quality Agreements comes from several cGMP guidelines published by the International Conference on Harmonization (ICH), specifically Q7: Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients (2000), Q9: Quality Risk Management (2005), and Q10: Pharmaceutical Quality System (2008). The EU’s revised cGMP Chapter 7: Outsourced Activities specifically cites the ICH Q10 guideline as a driving reason for the revision of Chapter 7 and the controls therein.

FDA recommends that Quality Agreements should not be mixed into commercial or business agreements covering issues such as pricing, liability, and so on. And just as a confidentiality agreement is usually severable from a commercial agreement, although still incorporated by reference, so too should a quality agreement be severable from any other contractual agreements.

FDA is not stating that a Quality Agreement is only between quality departments at the product Owner and the Contracted Facility; indeed, FDA has cited firms in FDA-483s for creating such “gentlemen’s agreements” as being non-enforceable and non-binding.¹⁴ Instead, the agency is making clear that it sees a Quality Agreement as a legally-binding contractual document on par with a stand-alone mutual non-disclosure agreement or a commercial contract. In this vein, the agency references its use of income tax information from the U.S. Internal Revenue Service (IRS) to help determine the Quality Agreements it expects to see between a product Owner and its commercial suppliers.¹⁵ Thus, for a product Owner with six different suppliers falling under the scope of the Quality Agreement guidance, FDA would expect the firm to have six different commercial contracts and six corresponding Quality Agreements, all mutually negotiated and legally executed by officers of each company. Given the relationship of a Quality Agreement to product liability and compliance with the FDCA as revised by the Food and Drug Administration Safety and Innovation Act (FDASIA), understand that Quality Agreements are legally binding contracts that FDA investigators will expect to see during inspections.

Likewise, the EU revised Chapter 7: Outsourced activities points out that contractual agreements on activities under the cGMP, not just the regulated processes themselves, are “. . . subject to inspection by the competent authorities.”¹⁶

Quality Agreement Structure
In the draft guidance, FDA recommends that a Quality Agreement contain five core elements:

1. Purpose and scope
2. Terms (including effective and termination dates)
3. Provisions for dispute resolution
4. Responsibilities for the product Owner versus the Contracted Facility
5. Managing change and revisions.¹⁷

Buried throughout the section discussing these elements (section IV of the draft guidance), FDA alludes to a further un-numerated critical element that is likely to be the source of future FDA-483 observations and Warning Letters if not addressed adequately: Plans for handling deviation investigations (i.e., corrective and preventative actions, or CAPAs). Because CAPAs are a high priority target during inspections, consider “Handling and communicating deviations” a sixth core element. Expect to see FDA investigators examine deviations at a Contracted Facility to see if blame can be assigned to the product Owner for poor supplier oversight, introduction of an adulterated product into interstate commerce, and violating the tenets of the Park Doctrine (along with expectations stemming from United States v. Dotterweich, 1943).

FDA devotes several pages in the guidance to discussing delegation of work task responsibility and managing change. Aside from ensuring product Owner accountability and examining how deviations are communicated, investigated, and resolved under a Quality Agreement, responsibilities for work task completion and change management are the two areas most likely to draw FDA investigator scrutiny.

Delegation Clarity
As discussed earlier, the Contracted Facility (e.g., the Contract Acceptor) is only responsible for carrying out the outsourced work tasks. The product Owner (e.g., Contract Giver) retains accountability for compliance and product quality, safety, and efficacy. FDA expects to see this clearly spelled out in the Quality Agreement. The agency suggests that one method is to track the subparts of the cGMP regulation and list who is responsible for what activity under each subpart.18 This is similar to the current Good Clinical Practice (cGCP) approach for documenting responsibility and delegation of clinical trial activities. In delegating clinical trial activities, many firms take a simple grid approach and this can be applied to a Quality Agreement as well, with a result that might look like Table 1.




















Throughout its discussion of responsibilities, FDA identifies many items the product Owner should incorporate into an audit of a potential Contracted Facility including cross-contamination controls, traceability controls, equipment maintenance, and environmental monitoring. Likewise, the EU’s revised cGMP Chapter 7: Outsourced activities identifies several similar areas of concern which should be expected to come under inspection scrutiny: “The Contract should describe clearly who undertakes each step of the outsourced activity, e.g. knowledge management, technology transfer, supply chain, subcontracting, quality and purchasing of materials, testing and releasing materials, undertaking production and quality controls (including in-process controls, sampling and analysis).”¹⁹

Change Control Clarity
FDA expects a Quality Agreement to clearly identify specific types of changes in which the product Owner must be involved. FDA is not a fan of all-encompassing, blanket “all changes” phrasing, as this leaves far too much open to interpretation.

FDA expects a Quality Agreement to identify three types of changes:

1. Changes that require product Owner review and approval prior to the change
2. Changes that require product Owner notification only
3. Changes that do not require involvement or notification.²⁰

In all cases, such changes should only be those that fall within scope of the outsourced activities delegated from the product Owner to the Contracted Facility. And in the case of changes not requiring either Owner review/approval or notification, FDA expects such changes to present little to no risk to product quality, safety or efficacy, or to regulatory compliance. As an example, FDA expects that the product Owner will have some degree of input into review and approval of a Contracted Facility’s standard operating procedures (SOPs) and policies that directly relate or otherwise govern the delegated work tasks. In this vein, FDA suggests that product Owners give serious consideration to “. . . adopting the terms and procedures used by Contracted Facilities in order to reduce the likelihood of misinterpretation and personnel error during actual manufacturing.”²¹ In other words, FDA has recognized an inconvenient reality: rather than encouraging standardization and control, the more a product Owner foists its own SOPs onto suppliers, the greater the likelihood of error, the more deviation investigations, and more change controls that will be necessitated, thus driving down product quality, safety, and efficacy, and reducing compliance. Thus, the suggestion to adopt a supplier’s own SOPs while retaining change involvement for those SOPs that directly impact or govern the delegated work tasks.

The EU’s revised cGMP Chapter 7: Outsourced Activities only alludes to the need for change to be managed and controlled, “The Contract Acceptor should not make unauthorized changes, outside the terms of the Contract, which may adversely affect the quality of the outsourced activities for the Contract Giver.”²² Thus, complying with FDA’s draft guidance on controlling changes will also ensure compliance with the EU’s change control expectations in its revised cGMP on outsourcing regulated activities.

Five “Hidden” Requirements
First, as part of supplier selection, a product Owner needs to conduct a risk review to determine the type and extent of controls to be associated with a supplier (e.g., Contracted Facility) and thus the degree of detail necessitated in a Quality Agreement.²³ This stems from FDA’s interpretation of how firms should be implementing the ICH guidelines. Those aware of the Purchasing Controls section of 21 CFR 820.50 will note similiarity in this guidance’s expectation of risk-based supplier oversight.

Second, the records resulting from all outsourced activities —batch records, incoming materials acceptance, analytical test results, etc. — belong to the product Owner. Thus, care needs to be given to ensure the right records (either from or at the supplier) are retained for the right length of time under the right conditions to ensure long-term integrity. Proper records retention and integrity falls in line with FDA recordkeeping requirements and helps mitigate some of the risks associated with product liability litigation. Within the “Documentation” subsection of the draft guidance is the expectation that firms have an SOP to make and maintain certified copies of cGMP-required records.²⁴ This SOP and others associated with good FDA recordkeeping and data integrity are essential controls to make sure are addressed in the Quality Agreement.

Third, cGMP-related records — if kept digitally — are to “be stored in such a manner as to maintain their traceability, reliability and integrity throughout the required recordkeeping timeframes…”²⁵ In other words, the Quality Agreement should identify and document how the product Owner and the Contracted Facility will ensure the compliance of any digital records with 21 CFR 11 Electronic Records; Electronic Signatures (e.g., Part 11).

Fourth, an appendix within the Quality Agreement should incorporate many elements normally found in a drug master file. Specifically, this should include “. . . product/component specifications, defined manufacturing operations, including batch numbering processes. . . ”²⁶ Those familiar with drug master file contents, quality by design, or even device master records will recognize FDA’s intent: verifying that the Contracted Facility and product Owner have agreed upon and documented critical product quality attributes (CQAs) and critical process quality parameters (CPPs). FDA’s guidance subtly encourages a further march toward full implementation of quality by design.

Fifth, the Quality Agreement must document the ability of the product Owner to audit the Contracted Facility and its relevant outsourced cGMP activities: “Quality Agreements should also provide for Owners to evaluate and audit Contracted Facilities to ensure cGMP compliance for the specific operations occurring at the contract sites…”²⁷ At first glance, this requirement might seem to imply that the product Owner has to assume liability for the overall cGMP compliance of a supplier. However, careful reading identifies that this auditing for compliance is specific to those operations actually outsourced to a supplier. Whether this also carries with it an expectation that ‘implementing processes’ such as training are also technically “outsourced” (even if not specified in a contract) will only be clear once FDA begins to inspect and enforce using the final guidance.

All five of these “hidden” requirements are either stated outright or are otherwise implied in the EU’s revised cGMP Chapter 7: Outsourced Activities. That supplier controls are to be based upon an evaluation of the risk of the supplier and its impact to product quality, safety, and efficacy is captured early on: “The Contract Giver is ultimately responsible to ensure processes are in place to assure the control outsourced activities. These processes should incorporate risk management principles…”²⁸ Documentation and records are addressed in subsection 7.16: “All records related to the outsourced activities, e.g. manufacturing, analytical and distribution records, and reference samples, should be kept by, or be available to, the Contract Giver.”  Note that the EU regulations go further and require that such record types should also be delineated in the “relevant procedures of the Contract Giver”²⁹ (i.e., the SOPs of the product Owner should identify the types of records produced by following the procedure).³⁰ And the integrity of electronic records is embedded as compliance with Annex 11 in sections 7.8 and 7.10: “The Contract Giver should be responsible for reviewing and assessing the records and results related to the outsourced activities. He should also ensure . . . that all products and materials [including data] delivered to him by the Contract Acceptor have been processed in accordance with GMP and the marketing authorization,”³¹ and, “The Contract Acceptor should ensure that all products, materials and knowledge delivered to him are suitable for their intended purpose.”³²  Quality by Design and drug master file elements are incorporated by definition into the phrase “all information and knowledge necessary” found repeatedly in the revised Chapter 7. And lastly, in terms of auditing, the EU regulations specify that the “Contract should permit the Contract Giver to audit outsourced activities performed by the Contract Acceptor or his mutually agreed subcontractors.”³³

Finally, recognize that in one area, FDA’s guidance does not go as far as the EU regulations: subcontracting. The EU regulations unequivocally state, “The Contract Acceptor should not subcontract to a third party any of the work entrusted to him under the Contract without the Contract Giver’s prior evaluation and approval of the arrangements. Arrangements made between the Contract Ac-ceptor and any third party should ensure that information and knowledge, including those from assessments of the suitability of the third party, are made available in the same way as between the original Contract Giver and Contract Acceptor.”³⁴

FDA simply states, “The Contracted Facility should notify the Owner of changes, including but not limited to, raw materials and starting materials and their suppliers. . . .”³⁵ This may work for general tier 2 and further suppliers, but is insufficient to protect product Owners from suppliers who turn to shadow facilities and shady subcontractors. It is a surprising omission from an agency increasingly worried about the pharma supply chain.

Final Thoughts
Given the intent of a solid Quality Agreement — “. . . to delineate responsibilities and assure the quality, safety, and effectiveness of drug products…” — a well-crafted Quality Agreement is worth its weight in gold.³⁶ This is especially true in light of the FDA guidance’s clear similarity to the EU’s revised cGMP regulation Chapter 7: Outsourced Activities. Whether the guidance document will be enough, or will require more FDA Warning Letters and product seizures, remains to be seen. The suggestions and analyses in this article should help you avoid trouble and inefficiencies by making the most of the guidance and the new EU rules. Are you ready? 

References

1. FDA, Guidance for Industry – Contract Manufacturing Arrangements for Drugs: Quality Agreements, draft guidance, May 2013, p. 1.
2. European Commission, Health and Consumers Directorate-General, Good Manufacturing Practice for Medicinal Products for Human and Veterinary Use, Chapter 7: Outsourced Activities, June 2012, p. 1.
3. FDA, Guidance for Industry – Contract Manufacturing Arrangements for Drugs: Quality Agreements, draft guidance, May 2013, p. 1.
4. Ibid, p. 6.
5. FDA Warning Letter dated April 2, 2013, at http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2013/ucm351946.htm, accessed on 21 August 2013.
6. FDA Warning Letter dated April 8, 2013, at http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2013/ucm351883.htm, accessed on 21 August 2013.
7. FDA Warning Letter dated April 24, 2013, at http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2013/ucm352011.htm, accessed on 21 August 2013.
8. FDA Warning Letter dated April 26, 2013, at http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2013/ucm350469.htm, accessed on 21 August 2013.
9. FDA Warning Letter dated May 8, 2013, at http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2013/ucm351662.htm, accessed on 21 August 2013.
10. FDA, Guidance for Industry – Contract Manufacturing Arrangements for Drugs: Quality Agreements, draft guidance, May 2013, p. 10.
11. European Commission, Health and Consumers Directorate-General, Good Manufacturing Practice for Medicinal Products for Human and Veterinary Use, Chapter 7: Outsourced Activities, June 2012, §7.4, p. 1.
12. FDA, Guidance for Industry – Contract Manufacturing Arrangements for Drugs: Quality Agreements, draft guidance, May 2013, p. 6.
13. Ibid, pp. 4-5.
14. Speeches by Hidee Molina and Kim Trautman as cited in “Current FDA Supplier Control Expectations,” Smarter-Compliance™ newsletter, Vol 5, Issues 9-10, 2011, pp. 5, 10.
15. FDA, Guidance for Industry – Contract Manufacturing Arrangements for Drugs: Quality Agreements, draft guidance, May 2013, p. 5.
16. European Commission, Health and Consumers Directorate-General, Good Manufacturing Practice for Medicinal Products for Human and Veterinary Use, Chapter 7: Outsourced Activities, June 2012, §7.13, p. 2.
17. FDA, Guidance for Industry – Contract Manufacturing Arrangements for Drugs: Quality Agreements, draft guidance, May 2013, pp. 4-9.
18. Ibid, p. 5.
19. European Commission, Health and Consumers Directorate-General, Good Manufacturing Practice for Medicinal Products for Human and Veterinary Use, Chapter 7: Outsourced Activities, June 2012, §7.15, pp. 2-3.
20. FDA, Guidance for Industry – Contract Manufacturing Arrangements for Drugs: Quality Agreements, draft guidance, May 2013, pp. 8-9.
21. Ibid, p. 5.
22. European Commission, Health and Consumers Directorate-General, Good Manufacturing Practice for Medicinal Products for Human and Veterinary Use, Chapter 7: Outsourced Activities, June 2012, §7.12, p. 2.
23. FDA, Guidance for Industry – Contract Manufacturing Arrangements for Drugs: Quality Agreements, draft guidance, May 2013, pp. 3-4.
24. Ibid, p. 8.
25. Ibid, p. 8.
26. Ibid, p. 7.
27. Ibid, p. 6.
28. European Commission, Health and Consumers Directorate-General, Good Manufacturing Practice for Medicinal Products for Human and Veterinary Use, Chapter 7: Outsourced Activities, June 2012, §7.4, p. 1.
29. Ibid, §7.16, p. 3.
30. Ibid.
31. Ibid, §7.8, p. 2.
32. Ibid, §7.10, p. 2.
33. Ibid, §7.17, p. 3.
34. Ibid, §7.11, p. 2.
35. FDA, Guidance for Industry – Contract Manufacturing Arrangements for Drugs: Quality Agreements, draft guidance, May 2013, p. 9.
36. Ibid, p. 12.

---

John Avellanet is an award-winning FDA compliance expert known for his business-savvy advice and trusted expertise. He serves as the IRO for a multi-million dollar consent decree and was the lead author of several certification courses for the US Regulatory Affairs Professional Society. His most recent book, Get to Market Now! Turn FDA Compliance into a Competitive Edge in the Era of Personalized Medicine, was featured at BIO 2011. He can be directly reached through his independent FDA consulting and quality systems firm, Cerulean Associates LLC, on the web at http://www.Ceruleanllc.com.