Data Integrity Emerges as an Excipients Issue

Published on: 
Pharmaceutical Technology, Pharmaceutical Technology-09-01-2016, Volume 2016 Supplement, Issue 3
Pages: s20-s22, s34

IPEC consultant Irwin Silverstein discusses third-party audits and regulatory compliance issues facing suppliers and their customers.

The past few years have seen, not only the introduction of major supply-chain regulations in the United States and Europe, but changes in the way that pharmaceutical excipients manufacturing sites are evaluated to assess regulatory compliance. Manufacturers can now choose to undergo third-party audits to show that their excipient manufacturing operations comply with current good manufacturing practice (cGMP) regulations. Irwin Silverstein, consultant to the International Pharmaceutical Excipients Council (IPEC), shared his views with 
Pharmaceutical Technology.

Are mandates needed to drive standardization?

PharmTech: Has the pharmaceutical industry fully embraced the idea of standards for ensuring that excipient manufacturers follow cGMPs? 

Silverstein: Excipient makers still seem to be developing plans to meet the standard. I’m not sure how many pharmaceutical users expect their suppliers to comply. 

In addition, there is still some confusion about the differences between requirements for standards under the American National Standards Institute’s (ANSI) 363 vs EXCiPACT. In my personal opinion, there won’t be a lot of motivation for manufacturers to get certified, or to attempt to demonstrate compliance with cGMP standards, if certification is not made a regulatory mandate.

PharmTech: How many companies are standardizing?

Silverstein: When IPEC ran the International Pharmaceutical Excipient Auditing group IPEA (now part of NSF International), I would have expected all companies certified by IPEA as complying with cGMPs to embrace the standards. 

I’m not sure of the exact number, but I would think that, by now, the seven sites that IPEA had certified in the US would be in substantial compliance with the ANSI standard.

More facilities are being certified to EXCiPACT. Expectations for both certifications are essentially the same. Even companies in the US are now choosing to be certified by EXCiPACT, and these are not US-based subsidiaries of European firms, but US companies, which must pay to fly auditors over from Europe for the certification. Despite FDA’s support for standards, certification with ANSI hasn’t yet gained wide industry acceptance. 

FMD readiness

PharmTech: Can you comment on the industry’s readiness for European regulations under the Falsified Medicines Directive (FMD)? How are manufacturers and customers responding?  Where do you see gaps?

Silverstein: From what I’ve heard, customers are still somewhat confused about the role that excipient manufacturers should play. The regulations call for risk assessments, which require collaboration between manufacturers and customers, and, so far, I’m hearing that there hasn’t been that much contact between the two groups. 

If you manufacture pharmaceuticals for sale in Europe, whether you make the product in Europe or elsewhere, you have to comply with terms of the FMD for excipients.  Compliance requires that users perform a risk assessment of each excipient and excipient supplier, as well as separate risk assessments of each excipient’s role in the formulations in which it is used. Based on these two risk assessments, supplier quality indicators, and evidence that the supplier meets cGMPs, customers are supposed to get an idea of the extent to which the supplier should implement cGMPs. The supplier’s role is nothing more than supplying the information that customers need for the risk assessments. This type of information would include product data and specifics about grade and quality (e.g., whether ingredients are derived from animals, or whether the material was produced in a dedicated or multi-use facility, using dedicated or multi-use equipment). 

Their only obligation is to ensure that this information is sent to each pharmaceutical manufacturer customer, for each excipient they sell to them. They can meet this requirement by reviewing and updating their product information packages, and including all the information that will be needed for customers to be able to perform the required risk assessments.

When pharmaceutical manufacturers have determined their suppliers’ level of cGMP compliance, they are supposed to notify suppliers of any gaps through revised quality agreements. If many of these risk assessments had been completed, there would have been more agreements stipulating the degree of cGMP compliance expected. 

The apparent lack of information sharing involving users, manufacturers, and suppliers does not support the idea that excipient suppliers and customers have been aggressively implementing FMD requirements. Yet regulators, notably the United Kingdom’s Medicines and Health products Regulatory Agency (MHRA), have said that they will enforce this rule rigorously and would cite violating companies, as FDA would with a 483.  Even the threat of regulatory action doesn’t seem to be enough to motivate some suppliers.

The FMD’s intent is to require site visits, where customers audit supplier sites. Given the resources available, regulators have had to allow provisions for qualified third-party audits. 


As time goes on, there is a strong likelihood that suppliers will rush to certification, since European regulators will allow use of certification as a component of the risk assessment. Excipient manufacturers have too many customers to be able to collaborate with more than a very significant few. 

Third-party audits

PharmTech:  Regulators have voiced support and acceptance of third-party audits, in lieu of on-site inspections and audits by customers.  Why aren’t more companies adopting this approach?

Silverstein: Everyone seems to have reached the conclusion that third-party audit and certification is essential to meet expectations for on-site inspections. However, third-party audits will only become the norm when pharmaceutical manufacturers that rely on certification are confident that the audits will be accepted by regulators.

Big Pharma is cautious, and some companies may be afraid to rely on certification when they can send their own people out to inspect excipient manufacturers. They can do this because they are major customers for these excipient suppliers.  Smaller companies, however, and especially generic pharmaceutical manufacturers, don’t buy enough from these excipient suppliers to be able to do an audit onsite, so many of them continue to buy from uncertified manufacturers and suppliers. 

Lack of excipient cGMP certification does not mean that the excipient manufacturer is not complying either with the IPEC GMP guide or the standard, only that there is no independent verification. The question is how much emphasis is being placed on supplier qualification at these smaller firms.

Data integrity for excipients

PharmTech:  Data integrity has become a major compliance issue for API suppliers. Is it also a problem for excipient suppliers? What should their customers be focusing on, in vetting their quality systems and capability?  

Silverstein: ANSI 363 notes, in clause on computer systems, that provisions are to be made to ensure the maintenance of data integrity. Other clauses include portions that discuss data integrity for paper records.

Excipient manufacturers should perform a gap assessment analyzing their procedures and practices against requirements in FDA’s draft guidance on data integrity and the World Health Organization’s (WHO) guidance to get an idea of how well they are complying.

Data integrity is likely to be a key topic at IPEC meetings in September. IPEC has also added more training on data integrity in its general training programs, including its Level 1 course, which is geared to hourly employees. We wanted to reinforce basic best practices, such as the need to use unique passwords and not share them.

We also see the need to drive home the idea that any data that are written on paper and then transferred into a computer database, including chromatograms, must be retained in paper form as backup and must also include metadata.  Workers need to know how to maintain audit trails and ensure that they are working. We’re now planning to take this training to the next level, with a Level 2 course for supervisors.

It’s important to remember that data integrity does not only involve computers, but also paper documentation. Excipient manufacturers must examine the issue from various angles to ensure that they meet requirements when audited by a regulator, customer, or third-party auditor.

If any manufacturer complains that they lack the resources to be able to do this, the only resource that excipient manufacturers need is the wherewithal to do a gap assessment.  Requirements are spelled out nicely in the WHO guidance on data integrity. If pharma firms are using computers that are validated and that comply with 21 Code of Federal Regulations (CFR) Part 11 requirements, and being used correctly, they have established the right foundation for protecting data integrity.  

Excipient manufacturers can have problems establishing this foundation, however, since chemical companies often use legacy systems. Pharma is only one of their many industry customers, so many excipient manufacturers’ legacy systems are not Part 11-compliant.  

If you replace a programmable logic controller at a chemical plant, you need to ensure its safe operation. If you’re using a legacy system that has been running without incident for 30 years, but has no audit trails, there’s no incentive for an excipient manufacturer to invest in Part 11-compliant equipment. This is why training is so important. 

Article Details

Pharmaceutical Technology
Vol. 40
APIs, Excipients, and Manufacturing Supplement
September 2016
Pages: s20-s22, s34



When referring to this article, please cite it as A. Shanley, "Data Integrity Emerges as an Excipients Issue," APIs, Excipients, and Manufacturing 2016 Supplement to Pharmaceutical Technology 40 (9) 2016.