Offshore Supplier Quality: Trust, But Verify

Published on: Pharmaceutical Technology, Pharmaceutical Technology-08-01-2016, Volume 2016 Supplement, Issue 2
Pages: s40–s44

Training and mock audits are the key to preventing data integrity issues with partners offshore, but the process must start at home. Compliance consultant John Avellanet shares best practices and ways to minimize costs.

For the past few years, data integrity problems, mainly at facilities outside the United States and Europe, have dominated pharma compliance news. Of the 25 warning letters that FDA issued between May 2015 and May 2016, 78% pointed to data integrity issues, and most of them were found at contract manufacturing facilities in India and China (1). Considering the fact that 40% of the pharmaceuticals sold in the US, and 80% of the APIs, are manufactured offshore (2), any misunderstandings can translate into serious quality problems, placing patients at risk.

The most flagrant failures to maintain data integrity include the following (3):

  • Hiding failed quality test results

  • Retesting and reintegrating test samples until they pass quality tests

  • Changing dates and time stamps

  • Completing batch records after hours.

FDA inspection notes suggest that operators and technicians at some facilities in developing countries may misunderstand the basic purpose of an inspection, and react with fear and panic to inspector requests. For instance, in March 2015, at Zhejiang Hisun Pharma in China, when an operator removed a memory stick from a computer and the inspector asked for it, the operator turned and ran away (4). In prior inspections in India, when inspectors approached staffers, they tore up paper documentation or poured samples down the drain (5).

Pharmaceutical companies have been taking steps to shore up training and to verify quality management at offshore supplier sites. However, it can be difficult to get senior management’s support or a large budget for the work required. In addition, even seasoned employees may have problems making the leap from understanding good documentation practices to grasping how those practices extend to data integrity, and how both play out in the digital world. Pharma compliance expert John Avellanet, principal of Cerulean Associates, LLC, recently shared best practices in an interview with Pharmaceutical Technology.

Assessing a global problem

PharmTech: Why are we seeing so many data integrity issues at facilities abroad?

Avellanet: The reasons are, in part, cultural. In the US and Western Europe, we are used to being inspected by regulatory agencies as well as independent third parties such as the International Organization for Standardization (ISO).

In addition, in some regions there can be a tendency to think in terms of rigid cultural constraints about information, as in ‘Don’t tell the people in management about a problem, not only because they could fire you, but because they might be from a different culture, or a different social class, etc.’ I admit that often it’s hard for me to realize what assumptions underlie the Western way of just doing plain old business. You can train someone for 365 days a year on the importance of informing his or her supervisor if a mistake is made or spotted, but if the individual’s entire culture says ‘People from your walk of life shouldn’t make waves or you’ll get in trouble,’ your training is falling on deaf ears.

However, cultural issues are not the only root cause, which is really two-fold: There’s culture and there is money. Culturally, these contract companies in various places around the globe may not be used to doing business outside of their regions, so they don’t know what to expect, or what the basic norms and minimal requirements are for firms from the US or Western Europe. At the same time, US and European firms are looking to reduce spending, so the second root cause factor is cost.

PharmTech: Is there a fundamental misunderstanding of what constitutes data integrity in a digital world, even at companies in the US and the European Union?

Avellanet: The problems really start at the sponsor companies. It is difficult to translate the good documentation practices that we have all grown up with into good electronic data practices. How do you translate ‘Don’t sign, except in blue or black ink,’ in the digital world? You’ll still have quality and purchasing staff at sponsors who don’t really understand best practices, since they are outside of their comfort zone of knowledge and activity. They’ve grown up in a paper and ink world. When they have to go out to monitor contract service partners, they usually aren’t given anything specific associated with data integrity to check against (i.e., beyond just having policies and procedures required for data integrity, and internal audit requirements). This information often isn’t being gathered, or isn’t even known by the sponsor firm, which is why firms in the US and EU are also getting into trouble because of poor supplier oversight.

There is no point discussing audit trail reviews when people still don’t understand why data integrity is so important for safe or efficacious product. What has helped educate people is the fact that regulators are issuing more warning letters and guidance documentation, and getting the word out that this is serious and foundational.

Management has not always grasped the importance of data integrity, but now they are starting to realize that data integrity issues can jeopardize time and money (i.e., the bottom line) in both the short and the long term.

Supplier qualification audits, even for critical suppliers, are still dealing with traditional things (e.g., training and corrective actions and preventive actions [CAPA]), stuff that you would have been asking about 40 years ago. Sponsors have to train their people to ask more specific data integrity questions during audits.

PharmTech: Is there a fear of micromanaging suppliers?

Avellanet: There may be, but I always say ‘trust your people, but verify their work.’ If people don’t know what to do, they can make mistakes without realizing it.

For example, if I receive a shipment from an API supplier, I need to test it for strength and quality. A number of firms will take samples and run tests on the lab systems to ensure that those systems can pick up on any problems, but they’ll do it from the systems suitability angle. FDA has already said that this is a big no-no, but unless people learn that this is a bad thing to do, and why, as well as what to do instead, they will continue to do it.

PharmTech: Do companies take too much for granted where data integrity is concerned?

Avellanet: The problem is that people over 30 at pharma companies may often still think in terms of paper. At some point, someone may say ‘I’m going to run seven tests and just print out and keep the ones that passed, rather than the other four that failed,’ without realizing that, in the digital age, that is actually a problem. We have the tools and techniques now to see, quickly, that you didn’t keep all the data associated with these failing tests. What’s going on?

We have supervisors trusting their people not to do this, but, all too often, the supervisor isn’t periodically verifying that their people haven’t fudged data, or haven’t fully included all data, even the failing results.  The quality department wants to trust people but is so focused on quality systems that they may not have the resources or knowledge to go back to double check that supervisors are working correctly or checking the audit trails of their people in the lab or on the production floor.

I always suggest breaking the problem down into smaller pieces. Supervisors, for instance, needn’t look at each lab tech’s work every day or every week. Just take one hour a month, go in and take each person’s lab notebook and look at the audit trails and files they generate. Generally, it will take about five minutes to spot problems.

PharmTech: In the end, who is most responsible for data integrity, or does it require a multi-disciplinary approach?


Avellanet: In the old days, you could have the quality guy go and look at the basics (e.g., blue or black ink signatures). But in the digital age, quality alone cannot do this. It also requires IT and records management staff, since archiving and long-term data storage are so critical.

You’ve got to have an IT person in the room to explain that nightly backups result in records being overwritten every 30 days.  You don’t want to have an eye-opening moment when FDA asks for a batch record from two years ago, or calibration records from seven years ago, and you can’t find them in your digital archives because now that calls into question the controls that you have on all of your digital data, both current and historical.

Getting past paper

PharmTech: Are there specific problems to keep in mind?

Avellanet: In the past, people would simply print out and file paper records. They don’t do that anymore, so where are those old electronic files today? How do you know that they haven’t become corrupted? Let’s say you need information on an adverse event from 10 years ago. On paper, that wasn’t a problem but it is for electronic data.

If you created an adverse event file in WordPerfect nine years ago, you won’t be able to open it in MS Word today. Think about the most popular word processing software on the planet when FDA wrote 21 Code of Federal Regulations (CFR) Part 11. It was WordPerfect. Now, it’s Microsoft Word. Today’s Word cannot open WordPerfect files. How do you maintain ‘legibility’ when you can’t even open the file?

All too often, we are still thinking in terms of paper, when the reality is that we have massive databases full of huge amounts of data. How do you find a specific data point or mine that data to find trends? Where do you draw the line of ‘Okay, this is enough data to trend. Is it last year’s data on adverse events, or the past five years’ worth, or the past 10 years’ worth?’ Long ago the decision was easy. It would have been a nightmare to try to trend five years’ worth of data on paper, but now you can do it in 30 seconds with the right database system and data mining tools in place. At this point, most companies don’t have that kind of system in place. They can’t do everything, so the challenge is how to streamline and simplify what they can do so that it can fit within their current quality system.

For example, in the labs, you want your supervisor, on a quarterly basis, to pick one analyst and match what he or she has put in the notebook vs. what he or she did on a particular machine. For instance, what were the high-performance liquid chromatography (HPLC) runs, and which one passed versus what was recorded? Just doing this once a quarter with one analyst will give an idea of performance. Ideally, you’d do it every week but this is the real world of budget and resource limits. I’d roll that into my supervisor’s self-assessment of their lab functionality and their personnel effectiveness. If a lab is working on an especially high-risk project (e.g., product release), then this should be done once a month rather than quarterly.

The next rule of thumb is to audit the lab to ensure that the supervisor is doing periodic reviews. You need to know where this is being documented and how often, and have the supervisor walk you through it. So, rather than set up something completely unique, build it into your current internal audit that the quality assurance department should already be doing once a year in the lab. Double check that logbook versus audit trail comparisons were being made by the supervisor. It’s maybe five minutes of extra work for something that you are already doing.

In manufacturing environments, problems can occur, for instance, when the computer is at one end of the floor and the production equipment with the display unit is on the other end. If technicians or operators write information down on pieces of paper to enter it in the computer later, be sure that they hold on to that paper, instead of throwing it away after they’ve entered it into the computer. It should become part of the overall batch record, including operator name, date, shift number, and lot. You need to ensure that people are doing this and that the manufacturing supervisor spot checks and ensures that they are doing that, dating and signing the records. If you run five lines, but only have four papers filed, something is wrong.

PharmTech: Is there a fundamental problem with the way that pharma companies are handling training?

Avellanet: As a former FDA inspector used to say, people have to understand that, for you, an inspection is a big deal. For the inspector, it’s just another day at the office. When you do supplier qualifications in another country, ask to look at the training that they provide people for preparing for inspections. Do they say things like ‘have good data integrity?’ or do they go into the details of what’s expected in real world situations at the company?  It’s easy to stand up at a conference and pronounce ‘Thou shalt always,’ but, back in the real world, where I don’t have the money for a new HPLC with all the bells and whistles and I have to work with this HPLC or FTIR that has no audit trail capability on it, what should I do?  That’s what you should be looking for at your suppliers.  How did they address those real-world issues with their real-world equipment that they are using for you and your data?


Setting clear expectations

PharmTech: How can companies get suppliers’ staffers over any fear of inspections?

Avellanet: I always suggest that companies first develop a data integrity program, and distill the main points into a 30-minute training course for critical suppliers (e.g., API suppliers and contract manufacturing organizations).

This training should be given to the management team at that supplier, especially if it is a critical supplier. It sends the message: these are our expectations, this is what regulators are demanding, you are generating data for us and we are going to audit you based on this.

So you set the expectations and ensure that the contract sets them, and outlines the procedures, training, and records required to show that you do this. Then you say that you will be back within a certain time frame to audit.

If you have all the records to show that you did this, your team will not be blamed for any problems at that supplier that lead to warning letters. Then you can say, with a clear conscience, ‘We were clear in our documented expectations. The fact that the supplier chose not to fulfill those expectations is not my fault.’  It will be your responsibility, however, if you continue to do business with that supplier, or if you don’t put in mitigating controls of your own.

But, by far, the most important group to train in data integrity is senior managers, since they own the money. Perform a data integrity gap analysis and training for your own company, then use it as a baseline for supplier training and to help them focus their efforts.

Planning for mock audits

PharmTech: How important are mock audits, and should they be unannounced?

Avellanet: Mock audits are really important. Instead of having an expert audit your suppliers, it may be cheaper to have your own operations audited, see what is being asked, and then use that to build a framework for auditing your suppliers. You can do a ‘train the auditor’ type of workshop or have your four top auditing experts follow the expert around, so that the outside expert runs the first two audits, but your own people do the last two.

It is particularly important to focus on behavioral issues and the presence or lack of sustainable proactive controls. For example, questions to ask include: Is the lab supervisor periodically checking his or her supervisors’ work? Is everyone in the lab having his or her work checked on at least once or twice a year? These audits are particularly important for API suppliers, since they may feel more removed from your internal processes than contract manufacturers.

PharmTech: How long should each audit run?

Avellanet: Generally, if things are going well, it should take two days. If things aren’t going that well, then it is important to develop prioritized ‘to do’ lists, both short- and long-term, and spend a third day planning remedial efforts.

In general, I’d never recommend more than three days for a data integrity audit, in part because a data integrity audit (where you’re just looking at data integrity controls and effectiveness) is so much more detailed than a quality systems audit and you’re looking for things across multiple documents and systems that may not link up. 

PharmTech: How do you prioritize what to focus on?

Avellanet: It’s best to look at typical high-risk areas for standard operating procedures and activities. Inspectors at the United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA) have found these general areas to be the most critical:

  • Batch release data from manufacturing

  • Long-term stability data

  • Pharmacovigilance and complaint handling

  • Data that come from automated processes associated with direct product production and testing.

Then it will be important to look at training records. Once you know there are data integrity issues, parse out what they are and whether they can be combined so that one remediation task can fix several issues.

PharmTech: How should the ‘inspector’ interact with staff during the audit?

Avellanet: There are two styles: good cop, where you tell people what they should look for and ask them to tell you if they don’t have relevant procedures in place, and bad cop, where you rake people over the coals because you don’t trust what they’re going to tell you.

By and large, people don’t want either the good cop or bad cop approach, but, instead, they want an audit that helps them figure out their performance gaps and, even more importantly, how to remediate them. You don’t need to hear what your problems are, but various control options that you can use to fix or mitigate each one. Remember that the perfect fix for one company may not work for your firm.

Unannounced audits bring a sense of urgency, but only after the company has responded to an initial gap analysis.

PharmTech: How long should you monitor each supplier?

Avellanet: In an ideal world, this could be done in six months, but, in reality, it will generally take two to three years. You focus first on high-risk areas with high-level project plans, and then go after low hanging fruit.

Generally, for suppliers with remediation issues, audits should be done after 30 days, 90 days, then six months, 18 months, and two years. After that point, a follow-up assessment should be done within the next two or three years to ensure that operations remain on course.

If you have a ton of sites to oversee, it may be a good idea to group similar sites together and hire experts to perform gap assessments at each of, say, four types of sites for a baseline reading. The follow up can then be done at one of the sites in each category. Get project leaders for the other similar sites on the phone and extend the results from that site to them. This approach gives you the most bang for the buck and helps ensure that people are on the right track.


1. D. Farquhar et al., “International Pharmaceutical Supply Chain Imperiled Like Never Before,” Webinar sponsored by Dechert LLP and Hyman Phelps and McNamara, June 22, 2016.
2. H. Sklamberg, Counterfeit Drugs: Fighting Illegal Supply Chains; Hearing Before the House Committee on Energy and Commerce, Feb. 27, 2014.
3. P. Katz, Speech to PDA, March 16, 2016.
4. A. Edney, “Chinese Drug Ingredient Supplier Draws 61 Complaints of Flaws,” January 12, 2016.
5. A. Gaffney, “Warning Letter to Wockhardt Details Extraordinary Failures, Efforts to Deceive FDA Inspectors,” July 23, 2013.

Article Details

Pharmaceutical Technology Outsourcing Resources Supplement


When referring to this article, please cite it as A. Shanley, “Offshore Supplier Quality: Trust, But Verify,” Pharmaceutical Technology Outsourcing Resources Supplement 2016.