he Annual Report also highlights the Office of Compliance’s efforts to enforce the Drug Supply Chain Security Act (DSCSA) over the past fiscal year. These efforts include requesting and ordering recalls, issuing warning letters, and ramping up its efforts to oversee drug-related imports. Protecting the drug supply chain is a persistent priority for the FDA (and other federal authorities) as well, so this is also likely to remain an active area for enforcement in 2024.Drug Manufacturing ComplianceIn its FY2023 Annual Report, the Office of Compliance highlights several efforts to enforce drug manufacturers’ compliance obligations. It also identifies the most common citations in warning letters issued in connection with Current Good Manufacturing Practice (CGMP) violations. These were:Responsibilities of a Quality Control Unit (21 CFR 211.22) – 48 warning lettersControl and Testing of Components, Containers, and Closures (21 CFR 211.84) – 47 warning lettersWritten Procedures; Deviations (21 CFR 211.100) – 30 warning lettersProduction Record Review (21 CFR 211.192) – 16 warning lettersEquipment Cleaning and Maintenance (21 CFR 211.67) – 9 warning lettersHere, too, the scope and breadth of the Office of Compliance’s enforcement efforts indicates that this is a significant focus. With this in mind, as we move through 2024, drug manufacturers should invest the time and effort necessary to ensure that their operations are fully CGMP compliant.Drug Compounding ComplianceAs the Annual Report explains, over the past decade, the FDA has “released more than 60 policy documents, including 27 final guidance documents and three final rules,” related to drug compounding. While many of these efforts have targeted specific compliance concerns within the compounding field, the scope of the FDA’s efforts in this area make clear that compounding compliance broadly is a persevering concern for the FDA and CDER’s Office of Compliance. The Annual Report also notes that the Office of Compliance sent 11 wa

gov/regulatory-information/search-fda-guidance-documents/data-integrity-and-compliance-drug-cgmp-questions-and-answers-guidance-industry; Data Integrity and Compliance with Drug CGMP: Questions and Answers, U.S. Dep’t of Health and Human Services, Food and Drug Administration, Center for Drug Evaluation and Research, Center for Biologics Evaluation and Research, and Center for Veterinary Medicine (Dec. 2018), available athttps://www.fda.gov/media/119267/download. [12] 21 C.F.R. § 211.68(b). [13] 21 C.F.R. § 211.100(b). [14] 21 C.F.R. § 212.110(b).

FDA found the manufacturer’s 483 response to be inadequate as it failed to provide a comprehensive and retrospective assessment of all over-the-counter products which had been manufactured with components that had not been adequately tested to ensure adherence to quality attribute specifications. Failure to establish adequate written procedures for production and process control (21 CFR 211.100 (a) and (b)): Drug manufacturers failed to establish an adequate process validation program to evaluate the soundness of design and state of control of a process throughout the lifecycle of the drug product. FDA explained that one particular manufacturer’s procedure did not require an investigation and identification of root causes when products failed to meet quality requirements, and allowed for repeat testing and adjustments until the manufacturer achieved passing results.

Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).” Under footnote 5, the agency’s stated support for the proposition that ALL data for drug manufacturing should be “contemporaneously recorded” is the regulatory requirements at 21 CFR 211.100(b) and 21 CFR 211.160(a), which granted, do provide that documentation take place “…at the time of performance…”.However, these regulatory provisions are very narrowly tailored and refer specifically to, in the first instance, production and process control functions and, in the second instance, laboratory controls. The agency does not cite to any additional regulatory authority for the general notion enunciated in the answer to question 1(a) that ALL data must be contemporaneously recorded.Later in the document, in response to question 1(c) the guidance states: “CGMP-compliant record-keeping practices prevent data from being lost or obscured and ensure that activities are documented at the time of performance (see §§ 211.68, 211.100, 211.160(a), 211.188, and 211.

The draft guidance goes on to say that, in such instances, industry must document the data at the time of performance to create a record in compliance with the cGMP provisions. Yet, in support of this proposition, FDA cites to two regulatory provisions (21 CFR 211.100(b) and 21 CFR 211.160(a)) that, on their face, cannot reasonably be interpreted to apply to all records required to be kept under 21 CFR Part 211. This is fodder for another day, and perhaps a future blog posting.On the question of whether an internal tip regarding a quality issue, such as potential data falsification, can be handled informally outside the documented cGMP quality system, the answer in the draft guidance is a firm “no,” again despite the paucity of regulatory language that speaks to this issue.On the related question as to whether facility personnel need to be trained to detect data integrity issues as part of a routine cGMP training program, the agency is somewhat more circumspect, stating that training to detect data integrity issues “…is consistent with the personnel requirements…” under 21 CFR 211.25 and 21 CFR 212.10, though the agency does not go so far as to call it a “requirement” under the regulations.