Common Data Integrity Points of Failure: 3rd Party Management

What is the challenge?

Regulated companies typically outsource or employ a third party to simplify a process or reduce risk.
For example, when moving manufacturing components off-site, the company will bring in teams of experts to support the project. However, it is important to remember that even when contracting experts with GMP responsibilities, the parent company retains responsibility for maintaining data integrity. In fact, extra care is often required to ensure that ‘out of sight’ does not become ‘out of mind’.

How are 3rd party data integrity concerns regulated?

Regulators are increasingly focusing on the parent company’s responsibility for data integrity, as evidenced by recent FDA warning letters citing failures to conduct independent qualification of contracted laboratories[1],[2]. In each of these cases, it was insufficient for the company to simply state that it lacked the technical knowledge, or that the third party could regulate itself; both reflect a clear misunderstanding of accountability by the parent company. In the recent concept paper on revisions to Annex 11 (EMA and PIC/S), two proposed updates emphasize regulation for cloud suppliers, clarifying that clear validation documents must be available during inspection. This is consistent with EMA’s draft guidance[3] focusing on computerized systems and data integrity in clinical operations, and underlines that the EMA is also placing further emphasis on contractor responsibility.

How can this problem be solved?

In these situations, both parties should have implemented strategies to establish accountability. At the outset, the companies draw up a well-written quality agreement, which outlines the roles of each party, expectations, and data integrity duties. A quality agreement is a separate document from commercial contracts and is dedicated to outlining how each party will comply with CGMP, and which of the parties will carry out specific CGMP activities. Importantly, quality agreements cannot be used to absolve either party from complying with CGMP and can be reviewed during inspections. A well-written quality agreement is, however, just the first step, as it can only outline the best intentions. Ongoing audits, data review, and training are also needed at different stages of operation in order to verify that steps are followed and that data integrity is maintained throughout the project lifecycle.


Figure: Lifecycle considerations for maintaining data integrity through third parties

What should the Quality Agreement cover?

According to the FDA’s “Contract Manufacturing Arrangements for Drugs: Quality Agreements Guidance for Industry”, a quality agreement should outline the relevant GxP responsibilities and roles for each party. It does not need to describe each step of a process or serve as an itemized checklist of all elements. Rather, it is most impactful when it is clear and easily understood by all parties. In general, roles should be defined for all activities, covering how controls will be handled, internal and external audits, communication of outcomes, and how deviations will be handled. It is also important to clarify how and when data will be transferred or retained, as there are special challenges in outsourced data. For example, could data be manipulated during transfer to show positive outcomes? Does data need to be retained for longer than the contractor agreement? How will these issues be pre-emptively addressed?

Quality agreements should be tailored to the task. For example, when involving manufacturing activities, roles and responsibilities surrounding quality control and data management, audits (including audits of the raw data and metadata), inspections, and how findings will be communicated should be outlined in the quality agreement. For facility management, the agreement should define which party validates, qualifies, and/or maintains equipment and systems throughout the life cycle.

When establishing a quality agreement with a SaaS provider, a similar approach should be applied, with a focus on regulatory challenges. The ISPE Quality Agreements for SaaS solutions[4] recommend thinking about underlying infrastructure that might lack oversight, software updates or changes made outside of the regulated company, and responsibilities for ensuring data confidentiality, availability and integrity. An example list of responsibilities put together by ISPE can be found here[5].


In conclusion, a quality agreement written at the outset of a project is a key first step in mitigating data integrity risks when contracting third parties. This, combined with verification through audits and review, helps ensure data integrity off-site.

Do you need help with third party management?
GxP-CC can support you by creating quality agreements with all relevant data integrity requirements, by supporting or leading audits with experienced auditors who have expertise in data integrity, data governance and IT security, or by supporting your training through workshops and training programs on third party management, data integrity, cloud compliance and cybersecurity. Contact us today to get started.

