In 2012, the Food and Drug Administration Safety and Innovation Act (FDASIA) inserted a statement into Section 501(a)(2)(B)of the Food, Drug and Cosmetic Act that expanded the meaning of current good manufacturing practice (cGMP): “For purposes of paragraph (a)(2)(B), the term ‘current good manufacturing practice’ includes the implementation of oversight and controls over the manufacture of drugs to ensure quality, including managing the risk of and establishing the safety of raw materials, materials used in the manufacturing of drugs, and finished drug products.” This insertion, which enhanced the meaning of cGMP for the first time since 1962, wasn’t widely acknowledged in trade press coverage of the FDASIA and the full implications of the insertion aren’t yet readily apparent.

FDASIA’s legislative history tells us that one intention was to require drug manufacturers to employ adequate controls over the materials they purchase. FDASIA’s sponsor Sen. Tom Harkin (D-IA) said in his remarks urging passage, “[FDASIA] modernizes FDA’s goal of drug supply chain authority … this bill enhances our ability to ensure the integrity of that drug supply chain from where they get the raw materials to where they put it together in this country.” Fair enough. Most would agree that the hazards of unsafe materials justify the need for effective controls and oversight by manufacturers, and most companies are well aware of their responsibility to oversee safety and quality of materials used for manufacturing.

 FDA’s web page describing FDASIA promises that requirements of the enhanced 501(a)(2)(b)will be reflected in revised CGMP regulations. FDA’s 2014 Regulatory Agenda targets November for issuing a proposed rule. However, enforcement has already begun, and virtual companies are a target.

FDA’s May 2013 Draft Guidance on Contract Manufacturing Arrangements for Drugs: Quality Agreements (here) cited FDASIA’s enhanced 501(a)(2)(B)wording as authority for the guidance. This draft Guidance challenges companies to improve quality oversight for contractors, but none are more challenged than virtual companies. Such a company may hold an NDA, but have no manufacturing facilities and may never physically possess any article of drug. Nevertheless, FDA will hold a virtual company responsible for having caused the introduction of an adulterated drug into interstate commerce if it contracts for and markets a drug product made for it by a third party, but does not operate a quality system in compliance with cGMP to provide adequate oversight and control over the contractor. Under this concept, it would make no difference whether or not the contractor (that is, the actual manufacturer) happens to be in full compliance with cGMP – the virtual company would be out of compliance simply for failing to have the systems needed to provide the assurance.

FDA’s clear expectation, expressed in a number of ways, is that the virtual company (the Owner, in the terminology of FDA’s Guidance) shares responsibility with the contracted manufacturing organization (CMO) for compliance. Contracted facilities have long been considered “an extension of the manufacturer’s own facility” as expressed in 21CFR 200.10, but what this requires in practice for virtual companies is somewhat uncertain. A virtual company clearly is expected to have a quality unit with adequate authority and responsibility, and a minimum requirement is for the Owner (virtual company) to perform final release to market of each batch. As the FDA draft Guidance explains, the Owner should conduct a risk review that evaluates the extent of controls required for the particular supplier. This should include determining the key performance indicators it believes necessary to control, and to develop systems for oversight. For a virtual company, this would include use of periodic compliance audits of CMOs, as well as review and approval of certain batch and process documentation; for example, batch records and certificates of analysis, manufacturing deviation and laboratory investigations, change control, continuous process verification, and annual product reviews. Obviously, this requires adequate technical resources and product knowledge on the part of the virtual company.

FDA revealed its philosophy in a 2012 Warning Letter to a virtual company, in which FDA expressed its position that a virtual company has ultimate responsibility to demonstrate effective quality leadership by participating with contract manufacturers in the design, implementation, and monitoring for quality.

Although analysis of FDA’s draft Guidance would be too complex for this discussion, some key points of contention as reflected in comments to the draft are important to mention. In the FDA draft Guidance, the Owner is described as the party that introduces or causes the introduction of the drug into interstate commerce, whether or not the drug is covered by an NDA. This definition appeared overly broad to some commenters. Comments suggested, for example, that the term “Owner” should not include distributors (including private-label distributors) who may have no product knowledge or expertise and who may receive products in good faith under a guarantee as provided in Section 303(c) of the Food, Drug and Cosmetic Act. If FDA accepts this input, a final Guidance must find a way to define Owner in such a way that pure distributors are treated differently from virtual companies and others that were (we believe) the intended audience for the Guidance. Another interesting comment pointed out that the Food, Drug and Cosmetic Act provides FDA authority to conduct inspections of facilities where drugs are manufactured, processed, packed, or held, which would seem not to include virtual companies where none of those things take place. That fact apparently will not stop FDA from conducting cGMP inspections at virtual company offices.

A twist not addressed by any comment is the inconsistency between FDA’s long-standing policy in 21CFR 200.10 that FDA doesn’t consider validation studies to be trade secrets that may be withheld by a contracted facility, versus FDA’s practice of allowing certain validation information to be filed in the closed sections of DMFs where it is not available to Owners. The limitation on access to closed portions of DMFs will further complicate implementation of the draft guidance which says, for example, that the Owner is jointly responsible with the contracted laboratory for assuring that methods are validated.