Outsourcing Spectroscopic Analysis?

Outsourcing Spectroscopic Analysis?

April 1, 2019

In the current data-integrity–centric world, is outsourcing your spectroscopy work a good idea? To answer this question, one must consider several factors.

If a laboratory does not have the workload, spectrometer, or the resources for a spectroscopic analysis, then contract analysis is the way to go. But is outsourcing a universal panacea in the current data integrity-centric world? Are you feeling lucky?

The topic of this month's column is outsourcing analytical work to a third party, typically a contract organization such as a Contract Research Organization (CRO). It can also encompass outsourcing the whole analytical workload to a bioanalytical laboratory (non-clinical and clinical development studies) or quality control laboratory (when the whole manufacturing process is outsourced to a Contract Manufacturing Organization [CMO]). Managing contract analysis was one of my roles when I had a real job working in the pharmaceutical industry, rather than as a consultant to this industry. Outsourcing work sounds great. You send off the samples, put your feet up, relax, and wait for the report to come back, but let's look at the reality. All organizations outsource analytical work, so we can't be wrong? Right? Well, let's see....

There may be several reasons for outsourcing analytical work to a CRO:

  • Lack of capacity or expertise in your laboratory

  • Insufficient workload to justify purchase of a specific instrument

  • Company policy when a development project reaches a particular phase

  • Your organization is virtual, and therefore all work is performed by third parties

But is outsourcing a universal panacea, as it is pervasive throughout the pharmaceutical industry? Let us explore what is the situation in the data integrity environment that many of us now have to work in:

  • Is the CRO or CMO's scientific and regulatory knowledge adequate?

  • Do you know how the laboratory works?

  • Do you have the confidence in the staff?

  • Do the staff have the culture, training, and ethics to ensure the integrity of your data?

  • Who owns the data from the work?

  • Where will the records be stored?

  • Who is responsible, and who is accountable, for the work?

It all boils down to whether a pharmaceutical company should just accept a summary report, or if due diligence requires that the electronic records be reviewed by them as well. It all depends on the sponsor's approach to the management of regulatory and business risk.

Regulatory Perspective

The US Good Laboratory Regulations (GLR) (21 CFR 58) (1) and Good Manufacturing Practice (GMP) (21 CFR 211) (2) originated in the 1970s, when outsourcing was in its infancy, and therefore there is no mention of the concept in either regulation, the implication being that all work is covered, regardless of where and who performs it. In contrast, the proposed Good Laboratory Practice (GLP) update (3) has more mentions of contract analysis, and proposes a clear definition of roles and responsibilities between the sponsor and the CRO(s) involved in the study.

European GMP has updated Chapter 7, and retitled it "Outsourcing," to reflect the greater increase in extended supply chains (4), where there are two roles:

  • Contract giver (sponsor)

  • Contract acceptor (CRO)

It is clear from Chapter 7, and also the proposed GLP Update, that the contract giver or sponsor is responsible, and accountable, for the work performed by any third party, as we shall soon see.

Data Integrity Guidance on Outsourcing

There has been a tsunami of regulatory guidance documents issued by regulatory authorities and industry bodies since 2015. This WHO guidance document has Section 7 focused on the data integrity issues when outsourcing work (5), and Table I gives the first sentence from each clause. Please note that there is much more information than presented in the table, and readers are encouraged to read the whole section. There is also more detailed advice from the Pharmaceutical Inspection Cooperation Scheme (PIC/S) in Section 10 of PI-041 Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments (6).

Let's see when the wrong CRO is chosen, either because price was a major factor, or lack of due diligence in the selection process.


Do You Feel Lucky?

There have been two major data integrity cases involving CROs: Cetero and Semler. Imagine your company has submitted a New Drug Application (NDA)to the FDA containing bioequivalence data generated by Cetero Research. The study compares the absorption and distribution of your generic version of a drug and the ethical version. Your application has been accepted by the FDA, but later you receive a letter (7), stating:

“The pervasiveness and egregious nature of the violative practices by Cetero has led FDA to have significant concerns that the bioanalytical data generated at Cetero from April 1, 2005 to June 15, 2010, as part of studies submitted to FDA in New Drug Applications (NDA) and Supplemental New Drug Applications (sNDA) are unreliable.

FDA has reached this conclusion for three reasons:

(1) the widespread falsification of dates and times in laboratory records for subject sample extractions,

(2) the apparent manipulation of equilibration or “prep” run samples to meet pre-determined acceptance criteria, and

(3) lack of documentation regarding equilibration or “prep” runs that prevented Cetero and the Agency from determining the extent and impact of these violations.”

Whoa! Outsourcing is supposed to save money. What was a financial panacea has now turned into a financial disaster. The impacted studies had to be repeated in a different CRO; for more information on the falsification, see the untitled FDA letter (8).

Studies carried out at Semler Research Private Limited were also found to contain falsified bioequivalence data that resulted an untitled letter, and sponsor companies having to repeat bioanalytical studies (9,10).

The issue here is clear that the selection of a contract facility is not a mere box ticking exercise, but one where adequate due diligence must be performed. This is to ensure that a selected facility has an equivalent approach to data integrity as a sponsor. Outsourcing analytical work is not a passive “contract and forget” approach, but requires, according to that well-known data integrity expert Ronald Reagan, a “trust, but verify” approach. Yes, we trust you, but we will verify what you are doing.

Assessment of a CRO

Supplier assessment is a key requirement of GXP regulations and regulatory expectations for outsourcing (5,12). It is important that due diligence is exercised to ensure that the work will be carried out to your specifications and analytical procedures, and that this results in an acceptable analytical report. Some typical areas for assessment are facilities, Quality Management System (QMS), scientific and regulatory knowledge, staff training, qualification and validation of instruments and software, together with record keeping practices.

Initial Selection of a Contract Facility

The primary selection criteria are the ability to deploy your validated analytical procedure (or for CRO to use their method), the spectroscopic technique to be used, and the skills required to perform the work. To be fair to CROs, the sponsor definition of validation may vary from a minimal effort and a one page report to a full validation following ICH Q2(R1) (13). Secondary criteria may also be applicable, such as location, facilities, analysis price, recommendations from colleagues, or placement of previous work with the facility. From these criteria, a list of candidates can be reduced to one or two.

Assessment of the Laboratory

As you may be time limited on site, it is essential to prepare for the assessment. You will need to get information about the following items to read:

  • Quality management system overview including any certifications, such as GXP certificate, ISO 17025 certification with scope of certification and methods within the scope

  • List of policies and procedures

  • Data governance covering areas such as management leadership in data integrity and review of the QMS, company ethics, progress towards an open culture, and assessment of processes and systems with current remediation approaches

  • Data integrity procedures and training

  • Site Master File (if a GMP facility)

  • Data integrity initiatives at the CRO

Initial Assessment of Data Integrity

On-site, you need to follow an agenda to ensure you cover all areas, and to make the best use of time. Remember that audits sample, and you will not have time to go into too much detail, unless a problem is found that needs to be understood in more detail. We will now look at some of the topics we need to cover from a data integrity perspective. Ask specifically about what approaches there are for these topics, such as ensuring data integrity.

  • What is the role of senior management in data integrity?

  • How can an analyst admit a mistake or raise a compliance concern?

  • How have computerized systems been assessed for data integrity and how are any issues being remediated (by procedural, or technical means)?

  • Has assessment of paper processes been undertaken?

  • How are blank forms controlled and reconciled?

  • How are second person reviews conducted, and how are audit trails reviewed?

  • If work is subcontracted, how are the third parties controlled, and how does the CRO ensure that their approach to data integrity is acceptable?

  • What quality oversight is there to ensure data integrity (for example, audits and investigations)?

Control of Electronic Records

One important area to look at is controls for the generation, interpretation, reporting, and storage of electronic records. This will not be a static audit, but will require the auditor to walk around the laboratory, and view the systems themselves. In particular:

  • What are the controls to prevent users going around the back of the application to delete records and time travel to repeat any analysis? These must be investigated and verified by seeing them in operation.

  • Procedural controls are not unreliable and inconsistent. What the auditor needs to see is that the available technical controls are specified, implemented, and validated with whatever procedural controls are required, such as separation of roles in the system, electronic records protection, and audit trails being turned on.

  • There should also be an on-going plan to replace older data systems with networked data systems, together with progress against the plan.

If client confidentiality may be cited as refusing to show these systems, this is a clear indicator that the CRO does not have an effective system for handling confidential information and hiding the sponsor's identity. If the CRO does not show you the technical controls for ensuring data integrity, what are the options?

Walk away.

Walking away is cheap, compared with the cost of non-compliance if there are data integrity issues that are found later. What is the cost of finding a new supplier compared with repeating a bioequivalence study, or a product recall, due to data integrity issues? Minimal.


Reporting the Assessment

At the end, there will be a written report, with the overall assessment of the facilities, infrastructure, scientific, and technical competence, and the data integrity status of the organization. Together with the report, there may be a list of findings (against regulations or procedures) and recommendations (opportunities for improvement).

Depending on the overall findings and CAPA responses to the findings by the CRO, a decision will be made to use the laboratory or not. If you go ahead, we can go to the next stage of the process outlined in Figure 1, which is negotiating the agreement that will include how data integrity must be included.

Figure 1: Overview of data integrity assessment, agreement, and monitoring work at a contract laboratory (11). Note: QMS = quality management system; DI = data integrity.

Agreements Must Include Data Integrity

The next stage of the process is to ensure that work is agreed jointly in a technical or quality agreement or contract. Apart from the usual terms and conditions of such documents, which are out of the scope of this column, there is the need to ensure that data integrity is included in these documents, and that roles and responsibilities are defined adequately between the two parties.

The sponsor must:

  • Provide to the laboratory robust and accurately written analytical procedures and technical information, with records and examples

  • Provide troubleshooting advice, if required, when transferring, establishing or running a procedure

  • For routine analytical work, the sponsor needs access to all records to verify the work was performed correctly

  • The right to audit remotely and on-site (including for cause where necessary), to assess the analytical work and the integrity of any data

The CRO must:

  • Define original records and raw data as electronic where a computerized system is involved, and link any paper printouts with the underlying records

  • Provide accurate, complete, and reliable documentation throughout the analysis that meet attributable, legible, contemporaneous, original, and accurate (ALCOA)+ principles (5,6)

  • Perform effective second person review of all work, from sampling to reportable result (as applicable to the work)

  • Provide adequate QA oversight of the analysis

  • Generate monitoring and trending results for communication to the sponsor

  • Notify the sponsor when out of expectation (OOE), out of trend (OOT), and out of specification (OOS) results are found. The sponsor should be informed, or involved (depending on the agreement terms), in any laboratory investigations.

  • Permit remote and on-site audits of the work performed, including review of electronic records

These needs and responsibilities to be included in agreements and contracts between the two parties.

Who Owns the Data?

In the past, when paper records were generated by a CRO, it was easy to determine where the records would be stored either short-term or long-term. This was a simple matter of moving piles of cellulose from one location to another. Now there is more of a problem, as there are both paper and electronic records. Paper from the manual stages of the analytical process is simple, but far more problematic are the electronic records, as typically these need the application that generated them to open and view them.

When there are different systems at the two sites, then it would make sense to keep the records with the laboratory where they were generated for the record retention period. However, depending on the time of retention, there may be one or two upgrades of software involved. What does the agreement say about this? Probably nothing. What needs to be included in the agreement is the due diligence of the CRO to inform the sponsor that software will be upgraded, and that the results from a standard data set come to the same decision before and after the upgrade (4). Software validation and data migration are essential components in ensuring that the data are still readable, and maintain the same content and meaning.

In all cases, storage of the records must be part of any agreement or contract, and include what happens in case of inspection at the contract giver's site to determine how access to the electronic records will be achieved.

On-Going Monitoring of Work and Audits

It is important to monitor the work being carried out at a CRO, including data integrity aspects to assure themselves that the agreement is being followed. If this is not undertaken, it may be because of a sponsor's attitude that they have confidence in the CRO. However, realize that you cannot outsource analysis and forget about it; the work must be monitored. This takes time and effort within the sponsor's organization, but is an essential corollary of outsourcing. Alternatively, consider the alternative. Would you prefer a Cetero or Semler scenario?

Monitoring can be one of three types:

  • Remote monitoring of results and associated data

  • Remote audit

  • On-site audit including for cause audits

Monitoring the Results

The type of monitoring undertaken by the sponsor will depend on the nature of analytical work undertaken by the contract laboratory. For bioanalytical work, it may be checks of the standard curves and back calculated concentration values, monitoring the results from the three concentrations of quality control samples, viewing blank injections, plasma concentration versus time profiles, and incurred sample reanalysis results. In contrast, quality control monitoring may be looking at the chromatograms and individual values from aliquots, as well as the reportable results and trending these over time and batch, and impurity profiles between batches, among other factors.

Actively monitoring outsourced analytical work means that trends or issues could be identified, discussed with the contract laboratory, and rectified before they become major problems. Equally so, the contract facility should also be monitoring and discussing with the sponsor the same issues if they are monitoring the work correctly.


Remote Assessment of Work Packages

Following on from the monitoring of results is the remote assessment of work packages, such as the review of the whole of the analytical batch or study records. This can be a combination of video conferencing and direct access via a secure internet link between the CRO and sponsor. Electronic records, including the metadata and audit trails, can be reviewed remotely. Access can be via a link where a member of the contract laboratory staff operates the data system following the requests of the sponsor's representative. Paper records can be reviewed remotely via video link, or scanned, with the scans then verified as true copies by electronic signature, and viewed at the sponsor site. However, it is the approach to sponsor's due diligence that is the basis for ensuring work is carried out correctly. Any findings identified remotely can be documented, and CAPAs generated by the contract laboratory.

The main issue is that the sponsor needs confirmation that the data integrity of the analytical results is acceptable, and that they can rely on the results to take decisions. There would typically be more audits early in a contractual relationship between a sponsor and CRO, with the number and frequency reduced over time as the two organizations become confident with working together.

On-Site Audits

On site audits come in two forms: regular scheduled audits or for cause audits. The latter is the audit of a specific batch or batches due to a problem, such as an increase in serious adverse events associated with a product batch. In either case, the approach is usually the same:

  • Access to the electronic records and paper records for all systems to check the work has been done correctly, and data integrity is assured

  • Ensuring procedures have been followed and there have been no attempts at short cuts, copying data from one batch to another, or other poor data management practices. An area of focus is where procedural controls have been used to remediate data vulnerabilities in processes or computerized systems.

  • Audit of one or more work packages

  • Checking the effectiveness of previous CAPAs. This may not be applicable to a for cause audit.

  • Look for work that is too perfect, not enough exceptions, or containing documentation errors

  • Look at the time that data was collected or processed. Late at night or on the weekends can lead to increased opportunity to manipulate data in negative ways.

Out of these audits may come findings and recommendations for the contract laboratory to act upon and generate CAPAs.

Trusted Partner or Scum of the Earth?

From my experience, the attitude of people who use CROs fall into one of two camps. Either contractors are a necessary evil and are the scum of the earth, or those that take a more reasonable approach that a CRO is an extension of their own laboratory and are a trusted partner. Personally, I have always taken the latter approach, as the work they are doing is on my behalf. Why would I treat the laboratory and their staff any different to my own analysts? In my experience, you will always get more out of people if they are treated right, rather than have a poor sponsor attitude and reputation that precedes you before you walk through the door.

Aspects of being a trusted partner are honesty and openness. A CRO should be able to discuss data integrity issues with prospective and current sponsors. Discussion of poor data management practices found, and how they are working to resolve them, is a major plus from the author's perspective. Finding out that a CRO has hidden data integrity violations is a case for running away.


You may be thinking that contracting analytical work is a major problem. Far from it; if handled correctly, the process should be considered as an extension of your own laboratory, and a collaborative process. If handled wrongly, it can be a millstone hanging around an organization's neck for a decade or so. Approach using contract facilities with your eyes open with a "trust, but verify" attitude, especially when it comes to data integrity.


I would like to thank Kevin Roberson for his helpful review comments in preparation of this column.


(1) 21 CFR 58 Good Laboratory Practice for Non-Clinical Laboratory Studies. (Food and Drug Administration: Washington, DC, 1978).

(2) 21 CFR 211 Current Good Manufacturing Practice for Finished Pharmaceutical Products. (Food and Drug Administration: Sliver Spring, MD, 2008).

(3) 21 CFR Parts 16 and 58 Good Laboratory Practice for Nonclinical laboratory Studies; Proposed Rule. Federal Register 81(164), pp. 58342-58380 (2016).

(4) Compliance Policy Guide CPG Sec. 130.300 FDA Access to Results of Quality Assurance Program Audits and Inspections. 2007; Available from: http://www.fda.gov/ICECI/ComplianceManuals/CompliancePolicyGuidanceManual/ucm073841.htm.

(5) WHO Technical Report Series No.996 Annex 5 Guidance on Good Data and Records Management Practices. (World Health Organization: Geneva, Switzerland, 2016).

(6) PIC/S PI-041-3 Good Practices for Data Management and Integrity in Regulated GMP / GDP Environments Draft. (Pharmaceutical Inspection Cooperation Scheme, Geneva, Switzerland, 2018).

(7) FDA Letter to ANDA Sponsors Conducting Bioequivalence Studies at Cetero Research. 2011; Available from: http://www.fda.gov/downloads/drugs/drugsafety/ucm267907.pdf.

(8) Cetero Research Untitled Letter (11-HFD-45-07-02). (Food and Drug Administration: Silver Springs, MD, 2011).

(9) Notification to Pharmaceutical Companies: Clinical and Bioanalytical Studies Conducted by Semler Research Are Unacceptable. 2016; Available from: https://www.fda.gov/Drugs/DrugSafety/ucm495778.htm.

(10) FDA Untitled Letter: Semler Research Center Private Limited. (Food and Drug Administration: Silver Spring, MD, 2016).

(11) R.D. McDowall, Data Integrity and Data Governance: Practical Implementation in Regulated Laboratories. (Royal Society of Chemistry, , Cambridge, United Kingdom, 2019).

(12) EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines, Chapter 7 Outsourced Activities. (European Commission: Brussels, Belgium, 2013).

(13) ICH Q2(R1) Validation of Analytical Procedures: Text and Methodology. (International Conference on Harmonization: Geneva, Switzerland, 2005).

R.D. McDowall is the director of R.D. McDowall Limited and the editor of the "Questions of Quality" column for LCGC Europe, Spectroscopy's sister magazine. Direct correspondence to: SpectroscopyEdit@MMHGroup.com