Originally Published MDDI November 2005
FDA wields a powerful tool called the Application Integrity Policy list. Device manufacturers need to be aware of this list and avoid being placed on it.
Hyman, Phelps, McNamara P.C.
In the late 1980s, a scandal involving generic drug companies shook FDA. A number of such drug manufacturers were found to have submitted fraudulent records and violated FDA rules. Some FDA employees had been offered bribes or gratuities in return for favorable treatment. Congressional hearings and criminal prosecutions ensued, and FDA's credibility was badly damaged.
Generic drug manufacturers, not device companies, committed these misdeeds. Yet the repercussions of these actions are directly affecting the device industry. In 1991, FDA issued a policy that today is ensnaring device companies as well as drug firms.
Given the ungainly title of “Fraud, Untrue Statements of Material Facts, Bribery, and Illegal Gratuities,” this policy established a powerful—but still relatively unknown—FDA enforcement tool: the Application Integrity Policy (AIP).1 The basic premise of AIP is simple: If FDA determines that a company's applications are not reliable, the agency will not perform substantive review of any of the company's applications until confidence in the data is restored. Significantly, even though this policy was triggered by misconduct committed by the generic drug industry, it applies equally to device manufacturers. As of September 13, the FDA Web site shows nine device manufacturers on the AIP list.
Although AIP has been in place for 14 years, most device companies know very little about it. Even experienced regulatory personnel often learn about AIP the hard way—when their company is placed on the list. Ironically, although the misconduct of generic drug companies was the catalyst for AIP, there are currently far more device companies than pharmaceutical companies on the AIP list. The AIP list is available online at www.fda.gov/ora/compliance_ref/aiplist.html. Given the potentially devastating effect of such placement, companies should be aware of this mechanism.
There are three basic questions that manufacturers need answered: What is AIP and how does it work? What can companies do to reduce the risk of being placed on the list? And how could the implementation of the AIP process be improved?
What Is AIP?
The Federal Food, Drug, and Cosmetic Act (FD&C Act) provides FDA with a number of enforcement tools. For example, it can seek to enjoin device companies and individuals, prosecute companies and individuals who violate the law, and seize devices. FDA also can issue a warning letter and try to impose civil penalties of up to $1 million.2 The FD&C Act authorizes other FDA actions as well, such as requiring a company to recall its devices.
In contrast to these enumerated authorities, the power to place a firm on the AIP list is not expressly granted by law. Strictly speaking, FDA does not consider AIP to be an enforcement mechanism. Rather, the agency has concluded that it can defer review of a company's future applications based on its determination that the integrity of these applications cannot be assured. Whether FDA has the authority to decline to review any submissions by a company is open to debate. Whatever legal authority may exist is implicit, not explicit. While FDA may be on strong grounds to refuse to review a submission from the company that is determined to be tainted, it is much more difficult to perceive a statutory basis to decline to review other submissions which meet all criteria for approval or clearance. For example, the FD&C Act permits FDA to withdraw a premarket approval (PMA) application that contains false information.3 The FD&C Act does not, however, imply that FDA can suspend the review of a PMA because an entirely different application contains questionable data.
Once a company is placed on the AIP list, FDA will not complete its review of pending applications nor will it accept new applications until the agency is satisfied with the basic integrity of the submission. (A notable exception is when FDA decides the submission could have a significant effect on public health.) The burden for a listed company—the inability to get any FDA reviews for a year or longer—can far exceed the effect of FDA's invocation of some of its statutory enforcement tools.
FDA's criteria for placing a firm on the AIP list are elastic. AIP may be invoked “[w]hen FDA finds, based on fraudulent data in an application, that the data in the application are unreliable.” This standard does not necessarily mean that there has been a formal determination of fraudulent behavior. AIP can be invoked if FDA finds “that the criteria for approval cannot be met because of unresolved questions regarding reliability of data.”1
According to its internal procedures, the decision to invoke AIP against a company is predicated by FDA finding “evidence of a pattern or practice of wrongful conduct that raises a significant question about the reliability of data.”4 This “pattern or practice” can relate to a single submission. FDA officials have stipulated that the relevant information be carefully evaluated before AIP is invoked.
Under most circumstances, companies will be inspected before being placed on the AIP list. Therefore, when responding to an FDA-483 that raises the sorts of issues that could trigger invocation of AIP (e.g., findings that challenge the accuracy of data or a company's integrity), companies must be aware of the possibly heightened stakes when writing their response. This is equally true for responses to FDA-483s by a firm's clinical investigators.
While AIP can cover all pending and future applications, the agency can also invoke the policy against a single application. If the agency determines that a particular application is suspect, but that invoking the full rigors of AIP against the company is inappropriate or not supportable, FDA can place an integrity hold on one or more applications. Although FDA does not publish a list of integrity holds, CDRH reportedly uses this authority frequently.
If CDRH decides to invoke AIP (or an integrity hold), the company learns of this action through a letter. AIP listing requires no prior notice to the firm, and generally there is none. There is no advance opportunity to contest invocation of AIP. Once a company is listed, FDA will not hold a hearing or convene a meeting to permit the decision to be challenged. If a company did challenge AIP, the issue of FDA's basis of authority would be likely to be critical.
After being put on the list, except in unusual circumstances, a firm will not be able to receive any other approvals or clearances until AIP is revoked. This ban applies not only to 510(k)s and PMAs, but also to investigational device exemptions, supplements, and amendments.4
Getting Off the AIP List
Unfortunately, getting off the list is much harder than getting on. A company may be listed if only a handful of employees “are inadequately trained, perform work incompetently, repeatedly fail to follow the firm's Standard Operating Procedures (SOPs), or are untrustworthy as it relates to the application or the approval process.”4 Revocation is a slow multistep process that requires the efforts of numerous individuals. Reportedly, no device company has escaped the list in less than a year, and it can take longer.5
After receiving an AIP letter, a company will usually need to retain an independent auditor acceptable to FDA. Companies should choose experienced auditors who understand the regulatory process. The auditor is responsible for conducting one or more audits, e.g., a system audit and audits of clinical trial sites. The company must commit to allowing the auditor “freedom to conduct an independent and adequate audit.”4 The auditor must tender a draft audit plan to FDA for the agency's approval before beginning the audits.
Once FDA approves the audit plan, the independent audit can begin. Audit findings usually consist of one or more reports. The general principle that FDA does not seek audit reports is inapplicable here: these reports are sent simultaneously to FDA and the company. Unlike other situations, when it comes to AIP, device companies have no opportunity to comment on or correct a report before the document is submitted to the agency. Also, because audit reports are sent to FDA, companies may find it much more difficult to protect them from being obtained during discovery in the event of litigation. The ability to protect any documents attached to audit reports may also be undermined.
Once placed on the AIP or integrity hold lists, a firm should begin to develop a corrective action plan (CAP). This CAP must address multiple elements, including the following:
• A commitment to assure safety, efficacy, and quality.
• A description of corporate ethics and compliance programs.
• Procedures for effectively communicating to employees the firm's SOPs, including ethics and QA programs, and the employees' regulatory responsibilities.
• The steps being taken to address current wrongful acts and to prevent future occurrences. Such steps include ensuring the implementation of the CAP, consistently enforcing standards through disciplinary mechanisms, designating a high-level employee responsible for implementation of the CAP, and identifying individuals who were or may have been involved in the wrongful acts, and removing them from positions of substantive authority.4
The CAP cannot consist simply of commitments to draft new SOPs or promises of future conduct. Rather, the CAP must contain the full text of the principal SOPs and other key documents implementing the CAP so that FDA can evaluate these materials. In the course of developing its corrective actions, the company will need to go beyond simply drafting new procedures. For example, the company should consider how to improve its culture of compliance, e.g., improving its compliance policy, training employees on that policy, designating a compliance officer, etc. The CAP needs to evaluate the root causes of the deviations that led to AIP listing, and explain what the firm has done to address these problems. Companies need to show CDRH that they have made meaningful changes, not just cosmetic ones.
Device companies often want to submit early draft CAPs to CDRH to get preliminary feedback. CDRH discourages this. While willing to give general guidance on the content of a CAP, center officials do not want to spend time critiquing a preliminary document, particularly since the CAP may need to be substantially revised to address the auditor's findings. CDRH officials, however, may agree to comment on a draft CAP later in the process.
Generally the final CAP cannot be submitted to CDRH before the company receives the auditor's reports. The CAP must show that the company has addressed the issues identified by the auditor, FDA, and the company itself. To demonstrate that effective, corrective actions have been implemented, the CAP should describe systematic actions that go beyond the specific issues that gave rise to AIP listing.
The manufacturer can and should draft the bulk of the CAP prior to receipt of the audit reports. That way, unless the reports identify issues not already addressed in the CAP, the company can immediately submit its CAP to save time. Because many of the findings in the reports will be expected, and many of the corrective actions can be implemented in anticipation of the reports, the CAP can be prepared prior to receipt of the reports.
FDA does grant exceptions for companies on the AIP list, allowing them to submit an application if it is “for a product intended or expected to provide a significant scientific break-through . . . is medically necessary, or is otherwise critically needed.”4 This is a high threshold that will not routinely be surmounted.
CDRH evaluates the audit reports and the final CAP. Multiple agency personnel review the documents. The reviews can be quite painstaking and thorough. If CDRH questions the CAP, the company should respond fully and in detail. When procedures need to be modified, it is best to send the revised SOPs, not a description of the text or a commitment to make a change.
After the final CAP is approved, CDRH issues an inspection assignment to the local district office. The office is expected to conduct its inspection within 60 days. The inspection will focus on verifying that the company “conducted a credible and adequate internal review designed to identify all instances of wrongful acts;” that the company's CAP “has been submitted and executed and . . . any ongoing obligations have a timetable for completion;” and that “questionable applications have been withdrawn.”4
Inexplicably, these inspections are not always preannounced. After completion of the inspection, the district will recommend in writing whether AIP should be lifted. Reportedly, every device company that has gotten to the point of an inspection has been removed from the list. Center officials will then evaluate the pertinent information, prepare internal documentation, and then obtain signoffs from the necessary officials. The welcome news of AIP's revocation is delivered in the same manner as the invocation—via a letter from the center.
Avoiding the List
Being placed on the AIP list is painful and costly. Because of the variety of events that can trigger AIP, there is no simple, surefire set of preventative measures. Worse, the misconduct of a few rogue employees can result in AIP (or an integrity hold) being invoked against the entire company. There are, however, some steps companies can take that help reduce the risks. Heeding these precautions will also help reduce other regulatory and business risks.
• Adopt meaningful ethics policies. A culture of compliance may sound cliché, but companies should try to instill these values in employees. This means that consequences must be attached to unethical or violative conduct. A successful ethical policy must come from and be practiced by senior management.
• Do not tolerate fraud. If company officials learn that fraud, intentional misstatements, or other violations of regulatory obligations have occurred in regulatory communications or files, they must act swiftly and decisively.
• Appoint a compliance officer. This person should have the authority to take meaningful steps to ensure employee compliance. Encourage employees to contact this person if they are aware of misconduct. Institute mechanisms for anonymous reporting. A company that self-identifies wrongful conduct and aggressively corrects it may be able to avoid invocation of AIP (or other severe sanctions), even if FDA learns of the behavior.
• Adequately train employees. Sometimes employees will engage in wrongful behavior out of ignorance rather than malice. For example, they may backdate a document because that really was the date the work was done. A properly trained employee fully appreciates the elements of good clinical practice (GCP). Training also should include the company's ethics policies.
• Ensure that the clinical, regulatory, and quality functions have adequate resources. Understaffing can contribute to flawed clinical studies or erroneous submissions. Keep in mind, however, that simply having enough bodies to fill out the organization chart is not enough; personnel need to be skilled, trained, and sufficiently budgeted.
• Maintain an effective audit program.6 Detecting isolated fraudulent conduct will be difficult, even with the best audit program. However, a thorough audit program may enable the company to identify and fix systemic deficiencies before they result in conduct that triggers AIP. Companies that are unaware of serious flaws, or are aware but let them fester, are at higher risk of AIP invocation.
• Engage senior management in the process of ensuring FDA compliance. Attending the periodic management review may be enough to comply with the letter of the quality system regulation, but management disinterest can adversely affect regulatory compliance.7
• Devote resources and skills to comply with GCP for clinical investigations. Investigators shouldn't be selected just because they are well-known or potential customers. Trained monitors are essential, and if problems are identified during the course of the study, adequate follow-up action must be initiated. Ignoring monitoring reports that suggest that the data are untrustworthy increases the chances of being placed on the AIP list.
Such suggestions are hardly exhaustive. Nor are these measures unique to AIP—they also reduce the odds of other enforcement sanctions. However, a company that neglects these elements will increase the likelihood of appearing on CDRH's AIP list or facing an integrity hold.
Improving the AIP Process
The AIP process is a powerful tool for FDA. Whether it is legal, however, may be questioned. The FD&C Act provides criteria for rejecting applications, but not for refusing even to accept them for review. The lack of advance notice or any opportunity to challenge an AIP listing raises potential constitutional due process issues, and the vague standards may also be constitutionally suspect. The AIP process also does not follow the procedural protections of the Administrative Procedure Act.7
The structure of the FD&C Act gives device companies procedural and substantive protections before FDA can take administrative action. For example, a PMA holder has the chance to contest the proposed withdrawal of a PMA, civil penalties are preceded by an opportunity for a hearing, and there is even a right to a hearing before FDA issues a mandatory device recall order.2 Yet AIP involves no prior notice or a procedure to contest imposition of AIP once it has occurred. Nevertheless, despite these potential legal vulnerabilities, AIP remains intact and active, and unchallenged by industry.
Since the program is unlikely to be terminated soon, there are some ways that FDA could improve the process.
FDA should give prior notice to companies. This is not a radical concept. For example, before imposing civil penalties, mandating a recall, or disqualifying an investigator, the target is given a chance to present its side.2 Time is not of the essence before AIP is invoked; a week's delay will not hurt the public. But letting the company present its position and provide supplemental facts will make the process fairer and may result in better decision-making. Given the effect of AIP (on the company, its employees, and the patients who will be delayed in getting access to the company's new devices), it seems reasonable for FDA to give companies the chance to explain, correct, or mitigate.
To most people in industry, AIP is an enigma. Industry awareness is startlingly low. While the policy itself and FDA's implementing procedures are available on FDA's Web site, these documents are somewhat opaque. It would be helpful if FDA provided a clearer description of the AIP process and exactly what companies need to do to get off the AIP list.
Removal from the AIP list is neither quick nor easy. Some of the delay is understandable because it is a multistep process. Certain steps, such as identifying an independent auditor, submitting an audit plan, scheduling and conducting an audit, and then writing up reports, will inevitably take some time. However, some of the delay is attributable to the time it takes FDA to conduct the various reviews needed under the AIP process. These reviews can take weeks, or even longer. It is not a criticism of people responsible for AIP to say this. Still, FDA needs to look to ways to accelerate its review of AIP-related submissions, including increasing staffing and resources. Once an acceptable CAP is submitted, FDA should give high priority to completing the remaining steps—all of which are in FDA's control—and revoking AIP.
FDA should develop and publish policies on how to address important, recurring subjects that are not currently covered in the policy. There are still some unanswered questions such as: Does an AIP listing apply to the parent company? To a sister company? To an affiliated company? Will the district's inspection be announced? To provide clarity, consistency, and transparency, the policies for these and other issues should be spelled out.
FDA should take into consideration whether future submissions are likely to raise credibility issues in light of the company's current practices. AIP is based on actions that have already occurred, but do not necessarily reflect current corporate practice. If the company has already implemented effective corrections, e.g., through new procedures, personnel, and training, AIP's effect is primarily punitive. Enabling the company to describe its corrective actions before AIP is invoked would ensure that the agency learns of relevant information before it decides whether AIP is appropriate.
FDA should also rely more heavily on the results of the independent audit and the CAP in deciding whether to end an AIP listing. FDA reviews and approves the auditor and the auditor's plan. The auditor's report is submitted directly to FDA, and then the company submits a detailed CAP that addresses FDA's findings and the auditor's findings. Yet months can elapse from the time the CAP is approved to the time an inspectional assignment is written and sent to the district, an inspection takes place, a report written by the district and is reviewed, and final CDRH documentation is generated. If the auditor finds that the company has resolved the issues and the CAP is adequate, then FDA should revoke the listing immediately. Waiting for a corroborative FDA inspection can add months to the company's tenure on the list, without any corresponding benefit.
FDA should reassess its AIP process, which was developed in the wake of a scandal involving generic drugs. It is understandable that the agency would not want to review submissions from a company that has been found to have knowingly submitted fraudulent data. Yet even a company that FDA deems to be a malefactor is entitled to due process and a chance to present its side, and AIP is invoked without any formal findings having been presented to the company. The agency should reevaluate whether the policy should even be kept. If it is retained, FDA should implement steps to make the process fairer, more predictable, faster, and less burdensome.
Although the AIP listing is not considered to be a formal enforcement sanction, its effect on companies can be severe. The best advice is found in an old aphorism: An ounce of prevention is worth a pound of cure. However, if prevention fails, and a device company receives a letter placing it on the AIP list, the company needs to promptly develop a plan designed to result in a second, much more welcome letter, as soon as possible.
1. Federal Register, 56 FR:46191, September 10, 1991.
2. U.S. Code, 21 U.S.C. 332–334, 336.
3. U.S. Code, 21 U.S.C. 360.
4. Application Integrity Policy; available from Internet: www.fda.gov/ora/compliance_ref/aip_procedures/AIPprocedures2004_0304.pdf.
5. E Basile and M Lee, “How to Respond to FDA's Application Integrity Policy,” FDLI Update 4 (Sept./Oct. 2005).
6. Jeffrey Gibbs, “Compliance Auditing,” MX 2, no. 3 (2002): 74–80.
7. 21 CFR 820.20.
8. U.S. Code, 5 U.S.C. 551.
Copyright ©2005 Medical Device & Diagnostic Industry