A 2025 Retrospective for Investigations of a Dog

If the history of pharmaceutical quality management were written as a geological timeline, 2025 would hopefully mark the end of the Holocene of Compliance—a long, stable epoch where “following the procedure” was sufficient to ensure survival—and the beginning of the Anthropocene of Complexity.

For decades, our industry has operated under a tacit social contract. We agreed to pretend that “compliance” was synonymous with “quality.” We agreed to pretend that a validated method would work forever because we proved it worked once in a controlled protocol three years ago. We agreed to pretend that “zero deviations” meant “perfect performance,” rather than “blind surveillance.” We agreed to pretend that if we wrote enough documents, reality would conform to them.

If I had my wish 2025 would be the year that contract finally dissolved.

Throughout the year—across dozens of posts, technical analyses, and industry critiques on this blog—I have tried to dismantle the comfortable illusions of “Compliance Theater” and show how this theater collides violently with the unforgiving reality of complex systems.

The connecting thread running through every one of these developments is the concept I have returned to obsessively this year: Falsifiable Quality.

This Year in Review is not merely a summary of blog posts. It is an attempt to synthesize the fragmented lessons of 2025 into a coherent argument. The argument is this: A quality system that cannot be proven wrong is a quality system that cannot be trusted.

If our systems—our validation protocols, our risk assessments, our environmental monitoring programs—are designed only to confirm what we hope is true (the “Happy Path”), they are not quality systems at all. They are comfort blankets. And 2025 was the year we finally started pulling the blanket off.

The Philosophy of Doubt

(Reflecting on: The Effectiveness Paradox, Sidney Dekker, and Gerd Gigerenzer)

Before we dissect the technical failures of 2025, let me first establish the philosophical framework that defined this year’s analysis.

In August, I published “The Effectiveness Paradox: Why ‘Nothing Bad Happened’ Doesn’t Prove Your Quality System Works.” It became one of the most discussed posts of the year because it attacked the most sacred metric in our industry: the trend line that stays flat.

We are conditioned to view stability as success. If Environmental Monitoring (EM) data shows zero excursions for six months, we throw a pizza party. If a method validation passes all acceptance criteria on the first try, we commend the development team. If a year goes by with no Critical deviations, we pay out bonuses.

But through the lens of Falsifiable Quality—a concept heavily influenced by the philosophy of Karl Popper, the challenging insights of Deming, and the safety science of Sidney Dekker, whom we discussed in November—these “successes” look suspiciously like failures of inquiry.

The Problem with Unfalsifiable Systems

Karl Popper famously argued that a scientific theory is only valid if it makes predictions that can be tested and proven false. “All swans are white” is a scientific statement because finding one black swan falsifies it. “God is love” is not, because no empirical observation can disprove it.

In 2025, I argued that most Pharmaceutical Quality Systems (PQS) are designed to be unfalsifiable.

The Unfalsifiable Alert Limit: We set alert limits based on historical averages + 3 standard deviations. This ensures that we only react to statistical outliers, effectively blinding us to gradual drift or systemic degradation that remains “within the noise.”
The Unfalsifiable Robustness Study: We design validation protocols that test parameters we already know are safe (e.g., pH +/- 0.1), avoiding the “cliff edges” where the method actually fails. We prove the method works where it works, rather than finding where it breaks.
The Unfalsifiable Risk Assessment: We write FMEAs where the conclusion (“The risk is acceptable”) is decided in advance, and the RPN scores are reverse-engineered to justify it.

This is “Safety Theater,” a term Dekker uses to describe the rituals organizations perform to look safe rather than be safe.

Safety-I vs. Safety-II

In November’s post “Sidney Dekker: The Safety Scientist Who Influences How I Think About Quality,“ I explored Dekker’s distinction between Safety-I (minimizing things that go wrong) and Safety-II (understanding how things usually go right).

Traditional Quality Assurance is obsessed with Safety-I. We count deviations. We count OOS results. We count complaints. When those counts are low, we assume the system is healthy.
But as the LeMaitre Vascular warning letter showed us this year (discussed in Part III), a system can have “zero deviations” simply because it has stopped looking for them. LeMaitre had excellent water data—because they were cleaning the valves before they sampled them. They were measuring their ritual, not their water.

Falsifiable Quality is the bridge to Safety-II. It demands that we treat every batch record not as a compliance artifact, but as a hypothesis test.

Hypothesis: “The contamination control strategy is effective.”
Test: Aggressive monitoring in worst-case locations, not just the “representative” center of the room.
Result: If we find nothing, the hypothesis survives another day. If we find something, we have successfully falsified the hypothesis—which is a good thing because it reveals reality.

The shift from “fearing the deviation” to “seeking the falsification” is a cultural pivot point of 2025.

The Epistemological Crisis in the Lab (Method Validation)

(Reflecting on: USP <1225>, Method Qualification vs. Validation, and Lifecycle Management)

Nowhere was the battle for Falsifiable Quality fought more fiercely in 2025 than in the analytical laboratory.

The proposed revision to USP <1225> Validation of Compendial Procedures (published in Pharmacopeial Forum 51(6)) arrived late in the year, but it serves as the perfect capstone to the arguments I’ve been making since January.

For forty years, analytical validation has been the ultimate exercise in “Validation as an Event.” You develop a method. You write a protocol. You execute the protocol over three days with your best analyst and fresh reagents. You print the report. You bind it. You never look at it again.

This model is unfalsifiable. It assumes that because the method worked in the “Work-as-Imagined” conditions of the validation study, it will work in the “Work-as-Done” reality of routine QC for the next decade.

The Reportable Result: Validating Decisions, Not Signals

The revised USP <1225>—aligned with ICH Q14(Analytical Procedure Development) and USP <1220> (The Lifecycle Approach)—destroys this assumption. It introduces concepts that force falsifiability into the lab.

The most critical of these is the Reportable Result.

Historically, we validated “the instrument” or “the measurement.” We proved that the HPLC could inject the same sample ten times with < 1.0% RSD.

But the Reportable Result is the final value used for decision-making—the value that appears on the Certificate of Analysis. It is the product of a complex chain: Sampling -> Transport -> Storage -> Preparation -> Dilution -> Injection -> Integration -> Calculation -> Averaging.

Validating the injection precision (the end of the chain) tells us nothing about the sampling variability (the beginning of the chain).

By shifting focus to the Reportable Result, USP <1225> forces us to ask: “Does this method generate decisions we can trust?”

The Replication Strategy: Validating “Work-as-Done”

The new guidance insists that validation must mimic the replication strategy of routine testing.
If your SOP says “We report the average of 3 independent preparations,” then your validation must evaluate the precision and accuracy of that average, not of the individual preparations.

This seems subtle, but it is revolutionary. It prevents the common trick of “averaging away” variability during validation to pass the criteria, only to face OOS results in routine production because the routine procedure doesn’t use the same averaging scheme.

It forces the validation study to mirror the messy reality of the “Work-as-Done,” making the validation data a falsifiable predictor of routine performance, rather than a theoretical maximum capability.

Method Qualification vs. Validation: The June Distinction

I wrote “Method Qualification and Validation,” clarifying a distinction that often confuses the industry.

Qualification is the “discovery phase” where we explore the method’s limits. It is inherently falsifiable—we want to find where the method breaks.
Validation has traditionally been the “confirmation phase” where we prove it works.

The danger, as I noted in that post, is when we skip the falsifiable Qualification step and go straight to Validation. We write the protocol based on hope, not data.

USP <1225> essentially argues that Validation must retain the falsifiable spirit of Qualification. It is not a coronation; it is a stress test.

The Death of “Method Transfer” as We Know It

In a Falsifiable Quality system, a method is never “done.” The Analytical Target Profile (ATP)—a concept from ICH Q14 that permeates the new thinking—is a standing hypothesis: “This method measures Potency within +/- 2%.”

Every time we run a system suitability check, every time we run a control standard, we are testing that hypothesis.

If the method starts drifting—even if it still passes broad system suitability limits—a falsifiable system flags the drift. An unfalsifiable system waits for the OOS.

The draft revision of USP <1225> is a call to arms. It asks us to stop treating validation as a “ticket to ride”—a one-time toll we pay to enter GMP compliance—and start treating it as a “ticket to doubt.” Validation gives us permission to use the method, but only as long as the data continues to support the hypothesis of fitness.

The Reality Check (The “Unholy Trinity” of Warning Letters)

Philosophy and guidelines are fine, but in 2025, reality kicked in the door. The regulatory year was defined by three critical warning letters—Sanofi, LeMaitre, and Rechon—that collectively dismantled the industry’s illusions of control.

It began, as these things often do, with a ghost from the past.

Sanofi Framingham: The Pendulum Swings Back

**(Reflecting on: Failure to Investigate Critical Deviations and The Sanofi Warning Letter)**

The year opened with a shock. On January 15, 2025, the FDA issued a warning letter to Sanofi’s Framingham facility—the sister site to the legacy Genzyme Allston landing, whose consent decree defined an entire generation of biotech compliance and of my career.

In my January analysis (“Failure to Investigate Critical Deviations: A Cautionary Tale“), I noted that the FDA’s primary citation was a failure to “thoroughly investigate any unexplained discrepancy.”

This is the cardinal sin of Falsifiable Quality.

An “unexplained discrepancy” is a signal from reality. It is the system telling you, “Your hypothesis about this process is wrong.”

The Falsifiable Response: You dive into the discrepancy. You assume your control strategy missed something. You use Causal Reasoning (the topic of my May post) to find the mechanism of failure.
The Sanofi Response: As the warning letter detailed, they frequently attributed failures to “isolated incidents” or superficial causes without genuine evidence.

This is the “Refusal to Falsify.” By failing to investigate thoroughly, the firm protects the comfortable status quo. They choose to believe the “Happy Path” (the process is robust) over the evidence (the discrepancy).

The Pendulum of Compliance

In my companion post (“Sanofi Warning Letter”), I discussed the “pendulum of compliance.” The Framingham site was supposed to be the fortress of quality, built on the lessons of the Genzyme crisis.

The failure at Sanofi wasn’t a lack of SOPs; it was a lack of curiosity.

The investigators likely had checklists, templates, and timelines (Compliance Theater), but they lacked the mandate—or perhaps the Expertise —to actually solve the problem.

This set the thematic stage for the rest of 2025. Sanofi showed us that “closing the deviation” is not the same as fixing the problem. This insight led directly into my August argument in “The Effectiveness Paradox“: You can close 100% of your deviations on time and still have a manufacturing process that is spinning out of control.

If Sanofi was the failure of investigation (looking back), Rechon and LeMaitre were failures of surveillance (looking forward). Together, they form a complete picture of why unfalsifiable systems fail.

Reflecting on: Rechon Life Science and LeMaitre Vascular

Philosophy and guidelines are fine, but in September, reality kicked in the door.

Two warning letters in 2025—Rechon Life Science (September) and LeMaitre Vascular (August)—provided brutal case studies in what happens when “representative sampling” is treated as a buzzword rather than a statistical requirement.

Rechon Life Science: The Map vs. The Territory

The Rechon Life Science warning letter was a significant regulatory signal of 2025 regarding sterile manufacturing. It wasn’t just a list of observations; it was an indictment of unfalsifiable Contamination Control Strategies (CCS).

We spent 2023 and 2024 writing massive CCS documents to satisfy Annex 1. Hundreds of pages detailing airflows, gowning procedures, and material flows. We felt good about them. We felt “compliant.”

Then the FDA walked into Rechon and essentially asked: “If your CCS is so good, why does your smoke study show turbulence over the open vials?”

The warning letter highlighted a disconnect I’ve called “The Map vs. The Territory.”

The Map: The CCS document says the airflow is unidirectional and protects the product.
The Territory: The smoke study video shows air eddying backward from the operator to the sterile core.

In an unfalsifiable system, we ignore the smoke study (or film it from a flattering angle) because it contradicts the CCS. We prioritize the documentation (the claim) over the observation (the evidence).

In a falsifiable system, the smoke study is the test. If the smoke shows turbulence, the CCS is falsified. We don’t defend the CCS; we rewrite it. We redesign the line.

The FDA’s critique of Rechon’s “dynamic airflow visualization” was devastating because it showed that Rechon was using the smoke study as a marketing video, not a diagnostic tool. They filmed “representative” operations that were carefully choreographed to look clean, rather than the messy reality of interventions.

LeMaitre Vascular: The Sin of “Aspirational Data”

If Rechon was about air, LeMaitre Vascular (analyzed in my August post “When Water Systems Fail“) was about water. And it contained an even more egregious sin against falsifiability.

The FDA observed that LeMaitre’s water sampling procedures required cleaning and purging the sample valves before taking the sample.

Let’s pause and consider the epistemology of this.

The Goal: To measure the quality of the water used in manufacturing.
The Reality: Manufacturing operators do not purge and sanitize the valve for 10 minutes before filling the tank. They open the valve and use the water.
The Sample: By sanitizing the valve before sampling, LeMaitre was measuring the quality of the sampling process, not the quality of the water system.

I call this “Aspirational Data.” It is data that reflects the system as we wish it existed, not as it actually exists. It is the ultimate unfalsifiable metric. You can never find biofilm in a valve if you scrub the valve with alcohol before you open it.

The FDA’s warning letter was clear: “Sampling… must include any pathway that the water travels to reach the process.”

LeMaitre also performed an unauthorized “Sterilant Switcheroo,” changing their sanitization agent without change control or biocompatibility assessment. This is the hallmark of an unfalsifiable culture: making changes based on convenience, assuming they are safe, and never designing the study to check if that assumption is wrong.

The “Representative” Trap

Both warning letters pivot on the misuse of the word “representative.”

Firms love to claim their EM sampling locations are “representative.” But representative of what? Usually, they are representative of the average condition of the room—the clean, empty spaces where nothing happens.

But contamination is not an “average” event. It is a specific, localized failure. A falsifiable EM program places probes in the “worst-case” locations—near the door, near the operator’s hands, near the crimping station. It tries to find contamination. It tries to falsify the claim that the zone is sterile, asceptic or bioburden reducing.

When Rechon and LeMaitre failed to justify their sampling locations, they were guilty of designing an unfalsifiable experiment. They placed the “microscope” where they knew they wouldn’t find germs.

2025 taught us that regulators are no longer impressed by the thickness of the CCS binder. They are looking for the logic of control. They are testing your hypothesis. And if you haven’t tested it yourself, you will fail.

The Investigation as Evidence

(Reflecting on: The Golden Start to a Deviation Investigation, Causal Reasoning, Take-the-Best Heuristics, and The Catalent Case)

If Rechon, LeMaitre, and Sanofi teach us anything, it is that the quality system’s ability to discover failure is more important than its ability to prevent failure.

A perfect manufacturing process that no one is looking at is indistinguishable from a collapsing process disguised by poor surveillance. But a mediocre process that is rigorously investigated, understood, and continuously improved is a path toward genuine control.

The investigation itself—how we respond to a deviation, how we reason about causation, how we design corrective actions—is where falsifiable quality either succeeds or fails.

The Golden Day: When Theory Meets Work-as-Done

In April, I published “The Golden Start to a Deviation Investigation,” which made a deceptively simple argument: The first 24 hours after a deviation is discovered are where your quality system either commits to discovering truth or retreats into theater.

This argument sits at the heart of falsifiable quality.

When a deviation occurs, you have a narrow window—what I call the “Golden Day”—where evidence is fresh, memories are intact, and the actual conditions that produced the failure still exist. If you waste this window with vague problem statements and abstract discussions, you permanently lose the ability to test causal hypotheses later.

The post outlined a structured protocol:

First, crystallize the problem. Not “potency was low”—but “Lot X234, potency measured at 87% on January 15th at 14:32, three hours after completion of blending in Vessel C-2.” Precision matters because only specific, bounded statements can be falsified. A vague problem statement can always be “explained away.”

Second, go to the Gemba. This is the antidote to “work-as-imagined” investigation. The SOP says the temperature controller should maintain 37°C +/- 2°C. But the Gemba walk reveals that the probe is positioned six inches from the heating element, the data logger is in a recessed pocket where humidity accumulates, and the operator checks it every four hours despite a requirement to check hourly. These are the facts that predict whether the deviation will recur.

Third, interview with cognitive discipline. Most investigations fail not because investigators lack information, but because they extract information poorly. Cognitive interviewing—developed by the FBI and the National Transportation Safety Board—uses mental reinstatement, multiple perspectives, and sequential reordering to access accurate recall rather than confabulated narrative. The investigator asks the operator to walk through the event in different orders, from different viewpoints, each time triggering different memory pathways. This is not “soft” technique; it is a mechanism for generating falsifiable evidence.

The Golden Day post makes it clear: You do not investigate deviations to document compliance. You investigate deviations to gather evidence about whether your understanding of the process is correct.

Causal Reasoning: Moving Beyond “What Was Missing”

Most investigation tools fail not because they are flawed, but because they are applied with the wrong mindset. In my May post “Causal Reasoning: A Transformative Approach to Root Cause Analysis,” I argued that pharmaceutical investigations are often trapped in “negative reasoning.”

Negative reasoning asks: “What barrier was missing? What should have been done but wasn’t?” This mindset leads to unfalsifiable conclusions like “Procedure not followed” or “Training was inadequate.” These are dead ends because they describe the absence of an ideal, not the presence of a cause.

Causal reasoning flips the script. It asks: “What was present in the system that made the observed outcome inevitable?”

Instead of settling for “human error,” causal reasoning demands we ask: What environmental cues made the action sensible to the operator at that moment? Were the instructions ambiguous? Did competing priorities make compliance impossible? Was the process design fragile?

This shift transforms the investigation from a compliance exercise into a scientific inquiry.

Consider the LeMaitre example:

Negative Reasoning: “Why didn’t they sample the true condition?” Answer: “Because they didn’t follow the intent of the sampling plan.”
Causal Reasoning: “What made the pre-cleaning practice sensible to them?” Answer: “They believed it ensured sample validity by removing valve residue.”

By understanding the why, we identify a knowledge gap that can be tested and corrected, rather than a negligence gap that can only be punished.

In September, “Take-the-Best Heuristic for Causal Investigation” provided a practical framework for this. Instead of listing every conceivable cause—a process that often leads to paralysis—the “Take-the-Best” heuristic directs investigators to focus on the most information-rich discriminators. These are the factors that, if different, would have prevented the deviation. This approach focuses resources where they matter most, turning the investigation into a targeted search for truth.

CAPA: Predictions, Not Promises

The Sanofi warning letter—analyzed in January—showed the destination of unfalsifiable investigation: CAPAs that exist mainly as paperwork.

Sanofi had investigation reports. They had “corrective actions.” But the FDA noted that deviations recurred in similar patterns, suggesting that the investigation had identified symptoms, not mechanisms, and that the “corrective” action had not actually addressed causation.

This is the sin of treating CAPA as a promise rather than a hypothesis.

A falsifiable CAPA is structured as an explicit prediction: “If we implement X change, then Y undesirable outcome will not recur under conditions Z.”

This can be tested. If it fails the test, the CAPA itself becomes evidence—not of failure, but of incomplete causal understanding. Which is valuable.

In the Rechon analysis, this showed up concretely: The FDA’s real criticism was not just that contamination was found; it was that Rechon’s Contamination Control Strategy had no mechanism to falsify itself. If the CCS said “unidirectional airflow protects the product,” and smoke studies showed bidirectional eddies, the CCS had been falsified. But Rechon treated the falsification as an anomaly to be explained away, rather than evidence that the CCS hypothesis was wrong.

A falsifiable organization would say: “Our CCS predicted that Grade A in an isolator with this airflow pattern would remain sterile. The smoke study proves that prediction wrong. Therefore, the CCS is false. We redesign.”

Instead, they filmed from a different angle and said the aerodynamics were “acceptable.”

Knowledge Integration: When Deviations Become the Curriculum

The final piece of falsifiable investigation is what I call “knowledge integration.” A single deviation is a data point. But across the organization, deviations should form a curriculum about how systems actually fail.

Sanofi’s failure was not that they investigated each deviation badly (though they did). It was that they investigated them in isolation. Each deviation closed on its own. Each CAPA addressed its own batch. There was no organizational learning—no mechanism for a pattern of similar deviations to trigger a hypothesis that the control strategy itself was fundamentally flawed.

This is where the Catalent case study, analyzed in September’s “When 483s Reveal Zemblanity,” becomes instructive. Zemblanity is the opposite of serendipity: the seemingly random recurrence of the same failure through different paths. Catalent’s 483 observations were not isolated mistakes; they formed a pattern that revealed a systemic assumption (about equipment capability, about environmental control, about material consistency) that was false across multiple products and locations.

A falsifiable quality system catches zemblanity early by:

Treating each deviation as a test of organizational hypotheses, not as an isolated incident.
Trending deviation patterns to detect when the same causal mechanism is producing failures across different products, equipment, or operators.
Revising control strategies when patterns falsify the original assumptions, rather than tightening parameters at the margins.

The Digital Hallucination (CSA, AI, and the Expertise Crisis)

(Reflecting on: CSA: The Emperor’s New Clothes, Annex 11, and The Expertise Crisis)

While we battled microbes in the cleanroom, a different battle was raging in the server room. 2025 was the year the industry tried to “modernize” validation through Computer Software Assurance (CSA) and AI, and in many ways, it was the year we tried to automate our way out of thinking.

CSA: The Emperor’s New Validation Clothes

In September, I published “Computer System Assurance: The Emperor’s New Validation Clothes,” a critique of the the contortions being made around the FDA’s guidance. The narrative sold by consultants for years was that traditional Computer System Validation (CSV) was “broken”—too much documentation, too much testing—and that CSA was a revolutionary new paradigm of “critical thinking.”

My analysis showed that this narrative is historically illiterate.

The principles of CSA—risk-based testing, leveraging vendor audits, focusing on intended use—are not new. They are the core principles of GAMP5 and have been applied for decades now.

The industry didn’t need a new guidance to tell us to use critical thinking; we had simply chosen not to use the critical thinking tools we already had. We had chosen to apply “one-size-fits-all” templates because they were safe (unfalsifiable).

The CSA guidance is effectively the FDA saying: “Please read the GAMP5 guide you claimed to be following for the last 15 years.”

The danger of the “CSA Revolution” narrative is that it encourages a swing to the opposite extreme: “Unscripted Testing” that becomes “No Testing.”

In a falsifiable system, “unscripted testing” is highly rigorous—it is an expert trying to break the software (“Ad Hoc testing”). But in an unfalsifiable system, “unscripted testing” becomes “I clicked around for 10 minutes and it looked fine.”

The Expertise Crisis: AI and the Death of the Apprentice

This leads directly to the Expertise Crisis. In September, I wrote “The Expertise Crisis: Why AI’s War on Entry-Level Jobs Threatens Quality’s Future.” This was perhaps the most personal topic I covered this year, because it touches on the very survival of our profession.

We are rushing to integrate Artificial Intelligence (AI) into quality systems. We have AI writing deviations, AI drafting SOPs, AI summarizing regulatory changes. The efficiency gains are undeniable. But the cost is hidden, and it is epistemological.

Falsifiability requires expertise.
To falsify a claim—to look at a draft investigation report and say, “No, that conclusion doesn’t follow from the data”—you need deep, intuitive knowledge of the process. You need to know what a “normal” pH curve looks like so you can spot the “abnormal” one that the AI smoothed over.

Where does that intuition come from? It comes from the “grunt work.” It comes from years of reviewing batch records, years of interviewing operators, years of struggling to write a root cause analysis statement.

The Expertise Crisis is this: If we give all the entry-level work to AI, where will the next generation of Quality Leaders come from?

The Junior Associate doesn’t review the raw data; the AI summarizes it.
The Junior Associate doesn’t write the deviation; the AI generates the text.
Therefore, the Junior Associate never builds the mental models necessary to critique the AI.

The Loop of Unfalsifiable Hallucination

We are creating a closed loop of unfalsifiability.

The AI generates a plausible-sounding investigation report.
The human reviewer (who has been “de-skilled” by years of AI reliance) lacks the deep expertise to spot the subtle logical flaw or the missing data point.
The report is approved.
The “hallucination” becomes the official record.

In a falsifiable quality system, the human must remain the adversary of the algorithm. The human’s job is to try to break the AI’s logic, to check the citations, to verify the raw data.
But in 2025, we saw the beginnings of a “Compliance Autopilot”—a desire to let the machine handle the “boring stuff.”

My warning in September remains urgent: Efficiency without expertise is just accelerated incompetence. If we lose the ability to falsify our own tools, we are no longer quality professionals; we are just passengers in a car driven by a statistical model that doesn’t know what “truth” is.

My post “The Missing Middle in GMP Decision Making: How Annex 22 Redefines Human-Machine Collaboration in Pharmaceutical Quality Assurance” goes a lot deeper here.

Annex 11 and Data Governance

In August, I analyzed the draft Annex 11 (Computerised Systems) in the post “Data Governance Systems: A Fundamental Shift.”

The Europeans are ahead of the FDA here. While the FDA talks about “Assurance” (testing less), the EU is talking about “Governance” (controlling more). The new Annex 11 makes it clear: You cannot validate a system if you do not control the data lifecycle. Validation is not a test script; it is a state of control.

This aligns perfectly with USP <1225> and <1220>. Whether it’s a chromatograph or an ERP system, the requirement is the same: Prove that the data is trustworthy, not just that the software is installed.

The Process as a Hypothesis (CPV & Cleaning)

(Reflecting on: Continuous Process Verification and Hypothesis Formation)

The final frontier of validation we explored in 2025 was the manufacturing process itself.

CPV: Continuous Falsification

In March, I published “Continuous Process Verification (CPV) Methodology and Tool Selection.”
CPV is the ultimate expression of Falsifiable Quality in manufacturing.

Traditional Validation (3 Batches): “We made 3 good batches, therefore the process is perfect forever.” (Unfalsifiable extrapolation).
CPV: “We made 3 good batches, so we have a license to manufacture, but we will statistically monitor every subsequent batch to detect drift.” (Continuous hypothesis testing).

The challenge with CPV, as discussed in the post, is that it requires statistical literacy. You cannot implement CPV if your quality unit doesn’t understand the difference between Cpk and Ppk, or between control limits and specification limits.

This circles back to the Expertise Crisis. We are implementing complex statistical tools (CPV software) at the exact moment we are de-skilling the workforce. We risk creating a “CPV Dashboard” that turns red, but no one knows why or what to do about it.

Cleaning Validation: The Science of Residue

In August, I tried to apply falsifiability to one of the most stubborn areas of dogma: Cleaning Validation.

In “Building Decision-Making with Structured Hypothesis Formation,“ I argued that cleaning validation should not be about “proving it’s clean.” It should be about “understanding why it gets dirty.”

Traditional Approach: Swab 10 spots. If they pass, we are good.
Hypothesis Approach: “We hypothesize that the gasket on the bottom valve is the hardest to clean. We predict that if we reduce rinse time by 1 minute, that gasket will fail.”

By testing the boundaries—by trying to make the cleaning fail—we understand the Design Space of the cleaning process.

We discussed the “Visual Inspection” paradox in cleaning: If you can see the residue, it failed. But if you can’t see it, does it pass?

Only if you have scientifically determined the Visible Residue Limit (VRL). Using “visually clean” without a validated VRL is—you guessed it—unfalsifiable.

To: Jeremiah Genest
From: Perplexity Research
Subject: Draft Content – Single-Use Systems & E&L Section

Here is a section on Single-Use Systems (SUS) and Extractables & Leachables (E&L).

I have positioned this piece to bridge the gap between “Part III: The Reality Check” (Contamination/Water) and “Part V: The Process as a Hypothesis” (Cleaning Validation).

The argument here is that by switching from Stainless Steel to Single-Use, we traded a visible risk (cleaning residue) for an invisible one (chemical migration), and that our current approach to E&L is often just “Paper Safety”—relying on vendor data that doesn’t reflect the “Work-as-Done” reality of our specific process conditions.

The Plastic Paradox (Single-Use Systems and the E&L Mirage)

If the Rechon and LeMaitre warning letters were about the failure to control biological contaminants we can find, the industry’s struggle with Single-Use Systems (SUS) in 2025 was about the chemical contaminants we choose not to find.

We have spent the last decade aggressively swapping stainless steel for plastic. The value proposition was irresistible: Eliminate cleaning validation, eliminate cross-contamination, increase flexibility. We traded the “devil we know” (cleaning residue) for the “devil we don’t” (Extractables and Leachables).

But in 2025, with the enforcement reality of USP <665> (Plastic Components and Systems) settling in, we had to confront the uncomfortable truth: Most E&L risk assessments are unfalsifiable.

The Vendor Data Trap

The standard industry approach to E&L is the ultimate form of “Compliance Theater.”

We buy a single-use bag.
We request the vendor’s regulatory support package (the “Map”).
We see that the vendor extracted the film with aggressive solvents (ethanol, hexane) for 7 days.
We conclude: “Our process uses water for 24 hours; therefore, we are safe.”

This logic is epistemologically bankrupt. It assumes that the Vendor’s Model (aggressive solvents/short time) maps perfectly to the User’s Reality (complex buffers/long duration/specific surfactants).

It ignores the fact that plastics are dynamic systems. Polymers age. Gamma irradiation initiates free radical cascades that evolve over months. A bag manufactured in January might have a different leachable profile than a bag manufactured in June, especially if the resin supplier made a “minor” change that didn’t trigger a notification.

By relying solely on the vendor’s static validation package, we are choosing not to falsify our safety hypothesis. We are effectively saying, “If the vendor says it’s clean, we will not look for dirt.”

USP <665>: A Baseline, Not a Ceiling

The full adoption of USP <665> was supposed to bring standardization. And it has—it provides a standard set of extraction conditions. But standards can become ceilings.

In 2025, I observed a troubling trend of “Compliance by Citation.” Firms are citing USP <665> compliance as proof of absence of risk, stopping the inquiry there.

A Falsifiable E&L Strategy goes further. It asks:

“What if the vendor data is irrelevant to my specific surfactant?”
“What if the gamma irradiation dose varied?”
“What if the interaction between the tubing and the connector creates a new species?”

The Invisible Process Aid

We must stop viewing Single-Use Systems as inert piping. They are active process components. They are chemically reactive vessels that participate in our reaction kinetics.

When we treat them as inert, we are engaging in the same “Aspirational Thinking” that LeMaitre used on their water valves. We are modeling the system we want (pure, inert plastic), not the system we have (a complex soup of antioxidants, slip agents, and degradants).

The lesson of 2025 is that Material Qualification cannot be a paper exercise. If you haven’t done targeted simulation studies that mimic your actual “Work-as-Done” conditions, you haven’t validated the system. You’ve just filed the receipt.

The Mandate for 2026

As we look toward 2026, the path is clear. We cannot go back to the comfortable fiction of the pre-2025 era.

The regulatory environment (Annex 1, ICH Q14, USP <1225>, Annex 11) is explicitly demanding evidence of control, not just evidence of compliance. The technological environment (AI) is demanding that we sharpen our human expertise to avoid becoming obsolete. The physical environment (contamination, supply chain complexity) is demanding systems that are robust, not just rigid.

The mandate for the coming year is to build Falsifiable Quality Systems.

What does that look like practically?

In the Lab: Implement USP <1225> logic now. Don’t wait for the official date. Validate your reportable results. Add “challenge tests” to your routine monitoring.
In the Plant: Redesign your Environmental Monitoring to hunt for contamination, not to avoid it. If you have a “perfect” record in a Grade C area, move the plates until you find the dirt.
In the Office: Treat every investigation as a chance to falsify the control strategy. If a deviation occurs that the control strategy said was impossible, update the control strategy.
In the Culture: Reward the messenger. The person who finds the crack in the system is not a troublemaker; they are the most valuable asset you have. They just falsified a false sense of security.
In Design: Embrace the “Elegant Quality System“ (discussed in May). Complexity is the enemy of falsifiability. Complex systems hide failures; simple, elegant systems reveal them.

2025 was the year we stopped pretending. 2026 must be the year we start building. We must build systems that are honest enough to fail, so that we can build processes that are robust enough to endure.

Thank you for reading, challenging, and thinking with me this year. The investigation continues.

The Taxonomy of Clean: Why Confusing Microbial Control, Aseptic, and Sterile is Wrecking Your Contamination Control Strategy

If I had a dollar for every time I sat in a risk assessment workshop and heard someone use “aseptic” and “sterile” interchangeably, I could probably fund my own private isolator line. It is one of those semantic slips that seems harmless on the surface—like confusing “precision” with “accuracy”—but in the pharmaceutical quality world, these linguistic shortcuts are often the canary in the coal mine for a systemic failure of understanding.

We are currently navigating the post-Annex 1 implementation landscape, a world where the Contamination Control Strategy (CCS) has transitioned from a “nice-to-have” philosophy to a mandatory, living document. Yet, I frequently see CCS documents that read like a disorganized shopping list of controls rather than a coherent strategy. Why? Because the authors haven’t fundamentally distinguished between microbial control, aseptic processing, and sterility.

If we cannot agree on what we are trying to achieve, we certainly cannot build a strategy to achieve it. Today, I want to unpack these terms—not for the sake of pedantry, but because the distinction dictates your facility design, your risk profile, and ultimately, patient safety. We will also look at how these definitions map onto the spectrum of open and closed systems, and critically, how they apply across drug substance and drug product manufacturing. This last point is where I see the most confusion—and where the stakes are highest.

The Definitions: More Than Just Semantics

Let’s strip this back. These aren’t just vocabulary words; they are distinct operational states that demand different control philosophies.

Microbial Control: The Art of Management

Microbial control is the baseline. It is the broad umbrella under which all our activities sit, but it is not synonymous with sterility. In the world of non-sterile manufacturing (tablets, oral liquids, topicals), microbial control is about bioburden management. We aren’t trying to eliminate life; we are trying to keep it within safe, predefined limits and, crucially, ensure the absence of “objectionable organisms.”

In a sterile manufacturing context, microbial control is what happens before the sterilization step. It is the upstream battle. It is the control of raw materials, the WFI loops, the bioburden of the bulk solution prior to filtration.

Impact on CCS: If your CCS treats microbial control as “sterility light,” you will fail. A strategy for microbial control focuses on trend analysis, cleaning validation, and objectionable organism assessments. It relies heavily on understanding the microbiome of your facility. It accepts that microorganisms are present but demands they be the right kind (skin flora vs. fecal) and in the right numbers.

Sterile: The Absolute Negative

Sterility is an absolute. There is no such thing as “a little bit sterile.” It is a theoretical concept defined by a probability—the Sterility Assurance Level (SAL), typically 10⁻⁶.

Here is the critical philosophical point: Sterility is a negative quality attribute. You cannot test for it. You cannot inspect for it. By the time you get a sterility test result, the batch is already made. Therefore, you cannot “control” sterility in the same way you control pH or dissolved oxygen. You can only assure it through the validation of the process that delivered it.

Impact on CCS: Your CCS cannot rely on monitoring to prove sterility. Any strategy that points to “passing sterility tests” as a primary control measure is fundamentally flawed. The CCS for sterility must focus entirely on the robustness of the sterilization cycle (autoclave validation, gamma irradiation dosimetry, VHP cycles) and the integrity of the container closure system.

Aseptic: The Maintenance of State

This is where the confusion peaks. Aseptic does not mean “sterilizing.” Aseptic processing is the methodology of maintaining the sterility of components that have already been sterilized individually. It is the handling, the assembly, and the filling of sterile parts in a sterile environment.

If sterilization is the act of killing, aseptic processing is the act of not re-contaminating.

Impact on CCS: This is the highest risk area. Why? Because it involves the single dirtiest variable in our industry: people. An aseptic CCS is almost entirely focused on intervention management, first air protection, and behavioral controls. It is about the “tacit knowledge” of the operator—knowing how to move slowly, knowing not to block the HEPA flow. If your CCS focuses on environmental monitoring (EM) data here, you are reacting, not controlling. The strategy must be prevention of ingress.

Drug Substance vs. Drug Product: The Fork in the Road

This is where the plot thickens. Many quality professionals treat the CCS as a monolithic framework, but drug substance manufacturing and drug product manufacturing are fundamentally different activities with different contamination risks, different control philosophies, and different success criteria.

Let me be direct: confusing these two stages is the source of many failed validation studies, inappropriate risk assessments, and ultimately, preventable contamination events.

Drug Substance: The Upstream Challenge

Drug substance (the active pharmaceutical ingredient, or API) is typically manufactured in a dedicated facility, often from biological fermentation (for biotech) or chemical synthesis. The critical distinction is this: drug substance manufacturing is almost always a closed process.

Why? Because the bulk is continuously held in vessels, tanks, or bioreactors. It is rarely exposed to the open room environment. Even where additions occur (buffers, precipitants), these are often made through closed connectors or valving systems.

The CCS for drug substance therefore prioritizes:

Bioburden control of the bulk product at defined process stages. This is not about sterility assurance; it is about understanding the microbial load before formulation and the downstream sterilizing filter. The European guidance (CPMP Note for Guidance on Manufacture) is explicit: the maximum acceptable bioburden prior to sterilizing filtration is typically ≤10 CFU/100 mL for aseptically filled products.
Process hold times. One of the most underappreciated risks in drug substance manufacturing is the hold time between stages—the time the bulk sits in a vessel before the next operation. If you haven’t validated that microorganisms won’t grow during a 72-hour hold at room temperature, you haven’t validated your process. The pharmaceutical literature is littered with cases where insufficient attention to hold time validation led to unexpected bioburden increases (50-100× increases have been observed).
Intermediate bioburden testing. The CCS must specify where in the process bioburden is assessed. I advocate for testing at critical junctures:
- At the start of manufacturing (raw materials/fermentation)
- Post-purification (to assess effectiveness of unit operations)
- Prior to formulation/final filtration (this is the regulatory checkpoint)
Equipment design and cleanliness. Drug substance vessels and transfer lines are part of the microbial control landscape. They are not Grade A environments (because the product is in a closed vessel), but they must be designed and maintained to prevent bioburden increase. This includes cleaning and disinfection, material of construction (stainless steel vs. single-use), and microbial monitoring of water used for equipment cleaning.
Water systems. The water used in drug substance manufacturing (for rinsing, for buffer preparation) is a critical contamination source. Water for Injection (WFI) has a specification of ≤0.1 CFU/mL. However, many drug substance processes use purified water or even highly purified water (HPW), where microbial control is looser. The CCS must specify the water system design, the microbial limits, and the monitoring frequency.

The environmental monitoring program for drug substance is quite different from drug product. There are no settle plates of the drug substance itself (it’s not open). Instead, EM focuses on the compressor room (if using compressed gases), water systems, and post-manufacturing equipment surfaces. The EM is about detecting facility drift, not about detecting product contamination in real-time.

Drug Product: The Aseptic Battlefield

Drug product manufacturing—the formulation, filling, and capping of the drug substance into vials or containers—is where the real contamination risk lives.

For sterile drug products, this is the aseptic filling stage. And here, the CCS is almost entirely different from drug substance.

The CCS for drug product prioritizes:

Intervention management and aseptic technique validation. Every opening of a sterile vial, every manual connection, every operator interaction is a potential contamination event. The CCS must specify:
- Gowning requirements (Grade A background requires full body coverage, including hood, suit, and sterile gloves)
- Aseptic technique training and periodic requalification (gloved hand aseptic technique, GHAT)
- First-air protection (the air directly above the vial or connection point must be Grade A)
- Speed of operations (rapid movements increase turbulence and microbial dispersion)
Container closure integrity. Once filled, the vial is sealed. But the window of vulnerability is the time between filling and capping. The CCS must specify maximum exposure times prior to closure (often 5-15 minutes, depending on the filling line). Any vial left uncapped beyond this window is at risk.
Real-time environmental monitoring. Unlike drug substance manufacturing, drug product EM is your primary detective. Settle plates in the Grade A filling zone, active air samplers, surface monitoring, and gloved-hand contact plates are all part of the CCS. The logic is: if you see a trend in EM data during the filling run, you can stop the batch and investigate. You cannot do this with end-product sterility testing (you get the result weeks later). This is why parametric monitoring of differential pressures, airflow velocities, and particle counts is critical—it gives you live feedback.
Container closure integrity testing. This is critical for the drug product CCS. You can fill a vial perfectly under Grade A conditions, but if the container closure system is compromised, the sterility is lost. The CCS must include:
- Validation of the closure system during development
- Routine CCI testing (often helium leak detection) as part of QC
- Shelf-life stability studies that include CCI assessments

The key distinction: Drug substance CCS is about upstream prevention (keeping microorganisms out of the bulk). Drug product CCS is about downstream detection and prevention of re-contamination (because the product is no longer in a controlled vessel, it is now exposed).

The Bridge: Sterilizing Filtration

Here is where the two meet. The drug substance, with its controlled bioburden, passes through a sterilizing-grade filter (0.2 µm) into a sterile holding vessel. This is the handoff point. The filter is validated to remove ≥99.99999999% (log 10) of the challenge organisms.

The CCS must address this transition:

The bioburden before filtration must be ≤10 CFU/100 mL (European limit; the FDA requires “appropriate limits” but does not specify a number).
The filtration process itself must be validated with the actual drug substance and challenge organisms.
Post-filtration, the bulk is considered sterile (by probability) and enters aseptic filling.

Many failures I have seen involve inadequate attention to the state of the product at this handoff. A bulk solution that has grown from 5 CFU/mL to 500 CFU/mL during a hold time can still technically be “filtered.” But it challenges the sterilizing filter, increases the risk of breakthrough, and is frankly an indication of poor upstream control. The CCS must make this connection explicit.

From Definitions to Strategy: The Open vs. Closed Spectrum

Now that we have the definitions, and we understand the distinction between drug substance and drug product, we have to talk about where these activities happen. The regulatory wind (specifically Annex 1) is blowing hard in one direction: separation of the operator from the process.

This brings us to the concept of Open vs. Closed systems. This isn’t a binary switch; it’s a spectrum of risk.

The “Open” System: The Legacy Nightmare

In a truly open system, the product or critical surfaces are exposed to the cleanroom environment, which is shared by operators.

The Setup: A Grade A filling line with curtain barriers, or worse, just laminar flow hoods where operators reach in with gowned arms.
The Risk: The operator is part of the environment. Every movement sheds particles. Every intervention is a roll of the dice.
CCS Implications: If you are running an open system, your CCS is working overtime. You are relying heavily on personnel qualification, gowning discipline, and aggressive Environmental Monitoring (EM). You are essentially fighting a war of attrition against entropy. The “Microbial Control” aspect here is desperate; you are relying on airflow to sweep away the contamination that you know is being generated by the people in the room.

This is almost never used for drug substance (which is in a closed vessel) but remains common in older drug product filling lines.

The Restricted Access Barrier System (RABS): The Middle Ground

RABS attempts to separate the operator from the critical zone via a rigid wall and glove ports, but it retains a connection to the room’s air supply.

Active RABS: Has its own onboard fan/HEPA units.
Passive RABS: Relies on the ceiling HEPA filters of the room.
Closed RABS: Doors are kept locked during the batch.
Open RABS: Doors can be opened (though they shouldn’t be).

CCS Implications: Here, the CCS shifts. The reliance on gowning decreases slightly (though Grade B background is still required), and the focus shifts to intervention management. The “Aseptic” strategy here is about door discipline. If a door is opened, you have effectively reverted to an open system. The CCS must explicitly define what constitutes a “closed” state and rigorously justify any breach.

The Closed System: The Holy Grail

A closed system is one where the product is never exposed to the immediate room environment. This is achieved via Isolators (for drug product filling) or Single-Use Systems (SUS) (for both drug substance transfers and drug product formulation).

Isolators: These are fully sealed units, often biodecontaminated with VHP, operating at a pressure differential. The operator is physically walled off. The critical zone (inside the isolator) is often Class 5 or better, while the surrounding room can be Class 7 or Class 8.
Single-Use Systems (SUS): Gamma-irradiated bags, tubing, and connectors (like aseptic connectors or tube welders) that create a sterile fluid path from start to finish. For drug substance, SUS is increasingly the norm—a connected bioprocess using Flexel or similar technology. For drug product, SUS includes pre-filled syringe filling systems, which eliminate the open vial/filling needle risk.

CCS Implications:

This is where the definitions we discussed earlier truly diverge, and where the drug substance vs. drug product distinction becomes clear.

Microbial Control (Drug Substance in SUS): The environment outside the SUS matters almost not at all. The control focus moves to:

Integrity testing (leak testing the connections)
Bioburden of the incoming bulk (before it enters the SUS)
Duration of hold (how long can the sterile fluid path remain static without microbial growth?)
A drug substance process using SUS (e.g., a continuous perfusion bioreactor feeding into a SUS train for chromatography, buffer exchange, and concentration) can run in a Grade C or even Grade D facility. The process itself is closed.

Sterile (Isolator for Drug Product Filling): The focus is on the VHP cycle validation. The isolator is fumigated with vaporized hydrogen peroxide, and the cycle is validated to achieve a 6-log reduction of a challenge organism. Once biodecontaminated, the isolator is considered “sterile” (or more accurately, “free from viable organisms”), and the drug product filling occurs inside.

Aseptic (Within Closed Systems): The “aseptic” risk is reduced to the connection points. For example: In a SUS, the risk is the act of disconnecting the bag when the process is complete. This must be done aseptically (often with a tube welder).

In an isolator filling line, the risk is the transfer of vials into and out of the isolator (through a rapid transfer port, or RTP, or through a port that is first disinfected).

The CCS focuses on the make or break moment—the point where sterility can be compromised.

The “Functionally Closed” Trap

A word of caution: I often see processes described as “closed” that are merely “functionally closed.”

Example: A bioreactor is SIP’d (sterilized in place) and runs in a closed loop, but then an operator has to manually open a sampling port with a needle to withdraw samples for bioburden testing.
The Reality: That is an open operation in a closed vessel.
CCS Requirement: Your strategy must identify these “briefly open” moments. These are your Critical Control Points (CCPs) (if using HACCP terminology). The strategy must layer controls here:
- Localized Grade A air (a laminar flow station or glovebox around the sampling port)
- Strict behavioral training (the operator must don sterile gloves, swab the port with 70% isopropyl alcohol, and execute the sampling in <2 minutes)
- Immediate closure and post-sampling disinfection

I have seen drug substance batches rejected because of a single bioburden sample taken during an open operation that exceeded action levels. The bioburden itself may not have been representative of the bulk; it may have been adventitious contamination during sampling. But the CCS failed to protect the process during that vulnerable moment.

The “So What?” for Your Contamination Control Strategy

So, how do we pull this together into a cohesive document that doesn’t just sit on a shelf gathering dust?

Map the Process, Not the Room

Stop writing your CCS based on room grades. Write it based on the process flow. Map the journey of the product.

For Drug Substance:

Where is it synthesized or fermented? (typically in closed bioreactors)
Where is it purified? (chromatography columns, which are generally closed)
Where is it concentrated or buffer-exchanged? (tangential flow filtration units, which are closed)
Where is it held before filtration? (hold vessels, which are closed)
Where does it become sterile (filtration through 0.2 µm filter)

For Drug Product:

Where is the sterile bulk formulated? (generally in closed tanks or bags)
Where is it filled? (either in an isolator, a RABS, or an open line)
Where is it sealed? (capping machine, which must maintain Grade A conditions)
Where is it tested (QC lab, which is a separate cleanroom environment)

Within each of these stages, identify:

Where microbial control is critical (e.g., bioburden monitoring in drug substance holds)
Where sterility is assured (e.g., the sterilizing filter)
Where aseptic state is maintained (e.g., the filling room, the isolator)

Differentiate the Detectors

For Microbial Control: Use in-process bioburden and endotoxin testing to trend “bulk product quality.” If you see a shift from 5 CFU/mL (upstream) to 100 CFU/mL (mid-process), your CCS has a problem. These are alerts, not just data points.
For Aseptic Processing: Use physical monitoring (differential pressures, airflow velocities, particle counts) as your primary real-time indicators. If the pressure drops in the isolator, the aseptic state is compromised, regardless of what the settle plate says 5 days later.
For Sterility: Focus on parametric release concepts. The sterilizing filter validation data, the VHP cycle documentation—these are the product assurance. The end-product sterility test is a confirmation, not a control.

Justify Your Choices: Open vs. Closed, Drug Substance vs. Drug Product

For Drug Substance:

If you are using a closed bioreactor or SUS, your CCS can focus on upstream bioburden control and process hold time validation. Environmental monitoring is secondary (you’re monitoring the facility, not the product).
If you are using an open process (e.g., open fermentation, open harvesting), your CCS must be much tighter, and you need extensive EM.

For Drug Product:

If you are using an isolator or SUS (pre-filled syringe), your CCS focuses on biodecontamination validation and connection point discipline. You can fill in a lower-grade environment.
If you are using an open line or RABS, your CCS must extensively cover gowning, aseptic technique, and real-time EM. This is the higher-risk approach, and Annex 1 is explicitly nudging you away from it.

Explicitly Connect the Two Stages

Your CCS should have a section titled something like “Drug Substance to Drug Product Handoff: The Sterilizing Filtration Stage.” This section should specify:

The target bioburden for the drug substance bulk prior to filtration (typically ≤10 CFU/100 mL)
The filter used (pore size, expected log-reduction value, vendor qualification)
The validation data supporting the filtration (challenge testing with the actual drug substance, with a representative microbial panel)
The post-filtration process (transfer to sterile holding tank, aseptic filling)

This handoff is where drug substance “becomes” sterile, and where aseptic processing “begins.” Do not gloss over it.

One final point, because I see this trip up good quality teams: your CCS must specify how data is collected, stored, analyzed, and acted upon.

For drug substance bioburden and endotoxin data:

Is trending performed monthly? Quarterly?
Who reviews the data?
At what point does a trend prompt investigation?
Are alert and action levels set based on historical facility data, not just pharmacopeial guidance?

For drug product environmental monitoring:

Are EM results reviewed during the filling run (with rapid methods) or after?
If a grow is seen, what is the protocol? Do you stop the batch?
Are microorganisms identified to species? If not, how do you know if it’s a contamination event or just normal flora?

A CCS is only as good as its data management infrastructure. If you are still printing out EM results and filing them in binders, you are not executing Annex 1 in its intended spirit.

Conclusion

The difference between microbial control, aseptic, and sterile is not academic. It is the difference between managing a risk, maintaining a state, and assuring an absolute.

When we confuse these terms, we get “sterile” manufacturing lines that rely on “microbial control” tactics—like trying to test quality into a product via settle plates. We get risk assessments that underestimate the “aseptic” challenge of a manual connection because we assume the “sterile” tube will save us. We get drug substance processes that are validated like drug product processes, with unnecessary Grade A facilities and excessive EM, when a tight bioburden control strategy would be more effective.

Worse, we get a single CCS that tries to cover both drug substance and drug product with the same language and the same controls. These are fundamentally different manufacturing activities with different risks and different control philosophies.

A robust Contamination Control Strategy requires us to be linguistically and technically precise. It demands that we move away from the comfort of open systems and the reliance on retrospective monitoring. It forces us to acknowledge that while we can control microbes in drug substance and assure sterility through sterilization, the aseptic state in drug product filling is a fragile thing, maintained only by the rigor of our design, the separation of the operator from the process, and the discipline of our decisions.

Stop ticking boxes. Start analyzing the process. Understand where you are dealing with microbial control, aseptic processing, or sterility assurance—and make sure your CCS reflects that understanding. And for the love of quality, stop using a single template to describe both drug substance and drug product manufacturing.

Pseudo Science Bingo Card

For years, I’ve half-joked about keeping a bingo card handy whenever I attend a training session, watch a business presentation, or sit through yet another organizational development initiative. It’s a game that writes itself: every Myers-Briggs mention, every invocation of the mythical 70:20:10 rule, every earnest reference to “learning styles” represents a square on an ever-expanding card of pseudoscience masquerading as organizational wisdom.

Here’s a version of the card I’m feeling right now.

Equipment Lifecycle Management in the Eyes of the FDA

The October 2025 Warning Letter to Apotex Inc. is fascinating not because it reveals anything novel about FDA expectations, but because it exposes the chasm between what we know we should do and what we actually allow to happen on our watch. Evaluate it together with what we are seeing for Complete Response Letter (CRL) data, we can see that companies continue to struggle with the concept of equipment lifecycle management.

This isn’t about a few leaking gloves or deteriorated gaskets. This is about systemic failure in how we conceptualize, resource, and execute equipment management across the entire GMP ecosystem. Let me walk you through what the Apotex letter really tells us, where the FDA is heading next, and why your current equipment qualification program is probably insufficient.

The Apotex Warning Letter: A Case Study in Lifecycle Management Failure

The FDA’s Warning Letter to Apotex (WL: 320-26-12, October 31, 2025) reads like a checklist of every equipment lifecycle management failure I’ve witnessed in two decades of quality oversight. The agency cited 21 CFR 211.67(a) equipment maintenance failures, 21 CFR 211.192 inadequate investigations, and 21 CFR 211.113(b) aseptic processing deficiencies. But these citations barely scratch the surface of what actually went wrong.

The Core Failures: A Pattern of Deferral and Neglect

Between September 2023 and April 2025—18 months—Apotex experienced at least eight critical equipment failures during leak testing. Their personnel responded by retesting until they achieved passing results rather than investigating root causes. Think about that timeline. Eight failures over 18 months means a failure every 2-3 months, each one representing a signal that their equipment was degrading. When investigators finally examined the system, they found over 30 leaking areas. This wasn’t a single failure; this was systemic equipment deterioration that the organization chose to work around rather than address.

The letter documents white particle buildup on manufacturing equipment surfaces, particles along conveyor systems, deteriorated gasket seals, and discolored gloves. Investigators observed a six-millimeter glove breach that was temporarily closed with a cable tie before production continued. They found tape applied to “false covers” as a workaround. These aren’t just housekeeping issues—they’re evidence that Apotex had crossed from proactive maintenance into reactive firefighting, and then into dangerous normalization of deviation.

Most damning: Apotex had purchased upgraded equipment nearly a year before the FDA inspection but continued using the deteriorating equipment that was actively generating particles contaminating their nasal spray products. They had the solution in their possession. They chose not to implement it.

The Investigation Gap: Equipment Failures as Quality System Failures

The FDA hammered Apotex on their failure to investigate, but here’s what’s really happening: equipment failures are quality system failures until proven otherwise. When a leak happens , you don’t just replace whatever component leaked. You ask:

Why did this component fail when others didn’t?
Is this a batch-specific issue or a systemic supplier problem?
How many products did this breach potentially affect?
What does our environmental monitoring data tell us about the timeline of contamination?
Are our maintenance intervals appropriate?

Apotex’s investigators didn’t ask these questions. Their personnel retested until they got passing results—a classic example of “testing into compliance” that I’ve seen destroy quality cultures. The quality unit failed to exercise oversight, and management failed to resource proper root cause analysis. This is what happens when quality becomes a checkbox exercise rather than an operational philosophy.

BLA CRL Trends: The Facility Equipment Crisis Is Accelerating

The Apotex warning letter doesn’t exist in isolation. It’s part of a concerning trend in FDA enforcement that’s becoming impossible to ignore. Facility inspection concerns dominate CRL justifications. Manufacturing and CMC deficiencies account for approximately 44% of all CRLs. For biologics specifically, facility-related issues are even more pronounced.

The Biologics-Specific Challenge

Biologics license applications face unique equipment lifecycle scrutiny. The 2024-2025 CRL data shows multiple biosimilars rejected due to third-party manufacturing facility issues despite clean clinical data. Tab-cel (tabelecleucel) received a CRL citing problems at a contract manufacturing organization—the FDA rejected an otherwise viable therapy because the facility couldn’t demonstrate equipment control.

This should terrify every biotech quality leader. The FDA is telling us: your clinical data is worthless if your equipment lifecycle management is suspect. They’re not wrong. Biologics manufacturing depends on consistent equipment performance in ways small molecule chemistry doesn’t. A 0.2°C deviation in a bioreactor temperature profile, caused by a poorly maintained chiller, can alter glycosylation patterns and change the entire safety profile of your product. The agency knows this, and they’re acting accordingly.

The Top 10 Facility Equipment Deficiencies Driving CRLs

Genesis AEC’s analysis of 200+ CRLs identified consistent equipment lifecycle themes:

Inadequate Facility Segregation and Flow (cross-contamination risks from poor equipment placement)
Missing or Incomplete Commissioning & Qualification (especially HVAC, WFI, clean steam systems)
Fire Protection and Hazardous Material Handling Deficiencies (equipment safety systems)
Critical Utility System Failures (WFI loops with dead legs, inadequate sanitization)
Environmental Monitoring System Gaps (manual data recording, lack of 21 CFR Part 11 compliance)
Container Closure and Packaging Validation Issues (missing extractables/leachables data, CCI testing gaps)
Inadequate Cleanroom Classification and Control (ISO 14644 and EU Annex 1 compliance failures)
Lack of Preventive Maintenance and Asset Management (missing calibration records, unclear maintenance responsibilities)
Inadequate Documentation and Change Control (HVAC setpoint changes without impact assessment)
Sustainability and Environmental Controls Overlooked (temperature/humidity excursions affecting product stability)

Notice what’s not on this list? Equipment selection errors. The FDA isn’t seeing companies buy the wrong equipment. They’re seeing companies buy the right equipment and then fail to manage it across its lifecycle. This is a crucial distinction. The problem isn’t capital allocation—it’s operational execution.

FDA’s Shift to “Equipment Lifecycle State of Control”

The FDA has introduced a significant conceptual shift in how they discuss equipment management. The Apotex Warning Letter is part of the agency’s new emphasis on “equipment lifecycle state of control” . This isn’t just semantic gamesmanship. It represents a fundamental understanding that discrete qualification events are not enough and that continuous lifecycle management is long overdue.

What “State of Control” Actually Means

Traditional equipment qualification followed a linear path: DQ → IQ → OQ → PQ → periodic requalification. State of control means:

Continuous monitoring of equipment performance parameters, not just periodic checks
Predictive maintenance based on performance data, not just manufacturer-recommended intervals
Real-time assessment of equipment degradation signals (particle generation, seal wear, vibration changes)
Integrated change management that treats equipment modifications as potential quality events
Traceable decision-making about when to repair, refurbish, or retire equipment

The FDA is essentially saying: qualification is a snapshot; state of control is a movie. And they want to see the entire film, not just the trailer.

This aligns perfectly with the agency’s broader push toward Quality Management Maturity. As I’ve previously written about QMM, the FDA is moving away from checking compliance boxes and toward evaluating whether organizations have the infrastructure, culture, and competence to manage quality dynamically. Equipment lifecycle management is the perfect test case for this shift because equipment degradation is inevitable, predictable, and measurable. If you can’t manage equipment lifecycle, you can’t manage quality.

Global Regulatory Convergence: WHO, EMA, and PIC/S Perspectives

The FDA isn’t operating in a vacuum. Global regulators are converging on equipment lifecycle management as a critical inspection focus, though their approaches differ in emphasis.

EMA: The Annex 15 Lifecycle Approach

EMA’s process validation guidance explicitly requires IQ, OQ, and PQ for equipment and facilities as part of the validation lifecycle. Unlike FDA’s three-stage process validation model, EMA frames qualification as ongoing throughout the product lifecycle. Their 2023 revision of Annex 15 emphasizes:

Validation Master Plans that include equipment lifecycle considerations
Ongoing Process Verification that incorporates equipment performance data
Risk-based requalification triggered by changes, deviations, or trends
Integration with Product Quality Reviews (PQRs) to assess equipment impact on product quality

The EMA expects you to prove your equipment remains qualified through annual PQRs and continuous data review having been more explicit about a lifecycle approach for years.

PIC/S: The Change Management Imperative

PIC/S PI 054-1 on change management provides crucial guidance on equipment lifecycle triggers. The document explicitly identifies equipment upgrades as changes that require formal assessment, planning, and implementation controls. Critically, PIC/S emphasizes:

Interim controls when equipment issues are identified but not yet remediated
Post-implementation monitoring to ensure changes achieve intended risk reduction
Documentation of rejected changes, especially those related to quality/safety hazard mitigation

The Apotex case is a PIC/S textbook violation: they identified equipment deterioration (hazard), purchased upgraded equipment (change proposal), but failed to implement it with appropriate interim controls or timeline management. The result was continued production with deteriorating equipment—exactly what PIC/S guidance is designed to prevent.

WHO: The Resource-Limited Perspective

WHO’s equipment lifecycle guidance, while focused on medical equipment in low-resource settings, offers surprisingly relevant insights for GMP facilities. Their framework emphasizes:

Planning based on lifecycle cost, not just purchase price
Skill development and training as core lifecycle components
Decommissioning protocols that ensure data integrity and product segregation

The WHO model is refreshingly honest about resource constraints, which applies to many GMP facilities facing budget pressure. Their key insight: proper lifecycle management actually reduces total cost of ownership by 3-10x compared to run-to-failure approaches. This is the business case that quality leaders need to make to CFOs who view maintenance as a cost center.

The Six-System Inspection Model: Where Equipment Lifecycle Fits

FDA’s Six-System Inspection Model—particularly the Facilities and Equipment System—provides the structural framework for understanding equipment lifecycle requirements. As I’ve previously written, this system “ensures that facilities and equipment are suitable for their intended use and maintained properly” with focus on “design, maintenance, cleaning, and calibration.”

The Interconnectedness Problem

Here’s where many organizations fail: they treat the six systems as silos. Equipment lifecycle management bleeds across all of them:

Production System: Equipment performance directly impacts process capability
Laboratory Controls: Analytical equipment lifecycle affects data integrity
Materials System: Equipment changes can affect raw material compatibility
Packaging and Labeling: Equipment modifications require revalidation
Quality System: Equipment deviations trigger CAPA and change control

The Apotex warning letter demonstrates this interconnectedness perfectly. Their equipment failures (Facilities & Equipment) led to container-closure integrity issues (Packaging), which they failed to investigate properly (Quality), resulting in distributed product that was potentially adulterated (Production). The FDA’s response required independent assessments of investigations, CAPA, and change management—three separate systems all impacted by equipment lifecycle failures.

The “State of Control” Assessment Questions

If FDA inspectors show up tomorrow, here’s what they’ll ask about your equipment lifecycle management:

Design Qualification: Do your User Requirements Specifications include lifecycle maintenance requirements? Are you specifying equipment with modular upgrade paths, or are you buying disposable assets?
Change Management: When you purchase upgraded equipment, what triggers its implementation? Is there a formal risk assessment linking equipment deterioration to product quality? Or do you wait for failures?
Preventive Maintenance: Are your PM intervals based on manufacturer recommendations, or on actual performance data? Do you have predictive maintenance programs using vibration analysis, thermal imaging, or particle counting?
Decommissioning: When equipment reaches end-of-life, do you have formal retirement protocols that assess data integrity impact? Or does old equipment sit in corners of the cleanroom “just in case”?
Training: Do your operators understand equipment lifecycle concepts? Can they recognize early degradation signals? Or do they just call maintenance when something breaks?

These aren’t theoretical questions. They’re directly from recent 483 observations and CRL deficiencies.

The Business Case: Why Equipment Lifecycle Management Is Economic Imperative

Let’s be blunt: the pharmaceutical industry has treated equipment as a capital expense to be minimized, not an asset to be optimized. This is catastrophically wrong. The Apotex warning letter shows the true cost of this mindset:

Product recalls: Multiple ophthalmic and oral solutions recalled
Production suspension: Sterile manufacturing halted
Independent assessments: Required third-party evaluation of entire quality system
Reputational damage: Public warning letter, potential import alert
Opportunity cost: Products stuck in regulatory limbo while competitors gain market share

Contrast this with the investment required for proper lifecycle management:

Predictive maintenance systems: $50,000-200,000 for sensors and software
Enhanced training programs: $10,000-30,000 annually
Lifecycle documentation systems: $20,000-100,000 implementation
Total: Less than the cost of a single batch recall

The ROI is undeniable. Equipment lifecycle management isn’t a cost center—it’s risk mitigation with quantifiable financial returns.

The CFO Conversation

I’ve had this conversation with CFOs more times than I can count. Here’s what works:

Don’t say: “We need more maintenance budget.”

Say: “Our current equipment lifecycle risk exposure is $X million based on recent CRL trends and warning letters. Investing $Y in lifecycle management reduces that risk by Z% and extends asset utilization by 2-3 years, deferring $W million in capital expenditures.”

Bring data. Show them the Apotex letter. Show them the Tab-cel CRL. Show them the 51 CRLs driven by facility concerns. CFOs understand risk-adjusted returns. Frame equipment lifecycle management as portfolio risk management, not engineering overhead.

Practical Framework: Building an Equipment Lifecycle Management Program

Enough theory. Here’s the practical framework I’ve implemented across multiple DS facilities, refined through inspections, and validated against regulatory expectations.

Phase 1: Asset Criticality Assessment

Not all equipment deserves equal lifecycle attention. Use a risk-based approach:

Criticality Class A (Direct Impact): Equipment whose failure directly impacts product quality, safety, or efficacy. Bioreactors, purification skids, sterile filling lines, environmental monitoring systems. These require full lifecycle management including continuous monitoring, predictive maintenance, and formal retirement protocols.

Criticality Class B (Indirect Impact): Equipment whose failure impacts GMP environment but not direct product attributes. HVAC units, WFI systems, clean steam generators. These require enhanced lifecycle management with robust PM programs and performance trending.

Criticality Class C (No Impact): Non-GMP equipment. Standard maintenance practices apply.

Phase 2: Lifecycle Documentation Architecture

Create a master equipment lifecycle file for each Class A and B asset containing:

User Requirements Specification with lifecycle maintenance requirements
Design Qualification including maintainability and upgrade path assessment
Commissioning Protocol (IQ/OQ/PQ) with acceptance criteria that remain valid throughout lifecycle
Maintenance Master Plan defining PM intervals, spare parts strategy, and predictive monitoring
Performance Trending Protocol specifying parameters to monitor, alert limits, and review frequency
Change Management History documenting all modifications with impact assessment
Retirement Protocol defining end-of-life triggers and data migration requirements

As I’ve written about in my posts on GMP-critical systems, documentation must be living documents that evolve with the asset, not static files that gather dust after qualification.

Phase 3: Predictive Maintenance Implementation

Move beyond manufacturer-recommended intervals to condition-based maintenance:

Vibration analysis for rotating equipment (pumps, agitators)
Thermal imaging for electrical systems and heat transfer equipment
Particle counting for cleanroom equipment and filtration systems
Pressure decay testing for sterile barrier systems
Oil analysis for hydraulic and lubrication systems

The goal is to detect degradation 6-12 months before failure, allowing planned intervention during scheduled shutdowns.

Phase 4: Integrated Change Control

Equipment changes must flow through formal change control with:

Technical assessment by engineering and quality
Risk evaluation using FMEA or similar tools
Regulatory assessment for potential prior approval requirements
Implementation planning with interim controls if needed
Post-implementation review to verify effectiveness

The Apotex case shows what happens when you skip the interim controls. They identified the need for upgraded equipment (change) but failed to implement the necessary bridge measures to ensure product quality while waiting for that equipment to come online. They allowed the “future state” (new equipment) to become an excuse for neglecting the “current state” (deteriorating equipment).

This is a failure of Change Management Logic. In a robust quality system, the moment you identify that equipment requires replacement due to performance degradation, you have acknowledged a risk. If you cannot replace it immediately—due to capital cycles, lead times, or qualification timelines—you must implement interim controls to mitigate that risk.

For Apotex, those interim controls should have been:

Reduced run durations to minimize stress on failing seals.
Increased sampling plans (e.g., 100% leak testing verification or enhanced AQLs).
Shortened maintenance intervals (replacing gaskets every batch instead of every campaign).
Enhanced environmental monitoring focused specifically on the degrade zones.

Instead, they did nothing. They continued business as usual, likely comforting themselves with the purchase order for the new machine. The FDA’s response was unambiguous: A purchase order is not a CAPA. Until the new equipment is qualified and operational, your legacy equipment must remain in a state of control, or production must stop. There is no regulatory “grace period” for deteriorating assets.

Phase 5: The Cultural Shift—From “Repair” to “Reliability”

The final and most difficult phase of this framework is cultural. You cannot write a SOP for this; you have to lead it.

Most organizations operate on a “Break-Fix” mentality:

Equipment runs until it alarms or fails.
Maintenance fixes it.
Quality investigates (or papers over) the failure.
Production resumes.

The FDA’s “Lifecycle State of Control” demands a “Predict-Prevent” mentality:

Equipment is monitored for degradation signals (vibration, heat, particle counts).
Maintenance intervenes before failure limits are reached.
Quality reviews trends to confirm the intervention was effective.
Production continues uninterrupted.

To achieve this, you need to change how you incentivize your teams. Stop rewarding “heroic” fixes at 2 AM. Start rewarding the boring, invisible work of preventing the failure in the first place. As I’ve written before regarding Quality Management Maturity (QMM), mature quality systems are quiet systems. Chaos is not a sign of hard work; it’s a sign of lost control.

Conclusion: The Choice Before Us

The warning letter to Apotex Inc. and the rising tide of facility-related CRLs are not random compliance noise. They are signal flares. The regulatory expectations for equipment management have fundamentally shifted from static qualification (Is it validated?) to dynamic lifecycle management (Is it in a state of control right now?).

The FDA, EMA, and PIC/S have converged on a single truth: You cannot assure product quality if you cannot guarantee equipment performance.

We are at an inflection point. The industry’s aging infrastructure, combined with the increasing complexity of biologic processes and the unforgiving nature of residue control, has created a perfect storm. We can no longer treat equipment maintenance as a lower-tier support function. It is a core GMP activity, equal in criticality to batch record review or sterility testing.

As Quality Leaders, we have two choices:

The Apotex Path: Treat equipment upgrades as capital headaches to be deferred. Ignore the “minor” leaks and “insignificant” residues. Let the maintenance team bandage the wounds while we focus on “strategic” initiatives. This path leads to 483s, warning letters, CRLs, and the excruciating public failure of seeing your facility’s name in an FDA press release.
The Lifecycle Path: Embrace the complexity. Resource the predictive maintenance programs. Validate the residue removal. Treat every equipment change as a potential risk to patient safety. Build a system where equipment reliability is the foundation of your quality strategy, not an afterthought.

The second path is expensive. It is technically demanding. It requires fighting for budget dollars that don’t have immediate ROI. But it allows you to sleep at night, knowing that when—not if—the FDA investigator asks to see your equipment maintenance history, you won’t have to explain why you used a cable tie to fix a glove port.

You’ll simply show them the data that proves you’re in control.

Choose wisely.