Vendor Qualification – more than just an audit


There is an ongoing trend in the pharmaceutical industry to outsource activities to external vendors. When such outsourcing affects GMDP-activities, and is therefore related to EU Good Manufacturing Practice (GMP) or Good Distribution Practice (GDP), defined regulatory requirements must be respected in the process of outsourcing.
Editor: PharmiWeb Editor Last Updated: 01-Mar-2023

One of the main misunderstandings that I observe in my role as an auditor and GxP-consultant is that outsourcing of activities does not mean abdication of legal responsibility. On the contrary. The outsourcing party retains full legal responsibility for the outsourced activity and also takes responsibility for the selection, qualification, control, and management of its vendor. The vendor takes the responsibility toward the outsourcing party.

Another misconception is evident with the vendor qualification itself. The execution of an audit for the qualification (and subsequent re-qualification) of a vendor for outsourced GMDP-activities is a regulatory requirement. However, a vendor audit alone is not sufficient for a compliant or effective vendor qualification. It requires more effort.

The following discussion is based on the requirements for outsourced activities described in the current EU Guidelines on Good Manufacturing Practice (EU GMP-Guidelines [1]) and Good Distribution Practice of medicinal products for human use (EU GDP-Guidelines [2]). However, there are similar regulations containing comparable requirements within or outside of the EU and for adjoining regulated areas (e.g. Good Clinical Practice).

Taking a stepwise approach is key to a successful vendor qualification for outsourced GxP activities.

User requirement specification

Vendor qualification should start with careful consideration and a precise definition from the pharmaceutical company on the activities it plans to outsource.

All requirements for the outsourced activities and for capabilities and qualifications of a potential vendor should be specified and documented, with the necessary level of detail, and tailored to the respective outsourcing project as a user requirement specification. This also should include the underlying regulatory requirements, which must be assessed at this stage.

The criteria defined as user requirements will differ according to the type of vendor and the requested activities, but they must always focus on evidence of the vendor’s legality, suitability, and competence. All departments involved in, or affected by, the outsourcing project should contribute to the definition of the user requirements. General internal needs could also be included, such as a code of ethics, environmental and social responsibility policies, and acceptance of data protection requirements, among others.

Vendor pre-selection

To support pre-selection of vendor candidates, it is important to gather sufficient information about them. Such information can be gathered by different means, for example, from relevant public databases, the vendor’s website, from a voluntary disclosure by the vendor, and from a questionnaire reflecting the user requirement specifications that is completed by the vendor on request from the outsourcing company. Internal experience from previous collaborations with the vendor, even if in other areas, or trusted references from the company’s network might also provide important information.

The vendor’s legal authorization to carry out certain activities is also required in some areas, such as Manufacturing and Import Authorization (MIA) or Wholesale Distribution Authorization (WDA). Proof of these authorizations, as well as information on the most recent GMDP-compliance status (e.g. GMDP-certificates or GMDP non-compliance reports) can be retrieved from official websites of local competent authorities or from the EudraGMDP database [3].

The UK health authority, the MHRA, frequently publishes information about impaired supply chain integrity due to insufficient supplier qualification. The agency has observed, for example, an increasing number of falsified supplier identities and/or supplier licenses. To counter this, it strongly recommends that pharmaceutical companies do not rely on a single source to obtain information on a supplier, but rather use several sources and check the information for consistency [4,5]. The same advice may apply to vendor qualifications.

All information gathered during vendor selection and qualification should be documented and matched against the defined user requirement specifications. A shortlist of vendors can now be developed in cooperation with the appropriate stakeholders, for example from quality, supply chain, regulatory affairs, R&D, commercial, and management board, as applicable.

Risk classification early on

The EU GMP-Guidelines, as well as the EU GDP-Guidelines, require that the outsourcing party has incorporated processes in their Quality Management System to control and monitor outsourcing activities. These processes should include Quality Risk Management principles. There are several options when implementing risk management principles into the process of outsourcing and vendor qualification.

A risk classification can be done early in the vendor qualification process to roughly categorize the vendors and derive a high-level risk classification. Subsequent qualification activities can then be applied to the vendors according to this risk classification. This early risk classification process should be complemented later by an overall vendor risk assessment at the end of the qualification process as described further down. Alternatively, the entire risk qualification can be done later in the vendor qualification process.

Qualification Audit

For outsourcing GMDP-activities, the GMP- and GDP-guidelines require a qualification audit to obtain further evidence on the suitability and GMDP compliance of a potential vendor or to identify gaps that require further considerations or actions. Each audit should be tailored to the respective vendor, the outsourced activities and, if applicable, to any specific requirements of the outsourcing party. Furthermore, the audit should include an assessment of how the vendor manages and controls its own subcontractors, if relevant, for the outsourced activities.

The outcome of the audit is documented in an audit report. Observations should be covered by a CAPA plan (Corrective and Preventive Action plan) provided by the vendor and based on a root cause analysis. It is the responsibility of the outsourcing party to monitor the implementation of the agreed CAPA plan by the vendor and to define which actions must be completed before outsourced activities can begin.

Quality Technical Agreement

The delimitation of all tasks and responsibilities of the outsourcing party (as contract giver) and the vendor (as contract acceptor) should be described in detail, and in writing, in a Quality Technical Agreement (QTA). Technical aspects should be drawn up by competent persons who are suitably knowledgeable in related outsourced activities, the related regulatory requirements and the marketing authorization. A QTA may be part of a master service agreement or it may be accompanied by a commercial agreement. Should any discrepancies appear between the content of the QTA and accompanying agreements, the provisions of the QTA should prevail.

Establishing an efficient QTA is often seen as time-consuming and is therefore often given limited emphasis. However, the QTA is essential to avoid misunderstanding or disputes between the parties that may affect product integrity and efficient collaboration with the vendor. As a matter of course, the QTA must be kept up to date during the entire collaboration.

Vendor risk assessment

A vendor risk assessment in the final stages of the qualification process should include all available information compiled on a specific vendor, including information gathered during the audit or obtained during development of the QTA.

A commonly used risk assessment tool is the FMEA-analysis (failure mode and effect analysis). This method correlates the severity of potential failures with the probability of occurrence and the probability of detection and derives a quantifiable relative risk score. However, other risk assessment tools, as laid out in ICH Q9 [6], can also be used.

An advantage of a late risk assessment is that the time for the next re-qualification of the vendor and the related re-qualification audit can be defined based on the outcome of the initial qualification exercise and risk assessment.

Vendor approval

The final step in the vendor qualification process is the assessment by the respective responsible functions ahead of the written vendor approval (or refusal). Only approved vendors should be used to perform outsourced activities and no outsourced activity should start prior to documented vendor approval.

Performance monitoring

While the vendor qualification consumes substantial resources, these efforts need to continue with the monitoring of the vendor’s performance in routine business. The definition and regular evaluation of key performance indicators (KPI) and/or regular reporting on defined topics may be helpful, just as it is with regular trend analyses on issues such as deviations and complaints.

A key success factor for a fruitful and efficient collaboration with vendors is to build well-defined and trusted communication. Regular contact and exchange of information will help to flag any upcoming changes or issues early on and facilitate the handling or resolution of these.


A risk-based approach determines the frequency for the obligatory vendor re-qualification. This should include a re-qualification audit and the assessment of the vendor performance in routine business as well as areas for improvement, and results in a confirmation (or refusal) as an approved vendor. A re-qualification audit must also be performed after changes that impact the outsourced activities.

Outsourcing vendor qualification

Effective vendor management requires far more than just an audit. It requires a company’s focus, continuous effort and resources. Due to the demand on time and resources, pharmaceutical companies are increasingly outsourcing vendor qualification assessments, parts of them, or even shifting entire vendor management programs to external service providers. The sponsor company receives all agreed key information in a condensed way from its external service provider, such as audit reports and CAPAs, and is actively involved in signing QTAs and approving vendors. However, it can shift the burden of coordination and all background routine business to its external provider.

Easing the burden

The outsourcing of GMDP activities to external vendors is practiced by many pharmaceutical companies for many reasons. As the outsourcing party remains legally responsible for the outsourced activities, it is in their direct interest to minimize the risk for GMDP non-compliances of the vendor. A vendor qualification audit is just one of several aspects in the vendor risk assessment and qualification process that needs to be applied to successfully select, qualify and control a suitable and competent vendor. As effective vendor management requires a company’s focus, continuous effort and resources, outsourcing defined vendor management activities or entire vendor management programs to competent and experienced service providers makes good business sense.