Regulatory agencies hold firms responsible for delivering high quality products that meet all established requirements and specifications. Suppliers and vendors (most recently referred to as “outsourced materials and services”) play a key role in meeting GMP mandates, and it is a firm’s responsibility to make sure vendors/suppliers are meeting specifications for the supplied materials, components, equipment and/or services. For many years, this was considered to be an “internal GMP compliance” responsibility, managed by internal controls in most cases.

Even when the regulators demanded that users treat suppliers as an “extension” of their company, most companies did not have a “systematic” approach to evaluate, approve, monitor and control outsourced materials and services. For over 30 years, the industry has focused on internal GMP compliance but during recent years, the U.S. FDA has been working aggressively in the area of outsourcing management following specific events such as the Heparin case from 2008. Another factor is the globalization of our industry—more than 80% of our APIs come from outside the United States and most of our materials as well. There is a need for an effective plan, with clear and agreed-upon requirements for evaluation of suppliers/service providers including risk assessments which should include adequate resources to deal with outsourcing monitoring and controls. This area should also be addressed utilizing a continuous “lifecycle” concept—plan, do/implement, verify/monitor and act. Another reason to assign adequate resources to this system is the fact that, based on my own industry experience and discussions with colleagues and customers, the majority of the “quality problems” in a process/facility can be attributed to outsourcing issues—materials, components and services; either the quality standards are not the same, or supplier control and variation is causing issues in our own quality that we might not have projected. In 2013, the FDA published the draft guideline, Contract Manufacturing Arrangements for Drugs: Quality Agreements, focusing on the documented and agreed upon responsibilities of the “Owner” and the “Contracted Facility.” A key component is the level of quality oversight from the owner of the drug product before, during contract negotiation and after the signed agreement is in place. This new draft guideline by the FDA is the first step in providing more specific requirements.

Understanding that contract manufacturing/packaging/sterilization and testing services are critical and are clearly required to follow the drug GMPs, the question is—are these outsourced activities the only ones that require a formal Quality Agreement? There are other outsourcing activities that should have the same level of formality, communication and documentation requirements such as excipients, primary packaging components and aseptic manufacturing process material suppliers, e.g., the single-use container manufacturers. The other aspect is—the Quality Agreement is important but it is only one step in the lifecycle approach to outsourcing management. Many companies have implemented procedures for selection, approval and qualification of suppliers and vendors but, in many cases, these were not being implemented effectively or formally documented. Making these programs part of a risk-based quality systems approach that the FDA and other regulatory agencies have come to expect from industry is critical. ICH Q10 and other Quality Management guidance documents also discuss the controls required over outsourced activities in general but not providing clear expectations on what the system needs to include and/or address. ICH Q10 states in Section 2.7 on Management of Outsourced Activities and Purchased Materials: “The pharmaceutical quality system, including the management responsibilities described in this section, extends to the control and review of any outsourced activities and quality of purchased materials. The pharmaceutical company is ultimately responsible to ensure processes are in place to assure the control of outsourced activities and quality of purchased materials. These processes should incorporate quality risk management.”

The reasons to focus our efforts in the area of outsourcing management are varied.

• As mentioned before, the rapid globalization of outsourcing providers leads to supply chains becoming potentially very complicated and spread out due to cost pressures, use of brokers and intermediaries and the purchase of ingredients from emerging markets which are not truly experienced with GMPs or very recently exposed to it. In addition, the “economically motivated adulteration” of our raw materials by the suppliers (criminal acts) is more common, as discussed in 2010 by Edwin Rivera-Martinez (1).
• EU/U.S. regulatory oversight and continued demand for users (contract givers?) to step up their QMS controls—this implies that the user must demand a formal QMS approach by their suppliers/outsourcing.
• Business risks—company’s revenue, impact market share, increased production cost and possible recalls which could have a detrimental effect on the brand image and reputation. As mentioned earlier, the effects of the supplied material quality has been considered in our industry as a major source of our own internal quality issues.
• Cost of supplier quality is seen as having limited ROI, thus the need to measure and track cost of poor supplier quality and implications.

The question is then—what are the elements of an “outsourcing management” subsystem within the company’s Quality Management Systems? The elements will include the following (based on Deming’s principles of Plan-Do-Check-Act):

• Planning—define requirements to be agreed upon (Quality Agreement) with the selected supplier/outsourcing provider
  • Categorization of providers—based on risk to product quality
• Suppliers—type of material/service and factors such as certifications, inspections, experience
• Materials/Service—Impact to product quality
• Do—Select/evaluate/audit/approve outsourcing provider using risk assessments as a basis. Document requirements and agreements in a contract or Quality Agreement.
  • Risk-based decision to rely on supplier testing/data—testing in-house every batch or monitoring
• Test data comparison—criteria
• Method/equipment comparison
• Training
• Foreign providers as a risk factor— location, local regulatory oversight, traceability, increased risk of illicit activities, personnel turnover, etc.
• Verify—collect samples, monitor results, establish feedback loop. Establish frequency for re-assessments of each provider.
• Act—deviations, nonconformances, trending of collected data, etc.

During my meetings with personnel from numerous companies, I always ask “do your providers have to meet GMPs?” Surprisingly, most of them believe that most (if not all) of our providers have to meet our drug GMPs. In reality, only suppliers of APIs (through the global application of the ICH Q7 guideline for API GMPs) and those considered to be contract manufacturers/packagers/testing services must meet our drug GMPs. The majority of them (materials except API, packaging components, calibration services, and many others) do not have to meet GMPs but they usually have their own Quality Management System. The key will be to evaluate their systems and even help them improve these systems because, in the end, it will result in our own benefit.

Some best practices that I have seen in our industry include:

• Use of automated data collection and analysis—some companies are establishing network communications with their providers to be able to communicate data instantly and evaluate the impact as quick as possible
• Measure Cost of Poor Supplier Quality (CPSQ)
• Cost recovery included in contracts —provider will be made responsible for effect of their own quality on our processes/product quality
• Effective use of audits—not only as a checklist item
• Use of metrics and scorecards—establish and agree on metrics and frequency of analysis as a team
• Include monetary incentives for good quality
• Visits that go both ways. These allow the provider to understand your needs and for you to understand how to better support them to improve their systems.

A recent survey conducted by Porsche Consulting GmbH in 2013, “Operational Excellence in the Pharmaceutical Industry,” showed that 67% of respondents will enforce supplier management and integration into their operation. We need to remember that our goal is not to become the provider’s quality function but to treat each other as a valued partner working toward a common goal.

Reference

1. Rivera-Martinez, E. “Globalization and the Pharmaceutical Industry in 2010.” Presented at the 2010 PDA/FDA Joint Regulatory Conference, Washington, DC, September 2010.

About the Author

Miguel Montalvo, has over 30 years of valuable experience in the areas of cGMP compliance, quality systems and validation functions/responsibilities.

Hear more about this topic from Miguel at the PDA TRI course, ”Application of a Quality Systems Approach to Pharmaceutical CGMPs,” following the 2014 PDA/FDA Joint Regulatory Conference, Sept. 11–12. To learn more, visit www.pda.org/pdacourses2014.