Outsourcing is a critical process in the pharmaceutical industry. Supplier (including vendors and external service providers) qualification is more than auditing since a whole series of quality assurance measures and activities are required as per requirements of applicable legislation related to manufacturing and distribution of medicinal products. Supplier qualification can be seen as a risk assessment tool. It should provide an appropriate level of confidence that suppliers are able to supply consistent quality of materials, components, and services in compliance with regulatory requirements. An integrated supplier qualification process should also identify and mitigate the associated risks of products, materials, and services.
Requirements are wide-ranging and complex. There are Directives and Regulations for medicinal drug products for human, veterinary use and investigational medicinal drug products, several standards and national and international guidance documents that provide direction and lay out the framework for successfully implementing, maintaining, and sustaining an effective and robust quality management system, regardless of company type or size or the products and services it provides, requiring the use of risk-based thinking to manage suppliers.
In the table below is the list of different Directives / Regulations and Standards that define supplier qualification expectations (list is not comprehensive):
EudraLex – Volume 4 – Good Manufacturing Practice (GMP) guidelines – Part I
Chapter 5 (Production) – 5.27, 5.29, 5.45
Chapter 7 (Outsourced activities)
ISO 9001:2015 Quality management systems – Requirements
Clauses 8.4.1 and 8.4.2
ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes
US FDA 21 CFR 820 Quality system regulation
820.50 Purchasing controls
GHTF/SG3/N17:2008 – Quality Management System – Medical Devices – Guidance on the Control of Products and Services Obtained from Suppliers
Clauses 3.1 and 3.1.4
ICH guideline Q9 on quality risk management, EMA/CHMP/ICH/24235/2006
II.5 Quality risk management as part of materials management
Directive 2001/83/EC on the Community code relating to medicinal products for human use
Article 8, 46, 46 b
Supplier qualification and approval steps
Pre-selection step (supplier screening)
Before starting the process of selecting a supplier the outsourcing requirements should be determined. A business case should be prepared describing current situation, the need and rationale, scope of activities/services and expected benefit. Once the business case is approved supplier screening, identification and selection process is initiated. A high-level selection of potential suppliers, services and assessment of their capabilities should be performed, and objective evidence documented. Based on the outcome of this initial step list of potential candidates is established for continuation of the supplier qualification and approval process. Assessment of business, technical, operational capabilities, and quality systems of potential suppliers should at least include business reference check, required licenses, authorizations to perform services, business continuity plan (patient risk due to interrupted supply/services), business KPI‘s (financial stability, liquidity) and general quality assessment – type of quality management system (QMS) utilized, willingness to have quality agreement in place, …
Evaluation and qualification steps
When a supplier has been identified, in-depth evaluation is performed to qualify the candidate before final qualification step that consists of due diligence audit (on-site or questionnaire) and establishment of contracts (supply, distribution, quality assurance) can be executed. Initial risk assessment (QRA) to identify potential risks of using a supplier and define necessary action for the mitigation of identified risks should be conducted with the evaluation step as well. Evaluation is performed against a defined set of selection criteria, based on the material, product, or services to be provided by supplier and the intended use. The results of all evaluation and any corrective actions must be documented and archived such that all actions executed in conjunction with the evaluation are coherent and traceable.
Once a top candidate is identified, a thorough audit should be planned and executed either on or off-site, depending on the nature of the product or service provided. Both critical and noncritical supplier roles deserve thorough auditing, but critical roles should be subjected to an on-site audit with predetermined items requiring verification. Acceptance or rejection of a supplier candidate should ultimately be determined after reviewing the results of the audit.
Routine monitoring and control
Approved suppliers must be adequately monitored and controlled to ensure that they continue to meet required standards and regulatory requirements as defined in the contracts. The main purpose of the routine monitoring is to verify the trust placed in suppliers, aim for a constant quality of the service or product, and ensure a good and steady relationship. Routine evaluation of suppliers to determine the overall quality and business risks is normally conducted by cross-functional teams and through defined KPI’s used for monitoring and periodic evaluation of the state of control of a contractor.
In some cases, it might be determined that the supplier no longer fully meets the requirements or identified risks are inherent (e.g., due to the nature of supplier, single provider, ….). Such suppliers are considered as high-risk suppliers and risk assessment must be performed to assess the risks, determine actions required to mitigate risks, additional controls. In case risks cannot be mitigated, possibility to exit the business with supplier should be evaluated along with identification of alternative suppliers and aligned with both business and quality.