We in GCP have inherited our processes for qualifying vendors from GMP. 21 CFR Part 211, Current Good Manufacturing Practice for Finished Pharmaceuticals, describes how manufacturers should be organized, constructed, equipped, proceduralized, even clothed. If a sponsor can verify, via a rigorous audit, that a contract manufacturer adheres to these requirements, the sponsor has a baseline assurance of quality - in other words, they are reasonably certain that the supplier has the appropriate quality infrastructure to manufacture investigational product. 

Due to the differences between manufacturing and clinical trials, qualification audits of GCP vendors frequently provide very little assurance of quality. Today we will look at qualification of full-service Contract Research Organizations - vendors who typically perform project management, site monitoring, data management, and statistical analysis services for clinical trials.

Most large Contract Research Organizations have a sufficiently robust quality management system to pass an audit. Because ICH GCP E6 R2 is so general and most CROs have hundreds of procedures, it's rare to find a clear deviation from GCP during a CRO qualification audit. Yet most sponsors continue to commit auditors for a week or more scrutinizing a CRO's SOP development processes, training requirements, data center construction, electronic data capture system validation documentation, etc. to "check the box" that will demonstrate due diligence to FDA come inspection time. 

Is that effort any guarantee of quality? Generally, no. We have worked on studies where the CRO met the sponsor's expectations, but the opposite is all too common. Some of these studies represent spectacular failures of the study's quality management system - see this recent case, or this investigator warning letter  - that lead the sponsor to switch to a "rescue CRO." More often, it's just a steady pattern of miscommunication that leaves sponsor and vendor locked in a miserable relationship.

For this reason, we've been experimenting with a new risk-based approach to vendor qualification, one that focuses less on infrastructure qualification and more on potential pitfalls in the future relationship between the sponsor and vendor.  Think of it this way:  Traditional qualification is like reading a potential mate's Tinder bio.  Risk-based qualification is more like a first date.

Risk-based qualification focuses less on the quality infrastructure (i.e., SOPs, training, data center) and more on the processes that are likely to be deviate from the sponsor's expectations. Risk-based qualification can be less expensive that traditional qualification, because the auditor is not reviewing SOPs or conducting interviews for relatively low-risk topics. To "check the box," the CRO can fill out a questionnaire about their quality infrastructure while relationship risks are explored in a more traditional audit format. 

For example, oversight of subcontractors can be risky when working with CROs, who may not have the expertise to oversee a specialty vendor like a laboratory or IRT vendor. Vendor oversight SOPs typically include only high-level statements regarding subcontractor qualification and oversight. Technically, these SOPs "check the box" to meet GCP requirements, but a risk-based qualification audit looks deeper. If the sponsor plans to have the CRO subcontract with a specialty laboratory, the auditor may need to interview the Project Manager to ask what the team typically looks for when they review lab specifications, how they track samples, and how they interface with the lab's QA department in the event of a problem. If the answers are not satisfactory, then the sponsor can be prepared to mitigate the risk - request a more experienced PM, or work with the CRO to develop a detailed oversight plan, or contract with the lab directly. 

An audit, like a first date, can reveal a lot about the future relationship.  Do interviewees appear knowledgeable about their own SOPs? Do they seem open to working collaboratively with sponsors, or defensive about responding to questions? No CRO is perfect, of course, just like no sponsor is perfect, but this type of audit can give you important information about how to mitigate both sets of imperfections to strengthen the team.

Risk-based qualification is not appropriate for every vendor.  In the next post in this series, we'll describe situations where full qualification is important and how gaps in a traditional quality infrastructure can be addressed.