The Future of GCP QA Part 14:  Every Day a Tiny Audit

The Future of GCP QA Part 14: Every Day a Tiny Audit

Denise Lacey
5 minute read

Listen to article
Audio generated by DropInBlog's Blog Voice AI™ may have slight pronunciation nuances. Learn more

We've started to look at elements of the Pharmaceutical Quality System, developed for drug manufacturing, to see how well they support the GCP environment.  In our last post, we considered SOPs.  Today, we look at vendor qualification. 

As we learned in our Mars/Venus post, manufacturing qualification activities - questionnaires and audits - look  closely at the facility's SOPs, subcontractor qualification and oversight processes, and system validation documentation.  A risk assessment determines whether a vendor is qualified via questionnaire or audit as well as the frequency of requalification. Vendors with direct impact on participant safety and product quality are audited and requalified more frequently.

We take a similar approach to clinical trial vendors.  It's not wrong, necessarily - we can learn a lot from looking at a vendor's SOPs, subcontracting processes, and systems, and we certainly should take risk into account when determining how to qualify and how frequently to requalify a vendor. But GCP is different. Rather than a supply chain, we utilize a supply and services web, frequently working alongside our service providers. If we adopt GMP processes and criteria for qualifying our vendors, we fail to account for some of the risk while spending lots of time and money on activities that address relatively low risk. 

First, let's talk about the initial risk assessment. Using the GMP approach for assessing risk, any CRO would be considered high risk because of their potential impact on participant safety and data integrity. We would argue that vendor qualification activities should be based on the risk that the vendor is not qualifiable, in addition to the risk to participant safety and data integrity. For large, well-established CROs, a qualification audit to determine whether they are qualified to conduct a clinical trial is a check-the-box exercise. The chance that an auditor will find something that actually disqualifies them from study participation is miniscule. Do we need a check-the-box exercise to qualify a CRO when we're going to be working with alongside them day in and day out? We could qualify these vendors via questionnaire, even though their WORK is high risk, and reserve audits for vendors who are at risk of not being qualified, based on these factors: 

  • Experience:  Does the vendor lack experience in the types of activities that they are being asked to perform?  Will they be subcontracting tasks to any vendors that lack sufficient experience?  For example, if we are working with a well-established IRT vendor, but we have asked them to integrate with another system in order to perform some type of dosing calculations that they typically don't do, this would raise the risk. 
  • Organizational churn:  Has the vendor been acquired within the past two years, or have they acquired the business unit that is involved in the study in the past two years?  Churn can impact the organization's ability to deliver services as SOPs change, units are restructured, and computer systems are consolidated. 
  • Known issues:  Has the vendor received an FDA Warning Letter or inspection findings, been subject to a cyber attack or legal action, or experienced any quality issues that could potentially impact participant protection or data integrity?

This is not to say that qualification audits have no value.  On the contrary, we believe the qualification audits we conduct are EXTREMELY valuable - but that's because we've moved our focus from assessing compliance to assessing risk. Of course non-compliance increases risk, but we don't stop there - we assess other practices that are technically compliant but still increase risk.  Our typical qualification audit report of a large, well-established CRO generates zero to a few findings but includes a long list of detailed operational risks for the sponsor to take into consideration as they oversee the vendor.  For example, we might point out that the CRO permits hiring site monitors with no experience, or the CRO's processes do not require them to notify the sponsor of a potential serious breach until it's been assessed internally.  These types of issues are not deviations from regulations or GCP, but they raise the risks for the sponsor that can be mitigated if the sponsor is aware of them.  

With that in mind, let's consider requalification. In GMP, vendors are qualified initially and then requalified at a standard frequency based on risk. In between those audits, there are few touchpoints with the vendor--primarily the sponsor reviews batch records and is informed of deviations and quality issues and their resolution.  In GCP, by contrast, the sponsor is working alongside the vendor nearly every day. If we're concerned at any point about whether the vendor is still qualified to do their job, we can open the TMF or EDC system or pick up the phone and ask questions to see how they are actually doing that job. Every day is like a tiny little audit! It's still important to take a periodic look at changes to their quality management system, but in a GCP environment, formal requalification is just a small part of the information we can use to assess our vendors. 

In our experience, most sponsors communicate well with their CROs via meetings and status updates, but they under-utilize techniques like sampling, verification, validation, and structured interviewing to perform oversight--techniques that auditors use in their everyday work.  We'll be coming back to that later!

« Back to Blog