Outsourcing - managing risks and opportunities over which you now have less control

Size: px

Start display at page:

Download "Outsourcing - managing risks and opportunities over which you now have less control"

Blaise Morrison
5 years ago
Views:

1 Outsourcing - managing risks and opportunities over which you now have less control Kevin O Donnell, PhD PDA Meeting, Dublin 22 nd November 2018

2 Slide 2 Typical Examples

3 The key GMP Requirements & Guidance re. Outsourcing Chapter 7 is not the place to start! Useful to look into the GMPs for the foundational elements that support outsourcing Chapter 1 - The Pharmaceutical Quality System (PQS) The PQS should ensure that... Arrangements are made for the selection and monitoring of suppliers and for verifying that each delivery is from the approved supply chain. Processes are in place to assure the management of outsourced activities. There must be a comprehensively designed and correctly implemented PQS incorporating GMP and QRM fully documented and effectiveness monitored. Slide 3

4 GMP Requirements & Guidance cont d ICH Q9 Promoted the application of risk-based thinking to Materials Management and Outsourcing, and it also introduced the concept of complexity QRM can be used to in the assessment and evaluation of suppliers and contract manufacturers to provide a comprehensive evaluation of suppliers and contract manufacturers (e.g., auditing, supplier quality agreements). (Ref. Part II.5 Materials Management) QRM can be used to define the frequency and scope of audits, both internal and external, taking into account factors such as: Complexity of the site; Complexity of the manufacturing process; Complexity of the product and its therapeutic significance (Ref. Part II.1 Auditing / Inspection) Slide 4

5 GMP Requirements & Guidance cont d ICH Q10 (Pharmaceutical Quality System) refers to outsourcing in three places: 1.7: Design and content of the PQS 2.7 Management of Outsourced Activities and Purchased Materials 4.1 Management Review of the PQS e.g. The PQS extends to the control and review of any outsourced activities and quality of purchased materials. (Ref. 2.7) e.g. The pharmaceutical company is responsible to ensure processes are in place to assure the control of outsourced activities These processes should incorporate QRM and include: a) Assessing the suitability and competence of the other party b) Defining the responsibilities and communication processes c) Monitoring and review of the performance of the contract acceptor (Ref. 2.7) Slide 5

6 Slide 6 Typical Examples Chapter 7 Outsourced Activities No longer just aimed at CMOs and Contract Labs - since 2013 Ch. 7 is broader in scope... any type of GMP-regulated outsourcing now clearly falls within the GMPs Ch 7 refers to certain concepts, but its guidance is high level and brief: The Management of Outsourced Activities: These should be appropriately defined, agreed and controlled, with a contract between the contract giver and acceptor clearly establishing the duties of each party and addressing technical arrangements. GMP Compliance: The contract giver is responsible for ensuring by means of the Contract that the principles and guidelines of GMP are followed. MA Compliance: The arrangements for outsourced activities should be in accordance with the Marketing Authorisation for the product concerned, where applicable. Contract Giver responsibilities: Various provisions, incl. knowledge transfer Contract Acceptor responsibilities: Various provisions, incl. not making unauthorised changes outside the terms of the contract Contracts: Various provisions, incl. communication processes and having suitably knowledgeable people to draw up the technical aspects of the contract

7 Slide 7 Reflecting on Chapter 7

8 Upon reflection There are opportunities in a future revision of Chapter 7 to reflect the challenges that the increased globalisation of the supply chain presents: No mention in the current revision of complexity in outsourced activities (or in anything else) No reference to recognising the criticality of some external service providers or their services / materials Little current emphasis on risk or the application of QRM to outsourced activities - only one very high level reference The processes for the control of outsourced activities should incorporate QRM principles. Slide 8

9 How does the HPRA generally inspect Outsourced Activities? 12/11/2014 Slide 9

10 Inspecting Outsourced Activities We review the general approach the company takes to managing its outsourcing arrangements How are potential risks associated with outsourced arrangements identified, assessed and mitigated? How much QRM has been built into the oversight model that is in place e.g. if risk ratings are assigned to external partners, how robust are those and how are they used? Is the extent of qualification checking, auditing or testing reflective of the risks presented by the outsourced operation? Slide 10

Inspecting Outsourced Activities cont d We review how the company qualified certain CMOs and external service providers to carry out the outsourced activities What did the qualification involve?

11 Inspecting Outsourced Activities cont d We review how the company qualified certain CMOs and external service providers to carry out the outsourced activities What did the qualification involve? How were QRM principles applied? What data were used to support the risk assessment? If an audit was performed, how thorough was it? What was reviewed? When was reduced QC sampling and testing initiated, if applicable? Slide 11

Inspecting Outsourced Activities cont d We review how the company monitors its outsourced activities after the initial qualification was performed Do supply and other problem issues trigger

12 Inspecting Outsourced Activities cont d We review how the company monitors its outsourced activities after the initial qualification was performed Do supply and other problem issues trigger changes in the monitoring arrangements or in the extent of oversight that is applied? e.g. Increased sampling and testing by QC? e.g. More frequent audits? e.g. Changes in risk ratings? Slide 12

Inspecting Outsourced Activities cont d We review whether outsourcing plays a role in assuring the Regulatory Compliance status of the site s products The QP may be relying on an external Reg Affairs

13 Inspecting Outsourced Activities cont d We review whether outsourcing plays a role in assuring the Regulatory Compliance status of the site s products The QP may be relying on an external Reg Affairs group to provide them with current versions of MA Modules 1 & 3 (or abbreviated versions of same) to support batch certification How robust are these arrangements? Note: Approx. 10% of reported Quality Defects to HPRA relate to MA noncompliance issues Is the reliance of the QP well founded? How? Via Technical Agreements? Audits of the MAH? Review of MAH performance metrics? Is this reliance recognised and managed formally as Outsourcing? Slide 13

Inspecting Outsourced Activities cont d We review whether the internal arrangements at a site reflect the degree of outsourcing that may be in place If a lot of outsourcing is taking place, is this

14 Inspecting Outsourced Activities cont d We review whether the internal arrangements at a site reflect the degree of outsourcing that may be in place If a lot of outsourcing is taking place, is this reflected in the site s QA staffing arrangements? Does the site s self-inspection programme reflect this also? Slide 14 If a lot of reduced sampling and testing is in place in QC, does the degree of oversight that is applied to CMOs and contract labs support this?

15 Recent Deficiency Issues Observed during GMP Inspections These can be grouped under 5 general themes Slide 15

16 Theme 1: Inadequate Application of QRM principles Risk assessments and tools to determine the level of oversight applied to CMOs, contract labs and other external service providers are sometimes not robust and are poorly applied Risk scoring tools heavily biased towards low risk scores Decisions re CMO qualification and monitoring not reflective of the assessed risk Risk indicating data sometimes not used to inform reviews of earlier risk assessments The extent of post-qualification monitoring is sometimes not risk-based Where the extent of monitoring is low for important outsourced services, such as calibrations, maintenance, sterile gowning provision, etc. We often see on inspection that the focus is on the initial assessment of service providers (audit, quality agreement), but the periodic review of those service providers is often not well maintained Slide 16

17 Theme 2: Lack of Oversight Applied to Vendor Work Manufacturers sometimes delegate their responsibility for overseeing the work of vendors to the actual vendors themselves, and this is not appropriate. Where validation data are supplied by a vendor, there is sometimes little if any meaningful review performed on those data While the manufacturer may not have competence in all areas, it still needs to apply adequate oversight to its vendors and other outsourcing partners. Paragraph 1.8 of Annex 15: Appropriate checks should be incorporated into qualification and validation work to ensure the integrity of all data obtained. Paragraph 7.8 of Chapter 7: The Contract Giver should be responsible for reviewing and assessing the records and the results related to the outsourced activities. Slide 17

18 Theme 3: Poor investigation of CMO/Vendor Issues Deviations: Insufficient root cause analysis, poor approaches to CAPAs, no CAPAs Non communication of deviations to the Contract Giver The definitions for Major & Minor deviations are sometimes different between the two companies As the technical agreements between the companies often only require Major deviations to be reported, the full picture for the QP in relation to deviations is often absent. Same for Change Controls Risks presented by deviations and change controls can go unmitigated and can lead to downstream quality problems. Sometimes only deviations and change controls directly relating to the product are reported (including in CMO PQRs), and others (e.g. relating to equipment, HVAC, etc.) are not, even though they can impact the qualified / validated state of the process Slide 18

Theme 4: Quality / Technical Agreements Over-reliance on Technical Agreements to assure things work correctly at external service providers Inadequate Technical Agreements key provisions unclear or

19 Theme 4: Quality / Technical Agreements Over-reliance on Technical Agreements to assure things work correctly at external service providers Inadequate Technical Agreements key provisions unclear or vague (e.g. how change control at the CMO will be managed and reported) No agreed arrangements in place with companies that are performing outsourced activities sometimes the activities are not recognised as outsourcing (e.g. suppliers of computerised systems, engineering companies doing HVAC requalification, etc.) Slide 19

20 Theme 5: Superficial / Ineffective Audits Audits can sometimes lack scope and rigour, or be too short in duration Key areas directly related to what has been outsourced not reviewed e.g. Growth Promotion Testing on media was outsourced to an external micro lab, but the last two audits at that lab did not review this area. The audit at an API site against Part II of the EU GMP Guide lasted one day, yet there were over 1000 staff in Production at the site Slide 20

21 See Handout for Examples of GMP Deficiencies Slide 21

22 Slide 22 Final Thoughts

23 Slide 23 Typical Examples Complexity & Criticality Does increased supply chain complexity actually lead to increased patient risk? What evidence is there for this? There is probably a general consensus that it does, but there seems to be a deficit of papers in the literature that formally link complexity ratings with patient risk. (The evidence is perhaps more anectodal.) Trying to link supply chain complexity with patient risk is difficult... but linking complexity with product quality and supply problems is easier and is still relevant. Useful to develop robust ways of assigning complexity ratings to outsourcing partners or outsourced operations, so that the level of oversight that is applied is commensurate with that level of complexity. What does complexity look like? How is it best characterised? It would also be useful to develop robust ways of assigning criticality ratings to outsourcing partners or outsourced operations So that the level of oversight that is applied is commensurate with that level of criticality

QRM Tools & Oversight Models Keep QRM approaches and tools simple in their design, but not too simple many tools have scoring systems that are biased towards low risk outcomes Localise your QRM tools

24 QRM Tools & Oversight Models Keep QRM approaches and tools simple in their design, but not too simple many tools have scoring systems that are biased towards low risk outcomes Localise your QRM tools in terms of how they are applied - e.g. ensure that your site s data and experience with a CMO or other external service provider are formally reviewed during the risk assessments Corporate Quality groups involved in CMO management may be too far removed from the real problems that sites experience with certain CMOs and other outsourced partners Slide 24

The GMPs do not require normal suppliers to be managed via outsourcing (unless the supplier has been contracted to manufacture or supply a material specifically for the company).

25 The GMPs do not require normal suppliers to be managed via outsourcing (unless the supplier has been contracted to manufacture or supply a material specifically for the company). But some external companies can present high risks if things go wrong e.g. API manufacturers e.g. API suppliers e.g. Sterile gown providers Is there a middle ground between treating such companies as normal supplier and as outsourced partners? What are your thoughts? Relationships with Material Manufacturers & Suppliers Slide 25

26 Slide 26 Thank you for your attention!