10 Key Ingredients For Small Pharma GCP Quality Systems

Small to midsize pharmaceutical or biotech companies (small pharma) are enjoying the best of times.  Many have exciting products with fantastic preclinical and/or clinical results, great platforms for long-term company growth and licensing possibilities, outstanding medical and technical expertise, and support from intellectual/academic experts. However, from a quality systems perspective, it could be the worst of times. Many have weak quality systems, are not following global regulatory authority regulations and/or guidance, or lack the level of documentation required to reconstruct every aspect of clinical trials.

In the late 1980s, Big Pharma ruled in more ways than one. Today, small pharma is thriving. The outsourcing strategy Big Pharma latched onto in the mid-1990s has redefined the industry; explosive vendor growth resulted. Vendor services continued to grow throughout the 2000s, paving the way for small pharma to essentially outsource GCP regulated activities to an extent that was previously impossible; the services needed were simply unavailable until recent years.  

Regulatory requirements for GCP quality systems, including vendor oversight, are another industry trend partially driven by the explosion of outsourcing strategies. Global regulators require sponsors (regardless of size) to have strong, stable GCP quality systems, including processes for and documentation of vendor oversight. With few exceptions, our industry now refers to the quality system across GxPs. The FDA, EMA, and ISO agree that a quality system should cover organizational structure, responsibilities, procedures, processes, and resources, as well as appropriate resource, compliance, and records management. A solid quality system includes quality assurance processes, oversight, etc. to execute, support, and document organizational compliance with global regulatory requirements. Quality system components and oversight are clearly defined (e.g., qualification and training, document controlled standard operation procedures, quality assurance auditing program, vendor management, deviations and corrective and preventive actions [CAPAs], change control, archiving and records retention, etc.). Responsibilities for company processes and tasks, including QMS-related processes, are defined and assigned.

In 2018, vendors are merging and large CROs are scooping up multiple small vendors. The big vendor is emerging where Big Pharma once ruled. The tables are turning, yet small pharma is still required to demonstrate vendor oversight. But how can a small pharma company outsourcing the majority of its GCP activities due to a lack of in-house experience and manpower oversee the work of the vendors it relies on to provide the very expertise it lacks?

Factors that contribute to the challenges small pharma have with executing proper vendor oversight include a lack of solid QA presence, inexperienced QA staff, and staff lacking the right QA experience for their assigned responsibilities. Potential drivers for these factors include intense focus on production of products and services, gaps in senior management understanding of regulatory environment and requirements, and inappropriate prioritization of quality system components in long-term strategies.

So, what is a small pharma company to do? 

Ensure that quality systems basics are understood and embraced from top to bottom to establish a foundation on which to build appropriate vendor oversight. Even if you outsource 99 percent of GCP activities, you are the sponsor. This means that your company is required to have vendor oversight, regardless of your company size or the size of your vendor(s).

Include the following 10 key ingredients in your quality system using commonsense strategies:

1. Company Quality Policy, Plans, and/or Manual: Establish these within your company. They don’t need to be 50 pages long. Document the basics; communicate them to staff. Ensure that they dovetail with other standard documented processes.
2. Governance and Oversight:  Don’t just have it or say you have it in your SOPs. Document your governance and oversight activities. These can be agendas and meeting minutes, telephone contact documentation, notes to file and deviations, CAPAs, and/or organizational metrics.
3. Quality Assurance: Conduct and document internal QA activities. Have a yearly audit plan with the rationale for limited activities, if applicable. 
4. Vendor Management: Establish an approved vendor list regardless of how many vendors you have. Conduct and document vendor management activities. Include the rationale for limited activities, if applicable.
5. Staff Qualifications: Ensure that staff CVs demonstrate their qualifications for the role described in a job description. The role, CV, and tasks assigned to the role in SOPs should all match. Include current roles at your company in CVs.
6. Controlled Documented Processes: Know the basics. Sloppy SOPs imply a sloppy company. Once sloppiness is suspected, you have more to prove. Ensure you have the basic SOPs expected and that they have the right level of detail: who does what when and in what order. SOPs should, at the least, cover regulatory requirements, roles and responsibilities, good documentation practices, approvals, and required timelines.
7. Documented Risk-based Approaches and Processes: Don’t just document that you use risk-based approaches; document your risk-based approach. It doesn’t have to be complex, but it needs to be documented.
8. Documentation of Training: Establish a training matrix even if you have a small number of employees. Then document that they completed required training. Don’t say everyone trains on everything. Document your training strategy, regardless of how simple it may be.
9. Electronic Systems Validation: Document your validation strategy regardless of how simple, if you use a vendor, cloud, etc.  Document your validation assessment of all electronic systems.
10. Escalation Process: Document your escalation strategy regardless of company size. If you have three people who sit together and tell each other issues, you still need to document escalation, actions, and resolution of compliance issues that impact (or potentially impact) subject safety and data integrity.

Take your rose-colored glasses off and self-evaluate.  Ask the following questions:

• Have we failed to recognize the fine line between enough and not enough documentation?
• What is it that I don’t know and how do I find out?
• Do we have enough knowledge and experience to properly strategize and execute during rapid growth?
• Have we failed to realize that we don’t have enough knowledge and experience to properly strategize and execute during slow growth, leaving us now at a deficit we can’t see?
• Has the industry surpassed us on various levels while we had our heads down working so hard?
• Have we incorrectly assumed we don’t need to document certain aspects because we’re small?

Take the following immediate actions to increase your knowledge, skillset, and confidence:

• Use Google, ask people, read.
• Be a frequent regulatory agency website visitor.
• Spend time reading/rereading the regulations – go to the source.
• Learn how health authorities conduct inspections – this is on their websites.
• Increase awareness of hot topics and trends – join industry newsletter lists.
• Read Q&As on regulatory websites.
• Regardless of your years in the industry or with your company, ask yourself what you can learn today.
• Spend 2 hours a week on regulatory websites. Set a goal for yourself.
• Embrace the mantra “if it’s not documented, it didn’t happen.”
• Support the continued development of your QA staff.
• Review the experience and credentials of your QA staff to ensure that the right people are in the right roles. If there is a gap, develop a strategy to fill that gap. If you don’t know, engage consultants to help with this.
• Communicate the priority of continuous development with regard to regulatory requirements and give them the time.
• Support membership in industry organizations like the SQA (Society of Quality Assurance), DIA (Drug Information Association), etc.
• Send the QA staff to industry conferences so they can keep up to speed.
• Utilize consultants, as needed, not only for conducting audits but for internal gap analysis of the quality system.
• Recognize that just because you’ve not yet faced inspection or been handed a critical observation, it doesn’t mean it’s not going to happen. Don’t let the company become lackadaisical.

The current landscape presents both challenges and opportunities for small pharma. Challenges include regulatory authority expectations for oversight and the emergence of big vendors. The opportunity is to develop creative risk-based, common-sense approaches/models to establish, implement, and monitor quality systems that ensure patient safety, quality, and regulatory compliance.  Don’t fall prey to the misconception that your small pharma company doesn’t need a quality system because your vendor(s) has one.

About The Author:

Penelope Przekop, MSQA, RQAP-GCP, is a quality management systems, assurance, and compliance consultant with 25+ years of experience in pharmaceutical GxP global quality systems with a key focus on clinical development, data management, and pharmacovigilance. Her areas of expertise include quality systems, quality assurance, regulatory compliance, inspection readiness, training, and strategic planning.

Przekop earned a B.S. in biological sciences from Louisiana State University and an M.S. in quality assurance/systems engineering from Kennesaw State University. She has held leadership positions in both Big Pharma and CROs, including Johnson & Johnson, Wyeth Pharmaceuticals, Novartis, and Covance. You can connect with her on LinkedIn