Guest Column | February 7, 2019

Top 5 Strategies To Execute And Document GCP/GVP Vendor Oversight

By Penelope Przekop, MSQA, RQAP-GCP

Over the last 10 years, the face of clinical research & development (R&D) and pharmacovigilance (PV) outsourcing has dramatically changed. What was a common industry scenario by 2010 — a full-scale operational pharma company utilizing both international and U.S.-based contract research organizations (CROs) to execute clinical investigator site monitoring and data management — has evolved into a new common scenario in 2019. More than ever, we see what I call a stick-figure pharma company (just the bones) utilizing vendors to execute as many of the required drug development processes as they possibly can. In fact, it’s not surprising to see a company using multiple vendors for the same process, such as regulatory reporting of expedited adverse event cases, investigator site monitoring, multiple types of auditing, and manufacturing. In my consulting work, I meet and interview numerous pharma employees at all levels who struggle when asked to explain how their stick-figure company connects with all the good clinical practice (GCP) and good pharmacovigilance (GVP) practice vendors in play.

And I’m not alone.

Global regulators are scratching their heads over these stick-figure pharma company employees scratching their heads as they struggle to communicate what the heck is going on. Sure, this sounds a bit extreme, but really, shouldn’t there be a level of concern? After all, the most important remit for regulators, and for our industry, is to ensure patient safety. By the year 2000, with ICH stars in our eyes, we had a solid model. We all knew what we were supposed to do, and we did it. We pushed and filed papers and had our clinical auditing programs rolling. Then we blinked and we had electronic data entry and trial master files, learning management systems, DocuSign, remote offices, texting, iPads, and more vendors than we could potentially manage.

While it’s true that our industry is slow-moving, one thing remains paramount: the obligation of every company involved to ensure patient safety. That was always our joint mission, one that evolved from our joint vision to make patients safer, healthier, and happier. That’s why I love our industry. So how do we get back in control and on the same page? We maintain appropriate oversight of our vendors, whether we have one or 100. That’s a huge part of the job in 2019.

Due to all this head scratching, global regulators are now looking for evidence (documentation) of vendor oversight. Remember, if it’s not documented, it didn’t happen. I’m here to give you some insight on how this might be accomplished. There are no guarantees in life or in the pharma industry; however, the following five strategies are your best bet, in my opinion. If you can establish all five within your organization, I’m 90 percent sure you will be in good shape.

1. Establish a standard operating procedure (SOP) that describes your vendor oversight activities.

No, this is not the SOP you have on vendor selection and/or vendor qualification and auditing, and it is not the 20 different legal contracts, Statements of Work, etc. that you have executed. This is also not the Study Specific Operational Guideline.

This is a new company SOP that outlines how your company and those responsible know (not an all-inclusive list):

  • if your vendors are doing everything they are contracted to do in a compliant manner;
  • the current status and results of your vendor’s activities on your behalf;
  • who the vendor employees are and if they are qualified for their roles and responsibilities;
  • if something goes wrong and what process you will follow once notified; and
  • who (the role) in your company is responsible for vendor oversight and how they inform senior management of the ongoing status.

2. Invest whatever it takes to ensure that the documented process your organization has established for vendor oversight is not just a bunch of great-sounding words.

I’ve seen many oversight SOPs that include statements such as “we are dedicated to vendor oversight,” “we perform routine vendor oversight,” “we have oversight of our global vendors,” “we meet with our vendors regularly,” and so on. When asked how all this oversight happens, answers are few. When asked for documentation of this lovely oversight, nothing can be provided. The great strategy of having a documented process does not work unless concrete documented actions are included, and senior management is committed to providing the resources necessary to execute the process and document the activities.

3. Determine common-sense ways to document what you say you are going to do in terms of vendor oversight. Here’s an example: To ensure that your vendors are doing what they are contracted to do in a compliant manner and to be informed of the current status of their activities and deliverables, require (and obtain) a monthly or quarterly status report with applicable compliance metrics, even if it’s half a page documenting that the vendor submitted two expedited cases within the regulatory timelines or that it completed four monitoring visits according to the monitoring plan. If you rely on a big vendor that handles multiple processes on your behalf, request a combined monthly or quarterly status report. As I type this, I’m reminded of how many times I’ve seen SOPs stating that such a report will be provided, yet when asked to provide them during an audit or mock inspection … there are no reports. Instead, I’m told things like:

“Well, we moved away from that since we meet weekly. We’re so connected anyway we talk every day.”

My response, “OK, do you keep minutes for those meetings? Can those be provided?”

Silence, then, “No, our meetings are usually less than 30 minutes and sometimes we cancel because there are no issues. Writing minutes would take us away from our other important work.”

Meanwhile, I discover that 60 percent of their vendor’s monitoring visits occurred far beyond the time frame specified in the monitoring plan and most of their audit reports were late. I conclude that there is no documentation of vendor oversight and the vendor is out of compliance.

If you require status reports, take it seriously and use them to manage your vendors.

4. Review your existing SOPs and other study/client/project/product-specific documents describing vendor processes to ensure that they include clear requirements for documentation.

For example, if the client specific guideline created by your vendor notes that this will happen and that will happen, ask them to include how and where this and that are documented. Let them know that documentation of compliance not only with regulatory requirements, but also with any SOPs, client specific guidelines, etc., should be available to you, as the sponsor or market authorization holder, to demonstrate that all the elements discussed in No. 1 above are addressed. And of course, this documentation should be used to make ongoing decisions about your vendor’s activities and to ensure it is providing great service that includes ensuring patient safety and data integrity.

5. If you have established, ongoing meetings of any kind to either a) discuss and evaluate vendor activities or b) meet with vendors directly, create a group or meeting charter and maintain some type of agenda and minutes.

This can be short and sweet; however, don’t fall into the trap of documenting that the agenda is to review x, y, and z and then document in the meetings that x, y, and z were reviewed. Your agenda and minutes should at least include enough detail to provide assurance that a discussion occurred, that key points emerged, and that some sort of decision or action was taken. With this said, it’s important to be careful when creating groups and recurring meetings. Create a common-sense meeting strategy to ensure that you are not meeting just to meet and consequently sucking up everyone’s time with these meetings. Meetings should be held for a reason, a good reason, and should not be duplicative, nap time, or a social gathering. Take your meetings seriously. Use them to move forward. That’s the point.

In case you’re getting worried about all the lack of vendor oversight out there, you should know that I also visit companies that are able to demonstrate great vendor oversight. They can clearly relay and provide documentation on who their vendors are, the responsibilities of each vendor, and how they maintain communication with each vendor. I’ll call them Mikey. Be like Mikey. A Mikey company is inspection-ready in this regard. They are relaxed because they know exactly what they are going to say and provide, if necessary, to demonstrate their vendor oversight activities. They sleep well at night and wake up refreshed. If that sounds wonderful and you’re not quite there yet, not to worry. The first step is improving your knowledge, which is what you are doing right now. The next step is creating a strategy supported by senior management that will improve your vendor oversight and associated documentation. Then you’re on your way. Be sure to document that strategy in an official manner. If a regulator shows up tomorrow, you will have documentation to support that you have self-identified this issue and that a plan in place.

About The Author:

Penelope Przekop, MSQA, RQAP-GCP, partners with pharma and biotech companies of all sizes to develop risk-based strategic solutions for establishing (or enhancing) clinical and pharmacovigilance quality systems that support growth and ensure long-term compliance. She is a global GXP quality systems/assurance and regulatory compliance consultant with 25-plus years of industry experience. Her areas of expertise include strategy development, quality systems and assurance, inspection readiness, and organizational training. She frequently conducts regulatory mock inspections and develops outcomes-based inspection readiness strategies.

Przekop earned a B.S. in biological sciences from Louisiana State University and an M.S. in quality assurance/systems engineering from Kennesaw State University. She has held leadership positions in both Big Pharma and CROs, including Novartis, Covance, Wyeth, and Johnson & Johnson. She is the author of Six Sigma for Business Excellence (McGraw-Hill).