Guest Column | September 2, 2021

What Risk-Based Oversight Of GxP Vendors Is & Is Not In Clinical Trials

By Kamila Novak, KAN Consulting


In 2016, the International Council for Harmonization (ICH) issued a revised E6 Good Clinical Practice (GCP (R2)) Guideline to encourage implementation of improved and more efficient approaches to clinical trial design, conduct, oversight, recording, and reporting while continuing to ensure participants’ protection and reliability of trial results. Article 5.2.2. states: “The sponsor should ensure oversight of any trial-related duties and functions carried out on its behalf, including trial-related duties and functions that are subcontracted to another party by the sponsor’s contracted CRO(s).” [1] This means expanding sponsors’ oversight responsibilities to CROs’ vendors and subcontractors. Also, since we talk about “any” trial-related duties and functions, the sponsor’s oversight includes contract manufacturing organizations (CMOs), courier companies, central laboratories, electronic data capture providers, etc., as well as their vendors and subcontractors. In most studies, the list of involved parties is complex and long since GxP vendors are all those vendors who carry out activities subject to any good practices that may apply.

Apart from pointing out oversight responsibilities, GCP (R2) Article 5.0 introduces the concept of Quality by Design (QbD) in clinical trials, stating: “The sponsor should implement a system to manage quality throughout all stages of the trial. … The quality management system should use a risk-based approach.” And Article 5.04 reads: “Predefined quality tolerance limits should be established …”.

Since GCP (R2) became part of clinical trial regulations in most geographies (EMA adoption in June 2017, Switzerland in May 2017, FDA in March 2018, Canada in May 2018), sponsors’ compliance is mandatory.

Before we dive deeper into our topic, let us touch on one misconception. Some companies still have a notion that delegating responsibility to a vendor is a way to transfer risks related to the delegated duties and functions. Nothing is further from the truth. Delegation of responsibility means sharing the existing risks and introducing new risks related to the vendor itself. In front of the authorities, you, as the sponsor, are ultimately responsible for the trial, including delegated responsibilities, selecting and qualifying vendors, and overseeing them. In the world of clinical trials, the only way to transfer a risk is to maintain adequate insurance, such as general liability insurance and study-specific patient insurance. Then, a big part of the risk is transferred to the insurance company. Mutual indemnification clauses in contracts and agreements between you and your vendors serve as a protection against some risks as well.

What Is Risk-based Vendor Oversight?

We can derive the four-fold answer to what constitutes risk-based vendor oversight from the quoted GCP (R2) requirements. You should:

  1. implement a quality management system based on a risk-based quality management plan specific for each trial, and
  2. establish quality tolerance limits (QTLs) for the trial, and
  3. include vendor management and oversight activities in the quality management plan, and
  4. use an appropriate risk-based approach for each vendor.

The ultimate objective of risk-based vendor oversight is to make sure each vendor performs delegated duties and functions in compliance with your quality standards without breaching the predefined quality tolerance limits.

You need to qualify your vendors and approve your vendors’ vendors and subcontractors. This requires vendors to be transparent and declare all third parties they collaborate with, including in-sourced personnel, how they select and qualify them, and how they oversee them.

It is not unusual for a vendor to hide these subcontractors by creating e-mail accounts for them in the vendor’s own domain, so the subcontractor seems to be the vendor’s employee. The reasons behind this behavior are concerns the vendor may lose the project to another bidder if they present their true capabilities, as well as saving time otherwise needed for proper management of their vendors. It is not easy to identify such cases. Typically, they are revealed only when issues arise.

Possible countermeasures you can consider include adding a clause in service agreements requiring the vendor to deliver contracted services using only its own employees and, if that is not feasible, stating that third parties must provide sufficient documentation for you to approve them through an informed decision. Another clause may state that breaching this obligation is a reason to terminate the contract or introduce penalties.

Vendor Management Life Cycle

In the GxP vendor management life cycle (Figure 1), the oversight, or supervision if you will, is typically the longest activity, the most underestimated one, and a source of repeated audit and inspection findings.

Figure 1. The GxP vendor management life cycle.

What Does Oversight Really Mean?

Oversight is not a synonym of (micro)management. Effective oversight means you know what your vendors do and how they perform, you evaluate trends in vendors’ performance, and you take proactive measures to ensure vendors’ deliverables meet the agreed quality standards.

This starts with diligent planning and necessitates effective communication throughout the trial. Each vendor must understand the quality requirements for its deliverables, mostly derived from regulatory-related obligations, associated quality tolerance limits if applicable, and the metrics and key performance indicators (KPIs) that you evaluate. The quality requirements, metrics, and KPIs should be clearly specified in service agreements or work orders.

How do you achieve the oversight objectives in practice? Your clinical project managers, who typically oversee vendors in their studies, can include a variety of activities in their toolkit and select the most fitting ones or the appropriate combination for each vendor, e.g.:

  • Implement a database with data related to vendors’ performance to evaluate trends and patterns.
  • Develop a fitting communication plan for each vendor.
  • In cooperation with quality assurance (QA), plan on-site and remote quality oversight visits.
  • Secure audits of vendors performing critical activities, either by engaging your own QA department or independent auditors.
  • Request validation documentation, e.g., the Validation Summary Report, from vendors providing computerized systems for the clinical trial and review it.
  • Review deliverables and provide feedback.
  • Periodically review audit trails for computer systems, such as eTMF, eCRF, etc.
  • Review vendors’ documentation of performed activities.
  • Agree with vendors to provide their assessments of personnel involved in trial-related activities. These assessments may be redacted for confidentiality reasons.
  • Implement clear issue escalation and issue management plans, maintain documentation of escalated issues, and derive lessons learned from issues and their management outcomes.
  • Periodically review issue logs.
  • Hold meetings with vendors and keep minutes and action and decision logs. Follow up on actions to verify if they are completed in due time and decisions are implemented.
  • Specify requirements for progress reports, their content, level of detail, and frequency. Review progress reports and document the review, e.g., by signing off.
  • Review and approve essential documents, e.g., study plans, protocol, investigator’s brochure, etc. and sign and date the final versions. Engage subject matter experts (SMEs) if needed, e.g., a statistician, a consultant for computer system validation, etc.
  • Perform periodic assessments, including risk assessments of the vendor, and document them.
  • Evaluate vendors’ performance against the agreed KPIs and metrics.
  • If the vendor uses subcontractors, request and review documentation related to the qualification, oversight, and requalification of the subcontractors.

The list above is based on the MHRA GCP Grey Guide [2] and the experience of the author.

Outcomes of many of these activities will be part of vendor requalification, so clinical project managers need to work closely with their QA colleagues.


In today’s complex clinical trials, holistic vendor management is a challenging mandatory activity. In Part 2 of this article series, I will discuss how to assess risks related to GxP vendors as well as preparation for and passing audits and inspections.


  1. ICH E6 GCP (R2), November 2016
  2. MHRA GCP Grey Guide, 2012

About The Author:

Kamila Novak, MSc, got her degree in molecular genetics. Since 1995, she has been involved in clinical research in various positions in pharma and CROs. Since 2010, she has been working as an independent consultant focusing on QA and QC, as a certified auditor for several ISO standards, risk management, medical writing, and training. She is a member of the Society of Quality Assurance (SQA), the World Medical Device Organisation (WMDO), the European Medical Writers’ Association (EMWA), the Drug Information Association (DIA), the Continuing Professional Development (CPD) UK, and other professional societies.