In February 2019, the FDA issued a warning letter to Vilvet Pharma for not having adequate quality procedures to be able to review and assess supplier quality. To quote, “Your firm lacked written procedures regarding critical quality control unit functions. For example: Your quality agreement with (b)(4) states that they will notify you of any process changes and provide you with batch records and final yields. However, you had insufficient related procedures.”
Further, the warning letter also pointed out that the company’s contract warehouse used to hold the drugs did not meet the cGMP requirement of training its employees for the purpose. In the Vendor/Supplier Questionnaire, it had also marked the question regarding training as ‘not applicable.’ The pharma company had a procedure that was found to be inadequate by the FDA – to prevent the approval of the questionnaire or using the warehouse.
This is not an isolated instance. Earlier, Red Mountain Inc. received a warning letter for not having an adequate Quality Unit to manage contract manufacturers to create adequate quality agreements for CMOs used. In another instance, Cosmelab received a warning letter for deficient supplier oversight.
FDA 21 CFR Part 820.50 Purchasing Controls specifies the need for each manufacturer to establish and maintain procedures ensuring that all purchased or otherwise received products and services meet the specified requirements. These requirements also include quality requirements to be maintained by the supplier, contractor and consultant. Often, businesses are either not aware or unable to comply with these requirements and find themselves either warned or penalized.
Evolving Supplier Management Regulations
The regulatory requirement for supplier management is constantly evolving. The FDA 21 CFR 820.50 for Medical Devices was written in the ’90s when supplier management was more straightforward. However, with manufacturing and supply chain processes becoming more complex critical aspects of a product are being outsourced to external global suppliers or product parts have become commodity purchases, it has become imperative that the quality of these products also meet regulatory requirements. This is especially so for the life sciences industries where compliance is paramount to the safety, efficacy and quality of products.
In the last decade or so, there has been an increase in the number of virtual life sciences companies who have outsourced key operating areas like drug discovery, engineering, clinical, testing, regulatory, manufacturing, and supply chain. Meanwhile, non-virtual companies have also reduced their overhead by not having production facilities or the resources needed to support it. For instance, for COVID-19 vaccine, over 30 CMOs are being used by vaccine developers to manufacture enough vaccines to meet global demand. Considering that the vaccine will be developed by small, mid-size and large companies, contract manufacturers must make sure they meet regulatory compliance requirements to mitigate risk to patient safety. Of course, regulatory compliance and quality metrics, ideally, must not delay time to market. The key is to ensure that a robust and automated QMS workflow is in place to ensure smooth and on-going compliance.
The organizational model is also evolving, making it important to have specific quality agreements for all the different types of suppliers regardless of the type of engagement, be it licensing, partnership or distributorship. There are over 15 different types of suppliers and many of the requirements are different for services and materials. For success in supplier management, , you must consider to have a quality agreement for each different type of supplier.
Though FDA CFR has not been revised, the FDA has introduced guidance documents to ensure that organizations bring in supplier controls when dealing with their contract manufacturers. In Nov 2016, the FDA issued a guidance document titled Contract Manufacturing Arrangements for Drugs: Quality Agreements Guidance for Industry. It specifies the responsibilities of the parties involved in contract manufacturing and documents cGMP (Current Good Manufacturing Practices) activities in quality agreements. It also refers to the terms applicable to biologics products and APIs.
Similarly, ISO 13485:2003 did not lay down any requirement for quality agreements or written agreements while the revised standard in ISO 13485:2016 established a clear requirement to have a quality agreement with special stress on how those requirements are met. Clause 4.1.5 requires supplier controls proportionate to the risk involved.
Medical Device Single Audit Program (MDSAP) also requires medical device organizations to ensure the adequacy of the specified purchase requirements – wherein a written agreement is necessary for suppliers to notify the manufacturer about any changes in the product.
EU MDR 2017/745 also requires a quality management system that enables selection and control of suppliers and sub-contractors and their manufacturing units. Chapters 11 through 14 mandate an agreement with economic operators, which includes manufacturers, importers, distributors and authorized representatives.
Challenges to implementing a watertight Supplier Quality Agreement (SQA)
SQA is one of the most important documents and it is an investment for companies to ensure that it is created properly to include various elements that are business-specific. Despite a clear mandate from the regulatory bodies, gaps continue to exist in the implementation. Some of the reasons include:
- Confusion between ‘supply agreement’ and ‘supplier quality agreement’: The Supplier Agreement includes general business terms, financial agreements, and should refer to the supplier quality agreement. A Supplier Quality Agreement (SQA) includes specifics that may change and can impact the quality of the product. For example, if there is a facility change, the vendor needs to make sure that the equipment and the cleanroom are validated prior to manufacturing products for the client. In addition, the supplier quality agreement defines responsibilities for the vendor and the client. Some important elements of an SQA include:
- Change controls
- Facility/equipment/process changes
- Periodic audits at defined intervals
- A key supplier refuses to sign the contract: The increasing number of recalls of medical devices due to the failure of critical components has increased the scrutiny of supplier purchase controls that organizations have put in place. That is why it is important for organizations and suppliers to collaborate and evaluate the quality systems and processes to ensure that regulatory requirements are met. If a supplier does not agree to sign an SQA, then the manufacturer should put in place additional controls.Drawings, specifications, different business agreements and purchasing agreements can also act as a document for quality control. The purchase document should include an agreement where possible that the supplier (or contractor/consultant) should meet the quality requirements. This ensures that the business gets enough time to assess the impact of any changes at the supplier end.If the organization is notified late or when placing the order, it will not get enough time to determine how the changes proposed by the supplier will affect the quality of the medical device, or any product, for that matter. Another option would be to change the supplier, if possible, for another supplier providing the the same part/material and is willing to sign the agreement. For commodity products, additional controls should be implemented to mitigate any risk.
- One size does not fit all: The initiation, modification, removal of section/s and approval of quality agreements require governing procedures. Each supplier should have an SQA crafted for the nature of engagement specific to them. But instead, often quality, business and technical requirements are included in one agreement that could run up to 30+ pages in a one-size-fits-all approach. A master quality agreement is used for all the different suppliers whether applicable or not and sometimes misses critical quality requirements for the key suppliers. By creating supplier-specific agreements, suppliers will have a clear understanding of the specifications they have to meet and focus on the elements they need to abide by.
- Review and/or Revisions are not scheduled: Often, after the signing of the initial agreement, SQAs are neglected like orphans and not governed by any SOPs. No requirements or frequencies are defined to review and revise the quality agreement. FDA-governed industries need to establish a document hierarchy where the governing document is the parent and the SQA the child. But with no governing SOP in place, there is no established procedure for review.When a new employee joins an organization, they struggle to understand the process for creating or revising an SQA, where to find the agreement, the frequency at which to send the agreement to high-risk suppliers, knowing who is responsible to review and revise and, most importantly, review the comments sent by the supplier. A cloud-based Supplier Management Solution, like the one from ComplianceQuest, is designed to help quality and SCM leaders manage the entire supplier quality workflow end-to-end. Periodic audits, reviews, CAPAs, and on-going supplier performance management efforts and actions can be scheduled automatically. More importantly, the supplier management solution serves as a single-source-of-truth of key supplier quality metrics. Using a data-driven approach, SCM leaders are able to ensure supplier quality goals are met through automated performance and program management efforts.
- Training requirements not met: Some life sciences companies do not have established requirements for suppliers to provide training on executed quality agreements. Organizations do not mandate that their suppliers send their training records regarding providing training on the quality agreement to the relevant stakeholders who are involved in the manufacturing of raw materials, parts, and/or products. An established process as well as documentary evidence are a must to meet applicable regulatory standards.
- Poor document management: It is not rare to find that life sciences organizations are unable to find the executed quality agreement or supporting documents, addendum etc., especially if it has a paper-based system. Often, in supplier organizations, there is a heavy turnover of individuals and there is no standard for handing over a process. Dynamic management of documents is essential to organize them in a way where retrieval becomes easy. Sometimes auditees also think that since FDA only has a guidance document, compliance is not a must. But that is not the case and recalls and warning letters become inevitable.
- Capability review & audit: The manufacturing organization should have established a program to review changes and supplier-specific requirements to ensure that the supplier notifies them when making changes. The periodicity of reviews should be specified. A supplier performance scorecard can help assess performance metrics, quality of the products supplied, timely delivery, resolution of issues etc.
The only way to ensure adherence to the SQA: A robust EQMS
In an organization, SQA may be initiated by any function. While the compliance and quality functions may be responsible for review and ensuring conformance, the SQA can be signed between any department and their suppliers. Therefore, it is essential that everybody knows the SOP and follows it for creating and maintaining SQAs.
The process of identifying, onboarding suppliers, assessing their risk level, creating specific quality agreements unique to each supplier, review and revision is complex, requiring time and effort. An EQMS like the one from ComplianceQuest makes managing SQA-related workflows or processes easier. Of course, it also makes it easy for the head of quality to have a finger on the pulse of all supplier-related regulatory compliance requirements.
Some of the key features of the Supplier Management module in the CQ EQMS that can help manage the SQA workflow effortlessly include:
- Supplier Ratings and Scorecards
- Onboarding and change management
- Corrective action requests
- Deviation request
- Document exchange
- Incoming inspections and CoA
- Production Part Approval Process
Being built on the Salesforce.com platform, the ComplianceQuest supplier solution automates the supplier management workflow and integrates with enterprise solutions such as ERP and CRM to provide end-to-end visibility. Being aligned to ISO and other key regulatory standards across geographies, helps revise documents based on any new regulatory changes. The ComplianceQuest Supplier Management solution also integrates with other EQMS workflows including CAPA, change management, risk management, document management and training.
If you would like to automate your supplier quality agreement program workflow, contact us here: https://www.compliancequest.com/contact-us
This blog has been created based on a Webinar by Bob Mehta, Principal Consultant at GMP ISO Expert Services.