A lean approach to compliance
By John Avellanet
Today's global supply chain encircles the earth as a serpent grasping its tail, a modern-day Midgard Serpent. Suppliers, contract manufacturers and research organizations provide the raw materials, semi-finished products and scientific information upon which we make decisions and doctors prescribe medicine. Adding to the challenges of global contract supplier oversight, the world economy has slipped. Behind the supply chain headlines of drug adulteration, supplier contamination or clinical data disingenuity, we see more uncertainty; big corporations and small startups increasingly struggle with smaller budgets, shareholders wonder what tomorrow's news will bring, patients cling to their doctors' ability to sort fact from fiction, and regulators wonder why the biopharmaceutical industry cannot put its hands around a contract supplier selection and qualification process that works. After all, argue regulatory and public health officials (echoed by biopharmaceutical industry critics), contract supplier selection is straightforward -- elementary, even -- compared to inventing new drugs and biologics.
Photo courtesy SAFC - Sigma Aldrich Fine Chemicals
On paper, the critics are right. The rules make sense and they are undemanding. Why then, when these seemingly simple rules meet the real world of budget meetings, on-the-fly project decisions, looming deadlines and ego-driven corporate politics, does contract supplier selection break down? It happens, in large part, because of its very plainness. Supplier selection is not sexy. We don't put the forethought into it that we do with other, more complex, more exciting biopharmaceutical projects like drug discovery. And unlike the processes and principles of scientific discovery that have been maturing since the days of Archimedes's bathtub shouts of, "Eureka," contract supplier selection and qualification has remained in its infancy.
What we need is a systematic process that delivers a consistent, reliable result. Regulators argue that risk-based decisions are the answer, but regulatory risks do not factor in cost. Compliance does not pay the bills. Given the economic constraints of today's marketplace, any contract supplier selection and qualification process must be cost-effective.
Over the past few years, with the help of clients and colleagues in pharmaceutical, biotechnology and medical device companies in the U.S., India and Europe, I have developed and refined a systematic, risk-based, cost-effective supplier selection and qualification process that is, by its very nature, both lean and adaptable. In this article, I discuss the components of this lean supplier approach as part of an overall compliance and quality philosophy that I term Lean Compliance. Using this article as a guide, you can construct your own lean contract organization selection and qualification process.
Managing Compliance Through Cost and Risk
Though you may not recognize it yet, you already have the bare bones of a lean approach in place: your budget is not limitless and your decisions are not random. Today you already manage your level of compliance and degree of product quality, safety and efficacy through price and risk. What is the price you can afford and the risk you can live with? The key is turning from a reactive mindset into a practical and proactive approach. This allows development of a systematic set of checks and balances that provide informed decision-making and risk-based controls backed by reasoned logic, facts and figures.
A lean, systematic approach to compliance relies upon a set of risk-based criteria centered on three categories:
- Impact to business operations and strategy;
- Impact to product and patient;
- Impact to regulatory and quality compliance.
Analyzing the impacts and assessing the risks in each area allows you to move beyond product quality, safety and efficacy; past regulatory and quality system compliance; and farther than any individual budget.
A lean approach requires that gaps be minimized, if not eliminated. I recommend my clients take a holistic, cross-functional view of supplier selection and qualification. Imagine a situation -- one reminiscent of a company I worked with several years ago -- wherein you have an outsourcing decision process that completely leaves out the information technology (IT or ICT) department. The process seems to work smoothly both in selecting a particular contract research organization (CRO) for your new project and in qualifying that CRO. However, in less than three months, costs inexplicitly skyrocket out of control, forcing you to make steep cutbacks. Eventually, the project is called off.
For this client, the post-mortem analysis revealed a clear point at which the non-holistic process fell short: the point when IT had to be involved after the fact. The project required data to be constantly transferred, reviewed and approved between my client and their new CRO. Because the project was under the Good Laboratory Practices (GLP) rules, the regulatory affairs and quality management executives determined that data transfers would need to be 21 CFR Part 11 compliant. The project manager, the quality assurance director and the regulatory affairs executive, not having taken the time to explore (much less recognize) the implications of the Part 11 misunderstandings under which their IT department was operating (misunderstandings which are still, sadly, widespread in the industry today), demanded validation of the data transfer and review processes. This, of course, included validating numerous computer systems and software. As validation costs escalated and actual project progress slowed, the project's budget imploded and finger pointing began.
In reviewing the project, I helped the executives of this firm revise their outsourcing selection and qualification process to be more cross-functional, even when an outsourcing need appeared so basic that asking input from other departments seemed like a waste of time. At first the executives balked, but they soon came to see the benefit from each of us viewing the world with the unique lenses we each wear. The world is so complex these days, no one of us can possibly see all the connections. The regulatory affairs person sees the Part 11 (or EU Annex 11) requirements for data transfers, but not the technical implications or the costs involved. The IT person sees the technical aspects of data transfer, but not the Part 11 requirements or project implications. And the finance person sees the cost impacts, but not the technical or regulatory priorities. By making the overall selection and qualification process cross-functional -- at least at the outset -- the melding of these various colored lenses will reveal a clear line of sight into the bottom-line impact.
The Five Steps of a Lean Outsourcing Selection and Qualification Process
The lean approach to selecting and qualifying contract suppliers has five overall steps:
- Assess the business and strategic impact
- Assess impact to product, patient and compliance
- Conduct risk and cost analyses
- Implement and verify controls
- Review and revise
Step One: Assess the Business and Strategic Impact
The initial business and strategy assessment covers the business drivers and constraints for the proposed outsourcing. Constraints can include budgets, available Resources , concurrent projects, other business partnerships, internal capabilities, and so forth. It is also important to recognize that in order for you to achieve the greatest degree of cost-effectiveness, this lean approach must be applied across the board to any potential supplier, whether it's an individual consultant, outside legal counsel, an office supply vendor, a contract sterilizer or a distributor. Does that mean that a $50,000 consultant is subject to all the same detailed inspections and monitoring that your $5 million contract sterilizer undergoes? Of course not. What it does mean is that you use this process to assess the impact to your business, your product, your patient and your compliance; to document that you will not put the independent consultant or lawyer through the same hoops as your contract sterilizer; to document the logic behind this decision; and to document the holistic set of information that went into that decision. Armed with these outputs, you may actually come to enjoy attempts by auditors to play Monday morning quarterback by second-guessing your decisions.
Step Two: Assess Impact to Product, Patient and Compliance
Step two is fairly straightforward with one caveat: I ask my clients to assess the direct impact of each potential outsourced contract supplier on:
- Product safety, efficacy and quality
- Patient and/or user safety
- Record integrity (whether paper or digital)
- Quality systems and regulatory filing
There are two aspects to keep in mind. First, retain the focus on direct impact. This is not some sort of six-degrees-of-separation game. We can all sit in a room and spin scenarios of cascading catastrophes begun by a butterfly's flutter in Japan. To avoid this, consider only what might reasonably happen, not on playing 20 "what if" questions for each piece in your supply chain. The reality is that no system, no assessment and no analysis can be perfect, particularly in foresight. Using the four impact categories and taking a holistic, cross-functional approach at the outset will help you achieve the best results for your efforts, allowing you to make the best decisions you can -- and have the documentation to prove it.
Step Three: Conduct Risk and Cost Analyses
At this point, you should have some idea of those contract outsourcers who will have a high impact (such as a contract sterilizer) to your product, your patients, and so on, versus those potential suppliers that will have no impact (the company that waters your office plants or cleans the windows). The third step of this lean process is to conduct and document specific risk and cost analyses for each of your potential outsourced vendors. Ideally, you want to tackle this for all of your suppliers, but practicality demands that you start in the "high impact, high risk" category and work your way down the list. Theoretically, you will eventually qualify the window cleaning vendor, but now you've got a documented set of priorities and logic behind not conducting the qualification of the window cleaning vendor immediately. As extreme as the window cleaning example sounds, I have seen audit reports where the auditor found a failure to comply with policies and regulations evidenced by inconsistent qualification of some vendors ahead of formal selection and contractual agreements, and then other vendors after the selection was completed and the contract was signed. This lean process will eliminate any risk of that while saving money at the same time.
Step Four: Implement and Verify Controls
As part of your risk and cost analyses, you will also document and prioritize (again, by impact, risk and business cost) potential controls to implement that will allow you to manage the impact, risks and costs associated with each vendor. Step four is to implement and verify that these controls work as intended; in other words, qualifying your vendor. This will vary by the type of vendor and controls put in place such as on-site audits, status reports, so-called "paper audits" (also known as vendor surveys), and so on. Let the risks, impacts and costs (as discussed above) be your guide.
Step Five: Review and Revise
Step five is a rapid look back to ensure you have not missed anything. Remember that outsourced supplier selection and qualification is not foolproof. Conceive of this rapid review as a last glance at the effectiveness of your controls before you turn the vendor over to be managed and overseen by someone else. Depending on the vendor and the risks and controls involved, consider conducting a mock audit, directly supervising a pilot manufacturing run, monitoring a complex parts order, and so forth. The key is to identify any obvious cracks now that the contract organization is out of negotiation and stepping into real-world production. This will get your long-term monitoring and effectiveness program kick-started at the least cost, with supporting records to prove proper due diligence.
From a business and compliance perspective, there are three immediate benefits to this approach: more upfront control of costs and risks, better quality, and a set of suppliers strongly aligned with your business objectives. These benefits are especially important as the global economy struggles and the old "big pharma" model evolves under public officials scrutinizing healthcare costs.
Perhaps the most important benefit is the intangible, but invaluable, reduction of personal stress and anxiety levels when dealing with the supply chain. As one company president put it, "I realize now it wasn't a question of whether we were going to implement this, it was a question of when."
Are you ready?
1. See "Lean Compliance for Midsized Companies" in the Journal of GXP Compliance, January 2008 (12:2), pages 30-34.
2. For a more detailed discussion and step-by-step breakdown of business and strategy factors impacting any potential outside contract supplier of materials or services, see "Shared Risk: A Regulatory Management Strategy" in BioProcess International, March 2008 (6:3), pages 20-25.