What to Look for in Selecting a CRO/CMO and How to Ensure the Right Choice: A Quality Assurance Perspective

• GxP Compliance &Training Partners (GCTP)

Outsourcing used to be done for mostly “non-critical products/services,” but the last 20 years have seen a reversal in this trend. More and more companies are outsourcing key critical Good X Practices (GxP)- regulated clinical processes and products manufacturing. To improve efficiency and increase productivity, reliance on Contract Manufacturing Organizations (CMOs)¹ and Clinical Research Organizations (CROs)² continues to increase.

When selecting service providers, according to a recent survey,³ sponsoring pharma companies stated that they focus on the following criteria (listed in order of importance). Respondents described the following as “very important”: Confidentiality (81%); Quality (81%); Consistency of performance (79%); cGMP compliance (75%); Regulatory inspection history (69%); timeliness (60%); contract firm’s financial stability (56%); and project cost (54%).³ Pharmaceutical company sponsors are outsourcing more functions so that they can focus on their core strengths.⁴

Similarly, a third of clinical trials conducted by pharmaceutical firms are outsourced to vendors,² with 70% of pharma companies expecting an increase of outsourcing to CROs.⁵

However, the selection of clinical CROs seems more focused on matching chemistry, ie, that they can work with the CRO (63%); followed by the perception of dedication (62%); experience in the same indication (61%); and CRO overall experience in the study’s therapeutic area, but hardly any weight is given to Good Clinical Practice or Good Pharmacovigilance Practice compliance.⁵

The way a pharmaceutical company contracts CROs/CMOs has a critical and direct impact on a company’s realization of its goals. Many collaborations have ended with catastrophic outcomes with shock-waves impacting all stakeholders, including the patients. In another survey,⁴ nearly half (45.6%) of responding pharma companies stated that they had quality problems resulting from vendors, poor product quality, poor service quality, inexperience with regulatory requirements, and 49.1% of vendors made promises they could not keep.^3,4

So where does it go wrong? Was the final decision not based on the most important factor—Good Manufacturing Practice (GMP) Compliance?

Identification and Selection of CROs/CMOs: A Science or Art?

The Challenges

Outsourcing can present a unique type of challenge to any organization; it is both a challenge in its own right as well as a solution to another business challenge.³ The challenges are multi-faceted:

• As the highest risk is assumed by the company, it is, therefore, critical for the client company to implement a wide array of risk-mitigation tactics⁶
• The CRO/CMO business model is not designed to absorb high levels of risk
• Quality is variable and influenced by many factors
• Cost savings can be less than expected in the end
• Cost reduction initiatives can have an impact on performance
• Risk-free compliance has a price
• CRO/CMO selection and set-up creates lag time
• CRO/CMO management and governance can be resource-intensive
• Sponsors, CROs, and CMOs may undergo a merger or reorganization, leading to a loss of team members and knowledge or a change of focus
• Many of the decision makers are risk-averse in a risk-based climate/business
• Regulatory requirements, GxP compliance, and quality, in particular, are becoming increasingly more complex

Traditionally CROs/CMOs are chosen based on:

• Reputation/word of mouth
• History of working relationship
• Cost effectiveness, price, and affordability
• Ability to supply product at an acceptable cost/dose
• Speed of execution to decrease time-to-market
• Experience with similar products
• Regional knowledge
• Availability of facilities/services/staff not otherwise available in-house
• Adoption of virtual pharma model by small-size to mid-size companies, biotech, and specialty pharma
• Scientific capabilities
• Complex and specialized technical competency/skills; capabilities (eg, high potency, biologics, etc) which are not available in-house
• Years in business and years performing the relevant service
• Location

What Is the Role of Quality Assurance in Selecting a CRO/CMO?

Quality Assurance (QA) can play a fundamental role throughout the life cycle of any GxP-related outsourcing partnership.

After the screening stage, QA can conduct a qualification audit (ie, due diligence) of the few finalist contenders with the aim of verifying the critical parameters (eg, quality, compliance, etc) stated in the completed screening questionnaire, Request for Information, and Request for Proposal.

There are also numerous advantages for a QA audit/review of the contract, although this is not always done. A QA audit of the contract is primarily done to help ensure compliance with the applicable GxP requirements. Additionally, important issues may be identified during the previous stage (the qualification audit) that may need to be stated in the contract. For example, a QA review may indicate a need to include a clause/condition in the contract that any qualification issues must be resolved prior to a set date (depending on the criticality and impact).

An effective QA function of the contracting pharma company substantially relies on many tenets such as the anatomy of the function itself (eg, its position within organization/authority, Quality Management System [QMS], qualification and experience, etc) and physiology (an effective risk-based audit program, good auditing practices, standard operating procedures [SOPs] on key aspects of auditing, corrective actions and preventative actions [CAPA] trending and effectiveness evaluation, behavioral aspects, etc). The effectiveness of a QA audit program depends on whether it has been designed to take into consideration key factors such as the status and importance of the processes and areas to be outsourced. A QA audit should provide an independent evaluation of quality as well as bring a fresh perspective and new insights to the process. The methodologies and schedule should identify potential problems (and find solutions) before it is too late; a post-mortem only identifies the reason for the death; it does not repair the effects of a fatal flaw. Evidently, to afford the above infrastructure and effective functionality, the internal QA needs to have the right caliber and expertise. If the internal auditor lacks the required expertise, contracting external auditors with the required level of expertise is worth the investment.

Qualification Visit/Audit: What Does QA Consider During the Selection Process?

This visit should be a team with representatives from both operational and QA departments. QA’s main objectives during the selection process are to verify the provider’s:

• QMS
• Relevant GxP compliance with applicable GxP regulations and quality standards and inspection history (if known)
• Competence to deliver the service
• Capacity to meet service demand and any potential variations
• Ability to supply a service at acceptable quality while meeting timelines
• Secure business capable of long-term supply, invests in up-to-date technology
• Commitment to sponsor’s business, ie, not de-prioritizing due to new businesses
• Infrastructure and quality culture
• CRO’s/CMO’s physical assets and capability
• Scalability of the facility/organization
• Facility’s/organization’s delivery metrics
• Experience with drug development
• Anticipated contract terms
• Specific strengths, eg, sometimes suppliers that focus primarily on commercial GMP production do not excel in clinical GMP
• Their processes may be too heavy and slow to accommodate the changing needs of clinical manufacture
• Such companies often lack essential analytical equipment (high-performance liquid chromatography, tandem mass spectrometry, nuclear magnetic resonance, etc)

A. Quality Management System

QA should determine the effectiveness of the provider’s QMS by reviewing and assuring the adequacy of the individual elements of the QMS—such as organization and infrastructure—that can support the contracted project.

While having written procedures does demonstrate the fulfillment of an important QMS element, QA verifies that they are indeed followed (via interviews, in-process observation, and documentation). Quality control steps in critical processes should also be confirmed.

A special skill is needed to attest the presence of an adequate training system. In addition to reviewing the training system, control, and respective documentation, the auditor needs to reach a comfort level that the system is well-designed. Having a “read and understood” statement might not suffice for certain processes. For more critical processes with a high potential impact, a verifiable training evaluation approach such as a “sign-off,” “release to conduct task unsupervised,” or a test may be warranted. Equally important is the hand-over procedure; while the initially assigned staff may have been trained and performed well, given an environment where the only constant is change, QA needs to be satisfied that when staff are replaced, an effective hand-over process is in place with no loss of knowledge/information in the transition.

Reviewing the provider’s QA system, the auditor should authenticate the independence of the QA function, adequacy, and the experience of the QA headcount as well as the effectiveness of the QA system. While no project-related problems may exist at this early stage, problems could happen down the road, so QA should attempt to anticipate where problems or deviations are likely to arise. The auditor should determine the provider’s system for managing these anticipated issues. For example, when something goes wrong, does the provider:

1. Identify quality problems?
2. Conduct a root cause analysis and investigate non-conformities?
3. Identify CAPA?
4. Verify and validate the effectiveness of CAPA?
5. Communicate quality problems to those directly affected and responsible?
6. Communicate quality problems and respective CAPA for management review and approval?
7. Implement changes to correct quality problems?

While successful regulatory inspections can demonstrate compliance, it can be challenging to verify the true outcome. Not all providers are willing to share details of such events. It is worth remembering that passing a US Food and Drug Administration (FDA)/European Medicine Association inspection does not automatically ensure that a provider will always be compliant.¹ Rather, documentation substantiating closure of such inspection findings can demonstrate compliance, transparency, and good issue management. Facility general quality certifications (such as an ISO certification) do afford an additional comfort level, while more specific certifications by a regulatory authority/international body (such as GLP or GMP certifications) can increase the comfort level dramatically. The latter does not always apply to clinical research organizations (eg, certain Phase I certifications in certain countries).

B. Operational and Other Aspects

For more technical and operational aspects, it is important that the auditor has the technical capability to assess the competence of the provider, and if he or she does not also have the operational background, he or she should be accompanied by a Subject Matter Expert (SME).

Where possible, an ideal team would consist of both the QA auditor and the SME.

To verify the claimed capacity, a QA auditor needs to review current capacity and available facilities, as well as the ability to address changes. A supplier/provider is usually chosen based on immediate project needs, but potential future developments and longer-term supply should also be considered.¹ It is imperative for the qualifying team to consider this to ensure the project will not quickly outgrow the selected provider.

For other technical systems (eg, assessing laboratory operations), QA should verify the firm’s operations are in a state of control. If an issue arises (eg, if there is an Out of Specifications [OOS] laboratory result) or if there a clinical site monitoring performance, how does the contracted vendor address such issues?

While the pharma operational personnel can be satisfied that the CRO/CMO can provide the requested process/service/product, QA need to be satisfied that such a process is validated, that adequate quality control steps have been incorporated, and monitored for effectiveness, and see that the actual testing, deviation, and complaints’ management data, etc, demonstrate the process effectively.

C. Business Continuity

Business continuity and contingency plans should also be addressed during the QA audit. For example, a QA audit should find answers to the following questions:

• Is the CRO/CMO successful and does it have a track record of profitability and growth?
• Is the company able to support its growth?
• Does the vendor have debt capacity?

While very sensitive and often associated with disclosure reluctance, the auditor should be perceptive to any signs that may imply the owners’ intentions for selling or merging the existing business. If such a prospect is confirmed, uncertainty may arise as to whether the CRO/CMO would remain dedicated to the contracting business or maintain the same level of quality. Likewise, other factors that may impact business continuity should be examined such as business resumption contingency plans in the case of possible force majeure.

At Contract Creation: Auditing the Contract

What is a good agreement? Undoubtedly, a good agreement meets the requirements of both parties to make a cohesive association. The contract needs input and review from the major stakeholders to ensure that all delegated activities are clearly stated, and no essential ones have been missed:

• Minimum requirements spelled out in contracting agreements
• Written quality agreement to clearly identify responsibilities
• Awareness of other potential constraints
• Legal/regulatory aspects, interactions between laws of different countries, and the impact of domestic and foreign Regulator Requirements
• Lines of communication and reporting
• Clear quality commitments through specific and transparent QA and quality control elements because technical details are not the only prerequisite for contract arrangements
• Contractually stated assurance that when the provider subcontracts to a third party, the level of control and quality will not be compromised
• A stringent vendor selection process with Pharma company approval

Establishing a robust contract is more than a financial document. It pays dividends to have training and experience on how to make and sustain a good agreement.

Establishing a Successful Oversight System for the Partner

Oversight of contracted providers of GxP-regulated services and products is a regulatory requirement.⁶ The more a company outsources a GxP-regulated task, the more oversight is expected.

Various international quality standards require that the quality system responsibilities extend to the oversight and review of outsourced activities. The contract giver should be responsible for assessing the suitability and competence of the contract acceptor,⁹ and the control of such outsourced processes shall be identified within the QMS.¹⁰

While the legislations could be more explicit in stating the requirement for oversight, they do execute explicit penalties when this requirement is not fulfilled. A simple review of a few warning letters on the FDA portal demonstrate this: “…failure to clearly define the type and extent of control to be exercised over suppliers,”¹¹ “…while Company X supplier approval procedure provides for ongoing monitoring, it ‘does not define the frequency & type of monitoring for these suppliers.¹¹”

The term “supplier oversight” is almost always associated with diligent audits, which are indeed imperative.⁹ However, systematic, risk-based vendor monitoring is more effective in the long term.⁹ Sponsors must understand what may adversely impact their process/product and deign the oversight system and its tools accordingly. Oversight tools include scorecards, key performance indicators, and both quality metrics and performance metrics—otherwise this may send the wrong message that performance is more important than quality. QA support in establishing the quality metrics is, therefore, paramount. Metrics can be useful and objective measuring tools to generate feedback to discuss with teams and solve problems.

Vendor oversight supports Quality by Design, as oversight is established to ensure quality and compliance (among other things). Vendor oversight should be an integrated part of the life cycle of the partnership. Indeed, this ensures awareness of the process earlier rather than later where it may be interpreted as a sign of decreasing confidence.

Risk-based regular post-contract audits are a good practice and expected by the regulatory authorities. Generally, most people find that being audited is not the most pleasurable experience, but the benefits are substantial, considering that an audit:

• Affords a better understanding of a customer’s different needs
• Helps to demonstrate the good capabilities of a CRO/CMO to a selecting sponsor
• Identifies gaps/non-conformities before they are identified during regulatory inspections (and not on a Form 483). Even if the audit outcome results in losing a client, with proper CAPA, it can protect against losing every client!
• As CROs/CMOs are subject to regulatory inspections, the impact of the issues being identified during a client audit is lower compared to the impact of issues identified during a regulatory inspection. This reduces the chance of unexpected surprises at regulatory inspections for both parties
• Helps preparation/grounding for hosting future regulatory authority inspections (if they have not been inspected before), and streamlines processes and communication
• Can measure promptness in problem resolution and cooperation
• Provides additional resources to the provider’s own internal QA resources and an external view
• Provides a sense of assurance for the pharma company, and a knowledge of quality status over time

Key Takeaways

• A company can delegate GxP-regulated tasks but not the legal responsibility
• Selection needs to be an objective, inclusive, and balanced process using multiple criteria and a risk-based approach
• Pharma needs to drive a shift from tactical to strategic partnerships
• Pharma needs to take into consideration if the selection is for a one-time relationship or for a long-term partnership
• Oversight and governance of the relationship/partnership should be integrated at the inception of the partnership
• If the internal QA function lacks the required level of expertise, to conduct a thorough vendor selection and qualification process, contracting external auditors with the required level of expertise is worth the investment
• Make sure that the contract undergoes thorough QA review
• Risk of drug/project failure is assumed by the contracting company
• The size/capacity of the provider to be selected should be of a caliber that can accommodate any potential growth of the initial project

The failure of a CRO/CMO to comply with the law or to deliver on contracted services translates to a failure of the sponsor to both comply and deliver.

References

1. Toronto D. Selecting the optimal CMO for your business critical screening steps. Available at: http://sennchem.com/sennchem_wp/wp-content/uploads/2014/03/resources_ Selecting_the_Optimal_CMO_Jan_2013.pdf. Accessed February 14, 2015.
2. Mansell P. Pharma outsourcing over one third of trials. Clin News. December 22, 2011.
3. 2014 Annual Outsourcing Survey. Contract Pharma. May 11, 2014. Available at: http:// www.contractpharma.com/contents/view_outsourcing-survey/2014-05-11/2014-annualoutsourcing- survey. Accessed February 15, 2015.
4. Langer S. Survey Examines Trends in the outsourcing relationship. Biopharm International. Available at: http://www.biopharminternational.com/survey-examines-trendsoutsourcing- relationship. Accessed on February 12, 2015.
5. Glass HE, Beaudry DP. Key factors in CRO selection. Applied Clinical Trials. April 1, 2008.
6. Contract Manufacturing Strategies: Market developments, technology transfer and key success factors. Business Insight. Available at: http://www.chidb.com/business_insight/ descriptions/contact_manufacturing.asp. Accessed February 12, 2015.
7. Strauss M, Novak J. Selection and oversight of domestic and international CMOs. BioProcess International. March 2009.
8. Pharma IQ (Division of IQPC). How pharmaceutical companies will pick their contract manufacturing organizations in 2012. IQPC survey conducted Nov 2011. Pharmaceutical Online. March 26, 2012. Available at: http://www.pharmaceuticalonline.com/doc/howpharmaceutical- companies-will-pick-their-0001. Accessed February 12, 2015.
9. Pharmaceutical quality system Q10 current step 4 version. June 4, 2008.
10. ISO 9001:2000 - Quality management systems – Requirements.
11. Master Control- White Paper: How to successfully manage your suppliers and ensure product safety and compliance. Available at: http://proddownloads.vertmarkets.com. s3.amazonaws.com/download/9dd2c916/9dd2c916-74cf-4879-a07b-d93453b25855/ original/mc_w_supplier_management.pdf. Accessed February 12, 2015.

Amer Alghabban has over a 24-year track record in the pharmaceutical industry (GxP QA, Development, Pharmacovigilance, and Medical Communications). For some time, he was the Assistant Editor for 11 medical and pharmaceutical journals. He contributed further to these disciplines by writing The Pharmaceutical Medicine Dictionary book in April 2001 and The Dictionary of Pharmacovigilance in May 2004, and is currently writing his third book, Dictionary of Clinical & Pharmaceutical Development. Amer presented and chaired at over 65 international congresses, universities, and WHO. He is currently the Managing Director of GxP Compliance and Training Partners (GCTP) and a consultant for several pharma and CRO companies.