Effective Records: Get Them Right by Getting Proactive with Vendors and Suppliers

GxP Lifeline Feature Article


Poor records – and poor management of good records – can trigger needless costs, penalties, and public embarrassment for FDA-regulated companies. And if managing your own records isn’t challenging enough, FDA holds you equally responsible for ensuring the quality of records generated by your suppliers, contractors, and vendors.

To protect the integrity of your regulated products and your company’s reputation, you must be proactive and continuously monitor the activities and records of each link along your supply chain, including suppliers and vendors whose activities may affect the safety and efficacy of your final product. Even if FDA does not directly regulate all of your suppliers, it’s ultimately your responsibility to ensure their records accurately reflect what’s happening at their sites.

What FDA Expects from You
FDA expects you to have a good supplier/vendor management program that includes ongoing communication and management review. When FDA comes calling, the agency wants you to be able to prove your vendors and suppliers are quality organizations who generate reliable records. For the kind of questions FDA may ask about your suppliers, [see Sidebar 1].

What supplier records are important? The short answer is any record involved with your regulated product and any data that supports your product. For example, if you have a vendor who tests your product for stability, you should be concerned with that vendor’s policies and procedures for product receipt, storage, and testing; its records for validating the processes and equipment used in the testing; its records for calibrating and maintaining that equipment; its training records for the people performing the work, and all records containing the original data, calculations, and final results, including of course the actual reports you receive.

With electronic records, you’ll also want to assure your vendors are maintaining and controlling them in compliance with FDA’s Part 11 rules for electronic records and signatures. FDA wants all your records –paper, electronic or a hybrid of the two – to have easily traceable attributes tied to their authorship, ownership, and responsibility. In addition, you need to be confident in your vendors’ records throughout their lifecycle – from the time they are first created until they are retired. The useful life of a record should be defined – in advance – by you and your vendor based on your business needs as well as legal and regulatory requirements. See Sidebar 2 for the characteristics of a good record – whether generated by you or one of your suppliers. Getting Proactive
Getting good quality requires assessing your vendors’ capabilities as early as possible. So qualify them before you sign any agreements. That’s when you have the most leverage, and you should use the pre-contract negotiation process to your advantage. Scrutinize vendor operations carefully – in person, preferably – and follow up on references. Check if the FDA has any information on their compliance track-record. Ask to review their quality system – and if they don’t have one, that’s a signal you should go elsewhere – fast. Ensure each vendor fully understands your expectations. Remember, too, your suppliers have their own vendors, so determine if they qualify their own supply chain as well.

One obvious way to protect yourself is by conducting vendor audits – using your own staff or a consultant or a combination of both. Always keep in mind, however, an audit is just a snapshot in time, not a substitute for continuous, proactive monitoring. Key vendor areas you should audit are listed in Sidebar 3. In concept, when you audit your suppliers, you become the FDA. One useful tool to help you think like an FDA inspector is the agency’s own Investigations Operations Manual (IOM), a 450-page inspection “bible” developed by FDA for its own inspectors. The March 2008 version includes updated guidelines inspectors should follow in issuing written requests for records. IOM is a public domain document available from the FDA, or you also can request a free electronic copy from EduQuest (info@EduQuest.net).

For audits of vendors who supply computer products or services – including software for electronic records generation and management – you have another option. The Audit Repository Center (ARC) is a “by subscription” central repository for audit information based on the Supplier Audit Process Model developed by PDA (formerly the Parenteral Drug Association). Established to reduce audit costs by minimizing duplicative efforts, the ARC provides subscribing companies with online access to completed audits done by other subscribers. This way, subscribers can obtain completed audit data from qualified auditors using an industry-endorsed, standardized audit process.

In addition to managing the audit reports, the ARC maintains a list of auditors who have been trained and qualified to the PDA audit standards. As a subscriber, you can qualify your own staff to conduct audits or you can contract with one of the qualified auditors. Once your audit report is accepted by ARC, you have access to other reports in the repository. Companies who just want to obtain reports from ARC also can subscribe. On the flip side, suppliers who want to demonstrate their quality to potential clients can be audited and have the resulting report made available in the repository. For further information on the ARC, visit http://www.syntegrallc.com.

The Case for Good Records
No matter whether your supplier records are paper, electronic, or both, vigorous record review is so much more than a mindless “paper” exercise. Look no further than the recent massive recall of heparin to appreciate the importance of being confident in your supply chain.

Good standard operating procedures (SOPs), policies, and plans tell you and your supplier what is supposed to happen at a certain time under certain conditions. Good batch records, laboratory records, complaint investigations, and other similar records tell you what has actually happened. If gaps exist in the records, a reasonable person – including an FDA inspector – could conclude the process is out of control. Memory of past events dims over time, and the exact sequence of events – even the events themselves – become anyone’s guess. FDA does not rely on memories, and neither should you. Get your records right by getting proactive with your suppliers and vendors today.
Sidebar 1 – Be Prepared for these Possible Questions from FDA Inspectors:

  1. Do you have a written vendor qualification policy and procedure?
  2. Did you qualify your vendors?
  3. Were written procedures followed?
  4. Were deviations found and followed up on?
  5. Are your vendor communications frequent and on-going?
  6. Are vendor records complete, accurate, reliable, secure, and available?
  7. In what form do you receive the records?
  8. How do you ensure their accuracy?
  9. Who owns the original records?
  10. Who has access to the records?
  11. Do the records look too clean and pristine (a possible warning sign of tampering)?
  12. Can changes be made to the records? By whom?
  13. Is there an audit trail of changes made by the vendor or by you?

Sidebar 2: What Makes a "Good Record?"
You’ll know you’re looking at a good records management program when each record meets the following criteria:

  1. Accurate – records are free from errors and carefully completed
  2. Current – records are completed at the time the operation was performed
  3. Consistent – records are completed per SOPs and to the same extent as other records generated under that procedure
  4. Attributable – records are easy to understand and interpret because all necessary information is in the record or at least referenced
  5. Available – records are easily identifiable and retrievable
  6. Reliable and trustworthy – records are generated and reviewed by authorized, knowledgeable, and trained personnel
  7. Secure – only authorized personnel can create, modify, delete or access records during appropriate times.

Sidebar 3 – Key Supplier Areas You Should Audit:

  1. Quality systems
  2. Project management capabilities
  3. Testing methodology and procedures
  4. Manufacturing processes
  5. Document and records management
  6. Security systems
  7. Personnel training and education
  8. Equipment and records maintenance

Janis V. Olson is a Senior Validation Consultant with EduQuest, Inc., a global team of FDA compliance experts based near Washington, D.C. Previously, she worked at FDA for more than 22 years, where among other responsibilities she conducted domestic and international inspections of FDA-regulated companies. Currently, Janis helps clients comply with GxP regulations worldwide. She also is a featured instructor at many conferences and training courses, including EduQuest’s popular “FDA Auditing of Computerized Systems and Part 11” course, next scheduled September 22-26 in Providence, RI, and December 8-12 in Scottsdale, AZ. The course, as well as other quality and risk management training, is also available from EduQuest on-demand. For details, call 301-874-6031, visit www.EduQuest.net, or email MartinHeavner@EduQuest.net.

Read more about improving product quality and safety:

FDA Link:
Title 21 Code of Federal Regulations (21 CFR Part 11) Electronic Records; Electronic Signatures, http://www.fda.gov/cder/gmp/index.htm

Additional Article:
“Auditing Supplier Performance,” http://www.internal-auditor.com/Features/2003/03-05-Auditing_Supplier_Performance.htm#feature