Everything can be outsourced - except responsibility. That's a rule the U.S. FDA lives by, and one you should embed in your policies, SOPs, and corporate culture.
Last year, the deaths associated with contaminated heparin - followed by the ensuing FDA investigations and embarrassing (and expensive) product recalls - underscored the importance of ensuring your suppliers comply with regulations and conform to your manufacturing specifications at all times.
FDA holds corporate management, not the quality assurance department, responsible when outsourcing decisions go bad. Whether you're outsourcing manufacturing, clinical trials, IT services, pharmaceutical ingredients, circuit boards, or anything else, the ultimate responsibility for your product is yours and yours alone. Management can't pass responsibility down the supply chain like a hot potato. But here are a few common-sense outsourcing guidelines to lessen the risk of a severe burn:
Start by letting prospective partners know what you expect of yourself. During the selection process, share more than just job specifications - share your company's codes of conduct, mission statements, quality policies, compliance SOPs, and CAPA plans. In return, ask potential partners to share their own ethical standards, mission statements, business goals, and quality programs. Evaluate--through first-hand observation, careful review of their FDA track record and other records associated with additional regulatoray bodies--whether or not they actually live up to their claims. Your reputation and profits are at stake, so don't merely rely on a third-party "snapshot audit" to select a supplier; dig deeper.
Your monitoring should focus on defined processes and mutually understood risks. The FDA thinks of risk in the context of patients, products and processes--in that order. Those risks are indeed critical, but you also need to assess and manage broader business risks such as supplier costs, business continuity, data integrity, facility security, and compliance with non-FDA regulatory requirements, just to name a few.
Furthermore, understand that risks change over time. Plan to constantly review and reassess them. After a few years, processes rarely exhibit the same risks; the initial ones hopefully have been mitigated, and new ones likely have emerged. The FDA is constantly going to look at risk and how you control it, especially when it involves your outsourcing partners.
Plan to manage non-conformances in a pre-defined, established way. Make sure you and your outsourcing partner understand your respective roles in the initial investigation and the importance of a timely response. Define who is responsible for determining root cause and CAPA follow-up. Be aware that failure to find the root cause and not documenting the closure of a CAPA event are two of the fastest ways to bring down the wrath of the FDA.
Each person involved in the outsourced operation should have the ability to input information to your CAPA system. Don't assume your partner knows or understands the system; train them on what constitutes a CAPA-worthy event. For a copy of the free CAPA Resource CD used by EduQuest in its CAPA training classes, contact MartinHeavner@EduQuest.net.
FDA has the authority to inspect most, if not all, of your outsourcing partners. Currently the agency simply lacks the resources to do it. But fueled by comments from Congress members and recently introduced legislation, FDA almost certainly will grow in the coming years. Expect accelerated rulemaking and expanded, higher-visibility enforcement actions. Your hot potato of responsibility is only going to get hotter. Use the time now, while the new Administration sorts out its priorities, to revisit your existing outsourcing agreements, upgrade your supplier monitoring capabilities, and engage new outsourcing partners wisely.
Martin Browing is the founder and president of EduQuest, Inc., a global team of FDA compliance experts based near Washington, D.C. He spent 22 years with the FDA as a local, national and international expert investigator, then served as special assistant to the Associate Commissioner for Regulatory Affairs. He also was the vice chair of the agency's Electronic Records and Signatures Working Group, which drafted the 21 CFR Part 11 regulations. Martin served as the chair of the U.S. government's ISO 9000 committee; on the Global Harmonization Task Force, and on the committee that developed the Good Manufacturing Practice regulations for medical devices, otherwise known as the Quality System Regulation (QSR). He is the program chairman of EduQuest's popular "Effective and Compliant CAPA Systems" course, next scheduled March 26-27 in New Orleans, LA, and April 30-May 1 in Dublin, Ireland. The CAPA course, as well as other quality and risk management training, can be provided at your site. For details, call 301-874-6031, visit http://www.eduquest.net/, or email MartinHeavner@EduQuest.net.