Implementing A Vendor Oversight Quality Management System: Insights From Biogen Idec Data Management

By Ed Miseta, Chief Editor, Clinical Leader

As the volume and complexity of outsourcing increases, it becomes important to implement a risk-based approach to vendor oversight. Regulatory agencies expect that sponsor companies will ensure qualified personnel are working on their behalf, following GCP-compliant processes and have adequate controls in place to ensure patient safety and data integrity.

Unfortunately, it is also common for silos to exist in many large organizations. Much of what the data management area might do is contained within that department. What the clinical operations department does might be confined to clinical operations. As a result, not all information generated on vendor interactions will be passed through all of the functional areas requiring access to the information.

When those regulatory inspectors do show up at your door, it is not uncommon for them to ask “what have you done to oversee this vendor?” or “what evidence of vendor oversight can you produce?” As the sponsor is ultimately accountable for the quality of the data and the study conduct, it is important to ensure that oversight is applied throughout the lifecycle of the study. At the same time, it is important to not duplicate effort, micromanage the vendor, or fix issues that should be resolved by the vendor.  Oversight is essential, but spending time on unnecessary activities can have the effect of decreasing quality.

“Regulatory agencies now want to know about your vendor oversight program,” says Mary Ellis, senior quality associate with Biogen Idec Data Management. “Not having that information for an inspector can have negative consequences. Some companies will realize they are not always able to produce a database audit trail report on demand, a situation regulators will attempt to change. A company-wide system is necessary to mitigate risks associated with vendors, improve the quality of deliverables provided by the vendor, and to facilitate the sharing of information within companies.”

Duplication Of Effort And Lost Opportunities

The system that some companies have in place often results in duplication of work or missed opportunities to share information. Many industry professionals I have spoken to have told me multiple departments could be working with the same vendor and experiencing the same problems, yet will not be aware others are experiencing those same issues. For example, a vendor audit report completed by the compliance department might be filed in a database and not circulated to other departments that could use the information. This could include vendors whose actions have an impact on company data. There is certainly no deliberate attempt to keep information from anyone, the way the data is stored just often makes it difficult to share.

An additional complication for companies revolves around the vendor selection process, which often does not involve specific functional groups. For example, many of the lab vendors the data management team works with may be selected by the clinical operations team. Data management may not know how that vendor was selected and simply be told, “Okay, for this study, we're going to be using this lab vendor.”   

Ellis believes any given vendor can impact data, yet when you look at the process from a high level, personnel from data management may not have been involved in the selection process or the compliance audit, and may not have seen the audit summary. In addition, contracts might be dealt with by an internal contracts group. The functional area may have been involved with providing feedback on any contract, but those results are not consistently brought back to the contracts group to facilitate the modification of contracts.

Creating A Vendor Quality Management System

The Vendor Quality Management System (VQMS) being implemented at Biogen Idec is the framework that consists of the tools, resources, and processes to perform the assessment and oversight activities to ensure a risk-based approach to vendor oversight. In order to apply a risk-based approach, you have to know your risks. Risks may be based on the complexity of an activity, the regulations, or the vendor’s process. 

A functional area capabilities assessment is performed in addition to the formal audit that is performed when a vendor is selected. This allows for a deeper dive into the functional area based on specific knowledge of the topics. The oversight approach and plan is then formulated based on the findings and follow-up from the capabilities assessment. 

The assessment is driven by a tool that outlines Biogen Idec Data Management’s expectations in critical areas that could impact subject safety or data integrity. The assessment is completed by Biogen Idec and the vendor, by either a remote or on-site review, along with feedback provided by the vendor. At that time, Biogen Idec will also review the vendor’s SOPs and other controlled documentation.

The assessment’s findings are documented and flagged for further follow-up.  The follow-up action could be a modification to the vendor’s process or an additional oversight activity by Biogen Idec.

An oversight plan is then created which includes such items as meetings, metrics, and quality oversight activities. Although Biogen Idec Data Management has only performed a few assessments thus far utilizing the new VQMS framework, the assessments have helped department personnel to become more comfortable with vendors. Ellis notes the process has also been helpful to the vendor. From the feedback received, the vendors feel they better understand what is expected of them, and the result is a better working relationship.

Additional Review At The Vendor And Study Level

After the assessment, vendor-level oversight kicks in. This includes review of contracts, the engagement plans that outline governance and communication, and the oversight plan. Next is vendor quality activity. For example, if the oversight assessment determined there might be an issue with the way the vendor is writing queries, part of the vendor-level quality activity would be increased attention paid to that process for the first six months. If the query writing improved, the review might be trimmed back to every year or every other year.

Next is the study level oversight component. There may be a plan in place at the vendor level, but that plan is generally set in stone. Unfortunately, there are a lot of idiosyncrasies that can come with a specific study. Therefore, the study-level oversight plan can be tweaked and would contain additional oversight activities that may need to be performed with that vendor at the study level. “A complicated study design, for example, may warrant some additional checks,” says Ellis. “The study level oversight plan would document that. Finally, the study-level quality activities involve the same type of activities done at the vendor level, but at a study level.”

Ultimately, all of this information has to go somewhere to be usable. Biogen Idec DM is planning to develop a vendor quality management system (QMS) database to house the information, which is essential to sharing and analyzing the data. Anyone working with a vendor would be able to access the database and view the results of the assessment and oversight activities. The data can be trended, reported, and monitored to ensure adequate oversight, and it can be adjusted as necessary.

Every company would like to get to the point where, when preparing for an inspection, the ability will exist to go to a vendor QMS and retrieve all of the information needed. During the inspection, personnel on-site will have the ability to provide inspectors with an oversight plan for any vendor, along with copies of meeting minutes and the QC process in place for each vendor. This would obviously do wonders to ensure the success of the inspection.