A Risk-Based Approach to Vendor Qualification and Management

– A Practical Guide for Clinical Trial Sponsors –

Open PDF of slides

If you have any problems accessing these resources please contact marketing@diligentpharma.com

Questions and Answers:

Can a Pharma company ask their own questions as part of Diligent’s RFI framework? And if yes, does Diligent keep the questions and answers confidential?

Yes, a Sponsor can ask their own custom questions when they make a request on the Diligent Platform. Custom questions and the associated answers are ringfenced and kept separate from the other RFI questions. Sponsors can ask Study specific or Program specific questions and be sure that their questions and answers will remain confidential.

Do you qualify internationally?
Will you qualify a vendor on behalf of a Sponsor client if it is a new one for Diligent?

Yes, our qualification services are global. We can access any geography or market around the world.

If a Provider of interest is not in our platform, or is in our platform without current data (RFI and/or audit report), we will onboard that Provider and complete the qualification work (RFIs and audits) on your behalf. We manage these efforts daily for the new Providers that we bring into our platform.

What is the average time to obtain vendor permissions?

The response time to obtain permission from the providers can be as quick as the same day or on average 2-3 business days.

If a prior questionnaire or audit did not include a specific scope of services, will Diligent obtain this on behalf of the Sponsor client?

If a Sponsor requests a service area that was not previously evaluated, Diligent will conduct an evaluation of that service area on the Sponsor’s behalf.

What tips do you have to help a CRO feel comfortable alerting the Sponsor to potential areas of concern, before they become bigger problems?

Since you didn’t state the nature of the concern (eg. quality/compliance, delivery/performance, financial, etc), I think risk management and relationship management are the components of an effective service provider oversight plan most relevant to this question. Depending on the nature of the partnership, relationship management could include the establishment of a subcommittees focused on quality, financials, and project management.

Risk management should be imbedded in these key aspects of relationship management so there are forums for open dialogue about risks identified by either party. The relationship management framework should include regular cadence of communication, mechanisms of communication, and the opportunity in an unthreatening way to engage in near real-time communication. Early detection and communication of concerns can mitigate significant risks downstream.

Given that some people at Cerevel were reluctant at first to use Diligent’s system, what was the main factor that persuaded them to try it?

At Cerevel, we aim to be on the leading edge and embrace modern quality techniques. There was interest around the Diligent model and the potential to streamline vendor qualification. We (Global Quality) did a lot of advocacy for the model and the value that it could bring to the industry. One factor that helped to convince our colleagues was the use of the qualification questionnaires that were developed by WCG AVOCA as the foundation for the scope (i.e., standardized, transparent approach). They were also interested in the potential for reducing time to qualification.

How comprehensive is the coverage of service providers in the DQP?

We cover all 28 categories listed in the presentation. This includes all types of Full Service CRO Services, Labs, Imaging, eTechnologies and Remote Sensors that support both traditional and decentralized clinical trials. We have over 300+ Providers on the DQP and this number continues to grow.

I see the benefits for trial sponsors of using the Platform. Why would service providers join? What’s in it for them?

Providers can realize a huge reduction in their resource efforts to support Qualification activities due to Diligent’s innovative model of reusing completed RFI’s and VQA’s. Additionally, being listed on the Diligent Platform will increase a Provider’s visibility and make them more attractive to our client sponsors when they know they have been qualified by Diligent. This cycle time savings is highly valued by sponsors.

What is the specific difference between Project vs. Performance Management? To me they are one and the same.

Generally, Project Management should be focused on oversight of technical aspects of work product delivery, ensuring the “what” within the engagement is delivered. Performance Management is generally focused on the how (eg. quality), when and cost aspects of work product delivery. Key performance indicators can be specific to how and when the work is to be delivered. Project Management and Performance Management are interrelated and could be combined in small target projects and partnerships. In larger engagements that include several capabilities and deliverables, I recommend keeping them separate and distinct, as project management could be defined by capability and performance management could be centralized and include enterprise metrics/measures and reported via a comprehensive relationship management framework.

Can the Sponsor purchase single vendor audit reports from Diligent?

Yes, Sponsors can certainly access single reports from our platform without requiring a subscription. Of course there are greater cost efficiencies and economies of scale with a subscription. We offer several engagement/ contract models for our Sponsor clients to consider. As a starting point we typically ask our Sponsors to share a list of their potential Providers. We can then match that list to our database and see where we have an existing report on hand. Based on the overlap to our existing database, as well as your anticipated volume of qualification needs coming up, we can develop the ideal proposal that will meet your needs.

Roughly how many service and technology providers does Cerevel rely on for their clinical research program?

We have approximately 40 providers that we work with in our clinical research program

How do you see things developing over future years for people concerned with risk management in clinical trials?

There are a few key things to consider. One is the proliferation of accessibility characteristics, or decentralized clinical trial characteristics. Things around technology services, eClinical mobile technology, where there are some unique risk components. We need to consider the infancy of these sectors, relative to understanding the provider or the vendor qualification components of those technologies. These emerging technologies and capabilities, given the proliferation, will become hugely important, particularly with global application.

Another consideration would be the regulatory perspective. On June 20th 2023, the FDA came out with draft guidance around decentralized clinical trials, which was fairly wide sweeping in terms of the implications and expectations. It’s important to understand both the opportunities around the technical capabilities, the regulatory aspects and how that impacts the patient burden, the demand for diversity in clinical research. The dynamic between the regulatory, the capability offerings and the patient expectations, and potential burden reduction is going to be one of the key tensions that we’re going to need to manage moving forward, in the next three to five years. And of course, it’s going to continue to evolve during that time as well.

As there is an increase in the use of technology in clinical trials and from September 2023, the EMA guidance on computerized systems becomes into effect. How will this impact the qualification of vendors?

This draft guidance document is out for public comments and targeted for publication in September 2023. Once it is finalized and published, the Diligent Qualification Standards will be updated as necessary to reflect any new expectations. We will then subsequently apply these new expectations in future RFI Qualification Questions and VQA (Qualification Audits). These new Regulatory expectations would be applied on a go-forward basis.

Do your RFIs also include information on the presence of any ESG frameworks at the vendor?

Our CORE RFI asks many questions regarding HR policies and compliance with many local laws and regulations (Environmental, Safety, Employment, Ethics, etc.) Additionally, we track the Provider’s Certifications (eg CAP/CLIA, ISO, Etc.), 30 different Diversity Classifications (Minority Owned, Women Owned, etc.), Compliance Posture (HIPAA, GDPR, GCP, GCLP, GLP, etc.) and other attributes that illuminate their ESG attributes.

The answers to these questions and company profile will be helpful in evaluating a provider company’s ESG framework.

How do we qualify big SaaS/Cloud services providers like Microsoft, Google or AWS?

An important thing to remember is that for GxP software solutions, regardless of the cloud deployment model (ie. cloud, hybrid or on-premises) you as a regulated company are still ultimately accountable for ensuring the GxP qualification and compliance of the technology architecture stack and associated software solutions.

In preparation for your qualification assessment of a cloud service provider (eg. AWS), it’s important that you know what cloud services they provide are relevant to your use case (eg. Infrastructure Qualification and Operation).

For services the cloud provider is responsible for, you need to assess and determine the suitability of their quality system and that it is systematically followed. The provider needs to show that they have a QMS and follow a documented set of procedures and standards governing activities. Please pay special attention to areas of shared responsibility (eg. software change management), as it may require alignment and virtual integration of Quality Management Systems from multiple organizations.

How large/small is you company and your QA dept. at Cerevel? How many clinical trials do you initiate per year?

Our company (Cerevel) is growing very rapidly. We have around 340 people in our company at the moment. In terms of traditional QA, we have three people internally dedicated to clinical audit oversight. Most of our audits are conducted by external (contract) auditors. In terms of how many trials we initiate per year, I can say that, although we’re a new company and relatively small, we have a strong pipeline and we have a decent number of studies in progress.

For services the cloud provider is responsible for, you need to assess and determine the suitability of their quality system and that it is systematically followed. The provider needs to show that they have a QMS and follow a documented set of procedures and standards governing activities. Please pay special attention to areas of shared responsibility (eg. software change management), as it may require alignment and virtual integration of Quality Management Systems from multiple organizations.

What is the cost range of your services? I know it depends upon many variables; but, it would be helpful to know the range of the orders of magnitude that it could be.

Our costing is very dependent on our clients’ needs. Pricing for a Sponsor that wants to access a single completed audit report from our platform will pay a different fee for that data than a Sponsor accessing that same report in a subscription contract. Subscriptions also vary based on the amount of inclusions in that contract.

Some Sponsors have smaller lists of Providers to qualify, so their contract pricing will be different from a high volume contract. Additionally, when a Sponsor shares their Provider list with us, we match it to our database to see where we already have completed data in our platform, and where we will have to capture new data. The mix of existing and new data factor into pricing at different levels. Economies of scale can also be captured in a subscription.

What we can say is that working with Diligent will cost you less per activity than your current process. There will be an instant cost ROI for you. And when you are able to access existing data from our platform that’s where you get the bigger ROI on pricing, and being able to access that data in real-time provides an even great timing ROI.

How are the boundaries between qualification levels defined? For example, if the risk priority number is use in assessment, from which value the transition to the highest risk level is made.

We utilize a Risk Scoring framework that evaluates each topic area within our Qualification Standards. Each of these topic areas are then scored Red (Major Risks), Yellow (Minor Risks) or Green (Minimal Risks). Additionally, we work with our clients to establish a Company Specific weighting for each topic area (High, Medium, Low) to create a Company Specific Risk Rubric that reflects the company’s Risk Tolerance.

The combination of the Risks and Ratings come together in a proprietary algorithm to create a risk score from 0 (Very Red)-100 (Very Green). High numbers indicate that the Provider will be a low risk provider. Low numbers indicate that additional levels of Vendor Oversight might be necessary in our Oversight Plan to monitor/control identified risks.

We would be happy to set up a meeting with your company to explain our methodology further and explore how this might benefit your organization.

Is provider qualification used to reduce starting materials testing? If yes, how is this qualification used?

Our focus is on GCP, GCLP and GLP only. We do not currently operate in GMP.

Could you share a success story where you were able to help a client significantly mitigate risk or avoid financial loss?

We have several examples where our qualification efforts have identified Critical/Major gaps in a Provider’s compliance posture. This led to Sponsors choosing to utilize an alternative Vendor. This also provided important feedback to the Vendor so that they could address the gaps and be better positioned for future work.

For the point made regarding that sponsors may not add input into the scope of the audit perform the Diligent. 1) what is the sample used by Diligent during the vendor audits?
and 2) what will be the recommendation from Diligent to sponsors? (e.g. should sponsors then use a separate audit to audit specific project related topics- not covered in the scope of audit?)

Our Auditor-led Vendor Qualification Assessments (VQAs) are focused on the Vendor’s QMS/Organizational posture relative to our Qualification Standards. This can include processes anticipated for future programs but our VQAs do not focus on study-specific past conduct. The VQA is focused on whether they have the capability and documentation to perform the scope of services under consideration within the applicable compliance requirements.

Additionally, we offer In-Study Audits that can be focused on Study-Specific or Program-Specific performance. These are highly customizable by each of our Clients to focus on topics of interest. These Audits are not re-used but are planned with each Sponsor’s input relative to the Scope and Sampling methodology.

Can you comment on how many vendors you have in your database in the Technical Services categories? Especially for labs.

There are currently 1200+ Vendors in our Diligent Qualification Platform that indicate they provide some sort of Lab Service (e.g. Central Lab, Biomarker Lab or Bioanalytical Lab). This number is continuously changing as we add new Vendors.