Guest Column | August 17, 2023

Vendor/Supplier Management To Maintain A Drug's Safety Profile In End-To-End Supply Chain Planning

By Anna Lukyanova, COO, Arriello


The past few years have been characterized by turbulence and consolidation for global life sciences brands and manufacturers and their third-party suppliers. This is adding layers of complexity in terms of the controls companies across the supply chain have in place to ensure end-to-end quality and safety. Marketing authorization holders’ (MAH) responsibility for ensuring the continuous monitoring of the safety profile of a medicinal product across the marketing authorization life cycle includes accountability for all third parties and contractors with a potential impact on that safety profile.

Suppliers could include anyone from local distributors or qualified persons to IT system partners, security providers, and even auditors themselves. Increasing changes to suppliers and service providers affect the vendor records and controls companies must maintain to ensure end-to-end quality and safety.

If control issues are exposed during inspections, that could lead to fines or even product withdrawal from affected markets. Scenarios potentially triggering an inspection could include a distributor failing to flag an effective product recall in a particular market; a local partner failing to implement additional risk minimization measures (aRMMs); or a local qualified person being unreachable by the relevant authority due to out-of-date contact details or the vendor going into liquidation.

It is generally expected that regulators will issue firmer guidance on vendor management controls sooner rather than later. In the meantime, robust vendor management is an expectation under EU GxP requirements. In the US, FDA 21 CFR 211 requires vendor qualification as a part of the validation process. So, if your company as a drug developer or license holder falls short, you could risk your reputation as well as significant fines and ultimately product withdrawals.

Identify And Review Supplier Risk

What steps can MAHs take? It’s important to start by identifying ALL suppliers with a potential bearing on a product’s safety profile, however tenuous. Once a definitive list has been compiled, each supplier can be reviewed for potential risk/safety impact and appropriate due diligence. (Ideally, such factors should form part of the risk-based evaluation conducted before entering into a contract with a new supplier or service provider.)

Applicable third parties could include:

  • sales and marketing companies that capture data and could come across adverse events (AEs);
  • outsourced service providers — e.g., of data management, biostatistics, or medical writing;
  • pharmacovigilance (PV) service providers;
  • IT providers that host the company’s safety database or ensure the safety data being stored; and
  • independent PV or clinical safety contract auditors.

Once all the potential third parties for assessment have been noted, assess each one for potential safety profile impact, the current supply/contract status and any monitoring, and required next steps.

Implement A Robust Vendor Management System

A robust vendor management system (VMS) is every bit as important as a robust quality management system (QMS). Ultimately, it should form an integral part of the QMS, and awareness, training, and buy-in to vendor management practices should be formalized with appropriate communication and training.

Governance and the sharing of business decisions with the Safety/Pharmacovigilance Quality Assurance (PVQA) department prior to contracting emerge as important, positive practices, too. Additionally, all contractual arrangements with PV agreements, clauses, or a PV section should be reviewed by the Safety/PVQA department. MAHs should have all responsibilities clearly documented in an appropriate agreement to avoid misunderstandings around relative responsibilities.

Perform Due Diligence On New Third Parties

R&D, MAH, CRO, or service provider organizations must assess the potential impact of any proposed new vendor on the safety profile based on the services it is going to provide. For instance, a third party that is providing services that are critical to the delivery of the safety profile, maintenance, or evaluation of the product (e.g., CRO, PV service provider, medical information provider, outsourced clinical services) will require greater vigilance than one that does not have a direct impact on the safety profile, maintenance, or delivery of product and whose failure would not disturb clinical or PV operations. In between these two extremes are suppliers posing a significant, if not critical, risk, in that their failure could disrupt the business. Performing an audit or risk-based questionnaire on all critical and significant third parties is suggested best practice.

Eight Actions For Optimum Vendor Management

  1. Inform everyone concerned about the impact of all kinds of third-party suppliers and service partners on safety.
  2. Get the safety team involved in vendor selection due diligence before the contract is signed.
  3. Practice ongoing communication and open sharing of information — all paramount to a good third-party relationship.
  4. Review potential risk factors continuously to ensure ongoing compliance.
  5. Set out respective responsibilities clearly in contracts to ensure there is no misunderstanding of responsibilities around sharing changes to information.
  6. Ensure your chosen vendor management system, like a good QMS, reflects the company’s organizational complexity.
  7. Don’t rely on audits to flag changes and issues. Audits are not the definitive solution to effective vendor monitoring and management. Foster good relationships with relevant third parties and keep reevaluating them.
  8. Encourage buy-in to supply chain safety management from everyone – from business development and contract management to marketing and beyond.

Maintain Ongoing Vendor Due Diligence And Assessment

Over the lifetime of the contract, it will be important to review any contractual changes made. Regular testing of the contact details to ensure they are still valid and correct offers one simple way to uncover changes that may not have been identified otherwise through routine processes.

From a post-marketing perspective, under the EU GVP Module IV.B.1 (pharmacovigilance audit and its objective), there must be ongoing due diligence and assessment, alongside an audit program based on risk. These regulatory expectations are likely to be reflected more globally over time. In Europe today, this needs to reflect evolving factors such as changes to legislation and guidance or a major reorganization/restructuring of the PV system (e.g., following a merger/acquisition).

Everyone in the organization should be aware of the vendors in their ecosystem and should be clear on how to report any changes to Safety/PVQA to investigate the potential risk of those changes. Ensuring the continued safety profile of drug products requires that everyone takes responsibility right across the product and supply life cycle to deliver sustained patient benefits.

Find the full guide, Vendor Selection & Management: Maintaining A Robust Safety Profile Through Tighter Supplier Controls, here.

About The Author:

Anna Lukyanova is COO of Arriello, a consultancy and solutions provider of risk management and compliance services to the pharmaceutical industry. She has extensive experience providing operational insight into the industry’s evolving technological, centralization, and outsourcing needs — including regulatory and pharmacovigilance requirements — from strategic planning to ground-level support. She can be reached by email at