Outsourcing of pharmaceutical manufacturing to contract manufacturing organizations (CMOs) has grown as companies seek to deliver medicines to patients at an increased pace.

Emma Ramnarine, Executive Director and Global Head of External Development Collaborations at Genentech/Roche, spoke at the 2021 PDA/FDA Joint Regulatory Conference about how approaching these partnerships with a quality risk management (QRM) mindset is crucial for ensuring CMOs produce quality product, particularly when it comes to deviation investigations.

She described a QRM mindset as one that draws from ICH Q10: Pharmaceutical Quality System, which identifies risk management and knowledge management as enablers (knowledge management refers to expertise gained during the product lifecycle). By following this mindset, a company can ensure the repeated manufacturing of quality products.

With manufacturing becoming increasingly global, necessitating the involvement of external partners such as CMOs and suppliers, it becomes more challenging to ensure quality in manufacturing.

“It is important to acknowledge that our manufacturing network and supply chains have become tremendously globalized,” she said. “What this might mean is that the weakest node in this hyperconnected network can really end up causing a massive collapse in quality and supply to patients, if risks are not managed adequately. Therefore, risk management across every single point in this connected network becomes nonnegotiable.”

Discuss QRM With Potential CMOs Early On

Ramnarine explained that with any CMO or supplier relationship, the relationship should begin with risk in mind, addressed in the contract and quality agreement. From a quality standpoint, the contract and quality agreement should identify responsibility for operational management and decision-making when it comes to the product, quality system, and outcomes from audits and inspections.

Both parties need to name and classify risks. Types of risks include strategic risks (governing, planning, stakeholder relations, etc.), operational risks (supply chain, contractual, business continuity, etc.), enabler risks (people, cybersecurity, technology, etc.), and quality and regulatory risks.

Therefore, risk management across every single point in this connected network becomes nonnegotiable

“You can choose to classify these risks differently. What is important here is that one should calibrate on the respective risk appetite between both the customer and the supplier,” she said. “It is important to look at these relationship risks right before you are even making the decision whether or not to go into a particular relationship.”

By initiating these conversations prior to cementing the relationship, one can gain an understanding of how a potential CMO manages risk within their quality system, and decide whether or not to pursue a partnership with that entity.

Once a relationship has been established, risks have to be managed at the project level. This requires addressing the following:

How will the identified risks be managed at the product level?
Where will these risks be documented?
Will these risks be built into the contract?
Are they referenced in the quality agreement?
Will they be built into the CMO’s procedures?
Who will be responsible for managing the risks?
What will be the procedures for communications associated with these risks?

“The important point is to make sure that this is not a one-time activity and is not event-driven, but is something that is being done constantly,” Ramnarine said.

Another critical part of the QRM mindset involves characterizing risk levels.

“If you are calling a particular risk high, is it also high for the supplier? What is considered an unacceptable risk for you? Is it also unacceptable for the supplier? If there is a difference, then that needs to be worked through during the contractual or quality agreement setup,” she explained.

“Similarly, what are the communication and notification requirements? Do you need to be informed of only the high risks, or do you also want to be informed about the moderate risks? And if you do want to be notified, how quickly? What are the parameters around being notified? Within one business day? Within a business week? All of that needs to be fleshed out.”

Managing Quality Across More than One QMS

It is important to keep in mind that a company may not be the only client of a CMO. The CMO likely has their own quality management system (QMS) used across multiple clients.

When it comes to managing quality risks across more than one QMS, there are three main areas of focus:

Supplier qualification and audits (Does the CMO need an onsite audit or is a questionnaire sufficient?)
The quality agreement
Quality oversight (How this should look at the project and operational level)

This is where the QRM mindset truly comes into play.

Ramnarine described how the ICH Q10 model allows for both reactive and proactive risk management; quality systems should include both elements. “The reactive and proactive systems within the overall quality system should really help drive toward prevention of risks,” she said.

Using QRM for Investigations at CMOs

To show how the QRM mindset works when partnering with CMOs, she used the example of a nonconformance during manufacturing. In this theoretical instance, an investigation identifies the root cause as something that occurred during primary packaging.

“This is an opportunity to calibrate on whether a risk assessment was done, whether the hazard was identified, whether the risk was underestimated, or if it was estimated correctly and CAPAs put in place,” she said. “In terms of the QRM and investigation activities, this is where our earlier discussions around setting up the right terms and agreements and the quality agreement become really important.”

An investigation would then be performed and the CMO would inform the customer based on the notification requirements agreed upon during the initial stages of the partnership.

It is important to keep in mind that a company may not be the only client of a CMO

“For example, critical and major deviations need to be informed within one business day. It is also important that the classification system for the deviations has been calibrated between the two parties. You do not want to be in a situation where a supplier classifies a change or a deviation as a minor, but the marketing authorization holder would classify it as a major. These are important to hash out early on.”

If the risk occurred at the CMO, that organization should drive the risk assessment and include input from the customer regarding the potential impact to product quality. The company partnering with the CMO is responsible for product quality regardless of whether it is manufactured internally or by a CMO.

Ultimately, a CMO partnership driven by a QRM mindset can help ensure production of high-quality products.

“This is important, not for just one supplier, but at all nodes because all of those nodes matter for delivering to the patient. The level of risk management would, of course, depend on the criticality of their supplier, and also, on their capability and maturity. But regardless of the contractual relationship, risk management and continual improvement have to be a part of that relationship mindset,” Ramnarine concluded.