How Are Service Providers Qualified in a GDP Environment?

The qualification of service providers is a central element of Good Distribution Practice (GDP). Medicinal products must neither be adversely affected in their quality nor compromised in their safety throughout the supply chain. Companies outsourcing transportation, storage, temperature monitoring, IT services, or other GDP-relevant activities remain fully responsible from a regulatory perspective. The systematic qualification of service providers is therefore a mandatory component of an effective GDP Quality Management System (QMS).

Regulatory Framework

The primary legal basis for GDP within the European Union is the “Guidelines of 5 November 2013 on Good Distribution Practice of medicinal products for human use (2013/C 343/01)”. With regard to service provider qualification, the following chapters are particularly relevant:

• According to Chapter 1.3 (Management of outsourced activities) the following applies: "The quality system should extend to the control and review of any outsourced activities related to the procurement, holding, supply or export of medicinal products.[...]"  
• Chapter 1.4 (Management review and monitoring) states that "the management should have a formal process for reviewing the quality system on a periodic basis."
• According to Chapter 2.2 (vii), the Responsible Person is responsible for " approving any subcontracted activities which may impact on GDP."
• Chapter 9.2 (Transportation) points out the following: "Where transportation is performed by a third party, the contract in place should encompass the requirements of Chapter 7. Transportation providers should be made aware by the wholesale distributor of the relevant transport conditions applicable to the consignment. [...]"

Chapter 7 is particularly relevant in this context, as it deals in detail with outsourced activities and should therefore be quoted verbatim here:

• "7.1. Principle: Any activity covered by the GDP guide that is outsourced should be correctly defined, agreed and controlled in order to avoid misunderstandings which could affect the integrity of the product. There must be a written contract between the contract giver and the contract acceptor which clearly establishes the duties of each party."
• "7.2. Contract giver: The contract giver is responsible for the activities contracted out.
  The contract giver is responsible for assessing the competence of the contract acceptor to successfully carry out the work required and for ensuring by means of the contract and through audits that the principles and guidelines of GDP are followed. An audit of the contract acceptor should be performed before commencement of, and whenever there has been a change to, the outsourced activities. The frequency of audit should be defined based on risk depending on the nature of the outsourced activities. Audits should be permitted at any time.
  The contract giver should provide the contract acceptor with all the information necessary to carry out the contracted operations in accordance with the specific product requirements and any other relevant requirements."
• "7.3. Contract acceptor: The contract acceptor should have adequate premises and equipment, procedures, knowledge and experience, and competent personnel to carry out the work ordered by the contract giver.
  The contract acceptor should not pass to a third party any of the work entrusted to him under the contract without the contract giver’s prior evaluation and approval of the arrangements and an audit of the third party by the contract giver or the contract acceptor. Arrangements made between the contract acceptor and any third party should ensure that the wholesale distribution information is made available in the same way as between the original contract giver and contract acceptor.
  The contract acceptor should refrain from any activity which may adversely affect the quality of the product(s) handled for the contract giver.
  The contract acceptor must forward any information that can influence the quality of the product(s) to the contract giver in accordance with the requirement of the contract."

In the United States, there is no stand-alone GDP guideline equivalent to the EU GDP Guidelines. Requirements derive from:

• Drug Supply Chain Security Act (DSCSA)
• 21 CFR Part 205 (Wholesale Distribution)
• Quality Systems Approach Guidance (FDA)

The FDA expects:

• Qualification of distribution partners
• Assurance of supply chain integrity
• Risk-based oversight

Delegation Does Not Relieve Regulatory Responsibility

A core GDP principle is that activities may be outsourced, but regulatory responsibility may not.

This means:

• The contract giver must at all times be able to demonstrate GDP compliance of the service provider.
• Regulatory inspections routinely review service provider qualification.
• Deficiencies at the service provider may be attributed to the contract giver.

Practical Implementation

Qualification begins during the selection phase, prior to contract execution. Initial assessment typically includes review of:

• Corporate structure
• Certifications (e.g., GDP certificate where applicable)
• Inspection history
• Quality documentation
• Evidence of GDP compliance

Depending on the criticality of the activity, a formal risk assessment is conducted.

Risk Assessment Prior to Selection

EU GDP explicitly requires a risk-based approach. The depth and extent of qualification activities depend on the potential impact on product quality and patient safety.

Typical risk factors include:

• Impact on product quality
• Storage/transport temperature requirements (2–8 °C, 15–25 °C, -20 °C, -70 °C)
• Duration of storage or transport
• Subcontracting structure
• Deviation history

Supplier Selection and Pre-Qualification

Relevant evaluation criteria may include:

• Company profile and market position
• GDP certification (if available)
• Regulatory inspection outcomes
• References
• Quality Manual and SOP structure
• Temperature mapping studies
• Validation documentation
• Training system

Auditing

For medium or high-risk activities, an audit is generally indispensable. Audits may be on-site or, where justified, remote.

Typical audit scope:

• Quality Management System
• Organizational structure and responsibilities
• Training system
• Temperature monitoring and mapping
• Alarm management
• Deviation and CAPA system
• Change management
• Documentation practices
• Subcontractor control
• Business continuity arrangements

In transportation activities, validation reports and temperature data are of particular importance.

Audits conclude with a structured report classifying findings and defining CAPA timelines. Approval is granted only after satisfactory evaluation of corrective actions.

Quality Agreement

A written Quality Agreement is mandatory and must clearly define:

• Roles and responsibilities
• Temperature requirements
• Alarm and escalation procedures
• Reporting obligations
• Subcontractor provisions
• Documentation requirements
• Record retention periods
• Audit rights
• Business Continuity Plan (BCP)

Formal Approval

Following assessment, audit, and contractual finalization, formal approval must be granted by the Responsible Person (RP).
The service provider is entered into the approved supplier list.

No operational activity may commence without documented approval.

This decision must be justified, documented, and archived, as it is subject to regulatory inspection.

Ongoing Monitoring and Requalification

Qualification is not a one-time exercise. GDP requires continuous oversight.

Monitoring Elements

• KPI monitoring (e.g., temperature excursions, delivery performance)
• Trend analyses
• Deviation statistics
• Complaint evaluation
• Regulatory inspection outcomes
• Periodic questionnaires
• Certificate review

Re-audits are conducted at defined intervals based on risk classification.

Deviation Management

GDP-relevant deviations must be reported without delay. The contract giver evaluates potential impact on product quality and patient safety.

Root cause analysis and implementation of CAPA measures are mandatory. In severe cases, suspension or contract termination may be required.

An effective CAPA system is therefore a key assessment criterion during qualification.

Documentation Requirements

GDP requires full traceability and documentation of:

• Risk assessments
• Audit reports
• CAPA evidence
• Monitoring reports
• Contractual documentation

Role of the Responsible Person (RP)

In relation to service provider qualification, the Responsible Person is responsible for:

• Approval of service providers
• Risk evaluation
• Oversight of monitoring activities
• Decision-making in case of critical deviations
• Preparation for regulatory inspections

Training and Continuous Development

As regulatory requirements continue to evolve, regular training of responsible personnel is essential. Specialized GDP training courses are offered, among others, by the ECA Academy and Concept Heidelberg.