2. Look Before You Leap into a New Supplier Relationship

Optimism is a hallmark of all new relationships, both personal and professional. Unfortunately, the good feelings that surround a new relationship are no substitute for due diligence in checking out potential new suppliers—especially sole source suppliers, where one unexpected problem could leave you with no acceptable options—and then laying out expectations, and checking quality.

Find an objective observer. Because you are primarily interested in starting a successful relationship, it's hard for you to be entirely objective. That's why you need an objective observer, such as a third party consultant, who understands regulatory and quality requirements as well as your needs, and who can be totally forthright in evaluating your potential supplier's facilities, processes, and quality systems.

Change control notification procedures are a common area of misunderstanding; a change the supplier considers inconsequential may make all the difference in the world to your product. So you need to specify that all changes must be communicated to you, and when and how they must be communicated.

Finally, you need to understand that supplier quality management extends beyond the end of the production line, and includes criteria for such things as delivery reliability, responsiveness, and the security of the supply chain.

In fact, the FDA recently launched a pilot supply-chain security program to determine the practicality of improving the safety of drugs and active ingredients produced outside the US. Participation is voluntary, but it will probably streamline customs formalities. In any case, maintaining control of your products at every step from raw material to pharmacists' shelves should be a standard part of every risk-based quality management program.

Your supplier also needs to understand your requirements for monitoring quality. If you want the supplier to submit to quality audits, provide certificates of analysis or conformance, or provide independent laboratory analysis, you must make all that clear up front.

All of this should be formalized in a risk-based quality agreement. (See item 3 below.)

Check quality early. It's always better to catch and fix issues early on, before they develop into full-blown problems (or, as in recent events, full-blown disasters).

But sometimes you have to rely on a supplier whose quality systems do not entirely measure up to your expectations. In those cases, you'll need to compensate for any supplier shortcomings through a robust receiving inspection program. You may even want to have your own representative in the plant to ensure that quality specifications are met before product is shipped. Again, finding a problem earlier is always better.

3. Apply Risk-Based Thinking to Your Quality Agreements

We have said that you need to make your expectations clear to the supplier. The regulators say the same thing: The International Conference on Harmonization (ICH) Q10 guideline on pharmaceutical quality systems discusses the manufacturer's responsibility to assess the suitability and competence of a supplier and to define in writing the quality-related responsibilities of both the manufacturer and the supplier.

A quality agreement is a formal document that does exactly that: it defines who has responsibility for the execution of every aspect of the quality system. The level of risk exposure should define the nature of the quality agreement.

Quality agreements can range from simple purchase orders to elaborate contracts, and there is no easy rule of thumb for how much detail is enough. In general, however, we have found that clients err on the side of insufficient detail; it's surprisingly easy to think that a boilerplate purchase order covers more than it really does. It's a good idea, for example, to specify:

• when and how audits should be conducted
• when and how you should be notified of changes
• when and how you should be notified of out-of-specification test results, manufacturing deviations, and nonconforming materials
• which party will conduct finished product testing
• how reporting and investigating product complaints will be handled
• which FDA quality systems and ISO requirements the supplier must meet.

By and large, if it's worth thinking about, it's worth including.

Remember that "agreement" means the supplier has to agree to it. Sure, you're trying to protect yourself. But you're also trying to optimize supplier performance, which is clearly in the supplier's best interest. So whenever you can, work with the supplier to map out manufacturing and quality system areas of responsibility. Be clear about hand-off points and high-risk areas. Specify the controls necessary to mitigate the risk in these areas, and always match the extent of the controls to the level of risk. It's also important to remember that these agreements are formal, legal documents, so it's critical to have your legal department tuned in to the development and execution of the agreements.