Supplier Quality Management: A Risk-Based Approach

Published on: 
BioPharm International, BioPharm International-01-01-2010, Volume 23, Issue 1

A systematic classification system makes supplier quality management feasible, even if you are dealing with hundreds of suppliers worldwide.

Melamine-tainted baby formula and pet food. Allergic reactions and deaths from contaminated heparin. Recent events have made supplier quality issues a top priority, for both the biopharmaceutical industry and its regulators in the US and Europe. Bottom line, what happens at any outsourced manufacturing operation can cause your company legal liability, damage your reputation, and subject you to the considerable expense of a recall. Yet outsourcing some or all of the manufacturing process has become an inevitable part of doing business for the vast majority of biopharmaceutical companies.

Bob Rhoades

Managing supplier quality is always a challenge. When you're dealing with possibly hundreds of suppliers around the globe who are engaged in a broad array of complex manufacturing processes, the challenge often appears to be insurmountable.

Rather than apply a single quality management approach to all suppliers—an approach that frequently is unworkable and invariably is inefficient—we recommend that companies develop a robust, risk-based approach that addresses each supplier situation individually, but always within the context of a carefully thought-out overall quality management system.

Risk-based quality management is one of those brilliantly simple concepts that makes all the sense in the world when you see it spelled out: When you focus on the risks with the potential to cause the greatest damage, you will almost certainly reap the greatest rewards from mitigating those risks. Or, to put it another way, you want to expend the greatest efforts in areas where you'll get the greatest "bang for the buck."

Yet, unfortunately, implementing a risk-based supplier quality management system isn't simple. Over and over, we have encountered companies whose best efforts were frustrated by failure to master one or more of a very short list of critical steps to success. If you get these five building blocks right, however, you will be well on the way to implementing a risk-based supplier quality management system that will not only prevent errors before they can develop into major problems, but also will improve the productivity and efficiency of your whole manufacturing process.

1. Classify Every Supplier by Risk Level—and Deal With Them Accordingly

Classifying suppliers by risk is the heart and soul of every risk-based quality management program. The risk level refers not to the probability of some particular event occurring, or even to the effectiveness of the supplier's internal quality system. Rather, labelling suppliers as "highest risk" means simply that what they provide is "most critical to your product," even if that particular supplier is completely reliable.

Components that present a lower risk to product safety or performance but are essential to the manufacturing process also may be considered critical and may need special measures to ensure an uninterrupted supply. Criticality should also be considered in terms of process complexity or the inability to obtain the product from a different supplier.

We generally recommend that our clients establish four risk-based categories of suppliers:

  • Tier 1: The highest risk suppliers, that have a critical impact on the quality or availability of your product. You can't get along without them.

  • Tier 2: Significant-risk suppliers that have a direct impact on your product, but for which alternatives are available.

  • Tier 3: Moderate risk suppliers that have an indirect impact on the product.

  • Tier 4: Low risk suppliers, that have no product impact.

It makes sense, both financially and in terms of quality management, to expend the greatest effort on the most critical suppliers. The quality assessment and control measures used, and the duration or interval between assessments, are adjusted based on the degree of risk exposure to each individual supplier. The higher the importance of the supplied product to the quality of the finished product, the more vigilant you must be in establishing adequate controls over the supplier. It all comes back to getting the most bang for your buck. Without a coherent system in place, you can drive yourself crazy trying to determine how much control to exert and how to apply it.

2. Look Before You Leap into a New Supplier Relationship

Optimism is a hallmark of all new relationships, both personal and professional. Unfortunately, the good feelings that surround a new relationship are no substitute for due diligence in checking out potential new suppliers—especially sole source suppliers, where one unexpected problem could leave you with no acceptable options—and then laying out expectations, and checking quality.

Find an objective observer. Because you are primarily interested in starting a successful relationship, it's hard for you to be entirely objective. That's why you need an objective observer, such as a third party consultant, who understands regulatory and quality requirements as well as your needs, and who can be totally forthright in evaluating your potential supplier's facilities, processes, and quality systems.

Lay out your expectations up front. This is no place for generalizations or boilerplate lists; be painstakingly specific. Because every product is different, your supplier has to understand exactly what criteria you require to ensure the quality and specifications of that particular supplied product.

Change control notification procedures are a common area of misunderstanding; a change the supplier considers inconsequential may make all the difference in the world to your product. So you need to specify that all changes must be communicated to you, and when and how they must be communicated.

Finally, you need to understand that supplier quality management extends beyond the end of the production line, and includes criteria for such things as delivery reliability, responsiveness, and the security of the supply chain.

In fact, the FDA recently launched a pilot supply-chain security program to determine the practicality of improving the safety of drugs and active ingredients produced outside the US. Participation is voluntary, but it will probably streamline customs formalities. In any case, maintaining control of your products at every step from raw material to pharmacists' shelves should be a standard part of every risk-based quality management program.

Your supplier also needs to understand your requirements for monitoring quality. If you want the supplier to submit to quality audits, provide certificates of analysis or conformance, or provide independent laboratory analysis, you must make all that clear up front.

All of this should be formalized in a risk-based quality agreement. (See item 3 below.)

Check quality early. It's always better to catch and fix issues early on, before they develop into full-blown problems (or, as in recent events, full-blown disasters).

But sometimes you have to rely on a supplier whose quality systems do not entirely measure up to your expectations. In those cases, you'll need to compensate for any supplier shortcomings through a robust receiving inspection program. You may even want to have your own representative in the plant to ensure that quality specifications are met before product is shipped. Again, finding a problem earlier is always better.

3. Apply Risk-Based Thinking to Your Quality Agreements

We have said that you need to make your expectations clear to the supplier. The regulators say the same thing: The International Conference on Harmonization (ICH) Q10 guideline on pharmaceutical quality systems discusses the manufacturer's responsibility to assess the suitability and competence of a supplier and to define in writing the quality-related responsibilities of both the manufacturer and the supplier.

A quality agreement is a formal document that does exactly that: it defines who has responsibility for the execution of every aspect of the quality system. The level of risk exposure should define the nature of the quality agreement.

Quality agreements can range from simple purchase orders to elaborate contracts, and there is no easy rule of thumb for how much detail is enough. In general, however, we have found that clients err on the side of insufficient detail; it's surprisingly easy to think that a boilerplate purchase order covers more than it really does. It's a good idea, for example, to specify:

  • when and how audits should be conducted

  • when and how you should be notified of changes

  • when and how you should be notified of out-of-specification test results, manufacturing deviations, and nonconforming materials

  • which party will conduct finished product testing

  • how reporting and investigating product complaints will be handled

  • which FDA quality systems and ISO requirements the supplier must meet.

By and large, if it's worth thinking about, it's worth including.

Remember that "agreement" means the supplier has to agree to it. Sure, you're trying to protect yourself. But you're also trying to optimize supplier performance, which is clearly in the supplier's best interest. So whenever you can, work with the supplier to map out manufacturing and quality system areas of responsibility. Be clear about hand-off points and high-risk areas. Specify the controls necessary to mitigate the risk in these areas, and always match the extent of the controls to the level of risk. It's also important to remember that these agreements are formal, legal documents, so it's critical to have your legal department tuned in to the development and execution of the agreements.

4. Have On-Site Quality Audits Performed by an Objective Auditor

On-site audits are the most reliable source of information about a supplier's operations. For an on-site audit program to function properly, the audits must be thoroughly objective and conducted by a qualified auditor. That means an auditor from your compliance function, or a third-party auditor, is usually preferable to an in-house team member, such as the supplier quality engineer who works with (and tends to identify with) the specific supplier.

Audits must be performed regularly to ensure quality. The logistics and costs of site audits have increased significantly with the rise in outsourcing to foreign countries, especially for Western companies with suppliers in Asia. All too often, audits are postponed or limited to being carried out "for cause," or follow-up audits are not performed simply because it's such a nuisance to get them done. Unfortunately, saving money by skipping audits is never a good trade-off.

Instead, you can minimize costs by bundling audits of suppliers in the same geographic region. It's simply a matter of planning ahead, so your auditors can schedule multiple visits on a single trip.

Use a risk-based model for planning your audit program. Not every supplier requires on-site audits; for less critical ones, third party laboratory testing, certificates of analysis, and supplier surveys may be acceptable substitutes for some on-site audits.

5. Include Suppliers in Your CAPA System

Supplier defects become your responsibility by default, so you have to initiate corrective actions associated with supplier operations just as diligently as you would with in-house products.

That means supplier quality problems should be input into your corrective and preventive action (CAPA)/deviation system and followed up with whatever corrective action is needed to prevent recurrence of the problem.


Regulators require you to manage supplier quality as if it were your own. In reality, supplier quality management is far more complex than internal quality management, because of factors of both distance and incomplete control.

A systematic risk-based approach to supplier quality management, as outlined above, can make the process manageable even if you are dealing with hundreds of suppliers worldwide. In fact, we believe it is the only feasible approach. When you treat every supplier as a top priority, you have no way to systematically gauge how much attention (and investment) each one realistically deserves.

Establishing a risk-based system is well worth the effort. In addition to ensuring compliance and avoiding recalls, regulatory and quality problems and liability, a well-managed supplier quality management system enables you to establish sustainable processes that improve operational efficiency and make your product more competitive in the global marketplace.

The bottom line is that it's too important to risk not doing.

Bob Rhoades is the senior director of quality systems in the regulatory and quality practice at Quintiles, Durham, NC, 678.896.8026,