Implementing a Risk-Based Supplier Management Program

July 10, 2018

According to recent FDA updates on the implementation of the Safety and Innovation Act (FDASIA), nearly 40 percent of finished drugs are being imported, and nearly 80 percent of active ingredients, excipients, and components used to manufacture drugs are sourced from international suppliers. To control the risks associated with increased globalization and supply chain security issues, FDASIA requires that US registered drug manufacturers include the name, address, and unique facility identifiers (UFIs) of associated excipient manufacturers as part of each drug listing. In addition, the Act clarifies that cGMP encompasses oversight and control over the manufacture of drugs to ensure quality, including managing the risk of and establishing the safety of ingredients, raw materials used in manufacturing, and finished drug products.

The reality of the risks associated with this globalization of the drug manufacturing supply chain - as well as the subsequent FDA enforcement of FDASIA - is now forcing manufacturers to build and manage robust and risk-based supplier management programs. But implementing and maintaining a successful supplier management program can be quite daunting, especially when a firm has limited knowledge of the areas that suppliers typically struggle with. So what steps should manufacturers take to detect and control supplier issues before commencing the manufacturing process?

  1. Supplier management starts with the development of User Requirements for materials and services to be outsourced. Specifications for materials need to be developed and approved as part of the User Requirements prior to making initial selections of potential suppliers. A risk assessment should be performed on all outsourced materials and services to determine the level of risk that failures could have on the quality, safety, and efficacy of the final drug or device product. The risk assessment should also evaluate the integrity of the supply chain (e.g., reliability of supply, availability of alternate suppliers, etc.). Suppliers of low-risk, non-critical materials would have less stringent supplier criteria and qualification processes than suppliers of high-risk, critical materials.
  2. After User Requirements for materials and services are developed, potential suppliers are identified and selected through careful risk-evaluation of business needs (e.g., supply shortages, business continuity, capacity, pricing, logistics, etc.), technical suitability of the supplier, and regulatory / quality compliance. Confirmation testing of materials and components is typically performed during the supplier selection process. The confirmation testing evaluates whether a) the sample meets the defined specifications and b) the certificate of analysis provided with the sample is confirmed through independent testing verification. The level of testing is typically dependent on the assessment of risk (e.g., possibly confirm identification testing only for low-risk materials, full CoA confirmation testing for high-risk materials).
  3. Once the “short-list” of suppliers is determined, a formal assessment of the supplier quality systems is performed to determine if there is sufficient evidence of control over the manufacture, testing, release, and distribution of the material. The compliance of the supplier with quality and regulatory requirements is confirmed through audits, material evaluation, and ongoing supplier qualification. On-site audits should always be performed for suppliers of higher-risk and critical materials / services. Satisfactory outcomes of quality assessments of high-risk, critical materials / services should be confirmed prior to use in the manufacturing process.
  4. Implement Quality Agreements with all selected suppliers. Expectations and definitions of responsibilities between the procuring organization and supplier, as well as quality-related activities and communication flow, are expected to be defined in written agreements. A Quality Agreement is based on the quality procedures in place at both the supplier and procuring organization, and it also creates mutual understanding of the quality & regulatory requirements relevant to the material / service supplied.
  5. Once the supplier has been identified and qualified, risk is managed through ongoing monitoring and trending of provided material and quality metrics (e.g., deviations, OOSs, CAPAs, complaints, etc.). Potential improvements are to be continuously identified and communicated. The performance of critical, high-risk material should be confirmed on a routine basis. This typically consists of a quality review and confirmation laboratory testing of the critical quality attributes. Results of the performance evaluation will determine the frequency and detail of future performance reviews and audits.

    It is critical that your quality unit continually evaluates the qualification status of suppliers to ensure their suitability and competence. In the event of adverse information, supplier disqualification may be necessary.

By implementing and managing a robust and risk-based supplier management program, your firm can be assured that your extension into the supply chain will detect and control any issues before they enter your manufacturing process.
