Supplier quality management is complicated enough. Yet, too often, we shoot ourselves in the foot, making supplier qualification and oversight more complicated, more removed from business realities than necessary. This was the common theme amongst speakers and attendees at FDAnews' third annual Supplier Quality Management Congress.
I was fortunate enought to chair the three day event, from August 9th-11th, with speakers from FDA, pharma and device firms, and suppliers to the industry. To start the conference, my friend, Dan O'Leary, and I provided a half-day workshop on practical approaches to cost-effective supplier qualification and management. A standing-room only event, the workshop went extremely well and far too quickly, with a good mix of conversation, Q&A, and laughter. Below are two slides excerpted from our workshop:
We provided attendees with a set of implementation tools in PDF, Word and Excel format:
- Supplier quality ranking radar chart
- Overall process map for supplier qualification
- Sample SOP for supplier selection and qualification
- Audit checklist
- Base questionnaire for all suppliers
- A more comprehensive questionnaire for more critical suppliers
- Supplier re-evaluation form
Throughout the half-day pre-con workshop, we worked through various excercises and questions, and provided copies of multiple regulatory guidance documents as well as items used internally by FDA to train their inspectors. The workshop was very lean compliance-minded. We focused on how to actually implement compliant and effective vendor qualification and oversight to meet FDA, GHTF, and ICH harmonized requirements (with a little ISO thrown-in).
We also discussed differences and expectations - including cost ranges - for mock FDA audits versus more laser-focused, single process audits. While many of us are aware of mock FDA inspections, one tactic I'm increasingly advocating as a more cost-effective, more risk-based approach for supplier oversight is critical process audits. As I conceive of it, a critical process audit of a supplier is much like a mock FDA audit or third-party supplier qualification audit, but is ONLY focused on one or two critical processes at the supplier. Thus, it provides the same level of third-party, independent verification, but at lower cost because it only looks at supplier processes critical to your product or compliance status.
As an example, think of a supplier such as a contract sterilizer. Do you really need to know about their CAPA process and their training procedures? Maybe. But put this in the context of what you're using that supplier for - sterilization services - and the context of your business and available budget. Is it better to spend your budget on one big mock FDA audit of a single supplier, OR spend your money on multiple audits of the critical processes that you are using multiple suppliers for? In other words, should you spend $10K on a mock FDA audit of a contract sterilizer when, for that same $10K, you could hit five different suppliers by spending $2K to audit the contract sterilizer's sterilization processes, then another $2K on a different supplier's critical activity for you, then another $2K on a third supplier and their critical activity, and so on.
By relying on a judicious mix of remote qualification (e.g., a supplier qualification), contractual agreements and monitoring, and laser-focused audits of the critical processes actually directly relevant to your product, you minimize your risk, meet FDA, GHTF and ICH requirements, AND maximize your funds. It's a win for you, a win for your company (and your management team), a win for compliance, AND a win for the suppliers (because they don't need to devote multiple days to hosting your audit team).
The key is to select processes strictly on the basis of current and/or intended use of the supplier using a risk-analysis of their impact to your product (and your compliance).
Some of the other key learnings fro the conference included:
- FDA has really stepped up its border enforcement and product holds (and such holds can be based solely upon "appearance")
- When it comes to supplier agreements, FDA is increasingly examining the concept of "authority" - did the person approving and signing the quality agreement have the authority to commit the company and the capability to enact the terms of the agreement
- Counterfeiting of medical devices is growing (as anticipated in Get to Market Now!, pp. 106-108)
- Do not write into your SOPs that all suppliers will have a quality agreement as some suppliers will simply refuse (even if you are the 800-pound gorilla in the relationship) and you will then be in non-compliance with your own SOPs
- Courts are increasingly looking at the preamble of the regulations as a means test to determine the intent behind the written regulations
- FDA is growing increasingly frustrated with companies who hire consultants whose only qualification is that they are "ex-FDA" or "former FDA" (as one FDA safety officer noted, "Just because someone worked for FDA does not mean they are experts or that they understand current rules and expectations - how many of your former employees would you suggest someone pay as an 'expert' on your company?")
- When dealing with virtual suppliers, your internal supplier controls are paramount
- In any agreement with a supplier make sure you work with your legal department to define a "material breach" - is a material breach a deficiency in the supplier's quality system? Is it more than 3 days of a shipping delay? Is it a reject rate greater than 20%?
- For any supplier qualification process and supplier management process, plan ahead to determine what documented evidence you will want to retain to prove compliance AND limit your liability
- Make sure you understand the document retention requirements for both FDA and other associated regulations - firms need to have an FDA records retention policy, and ideally one that can also meet EU lifecycle document management expectations
Obviously, in three days' time, with a dozen different expert speakers, there was far more information and insight into compliant supplier qualification than I can cover here. More analysis and recommendations will be in several of my regulatory intel newsletter issues later this year.
