Supplier Management Key elements & Guidance

A Supplier Management Program should have below elements :

  • Definition of the product’s quality requirements
  • Evaluation of alternative suppliers
  • Selection of the most appropriate suppliers
  • Conduct joint quality planning
  • Co-operation during relationship period
  • Validation of conformance to requirements
  • Certification of qualified suppliers
  • Conduct quality improvement plans
  • Creation and use of supplier rating

Guidance for Supplier Management :

The International Standards Organization (ISO) recently revised their requirements in the ISO 9001, ISO 13485 Standards.

  • The latest revision to ISO 9001:2015 now requires an organization to not only record the criteria, but to also record the result of these activities, including performance monitoring. 
  • The focus on risk is a major feature of the latest version of the ISO 9001 Standard.

Clause 8.4 details the responsibility to control externally provided processes, products and services.

    • Sub-clause 8.4.1 scopes the extent of responsibility and, unlike the previous version of the standard, it is explicit about all the circumstances required to ensure that external suppliers conform to established requirements and specifications.
      • 8.4.1  Determine and apply criteria: Evaluation, Selection, Monitoring, Re-Evaluation
    • 8.4.2  Type and extent of Control :
      • Clarifies controls to ensure no adverse impact to your products and services
        • Controlled by Quality Management System (QMS)
        • Controls for external provider and the output
        • Consider regulatory compliance and external provider controls effectiveness
      • Verification activities
Supplier Management Regulatory Guidance ISO 8.4.1 and 8.4.2
– Externally provided processes must fall under the control of your Quality Management System
You are obligated to determine and apply controls for the provider and their product or service
– Must consider if the supplier has sufficient internal controls and if their products or service will impact your ability to meet regulatory demands
– Lastly the sub-clause insists that you have verification processes in      place to ensure the external provider will consistently meet your requirement
    • 8.4.3  Information for External Providers
      • Adequacy requirements prior to communication
      • Processes, products or service requirements
      • Approval of products / services, methods / processes / equipment, release
      • Competence
      • Interaction
      • Control and monitoring of performance
      • Verification or validation at external provider’s premises
Supplier Management Regulatory Guidance ISO 8.4.3
– Sub-clause 8.4.3 is explicit about the scope of the information you share with your suppliers
– You are obligated to define the requirements of the process, product or service you are buying.
– This also applies to:
– The required competency of the supplier’s staff
– An explanation of the verification and validation processes that you have employed to check that provision meets the requirement.

– ISO 13485:2016 have extensive updates, all aimed at reducing risk: supplier, product, and patient.
– ISO 13485 has been expanded to specify requirements for supplier approval, monitoring and reevaluation of suppliers, and supplier records.

Additional Purchasing Changes in ISO 13485:2016
– Purchasing information has been reworded and clarified to ensure that purchasing requirements are being met, including specifications, product acceptance, supplier personnel qualifications, and quality system requirements.
– Similar to the FDA Quality System Regulation (QSR), a written agreement must be established stating that changes in the purchased product must be communicated prior to the implementation of any changes.
– Communication with your suppliers is key. Your suppliers need to know that changes they make impact the products you make. Written agreements aid in that understanding between your organizations.
– ISO has strengthened the wording associated with verification of purchased products to ensure that it is appropriate based on the supplier evaluation and proportionate to the risks associated with the purchased part.
Supplier Management Regulatory Guidance: ICH 7, 9, 10
ICH Q7A:  Materials Management
– Manufacturers of intermediates and / or API should have a system for evaluating the suppliers of critical material
– Materials should be purchased against an agreed specifications, from a supplier, approved by the quality unit
– If the supplier of a critical material is not the manufacturer of that material, the name and address of that manufacturer of that material should be known by the intermediate and / or API manufacturer
– Changing the source of supply of critical raw materials should be treated according to Section 13. Change Control
ICH Q10:  Pharmaceutical Quality System
The pharma company is ultimately responsible to ensure processes are in place to assure the control of outsourced activities and quality of purchased materials

The process should incorporate quality risk management and include:
– Assessing prior to outsourcing operations or selecting material suppliers, the suitability and competence of the other party to carry out the activity or provide the material using a defined supply chain (audits, material evaluations, qualification)
– Defined responsibilities and communication process for quality-related activities. This should be included in a written agreement between the contract giver and the contract acceptor
– A system for monitoring and review of supplier performance or the quality of the material from the provider.
– A system to identify and implement any needed improvements
– Monitoring incoming ingredients and materials to ensure they are from approved sources using the agreed supply chain
Supplier Management Regulatory Guidance:  FDA
Purchasing Controls (Section 820.50):
Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants.
Each manufacturer shall:
– Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
– Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
– Establish and maintain records of acceptable suppliers, contractors, and consultants.
21.CFR.820.40:
Purchasing data.:
– Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services.
– Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device.
21.CFR.211.22:
No specific mention of audits or Quality Agreements, has general requirements for Supplier Quality
Responsibilities of quality control unit.
(a) The quality control unit shall be responsible for approving or rejecting drug products manufactured, processed, packed or held under contract by another company.
(d) the responsibilities and procedures must be in writing.
Supplier Management Regulatory Guidance:  EU
GMP EudraLex Vol 4 Chapter 5 Production (supply chain):
– If manufacturer obtain API’s from outside the EU, can only source from a country with Equivalent Regulatory Control to the EU
– EU Commission will publish list of countries with Equivalent Regulatory Control : Switzerland & USA
– EU Commission will regularly verify a country’s compliance, first verification 3 years after listing