Managing Outsourcing Operations Reduces Risk

For Medical Devices


Recent problems associated with melamine in pet food, infant formula and milk products, ethylene glycol in toothpaste, salmonella in green peppers, and oversulfated chondroitin sulfate that mimics sodium heparin have prompted widespread news reports, which we have all seen, heard or read about, that affect many of the products we have grown to trust. In the case of the sodium heparin situation which resulted in hundreds of injuries and greater than eighty deaths, FDA shared the blame by failing to inspect the correct raw material manufacturing site in China. That situation resulted in a worldwide Class I recall of all products by the largest provider of sodium heparin in the United States. At least two congressional oversight hearings have subsequently been held chastising FDA for its snafus and the firm for lack of appropriate oversight, and there are rumors of a future hearing to revisit the number of injuries and deaths associated with this problem.

The sodium heparin situation resulted in hundreds of injuries and more than 80 deaths.

Supplier quality issues from off-shore vendors recently prompted Congress to propose legislation in both Houses granting FDA increased authority and presence in foreign countries and to provide sorely needed and long overdue resources to increase the number of overseas inspections performed each year. FDA just opened offices in three cities in China, with future offices anticipated in India, Latin America and South America.

As FDA-regulated industries increase their dependence on outsourcing for raw materials, components, sub-assemblies, APIs, sterilization, packaging, design services, consulting and even finished products, the importance of an effective, efficient, risk-based supplier audit program is critical to the success of your operation while reducing your potential liability and ensuring product quality. Supplier control audit programs should apply to all contactors, sub-contractors, third-party manufacturers, consultants, service providers and even "sister" facilities within your own firm that are not operating under the same global quality system that are supplying your site with components, ingredients, etc.

A firm's decision to outsource may be based on a variety of reasons. Perhaps their need is not a core competency, or their in-house capability or capacity can't meet demand, or the costs associated with in-house manufacture and the volume of product required - both in terms of quantities too large to manufacture themselves, or too small so that it is not worth the in-house investment. Manufacturers need to determine if outside technology and expertise is available and whether they wish to work with local firms or those in off-shore, low cost countries. Virtual companies are totally dependent on outsourcing for all their needs - in some cases from initial design to finished product.

FDA has expressed their increasing concerns about industry's oversight over outsourcing activities, and the possible relationship between vendor problems and the increasing number of product recalls. 21CFR 820.50 purchasing controls outline the quality system requirements for medical device manufacturers to follow, while ICH Q10 provides the requirements for pharmaceutical manufacturers. In FY 2007, forty percent of warning letters for medical device quality system deficiencies had at least one citation for non-conformance to the purchasing control requirements. Outsourcing concerns are shared throughout the international community which prompted development of the ICH Q10 document as well as one being finalized by GHTF.

A risk-based approach to outsourcing operations should be developed and implemented through SOPs at your firm to assure quality products and services are being provided. Your firm's outsourcing control program should encompass the following six critical elements, each of which will be addressed individually:

  1. Initial supplier selection is important to identify the expertise that is needed, and determine if your supplier is familiar with FDA and quality system requirements. It is important that you establish your expectations about quality and the supplier's ability to meet your established specifications, and to meet your capacity and timeliness needs. A supplier's ability to handle large quantities as well as their willingness to deliver smaller quantities can also be essential for best results. Shy away from those sources unwilling to conform to your expectations, or are unwilling to submit to quality audits, laboratory testing, or provide certificates of analysis. You should work as a team with your suppliers so they understand your products and needs, and understand the impact they may have on your finished product.
  2. Contractual agreements are considered by some to be the most critical element of a successful outsourcing program. The contract should clearly establish and articulate your requirements and expectations, and should focus on quality---not simply be a financial contract. It should establish specifications and requirements that the vendor is to follow, and should require supplier audits - whether they are on-site, self-survey where appropriate, or a hybrid of both. The contract should provide for certificates of analysis, and where necessary, laboratory analysis. It should establish scope, extent of responsibility, and liability in the case that a problem arises and is found to be caused by or contributed to by the vendor. Most importantly the contract must clearly articulate change control procedures to assure the supplier provides prompt notification of all changes or problems that may have an impact on your product. At times, vendors are required to make what they consider minor adjustments that may unknowingly have a profound impact on your finished product.
  3. Risk management stratification determines the extent of oversight required for any particular vendor. The amount of oversight required will be based on your assessment of the critical nature of the component(s), ingredient(s) or services they are providing. Perhaps the firm is a sole-supplier or they manufacture a finished product under your firm's name, both of which may have a significant impact on your ability to successfully conduct business. The risk associated with products and services provided will determine the extent of on-site audits, self-certifications, certificates of analysis and/or a hybrid of all three.
  4. A sound, risk-based audit program is the key to managing an outsourcing program that provides manufacturers with current information about their suppliers and the quality of products and services they are providing. On-site audits, either performed by qualified in-house auditors or by third party providers, provide the most reliable source of information and are especially important for suppliers of critical material and finished product. Your contractual agreement should allow for "for cause" audits when a problem arises, as well as the option of providing a "person-in-plant" for some critical operations requiring direct oversight or the monitoring of problem suppliers. From time to time, audit issues have arisen regarding the lack of protection of proprietary/trade secrets by the supplier. In those situations, use of third-party auditors may meet with less resistance in that they have less to gain financially from viewing these confidential processes. Alternatives to on-site audits may include third-party testing, certificates of analysis, recommendations from other manufacturers or obtaining any FDA or ISO inspectional or audit information. Supplier audits are not available to FDA for review, but evidence they are being conducted may be requested.
  5. Maintaining current supplier data should be maintained in "Acceptable Supplier/ Vendor Lists" (ASLs or AVLs) that provide up-to-date information about vendors being used and their quality history. The data should include the products and services they provide, their current acceptance status (approved or on probation), the most recent audit findings, their acceptance/rejection rate, when their product was last received, etc. In a multi-site corporation, it is critical these lists be shared among sites if they are not being centrally maintained so as to preclude using an unacceptable vendor. Those disqualified should not be maintained on current ASLs or AVLs or run the risk of accidentally using them. The ASL/AVL should include past and current audit information, and timing of next audit/survey.

  6. Corrective action planning is essential in anticipation of a problem that may arise and timely corrective action is required of all parties. One must evaluate the problem at hand, initiate a corrective action plan, follow corporate SOPs to address and correct the problem, work collaboratively with the vendor if they are involved by providing timely feedback about reported problems they need to address, and determine if any "ship holds" may be needed to minimize additional risk. If a CAPA is needed to determine the root cause and prevent recurrence, determine if it is a vendor problem, a manufacturer problem or possibly a "multiple" vendor problem - where one vendor's product interferes or interacts with another vendor's product. Always act appropriately in the interest of public health.

I think you will agree that it is only common sense that firms who depend on outsourcing operations should have an effective, efficient risk-based audit program in place to assure incoming product quality and to reduce potential risk. As we all know problem products can be costly and can result in increased liability. Corporate reputations may be tarnished by corrective actions, product recalls, FDA enforcement actions, and may be difficult to re-establish in today's competitive market. Be sure your risk-based supplier audit program is adequate and rigorous enough to assure the quality of your products while reducing your liability and risk.

The American public both expects and deserves it.

Steven Niedelman recently retired as the former Deputy Associate Commissioner for Regulatory Operations and COO of the Office of Regulatory Affairs at FDA. He has served as the Director of the Office of Enforcement and has held several management positions in the Office of Compliance at CDRH. He has extensive speaking experience on all FDA matters, and recently co-authored an article on Supplier Quality in FDLI's May/June 2008 Update magazine. He may be reached at, or by phone at 301-972-0688/301-655-0450.

Video:  Saving Time with MasterControl

Video Case Study:  Medical Device: BioMimetic Therapeutics

FDA LinkPharmaceutical cGMPs for the 21st Century: A Risk-Based Approach

Additional ArticleTrageting key threats and changing expectations to deliver greater value$file/state_internal_audit_profession_study_08.pdf

Learn More about Managing Outsourcing Operations and Reducing Risk