The Hot Potato of Responsibility - How to Manage Outsourcing and Not Get Burned

GxP Lifeline Feature Article


Everything can be outsourced - except responsibility. That's a rule the U.S. FDA lives by, and one you should embed in your policies, SOPs, and corporate culture.

Last year, the deaths associated with contaminated heparin - followed by the ensuing FDA investigations and embarrassing (and expensive) product recalls - underscored the importance of ensuring your suppliers comply with regulations and conform to your manufacturing specifications at all times.

It all begins with identifying the right partner. Considering the life-and-death risks inherent in drugs and devices, you absolutely must find someone who matches your organization's own goals and values.

FDA holds corporate management, not the quality assurance department, responsible when outsourcing decisions go bad. Whether you're outsourcing manufacturing, clinical trials, IT services, pharmaceutical ingredients, circuit boards, or anything else, the ultimate responsibility for your product is yours and yours alone. Management can't pass responsibility down the supply chain like a hot potato. But here are a few common-sense outsourcing guidelines to lessen the risk of a severe burn:

Select the Right Partner

It all begins with identifying the right partner. Think of your suppliers, vendors and contractors as partners in your product's success. Considering the life-and-death risks inherent in drugs and devices, you absolutely must find someone who matches your organization's own goals and values.

Start by letting prospective partners know what you expect of yourself. During the selection process, share more than just job specifications - share your company's codes of conduct, mission statements, quality policies, compliance SOPs, and CAPA plans. In return, ask potential partners to share their own ethical standards, mission statements, business goals, and quality programs. Evaluate--through first-hand observation, careful review of their FDA track record and other records associated with additional regulatoray bodies--whether or not they actually live up to their claims. Your reputation and profits are at stake, so don't merely rely on a third-party "snapshot audit" to select a supplier; dig deeper.

Focus on Mutually Understood Risks

Once you've selected your outsourcing partner, monitor its operations continuously, just as you would any critical process. All too often, when a company outsources a process or a product, it reduces its quality assurance staff, many times assuming that the contractor will now handle associated responsibilities. But in reality, the more you outsource, the more you need a vigorous and vigilant quality assurance department. Monitoring an outsourced operation, especially something as major as contract manufacturing, is more difficult and time-consuming than monitoring any internal operation.

Your monitoring should focus on defined processes and mutually understood risks. The FDA thinks of risk in the context of patients, products and processes--in that order. Those risks are indeed critical, but you also need to assess and manage broader business risks such as supplier costs, business continuity, data integrity, facility security, and compliance with non-FDA regulatory requirements, just to name a few.

Furthermore, understand that risks change over time. Plan to constantly review and reassess them. After a few years, processes rarely exhibit the same risks; the initial ones hopefully have been mitigated, and new ones likely have emerged. The FDA is constantly going to look at risk and how you control it, especially when it involves your outsourcing partners.

Set Expectations for Problem Solving

Regardless of how well your outsourcing partner performs, chances are you'll still encounter some out-of-specification results, recalls or complaints. For that reason, your outsourcing agreement should clearly define each party's roles and responsibilities for spotting and responding to problems. Such an understanding is especially crucial during the first year of operations or immediately following process changes. Those are the times when performance gaps are most likely to appear. The sidebar, Key SLA Provisions, outlines other important expectations your outsourcing agreements should cover.

Plan to manage non-conformances in a pre-defined, established way. Make sure you and your outsourcing partner understand your respective roles in the initial investigation and the importance of a timely response. Define who is responsible for determining root cause and CAPA follow-up. Be aware that failure to find the root cause and not documenting the closure of a CAPA event are two of the fastest ways to bring down the wrath of the FDA.

Each person involved in the outsourced operation should have the ability to input information to your CAPA system. Don't assume your partner knows or understands the system; train them on what constitutes a CAPA-worthy event. For a copy of the free CAPA Resource CD used by EduQuest in its CAPA training classes, contact

Don't Hide Behind Subsidiaries

Yes, a company can outsource to itself. A number of companies do - but they are mistaken if they think they've passed along the hot potato of responsibility. For example, when a company outsources equipment maintenance to another division it owns, FDA will consider it all one company for enforcement purposes. In the heparin case, a number of subsidiaries were involved in the product contamination and inadequate testing, but FDA still focused its enforcement powers on the number one company it directly regulated. The lesson is that outsourcing to yourself or buying through subsidiaries doesn't really shield you. The FDA can and will still make its case against the parent company, resulting in penalties and negative attention.

Be Proactive Now

Beyond basic compliance with quality standards, your outsourcing partners need to share your commitment to follow the regulations and understand FDA's expectations - not only what it mandates, but what it fundamentally expects. As a case in point, FDA places a high priority on documentation. The agency's unstated motto is, "If it isn't documented, it isn't done." So document everything associated with your outsourcing decisions, and have them easily accessible when the FDA inspector visits.

FDA has the authority to inspect most, if not all, of your outsourcing partners. Currently the agency simply lacks the resources to do it. But fueled by comments from Congress members and recently introduced legislation, FDA almost certainly will grow in the coming years. Expect accelerated rulemaking and expanded, higher-visibility enforcement actions. Your hot potato of responsibility is only going to get hotter. Use the time now, while the new Administration sorts out its priorities, to revisit your existing outsourcing agreements, upgrade your supplier monitoring capabilities, and engage new outsourcing partners wisely.

Key SLA Provisions

Typically, Service Level Agreements (SLAs) are negotiated as part of the initial outsourcing contract. Your SLAs should include sections on:
  • Definitions: Make all terms and concepts clear.
  • Scope of Work: Define standard vs. non-standard services.
  • Duration: Define service commencement and expiration/renewal dates.
  • Property: Identify where services are to be performed and access privileges.
  • Key contacts: Identify principals for both parties and their roles.
  • Infrastructure: Map key processes and define who's responsible for what.
  • Regulatory Requirements: Identify governing regulations - domestic and international.
  • Validation Requirements: Identify equipment and systems subject to validation.
  • Quality Processes: Document expectations for quality management systems.
  • Management Processes: Schedule service review meetings and audits where necessary.
  • Conditions and Limitations: Document service benchmarks, targets, and metrics.
  • Documentation:Set expectations for recordkeeping and access to those records.
  • Reporting Requirements: Specify content, format, and deadlines for reports.
  • Change Management: Document change control authority, policies, and procedures.
  • Support: Spell out support and service desk expectations.
  • Secrecy: Identify confidential processes, equipment, and records.
  • Security: Identify physical and electronic access controls and data security measures.
  • Business Continuity: Plan for routine disruptions as well as for disaster recovery.
  • Arbitration: Identify methods for dispute resolution.

Martin Browing is the founder and president of EduQuest, Inc., a global team of FDA compliance experts based near Washington, D.C. He spent 22 years with the FDA as a local, national and international expert investigator, then served as special assistant to the Associate Commissioner for Regulatory Affairs. He also was the vice chair of the agency's Electronic Records and Signatures Working Group, which drafted the 21 CFR Part 11 regulations. Martin served as the chair of the U.S. government's ISO 9000 committee; on the Global Harmonization Task Force, and on the committee that developed the Good Manufacturing Practice regulations for medical devices, otherwise known as the Quality System Regulation (QSR). He is the program chairman of EduQuest's popular "Effective and Compliant CAPA Systems" course, next scheduled March 26-27 in New Orleans, LA, and April 30-May 1 in Dublin, Ireland. The CAPA course, as well as other quality and risk management training, can be provided at your site. For details, call 301-874-6031, visit, or email

Learn More

FDA Link

"Guidance for Industry: Quality Systems Approach to Pharmaceutical CGMP Regulations"

Additional Article

Shanley, Agnes. "From the Editor: Curing Pharma's China Syndrome." Accessed 2-4-09