The increase in virtual or under-resourced biomedical companies has resulted in a dramatic shift in outsourcing components and supplies. Larger companies are also joining this outsourcing trend. Even more profound is the increasing reliance on single-sourced suppliers, particularly for critical components. While this can be an effective way to reduce the cost of goods and improve efficiencies, there are some significant risks associated with this practice. This article examines these risks and addresses strategies for avoiding or mitigating them.
The FDA makes yearly data available on importation of biomedical raw materials, devices, and components, as shown below (source: FDA.org). Focusing on medical devices alone, imports have increased fourfold in the eight years shown below. In fact, the FDA cites this rapid increase as a reason for replacing its current OASIS (Operational and Administrative System for Import Support) inspection program with PREDICT, which is being piloted on the West Coast in 2012. PREDICT (Predictive Risk-Based Evaluation for Dynamic Import Compliance Targeting) implements a risk-based rating system for each shipment, which scrutinizes safety, inspection history, import frequency, and complexity to determine disposition of that product. The rapid increase manifested below is also indicative of biomedical companies’ increased reliance on outsourcing as a whole. Technical transfer complexities, resource constraints, regulation issues, cost of goods (COGs) improvements, travel budgets, hiring difficulty, and mergers/acquisitions all play a role. The bottom line is that this trend will continue and accelerate.
In terms of impact to quality and supply chain, this places a burden on risk management, which needs careful consideration. As mentioned above, an even more profound trend is that of reliance on single sourcing for critical components. The same pressures for outsourcing as a whole are also at play regarding reducing redundancy in the supply chain. Ten years ago, the rule of thumb was to duplicate or have standby sources for all suppliers that had the potential to interrupt production (and sales) for extended periods. Now, this is a luxury only companies with the deepest pockets can sustain. Aside from the potential ethical issues of stock-out situations for a significant medical need product, this also raises questions about internal risk. It therefore becomes a mandatory exercise, from both a compliance and enterprise point of view, that a comprehensive risk management program be undertaken to better understand a single-sourced supply chain.
What is considered a critical or key supplier component? This can be addressed with a risk assessment approach. Below is a chart of sample components that have been plotted on a standard severity versus frequency/probability chart (source FDA.org).
On this chart, deference is always given to severity. Therefore any component that has a relatively high severity versus frequency/probability component (areas in red) is almost always considered a critical component. It is important to note that severity in the safety risk management realm refers to the risk associated with harm or hazard to the end user (or patient), not the risk to a company’s bottom line. That is referred to as enterprise risk management and is entirely a separate discussion. Why do critical components need to be singled out in the first place? Because those components are at the most significant risk under single sourcing. Lack of process controls, quality systems, traceability, etc. are all items that tend to be negatively impacted by outsourcing and become particularly leveraged for single-source suppliers. It is far easier to improve or stipulate a high degree of compliance when there is true competition (and the suppliers know that they will be competing for business).
The previous caution about single sourcing notwithstanding, the following best practices are a good starting point to ensure maximum compliance and reliability of the supplier.
A good quality management system (QMS) is the starting point of sound supplier management policy. It sets the tone and lays the foundation of expectations for the supplier. Where possible, the client's QMS should provide policies and procedures. At the very least, the client's QMS should be compatible and consistent with the QMS in place with the supplier. Even better is a signed quality or technical agreement that precisely describes the relationship and functional duties of each party’s QMS. At the minimum the supplier/client QMS should have the following functional elements: quality event management / CAPA (QEM); training management; document / change control; supplier management; audit management; and risk management.
A good supplier QMS should have provisions for the functions that will affect your critical component. It should start with an incoming raw materials audit program. It should have a section for dealing with warehousing operations, including lot traceability and disposition of approved goods. There should be provisions for in-process controls. A personnel training program should be in place. Equipment validation and calibration programs need to be addressed. Standard operating procedures need to be defined. Raw material and final product specifications need to be managed. An inspection/packaging/labeling program needs to be in place. Quality control (QC) testing procedures should be managed. And finally, a CAPA system should cover any issues that arise both during manufacturing and post-marketing surveillance.
Risk management is probably the single most important method to get an understanding of a client's exposure to supplier shortcomings. There are many risk assessment tools that can be used to better understand and prioritize risk, such as hazards evaluation, FMEA, and HACCP. It is important, however, to note that these tools themselves are limited to risk assessment, not risk management. Risk management is far more comprehensive and implies setting acceptability standards, estimation of risk evaluation, control, verification, monitoring, and reporting. Performing a failure mode and effects analysis (FMEA) at the supplier level will provide a good prioritization of component and subassembly risk, which can then be used as input into a more comprehensive risk management program. The outputs of that program will give clarity on frequency of audits, criticality of components, and impact of quality events generated at the supplier site, to name just a few.
Data analysis is another extremely useful tool for determining supplier performance. Tracking and trending of key parameters with tools such as run charts, Pareto plots, statistical process control (SPC/CPK) analysis, and scatter plots are vital to understanding whether a supplier is maintaining control over critical components.
Supplier base management (SBM) is the process of getting the most out of your supplier via effective assessments, integrated design/development, and clear communication through the supply channel. Effective assessment essentially means that the supplier has been properly vetted and qualified as a supplier within the client's QMS. This includes requests for proposals (RFPs), user requirement specifications (URS), vendor questionnaires, audits, and certifications. Integrated design means that design history files (DHFs) must include supplier inputs as well. Clear communication implies a change control system within the QMS that handles changes all the way down through the supplier.
Management of critical suppliers requires a multi-pronged approach. Quality management systems with risk management, data analysis, and supplier base management features help ensure high quality and smooth component flow for maintaining ongoing biomedical production operations.
It is,however, strongly suggested that a disaster recovery plan be put in place. This plan, which should be stress tested before actual occurrence, should include backup sites, inventory management, and communication plans with regulatory bodies.
Peter Knauer a partner consultant with MasterControl's Quality and Compliance Advisory Services. He has more than twenty years of international experience in the biomedical industry, primarily focusing on supply chain management, risk management, CAPA, audits and compliance issues related to biopharmaceutical and medical device chemistry, manufacturing and controls (CMC) operations. He was most recently head of CMC operations for British Technology Group in the United Kingdom, and he has held leadership positions for Protherics UK Limited and MacroMed. Peter started his career at Genentech, where he held numerous positions in engineering and manufacturing management. Peter is currently chairman of the board for Intermountain Biomedical Association (IBA) and a member of the Parenteral Drug Association (PDA). Peter holds a master's degree in biomechanical engineering from San Francisco State University and a bachelor's degree in materials science engineering from the University of Utah.