By Marcelo Trevino, Senior VP, Regulatory Affairs and Quality Systems, Applied Medical
Evaluating suppliers from a risk-management perspective is imperative for medical device companies.
In Part 1 of this series, we discussed developing a risk management strategy for supplier evaluation, along with a qualification plan to demonstrate compliance to auditors/regulators. In this article, I will share best practices for implementing a successful risk-based supplier management system, as well as explain the requirements that should be clearly defined in a supplier quality agreement.
Supplier Communication Is Paramount
Establishing good communication with your supplier is vital to a productive, risk-mitigating collaboration. Fostering that good relationship is easy in theory, but sometimes it's hard in practice, especially when you're dealing with a large supplier.
For example, if the supplier views you as a small customer, it may be challenging to get them to agree to your demands. That’s something you really have to think about: How will both you and the supplier approach the relationship? You need to be confident that, when you request changes or need something, good communication processes are in place that ensure you're going to get prompt responses from them.
The last thing you want is to have is a supplier that doesn’t prioritize your problems, respond to your supplier corrective action plans (SCAPAs), or allow you to audit them in-person. Worse is a supplier that won’t allow supplier audits, notified body audits (which now require supplier audits, in some instances), and FDA inspections, if the agency determines they are needed.
Supplier Risk Score Cards And Ratings
Developing supplier risk score cards will empower you with a system that evaluates and ranks your suppliers based on historical and current performance. This can be a difficult initiative to manage, especially when you're dealing with many suppliers, so it's important to develop supplier risk score cards ahead of time.
First, using failure mode and effects analysis (FMEA) or other tools, as you prefer, define the important metrics and key performance indicators (KPIs) that you want to measure — the ones that will have a significant impact on your process. Review that list periodically with your FMEA members to ensure you're not missing anything; reassess whether new challenges or new data you should be tracking have surfaced and should be considered as you're assessing suppliers.
Next, as you're collecting information from —and about — your supplier, it's important that you build a database or mechanism to give you a complete picture of what's happening with that supplier. For example, if a supplier is having a large number of adverse events, then that should raise a red flag in their profile, allowing you to recognize and react to it; those events could impact your supply chain. One supplier’s problems might create issues in other areas, and you need to think about how you will mitigate the problem as a whole.
Establish a portfolio that allows you to look at and rate critical elements for each supplier, as well as the impact of those elements on other processes across the organization. You might lose sight of the big picture if you're just focusing on that one problematic supplier, and not considering how that supplier is affecting other elements of your quality system.
As you store and process this information, technology is another risk factor that must be considered. You communicate with your suppliers through specific reports, or using certain data across the supply chain, but you may encounter suppliers that use different, incompatible systems. In such cases, you need to be able to manage data from that supplier in a different way.
Some companies are very interconnected, using Systems Application Products (SAP) or enterprise resource planning (ERP) systems, making it easier to manage what's happening across the supply chain. But sometimes, small suppliers don't have the resources to maintain such systems. In those situations, you must consider how technology — or the lack thereof —will impact the supply chain.
Clearly Define Requirements In A Supplier Quality Agreement
The supplier quality agreement is extremely important because, without it, you can't really hold suppliers accountable to their commitments.
Supplier quality agreements are equally important for internal suppliers — peripheral facilities or subsidiary providers of services or products under a single company’s ownership, for example — as they are for external suppliers. You also may encounter situations where an outside supplier is providing components, but you’re outsourcing the processes that make use of those components.
Regardless of the type of relationship, the supplier quality agreement should define how you are going to share information about what's happening within the quality system. For example, if it's important to you to know if your supplier is inspected by FDA or audited by its notified body, and you want to see what those auditors are finding, you need to define that in your agreement. In turn, the supplier would need to agree to inform you that it’s being audited, and to reveal anything the auditors discover, but you need to be very specific about how you want to see that information.
In addition to information sharing, there are a multitude of other factors you may want to address in your supplier quality agreements:
All of the above items could be reported as part of your management review, but detailing reporting requirements in your quality agreements, ahead of time, likely will save you a lot of headaches. Most reputable suppliers will not balk at such requests.
Record-Keeping And Data Sharing
Your supplier quality agreement also should stipulate who will maintain which records. If your supplier is supposed to be doing certain activities, and you require documentation of those activities, it must be decided whether they are going to keep that information on site or send it to you as part of the traveler that accompanies the product. Remember, during an audit or inspection, you will be expected to have access to that information.
The same principle applies to statistical techniques on process parameters. If the supplier is tracking those metrics, you have to determine which information is associated with your processes and stipulate when and how you would like access to it. Similarly, if the supplier is having problems associated with your product, you want to ensure they're not waiting for you to audit them before reporting the issue. Ideally, they should provide that information as part of your regular assessments, as well as an explanation of how the issue was resolved through a Supplier Corrective and Preventive Action (SCAPA). You should request those reports periodically until theSCAPA is effectively closed.
If a supplier is going to handle distribution on your behalf, you need to be very specific about how they're going to handle it. Even if they're just going to ship certain components to you, you might want the components shipped under certain conditions. For example, you may have specific needs regarding temperature controls, packaging conditions, or certain distribution parameters. Transportation and packaging validations are important, and suppliers must adhere to those processes approved by the manufacturer.
Distribution management becomes even more critical as you ship overseas, procure products from overseas, or outsource services to other countries. With that increased complexity comes increased risk, so you need to re-evaluate: “Do we need to audit that more often, or do we need to ask them to do things a certain way?”
Risk-based supplier management is a constant process of organization, re-evaluation, and using the information at hand to quickly mitigate any problems that occur. As you conduct supplier assessments throughout the year and renew your contracts, you always need to ask yourself, “how is this working out? Are they being responsive, or not? Do we need to implement something special, or make a change?”
Accordingly, every aspect of the supplier relationship is critical as you define your quality agreements. Do an FMEA of your completed quality agreement and think of worst-case scenarios: Your supplier has agreed to handle record retention, but what happens if there’s a fire? Are they going to back up those records electronically, or should we take the initiative and do that for them? Or, perhaps their processes look good on paper, but did you consider the quality of their environmental controls? If those controls are faulty and negatively impact the component you’re getting, you may not be shipping a final product at all.
The bottom line when incorporating risk management into supplier quality management is to think about all the things that can go wrong, and put safeguards in place to prevent or mitigate them.