Risk Management within the Global Supply Chain

October 1, 2008
Susan J. Schniepp

Susan J. Schniepp is a fellow at Regulatory Compliance Associates, Inc. and a member of Pharmaceutical Technology's Editorial Advisory Board.

Pharmaceutical Technology, Pharmaceutical Technology-10-01-2008, Volume 2008 Supplement, Issue 5

The growth and globalization of the pharmaceutical supply chain make risk assessment more important than ever for pharmaceutical manufacturers. The authors describe a program to identify, prioritize, mitigate, and communicate risks in manufacturer–supplier relationships.

The global supply chain for the pharmaceutical industry has expanded during the past decade as companies have striven to be competitive and harness emerging technology. Foreign markets have emerged to offer lower costs for various products. Many companies find managing global suppliers and product-quality issues to be challenging. Recent industry events such as the contamination of batches of heparin demonstrate that a lack of control in the global supply chain can lead to patient harm and death, product recalls, loss of integrity, and significant financial liability for a company. Current good manufacturing practice (CGMP) regulations state that companies that design and manufacture pharmaceutical products must ensure that all components, raw materials, and product from suppliers meet predetermined specifications and that suppliers and their operations are in a state of control.

In today's climate, companies should use a risk-management program to assess their suppliers' ability to provide material suitable for the manufacture of medicinal products. A risk-management program should help companies evaluate and control the quality of their suppliers and of the supply chain. The US Food and Drug Administration's Pharmaceutical CGMPs for the 21st Century initiative is intended to enhance and modernize the regulation of pharmaceutical manufacturing and product quality. Its goal is to bring the pharmaceutical industry in line with the risk-management activities the medical-device industry uses to reduce patient and business risk. FDA's expectations are outlined in the International Conference on Harmonization's Q7, Q8, Q9, and Q10 guidelines. Several key elements can help control and limit risk throughout a global supply chain. This article will discuss risk prioritization, risk assessment, risk control, risk communication, and risk review in detail.

Risk prioritization

Deciding how to begin implementing a supplier risk-management program can be challenging for established companies, let alone for startups. A risk-prioritization matrix outlines a systematic and objective approach that helps companies select the best starting point.

One approach to developing a specific company's matrix is to create a list of manufactured and distributed products that includes key data. The following data may be considered in developing a risk-prioritization assessment:

  • Patient risk (i.e., sterile, parenteral, nonsterile)

  • Quality data such as nonconformances, corrective actions/preventive actions (CAPA), deviations, and customer complaints

  • Volume of product manufactured

  • Supplier history.

These data can be entered into a table similar to that in Figure 1. The individual data categories are assigned a numerical risk-ranking value as in the following example:

  • Patient risk for parenterals—3

  • Patient risk for sterile products—2

  • Patient risk for nonsterile products—1

  • High-risk supplier—3

  • Medium-risk supplier—2

  • Low-risk supplier—1.

Figure 1: Example risk-prioritization matrix. (ALL FIGURES ARE COURTESY OF THE AUTHORS.)

Key quality data such as nonconformances, CAPA, deviations, and customer complaints should receive values equal to their number of occurrences.

Likewise, the risk value for the volume of product manufactured is equal to the number of lots or units produced. Typically, this value is weighted to reduce the chance that a low-risk product with a high production volume will become the highest priority. Values are multiplied to obtain a risk-prioritization score. The product with the highest score gets top priority.

Risk assessment

Once the products have been prioritized, a risk-assessment technique can be used to evaluate, control, and communicate the risk associated with a given product. Failure mode effects analysis (FMEA) is currently used to assess supplier risk. A supplier FMEA does the following things:

  • Lists each component of the product along with its function.

  • Identifies possible supplier-failure modes.

  • Assesses the severity of the supplier failure modes based on their effect on the end user. Product characteristics are identified as critical if patients are harmed when the characteristics are not controlled.

  • Lists possible causes of the supplier failure modes and estimates the number of occurrences for each cause.

  • Lists current controls to prevent or detect the supplier failure modes or causes and estimates how effective the current controls are.

One obtains a risk priority number (RPN) by multiplying predefined rankings for severity, occurrence, and detection. These rankings are typically numbers from 1 to 5 or 10. A threshold RPN should be identified, and suppliers whose risk exceeds the threshold should be considered unacceptable. Figure 2 provides an example of a supplier FMEA template (1, 2).

Figure 2: Example supplier failure mode effects analysis template. RPN is risk priority number.

Suppliers with RPNs that exceed the threshold value should be audited. Companies can conduct a full or modified audit, depending on the severity of the risk that prevented the supplier from achieving an acceptable RPN ranking. Key items to focus on during an audit include the quality of the supplier's risk-assessment program and how the supplier controls critical characteristics. Supplier audits are discussed in more detail below.
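
The RPN calculation and audit threshold described above, shown as an added example that is not from the article or its authors. The 1-10 scale, the threshold of 100, the convention that a higher detection rank means weaker current controls, judging a supplier by its individual failure modes, and all sample rows are assumptions.

```python
from dataclasses import dataclass, replace

RANK_MIN, RANK_MAX = 1, 10   # assumed scale (the article allows 1-5 or 1-10)
RPN_THRESHOLD = 100          # assumed value; each company defines its own


@dataclass(frozen=True)
class FailureMode:
    supplier: str
    component: str
    mode: str
    severity: int    # effect on the end user
    occurrence: int  # estimated frequency of the cause
    detection: int   # assumed convention: higher = controls less likely to catch it

    @property
    def rpn(self) -> int:
        # Reject rankings outside the predefined scale before multiplying.
        for field in ("severity", "occurrence", "detection"):
            rank = getattr(self, field)
            if not RANK_MIN <= rank <= RANK_MAX:
                raise ValueError(f"{field}={rank} outside {RANK_MIN}-{RANK_MAX}")
        return self.severity * self.occurrence * self.detection


def suppliers_to_audit(fmea, threshold=RPN_THRESHOLD):
    """Map each supplier with a failure mode above the threshold to those
    failure modes, highest RPN first."""
    flagged = {}
    for fm in fmea:
        if fm.rpn > threshold:
            flagged.setdefault(fm.supplier, []).append(fm)
    return {s: sorted(fms, key=lambda f: f.rpn, reverse=True)
            for s, fms in flagged.items()}


# Constructed sample rows, not data from the article.
FMEA = [
    FailureMode("Supplier A", "API", "contaminated lot", 10, 3, 7),
    FailureMode("Supplier A", "API", "late shipment", 2, 4, 2),
    FailureMode("Supplier B", "vial stopper", "out-of-spec diameter", 6, 2, 3),
    FailureMode("Supplier C", "label", "wrong strength printed", 9, 2, 6),
]

if __name__ == "__main__":
    for supplier, modes in suppliers_to_audit(FMEA).items():
        for fm in modes:
            print(f"{supplier}: {fm.component} / {fm.mode} RPN={fm.rpn}")
    # Residual risk after a mitigation that improves detection at Supplier A.
    mitigated = [replace(FMEA[0], detection=2)] + FMEA[1:]
    print("still flagged:", sorted(suppliers_to_audit(mitigated)))
```

Re-running the assessment with updated rankings after a mitigation gives the residual risk, which is how the sample shows Supplier A dropping below the threshold once detection improves.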

Risk control

The manufacturer and its supplier should work together to establish a plan to reduce the risk of quality nonconformances and agree on an approach for communicating and reducing risk. Approaches to reducing risk generally fall into two categories.

Category 1: Joint cooperative plan. The industry prefers the easier approach, which is for the manufacturer and supplier to agree on a joint cooperative plan that reduces the identified risk to an acceptable level. This plan frequently necessitates further risk analysis of the supplier's suppliers and components (i.e., Tier 2 analysis, or analysis of a secondary supplier) to understand where the sources of risk enter the supply chain. In some cases, improved controls at the Tier 1 (i.e., primary) supplier, combined with improved inspection or processing by the finished-goods manufacturer, reduce risk to an acceptable level. Tier 3 or Tier 4 suppliers might be investigated to achieve acceptable finished-good product risk levels if the Tier 1 controls and mitigations are not sufficient.

During the implementation of the corrective actions or risk mitigations, the supplier FMEA should be updated, and residual risk should be assessed. All revisions and updates to formal risk-management documents and reports should be reviewed and stored in a risk-management file established for that product. If risk controls and mitigations at the supplier and finished-goods manufacturer are exhausted and the risk remains unmitigated, alternative approaches to achieving robust quality may become necessary.

Category 2: Establish an alternate supplier. A longer path toward achieving robust quality and low risk is to qualify an alternate supplier or to change the design or process so it achieves a higher level of quality. Category 2 is generally chosen only if all plans for reducing risk at the current supplier have been exhausted or if the supplier does not cooperate in implementing a risk-reduction plan. It is useful to apply tools such as design for Six Sigma to the component's critical characteristics during the development of new or modified processes or component designs.

If the finished product has a level of residual risk that is above the threshold of acceptability, even after all opportunities for risk mitigation and control have been exhausted or found to be economically infeasible, a company should perform a medical risk–benefit analysis to determine whether the product's benefits outweigh the harm that could result from using the end product. Figure 3 provides a flow diagram that shows the supplier-assessment process using FMEA and RPN.

Figure 3: Supplier risk-assessment process. FMEA is failure mode effects analysis, and RPN is risk priority number.

Risk communication

After the supplier risks have been identified, reduced to acceptable levels, and communicated, it is important to establish a formal agreement to ensure that the supplier maintains a state of control and the manufacturer is an active participant in the supplier's quality- and risk-management programs. An effective way to establish this relationship is through a quality agreement. The quality agreement is a contract between the pharmaceutical manufacturer and its supplier of critical components or materials used during the development and manufacturing processes. The purpose of a quality agreement is to clearly define supplier qualification requirements, product and process specifications, regulatory-compliance requirements, management responsibility, a risk-management plan, and a comprehensive communication plan.

The quality agreement should also specify the manufacturer's expectations for processing changes that the supplier considers. The supplier should inform the pharmaceutical manufacturer of proposed changes to their manufacturing process in a "Notification of Change." The pharmaceutical manufacturer can thus evaluate the impact of the change on its final product. The manufacturer's previously identified management team should approve the change before the supplier implements it. Even the smallest change to a supplier's process can have an immense effect on a manufacturer's product or process. Establishing and maintaining a quality agreement is essential to controlling this potential risk.

Once established, the quality agreement should be periodically reviewed and monitored for effectiveness. Predetermined quality criteria such as the number of products out of specification, CAPA, and the number of product complaints should be measured, and trends should be investigated. The quality agreement must be evaluated regularly to ensure that required updates are implemented and communicated to each party in a timely manner.

Risk review

In addition to monitoring quality criteria, it is recommended that the manufacturer conduct periodic supplier audits to ensure and verify that the supplier is maintaining a state of control, meeting the pharmaceutical manufacturer's requirements, and employing a quality-management review system. The manufacturer should evaluate its suppliers according to defined criteria and procedures. Results should be documented. Each supplier that a manufacturer selects should have a demonstrated capability of providing products or services that meet the established requirements specified in the quality agreement. Once a supplier is selected, its performance must be monitored periodically. The frequency of monitoring should be commensurate with the significance of the product or service the supplier provides. The complexity of the service and its potential effect on the finished product's performance also should be considered.

Planning for a supplier audit is critical. Supplier audits should be scheduled according to the product and process risk assessments. The interval between audits should be established according to the significance of the material for final-product performance and the supplier's demonstrated ability to manufacture to the specified requirements consistently. An evaluation of the supplier's past history in providing similar products or services should be included in the assessment when possible. Written mail surveys or questionnaires frequently are used to assess the supplier's quality plan, test and inspection procedures, validation history and references, and the results of previous regulatory inspections or registration audits. Often, one set of questions will not fit all suppliers. Also, the focus of supplier audits can evolve as the relationship between the manufacturer and supplier matures. Though previous relationships with a supplier and registration to a specific industry standard such as ISO 9001 are important to manufacturers, they should not rely solely on previous audits and certifications as evidence that a supplier can provide acceptable products. Instead, manufacturers should conduct on-site supplier audits to assess supplier risk and establish conformance.

The supplier audit helps identify nonconformances that occur in many processes throughout the product life cycle—from the design process to the manufacturing process to the distribution process. Supplier audits can build both parties' confidence and provide a system for high-quality technology transfer.

In addition, an audit helps the supplier understand the pharmaceutical manufacturer's expectations. Supplier audits generally provide objective analyses of the vendors and can be fact-gathering tools to ensure that the supplier meets the manufacturer's expectations, thus enabling control over the quality of the product.


Because of the rapid growth of the global supply chain for the pharmaceutical industry, increased risk management is essential to ensure regulatory compliance and consumer safety. By implementing the ideas and tools described in this article, the pharmaceutical manufacturer will reduce risk, enhance patient safety, and ensure long-term success for its products.

Sarah Wood* is a quality-systems manager, Ronald Dunn is the director of quality systems, Marsha Nelson is a senior quality engineer, Taunya Alexander is a quality-program manager, and Larry Servi is the director of product and process development, all at Regulatory Compliance Associates, 7401 104th Ave., Suite 160, Kenosha, WI 53142, tel. 262.842.1250, fax 262.842.1251, s.wood@rcainc.biz. Susan Schniepp is the president of Schniepp and Associates and a member of Pharmaceutical Technology's Editorial Advisory Board.

*To whom all correspondence should be addressed.


1. D.H. Stamatis, Failure Mode and Effect Analysis: FMEA from Theory to Execution, (American Society for Quality, Milwaukee, WI, 2nd ed., 2003).

2. Dyadem Press, Guidelines for Failure Modes and Effects Analysis (FMEA) for Medical Devices, (CRC Press, Boca Raton, FL, 2003).