Drawing on FDA Turbo 483 database analyses, warning letter reviews since 2010, and the statements of FDA officials over the past four years, there are eight ways in which companies typically fall short in their supplier oversight and qualification activities:

  1.  Internal v. external supplier confusion
  2.  Inadequate supplier criteria
  3.  No ongoing monitoring
  4.  Poor supplier control records
  5.  No linkages across product activities
  6.  Over-reliance on self-questionnaires
  7.  Over-reliance on certificates
  8.  Not doing anything.

And since 2006, my experiences holding corporate training workshops or helping clients with supplier quality management and auditing have certainly borne these issues out. Take a look and see if your organization is at risk.

1) Internal v. External Supplier Confusion

A perennial point of confusion is whether a company’s other sites or its subsidiaries are to be treated as suppliers. Irrespective of drug or device (or cosmetic or dietary supplement) product, FDA has been consistent on its expectations for the past 7 years:

“…the requirements apply to all product and service received outside the finished manufacturer, whether payment occurs or not. Thus, a manufacturer must comply with these provisions when it receives a product or services from its ‘sister facility’ or some other corporate or financial affiliate.”1

Or to sum up, if an entity is not covered by a firm’s internal quality audits, the entity is a supplier. Thus, whether a company classifies a supplier as internal or external is irrelevant to FDA because “Internal suppliers are to be controlled in a similar way as external suppliers are controlled.”2

2) Inadequate Supplier Criteria

Another common misstep is not establishing quality criteria for suppliers. This does not mean, as some people interpret it, that every supplier should have a quality system. It might be nice if the corrugated cardboard box supplier and the pipette calibration supplier and the product insert printer were ISO 9001 certified, but this is not what FDA intends.

Supplier quality criteria are defined by FDA as “the supplier’s ability to meet specified requirements including quality requirements.”3

In other words, what are your documented requirements for each supplier? Perhaps you require that suppliers have insurance, that they are incorporated as a business, or that suppliers have experience in providing the material or activity you are sourcing.

Think of FDA’s supplier quality criteria as traits that relate directly to the material or activity you are sourcing. Then you evaluate the supplier to verify that it has those expected traits. This provides flexibility to use basic questionnaires for many low risk, low volume suppliers while restricting more intensive audits to those suppliers deemed critical.

Documenting supplier criteria is critical as it helps prevent four of the eight common failures, including:

  • not having ongoing monitoring
  • not linking controls to product design and development and acceptance activities
  • over-reliance on certificates of analysis and conformance; and
  • relying only on supplier self-questionnaires.

3) No Ongoing Monitoring

Considerable confusion continues in the industry as to how much monitoring of suppliers is appropriate. FDA’s typical answer, “it depends,” is rather unhelpful in a day-to-day context. Given the endless variety of suppliers, materials, services, contexts and risks, FDA officials are understandably hesitant to provide any sort of general rule.

Over time, however, some basic precepts have proven themselves:

  • Incorporate incoming acceptance activities as one type of monitoring
  • Identify periodic testing to be done to verify supplied materials (and certificates of analysis/conformance) based on good sampling rates
  • Trend both of these as part of supplier re-evaluations
  • Pre-define the frequency of “re-evaluation” based on associated risks.

For instance, you might define the frequency of re-evaluation for low risk suppliers as only upon contract renewal, or if they cause a recall or adverse event, or as a result of some external event (supplier suffers labor unrest or bankruptcy).

4) Poor Supplier Control Records

This covers everything from missing contracts or quality/technical agreements to no documented supplier criteria, from an out-of-date approved vendors list (AVL) to an incomplete supplier-related CAPA or inconsistent revision levels on drawings, formulations or investigator brochures.

Simply having an SOP is akin to having written down a “to-do” list. It is not proof of anything other than intent to do something. Firms need a defined records retention and records management program. SOPs should reference the records generated as a result of following the written procedure. And quality departments must conduct internal audits against such records.

This can help prevent poor supplier control records. Also, consider reviewing the various records listed in the 2010 GHTF guideline, SG4/N84 Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers, Part 5: Audits of Manufacturer Control of Suppliers (view online through the IMDRF at http://www.imdrf.org/documents/documents.asp#ghtf).

5) No Linkages Across Activities

When it comes to supplier management and FDA inspections, supplier management should tie together incoming acceptance activities, product design and development, process and production validation activities, finished product storage and distribution, and even data integrity and Part 11 compliance.

To understand why supplier management relates to incoming acceptance activities, in my corporate compliance workshops, I walk clients through a conceptual activity that begins with a simple statement, “If we do no supplier qualification, we will start with 100% inspection and testing of all received materials. Assuming this will be an entirely impractical level of overhead, what controls will we put in place on our suppliers to keep the amount of incoming inspection and testing to a reasonable level?”

Being able to show these controls across the product’s lifecycle is the linkage that FDA is looking for.

6) Over-Reliance on Self-Assessments

Basic supplier questionnaires are a well-worn industry tactic to help segregate those suppliers needing further evaluation from those whose risk-level justifies very little further control. However, assuming that a questionnaire one submits to suppliers to fill out cannot possibly serve to offer anything but the “best answers,” what supplier will be forthcoming on their needed improvements?

Use a questionnaire to obtain (and preferably only verify) basic information, not as the only evaluation tool. Instead, use online reviews, remote audits, and onsite audits to qualify your suppliers – these are cost-effective, compliant supplier qualification activities.

7) Over-Reliance on Certificates

Industry continues to rely on supplier-provided Certificates of Analysis or Certificates of Conformance with no independent verification. I have written extensively on this;5 suffice it to say that just as monitoring frequency and type are based on risk and sound sampling, so too should periodic verification of supplier-provided certificates be. Take a look at FDA’s 2012 Warning Letter to Grato, Inc. (http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2012/ucm314702.htm) for insight into current FDA expectations around CofA and CofC verifications.

8) Not Doing Anything

This is against the regulations and against the recent Food and Drug Administration Safety and Innovation Act (FDASIA) signed into law in July 2012. Firms that continue to do nothing leave their executives open to prosecution as well as disgruntled shareholder/investor litigation.

Final Thoughts

Blaming FDA’s antiquated regulations for these supplier management failures is easy. However, digging deeper into these eight common missteps shows that out-of-date regulatory wording is hardly to blame. Ultimately, these expectations have been encapsulated in rules since last century.

If you need FDA supplier management expert advice or would like private corporate training on current supplier management requirements, contact Cerulean today.


About the Author

John Avellanet is the Managing Director & Principal of Cerulean Associates LLC. He is the author of Get to Market Now! Turn FDA Compliance into a Competitive Edge in the Era of Personalized Medicine (Logos Press), co-author of Pharmaceutical Regulatory Inspections (Euromed) and Best Practices in Biotechnology Business Development (Logos Press), and the writer of the ComplianceZen.com blog. Reach out to Mr. Avellanet for compliance consulting help or for an expert speaker. Contact us today.



1. GHTF, SG3/N17 Guidance on the Control of Products and Services Obtained from Suppliers, December 2008, p. 5.

2. FDA, 21 CFR 820.50(a)(1) Quality System Regulation: Purchasing Controls.

3. Avellanet, John, “FDA Officials on Supplier Control,” SmarterCompliance, Vol. 3, No. 34, 2010, pp. 6-7.