Supply-Base Risk: Three Tools to Take the Edge Off

As manufacturers, we constantly evaluate the range of risks associated with the goods and services we purchase. The risks can be as minor as a missing certificate of conformance or a late shipment, or as significant as lost sources due to supplier business closures and fraud.


The business reasons alone for managing supply risks justify the resources required to ensure continuity of supply. But beyond that, FDA is discussing regulatory change regarding purchasing controls, which could make such risk management a mandatory activity. FDA’s heightened concern is based, in part, on failures that have caused public harm, such as the heparin issue of late 2007, which resulted in about 80 deaths and a drug recall.

There are many excellent sources describing purchasing controls and how they’re used to manage risk in the supply base. One such source is the Global Harmonization Task Force (GHTF) Study Group Three report, “Guidance on the Control of Products and Services Obtained from Suppliers,” which was released in 2009.[1] Many aspects of supply-chain management are worth investigation including developing an outsourcing strategy, using low-cost country suppliers, limiting the length of the supply chain, and devising effective contract review with suppliers. This article, however, focuses on three specific tools that can be used to help identify and mitigate risk, as follows:

• Supplier risk mapping, which focuses on mitigation strategies for suppliers that are most likely to represent unacceptable risk to the manufacturer and would require the longest recovery time.
• Supplier assessments for evaluation and selection.
• Supplier ratings for reevaluation of suppliers.

The emphasis is on improving the effectiveness of the manufacturer’s activities, in addition to changing the supplier’s activities, as required.

First and foremost, it is critical to have an extensive up-front supplier qualification process. Such a system enables manufacturers to avoid, or at least minimize, potential supply-base failures. Compare it to hiring the right candidate for a critical job in an organization. If you take the time to ensure that the required skills and capabilities are there, the effort required to manage the candidate, once hired, is minimal, and the returns should meet expectations.

The process is no different when hiring a supplier. The up-front work, however, does not eliminate the need for ongoing evaluations. An OEM must develop good, solid relationships and communicate regularly to help avoid any surprises.

Supplier Risk Mapping

According to GHTF, “manufacturers are required to define and document the type and extent of controls applied to suppliers and to maintain objective evidence that products and services meet predefined specifications. . . . Failure to. . . have objective evidence of the controls associated with supplier activities could result in a major noncompliance.”[2]

At this point, it is appropriate to share FDA’s definition of a supplier. Suppliers deliver goods and services to the OEM and, as such, are subject to purchasing controls. Suppliers include related companies that are not operated as part of a quality management system (QMS) and are not, therefore, subject to internal audits of that QMS.

Table I. Supplier risk mapping and mitigation strategies.

Extensive evaluation of every potential supplier is time-consuming and expensive, too expensive for most manufacturers. Therefore, this article uses the term risk mapping to highlight areas in which loss of control, and the resulting product-quality or line-down incidents, are a possibility. As shown in Table I, the focus is on the goods or services being purchased, not on any particular supplier being considered.

Risk mapping, however, is a subjective exercise based on what the medical device OEM knows at a given time about the material or service being purchased, and what it knows about the potential supplier, with whom there often is no work history. Developing a standard list of risk elements and characteristics, along with appropriate mitigation strategies to ensure control for each risk element identified, can minimize such subjectivity. Table I is based on the OEM’s historical performance and is tailored to meet the manufacturer’s needs. Once the map is developed, it is good practice to revisit it annually.

For example, with off-the-shelf components or materials, the risk map might help the OEM select a supplier that shows the required goods in its catalog and successfully completes a self-audit. In contrast, when selecting a supplier for a custom printed circuit board, for example, the full range of mitigations would likely be recommended. After the risk assessment team recommends the mitigation strategies based on the risk element, it is important to apply the second tool, supplier assessments for selection and evaluation.

Supplier Assessments

Risk mapping for each sourced material, component, or service provides a list of the qualification activities that are recommended. It is used to meet the GHTF recommendation for “documenting the type and extent of controls” and guides technical, business, and quality concerns, all of which are vital assessments in the selection and qualification of new suppliers.

Frequently, the assessment requires a visit to the supplier’s facility. Who performs this assessment? If corporate governance standards allow, the supplier engineer can perform the assessment alone for less-significant suppliers. For more critical ones, the supplier engineer can serve as the lead assessor with quality or business support.

Technical Evaluation. The purpose of a technical evaluation is to select a supplier that demonstrates the capability to meet specifications. To do that, the risk assessment team should do some or all of the following:

• Understand the supplier’s processes and process controls.
• Review equipment and how it is maintained.
• Tour the facility to evaluate cleanliness, order, and the condition of both the facility and equipment.
• Assess the attitude and knowledge of the workers.
• Understand how the supplier accepts and traces product and keeps records.
• Verify capacity of key equipment.
• Discuss contingency plans for loss of critical equipment.

Other questions that might need considering include the following:

• How does the supplier ensure that only acceptable materials and manufacturing aids are used?
• What is the status of environmental controls and cleanliness on the line?
• How does the supplier ensure that overspray or dust from other operations doesn’t contaminate product?
• How will the supplier establish the process or processes to use?
• Will any process require validation? If so, how is it done?
• If the process-monitoring characteristic shifts on a validated process, what is the reaction plan?

Ultimately, the risk team must address the critical characteristics of the parts, materials, or services to be purchased. How does the supplier typically verify that parts meet the OEM’s requirements? Make sure the supplier understands why the critical characteristics are indeed critical; otherwise, the OEM may need to find another supplier. If buying a service, know which individuals will be participating in the work. Remember you are typically buying a person’s expertise, not the firm’s capability or experience.

Business Evaluation. Beyond technical expertise, the OEM needs to learn how well the new business it brings fits with the supplier’s existing business. Learn about available capacity by walking around the supplier facility. Learn about indices for business vitality. Understand the business reporting structure and workforce. The risk assessment team should know how many employees the supplier has, how many shifts are worked, and its regular hours. Understand the critical skills and whether the supplier has a cross-trained workforce in these skills. Such knowledge provides good baseline information for future evaluations to help determine the supplier’s business viability.

Here’s a suggested list of questions for a business evaluation checklist:

• How is contract review done?
• Does the supplier keep track of on-time delivery for its shipments?
• How does the supplier assess and manage their supply base?
• Does the supplier assess the risk?
• How will the supplier ensure confidentiality for your technology and business planning?
• When you tour the plant, do you see competitors’ materials?
• How will the supplier ensure that the know-how developed at your expense will not be shared with competitors?
• Who owns the intellectual property for the processes developed and used?
• If the supplier is purchasing job-specific components that cover more than the open orders, such as final purchases for a planned end-of-life component, does the supplier carry the cost or will they bill you?
• Is the supplier meeting its sales forecast?
• What has their turnover rate been over the past 12 months?

Discuss bank and business references. If a supplier is unwilling to share financial information, it will probably be willing to set up a conference with its financial management. Failure to do so calls into question the supplier’s commitment and whether your business is really important to it.

Evaluate the supplier’s quality management system. If the potential supplier is ISO 13485 certified, the job is simplified; it’s safe to say a third-party auditor has better access and spends more time auditing than you will. Get a copy of the certificate and verify that the supplier will notify you of any changes to the certificate. If the supplier is not ISO certified (13485 or 9001), then ensure that the applicable quality management processes are in place. Understand that ISO certification alone is not a substitute for the OEM’s supplier assessment process. Certifications do not mitigate either the technical or business risks, only the quality management system risks.

Whether a supplier is certified or not, the best use of a risk assessment team’s time is to understand the quality processes that affect the OEM. These processes include corrective and preventive action (CAPA), quality planning, training, purchasing controls, change controls, and record keeping.

Review CAPA processes, including how the supplier deals with nonconformities discovered during manufacturing. Ask how the supplier handles customer returns. How does it determine if an advisory notice is required? If a nonconformance is found for a validated process, how are special causes identified and corrected? Is revalidation required? How are those data shared with you as the customer?

Other important aspects to understand are the advanced quality plans the supplier uses, such as process flow diagrams, risk assessments, and control plans.[3] What are the candidates for process controls for the items the OEM plans to purchase? What are the reaction plans? Are records of process control and reactions auditable? Ask how the supplier determines what training or experience is necessary to establish competence. What records are available from that determination?

In addition, it is important to understand how the supplier controls its supply chain. For example, if there is a problem with a second-tier supplier, how is the problem addressed and how will the supplier notify the OEM? How does the supplier ensure that reasonable corrective action is taken and that the corrective action is effective? What is the supplier’s reaction plan to a second-tier supplier that is not performing acceptably?

How a supplier handles change control should also be explored. Does the supplier understand the limits of the OEM’s supplier change controls? Does the supplier have a procedure or is it specific for each customer? What about supplier change controls for second-tier suppliers? How does a device manufacturer ensure that records are reasonably accessible for the retention period? Are records adequately protected?

In summary, the authors find that assessments are more thorough if an assessment checklist is used. The checklist does not necessarily include a series of questions to be answered, but rather a range of concerns to be investigated. After the assessment, the assessment team should report its findings on the assessment checklist with attachments, as required, to support its recommendation of acceptance, acceptance with conditions, or rejection. Use this assessment as the objective evidence of the appropriate purchasing controls that were established.

Supplier Ratings

Rating the performance of suppliers seems straightforward. Measure on-time delivery compared with the allowable tolerance for receiving shipments earlier or later than the promised date. Develop a quality metric based on number of defects found at incoming inspection or during use. Some manufacturers also measure service, price, etc. The rating should then be shared so the supplier understands how it is perceived by the manufacturer. Ratings below a threshold value normally require corrective action by the supplier.

Don’t preschedule evaluations to occur only quarterly or annually. Conduct them continuously, behind the scenes, based on the standard entries upon receiving, incoming inspection, problem reports, and scrapping of line fallout. As we saw during the economic downturn in early 2009, the business vitality of some suppliers can erode very quickly.

The key to effective rating systems, though, is not merely to create supplier scorecards and supplier corrective action activity, but rather to adjust the OEM’s activities based on supplier performance. For instance, if a supplier’s receipts are often late, the OEM should extend the planned lead time so that a late delivery does not cause a line to go down.

Another example is adjustment of the sampling plan at incoming inspection. If quality is normally acceptable, review the design failure mode and effects analysis (dFMEA) and, if appropriate, reduce the sample size or accept as dock-to-stock. If quality is spotty, increase inspection levels to heighten detectability, or require the supplier to provide product acceptance data.

For large or more-critical suppliers, it is imperative to conduct periodic business and technical reviews to ensure that management at both companies understands how well the program is performing. Frequency depends on risk, as detailed in Table I. But as an example, some critical suppliers might have quarterly reviews, and other, less-significant suppliers might be reviewed annually. These reviews, of course, should be face-to-face, and scheduled at regular intervals to keep abreast of relevant business conditions. The agenda for a business or technical review must be published in advance so that management understands what needs to be accomplished.

An effective quality review is not a quality system audit, but rather a review of records and reactions for the goods or services being delivered. Follow the record on an internal nonconformance to see how containment was handled and whether the supplier decided to perform a corrective action. See firsthand how records are stored. Review the engineering changes that relate to the OEM processes to see if the supplier is meeting its commitments regarding change notice. Review training records that relate to the work instructions used for making products.

Business reviews can include business updates (by both customer and supplier), supply-chain reviews and updates, program status reviews, scorecard reviews, capacity analysis reviews, lead-time reviews, site tours (if applicable), cost savings and improvement opportunities, and other special interest topics or current issues.


Managing risk in the supply chain is not just one event or audit, but rather an ongoing discipline. It is a critical component of good manufacturing practice and may soon become an FDA-mandated activity. Using supplier risk mapping, supplier assessments, and supplier ratings not only helps to mitigate risk and improve your company’s performance, but also provides objective evidence for confident supply-chain decisions. Using these three tools enables medical device OEMs to objectively compare suppliers of similar commodities, reward the best performers, and satisfy their products’ requirements.



1. GHTF SG3 N17, “Quality Management System—Medical Devices—Guidance on the Control of Products and Services Obtained from Suppliers.”

2. GHTF SG4 N28, “Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers Part 1: General Requirements.”

3. AIAG APQP-2, “Advanced Product Quality Planning and Control Plan,” 2008.

Lee Fox is manager, regulatory compliance and system improvement, at Mack Molding/MackMedical (Arlington, VT). Beverley Proctor is medical supply-chain manager for the company.
