Supplier Assessment – who’s in charge?

Fionnán Friel provides an in-depth analysis of supplier qualification and says that a company is only as compliant as the suppliers they outsource to.

Supplier qualification is more than just auditing. For Life Science companies in particular, it is a risk assessment tool whose goal is to demonstrate confidence that suppliers / vendors / contractors (referred to as suppliers from here on) can supply consistent quality products and services in compliance with established company and regulatory requirements. It gives a company a level of confidence that allows it to outsource the delivery of critical products and services.

It makes perfect business sense for suppliers to ensure that their products and services are of a certain standard and quality to attract and maintain clients. However, it is the unfaltering view of regulatory authorities that the regulatory burden ultimately and always resides with the regulated company that has engaged the supplier.

“A company is only as compliant as the suppliers they outsource to”


Why Outsource? 

Historically, the two main reasons why organisations decided to outsource were to reduce costs and to have the ability to focus on core business goals and planning. Very often a company must outsource as it doesn’t have / cannot get the expertise in-house. 

But recent research shows a shift in industry thinking. Outsourcing is no longer just about saving money; it is seen as a critical tool in innovation. There are new and emerging reasons for outsourcing, including:

  • Enabling competitive advantage
  • Improving speed / time to market
  • Embracing disruptive solutions (such as Cloud)

Cloud is a perfect example of a new technology that is enabling and driving outsourcing. A recent survey from Deloitte ‘2018 global outsourcing survey – Disruptive outsourcing trends, technology, and innovation’ [1] identified new and emerging reasons for outsourcing and adopting Cloud. 

[Figure: Deloitte Global Outsourcing Survey Results on Cloud Adoption [1]]

Why Audit? 

Regulatory bodies allow for outsourcing. However, they demand that the regulated entity audits potential suppliers to determine their level of compliance and ultimately their “fitness for intended use”.  

All companies – but especially heavily regulated companies such as those in the Life Science industry – depend on their suppliers for delivery of critical activities, making them vulnerable to potentially catastrophic quality issues if they get it wrong. They are required by the governing regulatory bodies to execute this process and they audit potential suppliers to ensure that they can meet company requirements and expectations in respect of the quality of their product, application or service.  

The table below outlines at a high level what you must ensure when you audit a supplier to whom you are considering outsourcing:  

| Problem Statement | Solution | Confirm In Audit |
| --- | --- | --- |
| Need to increase capacity in packaging | Outsource to Contract Manufacturing Organisation (CMO) | Confirm that they have an equivalent QMS (processes, procedures, training, documentation etc.) that is reflective of how we do this in-house to ensure quality of end product. |
| Need to modernise our IT infrastructure and move to a more cost-effective model | Outsource to a company delivering Cloud based infrastructure | Confirm that they have an equivalent QMS (processes, procedures, training, documentation etc.) that is reflective of how we do this in-house to ensure quality of end product, remembering that Annex 11 states that infrastructure must be qualified. |

What do the Regulations and Regulators Say? 

1.1 EudraLex – The Rules Governing Medicinal Products in the European Union [2] 

Volume 4, Annex 11 of EudraLex, which governs computerised systems, states the following in respect of suppliers and service providers:

[Figure: Excerpt from EudraLex Vol 4, Annex 11 [2]]

Key things to note: 

  1. IT Departments should be considered analogous, meaning that IT departments and practices for the supplier selected should act and behave exactly as an internal IT department acts and behaves (Analogous – Comparable, Similar, Equivalent). Remember that Annex 11 states that infrastructure must be qualified, and software must be validated. If the supplier selected cannot demonstrate this then they should not be used.  
  2. Competence and reliability of supplier are key factors – suppliers need to be able to demonstrate this, ideally by having quality standards in place.  
  3. Audit & audit information must be available to inspectors on request – suppliers must be available for audits in the same manner internal departments within a regulated company would be made available during an audit. 

1.2 FDA (US Food and Drug Administration) 

21 CFR Part 820 [3] – Medical Devices (Section 820.50 Purchasing Controls) states each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements, which in summary involves: 

  1. Establishing requirements, including quality requirements – e.g. if evaluating a potential supplier of a computerised service then infrastructure must be qualified, and software must be validated. 
  2. Evaluating and selecting potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. 
  3. Defining the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results. 

FDA Guidance for Industry Q10 Pharmaceutical Quality System [4] 

Section G. Management of Outsourced Activities and Purchased Materials of the guidance document details the expected control and review of any outsourced activities and quality of purchased materials and critically states that “the pharmaceutical company is ultimately responsible to ensure processes are in place to assure the control of outsourced activities and quality of purchased materials”. These processes should incorporate quality risk management and must include:  

  1. Assessing, prior to outsourcing operations or selecting material suppliers, the suitability and competence of the external party to carry out the activity or provide the material. 
  2. Defining the responsibilities and communication processes for quality-related activities of the involved parties. 
  3. Monitoring and review of the performance of the external party.

Key things to note: 

  1. It’s up to the regulated company to establish the requirements. This should be easy, as you should apply the same requirements you had when the activity was done in-house prior to outsourcing. If they are not the same, you will have additional work to explain to regulators why you feel they can be different out-of-house.
  2. Assess and audit suppliers prior to selection on their ability to meet requirements, including quality requirements.  
  3. Monitor and review as you go.  


So, who’s in charge? 

Risk assessment and auditing including supplier assessment within regulated Life Science companies is the domain of the Quality department, and for good reason. They are the ultimate arbiters on the quality of the pharmaceutical product or medical device, leaving the manufacturing plant ultimately responsible for the health and safety of the end user. 

No matter what you are assessing – be it a material, application or service – and regardless of how advantageous it is perceived to be from a technological and business perspective, if it does not meet the quality requirements and expectations of the regulated company, then it should not be used.  

A supplier assessment team should be made up of a variety of Subject Matter Experts (SMEs) with the goal of assessing the supplier on their ability to deliver on all requirements including Quality system and User/Functional Requirements. It is crucial – and an expectation of the regulators – that Quality Departments are making the final decision on whether a supplier and their products and/or services are of acceptable quality.  

  • It is not enough that the technology is new, state of the art, innovative and capable.   

  • It is not enough that the solution will save time, resources and money.  

Ultimately, without Quality oversight, it could end up costing a regulated company a lot more. With the emergence of new reasons for outsourcing (enabling competitive advantage and embracing disruptive solutions), quality departments need to maintain vigilance and not let the reasons for outsourcing overshadow the reasons for quality. 



  1. 2018 global outsourcing survey – Disruptive outsourcing trends, technology, and innovation 
  2. EudraLex The Rules Governing Medicinal Products in the European Union Volume 4 Good Manufacturing Practice Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems 
  3. Title 21—Food and Drugs, Chapter I—Food and Drug Administration Department of Health and Human Services Subchapter H – Medical devices, Part 820 Quality System regulation, Subpart E – Purchasing Controls
  4. Guidance for Industry Q10 Pharmaceutical Quality System U.S. Department of Health and Human Services, Food and Drug Administration

Fionnán Friel

Fionnán Friel is the COO of Odyssey VC and Compliant Cloud
