Guest Column | June 16, 2017

Using Risk-Based Thinking To Manage Suppliers

By Mark Durivage, Quality Systems Compliance LLC


Probably the most significant concern for anyone responsible for implementing, deploying, and maintaining a quality management system (QMS) is the integration of risk-based thinking. While the concepts of risk management are not new, previous practice was more reactionary, primarily focusing on detection after the fact, root cause analysis, corrective actions, and preventing recurrence of the failure. Contemporary thinking places the emphasis on considering risks up front (prevention) and having a solid approach to address risk in planning, managing, and driving actions.

This article will first present the definitions and requirements regarding risk pertaining to the control of suppliers and then introduce some tools to incorporate and integrate risk management techniques within the QMS specifically applied to supplier management/purchasing controls.

Requirements And Background

There are several International Organization for Standardization (ISO) standards, Food and Drug Administration (FDA) regulations, and national and international guidance documents that provide direction and lay out the framework for implementing, maintaining, and sustaining an effective and robust quality management system, regardless of the organization's type or size or the products and services it provides. Each of them requires, directly or indirectly, the use of risk-based thinking to manage suppliers. They include but are not limited to the following:

ISO 9001:2015 – Quality management systems — Requirements

8.4.2 The organization shall ensure that externally provided processes, products, and services do not adversely affect the organization's ability to consistently deliver conforming products and services to its customers. The organization shall take into consideration the potential impact of the externally provided processes, products, and services on the organization's ability to consistently meet customer and applicable statutory and regulatory requirements.

ISO 13485:2016 – Medical devices — Quality management systems — Requirements for regulatory purposes

7.4.1 Purchasing process. The organization shall document procedures to ensure that purchased product conforms to specified purchasing information. The organization shall establish criteria for the evaluation and selection of suppliers. The criteria shall be based on the effect of the purchased product on the quality of the medical device and be proportionate to the risk associated with the medical device.

ANSI/AAMI/ISO 14971:2007 – Medical devices — Application of risk management to medical devices

3.1 Risk management process

The manufacturer shall establish, document, and maintain throughout the life cycle an ongoing process for identifying hazards associated with a medical device, estimating and evaluating the associated risks, controlling these risks, and monitoring the effectiveness of the controls. This process shall include the following elements:

⎯ risk analysis

⎯ risk evaluation

⎯ risk control

⎯ production and post-production information

21 CFR 820 – Quality System Regulation

820.50 Purchasing controls

Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.

(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:

(1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.

(2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.

GHTF/SG3/N17:2008 – Quality Management System – Medical Devices – Guidance on the Control of Products and Services Obtained from Suppliers

3.1 Planning. In establishing the controls for product and services obtained from suppliers, it is expected that planning activities initiate the process. The output of this activity may be in the form of design and development plans, quality plans, purchasing plans, etc., as defined in the manufacturer’s QMS. The manufacturer should consider the objectives, risks, requirements, processes, and resources and demonstrate that effective controls are in place and regulatory obligations are met.

3.1.4 Identification of risk(s). As part of the planning activities, the manufacturer should identify the risks associated with the product or services to be obtained.

International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use (ICH) – ICH Harmonised Tripartite Guideline Quality Risk Management Q9

II.5 Quality Risk Management as Part of Materials Management

Assessment and evaluation of suppliers and contract manufacturers

To provide a comprehensive evaluation of suppliers and contract manufacturers (e.g., auditing, supplier quality agreements).

Starting material

To assess differences and possible quality risks associated with variability in starting materials (e.g., age, route of synthesis).

Use of materials

To determine whether it is appropriate to use material under quarantine (e.g., for further internal processing).

Pharmaceutical Inspection Co-Operation Scheme (PIC/S) – Guide To Good Manufacturing Practice For Medicinal Products Part I

5.26. Starting materials should only be purchased from approved suppliers named in the relevant specification and, where possible, directly from the producer. It is recommended that the specifications established by the manufacturer for the starting materials be discussed with the suppliers. It is of benefit that all aspects of the production and control of the starting material in question, including handling, labeling, and packaging requirements, as well as complaints and rejection procedures are discussed with the manufacturer and the supplier.

Pharmaceutical Inspection Co-Operation Scheme (PIC/S) – Guide To Good Manufacturing Practice For Medicinal Products Part II

7.11 Manufacturers of intermediates and/or APIs should have a system for evaluating the suppliers of critical materials.

7.12 Materials should be purchased against an agreed specification, from a supplier or suppliers approved by the quality unit(s).

7.31 Supplier approval should include an evaluation that provides adequate evidence (e.g., past quality history) that the manufacturer can consistently provide material meeting specifications.

7.33 Samples should be representative of the batch of material from which they are taken. Sampling methods should specify the number of containers to be sampled, which part of the container to sample, and the amount of material to be taken from each container. The number of containers to sample and the sample size should be based upon a sampling plan that takes into consideration the criticality of the material, material variability, past quality history of the supplier, and the quantity needed for analysis.

The above regulations, standards, and guidance documents either refer directly or indirectly to the use of risk-based thinking to manage the supplier/purchasing controls function.




Supplier Management

Risk-based thinking should be an integral part of an effective and efficient supplier management program. The level of supplier control should be proportionate to the effect that the purchased or otherwise acquired product or service has on the quality of what your organization delivers. As the risk level of a supplier increases, so should the requirements and controls used to manage that supplier.

A good method for determining the risk level is failure mode and effects analysis (FMEA). FMEA (design, process, user) is a systematic group of activities intended to recognize, document, and evaluate the potential failure modes of a product or process and their effects. FMEA ranks each failure mode by a risk priority number (RPN), the product of its severity, occurrence (frequency), and detection ratings. The higher the RPN, the higher the risk; however, a high-severity failure mode with a low probability of occurrence and a high probability of detection can carry a low RPN and may still warrant the controls appropriate to high risk, so severity should be considered on its own as well as through the RPN. Figure 1 depicts the risk process for determining the supplier risk level, and Table 1 shows an example FMEA. Once the risk level has been determined (low, medium, high), the appropriate risk-based supplier controls can be applied.

Figure 1: Risk process for determining the appropriate supplier risk level


Table 1: Example FMEA

The supplier risk category can be defined as a rating of suppliers based upon an assessment of the relative risk of the material or service they provide that affects product quality and/or safety.  I prefer to use a three-level system consisting of high, medium, and low risk. The following are example definitions that can be used to determine the supplier risk:

  • High risk – A supplier that provides material considered to be a custom component or product, such as service providers of calibration and inspection activities
  • Medium risk – A supplier of products and/or services utilized for product testing and any other suppliers not clearly defined as either high or low risk
  • Low risk – A supplier, such as a distributor, that provides commercial off the shelf (COTS) products or standard catalog materials

One method uses FMEA to rank the risk associated with the commodities (goods and services) to be purchased. Some organizations also rank supplier risk by part number or part family. Table 2 is an example of a commodity-based risk category scheme; it can be developed using FMEA as previously discussed.

Table 2: Example Supplier Commodity Category Scheme
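The FMEA scoring and the three-level supplier risk category described above, as an added example that is not code or data from the article or its tables: the script scores constructed FMEA rows for several hypothetical suppliers, computes the RPN as severity x occurrence x detection, applies the severity caveat (a severe but rare and easily detected failure mode is still treated as high risk even though its RPN is low), and rolls each supplier up to the worst category among its failure modes. The 1-10 rating scales, the RPN thresholds, the severity override value, and the supplier names and rows are all assumptions for illustration.

```python
"""Added example: FMEA-based supplier risk tiering.

RPN = severity x occurrence x detection on 1-10 scales.  The thresholds, the
severity override and the sample rows below are illustrative assumptions, not
values taken from the article.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10
RPN_HIGH = 200          # assumption: RPN at or above this -> high risk
RPN_MEDIUM = 80         # assumption: RPN at or above this -> medium risk
SEVERITY_OVERRIDE = 9   # assumption: severity at or above this -> high risk regardless of RPN

LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class FailureMode:
    supplier: str
    commodity: str
    failure_mode: str
    severity: int     # effect on product quality/safety if the failure reaches the customer
    occurrence: int   # how often the supplier is expected to deliver this failure
    detection: int    # how unlikely incoming controls are to catch it (10 = will not be caught)

    def __post_init__(self) -> None:
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} is outside the {SCALE_MIN}-{SCALE_MAX} scale")

    def rpn(self) -> int:
        """Risk priority number: the product of the three ratings."""
        return self.severity * self.occurrence * self.detection


def risk_level(fm: FailureMode) -> str:
    """Map one failure mode to low/medium/high.

    The severity override captures the caveat in the text: a severe failure that
    is rare and easy to detect has a low RPN but still warrants high-risk controls.
    """
    if fm.severity >= SEVERITY_OVERRIDE:
        return "high"
    rpn = fm.rpn()
    if rpn >= RPN_HIGH:
        return "high"
    if rpn >= RPN_MEDIUM:
        return "medium"
    return "low"


def supplier_risk_category(failure_modes: list[FailureMode]) -> dict[str, str]:
    """Roll failure modes up to one category per supplier: the worst of its modes."""
    categories: dict[str, str] = {}
    for fm in failure_modes:
        level = risk_level(fm)
        current = categories.get(fm.supplier)
        if current is None or LEVEL_ORDER[level] > LEVEL_ORDER[current]:
            categories[fm.supplier] = level
    return categories


# Constructed sample FMEA rows for hypothetical suppliers (not the article's Table 1).
SAMPLE_FMEA = [
    FailureMode("Acme Machining", "custom machined housing",
                "critical dimension out of tolerance", 8, 5, 6),            # RPN 240 -> high
    FailureMode("Acme Machining", "custom machined housing",
                "wrong surface finish", 4, 4, 3),                           # RPN 48 -> low
    FailureMode("CalCo Metrology", "calibration service",
                "gauge calibrated against an out-of-tolerance standard",
                9, 2, 3),                                                   # RPN 54, severity override -> high
    FailureMode("TestLab Inc", "product test service",
                "obsolete test method revision used", 6, 3, 5),             # RPN 90 -> medium
    FailureMode("Fastener Distributor", "COTS catalog fastener",
                "wrong plating supplied", 3, 2, 4),                         # RPN 24 -> low
]


def main() -> None:
    for fm in SAMPLE_FMEA:
        print(f"{fm.supplier:22} RPN={fm.rpn():3d} level={risk_level(fm)}")
    for supplier, category in supplier_risk_category(SAMPLE_FMEA).items():
        print(f"{supplier:22} -> {category}-risk supplier")


if __name__ == "__main__":
    main()
```

The CalCo row is the one to watch: its RPN of 54 would rank it as low risk on the number alone, yet a miscalibrated gauge can silently pass nonconforming product, which is exactly the severity-driven case the text says still needs high-risk controls. Whatever thresholds an organization adopts, the rationale for the override should be documented alongside them.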

The organization should also consider the commodity being purchased, the business impact, sourcing difficulty (sole source or proprietary), and the time required to re-source. For COTS items there is generally little value in qualifying the supplier: a supplier selling catalog items will probably laugh at a supplier questionnaire, an audit request, or a supplier quality agreement. If the commodity being purchased is custom, however, more controls are required, including QMS certification, on-site audits, quality agreements, advanced product quality planning (APQP), production part approval process (PPAP), measurement systems analysis (MSA), statistical process control (SPC), control plans, process validation, first article layouts, etc.

Table 3 provides example supplier requirements using a risk-based approach. As Table 3 shows, the higher the risk level, the more controls are required.

Table 3: Example Minimum Risk-Based Supplier Requirements

The example requirements shown in Table 3 are the minimum considered necessary based on risk; there may be instances in which additional controls should be applied to medium- and low-risk suppliers. Remember, being conservative is always the safer approach: under-promise and over-deliver.

In addition to the supplier risk category, some organizations will utilize a supplier status code. Generally, there are four status codes: Approved, Probationary, Certified, and Desourced.

  • Approved - Indicates the supplier is meeting quality and delivery expectations.
  • Probationary - Indicates the supplier is not meeting quality and delivery expectations. Continued quality and delivery issues may lead to Desourced status. Additionally, this status may be used for a newly added supplier.
  • Certified - A supplier whose internal and external capability has been evaluated against predetermined criteria during a specified period.
  • Desourced - Indicates the supplier is not to be used. The supplier can be desourced because of quality or delivery issues or if the goods and services provided are no longer needed.

The supplier risk level can also be used to determine incoming inspection activities. Tables 4-6 provide example AQL levels based upon the supplier risk rating and status.

Table 4: Example AQL based upon risk acceptance (approved supplier status)


Table 5: Example AQL Based Upon Risk Acceptance (Probationary Supplier Status)


Table 6: Example AQL Based Upon Risk Acceptance (Certified Supplier Status)

Note: There may be instances in which goods and services from certified suppliers can be accepted based upon a certificate of analysis (C of A) or a certificate of conformance (C of C), depending on your procedural requirements.

The incoming sampling inspection schemes require a supplier risk category and status. Using these two items (risk category and status) demonstrates the use of risk-based thinking by placing more control on high-risk probationary suppliers and less control on low-risk certified suppliers.  The same concepts can be applied using other non-AQL based sampling schemes, such as the Success-Run Theorem, statistical tolerance intervals, variable sampling plans, attribute sampling plans, and lot tolerance percent defective (LTPD) sampling plans.
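The Success-Run Theorem named above, as an added example that is not part of the article: if a lot's true fraction conforming is R, the probability that n randomly drawn units all pass is R^n, so accepting the lot only when all n pass gives confidence C = 1 - R^n that the lot meets R, and the sample size needed is n = ln(1 - C) / ln(R), rounded up. The script tiers the (R, C) targets by supplier risk category and status, the same two inputs the AQL tables use, so that a high-risk probationary supplier draws a much larger zero-failure sample than a low-risk certified one. The target values, the lot-size handling, and the status names are assumptions for illustration, not the article's values.

```python
"""Added example: zero-failure (success-run) sample sizes tiered by supplier
risk category and status.  The (reliability, confidence) targets are
illustrative assumptions, not values from the article.
"""
import math

# Assumption: targets keyed by (risk category, supplier status).
# Tighter for high-risk and probationary suppliers, looser for low-risk certified ones.
TARGETS = {
    ("high", "probationary"):   (0.99, 0.95),
    ("high", "approved"):       (0.98, 0.90),
    ("high", "certified"):      (0.95, 0.90),
    ("medium", "probationary"): (0.95, 0.95),
    ("medium", "approved"):     (0.95, 0.90),
    ("medium", "certified"):    (0.90, 0.90),
    ("low", "probationary"):    (0.90, 0.90),
    ("low", "approved"):        (0.90, 0.80),
    ("low", "certified"):       (0.80, 0.80),
}


def success_run_sample_size(reliability: float, confidence: float) -> int:
    """Smallest n such that n consecutive passes give `confidence` that the
    fraction conforming is at least `reliability`, i.e. R**n <= 1 - C."""
    if not 0.0 < reliability < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("reliability and confidence must be strictly between 0 and 1")
    n = math.ceil(math.log(1.0 - confidence) / math.log(reliability))
    return max(n, 1)


def demonstrated_confidence(reliability: float, n: int) -> float:
    """Confidence that the lot meets `reliability` after n units pass with zero failures."""
    return 1.0 - reliability ** n


def sample_size_for(category: str, status: str, lot_size: int) -> int:
    """Zero-failure sample size for one incoming lot from a given supplier."""
    if status == "desourced":
        # Desourced means the supplier is not to be used; there is no sampling plan.
        raise ValueError("desourced supplier: material must not be accepted")
    reliability, confidence = TARGETS[(category, status)]
    n = success_run_sample_size(reliability, confidence)
    # Edge case: a lot smaller than n cannot supply the sample, so inspect the whole lot.
    return min(n, lot_size)


def main() -> None:
    for (category, status), (r, c) in TARGETS.items():
        n = success_run_sample_size(r, c)
        print(f"{category:6} {status:12} R={r:.2f} C={c:.2f} -> n={n:3d} "
              f"(demonstrated C={demonstrated_confidence(r, n):.3f})")
    print("medium/certified, lot of 10 ->", sample_size_for("medium", "certified", 10))


if __name__ == "__main__":
    main()
```

Two points to carry into a procedure: the plan is zero-failure by construction, so a single nonconforming unit in the sample rejects the lot rather than being tallied against an acceptance number, and the reliability and confidence pairs chosen for each category and status are exactly the kind of statistical rationale that needs to be written down and defended at audit.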


The discussion above has shown various opportunities for integrating risk management concepts to manage suppliers. The concepts presented can be readily applied to virtually any industry as best practices.

Different values and requirements presented in this article can and should be utilized based upon an organization’s risk acceptance determination threshold, industry practice, guidance documents, and regulatory requirements.

The methods presented here have been used and successfully defended during audits and inspections. I cannot emphasize enough the importance of documenting the statistical methods and rationale your organization may use for managing risk activities.



About the Author:

Mark Allen Durivage is the managing principal consultant at Quality Systems Compliance LLC and an author of several quality-related books. He earned a BAS in computer aided machining from Siena Heights University and an MS in quality management from Eastern Michigan University. Durivage is an ASQ Fellow and holds several ASQ certifications including CQM/OE, CRE, CQE, CQA, CHA, CBA, CPGP, and CSSBB. He also is a Certified Tissue Bank Specialist (CTBS) and holds a Global Regulatory Affairs Certification (RAC). Durivage resides in Lambertville, Michigan. Please feel free to email him with any questions or comments, or connect with him on LinkedIn.