Beruflich Dokumente
Kultur Dokumente
Under development
Description Page
Page 1 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
There will be other tools / methodologies not mentioned in this guide which may be
appropriate to use and new techniques will always be developed. Care must be exercised as
some tools appear suitable but are designed for retrospective analysis (Root Cause Analysis),
whilst Risk Management tools are intended to be prospective tools to determine the potential
future consequences.
Page 2 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
• Brainstorming
• What If? & SWIFT (Structured what If checklisT)
• Mind Mapping
• Checksheets
• Flowcharting
• Process Mapping
• Value Stream Mapping
• Cause and Effect/Fishbone Diagrams
• HEA ((Human Error Analysis)
Brainstorming
Brainstorming is often referred to as a creative technique and aims to achieve quality through
quantity. The technique is usually utilised where you have a group of people trying to find a
solution to a problem. It provides a means of capturing a wide spectrum of ideas from all
stakeholders in an open and encouraging atmosphere. The method is simple, requires little in
terms of resources but there are a number of simple rules that should be followed to gain the
most value from this technique:
• Appoint a facilitator – it is beneficial to assign one individual as a facilitator to ensure
that all participants’ voices are heard.
• Encourage a focus on quantity – aim to ensure that a large number of ideas are
generated in relation to solving the risk problem - the more potential risks identified
the more comprehensive subsequent analysis and evaluation will be.
• No discouragement / no criticism – all ideas no matter how unusual should get a fair
hearing. It also encourages participation of all stakeholders and prevents areas or
items being overlooked.
• Combine and Improve – as the list of ideas increases, it is prudent to review the ideas
being put forward and group those that are identical or similar under a single heading.
The environment and atmosphere in which brainstorming is conducted can be very important,
and should wherever possible be removed from external distractions. A means of capturing
ideas is important e.g. using a whiteboard or flipcharts or other means. The method for
recording ideas generated during the brainstorming session should be set out for everyone to
understand.
The facilitator should open the session with a clear description of the subject to be
brainstormed e.g., “this session is focused on identifying risks with repacking sodium chloride
before distribution to our customers.”
Often people find it beneficial to make use of colour or symbols or other distinguishing means
to collate ideas into subgroups e.g., all risks identified with machinery in black ink, all risks
associated with raw materials in red ink etc.
The final output of the exercise should be a list of ideas as to what risks can occur. These can
then be subjected to the subsequent steps of the risk management process.
What If?
What if? is a technique commonly used in Engineering to determine hazards associated with
a facility, equipment or a process. It is easily adopted as a risk identification tool. What if? is
similar to brainstorming. The process under review is broken down into sub-processes and a
series of questions is brainstormed by asking what if there is a failure in the sub-process or
Page 3 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
what if there is a failure in the operation of the sub-process? The answers to the questions will
highlight if a potential hazard exists.
For example a process may contain the sub-processes of equipment, people, materials etc.
What if questions for Equipment sub-process would be;
What if the agitator fails? Æ product does not meet specification => hazard
What if the seals leak? Æ product becomes contaminated => hazard
What if the valve is left open? Æ product is lost => hazard
Mind Mapping
Mindmaps are diagrammatic representations of ideas arranged radially around a central idea
or theme. They have been used as study aids, problem solving and decision making tools.
Mindmaps can be constructed manually by hand-drawing or electronically using freely
available software packages. This tool promotes the brainstorming / idea generation sub
processes by way of its structure leading to the capture of large volumes of information in a
concise visual representation.
To construct a mind map a central idea is placed in the centre. Branches are drawn from the
central theme or concept radially. Each branch represents a single sub idea of the main idea.
On each of these branches are drawn sub branches, each one drilling down further into the
idea represented by the main branch. Experts promote the use of colour for different branch
trees as well as graphics to aid the conceptualisation process in the brain. It is also
recommended that the least number of words is used to describe each idea or branch in the
diagram.
Page 4 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
Check-sheets
Check-sheets are tools that allow collection of information from a process in a systematic,
organised way in real time at the location where data is generated. Check-sheets are
commonly used and the data collected on check-sheets is easily used as an input to other
tools. Date can be collected quantitatively e.g. counts or qualitatively e.g. attributes like yes /
no or go / no go type data. There are 4 main types of check-sheets commonly used. These
are:
• Item Check-sheets – used to identify what type of risks are occurring in the process
e.g. the check-sheet will have a list of potential problems and provision to count
occurrences or frequency
• Location Check-sheets – used to identify potential areas or location in the process
where risk occurs. E.g. the check-sheet may be a diagrammatic flowchart of the sale
and distribution of a product that illustrates the main processing steps involved. A
mark is placed on the location where the problem occurs most often giving data on
counts / frequency.
• Defect Check-sheets – used to try and identify causes of risk e.g. may be used to
identify the potential causes associated with mislabelling of products and provides
means of recording data about the operators, labelling machines, batch code printers
etc.
• Checklist Check-sheets – used to identify risk by checking if procedures are followed
e.g. check-sheet will have a list of tasks that need to be performed or risk to be
mitigated.
Page 5 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
Flowcharting
Page 6 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
Fishbone Diagrams (also known as cause and effect diagrams or Ishikawa diagrams) are
primarily used to identify causes associated with an event, but are easily adopted to identify
potential risks associated with an event. Diagram Z illustrates a typical fishbone diagram.
Insert Example Diagram
The diagram is constructed with a box on the right hand side (the head of the fish). This box
contains the subject under examination. The spine of the fish has a number of main bones
coming off it. Each one represents a subject category. These can be tailored to specific
needs but some commonly used categories are the 6M’s, 8P’s or 4S’s
6M’s = Materials, Man (People), Machinery (Equipment), Method (Procedures), Maintenance
(Management), Mother Nature (Environment)
8P’s = Price, Promotion, People, Processes, Place/Plant, Policies, Procedures, Product
4S’s = Surroundings, Suppliers, Systems and Skills
Finer bones come off each category bone to list potential risks associated with for example
materials. Often the more populated the bone is the more influential that category is to overall
risk. This technique is very powerful when used in conjunction other tools such as
brainstorming and Pareto analysis,
The final output of the exercise should be a list of ideas as to what risks can occur. These can
then be subjected to the subsequent steps of the risk management process.
Page 7 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
Description: Enable effective data assessment and aid in determining the significance of the
data set(s).
Page 8 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
A Practical example of its use in Supply chain management for a manufacturer is given below
A set of key parameters is determined where the probability of an event based on a history or
event occurs in a quality metric and is measured against the likely severity if a failure or event
occurs. For the purposes of having a simple measure to high- medium and Low, the Medium
Risk defined as between High and Low Risk. Note that lack of adequate measurement
defaults to higher risk. No Measurement or new Supplier defaults to highest risk element.
Risk*
Risk Element High Medium Low Weight Score
cGMP > Significant quantity and/or severity of > Few or no regulatory 3
Compliance regulatory observations observations
History > Adverse Regulatory Status (e.g., FDA > Few Findings
Consent Decree, Severe or multiple > CAPA on target per schedule
Warning Letters, Official Action > Audit closed on time
Indicated)
> An Area of Special Concern
> Several Major Findings
> Past Due CAPA items
Quality System > High number of deviations per batch > Few to no deviations/significant
Processes > Significant deviations deviations
> Multiple events requiring a major > No market related events 2
quality review > Few to no reworks or
> Product recall and/or market actions reprocessing
> Significant reprocessing of
manufacturing step indicating a
Probability of event
Page 9 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
Risk*
Risk Element High Medium Low Weight Score
Quality/ > Supplier is not willing to accept X > Supplier is in compliance with 2
Technical terms in the quality agreement all the significant requirements of
> Significant deviation(s) from the the quality agreement
Agreement quality agreement
> No Quality Agreement or Quality
Agreement not effective
Technical > Older facility with Poorly operating > Newer facility with 1
Capabilities equipment contemporary technology and
> None or significance Non adherence automation
to maintenance schedule > Highly capable, well-trained
> Lack capable personnel and high staff personnel
turnover > Low staff turnover
> Significant Items for SQRT due to > High volume (non necessarily
technical & supply issues company X brand)
> Infrequent volume - 3 or less batches > Long-term experience with
per year product
> Newer product - Less experience with
product
> Lack of RFT throughout facility > RFT environment 3
operations > Risk assessment is accurate
> Poor Risk Assessment (i.e., Quality (e.g., Science-based compliance
Management is ineffective in assuring decisions)
appropriate decisions) > Quality Management applies
> Lack of continuous improvement appropriate control at the facility
Quality and (e.g., trending, CAPA) > Continuous improvement (e.g.,
Risk Culture > Lack of internal audit and external trending, CAPA)
supplier audit program > Strong internal audit and
> Financially unstable, privately held, external supplier audit program
low investment willingness > Financially stable,
demonstrated willingness to
invest
Supply Chain > Broker in supply chain (Complex) > Supply of API from area of high 5
Security material origin from area of high quality regulatory control
concern > Supply of excipients from area
> supply of API from area of high of high quality regulatory control
concern > non complex supply chain
> Supply of excipients from area of high
concern
Communicatio > Supplier deficient in reacting to and > All issues requiring notification 3
ns notifying X of deviations/changes to X are communicated in a timely
affecting X products manner per the appropriate
with X > Difficult to visit, contact/liaise with. agreement.
> visits are readily accepted and
communication lines smooth
Product > Critical device or injectable/parenteral > Non-registered products 4
Criticality for X > Tablets, capsules and topicals
Consequences of Risk
> Highly potent narrow therapeutic (Non sterile products and API)
range > Not medically critical
> Controlled release pharmaceutical > High Therapeutic Index
> Life-saving product
> Sterile API for use in a non terminally
Sterilized Finished product
Supply Chain > No or very limited product for supply > No issues with supply of 5
continuity > Top value product (may have relative Product to markets
low volume) > Non-critical product or market
> Critical markets
This is plotted onto a Risk Evaluation score matrix of the X – Y plot with Probability the Y axis
and Consequences the X axis.
Some companies may wish to have one total score however this can lead to distortion of the
scoring and the obscuring of a critical risk. Where approach is of value is to use as a metric
on just the probability of an event scoring (single axis) and revisit on a very regular basis.
Page 10 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
Description: PHA applies prior experience and knowledge of a hazard or failure to identify
future hazards or failures.
Examples:
Useful when analyzing existing systems where circumstances prevent a more extensive
technique from being used. Useful early in the development of a project when there is little
information, knowledge, design details, or operating procedures. Can be used on product,
process, or facility design
Page 11 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
• Assemble team
• Describe product / process
• Identify intended use
• Construct process flow diagram (see earlier in tool box)
• Confirm flow diagram on-site.
HACCP is a seven step process that provide for both Risk Assessment and Risk Control. In
essence it is a detailed process flowchart map from raw materials to finished product and
testing, with each identified critical control point on the flowchart identified. The seven steps
are as follows:
A hazard is defined as the potential to harm the consumer (safety and for
pharmaceuticals also efficacy) or danger to the product (contamination).
In considering hazard analysis, all hazards should be listed that reasonably may
occur from incoming materials, production, testing, distribution up to point of use.
Hazard analysis identifies which hazards are such that elimination or reduction to
acceptable levels is essential. It is advisable to separately identify quality, safety and
business risks. Note: FMEA (see below) may be an appropriate hazard analysis tool.
A critical control point is defined as a stage in the manufacturing process (including all
raw materials), which, if not controlled correctly, will cause a threat to safety or a
contamination issue. Having identified the hazards on the flowchart, determine if
there are any that have no critical controls – need to install controls at these points.
Specify critical limits for each CCP. Typical criteria for measurement could be
temperature, time, etc or subjective criteria. Data should be scientifically based and
more than one limit may be necessary for a CCP.
Monitoring must detect loss of control at a CCP and should be recorded. Real time
monitoring enables timely response to trends and prevents deviation from the limit.
Page 12 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
Example: Common use is to identify and manage physical, chemical and biological (including
microbiological contamination) related risks in a process and assess impact of change. This
has been used in the Food industry to identity the key areas in supply and production chain.
In the supply chain can look at multiple supplier chain from a high end customer down to the
base supplier or as part of the whole process flow of components to final service or product
For further information refer to WHO Technical Report 908 (37th Report of expert Committee
on Specifications for Pharmaceutical preparations, 2003).
Reference Microbiology for the analytical chemist, RK Dart, 1996, RSC p100-102
Page 13 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
Fault Tree Analysis (FTA) Description: FTA is a method to identify all root causes of an
assumed failure or problem. The method evaluates system/sub-system failures one at a time,
but can combine multiple causes of failure by identifying causal chains. FTA relies upon
process understanding to identify causal factors.
Examples: Investigating complaints or deviations.
Page 14 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
Carrot Diagram
A carrot diagram is often used to display risks. The high risks (to be reduced) are at the top
and the low risks at the bottom. The middle risks may be described as the tolerable region as
the risks are not insignificant but not practically reduced.
Page 15 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
Brainstorming
This is a key tool to evaluate the risk and identify possible controls. More detail is given in
section 2.3.1
The 4T’s
Risk acceptance is part of risk evaluation and a more details are provided in section 2.7.1.
Page 16 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
CAPA
CAPA (Corrective and Preventative Action) is a term used in Quality Management Systems
such as ISO in a variety of industries but is often poorly understood. Essentially there are
three elements to CAPA.
In terms of Risk Reduction CAPA is a process that compliments other techniques such as
Root Cause Analysis. In order to utilise CAPA for Risk Reduction these basic steps are
followed.
Risk Management aims to be proactive approach. It is likely then that once embedded in an
organisations culture the majority of CAPAs being implemented as risk reduction measures
will be preventative actions rather than corrections or corrective actions.
Page 17 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
carries the risk e.g. not driving a car so as not to have a traffic accident. It could be argued
that this strategy is the safest option to avoid risk completely. In reality however it is difficult
to take this approach to many activities as this strategy would simply mean no process, no
product or no service. Every risk avoided in this way is a loss in potential gain in terms of
business, profit, end-user benefit and/or customer satisfaction.
Risk avoidance is a practical and sometimes only viable approach to risk reduction. However
it must be applied cautiously to ensure the benefit outweighs any alternatives.
Page 18 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
TERMINATE the risk – i.e. stop doing whatever it is that is exposing the business to the risk.
TOLERATE the risk after deciding that the risk has been reduced to an acceptable level.
Checklist
See 2.3 for general detail but a checklist would assist in determining if all steps have been
completed and a decision can be made.
Check the Pareto example in risk acceptance in original versions
RACI – A RACI matrix will ensure that people and their responsibilities in the process are
clearly defined. [LINK]
Page 19 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
1. Contracts: The most formal method is a business contract however this is normally the
method of communicating legal and basic business expectations. A supplementary
technical agreement is a regulatory requirement for pharmaceutical industry to agree,
control and define such matters as: communications, information flow, capabilities,
regulatory requirements and expectations, duties and responsibilities, however the main
sections of these can be torturous to amend quickly.
2. Letter/memo: A formal communication normally reserved for agreeing or approving
actions and expectations. It may contain formal certificates, specifications, processes and
other technical information.
3. E-mail: These may contain electronic copies of draft documents and scanned
agreements, technical information, certificates etc, may be used for agreeing, requesting
or discuss information. This now takes the place of a letter in most matters as well as
being a vehicle for less formal communications.
4. Telephone: Ideas, arrangements, informal agreement and discussion. These may be
added to by use of net meetings and video conferencing if appropriate to the task.
5. Fax: Normally considered as formal as a letter but its use is being replaced by the use of
e-mail.
6. Internet: this is a way of advertising and a source of information however care should
taken to verify information freely adaptable in this way.
7. Face to face meeting to exchange ideas, presentations, carry out audits and come up
with assignments, actions and agreements, Agreements and actions should formally
recorded in minutes or a letter.
8. Minutes are formal records of any type of meeting (or conference) that includes
decisions, agreements and actions. These should be retained as documents in a Quality
management system for audit of a decision or review. An example of this practice is the
retention of meeting minutes for development and design of Medical devices as part of
the device master file.
9. Presentations including graphs, mapping and plans may be shared to show general
proposals and action points but these reflect the author(s) ideas and situation progress.
This is a common way of quickly getting essential points across to explain a situation or
proposal for a wider, possibly less knowledgeable, audience or to get outline
management approval, not normally detailed plans.
Page 20 of 21
A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical,
Medical Device and Allied Industries
Key Performance Indicators (KPI) are measures or metrics used to help an organization
define and evaluate how successful has been in meeting targets, typically in terms of making
progress towards its long-term goals.
KPIs can be specified by answering the question, "What is really important to different
stakeholders?". KPIs may be used to assess the present state of the process or business and
to assist in prescribing a course of action. The act of monitoring KPIs in real-time is known as
business activity monitoring (BAM). KPIs are frequently used to "value" difficult to measure
activities such as the benefits of, engagement, service, and satisfaction.
The type and number of KPIs used differ depending on the nature of the organization, the
process/es being monitored, outputs of the organisation and future strategy. They assist in
evaluating progress towards objectives, especially toward difficult to quantify knowledge-
based goals. However care must be exercised in specifying the correct parameters and
criticality. Too many indicators may swamp the critical indicator that some thing is awry with a
supplier.
A KPI is a key part of a measurable objective, and may be used as a tool in a bench marking
process.
Bench marking is most used to measure performance using a specific indicator resulting in a
metric of performance that is then compared to others.
This then allows organizations to develop plans on how to make improvements or adopt best
practice, usually with the aim of increasing some aspect of performance
Page 21 of 21