Improve Supply Chain Security: An Overview of Our Supplier-Led Working Group’s Whitepapers

In the pharmaceutical industry, ensuring the integrity of the supply chain, material quality, and patient safety is paramount. One of the tools that organizations use to achieve these goals is the audit process. Knowing the right steps to follow will help you streamline your supply chain audit process and improve supply chain security. How do life sciences leaders like you find information that helps create efficiencies in the supply chain?

Sharing information is part of the mission at Rx-360. For information about supply chain security, the Supplier-Led Working Group at Rx-360 has shared perspectives and worked collaboratively to create guides about GMP audits, vendor selection, the threat of illicit medicines and more.

  • GMP Audits: With the increasing complexity of global supply chains, ensuring Good Manufacturing Practices (GMP) is paramount. The working group has shared best practices and methodologies to conduct thorough and effective GMP audits, ensuring that every link in the supply chain adheres to the highest standards.
  • Vendor Selection: Choosing the right vendor is a critical aspect of supply chain security. The Supplier-Led Working Group has provided valuable insights into the criteria and processes that organizations should consider to select vendors that align with their supply chain security objectives.
  • Threat of Illicit Medicines: The global pharmaceutical supply chain is not immune to the infiltration of counterfeit or substandard medicines. By sharing information on the latest threats, trends, and mitigation strategies, the working group plays a vital role in safeguarding the integrity of medicines and, by extension, patient safety.
  • Collaborative Approach: Beyond these specific areas, the Supplier-Led Working Group emphasizes the importance of collaboration in enhancing supply chain security. By pooling resources, knowledge, and expertise, the group ensures that the broader pharmaceutical community benefits from shared experiences and lessons learned.

Rx-360’s dedication to sharing information, particularly regarding supply chain security, underscores its role as a leader in the pharmaceutical industry. Through the collaborative efforts of the Supplier-Led Working Group, Rx-360 continues to pave the way for a more secure, transparent, and resilient supply chain, ultimately serving the greater good of patients worldwide.

This article provides a brief overview of the top articles created by the Supplier-Led Working Group in order to spread best practices for supply chain security.


Whitepaper 1: Managing Critical Vendors

Managing Critical Vendors [DOWNLOAD]

A critical vendor can be defined as: A vendor that is deemed to be the major or sole provider of critical materials and/or services, whose failure to supply goods and/or services would have the most significant impact on the organization/business.

This paper covers critical vendors that supply manufacturers (customers) of regulated products. The focus will be limited to first tier vendors. The process and best practices discussed are focused on regulatory areas of scrutiny but are able to be applied to other areas of quality concern.
The manufacture of medical products, drugs and devices is highly regulated all over the world. All aspects of the manufacturing process, from product design to product delivery, require documented procedures. Key points in the process also require quality oversight and, where needed, testing. Risk assessment to determine the critical areas of the process is now mandatory for regulated companies and is required for non-regulated companies that follow the ISO 9001 quality management system starting in 2015. One very important part of the whole manufacturing process is the proper sourcing and management of vendors that provide goods and services to the regulated company. This is one area in which it is very important to assess risk in order to properly manage production.

Every company should develop a program to assess and evaluate risk to determine the most critical vendors of their manufacturing process. Regulated companies have additional considerations when evaluating critical vendors. Such a program should focus on factors that can potentially disrupt the supply chain such as single source, regulatory compliance, unique capabilities of the vendor, and limited sub-tier suppliers to a key supplier. Both proactive and reactive monitoring should be utilized when managing critical vendors.

While a risk assessment or risk evaluation can be used as a tool to develop a plan to address potential issues, no plan is 100% perfect and sometimes unforeseen problems occur. When issues arise that affect a critical vendor, an action plan needs to be developed to mitigate the situation and prevent a disruption to the supply chain. This is especially true if the cause of the issue is related to regulatory compliance.


Who Should Download Managing Critical Vendors?

Regulated industry (i.e. medical products, drugs and devices) is one that relies heavily on suppliers for the provision of materials (e.g. APIs, packaging components, excipients, etc.) and/or services (e.g. sterilization, testing, warehousing/distribution, etc.) to support their core business. Failure to meet regulatory and compliance requirements would potentially have a serious impact on the reputation and financials of an organization. The extent of the impact associated with supplier non-compliance varies and will depend on how critical the supplier is to the organization. Having a well-defined process for identifying and monitoring critical vendors is key to mitigating such risk. The following provides a summary of criteria to distinguish a critical supplier, recognizing that the distinction should be applied specifically and customers should be wary of identifying broad categories of suppliers as critical (e.g. although certain API suppliers may be critical vendors, not all API suppliers should automatically be considered critical).

Identifying critical vendors should be an integral part of the supplier qualification process. Factors that can be used to identify critical vendors may include, but are not limited to, the following:

  1. Criticality of the materials and/or services to the business. Materials and/or services associated with the production of drug product and/or medical device that are i) medically necessary (lifesaving) and ii) have limited alternatives, should be considered critical.
  2. Availability of the material and/or service. Materials and/or services that are provided by a limited number of suppliers or by a sole supplier pose a higher risk to the business.
  3. Number of products/material supplied. The higher the number and/or volumes of material sourced from a supplier, the greater the risk to the supply chain.
  4. Financial impact. This factor can be measured by how significant the disruption of supply of critical material and/or services by a supplier would be.


Guidelines for Evaluating a Critical Vendor

Due diligence is an imperative step of the supplier qualification process by which a supplier’s suitability can be evaluated. When evaluating a critical vendor, a customer should perform a comprehensive due diligence assessment.

It is very important to develop a process for monitoring potential regulatory issues that can arise for a customer’s vendors, especially critical vendors. Developing a program to identify events of concern, together with a notification process, is beneficial in managing any regulatory issues of concern.

There has been a surge over the past 5 years in reported data integrity issues in both the North American and European markets. Because of this, regulatory bodies have placed increased scrutiny on issues related to data integrity during inspections. Any risk evaluation should be performed within the scope of the customer’s established internal SOPs.

Measures to control, reduce, and ultimately eliminate the non-compliance and the potential deleterious impact or liability caused by the non-compliance issue must be taken in order to assure product safety and to restore the situation to a state of compliance. The approach and actions taken will vary depending on the nature of the non-compliance issue identified and whether it is a systemic or isolated issue. In all cases, for controls and risk mitigation to be effective, the situation must be viewed holistically including short term and long term measures.


Guidelines for Remediation with Critical Vendors

An important part of the overall remediation process is to manage the issue of concern through the vehicles used to identify key problems or non-conformances. All non-conformances must be acted upon by the critical vendor. This includes audit findings, both internal and external, deviations and any non-conformances discovered by a regulatory agency. All of these must go through a well-defined investigation and Corrective & Preventive Action (CAPA) process.

The observations or findings made should be evaluated by risk evaluation as to the criticality of the critical vendor and the critical vendor’s ability to provide the company with products or services that are compliant with current regulations. The evaluation should include the potential regulatory impact or actions that might come against the critical vendor which would impact their ability to operate.

“Prevention is better than cure.” Identifying critical vendors at the earlier stages of the supplier qualification process will ensure that they are subjected to appropriate controls and monitoring levels. The level of visibility to supplier operations is essential for an early detection of potential quality and compliance concerns.



Whitepaper 2: Quality Elements of GMP Providers

The purpose of this document is to outline those basic GMP elements that may be required of suppliers whose products or services eventually enter the supply chain for the manufacture and delivery of regulated medical products. When established and followed, these GMP elements help to assure product quality, minimize compliance risk to the manufacturer, and protect patients. This document addresses the risks involved regarding the intended use vs. actual use of products and services.

Quality Elements of GMP Providers [DOWNLOAD]

Medical products are items used to diagnose, treat, cure, mitigate or prevent disease in patients. These include pharmaceutical products and medical devices. The manufacture of medical products that are used in the United States, and in many other countries, is regulated by Good Manufacturing Practices (GMP) and Quality System Regulations (QSR). These regulations, which are nearly identical in many countries, cover not only the manufacture of finished products, but may also encompass starting and intermediate materials and related services that are a part of the supply chain for those medical products. The result is that many medical product manufacturers require products or services from providers who adhere to GMP/QSR (collectively, “GMP”) as well.

Adoption of GMP can provide advantages to suppliers, including expanded market opportunities with the added benefit of increased profitability through improved manufacturing techniques.


Who Should Download Quality Elements of GMP Providers?

This document applies to all suppliers of products or services that have an impact on GMP processes within the supply chain for commercial manufacturing and delivery of regulated medical products.

The GMPs referred to within the document are related to regulated medical products manufacturing. When established and followed, these GMP elements help to assure product quality, minimize compliance risk to the manufacturer, and protect patients. The target audience for this report is suppliers of starting and intermediate products and related services within the supply chain used by manufacturers of medical products subject to GMP regulations. This document is written with a focus on the supplier, but explanations and expectations of the customer are also described.

Although medical product manufacturers commonly expect their suppliers to comply with regulations to which they are subject, not all products, materials or services supplied to medical product manufacturers need to meet GMP requirements. Further, not all suppliers are aware of how their products will be utilized by their customers. As such, intended use, design-use, and applied use by the customer are not always in alignment with the supplier’s own product or service specifications. This misalignment is a common occurrence that can result in conflict between suppliers and customers and in some cases, may lead to regulatory action for non-GMP compliance against the end-user.


Best Practices of GMP

These principles are the backbone of a good data integrity program.

  • Validation of Input Data
    Data should always be properly checked before it is used and allowed into a data storage system.
  • Access Controls
    Data must be tightly regulated to ensure only those with proper authorizations have access to data.
  • Audit Trails
    There needs to be a mechanism in place to track the source and history of the data. There also needs to be documentation any time the data is adjusted in any way.
  • Data Backup
    For electronic systems, data needs to be backed up so that it can be recovered in the event of a system failure.
  • Data Integrity Audits
    Data integrity should be included in the internal audit program as a critical process. The auditor should have a prepared checklist based on the concepts listed here to investigate for documented evidence that the data integrity program exists, and that the area is compliant with any policies or procedures.



Whitepaper 3: Best Practices Quality Agreement Guide Version 3.0

Best Practices Quality Agreement Guide Version 3.0 [DOWNLOAD]

This Best Practices Quality Agreement Guide is intended to assist both Customers and Suppliers in efficiently managing the initiation, negotiation, implementation, and ongoing maintenance of quality agreements. “Supplier” is used broadly in this document to refer to a company that provides materials, products, or services. Establishing a quality agreement can be time-consuming as negotiations, misunderstandings, and inflexibility frequently cause delays in the process.

This guide contains some best practices, sample language, external references and resources, along with solutions to routine issues that come up during the quality agreement process. Perspective from both suppliers and manufacturers presents a balanced view designed to assist both parties in achieving a complete, concise agreement. Flexibility and compromise are needed in order to understand and work together to meet the requirements of both parties.

What Is The Quality Agreement Process?

The objective of the Supplier Quality Working Group is for this guide to help facilitate a more efficient and effective quality agreement negotiation process. As with all other documents we have published, this document will be reviewed and updated based on the most current industry and regulatory practices. This paper establishes a process for ensuring supply chain security in quality agreements in the following steps:

  • Scope
  • Structure
  • Framing Content
  • Technical Content
  • Negotiate
  • Review
  • Signature

Scoping Quality Agreements: It is recommended that the scope of the Quality Agreement should cover the purpose and scope to specify the relationship between the two or more parties; product(s)/service(s) covered under the agreement; terms of the agreement; responsibilities of each party related to quality activities; and communication mechanism and contacts.

Read best practices for this step in Best Practices Quality Agreement Guide Version 3.0 [DOWNLOAD]

Format and Structure: The FDA recommends quality agreements “[…] should not cover general business terms and conditions such as confidentiality, pricing or cost issues, delivery terms, or limits on liability or damages” (FDA Guidance for Industry: Contract Manufacturing Arrangements for Drugs: Quality Agreements).

Read best practices for this step in Best Practices Quality Agreement Guide Version 3.0 [DOWNLOAD]

Content: The content of a quality agreement is contingent on the type of supply (e.g., Active Pharmaceutical Ingredients, Excipients, Components, Single-Use Products for manufacturing, Ancillary materials, Bulk Product, Finished Product, Medical Devices, etc.) or service (e.g., Contract Laboratories, Warehousing, Carriers, etc.) and the scope of the agreement.

Read best practices for this step in Best Practices Quality Agreement Guide Version 3.0 [DOWNLOAD]

Technical Content: Other important terms might not be consistently defined in guidelines and/or regulations. It is advisable that both Customer and Supplier mutually agree on definitions for terms with a potential for misinterpretation. The interpretation of terms will vary depending on industries, business relationship, regions, as well as internal policies/procedures at Supplier or Customer.

Read best practices for this step in Best Practices Quality Agreement Guide Version 3.0 [DOWNLOAD]

Negotiation and Review: Negotiation will become significantly easier and faster if standardized templates – ideally pre-reviewed by Legal – are used. The “time argument” will also be most convincing for a number of suppliers or customers to accept the use of a standard template (“if we can agree upon the ABC template, we may be ready for signature within two weeks”).

Read best practices for this step in Best Practices Quality Agreement Guide Version 3.0 [DOWNLOAD]

Signing and Maintaining Agreements: The purpose of a signature is to authenticate writing, or provide notice of its source, and to bind the individual entity signing the writing by the provisions contained in the document. Signing the document is not simply writing one’s name on a piece of paper. The signature means that the person agrees to the conditions outlined and also agrees to perform the actions stated in the contract. The person signing pledges to follow the rules and also pledges to accept the consequences if they fail to do so.

Tips for Using This Guide

The sections are presented in the process flow, reviewed above, of implementing a Quality Agreement. Throughout this document, Best Practices and Tips are outlined in a red box, with appendices offering a set of comprehensive tools to aid in developing a quality agreement program, including:

  • Content Regulatory References
  • Sample Content Selection Matrix
  • List of Industry Templates and Guides



Whitepaper 4: GMP Audit Manual

This audit manual provides an approach for GMP auditing and self-assessment of pharmaceutical manufacturers, contract manufacturers and laboratories for data integrity elements. This includes the manufacture and testing of human and veterinary medicinal products regulated by FDA, intermediates, active pharmaceutical ingredients (APIs), excipients and raw materials critical to product quality. The target audience for the audit manual is GMP auditors and stakeholders including those who have limited experience with data governance and data integrity expectations and enforcement practices.

This audit manual addresses the integrity and trustworthiness of GMP records within the regulated pharmaceutical industry. This includes the manufacture and testing of human and veterinary medicinal products regulated by FDA, intermediates, active pharmaceutical ingredients (APIs), excipients and raw materials critical to product quality. Audits of software vendors are not within the direct scope of this manual.

GMP Audit Manual [DOWNLOAD]

How to use this guide to improve supply chain security?

The manual is divided into three major sections addressing Computer System Validation, QC Laboratories, and Manufacturing.

  • Computer System Validation: Computerized system validation (CSV) is the documented process of assuring that a computerized system does exactly what it is designed to do in a consistent and reproducible manner.
  • QC Laboratories: The section underscores the significance of training in Good Documentation and Data Integrity Practices, the control and archiving of laboratory forms, and the establishment of clear documentation procedures, including data generation, processing, review, and approval.
  • Manufacturing: Manufacturing should have the same data integrity controls as those described previously in laboratory systems. Data should be managed similarly to laboratory data, based on critical process parameters (CPP) and documented risk assessment.

Each of these sections is divided into subsections. While there is some duplication among the sections, duplication has been limited as much as possible. It is important to read the audit manual in its entirety because topics apply broadly and have not been completely repeated in all three sections. Topics including data governance and process mapping are explained in detail in the ISPE Data Integrity Guide and should be utilized to enhance the utility of the audit manual.



Whitepaper 5: The Threat of Illicit Medicines

Understanding the Threat of Illicit Medicines: An Overview of Counterfeit, Tampered, Unapproved and Diverted Pharmaceuticals

The Threat of Illicit Medicines (2 Parts) [DOWNLOAD]

Illicit medicines are a global concern for patients, healthcare professionals, regulators, and manufacturers. For the purposes of this paper, illicit medicines are defined to include counterfeit, tampered, unapproved and diverted drugs.

  • Counterfeit Medicines are made or altered by a party other than the manufacturer with intent to deceive. They are not equivalent to the genuine product in safety, efficacy, and quality. At best, they are of unknown composition and may be ineffective, and at worst harmful to patients.
  • Tampered Medicines are defined as medicines that have been intentionally and improperly altered without the knowledge of the product’s owner or eventual user.
  • Unapproved Medicines are drug products that have not been approved by a country’s health authority for product quality and efficacy or patient safety.
  • Diverted Medicines are redirected from the manufacturer’s intended area of sale or destination to a different geography or distribution channel. They may be genuine but may not have the properties that doctors/pharmacists expect (if they are imported products) and may be subject to mishandling and inappropriate storage conditions that may impact product quality. They typically contain packaging and information leaflets in foreign languages for foreign markets that are not approved by the local health authority and are considered misbranded.

Considering that patient safety is the priority for the industry, pharmaceutical manufacturers should have a process dedicated to the identification and prevention of illicit medicines in the marketplace. This document provides a general overview of the definitions, sourcing, and distribution of illicit medicines in the finished form that enable pharmaceutical companies and other supply chain partners to have a foundational understanding of this issue, and aid in their ability to detect, deter, and to establish appropriate controls for Illicit Medicines in the supply chain. This document is meant to provide a basic understanding but does not seek to provide exhaustive or detailed guidance.


Responding to the Threat of Illicit Medicines: Methodologies for Monitoring, Investigation & Stakeholder Engagement

Patient safety is the highest priority for industry; therefore, pharmaceutical manufacturers should have processes and capabilities dedicated to identifying and detecting illicit medicines and preventing their distribution. This document provides a high-level summary of Supply Chain Security (SCS) practices and tools that pharmaceutical companies, and other supply chain partners, can use to help detect, deter, and prevent the distribution of illicit medicines. This document is meant to provide a basic understanding but does not seek to provide detailed guidance.

Illicit medicines are often distributed through unauthorized channels or illicit markets. They can also be inserted into legitimate distribution channels. Many illicit products are distributed through online sellers such as trade boards, individual ad listings, online pharmacies, and social media apps, and through illegitimate physical supply chain outlets such as flea markets, body builder networks and health/nutraceutical stores. They can also be sold through legitimate sources where the buyer is unaware that they are buying illicit products. Different illicit product types may be mixed.

Supply Chain Security Methodologies

A manufacturer’s direct control over the manufacturing, distribution, and monitoring of its products provides opportunities to identify product-specific threats and implement protective measures that prevent, limit, and/or rapidly detect issues of illicit products. This includes information on products, logistics, quality reporting, internal testing capacity, and additional assets that are within the direct access and control of the manufacturer.

There are five supply chain security practices that can help manufacturers identify, investigate, and react to the sale and distribution of illicit products within the direct control of the manufacturer.

  1. Product Security Threat Risk Assessment
  2. Product Security Features and Serialization
  3. Leveraging Existing Internal Systems and Processes
  4. Incident Management
  5. Suspicious Product Verification

Explore these best practices in The Threat of Illicit Medicines (2 Parts) [DOWNLOAD]

There are also five best practices for the external environment. A significant amount of information can be learned from external signals and other sources of information from outside of the company. These include:

  1. Threat and Signal Database and Intelligence System
  2. Theft Monitoring and Analysis
  3. Monitoring the Internet
  4. Monitoring of Physical Operations
  5. Test Purchase Capabilities

Explore these best practices in The Threat of Illicit Medicines (2 Parts) [DOWNLOAD]

How Can You Make Stakeholders Aware of Supply Chain Security Measures?

The importance of communication and awareness to detect and prevent illicit trading of pharmaceuticals cannot be overstated. Companies should have a process for educating their supply chain partners, both internally and externally, about signs of potential illicit activity that should be reported to the manufacturer and health authorities, and about the procedure for reporting them. This is a critical step in enabling enforcement actions and other risk mitigation actions. Best practices include:

  1. Internal Communication and Education
  2. Working with Outside Agencies and Other Industry Organizations
  3. External Communication and Education

Explore these best practices in The Threat of Illicit Medicines (2 Parts) [DOWNLOAD]

The distribution and sales of illicit medicines are a global concern for pharmaceutical patients, healthcare providers, regulators and manufacturers. This document has provided a general overview of the definitions, sources, and distribution of illicit medicines in the finished form, as well as a high-level summary of Supply Chain Security (SCS) monitoring practices and tools that pharmaceutical companies can use to help detect, deter, and to establish appropriate controls in the supply chain.


Choosing Rx-360 stands as a testament to prioritizing patient safety and supply chain security. Unlike many audit partners you might come across, we operate on a nonprofit basis, ensuring that your best interests are always at the forefront. While third-party options might seem cost-effective, they often lack the transparency that we guarantee. Moreover, by sponsoring an audit with us, you have the potential to earn back through licensing credits. At the heart of it all, Rx-360’s unwavering commitment is to uphold the quality and safety of healthcare materials, ensuring that patients receive the best care possible. If you have any further questions, please refer to our FAQs or reach out to our dedicated team through Brian Shipley at