John Avellanet

April 1, 2010

10 Min Read

A growing trend in US Food and Drug Administration (FDA) warning letters has been citations for “no justified rationale.” Since 2004, warning letters taking companies to task for poorly documented decision-making and risk-assessment practices has more than doubled — from two in 2004 to four in 2008 and five in 2009. These citations are always in relationship to risk-based decisions: sampling (what, how often, and how much), nonconformances and corrective/preventative actions (when is “root cause” actual root cause, when and why should an open nonconformance investigation be closed out), and clinical data decisions (what data to include or exclude, what patients to include or exclude).

As the FDA continues to cajole companies to adopt risk-based quality systems, such citations are becoming more common. One area increasingly coming under fire for poor decision-making is supplier oversight. Of the eleven warning letters noted above, 30% are directly related to supplier selection, qualification, and control. Unfortunately, try as you might to nail down your supplier quality management standard operating procedures and forms, poor documentation and records will betray you.

In an interview for my client newsletter, former FDA prosecutor Nancy Singer noted, “Companies are full of what I call document ‘land mines,’ written statements in the company’s paper or electronic files that create havoc when uncovered in an inspection” (1). Such land mines can be found in a company where decisions about product safety and quality intersect with supplier management.

Regulatory Expectations: When it comes to controlling risk and documenting decisions related to supplier management, FDA officials expect you to balance safety and quality with your available resources and time. As CDRH quality systems expert Kim Trautman put it in August at the Supplier Quality Management Congress, 20 August 2009 in Washington, DC, “You can’t put the same level of scrutiny on all your suppliers as you do on your critical suppliers. There has to be a balance. It’s up to you define what the appropriate balance is for your company based on risk to patient, product quality, efficacy, and other such factors. You have to use risk management principles like those in ICH Q9 (2). You have to assess your risks, decide on controls, and document this.”

Outside the context of a conference, risks are not so neatly assessed, and decisions are not so nicely documented. This is where companies get into trouble.

Document Land Mines

Over the course of several days in August and September, I interviewed Singer for my SmarterCompliance FDA regulatory intelligence newsletter concerning mistakes companies continue to make that get them in trouble with the FDA (1). During her time with the US Department of Justice, she prosecuted seven medical device and biopharmaceutical companies and their executives for violating FDA statutes and regulations.

Singer is now president of the Compliance Alliance consultancy ( and spends a significant portion of the year providing corporate workshops to executive teams and companies on document land mines that can get them into trouble. When it comes to supplier oversight and risk-based control records, she noted three common types of document land mines: meeting minutes, memos to files, and documents stamped CONFIDENTIAL or FOR INTERNAL USE ONLY.

In meeting minutes, companies too often capture what each individual at a meeting says. For instance, “Mary said we should ask the distributor to recall the product. John said that he was concerned about the effect of a recall on the bottom line. The decision was not to recall the product.” When found in your product or supplier files, all such meeting minutes do is give inspectors ammunition to dig deeper and question individuals about off-the-cuff remarks they make at meetings when they might not have all of the facts. To eliminate this type of land mine, it is better to state the overall conclusion alone: “The team decided not to recall the product when a health hazard analysis revealed that there would be no harm to patients.”

Memos to files can be tricky. FDA inspectors tend to take a negative view of them. A positive use of a file note can be when executives realize their company has a gap in its compliance program and decide to take action to resolve it. For instance, after an FDA inspection of supplier controls one of my clients realized that it did not have any real integration among the quality management team, the regulatory affairs group, and the supply chain management staff. As a result, the company brought me in to conduct a full gap analysis and present a set of recommendations and options. It then used the memo-to-the-file format to document that process, including decisions made on which recommendations to undertake and the priorities and timelines for each activity.

According to Singer, where companies get into trouble with file memos are when the memos are clearly written in an attempt to protect the company or its employees from legal and administrative penalties, criticism, or other punitive measures. In the situation above, after FDA inspectors uncovered the lack of integration among compliance teams, the executives might have written self-justification memos stating their views about solving the issue and pointing fingers at who or what got in the way — or noting that the inspectors had exceeded the scope of their inspection in pointing out the lack of a holistic compliance strategy. Such a memo to the file would be classified as a document land mine that would give future inspectors impetus to dig deeper. If the company were ever sued, that file memo would give ammunition to opposing counsel for painting a picture of executive ineptitude and self-interest.

Stamping CONFIDENTIAL or FOR INTERNAL USE ONLY on documents is a subtler land mine because it gives employees a false sense of security. Here my experiences in defending quality systems and internal corporate documents to outside litigators back up Singer’s explanation. Just because something is stamped CONFIDENTIAL or FOR INTERNAL USE ONLY does not keep it from being subject to review and public disclosure in the event of a lawsuit — nor does it mean FDA inspectors will ignore the document.

Supplier-Specific Land Mines

When it comes to unwittingly endangering yourself in supplier management and controls, look no further than your supplier qualification and management files and your supplier corrective and preventative action (CAPA) files. Singer suggests that biotech companies be careful in how they phrase their supplier-related CAPAs. I recommend further that before implementing your CAPA program — or constructing your CAPA files — you carefully determine what documents you actually need to retain in your CAPA file and what to be cautious about. For instance, most CAPA files that I’ve seen are not simply plain manila folders with a single, filled-out CAPA form in each. Instead, they have printed-out copies of email threads, meeting agendas, investigation notes, and so on. Think about what an inspector will surmise when he or she stumbles on a printed email thread with one vice president’s note reading, “I know this goes against the regs, but this investigation is taking too much time; [the supplier] is complaining that they’ll have to start charging us more if we continue to delay any further. We should just close it and wait for the government to take regulatory action.” Is this the type of opinion you actually want to retain in company records?

When I give presentations on building defensible documents and putting in place FDA records-retention programs, I suggest that every standard operating procedure (SOP) should have a section that clearly spells out what records are produced as part of it. In the case of a supplier CAPA file, that might be a CAPA form, the root-cause summary found in an investigation, and the verification report showing whether the preventative controls work(ed). Assuming your company also conducts a periodic quality systems management review, that might have a reference to the specific CAPA. But that’s it; more records could increase the potential of document land mines.

The same holds true for your supplier selection, qualification, and management files. I suggest that clients maintain a “communication matrix” for all their critical suppliers. It would identify who at each company plays a role equivalent to quality manager, regulatory affairs manager, computer department manager, and so on. Then the client staff should query their counterparts periodically through the year to check in and learn what might have changed or is planned that didn’t come through more formal communication channels. In each supplier file, the company would have its actual matrix — no email strings or personal notes from individual conversations. Specifying the documents to retain for proving compliance helps to lower the risk of creating and retaining document land mines.

Supplier-Related Litigation and Land Mines: Inevitably, most companies will be involved in a lawsuit with at least one supplier. Files and documents related to that supplier — CAPA files and supplier management files — will be subject to discovery and disclosure in such a lawsuit. And those records may also be made public. For example, note the current release of correspondence and files between GlaxoSmithKline and several of its suppliers in the Paxil litigation.

One of my biggest surprises over a decade ago occurred when I became accountable for records at a biotechnology and medical device company involved in litigation. The “open window” opposing counsel and plaintiffs had for reviewing our internal documents and correspondence was staggering. And the penalties for not handing over requested documents and emails were millions of US dollars. In my experience, document land mines become very expensive and very dangerous very fast.

Training to Control Risk

In addition to determining ahead of time what records will be retained in FDA files, a further measure to control the risk of document land mines is training employees and management how to craft documents and correspondence that, as Singer points out, reflect your company’s “commitment to making safe and effective products that comply with regulatory requirements” (1). This is not something you can simply pick up along the way in your career.

From Singer’s experience, senior managers need to understand how often their employees write inappropriate statements in company documents and correspondence. Middle management and line supervisors need to recognize such statements (e.g., document land mines), know what to do when they’re uncovered, and learn how to work with staff and line workers to prevent such problems in the future. Employees need to understand what document land mines are, how easily they can slip into files, and how to minimize their chances of creating such problems. To tackle this segregation, Singer divided her own corporate workshop, “Dangerous Documents: Avoiding Land Mines in Your Emails and FDA Documents,” into three different levels: one for senior management, one for middle management, and one for general employees.

Such a tiered approach to training is the same method I noted as being increasingly tied to effective training in a recent teleconference for FOI Services ( called “Making Required FDA Training Captivating.” Information retention among attendees at tiered training sessions jumps tenfold over the one-size-fits-all approach (3). Different types of documents and records are created at different levels of an organizational hierarchy, so a tiered and targeted approach provides a better means to get your environment under control.

Final Thoughts

A company’s records contain the proof of its decisions, thought processes, and commitment to product safety, efficacy, quality, and regulatory compliance. Document land mines draw attention to noncompliance. When it comes to supplier records — especially supplier qualification and management files, supplier CAPA files, and correspondence — the company carries a significant amount of risk. To control that risk, take a tiered approach to train personnel how to minimize document land mine creation, decide ahead of time what records to retain for every process, and make sure you stay abreast of evolving FDA expectations when it comes to documenting risk-based decision-making.

As we proceed down the product lifecycle path embodied in quality by design and ICH guidelines, our documented decisions travel with us. As Nancy Singer frequently notes, “Our documents are like diamonds: They are precious and last forever.” To control risk throughout a product’s development, manufacture, distribution, and postmarket surveillance, a sponsor company needs to minimize the creation of document land mines for inspectors to find and cite. There is no better place to start than in supplier selection, qualification, and oversight. Are you ready?


1.) Avellanet, J, and N. Singer. 2009. Former FDA Prosecutor on Document Mistakes. SmarterCompliance 3:8-9.

2.) 2006. ICH Q9: Quality Risk Management. Fed. Reg. 71:32105-32106.

3.) Finch, J, and E. Montambeau. 2000.Retention Rates from Different Ways of Learning, NTL Institute, Arlington.

You May Also Like