Guest Column | October 2, 2020

A Quality Agreement Primer: Managing Risk When Working With Contractors

By Crystal M. Booth, PSC Biotech

With many companies utilizing contract manufacturing and contract laboratories, quality agreements are extremely important. A quality agreement defines the quality parameters as well as who is responsible for those parameters. This is part one of a three-part series that explores quality agreements, regulations, guidelines, and working with vendors to ensure quality expectations are met. Part one discusses identifying key risks in partnering with contract companies and working with vendors. In part two, we explore the regulations and enforcement activities that govern quality agreements, and in the third part, we examine what to include in quality agreements and who should be responsible for the assigned tasks.

A third party, also known as a vendor or contract company, is a company that provides a service or product that is not provided by the primary company. Most commonly, contract companies can be laboratories, manufacturers, or service providers. Primary companies, or owners, can use contract companies for many reasons. These reasons can include:

  • A need for a quick turnaround time
  • A need for expertise the primary company may not have
  • A need for required resources
  • A need for temporary assistance
  • A need for infrastructure or extra capacity

While using contract companies can ease the burden of primary companies, using third parties comes with risks that need to be managed. Primary companies need to ensure that vendors are complying with regulations, protecting confidential information, avoiding unethical practices, maintaining supply chain security, delivering high quality and high performance, and properly handling disruptions.1

Identifying Key Risk Areas In Partnering With Third Parties

Risk mitigation can be managed using a variety of tools, including quality agreements. “A quality agreement is a document that defines both specific quality parameters for a project and which party is responsible for the execution of those parameters.”2 Quality agreements should assure full cGMP compliance, facilitate consistent delivery of safe and effective medicines, and define, establish, and document each party’s responsibilities.3 When writing a quality agreement, all aspects that impact a product’s identity, quality, safety, potency, purity, or compliance status should be included.2

To minimize risks with vendors, the risks must first be identified. Identifying potential risks helps you to understand, prepare, and create mitigations for the potential problems before they occur. Some key risk areas and thought-provoking questions for risk mitigation include:

  • Subcontractors often use subcontractors (i.e., fourth-party contractors).
    • Who will audit, maintain, and approve fourth-party contractors?
    • Set up the expectations regarding fourth-party contractors in advance.
  • Subcontractors may not always adhere to quality agreements.
    • Subcontractors try to manage many quality agreements.
    • The more items you change in the contractor’s quality agreement template, the greater the risk the subcontractor will make a mistake.
  • Using subcontractors comes with potential compliance risks.
    • Is the subcontractor accredited or audited by regulatory agencies?
    • Do they routinely follow cGMPs?
    • Do they have a good audit history?
  • Using subcontractors could pose reputation risks.4
    • Does the third or fourth party have a good reputation?
    • If not, their poor reputation could jeopardize the reputation of your products.
  • Using subcontractors could increase performance risks.4
    • Subcontractors are busy. What if their equipment breaks?
    • Example: During testing performed in a sterility isolator, the VHP generator stops working. This could cause a delay in testing and product release.
  • Subcontractors could produce poor quality products or reject product batches.
    • What if the subcontractor makes a mistake and the product fails specifications?
    • Who is responsible for the costs?
  • Using subcontractors could have data integrity risks.5
    • Does the subcontractor follow data integrity rules?
    • Data integrity refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).
  • Beware of cost differences.4 Subcontractors do not all charge the same amount for the same or similar services.
    • Are the subcontractors overcharging you?
  • Subcontractors could have data breaches.4
    • What if data or confidential information is exposed?

Keeping these risks and questions in mind while creating the quality agreement will help you create a clear quality agreement with clear expectations, roles, and responsibilities.

Working With Vendors

Despite the risks, it may be necessary to work with subcontractors. Start by developing a plan. Identify the need for a vendor and decide what the vendor can do to help. Establish clear roles and responsibilities regarding who will obtain documents from vendors and monitor vendor performance.6 Identify several vendors able to perform the work and obtain quotes from them to ensure you are getting the best service for the best price. Finally, decide which vendor sounds like a good fit for the organization and choose accordingly.

Do your due diligence. Review the potential risks of using a subcontractor. Determine if the proposed vendor is audited by an outside party, such as the FDA,6 and research the contract company’s reputation and regulatory history. Consider what types of data are accessible by the contract company and what types of transactions they will be performing.6

Audits are a great way to help mitigate risks. Perform routine on-site audits or paper audits of the contract company, depending on the criticality of the project.

Expect there to be some contract negotiation. Work with the vendor to develop a mutually agreed upon quality agreement. Contract negotiation may take several rounds of red-lines, emails, phone calls, and meetings. Remember that all employees who must know the contents of the quality agreement to perform their job should be included in the drafting of the quality agreement. Include the company lawyers if needed.

All parties involved will have SOPs that must be followed. If either side strays too far from the vendor’s quality agreement template, the risks of failure to adhere to the agreement and to established SOPs will increase. For example, if the vendor’s SOP requires keeping raw data for seven years and the primary company insists on changing the requirement to 10 years, the vendor may accidentally dispose of the raw data at the seven-year point.

Be knowledgeable of the vendor’s use of fourth parties.

When executing quality agreements, the contract company should execute the work according to the agreed-upon plan and all roles and responsibilities of all involved parties should be clearly stated and followed; this will be addressed in detail in part three of this series.7 It is important that the quality agreement and the cGMPs are followed.7 Any communications regarding changes, change controls, deviations, investigations, OOSs, or back orders should occur regularly.7

Good vendor management requires ongoing monitoring to make sure that the vendor continues to meet expectations. Review reports from the vendor to monitor their performance on a periodic basis6 and perform periodic cGMP audits of the vendor; don’t forget about any fourth-party contractors that are used.

Termination of the service may be required at some point. Have a backup plan prepared ahead of time to know what to do if the relationship needs to be terminated.


Identifying the risks of working with contractors helps the primary company to understand and mitigate the risks before they occur. When working with vendors, expect there to be some contract negotiation. Audit the vendors periodically to ensure they are performing the quality of work you expect them to perform. If the vendor is not performing up to par, the contract may need to be terminated, so be prepared with a backup plan. Be knowledgeable of the use of fourth parties. Be clear on roles and responsibilities in the quality agreement. Also, be aware of the reputation of the vendor you choose to do business with. If the vendor has a poor regulatory history, this could harm your reputation as well.

In part two of this three-part series we explore the regulations and enforcement activity of quality agreements.


  1. Metric Stream (2019) 9 Best Practices to Jumpstart your Third-Party Management Program. Accessed on September 17, 2020 at
  2. Trag, Arvilla (2017) The 5 ‘W’s of Quality Agreements. MasterControl. Accessed on September 17, 2020 at
  3. Katz, Paula (2016) Putting the ‘Quality’ in Quality Agreements for Contract Manufacturing Operations. Food and Drug Administration (FDA) Downloads. Accessed on September 17, 2020 at
  4. Steinkamp, Ron (2017) The Reality of Risk in Third-Party Contract Relationships. Accessed on September 17, 2020 at
  5. Food and Drug Administration (FDA) Guidance for Industry. Data Integrity and Compliance with cGMP (April 2016). Accessed on September 17, 2020 at
  6. Houshian, Andrew (2017) Third-Party Vendor Management Best Practices. A-LIGN. Accessed on September 17, 2020 at
  7. Food and Drug Administration (FDA) Guidance for Industry. Contract Manufacturing Arrangements for Drugs: Quality Agreements (November 2016). Accessed on September 17, 2020 at

About The Author:

Crystal M. Booth, M.M., is a regional manager with PSC Biotech. She has over 20 years of experience in pharmaceutical microbiology, working in quality assurance, CDMOs, R&D, and quality control laboratories, including startup companies. During her career, she has developed and validated methods for antibiotics, otic products, topical creams, topical ointments, oral solid dose products, oral liquid dose products, veterinary products, human parenterals, vaccines, biologics, aseptically filled products, and terminally sterilized products. Those methods include microbial limits testing, bacterial endotoxins testing, particulate testing, sterility testing, pharmaceutical water system validations, environmental monitoring programs, surface recovery validations, disinfectant efficacy studies, minimum inhibitory concentration testing, antimicrobial effectiveness testing, hold time studies, and various equipment validations.