It never ceases to amaze Dr. D how something as easy to control as your supplier base becomes such a difficult task in a regulated industry. Besides, where does it state in the regulations that medical device establishments are required to audit all of their suppliers? Do you know where you can find this requirement? Well readers, you cannot, because it just does not exist.
In support of complying with Subpart E of 21 CFR, Part 820 (Purchasing Controls), establishments must “establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.” In fact, complying with the requirement is so easy, a caveman or a group of cavemen can do it (thank you GEICO). For those of you that are struggling to comply with 21 CFR, Part 820.50, you have two options: (a) bite the bullet and script a reasonable procedure needed for effective purchasing controls, including supplier management; or (b) embark on a “hegira” to escape the wrath of FDA.
I hope the readers follow Dr. D’s advice and spend some time visiting the agency’s enforcement page each week to see what issues are creating significant angst with FDA. Reading warning letters is an excellent place to start. The warning letter the doctor selected to support this week’s guidance is scripted with one of the agency’s favorite phrases: “your firm failed to establish and maintain.” Remember people, we are not manufacturing toys here, we design, develop, and manufacture finished medical devices and hopefully, devices that are safe and effective in their intended use. Controlling your supplier base should be deemed a mission-critical endeavor considering the products and services procured are part of the entire safety and efficacy equation. Unfortunately, the organization depicted in the following warning letter excerpt failed to understand their responsibility under the Quality System Regulation (QSR).
Warning Letter – Dated 27 January 2014
Your firm failed to establish and maintain the requirements that must be met by suppliers, contractors, and consultants. Your firm failed to evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements, and document the evaluation, as required by 21 CFR 820.50(a).
For example your firm failed to implement its established procedures for purchasing controls. The Amgen Operating Standard for Managing Contractors ((b)(4), version (b)(4), dated December 1, 2012) requires that contractors be evaluated, monitored, and approved. With regards to the (b)(4) located in Building (b)(4) of your firm’s facility, upon request, your firm could not certify that (b)(4), the contractor that serviced the equipment on May 22, 2013, had been evaluated.
In your response you commit to ensuring that service providers conducting preventive maintenance for the X-ray equipment “are evaluated and maintained to the appropriate quality standard.” However, your response is not adequate because you did not describe how appropriate employees will be trained on the new procedures, and you did not provide in your response whether your firm intends to review its records to ensure that those suppliers, contractors, and consultants currently being used by your firm have been appropriately evaluated.
21 CFR, Part 820.50 – Subpart E – Purchasing Controls
Sec. 820.50 Purchasing controls
Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.
(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:
(1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
(2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
(3) Establish and maintain records of acceptable suppliers, contractors, and consultants.
(b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with 820.40.
What must you do to comply?
The beauty of the regulation is that the agency does not dictate to establishments what they must do to support compliance. In fact, the agency gives each of the organizations plenty of rope to support mass hangings. Seriously folks, it begins with organizations defining the requirements appropriate for each supplier. The doctor strongly suggests that you employ risk: (a) business risk; (b) regulatory risk; (c) quality risk; and (d) potential patient risk when establishing supplier requirements and basic requirements for the product and service being procured.
Trust the doctor when I say, I am not proposing that establishments perform 100 percent on-site audits for all of the suppliers. In fact, that approach is just pure lunacy. However, visiting your critical suppliers such as your contract manufacturers, contract sterilizers, or critical component manufacturers is probably warranted. The doctor also recommends that you at least have a basic supplier-quality questionnaire on file for suppliers that provide Parts, Packaging, and Labeling (PPL) that are used in the manufacture, packaging, and labeling of finished medical devices.
Additionally, the doctor recommends collecting current ISO 9001, ISO 13485, and/or ISO/IEC 17025 certificates to support compliance. Furthermore, Dr. D never selects a potential supplier without checking with D & B first. Why? Because selecting a supplier hurtling toward a meeting with a bankruptcy judge is just bad business.
Although supplier management is important, receiving inspection is also of value and unfortunately a necessary evil. However, the doctor hates mindless incoming inspection as it is a drain on resources and most quality professionals agree, it is of limited value. Regardless, FDA is a big fan of having device establishments pursue acceptance activities employing established procedures. Since 100 percent inspection of every single component procured also falls into the category of lunacy, the doctor recommends using a C = 0 sampling plan as part of receiving inspection. The sample size employed can then be linked to risk and the sample size adjusted to support excellent supplier performance and conversely, sample sizes increased to support problem suppliers; and please do not lie to yourselves as every device manufacturer has problem suppliers.
For those problem suppliers, do not be afraid to use one of Dr. D’s favorite acronyms, SCAR. The supplier corrective action request can be a valuable tool when properly employed. For example, you cannot just issue a SCAR and forget about following up with the supplier if a response is not received or the response is unacceptable. Otherwise, you will continue to burn through valuable inspection resources versus having your suppliers actually fix a problem. Make sure you also perform a verification of effectiveness on all SCARs. In fact, for suppliers that you actually decide to audit, make sure a review of all SCARs, opened and closed, is part of the audit agenda.
Finally, “In God We Trust, All Others Bring Data” (thank you Mr. Deming) is an incredibly insightful statement. If you haven’t already noticed, FDA is pretty big on having documented evidence. If none of your efforts associated with purchasing controls are documented, in the eyes of the agency it just never happened. However, for the Chief Jailable Officers (CJOs) in the reading audience, it is your butt hanging out there if your organization lacks documented evidence when the agency shows up for a cup of coffee and an inspection.
For this week’s guidance, the doctor is going to leave the readers with five takeaways:
- The entire purchasing controls process begins with the establishment of well-written procedures. Do yourselves a favor and invest some time into the scripting of a robust SOP.
- Create a supplier evaluation process premised on risk.
- Unfortunately, receiving inspection is a necessary evil; however, the 100 percent inspection of everything purchased is just insane.
- The doctor strongly recommends employing a C = 0 approach for sampling plans as part of receiving inspection.
- “In God we trust, all others bring data” is a salient concept when it comes to collecting and documenting evidence of compliance and one that should always be on the minds of quality professionals. Besides, your CJO will be in a better position to defend claims of compliance during an inspection, with documented evidence.
In closing, thank you again for joining Dr. D and I hope you find value in the guidance provided. Until the next installment of DG – cheers from Dr. D. and best wishes for continued professional success.
- Code of Federal Regulation. (2013, April). Title 21 Part 820: Quality system regulation. Washington, D.C.: U. S. Government Printing Office.
- Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
- FDA’s enforcement page – warning letters. (2014, March). FDA.gov Website. Retrieved March 17, 2014, from