Dr. Christopher Joseph Devine, President, Devine Guidance International
Devine Guidance

Supplier Management – You Own It!

By Dr. Christopher Joseph Devine
Dr. Christopher Joseph Devine, President, Devine Guidance International

To get Devine Guidance off with a bang in 2014, the doctor will begin by broaching a subject that continues to stymie many device establishments around the globe: supplier management and specifically, supplier audits.

Happy New Year! The doctor hopes that all of the readers have a prosperous 2014.

As we move into 2014, Dr. D would like to start the year off with “eupeptic” (Look-it-up) optimism. To get Devine Guidance off with a bang in 2014, the doctor will begin by broaching a subject that continues to stymie many device establishments around the globe, supplier management and specifically supplier audits.

As many of you are already aware, 21 CFR, Part 820.50 (Purchasing Controls) and ISO 13485, Clause 7.4 (Purchasing) do not state medical device establishments must audit their supplier. What is required by device manufacturers is that requirements necessary for the evaluation, selection, and controls employed for supplier management, must be delineated in a written procedure. How much information is required versus how much is too much? Folks, that is entirely up to your organization. However, please keep in mind notified bodies are looking for ways to increase their revenue streams for FY 2014 so please read the fine print in your contracts. Some notified bodies are now requiring that they audit your critical suppliers, especially if your organization is not performing supplier audits (please note: there is no requirement for them to do so; and do not be afraid to push back – they work for you).

Regardless, Dr. D strongly believes in employing a risk-based approach to the selection, evaluation, and defining the overall amount of control necessary to effectively manage suppliers. Enjoy.

Subpart E–Purchasing Controls
Sec. 820.50 Purchasing controls

Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.

(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:

  1. Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
  2. Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
  3. Establish and maintain records of acceptable suppliers, contractors, and consultants.

Recent FDA Warning Letter – December 17, 2013

Failure to implement procedures to ensure all purchased or otherwise received product conform to specified requirements, as required by 21 CFR 820.50. Specifically, your firm’s purchasing control procedures were in draft form and you failed to maintain records of acceptable suppliers.

We reviewed your response to the FDA 483 received on November 22, 2013. You provided a blank vendor survey; however, you have not provided evidence your firm has met the full requirements of 21 CFR 820.50, which includes:

(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, which must be met by suppliers, contractors, and consultants. Each manufacturer shall:

  1. Evaluate and select potential suppliers, contractors, and consultants, on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
  2. Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
  3. Establish and maintain records of acceptable suppliers, contractors, and consultants.

(b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with 21 CFR 820.40.

Risk-based supplier management

As the doctor’s readers are already aware, the doctor is a big fan of Merriam-Webster’s Online Dictionary. Since RISK is a salient factor in effective supplier management, Dr. D is going to provide the readers with a couple of definitions extracted from Merriam-Webster’s.

Risk (noun) has two definitions relevant to this week’s guidance: (a) the possibility that something bad or unpleasant (such as an injury or a loss) will happen; or (b) someone or something that may cause something bad or unpleasant to happen.

It appears that bad or unpleasant is a common theme. If a device establishment fails to employ a risk-based approach to supplier management, bad or unpleasant things will happen. By the way, the doctor strongly agrees in the concept that bad or unpleasant things happen when suppliers are not properly managed. Can you say product recall (Dr. D’s favorite 6-letter word)? Can you say FDA Form 483 observation? Can you say FDA warning letter? Now wait just a minute doctor, are you being just a tiny bit melodramatic? Nope, Dr. D is just being pragmatic.

Risk-based supplier management begins with understanding applicable regulatory requirements, appropriate standards, and the actual composition of your supplier base. Obviously, a written procedure will be required to quantify your organization’s approach to risk-based supplier management into one procedure.

You may choose to include supplier requirements into your organization’s purchasing controls procedures. However, the doctor recommends scripting a stand-alone document. Before starting, Dr. D recommends placing all of your suppliers into categories, premised on Risk! When placing suppliers into categories ensure that multiple types of risk are considered: (a) business risk; (b) regulatory risk; (c) patient risk; (d) user risk; and (e) product risk. Failure to consider all aspects of risk and bad or unpleasant things are bound to happen. That being said, creation of four categories is usually sufficient for device establishments: (a) Category I – High Risk; (b) Category II – Medium Risk; (c) Category III Low Risk; and Category IV – No Requirement. Pretty simply, right? Table 1 contains an example of a supplier requirements table, premised on risk.

Table 1 – Example of Supplier Categories Premised on Risk 
 Risk Category
 Supplier Type   Evaluation Criteria   Re-evaluation Requirement
 I – High   Contract Manufacturer; Sterilization Facility   1. Quality Agreement

 2. No-Change Agreement (if not part of Quality Agreement)

 3. Initial Supplier Quality Questionnaire

 4. On-Site Audit

 5. Copy of D & B Report

 6. Copy of ISO Certs (if applicable)

 Annually

 1. On-Site Audit

 2. Copy of ISO Certs (if applicable)

 II – Medium   Component Manufacturer
 1. Quality Agreement

 2. No-Change Agreement (if not part of Quality Agreement)

 3. Supplier Quality Questionnaire

 4. On-Site Audit (optional)

 5. Copy of D & B Report

 6. Copy of ISO Certs (if applicable) 

 Every 3 Years

 1. Quality Questionnaire

 2. On-Site Audit Optional

 3. Copy of ISO Certs (if applicable)

 

 III – Low   Distributor; Contractors; and Consultants   1. Quality Agreement

 2. Supplier Quality Questionnaire

 3. Copy of D & B Report (as applicable)

 4. Copy of ISO Certs (if applicable)

 5. Resume (if applicable) 

 Every 4 Years

 1. Quality Questionnaire

 2. Copy of ISO Certs (if applicable)

 3. Current Resume (if applicable)

 IV – No Requirements   Business Supplies  N/A    N/A

 

One thing to keep in mind is that it is not practical to perform on-site audits on 100 percent of your supplier base. In fact, your CFO will ensure that such an insane approach to supplier management never occurs. However, it is reasonable to assess high-risk suppliers. In this day and age of virtual device establishments, there is a whole bunch of faith being placed in contract manufacturers and their ability to manufacture medical devices that are safe and effective. Unfortunately, even virtual organizations cannot outsource their quality and regulatory responsibilities. If a finished device has your organization’s name stamped on it or the device packaging, the FDA and regulators from around the globe are going to be either standing on your doorstep or lighting up your phone system if the devices are hurting patients and/or healthcare practitioners. Remember, you own it, not the contract manufacturer. That is why risk-based supplier management is so darned important.

When it comes to scripting the procedure(s), there are some elements the Dr. D strongly suggests that you consider for inclusion:

  • Clearly define the supplier selection, supplier evaluation, supplier re-evaluation, overall approach to supplier controls, and yes, include the supplier disqualification process. Supplier partnerships are like marriages and sometimes they end badly.
  • The doctor recommends having a dedicated supplier questionnaire and a dedicated on-site supplier evaluation form.
  • Work with other functional groups, including legal (if you have one) in creating a robust supplier agreement. The doctor recommends building the “supplier no-changes” requirement into the supplier agreement.
  • The doctor also strongly recommends using Dunn and Bradstreet as these reports provide insight into business risk.
  • Ensure that the supplier management program contains a tool for obtaining corrective action. The Supplier Corrective Action Request (SCAR – great acronym) is an invaluable tool for pursuing and documenting supplier corrective action.
  • Supplier report cards and the use of metrics are an integral part of the supplier management program. It is imperative that suppliers are kept abreast of their performance. Nobody likes surprises.

Takeaways

For this first edition of DG for FY 2014, the doctor will leave the readers with just one takeaway. Bad or unpleasant things will happen to organizations that fail to employ a risk-based approach to supplier management. Remember, device establishments cannot outsource their quality and regulatory responsibilities. Simply stated, if your organization’s name is on the finished medical device or device packaging, you own it. Until the next installment of DG – cheers from Dr. D. and best wishes for continued professional success.

References:

  1. Code of Federal Regulation. (2013, April). Title 21 Part 820: Quality system regulation. Washington, D.C.: U. S. Government Printing Office.
  2. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  3. ISO 13485:2003. (2004, February). Medical devices – quality management systems – requirements for regulatory purposes (ISO 13485:2003).
  4. Warning Letters – Inspections, Compliance, Enforcement, and Criminal Investigations. (2013, December). Retrieved December 30, 2013, from http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2013/ucm379092.htm.

About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International