The incompetence exhibited by some device establishments never ceases to amaze old Dr. D. Now granted, occasionally an establishment will end up with one or two Form 483 observations during a visit from the FDA when they arrive at an establishment’s front door for a cup of coffee and an inspection. However, when the number of Form 483 observations reaches 13, the offending device establishment better begin to pursue some serious organizational soul searching. Even better advice, begin mitigating the observations quickly. The doctor has to believe paroxysms (look-it-up) of paranoia are haunting the management team of an offending establishment that racks up 13 Form 483 observations, as well they should. Seriously, some real bad regulatory mojo has just been unleashed on this week’s offending establishment, courtesy of FDA and the issuance of a warning letter. Enjoy!
Warning Letter – September 30, 2015
With a selection of 13 observations, the doctor had to choose just one observation worthy of writing. The doctor loves to focus on procedures, especially ones that are being ignored. According to the warning letter, the offending establishment scripted a procedure for purchasing controls that required suppliers to be evaluated, with basic information such as supplier no-change agreements being placed into the purchase order. Unfortunately, the SOP was being completely ignored. In fact, when questioned by the investigator, the firm replied that: (a) it was not using the supplier evaluation form; (b) it did not have a product specification; (c) it did not have defined product requirements; and (d) there were no purchasing agreements with suppliers. So much for having an SOP for purchasing controls.
Warning Letter Excerpt
Observation Five: “Failure to establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements, as required by 21 CFR 820.50. For example:
Your firm has not documented or implemented the evaluation of suppliers per the requirements in your firm’s SOP, QSP04 “Purchasing Control”, Revision A, no date of issuance.
Specifically, the procedure states in section 4.2.1 that all suppliers of goods and services including contractors, sub-contractors, and consultants are evaluated before issuing a purchasing data. The evaluation may be very simple such as having a potential supplier complete the Supplier Evaluation Form. Section 4.2.4 of the procedure, states that the evaluation of potential supplier is documented and maintained as part of the quality records.
Your firm was asked to provide Supplier Evaluation forms for the IVD devices it manufactures including devices for HIV I/II, HBV and HCV. Your firm stated that it has not utilized this form for any of its suppliers.
Section 4.3.2 of the procedure, notes that where applicable, documents such as the product specification and quality requirements are indicated on the purchase order or attached. The purchasing data shall also stipulate that the supplier agrees to [notify] Lusys Laboratories, Inc. of any changes made to the product and/or terms of the service so that Lusys may determine whether the change may [affect its] final products.
When asked by the investigator, your firm stated it has not documented product specification and/or quality requirements for product received from its suppliers nor does it have any purchasing agreements with any of its suppliers.”
“Your response dated 03/03/2015 is not adequate. You responded that “A formal supplier qualification procedure will be drafted to ensure all materials and services meet Lusys quality specifications”. Your firm did not, however, submit any documentation or provide evidence of establishing and maintaining procedures to ensure that all purchased or otherwise received product and services conform to specified requirements for its IVD devices including devices for HIV I/II, HBV and HCV. Your firm also did not provide evidence of implementation of a corrective action to include a retrospective review of the purchasing control procedures to ensure product specification and/or quality requirements are documented as required. In addition, no date was provided for when corrections associated with this observation would be resolved.”
21 CFR, Part 820.50 – Purchasing Controls
“Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.
(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:
(1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
(2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
(3) Establish and maintain records of acceptable suppliers, contractors, and consultants.
(b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with §820.40.”
Compliance for Dummies
For readers who have been following Devine Guidance, you already know that Dr. D loves to preach about purchasing controls and supplier management. It is one of his favorite topics. It is also one of the easier Quality System Regulation (QSR) requirements in which to comply. Compliance is 100% in the hands of the establishment. The establishment defines the purchasing and supplier controls, including receiving inspection. If the supplier management process is premised on collecting an ISO 13485:2003 or an ISO 9001:2008 (now 2015) certificate and the process is effective, go with it. However, best practice is to link the supplier management process to risk—always. In fact, Dr. D recommends paying a visit to high-risk suppliers and kicking the proverbial tires (e.g., performing a supplier assessment).
Additionally, the doctor cannot fathom placing a purchase order with a supplier without providing clear and concise instructions in the purchase order and ensuring a copy of the actual drawing/specification is actually attached to the purchase order. Can you say Approved Supplier’s List (ASL)? Seriously, suppliers, contractor and consultants (e.g., Dr. D) are required to be evaluated. As the doctor has already alluded, the evaluation process is entirely up to the establishment. However, the process better be documented and effective.
Furthermore, supplier assessments are records that an establishment does not have to share with FDA. However, documented evidence that the evaluations are being performed must be shared with the agency, upon request. If an establishment is performing supplier assessments, Dr. D recommends scripting an evaluation plan (all assessments) and agenda (for on-site assessments) and having these available for FDA as documented evidence. Before the doctor forgets, ensure an annual supplier assessment schedule is also available.
Moreover, establishments should employ risk to their benefit. This can be accomplished by assigning categories to suppliers premised on risk. For example, a contract manufacturer should always be considered high risk. As such, they can be placed into Category 1, with specific evaluation requirements defined. For example, a Category 1 supplier could be required to:
- Complete a supplier quality questionnaire
- Pass an initial supplier evaluation
- Sign a supplier agreement, including a no-change requirement
- Have a valid ISO 9001 or ISO 13485 accreditation
- Provide inspection data with each shipment
- Be registered as an establishment with FDA
- Require an annual supplier evaluation
A Category II supplier (e.g., metrology facility) could be required to:
- Complete a supplier quality questionnaire
- Have a valid ISO/IEC 17025:2005 accreditation
- Be evaluated once every three years (or when their ISO/IEC 17025 certificate expires)
A Category III supplier (e.g., contractor or consultant) could be required to:
- Complete a supplier quality questionnaire
- Provide a resume and appropriate certification(s)
- Be evaluated once every five years
If you do not like the doctor’s recommendations, establishments are free to develop requirements that make sense for their business model. Seriously, complying with §820.50 is that simple!
Finally, do not forget about receiving inspection (RI). As an old quality guy, Dr. D absolutely hates RI. In fact, the doctor wrote his entire doctoral dissertation on the effectiveness of supplier management and RI. RI equates to spending money. The equipment can be expensive. Depending on where the facility is located, inspector time can be expensive. Do yourself a favor and place the inspection burden on your suppliers. Device establishments pay top dollar for the product and services, so hold your supplier base accountable. However, in the end: “Trust, but verify.” Suppliers providing inspection data to support evidence of compliance is a real money saver if the program is established correctly. The end result is inspectors can be redeployed performing value-added services such as supporting R&D with first article inspections as new products are developed.
For this week’s guidance the doctor will leave the readers with three takeaways. One: Purchasing controls is mandated by the QSR and as such, a procedure must be fully established (defined, documented, and implemented). Two: Establishments have a free hand in establishing a purchasing controls program that is suitable and scaled for their businesses. Three: Please do not be the establishment that scripts a procedure and then fails to actually follow the procedure (e.g., fail to establish). Bad mojo is in the future for establishments that fail to follow their own procedures. In closing, thank you again for joining Dr. D, and I hope you find value in the guidance provided. Until the next installment of DG, cheers from Dr. D. and best wishes for continued professional success.
- Code of Federal Regulation. (April 2015). Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
- Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
- Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 Compliance. Charleston, SC: Amazon.
- FDA. (September 30, 2015). Inspections, Compliance, Enforcement, and Criminal Investigations. Lusys Laboratories, Inc. Accessed October 26, 2015. Retrieved from http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2015/ucm465999.htm