Dr. Christopher Joseph Devine, President, Devine Guidance International
Devine Guidance

Purchasing Controls

By Dr. Christopher Joseph Devine
Dr. Christopher Joseph Devine, President, Devine Guidance International

FDA is really taking medical device manufacturers to task in regards to purchasing controls and the overall management of their suppliers. According to Kimberly Trautman, FDA’s current Good Manufacturing Practices (cGMP) and Quality System Regulations (QSR) expert, suppliers providing non-conforming material are directly related to an increase in medical device recalls; which increases the need for effective quality processes to mitigate risk. As the medical device industry continues to grow in leaps and…

Back in January, I expanded on the virtues and the importance of effective processes for purchasing controls and supplier management, collectively. In fact, the U.S. Food and Drug Administration (FDA) is really taking medical device manufacturers to task in regards to purchasing controls and the overall management of their suppliers.

According to Kimberly Trautman, FDA’s current Good Manufacturing Practices (cGMP) and Quality System Regulations (QSR) expert, suppliers providing non-conforming material are directly related to an increase in medical device recalls; which increases the need for effective quality processes to mitigate risk. If you have the chance, Dr. D. strongly suggests that you revisit my series of articles on supplier management that were published in Medical Device Summit back in January and February of this year. These articles provide a significant amount of granularity in support of this week’s Devine Guidance topic—Purchasing Controls.

Remember, as the medical device industry continues to grow in leaps and bounds, industry experts are pullulating with ideas and approaches to effective purchasing controls and supplier management. Also remember, Dr. D., in the pursuit of apotheosis (look-it up time), will always travel the high road, and provide readers with an objective and common-sense approach to compliance.

Warning letter violation
I hope my readers have visited FDA’s database depicting the issuance of warning letters by the agency. If you have, the first thing that you would notice is the significant increase in the number of letters the agency is issuing. If you have not, you do not know what you are missing. My goal, through the penning of Devine Guidance, is to ensure the organizations my readers support are not on the receiving end of an agency’s love letter.

In this week’s edition of DG, the offending medical device manufacturer has failed to establish policies and procedures for clearly defining the requirements for purchased products and services. Now granted, Dr. D. is not a polymer engineer or a resin expert; however, common sense should dictate the need for chemical and physical analysis of resins. Additionally, any type of change, regardless of the change being rooted in material, process, maintenance procedure, etc. the entire process needs to be documented and the results collected as evidence in support of compliance. That said, FDA, and rightly so, awarded this offending medical device manufacturer a warning letter.

Warning Letter (February 2010): Failure to establish and maintain data that clearly describes or references the specified requirements, including quality requirements, for purchased or otherwise received product and services, as required by 21 C.F.R. § 820.50(b). FDA 483 Item 4. Specifically:

a. Your firm has not requested from the foreign supplier certificates of analysis (COA) of the (b)(4) anion resin in order to verify that the received resin material conforms to the resin specifications or recognized AAMI standards for dialysis use. Your firm verbally stated that your supplier’s sales representative kept the COA for you.

b. Your firm has not documented, approved, and maintained written specifications for the replacement carbon that was used to re-bed the carbon tanks, and the (b)(4) anion resin for the mixed-bed D1 tanks. Further, your firm verbally stated that you had changed the supplier of the carbon material in the last (2) years and had not documented a description of the change and approved the change.

Quality system regulation – 21 CFR, Part 820
QSR – Subpart E – Purchasing Controls Sec. 820.50 Purchasing controls
Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.

(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements,  that must be met by suppliers, contractors, and consultants. Each manufacturer shall:
– Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
– Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
– Establish and maintain records of acceptable suppliers, contractors, and consultants.

(b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with 820.40.

Purchasing controls
Dr. D. will begin this week’s analysis with my customary broken record time: “All of the requirements delineated within the QSR require written documentation that defines an organization’s policies and procedures that reflect compliance.” Remember DG Rule # 6—all procedures, work instructions, drawings, specifications, etc. must be written, well-documented, and controlled within a defined document control system. Feel free to reread the doctor’s guidance on document controls, as a refresher.

That said, a procedure or series of procedures, which capture all aspects of the purchasing and supplier control functions needs to be created, including the extremely important Approved Supplier’s List (ASL). Additionally, the intent of the requirement is to ensure procured products and services comply with requirements. Furthermore, your organization needs to define the requirements, in writing. Finally, the documented results, employed for determining if procured products or services reflect compliance with requirements, must be collected and retained. Remember, FDA visits are not audits; they are investigations, with the goal of collecting evidence if compliance to the QSR is not observed. Establishing well-defined requirements, and collecting and retaining objective data to support compliance to requirements, is the best defense during an FDA visit.

Evaluation of suppliers, contractors, and consultants (a)
The process for determining what constitutes an acceptable supplier, contractor, or consultant must be rooted in requirements. And your organization needs to define the criteria for what is deemed an acceptable or qualified supplier. In an earlier edition of DG, I recommended selecting suppliers that have approved EN ISO 13485 or ISO 9000 based quality systems from a recognized registrar or notified body. Will this piece of paper, a.k.a. the quality system certificate equate to selecting a supplier capable of meeting requirements? Of course not; however, having an established and functioning quality system is winning half the battle.

Dr. D recommends a system that places suppliers into categories premised on risk; (a) business, (b) product and (c) patient. The categories will define the amount of control needed for a supplier. For example, critical suppliers such as a sterilization facility or a component identified as critical during the execution of an FMEA should require an initial selection evaluation and probably an annual assessment. A supplier of floor stock items such as fasteners may require only a mail-in assessment with an update once every two-years. A supplier of finger cots may require that only a current copy of their ISO quality system certificate is on file and retained.

Regardless, your organization can exude some common sense and define the requirements. Additionally, Dr. D strongly recommends the assembly of a cross-functional team for an initial supplier assessment. The quality, purchasing, engineering, regulatory functions, etc. bring different insights and perspectives into the assessment process. A 360-degree approach to on-site assessments, supported by a cross-function team, will improve the overall effectiveness of the supplier selection and evaluation process.

When defining requirements, you need to ensure that a path for disqualifying suppliers is also available. The selection criteria should have sufficient granularity that supplier approval categories; e.g., approved, not approved approval pending, probation, or disqualified are delineated. Additionally, supplier requirements will vary depending upon the commodity or service being procured. Supplier-specific requirements must be accounted for as part of defining overall supplier requirements. For example, a supplier of polymers or resins will have different requirements that that of a precision-machining facility.

Furthermore, any special supplier requirements must be defined. Dr. D. recommends creating a supplier agreement for complex relationships that clearly define the roles and responsibilities of the supplier, as well as the procuring organization. Finally, everything associated with purchasing controls and the entire supplier-management process shall be documented. Remember DG Rule # 3: Document the results of all events in writing, because if it is not documented in writing, the event did not occur.

Purchasing data (b)
In the context of the QSR, purchasing data is the creation and collection of all of the documentation needed to accurately define the policies, procedures, requirements, specifications, etc. employed in the procurement of product and services for the medical device industry. It is the hope of Dr. D. that as a minimum, purchase orders are being issued to suppliers, which define with sufficient granularity, the requirements for the products or services being procured. This includes contractors and consultants.

Additionally, FDA recommends the use of agreements with suppliers that clearly delineate a policy for change notification. It is Dr. D’s recommendation that a zero change or no-change policy be pursued. Remember any change that influences the finished medical device, product packaging, or product labeling needs to be evaluated and probably revalidated, when changes occur. Depending on the product classification, a formal review and approval by FDA, e.g. PMA supplement, may be required prior to implementing proposed changes. Finally, all data must be reviewed, approved, and maintained in accordance with the regulation’s requirement for document controls.

Conclusion: Evidence of documentation your best defense
For an in-depth look at effective purchasing controls, I recommend visiting my blog page on Medical Device Summit. In earlier editions of DG, I provided an expanded view of effective approaches to purchasing controls and supplier management, collectively.

As for this edition of DG, the key takeaways are:

  1. Establish well-defined procedures for purchasing controls;
  2. Create an accurate ASL and maintain it accordingly;
  3. Establish categories for your suppliers premised on risk;
  4. Once categories are established audit your suppliers per a predefined schedule and more frequently if issues arise;
  5. When possible, employ cross-function teams during audits;
  6. Use supplier agreements as a tool for managing business relationships;
  7. Ensure an avenue that clearly defines a process for proposed supplier changes exists;
  8. Dr. D. strongly recommends a no-change policy as revalidation efforts can be expensive; and
  9. ll records associated with purchasing controls must be retained, sustained, maintained, and available to the agency so you will not be entertained when they issue a Form 483, for failure to comply.

Remember, evidence of compliance is always an organization’s best defense when FDA shows up on your doorstep for a friendly visit.

In closing, thank you again for joining Dr. D and I hope you find value in the guidance provided. Until the next installment of DG, when I begin discussing Subpart – F: Identification 820.60 and Traceability – 820 .65 – cheers from Dr. D. and best wishes for continued professional success.

References:

  1. Code of Federal Regulation. (2009, April). Title 21 Part 820: Quality system regulation.  Washington, D.C.: U. S. Government Printing Office.
  2. Devine. C. (2009, July). Exploring the effectiveness of defensive-receiving inspection for medical device manufacturers: a mixed method study. Published doctoral dissertation. Northcentral University. Prescott Valley, AZ. 
  3. FDA – U.S. Food and Drug Administration Website. (2010). Warning letters. Retrieved May 25, 2010, from http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/
  4. Poor supplier control causing recalls, FDA says; contract is key to success. (2007, May). The Sheet – Medical Device Quality Control, 11(6). Danvers, MA.

About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International