Happy New Year! The doctor hopes that all of the readers have a prosperous 2014.
As we move into 2014, Dr. D would like to start the year off with “eupeptic” (Look-it-up) optimism. To get Devine Guidance off with a bang in 2014, the doctor will begin by broaching a subject that continues to stymie many device establishments around the globe, supplier management and specifically supplier audits.
As many of you are already aware, 21 CFR, Part 820.50 (Purchasing Controls) and ISO 13485, Clause 7.4 (Purchasing) do not state medical device establishments must audit their supplier. What is required by device manufacturers is that requirements necessary for the evaluation, selection, and controls employed for supplier management, must be delineated in a written procedure. How much information is required versus how much is too much? Folks, that is entirely up to your organization. However, please keep in mind notified bodies are looking for ways to increase their revenue streams for FY 2014 so please read the fine print in your contracts. Some notified bodies are now requiring that they audit your critical suppliers, especially if your organization is not performing supplier audits (please note: there is no requirement for them to do so; and do not be afraid to push back – they work for you).
Regardless, Dr. D strongly believes in employing a risk-based approach to the selection, evaluation, and defining the overall amount of control necessary to effectively manage suppliers. Enjoy.
Subpart E–Purchasing Controls
Sec. 820.50 Purchasing controls
Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.
(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:
Recent FDA Warning Letter – December 17, 2013
Failure to implement procedures to ensure all purchased or otherwise received product conform to specified requirements, as required by 21 CFR 820.50. Specifically, your firm’s purchasing control procedures were in draft form and you failed to maintain records of acceptable suppliers.
We reviewed your response to the FDA 483 received on November 22, 2013. You provided a blank vendor survey; however, you have not provided evidence your firm has met the full requirements of 21 CFR 820.50, which includes:
(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, which must be met by suppliers, contractors, and consultants. Each manufacturer shall:
- Evaluate and select potential suppliers, contractors, and consultants, on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
- Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
- Establish and maintain records of acceptable suppliers, contractors, and consultants.
(b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with 21 CFR 820.40.
Risk-based supplier management
As the doctor’s readers are already aware, the doctor is a big fan of Merriam-Webster’s Online Dictionary. Since RISK is a salient factor in effective supplier management, Dr. D is going to provide the readers with a couple of definitions extracted from Merriam-Webster’s.
Risk (noun) has two definitions relevant to this week’s guidance: (a) the possibility that something bad or unpleasant (such as an injury or a loss) will happen; or (b) someone or something that may cause something bad or unpleasant to happen.
It appears that bad or unpleasant is a common theme. If a device establishment fails to employ a risk-based approach to supplier management, bad or unpleasant things will happen. By the way, the doctor strongly agrees in the concept that bad or unpleasant things happen when suppliers are not properly managed. Can you say product recall (Dr. D’s favorite 6-letter word)? Can you say FDA Form 483 observation? Can you say FDA warning letter? Now wait just a minute doctor, are you being just a tiny bit melodramatic? Nope, Dr. D is just being pragmatic.
Risk-based supplier management begins with understanding applicable regulatory requirements, appropriate standards, and the actual composition of your supplier base. Obviously, a written procedure will be required to quantify your organization’s approach to risk-based supplier management into one procedure.
You may choose to include supplier requirements into your organization’s purchasing controls procedures. However, the doctor recommends scripting a stand-alone document. Before starting, Dr. D recommends placing all of your suppliers into categories, premised on Risk! When placing suppliers into categories ensure that multiple types of risk are considered: (a) business risk; (b) regulatory risk; (c) patient risk; (d) user risk; and (e) product risk. Failure to consider all aspects of risk and bad or unpleasant things are bound to happen. That being said, creation of four categories is usually sufficient for device establishments: (a) Category I – High Risk; (b) Category II – Medium Risk; (c) Category III Low Risk; and Category IV – No Requirement. Pretty simply, right? Table 1 contains an example of a supplier requirements table, premised on risk.
Table 1 – Example of Supplier Categories Premised on Risk | |||
Risk Category |
Supplier Type | Evaluation Criteria | Re-evaluation Requirement |
I – High | Contract Manufacturer; Sterilization Facility | 1. Quality Agreement
2. No-Change Agreement (if not part of Quality Agreement) 3. Initial Supplier Quality Questionnaire 4. On-Site Audit 5. Copy of D & B Report 6. Copy of ISO Certs (if applicable) |
Annually
1. On-Site Audit 2. Copy of ISO Certs (if applicable) |
II – Medium | Component Manufacturer |
1. Quality Agreement
2. No-Change Agreement (if not part of Quality Agreement) 3. Supplier Quality Questionnaire 4. On-Site Audit (optional) 5. Copy of D & B Report 6. Copy of ISO Certs (if applicable) |
Every 3 Years
1. Quality Questionnaire 2. On-Site Audit Optional 3. Copy of ISO Certs (if applicable)
|
III – Low | Distributor; Contractors; and Consultants | 1. Quality Agreement
2. Supplier Quality Questionnaire 3. Copy of D & B Report (as applicable) 4. Copy of ISO Certs (if applicable) 5. Resume (if applicable) |
Every 4 Years
1. Quality Questionnaire 2. Copy of ISO Certs (if applicable) 3. Current Resume (if applicable) |
IV – No Requirements | Business Supplies | N/A | N/A
|
One thing to keep in mind is that it is not practical to perform on-site audits on 100 percent of your supplier base. In fact, your CFO will ensure that such an insane approach to supplier management never occurs. However, it is reasonable to assess high-risk suppliers. In this day and age of virtual device establishments, there is a whole bunch of faith being placed in contract manufacturers and their ability to manufacture medical devices that are safe and effective. Unfortunately, even virtual organizations cannot outsource their quality and regulatory responsibilities. If a finished device has your organization’s name stamped on it or the device packaging, the FDA and regulators from around the globe are going to be either standing on your doorstep or lighting up your phone system if the devices are hurting patients and/or healthcare practitioners. Remember, you own it, not the contract manufacturer. That is why risk-based supplier management is so darned important.
When it comes to scripting the procedure(s), there are some elements the Dr. D strongly suggests that you consider for inclusion:
Takeaways
For this first edition of DG for FY 2014, the doctor will leave the readers with just one takeaway. Bad or unpleasant things will happen to organizations that fail to employ a risk-based approach to supplier management. Remember, device establishments cannot outsource their quality and regulatory responsibilities. Simply stated, if your organization’s name is on the finished medical device or device packaging, you own it. Until the next installment of DG – cheers from Dr. D. and best wishes for continued professional success.
References: