Dr. Christopher Joseph Devine, President, Devine Guidance International
Devine Guidance

Is Dr. D on Your Approved Supplier’s List?

By Dr. Christopher Joseph Devine
Dr. Christopher Joseph Devine, President, Devine Guidance International

Device establishments must maintain records of acceptable suppliers.

Hopefully, the title of this week’s Devine Guidance (DG) grabbed the attention of the readers. Now granted, considering the number of medtech companies in the world today, the doctor is willing to place a bet and gamble that he is not listed on the vast majority of approved supplier’s lists (ASL) of establishments that are scattered around the globe. However, although Dr. D may not be on your ASL, chances are pretty good that others performing similar tasks such as audits (internal and external), writing submissions, providing quality engineering support, and filling short-term roles (i.e., purchasing, quality, regulatory, R & D, etc.) are listed on your ASL. If they are not, they should be, as it is a fundamental requirement of 21 CFR, Part 820.50. In fact, if an establishment fails to list contractors and consultants on their ASL, including identifying the evaluation requirements for these roles, the Chief Jailable Officer (CJO) risks being on the receiving end of a Form 483 observation during an agency inspection. For all of you CJOs out there, the FDA will never feel a tinge of schadenfreude (look-it-up) when writing a boatload of Form 483 observations during an inspection. It is their job to investigate and document compliance issues and concerns. Enjoy!

Warning Letter – July 11, 2017

If the warning letter used as a reference in this week’s DG looks familiar, you are not dreaming; it is the same one used as a reference in Dr. D’s previous article. It appears the FDA’s focus on device establishments has not been as numerous versus previous years. In fact, as of late, the establishments playing in the “vape” space have targets on their backs instead. Simply stated, smoking is bad for the readers, and the FDA wants to influence the bad choices individuals are making. The end result is Dr. D must get as much mileage as possible out of warning letters issued to recently identified offending establishments. As mentioned in the previous DG, this establishment was on the receiving end of eight Form 483 observations. As many of the readers already know, eight Form 483 observations typically will result in the issuance of a warning letter. Although there is no set rule cast in stone, the more Form 483’s issued, the increased likelihood of a warning letter being awarded. Can you say directly proportional? Well, almost directly proportional.

Warning Letter Excerpt

Observation Seven (6) – “Failure to establish and maintain procedures to ensure that all purchased or otherwise received products and services conform to specified requirements, as required by 21 CFR 820.50. Specifically, Your Purchasing and Vendor Requirements procedure, QI-741, Rev 004, dated 11/3/2016, is inadequate in that:

a) Consultants and contractors (test service lab) are not listed in your purchasing control procedures, and have not been evaluated; and requirements, including quality requirements have not been established, as required by 21 CFR 820.50.

b) Quality requirements have not be established or evaluated for your high risk component suppliers, as required by 21 CFR 820.50(a). You have not required or evaluated processes at several suppliers that require validation of the process to manufacture the part/component. For example, parts/components have undergone processes such as injection molding, anodization and powder coating at the supplier and you do not require these processes be validated and have not included process validation during your evaluation.

c) The type and extent of control has not been adequately defined for products based on evaluation results, as required by 21 CFR 820.50(a)(2). Specifically, your Purchasing and Vendor Requirements procedure does not describe the point values for any of your performance indicators nor does it describe the rating system associated with the assignment values.

d) Consultants, testing services and off-the-shelf components used by your firm are not listed on your approved supplier list, as required by 21 CFR 820.50(a)(3).”

Subpart E – Purchasing Controls

21 CFR, Part 820.50 – Purchasing Controls

“Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.

(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements that must be met by suppliers, contractors, and consultants. Each manufacturer shall:

(1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.

(2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.

(3) Establish and maintain records of acceptable suppliers, contractors, and consultants.

(b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with §820.40.

Compliance for Dummies

Let’s begin with establishing some common ground. For starters, I believe the readers can agree with Dr. D that a written procedure is required to be established (define, document and implement) for purchasing controls. Dr. D’s preference is to have separate procedures for purchasing, supplier controls and receiving inspection, the three salient elements of purchasing controls. Although it is acceptable to have one very large and concise procedure, it becomes quirky when procedures grow too large. Who in the heck wants to read a 20-page procedure (potentially larger) anyhow? The doctor thinks the FDA investigators might. After all, it is the investigator’s job to understand an establishment’s level of compliance with their own procedures and collectively their compliance with the quality system regulation (QSR).
It is also important to develop supporting forms that result in the collecting of relevant information that can be shared with FDA to support claims of compliance. However, please keep in mind, the content of supplier audits does not need to be shared with FDA, only documented evidence that they are being performed. So let’s begin with discussing some reasonable approaches to purchasing controls.

For starters, device establishments are required to maintain records of acceptable suppliers in accordance with §820.50(a)(3). The most widely accepted way of documenting the status of suppliers is through the use of an ASL. Additionally, the doctor strongly recommends placing suppliers into categories, driven by risk. For example: (a) Patient risk, (b) user risk, (c) device/design risk, (d) regulatory risk, (e) quality risk, (f) statutory risk, etc. These categories can be used to drive the requirements for supplier selection, re-evaluation and deliverables. Most of the device establishments that Dr. D audits during the course of year have at least three categories. A handful may have four categories and fewer yet, some have five categories. For example, a Category I supplier (highest risk) may have the following requirements prior to the listing of a supplier on the ASL (e.g., contract manufacturer):

  • Supplier questionnaire
  • On-site supplier evaluation (mandatory)
  • Supplier change/no-change agreement
  • Supplier quality agreement
  • Non-disclosure agreement
  • Applicable ISO accreditation, e.g., ISO 13485:2016 (required)

A Category II Supplier may have reduced requirements such as (e.g., custom component manufacturer such as a CNC machining facility):

  • Supplier questionnaire
  • On-site supplier evaluation (optional)
  • Supplier change/no-change agreement
    Supplier quality agreement
  • Non-disclosure agreement
  • Applicable ISO accreditation, e.g., ISO 13485:2016 (preferred but not required)

Requirements for Category III suppliers can be further reduced to include (e.g., distributor)

  • Supplier questionnaire
  • Non-Disclosure agreement
  • An ISO accreditation (send one if you have it)

Requirements for a Category IV supplier (e.g., consultant or contractor) may entail the collection of a resume or other qualifying document such as a lead auditor certification.

Not wanting to state the obvious but obliged to do so, some of the documentation (forms) needed to support a fully-functional approach to purchasing controls include:

  • ASL
  • Purchase requisition
  • Purchase order
  • Supplier questionnaire
  • On-site evaluation checklist
  • Non-disclosure agreement
  • Supplier change/no-change agreement
  • Supplier quality agreement
  • Supplier Corrective Action Report (SCAR)
  • Supplier add and removal forms for controlling the ASL
  • Supplier score card
  • Receiving inspection (inspection instructions and data collection sheets)
  • Discrepant material report (Non-conforming material report)
  • Supplied data sheet
  • Sampling plans
  • Any other document needed to make your approach to purchasing controls manageable

There are a few more points the doctor would like to make before bringing this week’s guidance to an end. One: There is no requirement to perform on-site audits on every supplier. There are a few contractors and consultants out there that preach 100% on-site supplier audits is a requirement. If such an individual graces your lobby with their presence, kick them out and lock the doors. There is no such requirement. Two: Each establishment can decide what their approach to purchasing controls will look like. Identify an approach that works for your establishment and run with it. Document the approach and collect the appropriate documentation to support compliance. Three: Keep meticulous records to support claims of compliance. If the FDA wants to see documented evidence of supplier audits, provide an agenda, audit plan and signature sheet. Remember, the contents of supplier audits are off-limits to the FDA. Four: It is an acceptable practice to employ external auditors to perform your supplier assessments. Make sure external auditors are qualified in accordance with ISO 19011 requirements.


Purchasing controls is actually an extremely large topic. Dr. D understands that a brief article cannot possibly cover all of the ins and outs of purchasing controls and supplier management. That being said, the doctor will leave the readers with three takeaways. One: Contractors and consultants must be incorporated into your purchasing controls. Make sure these individuals are placed onto your ASL. Two: It is acceptable to scale a purchasing controls program to meet your establishment’s size and needs. There is no on-size-fits-all approach to creating an effective purchasing control’s program. Three: Remember, there is no requirement to share the content of supplier audits with our dear friends from FDA. Establishments only need to provide documented evidence that such audits are being performed, if identified by procedure. In closing, thank you again for joining Dr. D, and I hope you found value (and some humor) in the guidance provided. Until the next installment of DG, cheers from Dr. D., and best wishes for continued professional success.


  1. Code of Federal Regulation. (April 2016). Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
  2. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  3. Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 Compliance. Charleston, SC: Amazon.
  4. FDA. (July 2017). Inspections, Compliance, Enforcement, and Criminal Investigations. National Biological Corp.. Accessed July 23, 2017. Retrieved from https://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2017/ucm566621.htm

About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International