Devine Guidance

Purchasing Controls is not Rocket Science!

By Dr. Christopher Joseph Devine

A well-balanced purchasing controls program encompasses many tools, but in an effort to meet the requirements delineated within §820.40, the FDA expects establishments to have certain elements in place.

Folks, for this week’s guidance the doctor will cover a topic that has always been near and dear to Dr. D’s heart: purchasing controls. And before you start making snide comments under your breath, yes, the doctor does have a heart. Just kidding – the doctor is heartless. Seriously, Purchasing Controls (Subpart E), in Dr. D’s humble opinion, is one of the Quality System Regulation’s (QSR) easier requirements to comply with. After all, the FDA does leave the creation of a suitable approach to purchasing controls in the hands of the establishment. Please keep in mind there is nothing in the regulation that states on-site supplier audits are mandatory. In fact, §820.50 does not contain the word “audit”. The approach pursued to ensure that all purchased items meet an establishment’s specified requirements is completely up to the establishment to define. However, here lies the problem. Each establishment must decide what the requirements are and then establish (define, document, and implement) an appropriate procedure or set of procedure(s) to drive compliance to the requirement. Remember, in the eyes of the FDA (and Dr. D) there is no such thing as minimum compliance; there is no such thing as maximum compliance; there is only compliance! That being said, FDA investigators are not prone to varied or captious (look it up) interpretations of the regulations. If an establishment fails to comply with the QSR, the investigator commences with the scripting of the Form 483 observation. If an establishment earns enough Form 483 observations during an inspection, then a prized agency warning letter will be forthcoming. Enjoy!

Warning Letter – 20 February 2015

Purchasing controls definitely do not fall into the category of rocket science. If an establishment’s procedure entails collecting supplier questionnaires and ISO certificates, and they can convince an investigator that the approach is effective (supported by documented evidence of compliance), then as long as the process is documented in a procedure, it should be acceptable to FDA. However, the establishment that is the subject of this week’s Devine Guidance missed one tiny-little step—they failed to document, in writing, how their suppliers are evaluated, selected and controlled. Additionally, the offending establishment provided the FDA with a less-than-stellar response to the Form 483 observation. Ouch! In fact, make that a double ouch!

Warning Letter Excerpt

Observation Five (5): “Failure to establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements, as required by 21 CFR 820.50. Specifically, your current purchasing control procedure does not define the type and extent of control to be exercised over vendors and/or products based on the results of that evaluation.”

“We reviewed your firm’s response and conclude that it is not adequate. Your revised procedures do not define the type/extent of control based on ability of the suppliers to meet your requirements. The provided procedures appear to be focused on the qualification of your suppliers. Although it appears you have grandfathered your long time vendors, it does not appear that you have adequately established an approved supplier list or have established the criteria for your potential critical vendors.”

Subpart E – Purchasing Controls

Section 820.50 – Purchasing Controls

“Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.

(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:

(1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.

(2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.

(3) Establish and maintain records of acceptable suppliers, contractors, and consultants.

(b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with 820.40.”

Compliance for Dummies

There is a plethora of tools device establishments can employ in support of effective purchasing controls. Some of the tools typically employed by establishments consist of: (a) supplier questionnaires; (b) on-site evaluations; (c) the collection of ISO certificates; (d) supplier no-change agreements; (e) supplier contracts; (f) supplier-provided inspection data (a.k.a., supplied-data program); (g) ship-to-stock programs; (h) defensive receiving inspection; (i) well-written specifications; (j) purchase orders (no verbal orders please); (k) creation of an approved supplier’s list (ASL) and (l) Dr. D’s favorite, supplier corrective action requests, a.k.a., the SCAR. Typically, a well-balanced purchasing controls program will encompass many of the tools mentioned in the previous sentence. However, in an effort to meet the requirements delineated within §820.40, there are certain elements the FDA will expect each establishment to have in place.

  1. The FDA requires that a well-written procedure with sufficient granularity describing the procurement process be scripted. Remember, the FDA is very clear about ensuring “suppliers, contractors, and consultants” are being evaluated as part of the procurement process. The procedure(s) must clearly define the how products or services are procured and what steps are used to verify compliance to the establishment’s specifications. Unfortunately, some level of inspection will be required. Most establishments employ receiving inspection (RI); however, Dr. D views RI as an expensive proposition. Device manufacturers spend top-dollar for their products and services, so the expectation is that suppliers should always meet specifications. That being said, establishments should place the burden of inspection where it belongs, with the suppliers (trust but verify).


  2. If the inspection burden is placed on the shoulders of an establishment’s supplier, feel free to use a supplied-data program. The supplied-data program requires suppliers to provide statistical data to support compliance with an establishment’s specifications and requirements. Instead of spending a ton of money on inspection, the establishment reviews the data and determines if the supplier met specification and/or requirements.


  3. It is always prudent to perform and on-site audit on critical subcontractors and crucial suppliers (note: terminology aligns with 2013/473/EU) before placing an initial order. Sustaining audits can be employed to assess ongoing supplier compliance with statutory and regulatory requirements. Dr. D recommends creating supplier categories and noting the categories on the ASL. High-risk suppliers such as critical subcontractors and crucial suppliers should be reassessed at a rate to commiserate with risk. The doctor recommends auditing critical subcontractors at least annually (e.g., contract manufacturers and sterilization facilities). Note: establishments do not have to share the results of supplier audits with the FDA, only evidence that they are being performed (if audits are part of an establishment’s program).


  4. In many cases, the use of a supplier questionnaire and the collection of an ISO certificate will suffice. However, the doctor recommends collecting new ISO certificates when the old ones expire and collecting new questionnaires once every three years.


  5. In a perfect world, a SCAR would never be required; however, Mr. Murphy is alive and well in the device industry. Dr. D recommends that two levels of SCARs be employed: (a) “information only” for minor issues and annoyances; and (b) “response required” for major screw-ups. Do not be afraid to hold suppliers accountable!


  6. The agency does not like surprises; and establishments should never tolerate surprises from their suppliers. To prevent such surprises from happening, establishments should script and have their suppliers sign no-change agreements. In fact, Dr. D recommends writing detailed supplier quality contracts that delineate all quality requirements that a supplier should meet and the ramifications for failure to meet the defined requirements.


  7. Although the QSR does not mention the use of an ASL, the FDA (enough acronyms for you) will expect to see the ASL during one of their friendly visits for a cup of coffee and an inspection. The ASL should contain sufficient information so the status of a supplier can be quickly ascertained. Additionally, the requirements for placing a supplier on the ASL and removal of a supplier from the ASL should be clearly defined within a procedure.


  8. Always use written purchase orders when placing an order for product or services. The purchase order should be accompanied by all of the necessary documentation needed by a supplier to successfully manufacturer a product or provide a service. If the requirements change, the establishment should create and issue a change order, accompanied by all of the necessary documentation, and send it to the supplier.


  9. Finally, keep meticulous records needed to support documented evidence of compliance. Your Chief Jailable Officer (CJO) will appreciate the effort when sitting across from an agency investigator during an inspection. Remember if an activity is not documented in writing, in the eyes of FDA, it never happened! If the records are questionable, the CJO will not be able to defend an establishment during an inspection (e.g. garbage in/garbage out syndrome).


For this week’s guidance, Dr. D will leave the readers with just one takeaway: Purchasing controls is not rocket science! The QSR provides plenty of leeway when it comes to interpreting the requirements. At the end of the day, the expectation is that establishments adequately evaluate and select suppliers, contractors, and consultants premised on their ability to meet specifications. The entire process is left in the capable hands of the establishment. In closing, thank you again for joining Dr. D; and I hope you find value in the guidance provided. Until the next installment of DG – cheers from Dr. D., and best wishes for continued professional success.


  1. Code of Federal Regulation. (2014, April) Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
  2. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system   regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  3. Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 Compliance. Charleston, SC: Amazon.
  4. FDA’s enforcement page. (2015, February). Website. Retrieved March 31, 2015, from

About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International