Dr. Christopher Joseph Devine, President, Devine Guidance International
Devine Guidance

Risk-Based Purchasing Controls

By Dr. Christopher Joseph Devine
Dr. Christopher Joseph Devine, President, Devine Guidance International

Managing suppliers is critical, and your processes in doing so must be documented.

One of the challenges facing establishments registered as specification developers, or re-labeler and re-packer, is the heavy reliance on outsourcing needed to introduce finished medical devices that are safe and effective into commerce. Our dear friends from FDA often have no alternative but to spend a significant amount of time in purchasing controls when they arrive for that friendly cup of coffee and an inspection. Now granted, device establishments do not have to share the results of supplier assessments, if supplier audits are in fact being performed. However, the FDA will want to understand the effectiveness of purchasing controls because of the heavy reliance on critical subcontractors and crucial suppliers. When investigators from the FDA commence with their deep dive into purchasing and supplier controls, scilicet (look-it-up), the chief jailable officer (CJO), purchasing, quality, and other inspection-facing individuals, will find themselves in an untenable position if the appropriate controls have not been established. Enjoy!

Warning Letter – January 09, 2018

The warning letter recipient mentioned in this week’s guidance received a five-form 483 observation prize, based on the results of an inspection performed in August of 2017. It appears (conjecture on the part of Dr. D) that the investigator(s) quickly recognized that a spec developer should probably have a robust approach to design controls, and a re-labeler and re-packer should have an equally robust approach to purchasing controls. The FDA appeared to focus on design controls and purchasing controls as a result. Three out of the five form 483 observations were design control (§820.30) specific. One observation was related to rework (§820.90). One observation was rooted in purchasing controls (§820.50), the topic of this week’s article. Once each year, the doctor attempts to enlighten the readers about the importance of managing procurement activities and the challenges associated with supplier management. That being said, the doctor made the decision to share that enlightenment this week.

Warning Letter Excerpt

Observation Three (3) – “Failure to adequately establish procedures to ensure that all purchased 820.50. Specifically, your Purchasing Procedure (QSP6.1, Rev I) is not adequate. The procedure does not ensure that suppliers of critical processes that cannot be verified, such as sterilization, passivation, and hydroxyapatite (HA) coating, are evaluated on their ability to meet specified requirements. Your firm qualifies your suppliers based solely on ISO certification(s) and does not adequately document that each supplier can consistently produce devices in accordance with the designated specifications.”

Title 21: Food and Drugs


Subpart E—Purchasing Controls

§820.50 Purchasing controls.

“Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.


(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements that must be met by suppliers, contractors, and consultants. Each manufacturer shall:


(1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.

(2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.

(3) Establish and maintain records of acceptable suppliers, contractors, and consultants.


(b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with §820.40.”

Compliance for Dummies

All device establishments buy stuff. The doctor does not care what type of devices an establishment designs, manufacturers, or a service an establishment might provide—purchasing is a given and by default, so is supplier management. Now granted, gone are the old days when device establishments spent small fortunes in the pursuit of mindless receiving inspection (RI). Yes, RI is still a necessary evil; however, quality inspectors can better serve an establishment by providing value-added deliverables such as first article inspection (FAI) in support of new product development. However, regardless of an establishment’s approach to purchasing, supplier management or inspection, these activities have to be adequately documented in a written procedure? Can you say, “Establish” (define, document—in writing or electronically—and implement)?

Dr. D strongly recommends scripting a minimum of three high-level procedures in support of purchasing controls: (a) purchasing controls SOP, (b) supplier controls SOP, and (c) receiving inspection SOP. Well-written procedures will clearly delineate all of the controls an establishment has instituted in support of complying with §820.50 (all of it).
Let’s begin with the actual selection of a supplier. Establishments cannot pick names out of a hat or throw darts at a board when selecting prospective suppliers. The purchasing requirements (e.g., component specification, inspection, testing, secondary processing, etc.) must be clearly defined, and suppliers selected premised on their ability to meet the requirements. The doctor strongly believes in a 360-degree cross-functional team approach be pursued when qualifying suppliers. Now granted, supplier quality engineers are pretty-sharp individuals; however, a supplier quality engineer will look at a supplier in a different light versus a procurement specialist, industrial engineer, design engineer or someone in marketing. Yes, it can be expensive bringing all of these individuals to a supplier site (not so much if the supplier is local). If that is not the case, ask the supplier to come visit your team. If the supplier is not willing to visit, you picked the wrong supplier.

Additionally, you cannot fall into the proverbial speed trap when speed and greed equal bad supplier selection decisions. There is no doubt the typical mom and pop shops can make something quickly, but can they make 10,000 units quickly? If the answer is no and the part they are making is critical, you need to look elsewhere; otherwise, an expensive re-validation effort will be in a device establishment’s future is a supplier change is mandated by the need for volume (no crystal ball required).

Furthermore, device establishments cannot under estimate the importance of risk. In fact, ISO 13485:2016 demands that risk be considered in all aspects of the quality management system (QMS). Dr. D is a big proponent of using the Dun & Bradstreet report as way of gaging a big portion of supplier risk: The business piece. If a supplier is having fiscal difficulties and is on the verge of filing for bankruptcy protection, then a decision to climb into bed with a fiscally challenged supplier is a bankrupt one.

Finally, once a supplier is selected, everything associated with managing the supplier needs to be put into writing. For example, if the supplier is deemed to be critical, the FDA is going to expect to see a quality agreement that clearly spells out the roles and responsibilities of both the establishment and their supplier. The establishments will want their supplier base, to complete and/or provide:

  • Non-Disclosure Agreement (NDA)
  • Supplier questionnaire
  • Supplier no-change agreement
  • Supplier accreditation from a qualified notified body or registrar
  • FAI samples (recommend samples from three different lots)
  • Access for an on-site assessment (dependent upon risk)

One thing to remember is that device establishments can never underestimate the importance of risk. Business, quality, and regulatory risk needs to always be considered when assessing new suppliers or assessing a sustaining relationship with existing suppliers. Tools that all device establishments should write into the QMS are:

  • Qualified suppliers shall be listed on the approved supplier’s list (ASL).
  • If there is a documented procedure for adding a supplier, there should be an equal process for removing a supplier from the ASL.
  • Always use purchase orders when placing orders (Note: Basic supplier expectations can be added to purchase orders by having a terms and conditions sheet).
  • Always issue a supplier questionnaire to gage supplier capabilities and qualifications.
  • Always issue supplier no-change agreements, as it is an FDA and ISO requirement to appropriately assess supplier changes (Note: This can be part of the supplier agreement).
  • Always issue supplier corrective action requests (SCARs) when suppliers provide a nonconforming product or service.
  • If possible, establish a supplied data program with critical suppliers. The suppliers provide the statistical data, and the establishment accepts or rejects material based on the data.
  • Always insist on FAIs for critical components.
  • Always issue supplier report cards to your critical subcontractors and crucial suppliers. No supplier wants to be on the receiving end of a “you suck” letter at the end of the year, without any warning or hint of previous problems.
  • If available, always collect ISO accreditation; however, do your homework and verify if the certificate is current and valid.
  • If outsourced processes require validation, ensure that the processes have been appropriately validated. For example, device packaging modalities and sterilization methods shall be appropriately validated before they can be considered for use.


For this week’s guidance, the doctor will leave the readers with two takeaways. One: There are three components associated with managing supplier risk—business, quality and regulatory. If supplier risk is not properly assessed and managed, achieving effective purchasing controls is not possible. Two: Purchasing controls (or lack of) continue to be one of the more frequently cited form 483 observations during agency inspections. Protect your establishment by drafting well-written procedures that address all aspects of §820.50. In closing, thank you again for joining Dr. D, and the doctor hopes you found value (and some humor) in the guidance provided. Until the next installment of DG, cheers from Dr. D., and best wishes for continued professional success.


  1. Code of Federal Regulation. (April 2017). Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
  2. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  3. Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 Compliance. Charleston, SC: Amazon.
  4. FDA. (January 2018). Inspections, Compliance, Enforcement, and Criminal Investigations. Vilex in Tennessee, Inc. Accessed March 26, 2018. Retrieved from https://www.fda.gov/ICECI/EnforcementActions/WarningLetters/ucm600759.htm

About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International