Purchasing Controls: Draft the Best Supplier Quality Agreement

Unacceptable purchased products account for about 17 percent of medical device recalls each year. Many of these products are considered unacceptable because the finished device manufacturer did not properly describe the product or agree to the terms of accretion and rejection with their suppliers.

I can’t complicate this. Some companies call their relationships with suppliers “partnerships” or “understandings”—it doesn’t matter what you call it; the manufacturer must define the type and extent of control exercised over products, services, suppliers, contractors and consultants based upon a documented process for evaluation and selection criteria. If the supplier doesn’t understand the directions, how can that supplier properly fulfill the requirements?

You’re right; they can’t.

Purchasing Controls is the only section of the QS Regulation and ISO Standard in which business and quality systems management overlap ever so blatantly, with the objective evidence realized from that association presented in terms of quality assurance and various levels of measured controls. When a medical device manufacturer chooses to employ suppliers, this manufacturer must ensure control over any product, process or service obtained from these suppliers. The controls may extend further if a supplier subcontracts work to sub-tier relationships that, based upon inherent risks, may have to define their specific scope of compliance.

The bones of this article, in part, came from a roundtable discussion during Breakfast with the Experts at OMTEC® 2015.

Quality Agreements and Objective Evidence
Quality agreements between manufacturers and suppliers had been in play way before the new 21 CFR, Part 820 was made effective in the late ‘90s. It’s gone from “just about the business” to “business and quality issues” to just a “quality assurance-aligned document”. For many years, the purchase order (PO) was considered to be an agreement, and it remains a popular legal document for conducting business between two companies, i.e., it can be great objective evidence as long as both parties sign the PO. Agreements can be advantageous for a solid foundation of mutual understanding and can set the stage for agreements between companies based upon risk management principles. This is where we have an opportunity to quantify our relationships in terms of defined deliverables, acceptance activities and clear objectives for business success.

The cGMP-QS Regulation indicates that purchasing documents shall include, where possible, an agreement that the suppliers, contractors and consultants agree to notify the manufacturer of changes in the product, process or service so that manufacturers may determine whether the changes may affect the quality of a finished device. The quality agreement is an effective management tool to prevent problems and reduce their impact should they occur. With the increased emphasis on purchasing controls, you can expect strong attention to this area during an FDA inspection.

Typical areas generating objective evidence for compliance that could be considered for finalizing this agreement between the manufacturer and its supplier will address these areas:

1) Acceptance and verification activities
2) Complaint handling
3) Responsibilities for root cause analysis and investigation
4) Corrective action and preventive action
5) Product and Process risk management
6) Design responsibilities
7) Labelling/traceability requirements
8) Technical documentation as supplied
9) Handling of non-conformities
10) Change control requirements
11) Creation and retention of documents and records
12) Supplier audits
13) Product recall
14) Periodic evaluation or re-evaluation of the supplier’s data and operation


The “NO CHANGE” Agreement

…..don’t change “anything” unless you have my permission first…..

As I indicated, requirements for purchased products and services must be documented to ensure that suppliers provide a product or service that conforms to specified requirements. If the requirements change or the supplier makes changes to the device or process, the customer must not only be aware of the change, but must approve the change prior to implementation. FDA still believes that this change information is essential to the core competencies of the manufacturer, and that the manufacturer should obtain information on changes to the product, process or service in a timely and documented manner. Where a supplier refuses to agree to provide such notification, depending on the product or service being purchased, it may render that company an unacceptable supplier. However, where the product is in short supply and must be purchased, the manufacturer will need to heighten control in other ways, e.g., heightened incoming inspection. FDA has given manufacturers the flexibility to define in the agreement the types of changes that would require notification. And, yes, the decisions being made are based upon risk management requirements.

Suppliers must ensure that adequate notification is provided for changes that may affect the form, fit, function, reliability, serviceability, performance, functional interchangeability, regulatory compliance, safety or interchangeability of the product, part or service. This may include changes made by sub-suppliers. This allows the manufacturer to assess whether the change may affect the overall quality, safety, performance or effectiveness of affected devices. Notification of changes must include description of the change, proposed implementation date and affected products, parts or services. Notification must be in writing and should be addressed to a purchasing representative. Some larger companies require a minimum of six months’ notice prior to implementing a change. For instance, there may be revalidation, verification or re-qualification involved, and that doesn’t happen in three days.

For documentation such as production drawings, specifications, assembly procedures, etc., FDA agrees that the requirement for changes be approved by an individual in the same function or organization that performed the original review and approval, unless specifically designated otherwise. The intent of the requirement is to ensure that those who originally approved the document have an opportunity to review any changes, because these individuals typically have the best insight on the impact of the changes. The requirement is flexible, however, because it permits with a documented rationale the manufacturer to specifically designate individuals who did not perform the original review and approval to review and approve the changes. In this way, the review and approval will not be haphazard, in any case.

What Product, Process or Service Should Have a Formal Agreement?
You should have a formal policy that defines the type of product, process or supplier type that needs a supplier quality agreement. Contract manufacturers and contract sterilizers clearly qualify, as do suppliers of critical components.

Common materials purchased in large quantities often qualify, to some extent, whereas services that don’t impact your product or process in a quality assurance manner probably won’t apply. Yes, I know! It depends on quantitative risk-based decision-making. Don’t forget, when the risk dictates, defined controls around second or further-tier suppliers may also be needed.

Control points within your quality management system (QMS) that have an effect on this risk-based decision can include:

  • Control of second or further-tier suppliers
  • Audits and timely Supplier Corrective/Preventive Actions (SCARS)
  • Testing/Verification
  • Certificates of Analysis/Conformity
  • Formal requirements for the QMS, such as specific certificates (QMS, environmental management, accredited labs, access rights for third party assessment)
  • What to measure and how (e.g., ppm, Key Performance Indicators)
  • Measurement System Analysis (e.g., Gauge R&R, Gauge Correlation Studies)
  • Activities to ensure environmental compatibility, electromagnetic compatibility, reliability/reliability forecasts
  • Process capability and Process capacity
  • Process validations
  • Response times
  • Statistical process control
  • Correction, reworking
  • Inventory control (First-In-First-Out/FIFO, time limit (time target) )
  • Batch sizes, lot sizes
  • Traceability (Process, product, equipment, operators)
  • Change Control (changes to process, parts, procedures, etc., regardless of who initiated)
  • Configuration management
  • Protection of intellectual property
  • Protection of patient information
  • Document retention periods
  • Quality system records

Can you identify all of the controls pointed out in this example? Are there more?
For example, a manufacturer is buying a sterile product as a component for a kit, where the kit will also be sterilized. The supplier of the sterile product utilized a contract sterilizer. In this case, the manufacturer may need to conduct audits, or review validation records, of this sub-tier sterilization supplier. The manufacturer should determine if the second sterilization of the supplied sterile product will have any adverse impact on safety and effectiveness of the medical device. Consideration would need to be given to the supplied product and its properties to ensure that the two (possibly different) sterilization processes will not degrade or adversely affect safety and effectiveness of the medical device or any specified requirements of the supplied product. The finished device manufacturer is ultimately responsible for the kit with all of its components, and should ensure that such validation information would be readily accessible to demonstrate the effects and suitability of all the sterilization processes.

Note: In the situation of internal suppliers, there may not be contractual arrangements or purchase orders. However, some type of formal arrangement (interface agreements) needs to be defined (procedures). Standardized processes for these arrangements may be of benefit to the manufacturer, especially in order to ensure coverage of all relevant regulatory and legal requirements.

Concluding Statements (FDA feedback and understanding)
Although written quality agreements are not demanded under U.S. Good Manufacturing Practice (21 CFR, Part 820) Regulations, FDA recommends that medical device companies prepare such agreements to document roles, timing and responsibilities. Although these agreements are not mandatory, this has not prevented FDA from issuing warning letters to companies that have failed to set up such risk-based agreements, e.g. “Your firm failed to establish a quality plan defining the quality practices, resources, and activities relevant to devices that are designed and manufactured, as required by 21 CFR 820.20(d). Specifically, your firm has not established a quality agreement with the contract manufacturer of the XYZ implantable orthopaedic devices. The responsibilities between the manufacturer and the contractor have not been clearly defined. Additionally, a similar observation was made regarding your failure to establish a quality agreement with your contract manufacturer of the final assembly kit designated for use in the operating room.”

FDA has indicated on numerous occasions that they are going to be looking at your supplier selection and qualification, and monitoring programs in inspections. They continue to train their inspectors to look at these issues.

Quality agreements are an essential part of a contractual relationship in the medical device world. FDA considers contractors an ”extension of the manufacturer’s own facility.” Thus, both parties are responsible for ensuring that products are not adulterated or misbranded. With respect to contract manufacturing, parties must work together to establish and maintain quality oversight of contracted operations and the materials produced under contract. This is where the quality agreement comes into play. Quality agreements are so essential that failure to have one can result in a warning letter from FDA. This is true even though there is no actual legal requirement to have an agreement of this nature.

John Gagliardi has had success over the past 45 years in the medical device and pharmaceutical industries because of his practical approach to process-orientation and business. He has been actively involved in research and development, quality assurance, training, operations, process architecture, FDA inspections and regulatory affairs. Mr. Gagliardi specializes in building systems in a compliant and business-ready manner. Mr. Gagliardi can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..

MidWest Process Innovation, LLC
www.midwestprocessinnovation.com