Supplier Quality Agreements Are Not Just a Handshake Anymore

  Join Our eNewsletter List


You’re only as good as the products and services provided by your suppliers. You know this. When your suppliers ship your company substandard products and provide atrocious customer service, it could be a sign that your purchasing and quality organizations must now spend a lot of money, commit human resources and waste precious time to qualify another supplier. But, hold on. This understanding and enabling of quality requirements is partly your responsibility, as well.

This is a perfect example of the “two-way street” that we all travel on from time to time. The logistics of this precarious journey can be simplified and readily defined by putting pen to paper, sitting down in a prearranged meeting with each of your critical suppliers and discussing your relationship in real and agreed-upon terms. A requirements review, if you will. The deliverable is a supplier quality agreement (SQA) between two interested parties that outlines exactly what these requirements are, how the customer will “get what you bargained for” and how the supplier gets compensated for what your company requires. Purchasing controls is the one key process in the quality management system that directly combines the regulations and standards with business (dollars and common sense).

As with any regulated industry, your company should have procedures in place that include the following requirements concerning purchasing controls and the development of a SQA to:
• Ensure that purchased products and services conform to documented requirements
• Establish criteria for selection, evaluation and re-evaluation of suppliers
• Evaluate suppliers on their ability to meet the established criteria for product and quality requirements
• Define type and extent of control based on documented evaluation of the supplier
• Maintain records of supplier evaluations and agreements
• Develop and enable a “no change” agreement

These procedures or work instructions should clearly indicate which suppliers are required to have SQAs and which should only be considered for these types of agreements. The procedure should also specify the contents of SQA and who has responsibilities for creating, approving and changing these agreements. You’ve heard this before. It’s based on risk. Minimally, quality and purchasing controls process owners should approve of these agreements. The number of approvers should be kept at a minimum so that the agreements can be kept flexible enough to be kept up-to-date as experience and events decree. Although your procedures should spell out the areas that should be covered in a SQA with a supplier, these agreements should always be established jointly between your company and the supplier. Neither party should take anything for granted. These agreements are a productive tool to help both you and the supplier understand your roles and responsibilities and to foster good communication between the two of you. Your company should agree with the critical supplier on individual responsibilities and deliverables. Although you, the manufacturer, are ultimately responsible for the medical device, the supplier also has certain obligations to meet and exceed the customer’s requirements every day of the week.

Let’s Get Serious

The Food and Drug Administration’s (FDA) Center for Devices and Radiological Health has been emphasizing to all device manufacturers that they must assume the responsibility for every step of the global administration of purchasing controls. Current recalls of medical devices due to failures of components, raw materials and services supplied to device manufacturers provoked FDA’s increased analysis of supplier purchasing controls about six or seven years ago. FDA inspections and ISO audits still put increased emphasis on challenging your company’s supplier quality management system, in terms of the agreements formally put in place to control procured products and services. Your company must verify that purchasing documentation, including (where appropriate) the requirements for approval of product, procedures, processes, equipment, qualification of personnel and other quality management system requirements. The objective evidence starts with producing a formal agreement between the two parties. Formal not only means in writing and signed, but also, by definition, binding. Additionally, there must be detailed assurances in place to show that purchasing documents contain, where possible, an agreement that the supplier will notify the manufacturer of changes in products or services that may affect the quality of a finished device [21 CFR 820.50(b)].

FDA is not only focusing on U.S. manufacturers and suppliers, but also overseas suppliers. With more inspectors on board, the agency plans to perform overseas inspections on a timely basis. In the recent past, this has not been FDA’s strength. With the advent of our so-called global economy, the issues with foreign suppliers have escalated in geometric proportions that, in many cases, are not well defined. Again, the best way to make sure that you and your critical suppliers show equilibration between risk, cost, quality and regulatory compliance is to develop, issue and co-sign a reasonable and equitable quality agreement to establish process and product deliverables, co-responsibilities and, of course, defined liability. Suppliers must be aligned with your manufacturing and design controls operations as if all concerned were part of the same quality management system (QMS) living under the same roof.

The design and implementation of your company’s QMS is a strategic decision based on the regulatory, quality and monetary needs of your company, the size of your organizational structure, the processes employed and the medical devices provided to your customers. If your company does not perform certain processes (e.g. design and development, sterilization, manufacturing of components, production of raw materials, etc.), i.e. chooses to outsource critical processes related to the design and/or manufacture of medical devices, these suppliers, servicers and supplied processes must be controlled within your quality management system. Your company has the responsibility to make this happen, and FDA does not. Component and raw material manufacturers do not have a regulatory obligation to adhere to the current Good Manufacturing Practices. You will have to define the extent of this type of control in the SQA.

Risk Management

When developing and writing an SQA, your company should identify high-risk component and service suppliers through a documented risk management process, such as the use of design and process failure mode effects analysis. Other more efficient methods can also be used, such as component category risk grid methodologies that prioritize remediation efforts based upon the degree of customization and effect on function and safety.

Not all supplier categories require a full-blown quality agreement in place to enable a relationship to carry on. Commonly, high risk suppliers (custom components, unique or critical services such as calibration checks, clean-room monitoring, sterilization and contract manufacturers) should have a written agreement in place to assure that ongoing mitigation and improvement are always part of decision-making. Your company should develop a quality plan with an accurate timeline to address high- and moderate-risk components and services with an approach on how to address low-risk suppliers in the long term. You should identify any additional interim incoming supply quality controls needed until corrective action is complete. At the end of the day, your quality and purchasing process owners must balance risk, cost and quality while maintaining regulatory compliance. Sometimes this becomes quite a challenge because, as I indicated previously, this part of the QS Regulation is affected by monetary considerations that your company and the supplier impose upon yourselves. FDA has no jurisdiction or interest when it comes to cost considerations.

What Quality Systems Areas Should be Part of this SQA

Once completed, the SQA should establish clear definitions of supplier and customer responsibilities. Depending upon the risks involved with the product or services your company is procuring, these important topics should be covered by this agreement:

  • Ownership of product specifications, such as the documentation presented in the Design History File and the Device Master Records.
  • Inspection plans for releasing product coming from the supplier to the customer and receiving product by the customer.

  • The logistics and timing of audits conducted by the customer on the critical supplier’s premises. Besides the quality and regulatory related subjects covered in this article, these topics should be addressed during supplier audits:
  1. Quality Management System
  2. Personnel Competencies
  3. Buildings and Facilities
  4. Corrective and Preventive Action
  5. Risk Management
  6. Handling, Storage and Delivery of Product
  7. Handling of Recalls
  8. Supplier Quality Agreement – Note: Companies often have written agreements with their lower-risk suppliers, but these are frequently supply agreements that focus on financial and legal arrangements between the two. SQA agreements should be kept separate from supplier agreements dealing with the monetary and legal aspects of a viable relationship, although they are usually included by reference for clarification purposes.
  9. Identification and Traceability of Product
  10. Non-conforming Product
  11. Installation and Service Agreement(s)
  12. Calibration of Instruments
  13. Acceptance Activities
  14. Sterilization Agreements
  15. Internal Quality Audits
  • Also, in the case of a contract manufacturer, notification requirements should be addressed when FDA shows up to conduct an inspection, and especially if FDA wants to review the processes and products directly related to the customer.
  • Complaint handling processes and the responsibilities for investigation, documentation and follow-up.
  • Change and Document control is particularly important when co-implemented specifications are issued and revised by either party. This issuance of specification revisions could culminate this agreement effort as expressed on a purchase order and then the ensuing purchasing information shipped with the product or service, e.g. Certificates of Analysis, Certificates of Conformance, Calibration Certificates, Certificates of Compliance, etc. The test frequently comes from poorly-worded agreements, which can include language that refers to “significant changes” or “changes that could affect the finished device.” In many cases, the supplier is asked to make changes that originate in its processes, but which they might not be fully qualified to make. For example, a change that may have a minimal effect on a supplier’s process may affect regulatory submissions. Guaranteeing that effective change control processes are fully implemented requires: 1) clear language within the SQAs, 2) effective supplier quality system change control processes, 3) consistent provision of change control information to the manufacturer and vice versa and 4) oversight by the supplier’s and manufacturer’s audit processes.
  • The requirements for process validation and machine qualification flow downhill using a master validation plan as a basis for decision-making and validation in an effort to reduce costs and further assure product quality in a more consistent manner.
  • Periodic meetings, such as requirements reviews, should be part of the agreement and scheduled every year.
  • If warrantees are involved with your products, these details should be covered in terms of timing, remuneration and objective evidence requirement.
  • Process controls during manufacturing and the documentation for which each party is responsible.
  • If your company has hired a contractor to conduct design controls on your behalf, this relationship will be defined by service-related requirements, timing issues, who owns generated proprietary information, what documentation must be developed toward design transfer (back to the customer), record retention, the design history file and re-design opportunities. Conversely, this is always a critical phase for suppliers, because once you, the customer, receive FDA clearance to market a device, there is almost always a rush to move quickly from pre-production and/or development to full production.

  • If there is a requirement that the supplier maintain a certified quality system or other certification, such as ISO 9001 or ISO 13485, this must be documented with a copy of the certification and all ensuing re-certifications moving forward.
  • Control of sub-tier suppliers has always been a controversial subject, especially with suppliers located in India, Mexico and China. The goal of your critical supplier is to save money for everyone involved. Commonly and from my experience, suppliers in these countries change suppliers on the spur of the moment and don’t always have your best interests in mind from a regulatory and quality standpoint.
  • Legal aspects as related to reliability.
  • Key personnel responsibilities and contact information.


Regulatory bodies do not see supplier quality agreements as a new requirement. They also expect medical device manufacturers to require suppliers to conduct remediation where required and within documented timelines. It is appropriate to use a risk management approach to prioritize required focal points concerning formal agreements and resulting work products. By the way, your company will probably want to make a profit, after all is said and done. This agreement will act as a compass.

This evaluation and monitoring process is not getting any easier; device manufacturers now must comply with regulated expectations using the world-economy approach to conducting business. Developing and agreeing to a master plan will work to everyone’s advantage as the world turns.

As a person growing up in a singular and successful America, life was far simpler than it is today. It seems like business cultures continue to clash and regulatory ideologies are in, what looks like, an unrelenting change-management mode. Computerization is not helping. Moving faster without clear direction can be another type of detriment to both supplier and manufacturer. An SQA can at least define the game rules, the requirements and the players involved.

Enforcing these agreements is, of course, another story. I continue to conduct a portion of my business overseas because of global demands and the innate drive to put bread on the table. Companies continue to try to take liberties when it comes to quality mandates and business excellence. Device manufacturers that don’t take the issue seriously could face regulatory action and imposing monetary implications. Making safe and effective medical devices has always been our responsibility. A detailed SQA that accounts for the impact of regulations and standards and clearly defines the essential responsibilities and necessary authority is imperative during these challenging times.

Suppliers need to look inwardly at their quality systems to ensure that they are meeting the intent and spirit of the regulations and, frankly and more importantly, their customer’s requirements. A partnership between manufacturers and suppliers should be an acutely sought-after deliverable to assure success as global sourcing continues to flourish. Companies that face the risks head on will then co-share the profits when an effective Quality Agreement becomes a foundation point.

John Gagliardi has had success over the past 45 years in the medical device and pharmaceutical industries because of his practical approach to process-orientation and business. He has been actively involved in research and development, quality assurance, training, operations, process architecture, FDA inspections and regulatory affairs. Mr. Gagliardi specializes in building systems in a compliant and business-ready manner. Mr. Gagliardi can be reached by This email address is being protected from spambots. You need JavaScript enabled to view it..

MidWest Process Innovation, LLC