Employing Audits for Improved Supplier Performance

Bob Mehta

Note: The views expressed in this article are those of the author and do not necessarily represent those of his employer, GxP Lifeline, its editor or MasterControl Inc.

According to the FDA, 21 CFR Part 820.50 (Purchasing Controls) continues to be a significant concern, with the agency issuing Form 483 Observations and Warning Letters citing continued violations by device manufacturers. According to Kimberly Trautman, the FDA's current Good Manufacturing Practices (cGMP) and Quality System Regulations (QSR) expert, suppliers providing non-conforming material are directly related to an increase in medical device recalls, which increases the need for effective quality processes to mitigate risk. With the FDA's increased vigilance, how can device manufacturers better position themselves to achieve and sustain compliance? The answer lies in the establishment of an effective purchasing control procedure that places significant emphasis on supplier controls and the establishment of a value-added supplier audit program. A value-added supplier audit program can help organizations mitigate business and regulatory risk while reducing the Cost of Poor Quality (COPQ).

When intelligently designed, a value-added supplier audit program can provide great benefits to a device manufacturer. Establishing a value-added program begins with the understanding that the program fundamentals expand beyond the physical performance of supplier audits.

21 CFR Part 820 - Subpart E Purchasing Controls

Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.

  • (a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements that must be met by suppliers, contractors, and consultants. Each manufacturer shall:
    1. Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
    2. Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
    3. Establish and maintain records of acceptable suppliers, contractors, and consultants.
  • (b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with 820.40.

One of the terms employed by the FDA throughout the QSR is "establish." According to the FDA, establish means "define, document (in writing or electronically), and implement." In support of establishing an effective value-added supplier audit program for improving supplier performance, not only is attention to detail important, but documenting the entire process in writing an implementation should be considered a mission critical task.

Additionally, the trend in the agency's issuance of warning letters for failure to comply with 820.50 can easily be reversed if device manufacturers establish adequate procedures and controls for purchasing and supplier management. Warning letters, such as following one issued on February 9, 2012, highlight the need for device manufacturers to establish effective procedures and actually employ them for assuring the quality of products purchased.

Warning Letter Exerpt - 2/9/2012

"Failure to establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements, as required by 21 CFR 820.50. For example, your firm does not have any purchasing controls procedures to ensure that all purchased or otherwise received powered muscle stimulator devices conform to specified requirements. Your firm has not evaluated your supplier and vendor of the powered muscle stimulator device, your label manufacturer, or your overseas import broker on their ability to meet specified requirements, including quality requirements."

Value-Added Supplier Audit Program

There are many reasons for organizations to establish a value-added supplier audit program. Granted, sustaining regulatory compliance is a salient requirement; however, there are other factors organizations need to consider when establishing an approach to value-added supplier audits. For example: (a) preservation of brand equity; (b) ensuring values and strategy are clearly understood by the supplier; (c) establishment of consistent practices among suppliers; (d) achieving supplier return on investment (ROI) goals; and (e) providing supplier oversight, so efficiency and continuous improvement targets can be achieved.

When intelligently designed, a value-added supplier audit program can provide great benefits to a device manufacturer. Establishing a value-added program begins with the understanding that the program fundamentals expand beyond the physical performance of supplier audits. Suppliers with a certified Quality Management System (QMS), in accordance with ISO 9001:2008 or ISO 13485:2003, have the basic system elements in place. Certification allows device manufacturers to focus on process-specific audits which inherently provide more value. However, Trautman cautions manufacturers against relying solely on ISO certification by third parties as evidence that suppliers have the capability to provide quality products or services.

In any event, these are the key elements that should be considered for inclusion in a value-added supplier audit program:

  • A well-written supplier quality agreement delineating responsibilities and expectations
  • A supplier questionnaire that focuses on business and technology
  • Supplier scorecards that are performance-centric
  • Supplier on-site assessment checklist
  • Supplier statistical data program in support of reduced incoming inspection
  • Creation of supplier categories premised on risk (business and regulatory)

Device Industry Trends in Auditing

The device industry continues to employ three categories of supplier assessments: (a) supplier selection/qualification audits; (b) supplier surveillance audits to ensure conformance to requirements is being sustained; and (c) for-cause audits, when supplier non-conformances negatively influence finished-device performance. Because of the expense associated with performing supplier audits, device manufacturers are in a constant cost-containment battle. The trade-off lies in containing costs associated with supplier oversight while reducing costs associated with COPQ. It has never been economically viable to perform on-site audits on all of a device manufacturer's suppliers, nor is it value-added.

Another trend influencing the medical device industry is suppliers wanting to be paid for entertaining audits. Device manufacturers invest a significant amount of time and money selecting, approving, and incorporating purchased components into finished medical devices. Considering the expense of validation and the regulatory ramifications associated with the changing of critical component suppliers, it is seldom economically viable to replace suppliers charging for audits. A supplier charging for an audit is an expense that must be considered in advance.

Focused Versus QMS Audits

Focused and QMS audits provide value depending upon the application. If a supplier has a certified QMS, then the elements of an effective quality system are already in place. However, if a potential supplier does not have a certified QMS, performing an initial audit of the supplier's quality system is considered prudent and categorized as value-added. Considering the costs associated with device validation, it is too risky to proceed with a business relationship without first kicking the tires. However, if the supplier has a certified QMS, a focused audit is probably the correct path to travel. A focused audit can be employed to assess technical capabilities, capacity and supply chain.

Audit Need and Frequency

Audit need versus frequency is one of the significant drivers for a value-added supplier audit program. It makes zero sense for device manufacturers to attempt to audit 100% of their supplier bases. Conversely, not auditing suppliers or failing to establish a program for supplier oversight will in all likelihood result in an increase in the COPQ and potentially invite regulatory action from the FDA. A value-added supplier audit program should be governed by audit need, premised on supplier risk. For example, critical suppliers, such as a sterilization facility, should warrant an annual assessment. For the supplier of a poly/Tyvek pouch (sterile barrier), once every three years may be appropriate. The key is for the device manufacturer to adequately define need and frequency. Regardless of the approach, the FDA will want to see evidence of program effectiveness.

Evaluating Risk

Performing supplier audits can be expensive. Employing trained auditors, managing an extensive list of suppliers, time associated with pre- and post-audit activities, and the cost of travel can quickly become problematic even for the most cost-conscious organizations. That is why it is extremely important to include the assessment of risk as part of the program. Creating risk categories, performing risk analysis, focusing on risk reduction, and when appropriate, identifying levels of risk assessment are important features associated with a value-added supplier audit program.

Third-Party Audits

Third-party audits, the use of consultants as an extension of a device manufacturer's value-added supplier audit program, can be a blessing or a curse. Outsourcing supplier audits can result in an immediate and often substantial savings to device manufacturers. However, there is also significant trust involved when outsourcing supplier audits. Auditor competency will influence the overall effectiveness of third-party audits. Auditors lacking experience to assess compliance against applicable regulations, standards, and industry guidelines or lacking technology-specific competency, regardless of credentials, affect the performance of optimum audits resulting in missed opportunities for driving supplier corrections and improvements.

Summary and Conclusion

Considering the current regulatory climate and the need for organizations to focus on factors reducing the COPQ, implementing an effective value-added supplier audit program becomes a fundamental requirement for device manufacturers. It will never be practical to institute a program requiring a 100% performance of on-site supplier audits, nor will it be acceptable not performing some level of supplier assessments. The solution is to develop and implement an appropriate tool set that supports a value-added approach. Audit type, frequency, and the employment of third-party auditors will influence the cost of any audit program. However, the goal of the program should be to reduce the COPQ. An effective value-added supplier audit program will significantly reduce the COPQ ensuring: (a) suppliers maintain a QMS; (b) suppliers sustain compliance to applicable regulatory requirements; and (c) suppliers manufacture and/or supply a quality product or service.

Bob Mehta is a quality systems consultant at GMP ISO Expert Services (www.gmpisoexpert.com), a Los Angeles-based consulting firm helping U.S. and international clients in the pharmaceutical, biotechnology, IVD, dietary supplement/food, and medical device industries. Bob has more than 20 years' experience in the fields of quality assurance, quality control, supplier management, and risk management. He has helped clients with remediation and implementation of risk-based quality systems and supplier audit programs in a variety of FDA regulated and ISO certified industries. He has published more than 20 articles in the eScope, a monthly publication for ASQ Orange Empire Section 701, and he serves on the committee of the Industry Board of Advisors for Medical Device Industry Education Consortium (MDIEC). He teaches medical device regulations, risk management, and project management courses at local universities in addition to teaching ASQ certification courses. He can be reached at (949) 510-9138 or contact@gmpisoexpert.com.