Note: The views expressed in this article are those of the author and do not necessarily represent those of his/her employer, GxP Lifeline, its editor or MasterControl, Inc."
Supplier quality assurance (QA) agreements can play a vital role in helping companies not only demonstrate to regulatory agencies that they are properly controlling their suppliers, but also show that they are informed and aware of what their suppliers are doing. Manufacturers of all types of medical devices are responsible for the product they make and sell. However, more and more companies are outsourcing all or part of their manufacturing or other operations. Regulatory and certification agencies are therefore looking to the companies that sell the product to have sufficient knowledge and control over their suppliers to assure that products are safe and meet the claims made for them. This article will discuss why supplier agreements are desirable and sometimes even required, which suppliers should have supplier quality agreements, and what should be contained in those agreements.
The FDA in 21 CFR 820.50 requires that companies control all their suppliers, including providers of materials, services, consultants and contractors, if they could have an effect on product quality or the quality system. ISO 13485 section 7.4.1 requires that device companies have a procedure that includes the following requirements:
To aid medical device manufacturers there have been two fairly recent guidance documents, one in 2008 by the Global Harmonization Task Force (GHTF) and one in 2010 by the Notified Body Operations Group (NBOG). Both of these guidance documents are available for free on the Internet. See Figure 1 for the names, general information, and website addresses for these guidance documents. The GHTF document has been referenced by FDA many times since it came out and is now recognized as the "current" practice for supplier controls. This means that the FDA is looking for device manufacturers to follow this guidance unless they can demonstrate that they have sufficient control of their suppliers without following this document.
The Notified Body Operations Group (NBOG) is an organization that provides guidance to European Notified Bodies on how they should audit a particular requirement, in this case the supplier control requirement of ISO 13485. This means that if you require a European Notified Body to audit your ISO 13485 implementation, this is what they will be looking for. Therefore medical device manufacturers should be using both of these documents when designing their supplier control program. This article talks specifically about quality agreements, one of the concerns of these guidance documents. Quality agreements can go a long way to demonstrating the kinds of control manufacturers have over their suppliers, and can be extremely useful to manufacturers as well. A good supplier quality agreement can take the guesswork out of the process of deciding who (either the manufacturer or the supplier) is responsible for what and how communication should work between the two.
Companies often have written agreements with their key suppliers but these are often supply agreements, which focus on financial and legal arrangements between the two. Quality or Quality Assurance (QA) agreements are best kept separate from supplier agreements, although they are usually included by reference in the main supply agreement. Supplier and quality agreements should be kept at least somewhat separate because supplier agreements often require legal review, approval by a company officer, and may exist for many years of the relationship between the manufacturer and the supplier. On the other hand, like attachments such as annual pricing and quantities, quality agreements need to be flexible, based on day-to-day operations, and easy to change as needed without legal review. See Figure 2 for key points of supplier vs. QA agreements.
Which supplier should have QA agreements? It is neither expected nor desirable that all suppliers have QA agreements. However, critical and key suppliers should all have QA agreements, and all outsourced processes related to the manufacture of your product should be considered for QA agreements. See Figure 4 for definitions of critical suppliers. In addition to critical suppliers, key suppliers might be those that are single-source for a key component or material, even if the component or material does not affect product safety, those with long lead-times, or ones that do not have a certified quality management system. Contract manufacturers need QA agreements because they are acting on behalf of the manufacturer and are doing a variety of operations that the manufacturer does not control directly. QA agreements are the way the manufacturer can have maximum control over the contract manufacturer without interfering in the actual operation of the contract manufacturer.
Distributors should have QA agreements because they interface directly with the customer and the extent of their responsibilities can have both quality and regulatory ramifications. For instance, if a field action is needed it is important that a distributor be cooperative and have the required information. In addition, devices requiring installation and/or service which are often part of a distributor's responsibility, can greatly affect both the safety and function of a device. Outsourced processes again are a part of the manufacturing process that you, the manufacturer, do not control directly. There are often processes that you cannot easily verify were done properly. QA agreements are one way, in addition to process validation, that you can use to maintain the control over outsourced processes. As required by the guidelines mentioned, risk should be taken into account when deciding on the type of control for suppliers. High risk suppliers and high risk outsourced processes, such as sterilization, and contract design and development are examples of processes that are usually considered key or critical and therefore would be expected to have quality agreements.
Your supplier agreement or a related procedure or work instruction should clearly state which suppliers are required to have QA agreements and which should be considered for these agreements. The procedure should also specify the contents of QA agreements and who has responsibilities for creating, approving and changing these agreements. At a minimum, quality and related departments (usually operations or manufacturing) should approve these agreements. The number of approvers should be kept at a minimum so that the agreements can be kept flexible enough to be kept up-to-date as experience and events dictate. Although your procedure should spell out the areas that should be covered in a QA agreement with a supplier, QA agreements should always be developed jointly between you and the supplier. Neither party should take anything for granted. These agreements are a working tool to help both you and the supplier understand your roles and responsibilities and to foster good communication between the two of you. The manufacturer should agree with the supplier on individual responsibilities and deliverables. Although you, the manufacturer, are ultimately responsible for the medical device, the supplier also has certain obligations.
Process or product validation is a good example of how manufacturer and supplier can cooperate. It is the manufacturer's responsibility to ensure that the validation is properly performed, regardless of who actually performs the validation. At a minimum, the manufacturer will need to demonstrate that they have reviewed and accepted the validation documents. Therefore, the manufacturer and the supplier should have a mutually approved process for performing process validations, evaluating any changes and determining when re-validation should be performed. Responsibilities related to these tasks should be assigned.
The following is a list of things that should be included in a QA agreement with a supplier, as they are applicable to the particular task the supplier is doing.
Remember the overall responsiblity for the design of the device, including design documentation, is ultimately the responsibility of the manufacturer.
QA agreements should spell out who is responsible for each type of activity or document. This includes who does or creates it, who approves it, what notices are needed and when. See Figure 5 for an example of how this can be done clearly and briefly. Agreements should define the methods and points of contact. Will there be a single person in each organization responsible for all communication or multiple points of contact allowed? The agreement should give the contact information, including names, job titles, phone numbers and the email addresses of each of the contacts. This section of the agreement often has its own change provision, so that it can be kept up-to-date without re-signing the entire agreement. Especially if there is a single source contact at each location, then provision should be made for an alternate for times the primary contact is not available.
In summary, QA agreements are not only the expected method of control for high risk suppliers but can provide clarity and smoother operations for both the manufacturer and the supplier.
Betty Lane has over 20 years of experience in Medical Device quality assurance and regulatory affairs. She has established or updated quality systems for numerous small and medium sized medical device and diagnostic companies. Her work enables companies to manage their business in compliance with FDA and ISO 13485 requirements, thus enabling worldwide sale of their products. Her background in digital systems engineering enabled her to facilitate design controls and software validation when they became FDA and industry requirements.
Betty is the founder and president of Be Quality Associates, LLC, a consulting company helping medical device companies implement and improve their quality systems for both business improvement and regulatory compliance. Other services include training, auditing, supplier management and medical device quality system software validation.
Betty has been active in local sections of the American Society for Quality. In addition Betty is a member of the Regulatory Affairs Professional Society, Association for the Advancement of Medical Instrumentation, The Society of Women Engineers and the Institute of Electrical and Electronic Engineers.
Be Quality Associates, LLCMedical Device Quality Systems Specialists7 Hartswood RoadDover, NH 03820phone: 603-742-4963cell phone: 603-781-3472