Supplier Quality Agreements: Benefits to You and Your Supplier

Betty Lane

Note: The views expressed in this article are those of the author and do not necessarily represent those of his/her employer, GxP Lifeline, its editor or MasterControl, Inc."

Supplier quality assurance (QA) agreements can play a vital role in helping companies not only demonstrate to regulatory agencies that they are properly controlling their suppliers, but also show that they are informed and aware of what their suppliers are doing. Manufacturers of all types of medical devices are responsible for the product they make and sell. However, more and more companies are outsourcing all or part of their manufacturing or other operations. Regulatory and certification agencies are therefore looking to the companies that sell the product to have sufficient knowledge and control over their suppliers to assure that products are safe and meet the claims made for them. This article will discuss why supplier agreements are desirable and sometimes even required, which suppliers should have supplier quality agreements, and what should be contained in those agreements.

Which supplier should have QA agreements? It is neither expected nor desirable that all suppliers have QA agreements. However, critical and key suppliers should all have QA agreements and all outsourced processes related to the manufacture of your product should be considered for QA agreements.

The FDA in 21 CFR 820.50 requires that companies control all their suppliers, including providers of materials, services, consultants and contractors, if they could have an effect on product quality or the quality system. ISO 13485 section 7.4.1 requires that device companies have a procedure that includes the following requirements:

  • Ensure that purchased products and services conform to documented requirements
  • Establish criteria for selection, evaluation and re-evaluation of suppliers
  • Evaluate suppliers on their ability to meet the established criteria for product and quality requirements
  • Define type and extent of control based on documented evaluation of the supplier
  • Maintain records of supplier evaluations

To aid medical device manufacturers there have been two fairly recent guidance documents, one in 2008 by the Global Harmonization Task Force (GHTF) and one in 2010 by the Notified Body Operations Group (NBOG). Both of these guidance documents are available for free on the Internet. See Figure 1 for the names, general information, and website addresses for these guidance documents. The GHTF document has been referenced by FDA many times since it came out and is now recognized as the "current" practice for supplier controls. This means that the FDA is looking for device manufacturers to follow this guidance unless they can demonstrate that they have sufficient control of their suppliers without following this document.

Figure 1

The Notified Body Operations Group (NBOG) is an organization that provides guidance to European Notified Bodies on how they should audit a particular requirement, in this case the supplier control requirement of ISO 13485. This means that if you require a European Notified Body to audit your ISO 13485 implementation, this is what they will be looking for. Therefore medical device manufacturers should be using both of these documents when designing their supplier control program. This article talks specifically about quality agreements, one of the concerns of these guidance documents. Quality agreements can go a long way to demonstrating the kinds of control manufacturers have over their suppliers, and can be extremely useful to manufacturers as well. A good supplier quality agreement can take the guesswork out of the process of deciding who (either the manufacturer or the supplier) is responsible for what and how communication should work between the two.

Companies often have written agreements with their key suppliers but these are often supply agreements, which focus on financial and legal arrangements between the two. Quality or Quality Assurance (QA) agreements are best kept separate from supplier agreements, although they are usually included by reference in the main supply agreement. Supplier and quality agreements should be kept at least somewhat separate because supplier agreements often require legal review, approval by a company officer, and may exist for many years of the relationship between the manufacturer and the supplier. On the other hand, like attachments such as annual pricing and quantities, quality agreements need to be flexible, based on day-to-day operations, and easy to change as needed without legal review. See Figure 2 for key points of supplier vs. QA agreements.

Figure 2

Which supplier should have QA agreements? It is neither expected nor desirable that all suppliers have QA agreements. However, critical and key suppliers should all have QA agreements, and all outsourced processes related to the manufacture of your product should be considered for QA agreements. See Figure 4 for definitions of critical suppliers. In addition to critical suppliers, key suppliers might be those that are single-source for a key component or material, even if the component or material does not affect product safety, those with long lead-times, or ones that do not have a certified quality management system. Contract manufacturers need QA agreements because they are acting on behalf of the manufacturer and are doing a variety of operations that the manufacturer does not control directly. QA agreements are the way the manufacturer can have maximum control over the contract manufacturer without interfering in the actual operation of the contract manufacturer.

Figure 3

Figure 4

Distributors should have QA agreements because they interface directly with the customer and the extent of their responsibilities can have both quality and regulatory ramifications. For instance, if a field action is needed it is important that a distributor be cooperative and have the required information. In addition, devices requiring installation and/or service which are often part of a distributor's responsibility, can greatly affect both the safety and function of a device. Outsourced processes again are a part of the manufacturing process that you, the manufacturer, do not control directly. There are often processes that you cannot easily verify were done properly. QA agreements are one way, in addition to process validation, that you can use to maintain the control over outsourced processes. As required by the guidelines mentioned, risk should be taken into account when deciding on the type of control for suppliers. High risk suppliers and high risk outsourced processes, such as sterilization, and contract design and development are examples of processes that are usually considered key or critical and therefore would be expected to have quality agreements.

Your supplier agreement or a related procedure or work instruction should clearly state which suppliers are required to have QA agreements and which should be considered for these agreements. The procedure should also specify the contents of QA agreements and who has responsibilities for creating, approving and changing these agreements. At a minimum, quality and related departments (usually operations or manufacturing) should approve these agreements. The number of approvers should be kept at a minimum so that the agreements can be kept flexible enough to be kept up-to-date as experience and events dictate. Although your procedure should spell out the areas that should be covered in a QA agreement with a supplier, QA agreements should always be developed jointly between you and the supplier. Neither party should take anything for granted. These agreements are a working tool to help both you and the supplier understand your roles and responsibilities and to foster good communication between the two of you. The manufacturer should agree with the supplier on individual responsibilities and deliverables. Although you, the manufacturer, are ultimately responsible for the medical device, the supplier also has certain obligations.

Process or product validation is a good example of how manufacturer and supplier can cooperate. It is the manufacturer's responsibility to ensure that the validation is properly performed, regardless of who actually performs the validation. At a minimum, the manufacturer will need to demonstrate that they have reviewed and accepted the validation documents. Therefore, the manufacturer and the supplier should have a mutually approved process for performing process validations, evaluating any changes and determining when re-validation should be performed. Responsibilities related to these tasks should be assigned.

The following is a list of things that should be included in a QA agreement with a supplier, as they are applicable to the particular task the supplier is doing.

General for all QA Agreements

  • Scope of agreement
  • Period of agreement
  • Detailed specifications for the devices/activities covered
  • Agreement that the supplier will not make any changes to the product, processes or this agreement without written permission from the manufacturer
  • Spell out how notification of changes desired by either the manufacturer or supplier are communicated
  • Handling of Corrective and Preventive Actions (CAPAs)
  • Allowed visits and/or audits of the supplier by the manufacturer
    • by you
    • by your notified body
    • by other regulatory bodies, if required
  • Record/documentation retention requirements
    • The supplier can decide how long to keep record but the agreement should usually state that the supplier must offer the records to the manufacturer at the end of their record retention time.
  • If there is a requirement that the supplier maintain a certified quality system or other certification, such as ISO 9001 or ISO 13485
    • If there is a certification requirement, agreement that they notify the manufacturer if there is a status change to that certification

Manufacturing Related

  • Control of documentation
  • Procurement of materials
  • Traceability of raw material/components
  • Control of suppliers
  • Inspection and handling of materials
  • Assembly handling and processing
  • Process deviations
  • Revisions of documents and processes
  • Nonconformances and product deviations
  • Maintenance and calibration requirements
  • Packaging and shipping requirements
  • Sterilization requirements
  • Product returns/product complaint handling
  • Corrective action
  • Warrantee
  • Periodic meetings
  • Handling process for non-conformities
  • Handling of Out-of-Specification (OOS) conditions

Design/development related

  • Generation and control of documentation, including electronic and CAD model files
  • Development plans
  • Design Review (manufacturer should always participate)
  • Risk analysis
    • Risk Management file is always the manufacturer's responsibility
  • Verification activities
    • Validation is always the manufacturer's responsibility
  • Transfer to manufacturing and manufacturing documentation

Remember the overall responsiblity for the design of the device, including design documentation, is ultimately the responsibility of the manufacturer.

Distributor Related (as applicable to the role of the distributor)

  • Addition of labels or translation of labeling
  • Complaint Handling
    • Time to report to manufacturer, usually within 24 hours for anything potentially reportable, that is potentially safety related, and within a few business days for other complaints (specify number of days or range)
    • Obtain and pass on to manufacturer the following complaint information
      • Identification of the customer (e.g. name, company name, address, phone and email);
      • Device name, model and lot or serial number, if supplied by the complainant
      • Description of the complaint, including the date of the incident
      • Whether any devices have been or will be returned
    • Distribution records requirements
      • Serial or lot number of any product distributed
      • Date a quantity shipped
      • Who they shipped it to
  • Cooperation on recalls
    • Distributor records must include sufficient information to permit a complete and rapid recall of all medical devices
  • Product storage requirements
  • Requirements for training on products including training records, if the distributor is reponsible for training
  • Installation requirements including installation records (if the distributor is responsible for installation)
  • What if any responsibility the distributor has for any country-specific regulations or licensing

QA agreements should spell out who is responsible for each type of activity or document. This includes who does or creates it, who approves it, what notices are needed and when. See Figure 5 for an example of how this can be done clearly and briefly. Agreements should define the methods and points of contact. Will there be a single person in each organization responsible for all communication or multiple points of contact allowed? The agreement should give the contact information, including names, job titles, phone numbers and the email addresses of each of the contacts. This section of the agreement often has its own change provision, so that it can be kept up-to-date without re-signing the entire agreement. Especially if there is a single source contact at each location, then provision should be made for an alternate for times the primary contact is not available.

Figure 5

In summary, QA agreements are not only the expected method of control for high risk suppliers but can provide clarity and smoother operations for both the manufacturer and the supplier.

References for Further Reading

  1. ISO 13485:2003, Medical Devices - Quality Management Systems - Requirements for regulatory purposes, 2003 editions
  2. 21 CFR 820, Medical Devices; Current Good Manufacturing Practice (CGMP) Final Rule; Quality System Regulation, Department of Health and Human Services, Food and Drug Administration, October 7, 1996
  3. GHTF/SG3/N17:2008, Quality Management System - Medical Devices - Guidance on the Control of Products and Services Obtained from Suppliers, December 11, 2008
  4. GHTF SG4 N33 R16 Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers Part 3: Regulatory Audit Report
  5. NBOG BPG 2010-1, Guidance for Notified Bodies auditing suppliers to medical device manufacturers, 2010
  6. The 5 "W"s of Quality Agreements, ( by Arvilla Trag, ASQ Certified Quality Auditor, Midwest Consulting Services, Inc. Lifeline Publications (Written for pharmaceutical/biological companies, but also applicable to medical devices)

Betty Lane has over 20 years of experience in Medical Device quality assurance and regulatory affairs. She has established or updated quality systems for numerous small and medium sized medical device and diagnostic companies. Her work enables companies to manage their business in compliance with FDA and ISO 13485 requirements, thus enabling worldwide sale of their products. Her background in digital systems engineering enabled her to facilitate design controls and software validation when they became FDA and industry requirements.

Betty is the founder and president of Be Quality Associates, LLC, a consulting company helping medical device companies implement and improve their quality systems for both business improvement and regulatory compliance. Other services include training, auditing, supplier management and medical device quality system software validation.

Betty has been active in local sections of the American Society for Quality. In addition Betty is a member of the Regulatory Affairs Professional Society, Association for the Advancement of Medical Instrumentation, The Society of Women Engineers and the Institute of Electrical and Electronic Engineers.

View Betty's profile on LinkedIn

Be Quality Associates, LLCMedical Device Quality Systems Specialists7 Hartswood RoadDover, NH 03820phone: 603-742-4963cell phone: 603-781-3472