Supplier Controls —
Requirements and Trends:
Medical Devices
Edward C. Wilson, Jr.
Partner, Washington, D.C.
ecwilson@hhlaw.com
(202) 637-5839
© 2009 Hogan & Hartson LLP. All rights reserved.
1
Overview
•
Why Are Purchasing Controls Important?
–
Business Reasons — Assurance that all components,
materials, and services involved with the manufacture of
medical devices are acceptable for their intended use
•
–
Recalls and low yields are expensive and inefficient
Compliance Reasons — FDA enforcement
© 2009 Hogan & Hartson LLP. All rights reserved.
2
Regulatory Background
•
The Quality System Regulation (QSR) applies to finished
device manufacturers
•
Generally speaking, component suppliers do not have an
independent obligation to comply with the QSR
•
However, a finished device manufacturer may require, by
contract, that a component supplier meet some or all of
the QSR requirements
© 2009 Hogan & Hartson LLP. All rights reserved.
3
Regulatory Background
•
Finished Device — any device or accessory to a device
that is suitable for use or capable of functioning, whether
or not it is packaged, labeled, or sterilized. 21 CFR §
820.3(l)
•
Component — any material, substance, piece, part,
software, firmware, labeling, or assembly, which is
intended to be included in the finished, packaged, and
labeled device. 21 CFR § 820.3
© 2009 Hogan & Hartson LLP. All rights reserved.
4
Regulatory Background
•
Finished device manufacturers serve as gatekeepers over all
components, materials, and services brought into or used by the
finished device manufacturer
Component
Sub-assembly
Contract steriliser
Finished Device Manufacturer
Accessory
© 2009 Hogan & Hartson LLP. All rights reserved.
Contract
manufacturer
Environmental
controls consultant
5
Regulatory Background
•
Compliance with FDA’s Purchasing Control
requirements consists of five (5) key steps
1.
Supplier evaluation
2.
Determination of the level of control to exercise over that
supplier
3.
Recordkeeping
4.
Maintaining and disseminating purchasing data
5.
Incoming acceptance activities (which is covered under a
separate QSR requirement)
© 2009 Hogan & Hartson LLP. All rights reserved.
6
Step 1 — Supplier Evaluation
21 CFR § 820.50
Each manufacturer shall establish and maintain procedures to ensure
that all purchased or otherwise received products and services conform
to specified requirements
Tips for Compliance
•
Implement Purchasing Control procedures that meet each of
FDA’s requirements
•
Ensure that ALL providers of products and services are covered
–
The scope includes, for example, contract manufacturers and
sterilizers, raw material suppliers, suppliers of manufacturing
materials, suppliers of subassemblies, environmental control
specialists and third-party auditors/ consultants
© 2009 Hogan & Hartson LLP. All rights reserved.
7
Step 1 — Supplier Evaluation
Tips for Compliance (cont.)
•
Purchasing Control procedures should:
–
Include processes for qualification, disqualification, and
requalification of suppliers
–
Provide the criteria that are necessary to attain, and then maintain,
“approved” status
–
Include a process by which suppliers can be placed on
probationary status or disqualified
–
Explain how the company’s behavior changes if it continues to
receive product or services from a supplier that is on probation or
that has been re-qualified after being disqualified
© 2009 Hogan & Hartson LLP. All rights reserved.
8
Step 1 — Supplier Evaluation
(a) Evaluation of suppliers, contractors, and consultants. Each
manufacturer shall establish and maintain the requirements, including
quality requirements, that must be met by suppliers, contractors, and
consultants.
Tips for Compliance
•
The type of evaluation is typically determined by the risk, or criticality, of
the products or services provided
•
The evaluation must include the supplier’s ability to meet the finished
device manufacturer’s requirements, including quality requirements
•
The defined requirements, as well as objective evidence the supplier
meets those requirements, should be documented
•
Audits are not mandated by the QSR. However, common practice is to
audit key (critical) suppliers
•
Merely conducting the audit is not enough. You need to establish
acceptance criteria to demonstrate the suitability of the supplier
© 2009 Hogan & Hartson LLP. All rights reserved.
9
Step 2 — Determination of Level
of Control
Each manufacturer shall define the type and extent of control to be
exercised over the product, services, suppliers, contractors, and
consultants, based on the evaluation results.
Tips for Compliance
•
Level of control exercised over supplier is typically based on
supplier type and the risk (criticality) of the product or service
provided.
•
Controls can range from receipt and review of Certificates of
Conformity and Analysis, to 100 percent inspection of incoming
products, to annual audits of the supplier.
•
Other controls may include, for example, ongoing monitoring/
trending of supplier quality metrics and requiring suppliers to
initiate supplier corrective actions.
© 2009 Hogan & Hartson LLP. All rights reserved.
10
Step 3 — Records
Each manufacturer shall establish and maintain records of acceptable
suppliers, contractors, and consultants.
Tips for Compliance
•
•
Maintain an Approved Vendor List
–
And the products/services the supplier is approved to provide
–
One size does not necessarily fit all
For each approved supplier, maintain a file that includes:
–
The qualification and requalification documentation
–
The requirements, including quality requirements, that the supplier
is required to meet
–
Evidence of compliance with those requirements
–
Correspondence regarding corrective actions
–
Performance history
© 2009 Hogan & Hartson LLP. All rights reserved.
11
Step 4 — Purchasing Data
21 CFR § 820.50(b)
Each manufacturer shall establish and maintain data that clearly
describe or reference the specified requirements, including quality
requirements, for purchased or otherwise received product and services.
Purchasing documents shall include, where possible, an agreement that
the suppliers, contractors, and consultants agree to notify the
manufacturer of changes in the product or service so that manufacturers
may determine whether the changes may affect the quality of a finished
device. Purchasing data shall be approved in accordance with 820.40.
© 2009 Hogan & Hartson LLP. All rights reserved.
12
Step 4 — Purchasing Data
Tips for Compliance
•
Examples include drawings, specification sheets, catalogue
numbers, manufacturing procedures
•
Implement systems for providing purchasing data to the supplier
with each order or sending revised purchasing data as needed,
and requiring that obsolete purchasing data be returned or
destroyed
•
Contracts should include provisions whereby the supplier must
notify the finished device manufacturer of any design, product, or
process changes involving the supplied product or component
•
Sub-contracting production to a second- or third-tier supplier
also should be disclosed to the finished device manufacturer
© 2009 Hogan & Hartson LLP. All rights reserved.
13
Step 5 — Acceptance Activities
21 CFR § 820.80
(a) General. Each manufacturer shall establish and maintain procedures
for acceptance activities. Acceptance activities include inspections,
tests, or other verification activities.
(b) Receiving acceptance activities. Each manufacturer shall establish and
maintain procedures for acceptance of incoming product. Incoming
product shall be inspected, tested, or otherwise verified as conforming
to specified requirements. Acceptance or rejection shall be
documented.
© 2009 Hogan & Hartson LLP. All rights reserved.
14
Step 5 — Acceptance Activities
Tips for Compliance
•
Balance Purchasing Controls with Receiving Acceptance
•
The level of incoming inspection or controls should be
commensurate with the criticality or risk of the device
–
For example, some lower risk products may be accepted based on
a visual inspection or test of a statistically based number of units
per lot
–
Higher risk products likely require tighter controls, such as 100%
inspection
•
Collect and use meaningful historical data of the supplier’s
performance
•
Apply the company’s purchasing control and acceptance activity
procedures to internal suppliers
© 2009 Hogan & Hartson LLP. All rights reserved.
15
Global Harmonization Task Force, Study Group 3
Guidance on the Control of Products and Services
Obtained from Suppliers
•
Released in January 2009
•
Manufacturers should treat all intra-company suppliers that
operate under separate quality systems as third-party suppliers
•
Approach could be utilized by FDA
•
Per the GHTF guidance document, a company may wish to
utilize its Purchasing Control and Incoming Inspection
procedures to cover products/components that are supplied by
divisions within the same company if those divisions operate
under a different quality system
–
One method to determine whether the intra-company divisions
operate under a different quality system is to determine whether
the division is subject to the receiving division’s internal audit
process
© 2009 Hogan & Hartson LLP. All rights reserved.
16
Enforcement
•
Purchasing Controls are becoming a greater enforcement
priority for FDA
–
Coverage of Purchasing Controls is mandatory as part of
Production and Process Control portion of QSIT inspections
•
It is important to thoroughly cover Purchasing Controls, to
include outsourced processes, as a [Quality System Inspection
technique] linkage under [Production & Process Controls]
whenever [Production & Process Controls] is covered. The
Purchasing Control coverage must be documented in the
[Establishment Inspection Report] especially if the
manufacturer contracts a sterilization process or contracts the
manufacture of significant components, subassemblies, or
processes.
FDA Compliance Policy Guide (CPG), Policy 7382.845, June 2006
© 2009 Hogan & Hartson LLP. All rights reserved.
17
Enforcement
FDA’s Enforcement Remedies
•
Inspectional Observations
(FDA-483s)
•
Warning Letters and Untitled
Letters
•
Product Seizures
•
Administrative Detention
•
Recalls (Voluntary and
Mandatory)
•
Application Integrity Program
© 2009 Hogan & Hartson LLP. All rights reserved.
•
Injunctions
•
Refusing Requests for 510(k)
Clearance or Premarket
Approval (PMA) of New
Products as well as PMA
Supplements
•
Civil Monetary Penalties
•
Criminal Fines and Penalties
•
Import Alerts/Detentions
18
Enforcement
•
The number of inspectional observations involving Purchasing
Control activities appears to be trending upwards
Warning Letters with Purchasing Control Deficiencies
35
25
19
2006
2007
2008
Source: FDA Warning Letter Database
© 2009 Hogan & Hartson LLP. All rights reserved.
19
Enforcement
•
The number of inspectional observations involving
incoming acceptance activities also is trending upwards
–
2006 — 15 Warning Letters
–
2007 — 13 Warning Letters
–
2008 — 20 Warning Letters
© 2009 Hogan & Hartson LLP. All rights reserved.
20
Enforcement
•
Import Alerts/Detentions
–
FDA’s ability to enforce Purchasing Controls is enhanced when the
third-party supplier is outside of the United States
–
Under broad grant of authority, the FDA can bar the entry of a
product into the United States based on the mere appearance of
adulteration or misbranding
–
The FDA does not need a court order to initiate such action — the
action can be initiated by the FDA and U.S. Customs and Border
Protection Agents at the port of entry
–
FDA also can issue an Import Alert, also known as a ‘detention
without physical examination’ to bar admission of a particular
product. Import Alerts also can be product-specific, or apply to
every product that is manufactured at a particular foreign facility
© 2009 Hogan & Hartson LLP. All rights reserved.
21
For more information on
Hogan & Hartson, please visit us at
www.hhlaw.com
Abu Dhabi
Baltimore
Beijing
Berlin
Boulder
Brussels
Caracas
Colorado Springs
Denver
Geneva
Hong Kong
Houston
London
Los Angeles
Miami
Moscow
Munich
New York
Northern Virginia
Paris
Philadelphia
San Francisco
Shanghai
Silicon Valley
Tokyo
Warsaw
Washington, DC
© 2009 Hogan & Hartson LLP. All rights reserved.
22