Who’s ultimately responsible for a finished device’s quality and safety? The manufacturer—also known as the sponsor/owner or the company that lists the finished device on the FDA’s database, including kit assemblers. A strong purchasing control process is critical for success because it’s likely there are materials, components, or processes outsourced to a contract supplier.

Weekly, I receive questions about specification, inspection, and validation responsibilities from contract manufacturers (suppliers) and device manufacturers:

• “What if I’m going to package an off-the-shelf (fill-in-the-blank) with my device for surgeon convenience?”
• “The contract manufacturer is ISO 13485 certified; why worry about inspection or validation?”
• “Our (fill-in-the-blank) is just like the competitor’s product that gets sterilized at the same location, so do we really need to validate the sterilization process?”

Answering these and similar questions is not easy; start from the beginning with the regulation’s verbiage and the definition of the terms.

21 CFR § 820.50 Purchasing controls: Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.

(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:

• (1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
• (2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
• (3) Establish and maintain records of acceptable suppliers, contractors, and consultants.

(b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with § 820.40.


Purchasing controls apply to supplied products, components, services, and consultants. “Product” means components, manufacturing materials, in-process devices, finished devices, and returned devices. “Component” means any raw material, substance, piece, part, software, firmware, labeling, or assembly intended as part of the finished, packaged, and labeled device.

21 CFR § 820.3: “Service” (contractor) means parts of the manufacturing or quality system that are contracted to others, for example, plating of metals, testing, and sterilizing, among others. (Preamble, Comment #102)

Purchasing controls apply to all or nearly all suppliers for any raw material, components, manufacturing material (chemicals used in any manufacturing process), outside processes, etc. that are part of, come in contact with, or impact the finished device’s quality. The manufacturer is responsible for finished device’s quality. This depends on the quality of the raw materials, components, processes, and services. It’s not possible to outsource that responsibility to contract manufacturers or suppliers through quality agreements or assignments.

Section 820.50(a)(1) makes it sound simple: “evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluations shall be documented.”

The first item is evaluation shall be documented, which means the manufacturer needs a documented process that lays out a repeatable method to complete evaluations and document results. Evaluating potential suppliers often involves quantifying the risk associated with the product or service and a list of qualification activities that increase in depth as the potential risk to quality increases.

According to Section 820.50(a)(2), a manufacturer shall “define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.” The first step involves a risk assessment that varies slightly from process and design risk assessments but uses information gleaned from those two types.

For products or processes listed in the table, those where a supplier failure is difficult to identify in incoming inspection should be considered high risk and a higher “extent of control” is required. If the manufacturer can’t confirm a raw material is exactly as specified in a certificate of analysis, there must be overwhelming confidence in the material supplier and their documentation. The same applies to most other products and processes in the table because most companies can’t inspect unseen product or process characteristics.

Two types of risks to be evaluated are risks inherent to the product, component, or process, and risks based on the supplier’s internal quality controls. If a supplier meets all initial requirements but incoming inspection identifies a high number of failures, that supplier should be considered high risk. There should be cooperation with the supplier to improve performance and increased inspection until the issues are resolved.

Supplier qualification activities should be based on risks identified for that product or process. These include collecting proof of ISO 13485 certification, supplier surveys, facility audits, increased incoming inspections, review of validation activities, and a quality agreement. A supplier shouldn’t be considered qualified until all required activities are completed. For consultants, it’s the manufacturer’s responsibility to have documentation related to education, experience, and certifications.

According to Section 820.50(a)(3), the manufacturers shall “establish and maintain records of acceptable suppliers, contractors, and consultants.” The general practice involves having an “approved supplier list” (ASL) controlled by the quality department and a method of preventing products or services from being ordered from any company that isn’t on the ASL for that specific product or process.

There are generally re-approval timelines, like annual review of the supplier survey or a facility re-audit every three years. The quality system should have ways of triggering supplier review if there are problems with quality identified through nonconformances found in incoming inspections, or through failures in the field. A quality agreement (contract) should be in place with each supplier that includes a clause requiring the supplier to notify the manufacturer of any changes that may affect the finished device’s quality. If a manufacturer receives a notification, documented activities should include a thorough assessment of any modified or new risks associated with the change.

FDA warning letters, product recalls, and patient harm are why purchasing and supplier controls are so important. In September 2022, Med Pen Concepts received a warning letter partly because their purchasing control processes were not followed: “Activities surrounding acceptance of devices were not documented showing that your firm is inspecting, testing, or otherwise verifying that devices received from contract manufacturers conform to specified requirements.”

In June 2023, Vitang Technology received a warning letter partly for “not defining the type and extent of control to be exercised over supplier services” and when asked for a documented evaluation of the contract manufacturer, the company only provided “a Manufacturing and Supply Agreement.”

A manufacturer cannot contract away the responsibility for product quality.

---

MORE FROM THIS AUTHOR: How to Hit the Moving Target of Medical Device Cybersecurity

---

Meredith Vanderbilt, director of consulting at Empirical, is an internationally known medical device regulatory affairs consultant unafraid to communicate directly and honestly with regulatory bodies and clients about strategies and submissions to provide compliant and high-quality devices to the market.