Hello everyone and welcome back to another week of MedTech Compliance Chronicles! This week we are continuing our exploration of the quality management system requirements by examining the purchasing process. By now, you should have the requirements for your product, personnel, facility and equipment all worked out. Part of the reason for the existence of a QMS is to provide evidence that all of these requirements are being met. Unless you plan on doing everything from mining the raw material, refining, fabricating, assembling, packaging and delivering yourself, you will need some sort of suppliers for your business. Most suppliers will not necessarily be subject to the same requirements that you are. However, this does not preclude whatever product or service you receive from that supplier from meeting the requirements pertinent to it. It therefore, becomes an important requirement for organizations to make arrangements to ensure that products and services from suppliers meet their requirements.
Suppliers can be a wide array of organizations that provide some sort of product or service to your organization. From the standpoint of the QMS, the purchasing process applies to all received products and services that may have an impact on product quality and do not fall under the same QMS of the organization. This provides two important insights that must be considered. One, these requirements do not apply to suppliers who supply anything that does not affect product quality (i.e., office supplies). Two, what determines if something is considered an internal or supplied product depends on if it falls under the same QMS as the receiving organization. This second point can be a point of confusion in larger organizations with different QMS for different locations. In such cases, even if you are shipping between different business locations within the same organization, the product may still be considered a supplied product if both locations are not covered under the same QMS certificate.
Regardless of who your suppliers are and what they do, there are some general requirements which they all must meet. You will need to evaluate each supplier, clearly define your purchasing information for each purchased product (or service), and verify that the purchased product (or service) meets the requirements that have been set for it.
Supplier evaluation
Before you even decide to purchase something from a particular supplier, you must first perform an evaluation of that supplier. The evaluation must be based on the ability of that supplier to meet the requirements of whatever is being purchased from them. As with all things QMS, the detail of the evaluation should be proportionate to the risk associated with the supplied product or service. This risk can further be broken down into the risk of supplied product and service on the device and the risk of the device itself. If you have available records on the performance of the supplier, this should also be considered in the evaluation. The results of this evaluation will determine the controls you enforce on the supplier later on.
When it comes to how you perform these evaluations you have a number of options. For lower risk suppliers, it is usually justifiable to just verify that the organization has the appropriate licensing and is experienced in performing/producing whatever they are being hired for. For higher risk suppliers you will usually want to verify that they have and maintain a QMS certificate and perhaps, if your organization’s resources allow, even consider visiting the supplier and auditing them to whichever QMS standard they claim conformance. Another standard practice for higher risk suppliers is to go into a formal quality agreement with the supplier in question that clearly states the responsibilities of each party and provides a written agreement that the supplier is able and willing to perform to your specifications (the specifications they are agreeing to should be explicitly stated or referenced in the agreement).
Supplier evaluation is also an iterative, continuous process. At suitable periods, the supplier must be re-evaluated for continued adequacy and in these re-evaluations the performance of the supplier will usually be the primary method of evaluation. Some organizations do an annual re-evaluation of all suppliers while others tier it by the risk level of the supplier (i.e., annual for high risk, biennial for medium risk, triennially for low risk). Whatever interval you choose just be sure you can logically justify it and that you cover all suppliers.
Purchasing Information
Purchasing information refers to all information necessary for the supplier to perform their responsibilities and for your organization to receive them. This includes detailed specifications of what is to be received, engineering drawings, delivery schedules, quantities, prices, etc. For higher risk suppliers, it may even be necessary to put specific requirements on the type of equipment the supplier is supposed to use, the qualifications of the personnel performing the work and even specify testing and sampling levels that must be used prior to supplying the product/service. The key is to be as detailed as you possibly can. You should be trying to get to the point where the compilation of documents that make up the purchasing information, when given to any person experienced in the specific field, will all produce the same product/service and it will be what your organization wants. Remember that, no matter what is in your quality agreement, responsibility for conformity of the product ultimately falls on your organization. If and when you receive nonconforming product (product that does not meet specifications) if you do not have documentation demonstrating that you communicated with the supplier the correct specifications for whatever feature is nonconforming, as far as the regulatory bodies are concerned this is your organization’s mistake. Unfortunately, this holds true no matter how obvious you think some requirements would be.
Product Verification
The final requirement of the purchasing process is that purchased product meets specified requirements. This is usually done via incoming inspection and/or testing. The adequacy of inspection/test and any sampling methods used (if you do not verify every single product) must be justified. If your risk assessment deems it acceptable (which would be based on the risk of the product and the ability of the supplier to produce it), requiring the supplier to include a certificate of conformity (COC) with each shipment and verifying this COC along with maybe the part #’s and quantities may suffice for an incoming inspection. Having the supplier produce COC’s is usually used in one of three instances 1) where the supplied product is low risk 2) when acceptance testing and or verification of the product is either obvious or well known industry standard and 3) you have specified inspections/testing to be performed prior to shipment, and that the supplier must include a COC that these activities were done in the purchasing information. Whatever methods you choose to implement you must maintain documented evidence that all received product conforms to its requirements. If you use sampling for inspection/testing you must also have documented rationale for the sampling methods used based on valid statistical techniques.
Another aspect affecting product verification is if the supplier happens to make changes to the product. For this reason, it is a requirement that wherever possible the organization have the supplier agree, in writing, to inform the organization of its intentions to change the product prior to implementing the change. When this notification comes, or if such an agreement is not possible and the organization becomes aware of a change in purchased product, the organization must perform a risk-based assessment of if the change will affect product realization or the device itself.
Conclusion
You do not have to perform every single activity required to produce your medical device yourself. However, not doing so forces you into a situation where you do not have complete control over all of these activities. While you may not have control over the activities, you are responsible for what they produce. This is why purchasing controls are necessary for an organization to maintain compliance with regulations. Just like the activities you do control, you must verify that the outputs of supplier processes meet their requirements. This verification comes first from having a clearly defined and thorough supplier evaluation process to ensure the right supplier is chosen. You must then also make sure you are setting up the supplier for success and what exactly you want from them is crystal clear. Finally, it is never enough to just set things up well and hope for the best, so you must continue to verify the supplied product is conforming and re-evaluate each supplier from time to time.
Comments