Medical Device Link.

Legal responsibility

Medical device manufacturers are ultimately responsible for the products and services that they obtain from their suppliers, regardless of what is supplied and where the supplier is located. In the United States (US) and Europe, this is not just a quality system responsibility, it is a legal responsibility. Under European requirements, the manufacturer is responsible for ensuring and declaring that the products placed on the market meet the provisions of the Directives that apply to them. Conformity to the European harmonised standard for medical devices, EN ISO 13485:2003 (ISO 13485), provides a presumption of conformity to the medical device quality assurance requirements. Under US regulations the legal responsibility of the manufacturer to comply with the US Quality System Regulation (QSR) (21 CFR 820) is in section 820.1, Scope, which states that the QSR applies to manufacturers of finished medical devices. The specific requirements in the QSR concerning suppliers are discussed later.

The important point is that when product problems occur because of a failure of supplied products, materials, components or services, the manufacturer placing the products on the US or European market is legally responsible for addressing these problems and for any adverse events that may have occurred as a result of these problems. For this reason, it is critically important that medical device manufacturers develop effective systems for managing and controlling suppliers.

ISO 9001 clarification on supplier controls

Some medical device companies operate not only under medical device quality system standards and QSR requirements, but also under ISO 9001, Quality Management Systems, Requirements. In November 2008, ISO 9001:2008 was published, which is intended to enhance the clarity of ISO 9001:2000 and increase its compatibility with ISO 14001:2004. ISO 9001:2008 does not introduce any additional requirements or change the intent of ISO 9001:2000.

One of the amendments concerns clause 4.1, General Requirements, which in ISO 9001:2000 requires that an organisation controls outsourced processes that affect product conformity with requirements and that this control be identified within the quality management system. ISO 9001:2008 includes the need to define the type and extent of control to be applied to outsourced processes. In addition, the notes applying to this subclause have been changed. A note that was in ISO 9001:2000 has been slightly amended, but more significantly two additional notes have been added. Note 2 defines “outsourced process.” Note 3 points out that ensuring control over outsourced processes does not absolve the organisation of the responsibility of conformity to all customer, statutory and regulatory requirements. It also advises that the type and extent of control to be applied to the outsourced process may be influenced by factors such as

• the potential impact of the outsourced process on the organisation’s capability to provide product that conforms to requirements

• the degree to which the control for the process is shared

• the capability of achieving the necessary control through the application of clause 7.4.

In addition to the changes to clause 4.1, ISO Technical Committee 176/Subcommittee 2 has published a number of guidance modules, which are available from www.iso.org/tc176/SC2, one of which is on “Outsourced Processes.” This provides useful information, but medical device manufacturers will need to ensure that both US and European requirements are being met.

Otherwise received products

EN ISO 13485:2003 (ISO 13485) is the quality system standard adopted in Europe for medical devices, and clause 7.4.1, Purchasing Process, requires the establishment of documented procedures to ensure that purchased product conforms to specified purchase requirements. Section 820.50 of the QSR requires the establishment of documented procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.

The inclusion of “otherwise received product and services” in the QSR means that purchasing and/or goods receipt procedures must cover all product and services received from outside the finished device manufacturer, whether payment occurs or not. This includes products or services provided by a corporate affiliate or even customer supplied product. If manufacturers do not understand that purchasing controls should be applied to products and services that are not necessarily purchased, but may originate from an affiliate company or other type of internal supplier, their purchasing procedures may not comply with US requirements.

The guidance in ISO TIR 14969:2004, Medical Devices, Quality Management Systems, Guidance on the Application of ISO 13485:2003, supports the inclusion of “otherwise received products and services” in supplier control programmes. Clause 7.4.1.1 points out that the application of the supplier control process depends on the nature and risk associated with the product or service, including outsourced processes being purchased or otherwise received.

In addition to ISO TIR 14969, two other documents provide guidance on the inclusion of products or services that are not necessarily purchased. The Global Harmonisation Task Force (GHTF) guidance on supplier controls1 in section 1.0, Scope, states that a supplier is anyone that is independent from the manufacturer’s quality system, and discusses the concept of internal suppliers. Readers are encouraged to obtain the GHTF guidance document, which is intended for educational purposes and not to be used to assess or audit compliance with regulatory requirements. Additional guidance on the need to consider internal suppliers is included in the ISO guidance on Outsourced Processes mentioned above.

Suppliers, contractors and consultants

ISO 13485 clause 7.4.1, Purchasing Process, states that the organisation shall evaluate and select suppliers based on their ability to supply product in accordance with the organisation’s requirements. Section 820.50(a), Evaluation of Suppliers, Contractors and Consultants, of the QSR requires that each manufacturer establishes and maintains the requirements, including quality requirements that must be met by suppliers, contractors and consultants. This clause also requires that the manufacturer evaluates and selects potential suppliers, contractors and consultants on the basis of their ability to meet specified requirements, and that the evaluation must be documented. It is then necessary to define the type and extent of control to be exercised over the product, services, suppliers, contractors and consultants, based on the evaluation results. In addition, the manufacturer must establish and maintain records of acceptable suppliers, contractors and consultants.

Manufacturers conforming only to the requirements of ISO 13485 may not have included consultants in their supplier control programmes and therefore risk failing to fully comply with QSR section 820.50(a).

Notification of changes

ISO 13485 clause 7.4.2, Purchasing Information, requires that purchasing information describes the product to be purchased, including where appropriate, requirements for approval of product, procedures, processes and equipment; requirements for qualification of personnel; and quality management system requirements. The US requirement is similar. Section 820.50(b), Purchasing Data, requires that manufacturers establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services.

The primary difference between US and European requirements regarding purchasing information and purchasing data is that the QSR specifically requires that purchasing documents include, where possible, an agreement that the suppliers, contractors and consultants agree to notify the manufacturer of changes in the product or service, so that manufacturers may determine whether the changes may affect the quality of a finished device. Regardless of the inclusion of “where possible,” the US Food and Drug Administration (FDA) has stated2 that information on changes made by suppliers is important to the manufacturer and that the manufacturer should obtain information on changes to the supplied product or service. FDA also states that where a supplier refuses to agree to provide this notification, depending on the product or service being purchased, it may render the supplier unacceptable. FDA acknowledges, however, that where the product is in short supply and must be purchased, the manufacturer will need to increase control in other ways.

The need to obtain an agreement regarding changes made to the product or service is not included in ISO 13485. For this reason, manufacturers conforming only to ISO 13485, without specifically evaluating the QSR, will probably fail to be in compliance with this US requirement.

Other important differences

Readers should pay particular attention to the guidance provided in ISO TIR 14969 on meeting the requirements of ISO 13485 clause 7.4.2, Purchasing Information. The guidance states that an organisation’s purchasing information (including the requirement for supplier records) should define appropriate requirements and communicate them to the supplier to ensure the quality of the purchased product or service. The guidance then states that typically these requirements are formalised in an agreement between the organisation and the supplier.

Manufacturers who fail to establish adequate written agreements with their suppliers not only risk receiving nonconforming products or services, but also FDA enforcement actions. FDA has issued warning letters to manufacturers who have failed to have written agreements with suppliers, which specify the division of responsibilities as they relate to

• developing, implementing and controlling the Device Master Record

• indicating the authority for lot release and distribution

• how product release is to be implemented and controlled

• how the handling, investigating and analysing of nonconforming data, complaints and corrective and preventive actions will be documented, exchanged and coordinated.

As stated previously, section 820.50(a) of the QSR requires the establishment and maintenance of records of acceptable suppliers, contractors and consultants. Clause 7.4.1, Purchasing Process, of ISO 13485 requires that records of the results of evaluations and any necessary actions arising from the evaluation are maintained; however, there is no specific requirement for a record of acceptable suppliers.

QSR section 820.50(b), Purchasing Data, requires that purchasing data be approved in accordance with section 820.40. This means that purchasing data such as a product specification or drawing must be reviewed and approved before release of the data. The approval, including the date and signature of the approving individual, must be documented. Readers are referred to section 820.40 for the full requirement. It should be noted that FDA does not require the approval of each purchasing transaction. The requirement in ISO 13485 clause 7.4.2, Purchasing Information, to maintain documents in accordance with the clause covering document control is much less specific than the US requirement; therefore, compliance with ISO 13485 alone may lead to a failure to fully comply with the US requirements for approving purchasing data.

Guidance on US expectations regarding the control of suppliers, including contract sterilisers, can be found in chapter 10, Purchasing and Acceptance Activities, of the FDA Medical Device Quality Systems Manual: A Small Entity Compliance Guide, www.fda.gov/cdrh/dsma/gmpman.html.

Ensuring compliance

Prudent medical device manufacturers marketing or planning to market their products in the US and Europe will make every effort to develop an effective supplier control programme, which will be significantly more efficient and less costly than risking the use of unacceptable products and services in their finished medical devices. They will also seek to clearly understand the similarities and differences between the US and Europe regarding supplier control requirements, and thus avoid nonconformities with either requirements.

Maria E. Donawa Donawa Consulting, Piazza Albania 10, I-00153 Rome, Italy, tel. +39 06 578 2665, e-mail: medonawa@donawa.com www.donawa.com