According to FDA, 21 CFR Part 820.50—Purchasing Controls continues to be a significant concern for device manufacturers The agency reports continued violations, and has issued multiple Form 483 Observations and Warning Letters. According to Kimberly Trautman, the FDA’s current Good Manufacturing Practices (CGMP) and Quality System Regulations (QSR) expert, suppliers providing nonconforming material are directly related to an increase in medical device recalls. Such nonconformance increases the need for effective quality processes to mitigate risk.

Bob Mehta

January 7, 2013

9 Min Read
Using Audits to Improve Supplier Performance

pen_checkmarks.jpgWith the agency’s increased vigilance over device manufacturers, how can companies better position themselves to achieve and sustain compliance? One key tool is the establishment of an effective purchasing control procedure that places significant emphasis on supplier controls and a value-added supplier audit program. A value-added supplier audit program can help organizations mitigate business and regulatory risk while reducing the cost of poor quality (COPQ). 

21 CFR, Part 820 – Subpart E Purchasing Controls says that each manufacturer must establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements. Two sections are critical to understanding purchase controls, outlined here. 

Evaluation of Suppliers, Contractors, and Consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements that must be met by suppliers, contractors, and consultants. According to this section, each manufacturer must perform the following tasks: 

  • Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. Evaluations should be documented. 

  • Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results. 

  • Establish and maintain records of acceptable suppliers, contractors, and consultants. 

Purchasing Data. Manufacturers must establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with 820.40. 

One of the terms employed by FDA throughout the QSR is “establish.” According to FDA, establish means to define, document (in writing or electronically), and implement. In support of establishing an effective value-added supplier audit program for improving supplier performance, attention to detail is important. Documenting the entire process in writing an implementation should be considered a mission-critical task. 

Warning Letter Excerpt — 2/9/2012

 “Failure to establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements, as required by 21 CFR 820.50. For example, your firm does not have any purchasing controls procedures to ensure that all purchased or otherwise received powered muscle stimulator devices conform to specified requirements. Your firm has not evaluated your supplier and vendor of the powered muscle stimulator device, your label manufacturer, or your overseas import broker on their ability to meet specified requirements, including quality requirements.”

Additionally, the trend in the agency’s issuance of warning letters for failure to comply with 820.50 can easily by reversed if device manufacturers establish adequate procedures and controls for purchasing and supplier management. Warning letters, such as one issued on February 9, 2012 (see the sidebar “Warning Letter Excerpt — 2/9/2012), highlight the need for device manufacturers to establish effective procedures and actually employ them for assuring the quality of products purchased. 

Value-Added Supplier Audit Program 

There are many reasons for organizations to establish a value-added supplier audit program. Now granted, sustaining regulatory compliance is a salient requirement; however, there are other factors organizations need to consider when establishing an approach to value-added supplier audits, some examples of which are as follows: 

  • Preservation of brand equity

  • Ensuring values and strategy are clearly understood by the supplier

  • Establishment of consistent practices amongst suppliers

  • Achieving supplier return on investment (ROI) goals

  • Providing supplier oversight, so efficiency and continuous improvement targets can be achieved. 

When intelligently designed, a value-added supplier audit program can provide real value for a device manufacturer. Establishing a value-added program begins with the understanding that the program fundamentals expand beyond the physical performance of supplier audits. Suppliers that have a certified quality management system (QMS), in accordance with ISO 9001:2008 or ISO 13485:2003, have the basic system elements in place. Certification allows device manufacturers to focus on process-specific audits, which inherently provide more value. However, Trautman cautions manufacturers against relying solely on ISO certification by third parties as evidence that suppliers have the capability to provide quality products or services. Key elements needing to be considered for inclusion into a value-added supplier audit program are as follows: 

  • A well-written supplier quality agreement delineating responsibilities and expectations; 

  • A supplier questionnaire that focuses on business and technology; 

  • Supplier scorecards that are performance centric; 

  • Supplier onsite assessment checklist; 

  • Supplier statistical data program in support of reduced incoming inspection; and 

  • Creation of supplier categories premised on risk (business and regulatory). 

The device industry continues to employ three categories of supplier assessments: supplier selection and qualification audits, supplier surveillance audits to ensure conformance to requirements is being sustained, and for-cause audits, when supplier nonconformances negatively influence finished device performance. Because of the expense associated with performing supplier audits, device manufacturers are in a constant cost-containment battle. The trade-off becomes containing costs associated with supplier oversight while reducing costs associated with COPQ. It has never been economically viable to perform on-site audits on all of a device manufacturer’s suppliers, nor is it value added. 

Another trend influencing the medical device industry is suppliers wanting to be paid for entertaining audits. Device manufacturers invest a significant amount of time and money selecting, approving, and incorporating purchased components into finished medical devices. Considering the expense of validation and the regulatory ramifications associated with the changing of critical component suppliers, it is seldom economically viable to replace suppliers charging for audits. A supplier charging for an audit is an expense that must be considered in advance. 

Focused versus QMS Audits 

Focused and QMS audits provide value depending upon the application. If a supplier has a certified QMS, then the elements of an effective quality system are already in place. However, if a potential supplier does not have a certified QMS, performing an initial audit of the supplier’s quality system is considered prudent and categorized as value-added. Considering the costs associated with device validation, it is too risky to proceed with a business relationship without first kicking the tires. However, if the supplier has a certified QMS, a focused audit is probably the correct path to travel. A focused audit can be employed to assess technical capabilities, capacity, and supply chain. 

Audit Need and Frequency 

Audit need versus frequency is one of the significant influencers driving the need for a value-added supplier audit program. It makes zero sense for device manufacturers to attempt an audit 100% of their supplier base. Conversely, not auditing suppliers or establishing a program for supplier oversight will in all likelihood result in an increase in the COPQ, and potentially invite regulatory action from FDA. A value-added supplier audit program should be governed by audit need, premised on supplier risk. For example, critical suppliers, such as a sterilization facility, should warrant an annual assessment. For the supplier of a poly/Tyvek pouch (sterile barrier), once every three years may be appropriate. The key is for the device manufacturer to adequately define need and frequency. Regardless of the approach, FDA will want to see evidence of program effectiveness. 

Evaluating Risk 

Performing supplier audits can be expensive. Costs such as employing trained auditors, having to manage an extensive list of suppliers, time associated with pre and post-audit activities, and the cost of travel can quickly become problematic even for the most cost-conscience organizations. That is why it is extremely important to include the assessment of risk as part of the program. Creating risk categories, performing risk analysis, focusing on risk reduction, and when appropriate, identifying levels of risk assessment are important features associated with a value-added supplier audit program. 

Third-Party Audits 

Third-party audits, the use of consultants as an extension of a device manufacturer’s value-added supplier audit program, can be a blessing or a curse. Outsourcing supplier audits can result in an immediate and often substantial savings to device manufacturers. However, there is also significant trust involved when outsourcing supplier audits. Auditor competency will influence the overall effectiveness of third-party audits. Auditors lacking experience to assess compliance against applicable regulations, standards, and industry guidelines or lacking technology-specific competency, regardless of credentials, affect the performance of optimum audits resulting in missed opportunities for driving supplier corrections and improvements. 


Considering the current regulatory climate and the need for organizations to focus on factors reducing the COPQ, implementing an effective value-added supplier audit program becomes a fundamental requirement for device manufacturers. It will never be practical to institute a program requiring a 100% performance of on-site supplier audits, nor will it be acceptable not performing some level of supplier assessments. The solution is to develop and implement an appropriate tool set that supports a value-added approach. Audit type, frequency, and the employment of third-party auditors will influence the cost of any audit program. However, the goal of the program should be to reduce the COPQ. An effective value-added supplier audit program will significantly reduce the COPQ ensuring: (a) suppliers maintain a QMS; (b) suppliers sustain compliance to applicable regulatory requirements; and (c) suppliers manufacture and/or supply a quality product or service. 

Warning letters. Retrieved March 10, 2012. 

Medical device warning letter statistics 2011.  

SQA Services Website Protecting the global supply chain through an effective audit program.  

Managing risk in supplier audits

SGS Website Supplier Audit


Mehta-Headshot.jpgBob Mehta is principal consultant of GMP ISO Expert Services, a Los Angeles/Orange County-based consulting firm specializing in global supplier quality management, supporting quality systems for FDA and ISO regulated companies and helping with remediation of quality systems as a result of FDA’s warning letters to make the system compliant to regulatory requirements. Mehta has more than 22 years of experience in the fields of quality, regulatory compliance, regulatory and notified body inspections, supply management, and risk management. Mehta holds MSQA, MBA, B.S. (Chem), and ASQ - CSSBB, CQE, CRE, CSQE, CBA, CQA, CPA certifications. He serves on the committee of the Industry Board of Advisor for Medical Device Industry Education Consortium (MDIEC). He is heavily involved in remediating and implementing the risk-based quality systems and supplier audit program for Fortune 500 clients in a variety of industries, including medical device, pharmaceutical, biotech and neutraceutical. 

Sign up for the QMED & MD+DI Daily newsletter.

You May Also Like