Medical device manufacturers Supplier management requirements, QSIT Inspection techniques, and MDSAP tasks

The regulatory bodies hold medical device manufacturers responsible for every step of their supply chain. The increasing complexity in global and outsourced supply requires the manufactures to implement a life-cycle management approach. The surge in Medical device recalls in the U.S in recent years has led FDA to increase its scrutiny of manufacturers' supplier controls.

The preceding makes it vital for you as medical device professionals to be well informed about the requirements and different types of inspections. Proper supplier management limits financial, business and reputational risk.

The regulatory requirements

Supplier selection and management, purchase controls

The QSR includes requirements with regard to the methods, facilities, and controls used for designing, manufacturing, packaging, labeling, storing, installing, and servicing medical devices intended for human use. Finished device manufactures should evaluate the capability of their suppliers, contractors, and consultants to provide quality products pursuant to 21 CFR Part 820.50 - Purchasing Controls.

"Each manufacturer shall establish and maintain the requirements, including quality requirements that must be met by suppliers, contractors, and consultants. Each manufacturer shall:

• Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
• Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
• Establish and maintain records of acceptable suppliers, contractors, and consultants."

Purchasing data: "Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with B' 820.40."

The ISO 13485:2016 requirements

The manufacturer is responsible for the supplier's performance

The abstract states "The processes required by ISO 13485:2016 that are applicable to the organization, but are not performed by the organization, are the responsibility of the organization and are accounted for in the organization's quality management system by monitoring, maintaining and controlling the processes."

Control of outsourced process

In the Quality Management System section of the ISO 13485 standard (4.1), states "the organization shall retain responsibility of conformity to this International Standard and to customer and applicable regulatory requirements for outsourced processes. The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with 7.4. The controls shall include written quality agreements".

7.4.1 Purchasing process, 7.4.2 Purchasing information, and section 7.4.3 Verification of purchased product

• Requires the organization to have an established criteria for supplier evaluation and selection
• Use the criteria to evaluate the ability of the supplier to provide a products that satisfies the requirement
• Take into account the supplier's performance
• Take into account the criticality and the effect that a purchased product may have on the medical device's quality
• Requires the organization to have an established criteria for supplier evaluation and selection
• Use the criteria to evaluate the ability of the supplier to provide a products that satisfies the requirement
• Take into account the supplier's performance
• Take into account the criticality and the effect that a purchased product may have on the medical device's quality

Documentation

• A procedure
• Records of suppliers evaluation, selection, and monitoring
• Purchasing information documents and records,
• Written agreement as applicable that the supplier inform the company of changes in the purchased product before implementation of any changes that affect the ability of the purchased product to meet specified purchase requirements
• Documentation for full purchasing process including verification

Learning from the Inspections

Quality System Inspection Technique - QSIT Inspections

Quality system inspections are conducted using the Quality System Inspection Technique (QSIT). By reviewing the Guide to Inspections of Quality Systems, (also called QSIT guide), you will be equipped to meet the needs of every inspection.

FDA's QSIT inspections are developed to systematically assess the compliance of a firm. The four major subsystems identified in the QSIT are Design Controls, Corrective and Preventive Actions (CAPA), and Production and Process Controls. The two types of QSIT inspections

Level 2 (Comprehensive) inspection:

• Covers all four major subsystems
• Conducted after a firm has had a Level 2 inspection and every six years thereafter
• Provides an overall evaluation of the quality system.

Level 1 (Abbreviated) inspection:

• Conducted after a firm has had a Level 2 inspection and the quality system was found to be in compliance with all requirements
• Includes the Corrective and Preventive Actions (CAPA) subsystem, plus one other major subsystem. A different subsystem will be chosen for each subsequent Level 1 inspection

MDSAP auditing

"The Medical Device Single Audit Program (MDSAP) is a program that allows the conduct of a single regulatory audit of a medical device manufacturer's quality management system that satisfies the requirements of multiple regulatory jurisdictions. Audits are conducted by Auditing Organizations authorized by the participating Regulatory Authorities to audit under MDSAP requirements."

For a detailed understanding of the MDSAP program, attend the seminar Medical Device Single Audit Program [MDSAP] Implementation & Participating Country Regulatory Processes: U.S., Canada, Brazil, Australia and Japan.

MDSAP includes the regulatory jurisdictions and agencies of:

1. United States: Food & Drug Administration or FDA (Quality System Regulation 21 CFR Part 820)
2. Canada: Health Canada or HC
3. Brazil: AgC*ncia Nacional de VigilC"ncia SanitC!ria or ANVISA (RDC ANVISA 16/2013)
4. Australia: Therapeutic Goods Administration or TGA (TG(MD)R Sch3)
5. Japan: Ministry of Health, Labo ur and Welfare, and the Japanese Pharmaceuticals and Medical Devices Agency or MHLW/PMDA (MHLW Ministerial Ordinance No. 169)
• Auditing organizations that are authorized by the participating regulatory authorities conduct the audits. Companies should comply with ISO 13485:2016 and additional requirements of each country in the MDSAP.
• The applying company is graded for compliance with approximately 80 MDSAP tasks.
• A 4-point grading matrix is used to assign points to non-conformities written against requirements in ISO 13485:2016.
• The initial point score is applied to a series of escalation rules that may or may not result in a higher final point grade

The MDSAP is based on a 3-year audit cycle:

FDA's supplier classification

"Internal (In house) - only when the supplier is under the same Quality System internal quality audit.

External - supplier is not under the same Quality System internal quality audit. - Affiliated companies - supplier affiliated with the device manufacturer, a "sister company," or another division

**Need to qualify external suppliers"

Attend the seminar 'Supplier management for medical device manufacturers' to gain access to tools, templates, and methods that help you implement an effective, efficient, and compliant supplier management program.

The speaker Daniel O'Leary has more than 30 years' experience in quality, operations, and program management in regulated industries including aviation, defense, medical devices, and clinical labs. He is an ASQ certified biomedical auditor, quality auditor, quality engineer, reliability engineer, and Six Sigma black belt; he holds an APICS certification in resource management.