Guidance Document: Quality Management System - Medical Devices - Guidance on the Control of Products and Services Obtained from Suppliers

Help on accessing alternative formats, such as Portable Document Format (PDF), Microsoft Word and PowerPoint (PPT) files, can be obtained in the alternate format help section.

Contact: Device Licensing

Notice

May 31, 2010

Our file number: 10-109706-625

Subject: Adoption of Global Harmonization Task Force (GHTF) Guidance: Quality Management System - Medical Devices - Guidance on the Control of Products and Services Obtained from Suppliers

Health Canada is pleased to announce the adoption of the GHTF Guidance Quality Management System - Medical Devices - Guidance on the Control of Products and Services Obtained from Suppliers.

This guidance has been developed by the appropriate GHTF Expert Study Group (Study Group 3) and has been subject to consultation by the regulatory parties, in accordance with the GHTF Process. The GHTF Steering Committee has endorsed the final document.

In adopting this GHTF guidance, Health Canada endorses the principles and practices described therein.  This document should be read in conjunction with this covering letter and with the relevant sections of other applicable Health Canada guidances.

This and other guidance documents are currently available on the Health Canada website.

Additional Information

Should you have any questions regarding the content of the guidance, please contact:

Device Licensing Services Division
Medical Devices Bureau
Therapeutic Products Directorate
Health Canada
Room 1605 Main Building
150 Tunney's Pasture Driveway
Address Locator 0301H1
Ottawa, Ontario
K1A 0K9

Telephone: 613-957-7285
Fax: 613-957-6345

Email: device_licensing@hc-sc.gc.ca

Date Adopted: 2010/04/20
Effective Date: 2010/05/31

Foreward

This guidance document was produced by the Global Harmonization Task Force (GHTF), which is comprised of representatives from medical device regulatory agencies and the regulated industry. The document is intended to provide non-binding guidance for use in the regulation of medical devices, and has been subject to consultation throughout its development.

There are no restrictions on the reproduction, distribution or use of this document; however, incorporation of this document, in part or in whole, into any other document, or its translation into languages other than English, does not convey or represent an endorsement of any kind by the Global Harmonization Task Force.

In adopting this GHTF guidance, Health Canada endorses the principles and practices described therein. This document should be read in conjunction with the accompanying notice and the relevant sections of other applicable guidances.

Guidance documents are meant to provide assistance to industry and health care professionals on how to comply with the policies and governing statutes and regulations. They also serve to provide review and compliance guidance to staff, thereby ensuring that mandates are implemented in a fair, consistent and effective manner.

Guidance documents are administrative instruments not having force of law and, as such, allow for flexibility in approach. Alternate approaches to the principles and practices described in this document may be acceptable provided they are supported by adequate scientific justification. Alternate approaches should be discussed in advance with the relevant program area to avoid the possible finding that applicable statutory or regulatory requirements have not been met.

As a corollary to the above, it is equally important to note that Health Canada reserves the right to request information or material, or define conditions not specifically described in this guidance, in order to allow the Department to adequately assess the safety, efficacy or quality of a therapeutic product. Health Canada is committed to ensuring that such requests are justifiable and that decisions are clearly documented.

Table of Contents

1. Introduction
2. Scope
3. Definitions
   • 3.1 Supplier (ISO 9000:2005, Clause 3.3.6)
   • 3.2 Product (ISO 9000:2005, Clause 3.4.2)
   • 3.3 Process (ISO 9000:2005, Clause 3.4.1)
   • 3.4 Objective evidence (ISO9000:2005, Clause 3.8.1)
   • 3.5 Manufacturer (Global Harmonization Task Force (GHTF) SG1(PD)N055 R6, section 4.1)
4. General Principles
   • 4.1 Planning
     • 4.1.1 Product or service to be obtained from supplier(s)
     • 4.1.2 Technical and process information
     • 4.1.3 Identification of potential supplier(s)
     • 4.1.4 Identification of risk(s)
     • 4.1.5 Identification of controls
   • 4.2 Selection of potential suppliers
     • 4.2.1 Supplier business capability
     • 4.2.2 Supplier operational capability
     • 4.2.3 Selection of potential supplier
   • 4.3 Supplier evaluation and acceptance
     • 4.3.1 Planning for evaluation and selection criteria
     • 4.3.2 Communicate with potential suppliers
     • 4.3.3 Evaluation of potential supplier's ability to meet selection criteria
     • 4.3.4 Supplier acceptance
   • 4.4 Finalization of Controls
   • 4.5 Delivery, measurement and monitoring
   • 4.6 Feedback and communication

1. Introduction

This guidance document is intended for medical device manufacturers and it is expected that the reader is familiar with regulatory quality management system requirements within the medical devices sector. This guidance document may also be useful to regulatory authorities and suppliers. This guidance document is intended for educational purposes and it is not intended to be used to assess or audit compliance with regulatory requirements.

Existing regulatory requirements, such as Sections 4.1 and 7.4 of ISO13485:2003, Articles 5 and 37 through 39 of the Japanese Ministerial Ordinance on Standards for Manufacturing Control and Quality Control for Medical Devices and in vitro Diagnostics (MHLW Ministerial Ordinance Number 169, 2004), and the United States Food and Drug Administration (FDA) 1996 Quality System Regulation 21 CFR Part 820, sections 820.50 Purchasing controls, and 820.80 Receiving, in-process, and finished device acceptance, which require organizations to control products and services obtained from suppliers. These requirements call for the type and extent of controls to be established and documented within the organization's quality management system. Control could be defined and documented in the form of contractual arrangements, quality plans or other types of documents.

Several medical device quality management system regulations have their requirements harmonized around ISO 9001. Clause 4.1 of ISO 9001:2000 utilizes the term "outsourced processes", however, it is not defined in the vocabulary standard ISO 9000:2005. There are no requirements within ISO 9001:2000 related to outsourced processes beyond what is found in clause 4.1. Clause 7.4 defines purchasing requirements in the terms of "purchased product" and "suppliers", but does not include or reference outsourced processes from clause 4.1. This has led to differing interpretations regarding the controls of outsourced processes as they relate to purchasing controls in clause 7.4 of ISO 9001:2000 and the quality management system requirements for medical device manufacturers derived from this standard.

ISO TC 176, the authoring group of the ISO 9000 series of standards, has published a guidance document intended to clarify ISO 9001:2000 clause 4.1, regarding the control of outsourced processes titled ISO 9000 Introduction and support package: Guidance on outsourced processes.

Clause 2.2 of this document states:

The intent of Clause 4.1 of ISO 9001:2000 is to emphasize that when an organization chooses to outsource (either permanently or temporarily) a process that affects product conformity with requirements (see ISO 9001:2000 clause 7.2.1) it cannot simply ignore this process, nor exclude it from the quality management system.

The organization has to demonstrate that it exercises sufficient control to ensure that this process is performed according to the relevant requirements of ISO 9001:2000, and any other requirements of the organization's quality management system. The nature of this control will depend, among other things, on the importance of the outsourced process, the risk involved, and the competence of the supplier to meet the process requirements.

Outsourced processes will interact with other processes from the organization's quality management system (these other processes may be carried out by the organization itself, or may themselves be outsourced processes). These interactions also need to be managed (see ISO 9001:2000 clause 4.1 [a] and [b]).^{Footnote 1}

Therefore, when a medical device manufacturer chooses to utilize suppliers, the manufacturer should ensure control over any product or service obtained from such suppliers as defined within the quality management system (QMS). The controls may extend further if a supplier subcontracts work.

The remainder of this document will not utilize the term "outsourced processes".

2. Scope

This document provides guidance for medical device manufacturers on the control of products and services obtained from suppliers.

For the purposes of this document, a product or service is one which is purchased or otherwise obtained by the manufacturer. In addition, a supplier is anyone that is independent from the manufacturer's quality management system. This includes a supplier that may be part of the manufacturer's organization but operates under a separate quality management system. For example, if the supplier is not a part of the manufacturer's internal audit scope, then the supplier is under a separate quality management system and is considered an internal supplier.

Corporations or companies that have corporate quality policies and procedures do not necessarily place all divisions or groups under the same quality management system. Therefore, one division or group can be an internal supplier to another division or group within the same corporation/company. Internal suppliers are to be controlled in a similar way as external suppliers are controlled.

Manufacturers are required to define and document the type and extent of controls applied to suppliers and to maintain objective evidence that products and services meet predefined specifications. These documents and records are subject to regulatory evaluation and therefore should be present or readily available at the manufacturer's site. Failure to provide access to or have objective evidence of the controls associated with supplier activities could result in a major noncompliance^{Footnote 2}

This guidance document is also applicable to combination products which are regulated as medical devices. However, regulations may impose additional or differing requirements on suppliers and/or manufacturers of combination products (device/drug, device/tissue, device/biologic, etc.).

3. Definitions

The references to clauses in this section refer to ISO 9000:2005. Medical device specific examples are given in the body of this guidance.

3.1 Supplier (ISO 9000:2005, Clause 3.3.6)

organization (3.3.1) or person that provides a product (3.4.2)

Example: Producer, distributor, retailer or vendor of a product, or provider of a service or information.

Note 1: A supplier can be internal or external to the organization.

Note 2: In a contractual situation a supplier is sometimes called "contractor".

3.2 Product (ISO 9000:2005, Clause 3.4.2)

result of a process (3.4.1)

Note 1: There are four generic product categories, as follows:

• services (for example [e.g.] transport);
• software (e.g. computer program, dictionary);
• hardware (e.g. engine mechanical part);
• processed materials (e.g. lubricant).

Many products comprise elements belonging to different generic product categories. Whether the product is then called service, software, hardware or processed material depends on the dominant element. For example the offered product "automobile" consists of hardware (e.g. tyres), processed materials (e.g. fuel, cooling liquid), software (e.g. engine control software, driver's manual), and service (e.g. operating explanations given by the salesman).

Note 2: Service is the result of at least one activity necessarily performed at the interface between the supplier (3.3.6) and customer (3.3.5) and is generally intangible. Provision of a service can involve, for example, the following:

• an activity performed on a customer-supplied tangible product (e.g. automobile to be repaired);
• an activity performed on a customer-supplied intangible product (e.g. the income statement needed to prepare a tax return);
• the delivery of an intangible product (e.g. the delivery of information in the context of knowledge transmission);
• the creation of ambience for the customer (e.g. in hotels and restaurants).

Software consists of information and is generally intangible and can be in the form of approaches, transactions or procedures (3.4.5).

Hardware is generally tangible and its amount is a countable characteristic (3.5.1). Processed materials are generally tangible and their amount is a continuous characteristic. Hardware and processed materials often are referred to as goods.

Note 3: Quality assurance (3.2.11) is mainly focused on intended product.

3.3 Process (ISO 9000:2005, Clause 3.4.1)

set of interrelated or interacting activities which transforms inputs into outputs

Note 1: Inputs to a process are generally outputs of other processes.

Note 2: Processes in an organization (3.3.1) are generally planned and carried out under controlled conditions to add value.

Note 3: A process where the conformity (3.6.1) of the resulting product (3.4.2) cannot be readily or economically verified is frequently referred to as a "special process".

3.4 Objective evidence (ISO9000:2005, Clause 3.8.1)

data supporting the existence or verity of something

Note: Objective evidence may be obtained through observation, measurement, test, or other means.

3.5 Manufacturer (Global Harmonization Task Force (GHTF) SG1(PD)N055 R6, section 4.1)

"Manufacturer" means any natural or legal person* who designs and/or manufactures a medical device with the intention of making the finished medical device available for use, under his name; whether or not such a medical device is designed and/or manufactured by that person himself or on his behalf by a third party(ies).

(*The term "person" that appears here includes legal entities such as a corporation, a partnership or an association.)

Note 1: This 'natural or legal person' has ultimate responsibility for ensuring compliance with all applicable regulatory requirements for the medical device in the countries or jurisdictions where it is intended to be made available or sold.

Note 2: The manufacturer's responsibilities are described in other GHTF guidance documents. They include a responsibility to ensure pre- and post-market regulatory requirements for a finished medical device are met. This includes adverse event reporting and notification of corrective actions.

Note 3: "Design and/or manufacture", as referred to in the above definition, may include:

1. specification development, production, fabrication, assembly, processing, packaging, repackaging, labelling, relabelling, sterilization, installation, or remanufacturing; and/or
2. assembly, packaging, processing and/or labelling of one or more finished products.

Note 4: Any person who assembles or adapts a device(s) that has already been supplied by another person for an individual patient, in accordance with the instructions for use, is not the manufacturer, provided the assembly or adaptation does not change the intended use of the device(s).

Note 5: Any person who changes the intended use of, or modifies, a finished medical device in a way that may affect safety or performance, without acting on behalf of the original manufacturer and who makes it available for use under his own name, should be considered the manufacturer of the modified medical device.

Note 6: To the extent that an accessory is subject to regulatory requirements of a medical device^{Footnote 3}, the person responsible for the design and/or manufacture of that accessory is deemed to be a manufacturer.

4. General Principles

Within existing regulatory frameworks the term "manufacturer" may be defined differently. However, each regulatory authority ultimately holds one "manufacturer" of medical devices or entity primarily responsible for meeting regulatory quality management system requirements. This "manufacturer" or entity, that has the ultimate responsibility for its quality management system, cannot relinquish (contractually or otherwise) its obligation and responsibility over any or all functions within the quality management system. This means the responsibility for complying with the quality management system requirements cannot be delegated to any supplier of products and services.

Some suppliers may undergo some form of oversight either by a regulatory authority, or a third-party operating on behalf of a regulatory authority (for example contract sterilizers, contract laboratories, pharmaceutical manufacturers, other medical device manufacturers, etc.). This oversight does not relinquish the responsibility of a manufacturer to establish controls and provide evidence for products and services obtained from suppliers.

Regulatory authorities and third parties will inspect/audit a manufacturer to confirm that objective evidence of control over products and services from suppliers is present, or readily available, at the manufacturer's site. Failure to have any evidence on-site, or provide access to any objective evidence of the controls associated with products and services from suppliers could result in the manufacturer's quality management system being non-compliant.

The process of establishing controls for products and services obtained from suppliers typically comprises six phases, which include:

• Planning;
• Selection of potential supplier(s);
• Supplier evaluation and acceptance;
• Finalization of controls;
• Delivery, measurement and monitoring;
• Feedback and communication, including Corrective Action and Preventive Action process.

The diagram below illustrates key activities that a manufacturer would perform, along with examples of the type of objective evidence that could be generated to help demonstrate the manufacturer's control. Some of these activities may be performed in parallel and are not meant to be an all-inclusive list. In addition some of these activities may occur within other QMS processes. For example, planning for supplier control may be part of quality planning. The examples of objective evidence given in the diagram could be subject to regulatory audits only in regard to the safety and effectiveness of the medical device.

After giving consideration to other legal obligations, the manufacturer can terminate the arrangement with the supplier at any time throughout the process.

Figure 1 - Process of establishing controls for products and services obtained from suppliers

4.1 Planning

During the planning and execution of product realization for a new or existing medical device the manufacturer identifies products or services to be obtained from a supplier. A manufacturer's QMS may require products or services from suppliers, such as training, document archiving, etc., that need to be planned for and controlled.

In establishing the controls for product and services obtained from suppliers, it is expected that planning activities initiate the process.  The output of this activity may be in the form of design and development plans, quality plans, purchasing plans, etc., as defined in the manufacturer's QMS. The manufacturer should consider the objectives, risks, requirements, processes and resources and demonstrate that effective controls are in place and regulatory obligations are met.

Planning provides the direction for establishing the extent of controls for product and services obtained from suppliers. These plans are typically documented and approved, as part of the QMS.

4.1.1 Product or service to be obtained from supplier(s)

An outcome of the planning would facilitate the identification of what product or services could be obtained from a supplier.  Such products and services may include components, raw materials, metrology, cleaning or sterilization services, authorized representative, etc.

The following examples may be classified differently according to local regulatory requirements:

Off-the-shelf products:

• Electronic components (resistors, capacitors, power supplies, etc.);
• Mechanical components (screws, washers, helicoils, tubing, etc.);
• Commercial software (operating systems, databases, etc.);
• Computer hardware (laptops, recorders, etc.).

Parts and components made to manufacturer's specifications:

• Mechanical (valves, pumps, pacemaker can, etc.);
• Electrical (detector arrays, electrogardiogram (ECG) cables, circuit board assemblies, etc.);
• Software for specified uses (radiation therapy planning software, planning software for hip implants, etc.);
• Single use (glucose test strips, reagents, enzymes, etc.).

Services obtained from suppliers:

• Sterilization;
• Design;
• Manufacturing (assembly, printing, packaging, labeling, etc.);
• Document archiving;
• Transport / storage;
• Environmental monitoring (e.g. microbial and particle counts for clean rooms);
• Calibration;
• Consultants.

Finished medical device:

• Any final medical device (e.g. own brand labelling);
• Supplied medical device used as component in manufacturer's medical device (X-ray tubes, ECG cables, medical batteries, patient monitors).

Objective evidence may include:

• Identification of the product and services to be obtained. This can be a general description or a specification, if already available.

4.1.2 Technical and process information

Appropriate personnel need to be involved in the development of the necessary technical and process information, which is essential in identifying and evaluating the risk involved with the product or service being obtained (see 4.1.4), as well as with potential suppliers.

Objective evidence may include:

• Product and service requirements/specifications for parts, materials, process, software, environment, testing, etc.;
• QMS process requirements, such as procedures/work instructions for adverse event reporting, QMS auditing, post market data, design, manufacturing, calibration, maintenance, verification activities, etc.

4.1.3 Identification of potential supplier(s)

A manufacturer may wish to identify one or more potential suppliers dependent upon the identified need. Suppliers may be internal or external (see 2).

Objective evidence may include:

• Name(s) and contact information of potential supplier(s).

4.1.4 Identification of risk(s)

As part of the planning activities, the manufacturer should identify the risks associated with the product or services to be obtained.^{Footnote 4}

In the process of identifying risks, consideration may be given to the following. For example:

• Is the part custom built or off-the-shelf?
• How complex is the part to manufacture?
• What is the criticality of the part? (If there was a design failure modes and effects analysis (FMEA) conducted review the severity the item was given if it should fail in the hands of the end user.)
• Does the supplier currently manufacture parts for medical device regulated industry or is this their first?

Information about potential suppliers (such as technical, financial, continuity of supply, etc.) should be used to determine additional potential risks (such as business risks).

Business risks may include giving consideration to items such as:

• Financial viability of the supplier;
• Continuity of supply;
• Liability;
• Amount of work awarded to supplier in view of supplier's overall capacity;
• Capital investment;
• Single source suppliers;
• Supplier company legal status (e.g. licensing).

Objective evidence may include:

• Documented list of the risks identified (although not a regulatory requirement, it is advisable to document business risks).

4.1.5 Identification of controls

The identified risk(s) should be evaluated to determine the type and extent of control(s). These controls should be defined and documented and include any quality requirements. In some instances, it may be necessary for the manufacturer to ensure control beyond the first tier supplier due to the potential effects of changes made by a second or third tier supplier.

The manufacturer should ensure that other relevant regulatory requirements, for example environmental protection legislation, occupational health and safety legislation, Good Laboratory Practices, data privacy, etc., are taken into account when developing controls.

Such controls could include:

• Supplier audits;
• Control of second or further-tier suppliers;
• Testing/Verification;
• Certificates of Analysis / Conformity;
• Formal requirements for the QMS, such as specific certificates (QMS, environmental management, accredited labs, access rights for third party assessment);
• What to measure and how (e.g. parts per million [ppm], Key Performance Indicators);
• Measurement System Analysis (e.g., Gauge R&R, Gauge Correlation Studies);
• Activities to ensure environmental compatibility, electromagnetic compatibility, reliability/reliability forecasts;
• Process capability and Process Capacity;
• Process validations;
• Response times;
• Statistical process control;
• Correction, reworking;
• Inventory control (First-In-First-Out (FIFO), time limit (time target));
• Batch sizes, lot sizes;
• Traceability (Process, product, equipment, operators);
• Change Control (changes to process, parts, procedures, etc. regardless of who initiated);
• Configuration management;
• Protection of intellectual property;
• Protection of patient information;
• Document retention periods;
• Quality system records.

Objective evidence may include:

• List of potential controls as a result of identified risk(s).

4.2 Selection of potential suppliers

When selecting potential suppliers the manufacturer should investigate their business and operational capability, which may include technological capability, to ensure that the supplier can provide the necessary quality, safety, performance and reliability of the products and services.

4.2.1 Supplier business capability

A potential supplier's business conduct, practices, reputation and financial viability may provide useful information about the business capabilities of that supplier.  A potential supplier's business capability could have an important effect on a manufacturer's ability to deliver safe and effective devices. The financial viability of the potential supplier is particularly important especially when a manufacturer intends to enter into a long-term partnership.

The outcome of this type of analysis, coupled with an analysis of the potential risks of the product/service provided, may influence the manufacturer's decision of how to control the products and services obtained from suppliers.

4.2.2 Supplier operational capability

The operational capability should be investigated to determine whether the supplier is able or willing to adapt and respond to performance indicators required by the manufacturer, such as lead times, on-time delivery, response time, etc. The scope of the investigation may include the supplier's past performance, experience, expertise, and human resources.

Investigation of the supplier's technological capability should include the assessment of the supplier's ability to meet the manufacturer's product and/or service specifications. Things to consider may include the adequacy of manufacturing processes or equipment, information technology, system infrastructure, engineering resources, etc.

Objective evidence may include:

• The manufacturer's assessment of the supplier's resources (e.g. facilities, personnel, infrastructure), current product/service portfolio.
• Documentation and records provided by the supplier, such as environmental control records, equipment maintenance programs, calibration records, qualification records of appropriate personnel, process validation records, capacity planning, certificates, etc.

4.2.3 Selection of potential supplier

The manufacturer should select potential suppliers according to predefined criteria and the results of capability investigations.

Objective evidence may include:

• Documentation of potential suppliers;
• Selection criteria and decision rationale.

4.3 Supplier evaluation and acceptance

This section provides guidance on the process by which the manufacturer evaluates that the selected potential supplier (see section 4.2 above) is actually capable of supplying product or service in accordance with the manufacturer's requirements.

The extent of evaluation and acceptance activity performed should be in proportion to the identified risk (see 4.1.4) of the procured product, and/or services, on the safety and effectiveness/performance of the final product.

Generally the processes in this section are constructed in the following steps:

• Planning for evaluation and selection criteria;
• Communication with potential supplier and refinement of the requirements;
• Evaluation of the potential supplier's ability to meet selection criteria;
• Acceptance of the supplier.

4.3.1 Planning for evaluation and selection criteria

The manufacturer should initiate planning to define criteria for the evaluation and selection to reduce the number of potential suppliers to acceptable suppliers.

Evaluation of the supplier's competencies and capability to fulfill the manufacturer's requirements is to be performed against a defined set of selection criteria based on:

• the product/service to be purchased;
• its intended use;
• and the effect the purchased product/service might have on the subsequent product realization or the final product.

The manufacturer should consider a combination of factors during the evaluation, depending on the risk and potential effect on device quality of the product or service. Such factors may include:

• Technology used;
• Off the shelf (OTS) product;
• Product/service based on specifications provided by the manufacturer;
• History with the particular supplier;
• Certification (for example ISO 13485, ISO 9001).

Certification may play a role in evaluating suppliers but manufacturers should be cautioned against relying solely on certification as evidence that suppliers have the capability to provide quality products or services.

4.3.2 Communicate with potential suppliers

To assist in the evaluation of the potential supplier certain information or data should be exchanged with the potential supplier.

The manufacturer is responsible for communicating the specified criteria. In addition the manufacturer may request data and/or a specific product (e.g. first article, first lot, prototypes) in order for the potential supplier to demonstrate their ability to fulfill the specified requirements.

The relevant information gathered and compiled should be communicated throughout and should be considered when defining initial supplier arrangements. A confirmation by the supplier should be kept.

4.3.3 Evaluation of potential supplier's ability to meet selection criteria

The evaluation by the manufacturer of the selected potential supplier should be based on the potential supplier demonstrating their ability to meet the defined selection criteria.

Commensurate with the degree of risk, (see 4.1.4) the demonstration may include but not be limited to evaluating first article(s), first lot(s) or prototype(s), auditing a supplier, data from other organizations or any combination of the foregoing. Where appropriate, valid statistical techniques should be employed.

4.3.4 Supplier acceptance

If a potential supplier is found to be acceptable then the manufacturer should document the acceptance decision, e.g. by inclusion of the supplier into a documented approved suppliers list. Additionally the records of the results of the evaluations should be retained.

If a potential supplier does not meet one or more of the defined criteria, either

• a plan for supplier development and a re-evaluation may be set up; or
• the next supplier in a potential supplier list may be evaluated; or
• a completely new supplier selection may be initiated.

For example, a potential supplier of electronic circuit boards is required to provide circuit boards at a certain cleanliness level (minimizing reactive residues) to avoid reliability and performance issues associated with residue remaining from the soldering process. To do so, the supplier subjects circuit boards to a standard aqueous wash and monitors ionic contamination of the cleaning solution as an indirect indicator of board cleanliness. Upon receipt and testing of the first lot of circuit boards by the manufacturer, some boards fail certain tests. The manufacturer traces this back to reactive residue on the boards. The manufacturer and the supplier jointly investigate this issue and determine that the ionic contamination of the cleaning solution is well within its specifications. Both conclude that this indirect determination of board cleanliness is inadequate, and the supplier agrees to perform cleanliness tests in those areas of the circuit boards that are particularly sensitive and prone to performance issues caused by reactive residues. Those boards that fail this test will be subjected to an additional cleaning process. The originally failed boards which were subjected to this process, are required to pass the subsequent testing. The outcome of these actions should result in permanent implementation of this additional test and cleaning process and the supplier can be deemed acceptable.

If a single source supplier does not meet one or more of the defined criteria, the manufacturer does not have the option of selecting a different potential supplier. In this case, additional communication should ensue to determine if the single source supplier is able or willing to satisfy the specified requirements. If the single source supplier is not willing or able to adjust, the manufacturer should add supplemental controls within his quality management system in order to ensure the design specifications are met. It may be necessary to go back to the design and development process if these supplemental controls cannot be added by the manufacturer.

Records of the results of the evaluations and any necessary actions arising from the evaluation shall be maintained (ISO 13485:2003, Clause 7.4.1).

Objective evidence for the evaluation and acceptance phase can be provided through:

• Documented evaluation and selection criteria;
• Documented initial agreement(s);
• Documents and records;
• Documented decision and rationale.

Although not a regulatory requirement, it is good business practice to retain information about suppliers which have not been able to demonstrate their ability to meet the acceptance criteria.

4.4 Finalization of Controls

This section provides guidance for the finalization of the controls that are mutually agreed upon by the manufacturer and the supplier. Determining the extent and degree of controls, as well as defining clear lines of responsibilities, should be defined by the manufacturer.

As a result of the supplier evaluation and acceptance, the controls need to be finalized as previously defined in the planning process (see 4.1.5).

When the risk dictates, defined controls around second or further-tier suppliers may be needed. For example, a manufacturer is buying a sterile product as a component for a kit, where the kit will also be sterilized. The supplier of the sterile product utilized a contract sterilizer. In this case the manufacturer may need to conduct audits, or review validation records, of this sub-tier sterilization supplier. The manufacturer should determine if the second sterilization of the supplied sterile product will have any adverse effect on safety and effectiveness of the medical device. Consideration would need to be given to the supplied product and its properties to ensure that the two (possibly different) sterilization processes will not degrade or adversely affect safety and effectiveness of the medical device or any specified requirements of the supplied product. The finished device manufacturer is responsible for the kit with all of its components and should ensure that such validation information would be readily accessible to demonstrate the effects and suitability of all the sterilization processes.

The manufacturer should agree with the supplier on their individual responsibilities and deliverables. While the manufacturer is responsible for the medical device, the supplier also has certain obligations such as exchange of information. However the manufacturer cannot delegate any responsibility for the medical device to the supplier.

Regulatory requirements call for processes to be validated where the resulting output cannot be verified by subsequent monitoring or measurement. Regardless of who actually performs the process validation it is the manufacturers responsibility to ensure that the validation is properly performed.^{Footnote 5} The manufacturer will need to demonstrate that the associated documents and records have been reviewed and accepted by the manufacturer.

The manufacturer and the supplier should have an agreed upon process for evaluating any changes to a validated process and for determining when re-validation should be performed and documented. This needs to be captured in the agreement between the manufacturer and the supplier.

The list below shows other typical areas that should be considered for finalizing the agreement between the manufacturer and its supplier.

• Acceptance and verification activities;
• Complaint handling;
• Root cause analysis;
• Corrective action and preventive action;
• Product risk management;
• Design;
• Labelling/traceability requirements;
• Technical documentation (of the supply);
• Handling of non-conformities;
• Change control requirements;
• Creation and retention of documents and records;
• Supplier audits;
• Product recall;
• Periodic evaluation or re-evaluation (supplier's product, service and/or data).

The controls and responsibilities are typically documented in contractual arrangements, purchasing orders, interface agreements, etc. Irrespective of their title it is the content of such agreements which is essential.

In the situation of internal suppliers there may not be contractual arrangements or purchase orders. However, some type of formal arrangement (interface agreements) needs to be defined. Standardized processes for these arrangements may be of benefit to the manufacturer, especially in order to ensure coverage of all relevant regulatory and legal requirements.

From the assurances obtained from the supplier evaluation and finalized controls, responsibilities, and interfaces, the manufacturer should determine the acceptance activities to be performed. The combination of the purchasing controls and the acceptance activities need to be directly related to the risk of product/service.

Objective evidence may include:

• Contracts, purchase orders, interface agreements etc.;
• Acceptance procedures; purchasing requirements;
• Specifications and requirements;
• Records of review and acceptance.

At the end of this phase the necessary arrangements with the accepted supplier are established and controls are in place.

4.5 Delivery, measurement and monitoring

In this phase the accepted supplier will deliver products/service according to the agreed arrangements and these products will be used by the manufacturer in the product realization process. Within the product realization process the manufacturer will establish checkpoints to monitor the supplier's performance to ensure that customer and regulatory requirements continue to be met. Typically these activities consist of:

• Receiving product/service;
• Carrying out acceptance activities (e.g. inspection or test, review certificates of conformity/analysis);
• Conducting measurement and monitoring;
• Analyzing data using valid statistical techniques.

These activities can identify problems with the supplied product/service as well as supplier problems associated with adherence to the supplier arrangements.

If a problem is within the product realization process or related processes, (see Figure 1) the manufacturer should initiate a correction and if appropriate a corrective action and/or preventive action.

Depending on the risk of the supplied product/service, the manufacturer may plan and perform periodic supplier re-evaluations, regardless of whether problems have been identified. The purpose of this re-evaluation is to assess the supplier's ability (process and output) over time to continue to meet specified product/service requirements as agreed (see 4.4).

Objective evidence may include:

• Receiving, inspection, acceptance records;
• Records of results of any corrections.

4.6 Feedback and communication

Provisions should be in place for the manufacturer to inform the supplier of whether the manufacturer's expectations are being met. Feedback should be both positive and negative. The manufacturer should ensure that there are effective lines of communication open to both parties to discuss problems/complaints or other matters. It is important that trust be developed between parties so that any problems can be resolved quickly in a cooperative way.

When problems are identified and corrected there should be a determination as to whether feedback for a successful correction is necessary, or whether feedback is given on an ongoing basis.

If a corrective action or preventive action (CAPA) is initiated to a supplier, additional feedback and communication may be necessary. As part of this action, the manufacturer may need to re-evaluate the continued suitability of the supplier.

Depending on the nature of the procured product/service, portions of the activities that are to be performed under CAPA may be delegated by the manufacturer to the supplier. The combined CAPA related activities of both the manufacturer and the supplier must satisfy the requirements of applicable regulations and standards.

While some of the CAPA activities may be delegated to a supplier, the overall responsibility for these activities resides with the manufacturer. CAPA related decisions and effectiveness checks reside with the manufacturer and cannot be delegated. If CAPA activities are delegated to suppliers, the manufacturer needs to ensure that:

• Provisions for CAPA related activities performed by suppliers are defined in the manufacturer's QMS.
• Based on the products provided by a supplier, all CAPA specific activities to be performed and data/information to be provided by that supplier are identified (e.g. related to the extent of control necessary at the supplier).
• The supplier's obligations related to CAPA activities are communicated to the supplier and clearly defined in a contractual agreement (e.g. in the contract itself or a quality assurance agreement).
• The supplier fulfils his contractual obligations in relation to the CAPA activities (e.g. timely processing of corrections).
• Documentation and records related to a supplier's CAPA activities are controlled and readily available.

If a supplier is not able to fulfill the CAPA activities as defined in the supplier arrangement, the manufacturer must take adequate activities to correct the identified problems. Those activities may include training for the supplier, redefining the responsibilities for CAPA activities, allocation of resources to the supplier, or, if the necessary improvements cannot be achieved, the change to another supplier.

The manufacturer must be able to show through objective evidence that the overall CAPA process is implemented and effective.

Objective evidence may include:

• Manufacturer and/or supplier correspondence;
• Documentation and records of corrective action and preventive action process.