Expert: How to Build a Strong Supplier Auditing Program

Over the past few years, poor supplier controls remain one of the top five FDA citations for device manufacturers.

Although the agency allows quite a bit of flexibility on how companies manage their suppliers, devicemakers should conduct an internal risk assessment to define what their supplier controls should look like within their companies.

First, companies need to define their company profile and set goals accordingly, said David Parkin, group lead for Philips Healthcare, during a recent FDAnews webinar.

The first step in setting goals is to create a supplier-focused team and perform site-level audits. Audits include quality management system-type audits, as well as process and technical- focused audits.

Companies should first look at their high-profile suppliers, and then assess the risk of all their suppliers and components, identifying sole-source over single-source suppliers.

Suppliers fall into critical, major and minor categories when it comes to risk. Critical suppliers — those that could have an immediate effect on patients — get annual site audits. Major suppliers would get audited every two years, and minor suppliers should get surveyed every three years or so.

To Certify or Not to Certify?

The supplier inspection should include data monitoring activities. The supplier has data that is valuable to the device manufacturer, and the supplier should be willing to share that data.

Parkin suggests using a portal where a supplier enters lot data when product is ready to go. The portal would then tell the supplier whether or not the lot can ship or not, depending on the upper or lower control limits and tolerance built into the system.

“A lot of people have heartburn about just letting the supplier have control,” Parkin said. “But if you’ve done your homework upfront, you know what the supplier is capable of doing, and you know how they can manage that and provide you data that will benefit you, as well.”

Overall, the “charter is to drive goals and expectations of our parts that come in, and we expect a certain quality and a certain type of reliability in that they’ve used the materials properly and they’ve made them right,” he stressed.

To push suppliers toward certification, he suggests reassessing the critical-to-quality requirements and how that relates to risk, and then dovetail those suppliers right into the Failure Modes and Effects Analysis (FMEA) work.

Audits are a good indicator to ensure that suppliers have a process to monitor their own data and that they’re reporting that data properly.

The audit should also include business reviews, including quality agreements and supply agreements. Make the business review count, so that it’s a two-way discussion, he said, stressing that working with suppliers is about managing long-term business relationships. Devicemakers should focus on their key suppliers and stay in contact with them frequently.

“As quality individuals we’re looking at the quality aspects and patient harm to drive some of the decisions we make,” Parkin said.

For quality agreements, companies should focus on answering questions about what happens when things go wrong. The biggest obstacle with quality agreements is that companies usually try to put in too much detail, and by the time they sign off on them, they’re already out of date.

Similarly, supply agreements start to get too big once legal and other entities get involved. Supply agreements should focus on the inventory logistics and pricing, as well as forecasting. — Tamra Sami