Regulatory Open Forum

This message was posted by a user wishing to remain anonymous

Hi All,

I'm curious if anyone has used an alternate approach to on-site supplier audits for high risk suppliers. Although the manufacturer is responsible for having procedures in place for purchasing controls and supplier evaluations, higher risk suppliers may not require on-site audits if that's not what your procedures state. There may be a difference between this requirement for EU vs. US, but this question is aimed at US FDA purchasing control regulations only. On-site audits may be the easiest method to evaluate a high risk suppliers, but requires more resources. Are there other methods to evaluate high risk suppliers differently than low risk suppliers besides an on-site audit?

Thanks

​HI all.

Please take this with the following caveat grain of salt - I have not done supplier audit probably in about 15 years.  However, I would think that alternatives to on-site options can be found.  A couple that come to mind include:

1. You could theoretically use other certifications/audits as an option.  In doing so I would request full reports from the supplier of the audit results and any and all corrective actions taken in response to the audit results as well as proof that the actions have been completed.

2. You could work through an outside third party to get audits of these suppliers completed.  Again, you would need to work with both the supplier and the third party to manage the audit process and the supplier should know that you are going to be privy to any and all results and proposed corrections and proof of completion when the auditor arrives.

3. You could request information or proof of meeting an industry-wide standard that must be documentable and reviewed by you.  This is obviously the least (read absolute minimum) level of audit that you could perform basically requiring the supplier to specify exactly what standard is being met and exactly how they meet it.

Please note that I don't know that any of these individually would be acceptable to FDA during inspection.  These are just some initial thoughts on how you might be able to mitigate the internal resource needs by managing the process a little differently.  FDA obviously has requirements out there for a reason but I have also found them to be reasonable scientifically-motivated individuals who are not averse to the use of methods other than direct supplier over-sight.  I will warn you that some inspectors may not accept these options even with perfectly defensible justification from the company and that you might end up with a 483 and a need to argue your case to a higher authority than the inspection team itself.  But there could be some instances (especially 1 and 2 above) where you could avoid the costs and resource drain of getting a person or a team to the supplier in order to complete an on-site audit.  Just be ready scientifically to defend any decision to not personally audit a high risk supplier and materials used to both the inspection team and potentially the higher levels of FDA.

------------------------------
Victor Mencarelli
Director Regulatory Affairs
United States
------------------------------

Original Message:
Sent: 10-Sep-2018 12:46
From: Anonymous Member
Subject: Supplier Audits

This message was posted by a user wishing to remain anonymous

Hi All,

I'm curious if anyone has used an alternate approach to on-site supplier audits for high risk suppliers. Although the manufacturer is responsible for having procedures in place for purchasing controls and supplier evaluations, higher risk suppliers may not require on-site audits if that's not what your procedures state. There may be a difference between this requirement for EU vs. US, but this question is aimed at US FDA purchasing control regulations only. On-site audits may be the easiest method to evaluate a high risk suppliers, but requires more resources. Are there other methods to evaluate high risk suppliers differently than low risk suppliers besides an on-site audit?

Thanks

I think Victor's response was outstanding.  He gave some good options that I would not have thought of if someone were to pose that question to me.

A couple thoughts I might add invoke "it depends" on the level of risk (obviously somewhat high in this case).  Your company will need to think through the justification as Victor mentions, using a risk-based approach.  One measure I tend to use is vague but tangible that can help with ultimate motivation: "what if it were my daughter that needed to have the product used on her and it were to malfunction due to that supplier's error."  Another measure is the amount of history you may already have with the supplier.  If they (in some setting) have been very reliable and provided evidence of consistently meeting requirements, then such historical data should factor into the justification.  These are consistent with ISO 13485, but maybe something to which you can easily relate.

As with the strength of this Forum, others might be able to amplify on these responses with great thoughts of their own.

------------------------------
Rem Siekmann MBA, ASQ CBA
Senior Principal Engineer
Bellaire MI
United States
------------------------------

Original Message:
Sent: 10-Sep-2018 16:55
From: Victor Mencarelli
Subject: Supplier Audits

​HI all.

Please take this with the following caveat grain of salt - I have not done supplier audit probably in about 15 years.  However, I would think that alternatives to on-site options can be found.  A couple that come to mind include:

1. You could theoretically use other certifications/audits as an option.  In doing so I would request full reports from the supplier of the audit results and any and all corrective actions taken in response to the audit results as well as proof that the actions have been completed.

2. You could work through an outside third party to get audits of these suppliers completed.  Again, you would need to work with both the supplier and the third party to manage the audit process and the supplier should know that you are going to be privy to any and all results and proposed corrections and proof of completion when the auditor arrives.

3. You could request information or proof of meeting an industry-wide standard that must be documentable and reviewed by you.  This is obviously the least (read absolute minimum) level of audit that you could perform basically requiring the supplier to specify exactly what standard is being met and exactly how they meet it.

Please note that I don't know that any of these individually would be acceptable to FDA during inspection.  These are just some initial thoughts on how you might be able to mitigate the internal resource needs by managing the process a little differently.  FDA obviously has requirements out there for a reason but I have also found them to be reasonable scientifically-motivated individuals who are not averse to the use of methods other than direct supplier over-sight.  I will warn you that some inspectors may not accept these options even with perfectly defensible justification from the company and that you might end up with a 483 and a need to argue your case to a higher authority than the inspection team itself.  But there could be some instances (especially 1 and 2 above) where you could avoid the costs and resource drain of getting a person or a team to the supplier in order to complete an on-site audit.  Just be ready scientifically to defend any decision to not personally audit a high risk supplier and materials used to both the inspection team and potentially the higher levels of FDA.

------------------------------
Victor Mencarelli
Director Regulatory Affairs
United States

Original Message:
Sent: 10-Sep-2018 12:46
From: Anonymous Member
Subject: Supplier Audits

This message was posted by a user wishing to remain anonymous

Hi All,

I'm curious if anyone has used an alternate approach to on-site supplier audits for high risk suppliers. Although the manufacturer is responsible for having procedures in place for purchasing controls and supplier evaluations, higher risk suppliers may not require on-site audits if that's not what your procedures state. There may be a difference between this requirement for EU vs. US, but this question is aimed at US FDA purchasing control regulations only. On-site audits may be the easiest method to evaluate a high risk suppliers, but requires more resources. Are there other methods to evaluate high risk suppliers differently than low risk suppliers besides an on-site audit?

Thanks

I think the on site audit for high risk  MD is the best way, I don´t recommend no other option .

Based upon EU rules (MDD)  the EU  Notified Bodies can may perform unannounced audit at the  suppliers premises as well.

------------------------------
Evangelos Tavandzis
Praha
Czech Republic
------------------------------

Original Message:
Sent: 10-Sep-2018 12:46
From: Anonymous Member
Subject: Supplier Audits

This message was posted by a user wishing to remain anonymous

Hi All,

I'm curious if anyone has used an alternate approach to on-site supplier audits for high risk suppliers. Although the manufacturer is responsible for having procedures in place for purchasing controls and supplier evaluations, higher risk suppliers may not require on-site audits if that's not what your procedures state. There may be a difference between this requirement for EU vs. US, but this question is aimed at US FDA purchasing control regulations only. On-site audits may be the easiest method to evaluate a high risk suppliers, but requires more resources. Are there other methods to evaluate high risk suppliers differently than low risk suppliers besides an on-site audit?

Thanks

Hello,

I agree with Victor on the approach to alternatives beyond yourself going out to visit a supplier that is considered a higher risk supplier for your organisation.

- Require them to have certification to ISO 13485:2016 by an accredited Registrar - this may not be ideal because this is a general QMS audit and not specific to your product or processes
- Have a consulting company (third party) conduct the supplier audit for you - this does have a cost though will not take your time away from the office
- Conduct a remote audit such as a desktop audit reviewing their documentation and records - this may not be ideal especially if they are doing manufacturing with special processes or key processes or making a finished medical device for you (Contract Manufacturer)
- Have them conduct a "self-audit" by completing a questionnaire that you have (this is a type of remote audit that they complete and then you review) or request records of their own internal audits - you would have to "trust" them on the information 

You can always not perform audits of your crucial (higher risk) suppliers with a documented rationale.  However, an FDA investigator or Notified Body auditor may decide that is not sufficient control and they will go audit/inspect your supplier for you (with a Notified Body at your expense as well).

------------------------------
Richard Vincins RAC
Vice President Global Regulatory Affairs
------------------------------

Original Message:
Sent: 11-Sep-2018 01:58
From: Evangelos Tavandzis
Subject: Supplier Audits

I think the on site audit for high risk  MD is the best way, I don´t recommend no other option .

Based upon EU rules (MDD)  the EU  Notified Bodies can may perform unannounced audit at the  suppliers premises as well.

------------------------------
Evangelos Tavandzis
Praha
Czech Republic

Original Message:
Sent: 10-Sep-2018 12:46
From: Anonymous Member
Subject: Supplier Audits

This message was posted by a user wishing to remain anonymous

Hi All,

I'm curious if anyone has used an alternate approach to on-site supplier audits for high risk suppliers. Although the manufacturer is responsible for having procedures in place for purchasing controls and supplier evaluations, higher risk suppliers may not require on-site audits if that's not what your procedures state. There may be a difference between this requirement for EU vs. US, but this question is aimed at US FDA purchasing control regulations only. On-site audits may be the easiest method to evaluate a high risk suppliers, but requires more resources. Are there other methods to evaluate high risk suppliers differently than low risk suppliers besides an on-site audit?

Thanks