Q: When we audit suppliers for design control, what’s the best approach for doing the audits? And what main documents should we review?
A: To audit a third-party design facility, first ensure it’s registered with the FDA and has a Quality System in place. For design, you want to make sure it has design control procedures that comply with the Quality System Regulation (21 CFR Part 820).
Your supplier’s procedures should include design planning, design inputs, design outputs (including procedures on how to identify and document outputs essential for the proper functioning of the device), design verification and validation, design transfer, design reviews, and design changes — both during the design process and after the design has been released for commercial production.
If you’re maintaining the Design History File (DHF), then you need to audit suppliers to ensure they maintained control over document revisions and have provided you with all of the documentation, not just the final documents. If, on the other hand, your supplier is maintaining the DHF, then you need to ensure the DHF is for the actual device, not just a design project, and that the supplier has all document revisions.
Ensure the plan included who was involved in design and that their roles were documented.
If the supplier is using your design procedures — instead of its own — make sure it has followed your procedures. Review the design plan and ensure it’s been reviewed and approved prior to the start of design, then was updated as the design plans changed. Ensure the plan included who specifically was involved in design and that their roles were documented. Ensure the plan documented when design reviews were to occur; then check to see those reviews actually happened and were documented.
Otherwise, the same Design Control rules apply as always. When you audit suppliers, your audit should confirm that:
– Design reviews included an independent reviewer and the supplier documented who the reviewer was.
– There is documentation of any corrections or changes to the design and those corrections/changes were re-verified and re-validated as appropriate.
– Design verification and validation activities are documented, reviewed and approved. For any testing performed, make sure there is objective data, not merely pass/fail results.
– Design was correctly transferred to manufacturing.
– Suppliers are qualified; all processes that need validating are indeed validated; all tools are qualified, and all process and product risk assessments are documented.
– Databases are appropriately updated.
– Employees (in production, quality, customer service, sales, service, etc.) are trained.
– Workmanship examples are in place for visual inspection at incoming, in-process and finished product stages.
– Acceptance activities are documented with statistically-based criteria and pass/fail criteria.
– There are documented initial design inputs.
– Input/output requirements specifications are documented and verified, and all the final design output specifications in the Device Master Record (DMR) are traceable back to the initial design inputs and the associated verification and validation activities and results.
– All risk mitigations have been implemented in design (including packaging and labeling) or manufacturing.
– Changes are appropriately documented, verified and validated.
Finally, for suppliers who are software developers, ensure they are following an appropriate life-cycle approach and have configuration management, security and control over their software tools and upgrades.
Answered by Denise Dion, EduQuest VP of Regulatory and Quality Services, 18 years as an FDA investigator and co-developer of FDA’s Quality Systems Inspection Technique (QSIT), and lead instructor of EduQuest’s Design Control for Medical Devices Training Class.