The dilemma of vendor qualification
As part of the design qualification process, the vendor should be qualified: The question is, how should this be done ? Is an established and documented quality system enough, e.g., ISO 9001? Should there be a direct audit ? Is there another alternative between these two extremes ?
It is my feeling that this point is frequently heatedly discussed by consultants. I have listened to a presentation at an international symposium for clinical laboratories where a consultant referred to an FDA 483 warning letter that was issued because of missing vendor qualification. It may be true, that such warning letters have been issued, but we have never experienced a similar letter concerning off-the-shelf analytical systems. There may be situations where a vendor audit is recommended: for example, when complex computer systems are being developed for a specific user. However, this is rarely the case for analytical equipment. Typically, off-the-shelf systems are purchased from a vendor with no or little customization for specific users.
In most cases it is a also a question of confidence between the vendor and the user’s firm. Unfortunately, confidence is not taken into account in arguments with FDAs. So how should one proceed? The exact procedure depends very much on the individual situation; for example, is the system in mind employing mature or new technology? Is the specific system in widespread use either within your own laboratory or your company, or are there references in the same industry? Does the system include complex computer hardware and software? For example, if the equipment does not include a computer system, a good reputation, own experiences or good references from other users together with ISO 9001 certification, can be sufficient.
When the equipment to be purchased is an off-the-shelf commercial system that includes a computer for instrument control and data handling, we recommend following the steps described in table 3, in so far as there is no previous experience with this vendor in your company. [LIST=1]
- Does the vendor have a documented and certified quality system, e.g., ISO 9001 (please note: ISO 9002 or 9003 is insufficient because they don’t cover development!)?
- For products that include software: does the vendor comply with ISO 9000-3 (Guidelines for the application of ISO 9001 to the development, supply and maintenance of software) or an equivalent standard or guide?
- Is equipment hardware and computer software developed and validated according to a documented procedure, e.g., according to a product life cycle?
- Is the vendor prepared to make product development and validation records and source code accessible to regulatory agencies ?
- Does the vendor provide declaration of conformity to documented specifications ?
- Does the vendor provide assistance in design qualification, equipment installation, qualification, maintenance and timely repair through qualified people?
- Is there a customer feedback and response system in case the user reports a problem or enhancement request?
- Is there a change control system with suitable notification of users after the changes?