Control of COTS (Commercial Off The Shelf) Specifications


Involved In Discussions
We are a small medical device manufacturer, with a quality system operating primarily under ISO 13485 with future plans to operate under FDA quality requirements. We are using a paper document control system and have historically approved a separate specification document for every component or material used in a product. Recently, however, we have considered the possibility that there are many cases where this creation of separate approved documents might be overkill.

In particular, the details regarding the components on a PCB, or raw materials used on a molded, cut or machined part, are often only actually used in practice to the extent that the make and model are communicated to the CM as inputs to the process of creating the PCB assembly or custom part. The proposal we are entertaining is that the make and model can simply be defined on the drawing or BOM of the assembly where it is used (in cases where that is sufficient information), so that the parent assembly is the only controlled specification document.
  • Do you feel that this is adequate to meet ISO 13485 and FDA requirements (assuming a company policy exists to verify that the correct product is received)? Is it perhaps already an accepted practice?
  • If this approach is used where the CM manages purchasing and receiving, does the parent assembly specification (or contract?) need to require that the CM verify the input components and materials on receiving inspection? Or would that only apply if the CM isn't itself certified to 13485 or 9001?

Appreciate your thoughts on the matter. Thanks.


Super Moderator
Another apology for not responding to this sooner.

The 'manufacturer of record' is always ultimately responsible for ensuring all regulatory requirements are met. If some are flowed down to a CM, it's your responsibility to ensure they are complying.

FDA lays out purchasing data requirements in 820.50(b) and it's spelled out in much more detail in 13485 in 7.4.2 and 7.4.3. In 13485, there is certainly the concept of documentation commensurate with the risk. And what you describe (verifying the correct product is received is, I believe, generally the case for such commercial components. The CM needs to confirm the part meets the spec (typically in a BOM rather than a drawing) and then provide whatever traceability is required.


Involved In Discussions
Thank you yodon. When I reviewed the regulations I came away with the impression that if a part is specified only on the BOM of a parent assembly, then this satisfies the regulations if:
a) the entry on the controlled BOM of the parent assembly is sufficient to inform receive inspection, and
b) measures are in place to ensure that receiving inspection is conducted against the controlled BOM of the parent assembly (whether that's in-house or at a CM).

So my concern is primarily from lack of experience, having only ever worked at companies where every individual part is controlled as its own separate specification document. By abandoning that, I just want to make sure we aren't straying into some sort of unprecedented territory that will raise eyebrows.
Top Bottom