Effective Supplier Management for Medical Devices (ISO 13485 7.4.1)

All medical devices start from somewhere, and that somewhere is usually supplied by an outside organization. For medical device companies, the quality and safety of their devices are essential, which means that they must guarantee that high-quality products and services are coming in their door. The first step in ensuring they are provided quality materials is having a rock-solid supplier management process.

Many medical device companies have difficulty with supplier management, and for good reason. If the supplier management process is too lenient, it can lead to bad finished products, complaints, and worse. But, if the supplier management process is too intense, it will become watered down and convoluted, resulting in constant struggle and continuous audit findings from massive paperwork requirements.

Your supplier management process needs to be right-sized for your company to ensure that it maintains good relationships with suppliers and is constantly provided with high-quality products and services. We’ll break down the requirements of ISO 13485 section 7.4.1 and help you construct a powerful and effective supplier management process for your company.

The Why

If a company wants to make a high-quality product, it must be supplied with high-quality materials. Effective supplier management is a great tool for ensuring an organization works with companies committed to the quality of what they produce.

Many people see supplier management as a massive undertaking that costs a company lots of time and money to implement, but this is backward. The expense of a recall resulting from a supplier concern costs much more than creating a worthwhile supplier management process.

Furthermore, if a medical device company wants to 100% inspect all of the material it receives, it can have minimal supplier controls. But I don’t recommend this approach.

The purpose of supplier management is to save time and money by building trusted relationships with talented suppliers.

Supplier Qualification and the ASL

Note: ISO 13485 does not have a section with “suppliers” in the title and instead includes requirements in section 7.4 on Purchasing. This article covers section 7.4.1 titled Purchasing Process which is not about the full purchasing process but focuses on supplier selection, qualification, and monitoring.

Approved Supplier List

The first step in your supplier management process involves the evaluation and selection of suppliers. You need to know if the supplier provides the type of material you need, what their quality system looks like, and if they can supply the quantities to meet your company’s demand.

The goal of this evaluation is to determine if the supplier meets your requirements and can be added to your Approved Supplier List (ASL). Nothing related to final product quality should be purchased from suppliers that are not on your ASL, as this puts you at serious risk of bad quality products, audit findings, and regulatory consequences. 

(The one exception is contracting an initial pilot build or first article with a company that is not on your ASL to see if they meet your specifications and can be added to the ASL. However, the purchased materials should never be used on final products.)

Your ASL will be your guiding document for suppliers. It will determine which companies Purchasing is allowed to order from and will be one of the first things an auditor looks at regarding your supplier management process.

It must be up-to-date and accurate, and many different QMS software packages can help you manage your ASL. However, you can also have an ASL in a Word or Excel file that includes the relevant information. If you go this route, the ASL must be a controlled document within your document control system.

What type of information needs to be included in an ASL?

There are no specific requirements for what needs to be on a company’s ASL. In its most simple form, it could simply list company names and risk levels (discussed below). Depending on the software used, an ASL could also function more like an index that includes company names and links to more information about the company.

However, if you are building an ASL from scratch, here is the type of information that is commonly included:

  • Supplier name
  • Contact information (either a quality or distribution contact)
  • Goods/services that are approved to be provided by the company
  • Supplier approval and re-evaluation date
  • Supplier classification or risk level
  • Supplier status
  • Links or references to supplier-related documents

What types of suppliers need to be on your ASL?

The short answer is a supplier that provides any material or service that affects the quality of your product or your quality management system. The longer answer depends on the specific needs of your organization and the type of medical device it is producing. 

Some companies might not seem like suppliers at first, but notified bodies and regulatory agencies will tell you they are suppliers. One example is distributors, especially if they are distributing products that can only be purchased by physicians. For this reason, these companies should also be added to your ASL.

Consultants also need to be added to your ASL depending on the type of service they are providing. Examples include consultants conducting internal audits at your organization or aiding in the creation of 510(k) submissions.

Here are the types of suppliers that may need to be included in your ASL. Remember, however, that this list is not comprehensive, and it depends on the needs of your organization:

  • Contract Manufacturers
  • Original Equipment Manufacturers (OEMs)
  • Raw material suppliers
  • Device component suppliers (both custom and off-the-shelf)
  • Contract sterilization services
  • Software companies that supply software related to your device
  • Software companies that affect your QMS (such as an eQMS provider)
  • Calibration and testing services
  • Design and development services
  • Consultants/contractors
  • Distributors
  • Packaging suppliers

Who doesn’t need to be on your ASL? 

There are some obvious answers, like companies that supply toilet paper, snacks, or anything else that does not affect product quality. This list can also include companies supporting your organization with accounting, marketing, general IT, and other services. Ultimately, it is up to you to determine which suppliers are appropriate to not include on your ASL.

Supplier Risk Classifications

Before you start qualifying suppliers for your supplier management process, you need to have criteria in place for determining whether a supplier can be added to your ASL. 

Because you are in the medical device industry, your qualification criteria should be based on the risk the purchased component or service has on the safety and performance of your products. It does not make sense to audit every single supplier or only receive a supplier survey from a contract manufacturer.

Additionally, the risk can be affected by the ability to verify the purchased product or service. Sterilization suppliers are usually considered high-risk because it is not feasible to verify the output of their service.

It is typical to start by breaking suppliers into classifications or tiers based on the product’s impact on device safety. You need to have enough levels to meaningfully distinguish different types of suppliers, but not so many that it creates confusion.

We’ll start with three classes of suppliers, which is common in the industry. 

  • Class A Supplier (High Risk): Contract manufacturers and sterilizers.
  • Class B Supplier (Medium Risk): Supplier of custom components for the device(s), internal packaging, and off-the-shelf products that have a significant impact on the device(s).
  • Class C Supplier (Low Risk): Supplier of off-the-shelf products, calibration services, outside packaging, and labeling suppliers.

This is just one way to classify the suppliers to your organization. As usual, the exact ways suppliers fit into your classifications will depend on your company and product. If your company produces a high-risk device, you’ll likely need tighter controls on the majority of your suppliers.

You might notice that certain types of suppliers are missing from this list. Personally, I find that the three-tier system is useful, but it does not accurately capture specific suppliers.

Consultants are one example. It doesn’t make sense for a company to require that a consultant be ISO-certified, or have a change notification agreement established. Therefore, I usually place consultants into their own classification (Class D) so that they can have different evaluation criteria.

Another example is distributors. Distributors play a different role than any other supplier, and the evaluation criteria will also be unique. This puts distributors into Class E.  

This may seem like a lot of classes, but you want a system that helps you with the rest of your supplier management process. If you have too few classes, suppliers end up lumped together with requirements that don’t make sense. 

Supplier Evaluation Criteria

Now that you have your different supplier risk classifications, it’s time to take the next step and specify the requirements for each class of supplier. At this stage, you are using the risk classifications to determine how much information or assurance of quality is needed from the different types of suppliers.

Your evaluation criteria can include:

  • FDA Registration (required for contract manufacturers in the US)
  • ISO Certification (ISO 13485 or ISO 9001)
  • Quality Agreements
  • Supplier Audits
  • Change Notification Agreements
  • First Article Inspection
  • Supplier Surveys (see section under Choosing Suppliers and Gathering Information)

Once you’ve established the criteria required for your suppliers, you can place the criteria in a matrix based on the supplier classes.

[Figure: A supplier risk classification matrix, which includes the requirements for Class A, B, and C suppliers]

A supplier classification matrix like this will make it easy to understand if a supplier can be qualified for the ASL. It can also be referenced by auditors to ensure a certain supplier is meeting the requirements. 

It’s important to keep in mind that an organization should not rely solely on a 3rd-party accreditation (like ISO certification), and there should be other controls in place to ensure the supplier is in the company’s best interest.

What about consultants and distributors? The purpose of adding these suppliers to different classifications was so it would be easy to have unique criteria in place. For consultants, the minimum requirement I have is maintaining a resume on file. For distributors, you want a detailed distribution agreement in place that dictates their responsibilities regarding your products. 

One thing to consider at this stage is that you always want the ability to use a supplier that does not entirely meet the requirements. For example, there may only be one type of supplier in the world of a certain component that is required for your device, and they might not be ISO certified. You will have to provide a sufficient documented reason for why you are using the supplier, but you still want to have the option available.

Supplier Audits

Supplier audits can be one of the best ways to confirm information about a supplier’s quality. However, audits are also expensive and time-consuming. 

In the matrix above, Class A and B suppliers require an audit before they can be qualified in the supplier management system. That said, the nature of these audits does not necessarily need to be the same.

A Class A supplier might require an in-person audit, while a Class B supplier might require a virtual audit. The audit frequency could also be different, with Class A suppliers requiring audits every one to two years and Class B suppliers only requiring audits up front and if there are quality issues.

There might not be anyone at your company who is qualified to perform audits. In this case, an employee can perform lead auditor training and receive the necessary credentials. 

Alternatively, start-ups and smaller organizations may only be required to audit a few suppliers. If so, the company can hire a contract auditor to perform the audit on their behalf. If you are going this route, make sure the contract auditor is qualified and on your ASL!

Another action that can be beneficial is an informal supplier visit that does not include a full audit. This is useful for establishing a relationship with a supplier and gaining an understanding of their facility. If your company makes a low-risk device, a supplier visit can even substitute for an audit with Class B and lower suppliers. 

Supplier Quality Agreements

Supplier Quality Agreements are legally binding documents that are put in place to govern the relationships with suppliers. Not only are they required in certain situations, but they are a great way of formalizing expectations. For these reasons, Supplier Quality Agreements are essential to supplier management.

While Supplier Quality Agreements are very helpful to a company, they can also be difficult to put into place. This is especially true of large organizations that provide off-the-shelf components. For this reason, it is best to require full Quality Agreements only from medium and high-risk suppliers.

What needs to be included in a Supplier Quality Agreement? As usual, it depends on the type of product or service being provided. Appendix 2 of this NBOG document related to supplier controls can be a good start.

Certain items I’ve seen in Quality Agreements include:

  • When the supplier will send validation data to the company
  • If the supplier will send testing or inspection reports to the company
  • When the company has the right to audit the supplier, and if the supplier agrees to be audited by the company’s notified body. 
  • The change notification agreement (more information below). 
  • Traceability requirements of products
  • Access to documents maintained by the supplier

Each Supplier Quality Agreement should be tailored to the specific supplier. Quality Agreements typically need a higher level of control and are reviewed by a company’s legal department, so it’s best to have discussions with companies beforehand to understand who will be included in sign-offs.

Change Notification Agreements

Change Notification Agreements are one piece of a Quality Agreement that is specifically required by ISO 13485. 

From section 7.4.2:

Purchasing information shall include, as applicable, a written agreement that the supplier notify the organization of changes in the purchased product prior to implementation of any changes that affect the ability of the purchased product to meet specified purchase requirements.

If you are going to put a Supplier Quality Agreement in place with a company, it’s best to include the Change Notification Agreement in that document. However, for lower-risk suppliers who may not have a full agreement in place, you should still obtain a Change Notification Agreement.

The good news is that many large medical device suppliers, with whom it may be difficult to obtain written agreements, have a change notification system in place. Take this example from Sigma Aldrich with their M-Clarity program. If the supplier you are working with has a public change notification system, I’d highly recommend documenting this in your supplier management system instead of obtaining a separate agreement if possible.

The type of Change Agreement will also depend on the specific supplier and material/service being purchased. 

With custom products, the Change Agreement may specify that the supplier will not make any changes unless they have written approval from your company. However, with off-the-shelf components, this may be impossible to obtain, and the agreement can be limited to the supplier notifying the company before any changes are made.

What types of changes should be included in a Change Notification Agreement?

Just like a company’s change control process, the agreement should cover types of changes such as:

  • Facility changes
  • Changes to specifications
  • Material Changes
  • Packaging changes
  • Labeling changes
  • Supplier changes
  • Process changes

The timeline of the notification will also vary based on the supplier’s commitments. From a customer perspective, it’s best to be notified as early as possible about any upcoming changes. For changes to specifications, three to six months is typical. However, larger changes, such as changing a facility or material might require a longer notification period. The specific timeline should be detailed in the agreement.

Choosing Suppliers and Gathering Information

Once your supplier evaluation process is in place, you can start finding and qualifying suppliers. 

Initially, you need to find companies that provide the type of materials or services that you need. This can be done through Google searches or contacts in or around your organization. There is no point in qualifying a supplier and going through the process of adding them to your ASL if they aren’t capable of providing the product you need. 

After you have some potential suppliers picked out, it’s common for a cross-functional team, including Purchasing, Engineering, and Quality, to meet with the supplier. Each of these departments will be heavily involved with the supplier, so it’s useful for all of them to gather relevant information on the supplier. 

Some of the questions you are looking to get answered are:

  • Are they capable of producing products to your specifications?
  • Do they have the capacity to meet your needs?
  • Will they be able to meet your supplier evaluation criteria?
  • Are there any major changes coming to the organization, such as being bought out or moving locations?

You can also assess any public or private information on the reputation and expected reliability of the supplier. 

While cost can be a major factor in choosing a supplier, it should never be what decides a supplier (this is called out specifically in different documents, including the MDSAP audit approach). For this reason, avoid all mentions of cost in your quality-related supplier documentation.

At this stage, especially if a meeting isn’t conducted, it’s also typical to send a supplier survey to the company to document information related to their Quality Management System.

When you are preparing to move forward with a supplier, you’ll need to gather all of the information required by your supplier evaluation criteria. But before you reach out to the supplier, search their website for any of your listed requirements.

A large percentage of companies in the medical device space have their FDA registration number and ISO certification listed on their websites. They may also have a standard supplier survey and change notification system available. 

Make sure you check their website for this information before sending out requests! If a supplier has a current ISO 13485 certification easily available, it shows a lack of empathy to ask for it by email. You want to maintain a good relationship with the supplier, and they have already demonstrated that they are making it easier for you!

However, if the supplier does not have their certifications or FDA registration number publicly available, it is appropriate to reach out to them to gather those records.

If all the departments are happy with the information they have received from the supplier, you can move forward to the more resource-heavy elements of supplier qualification.

If they are providing a product, you can request a first article to ensure it meets specifications. If the supplier is high-risk, you can schedule or perform the supplier audit.

This is also the time to get the Quality Agreement drafted and in place. Once that is signed, you can celebrate since it’s time to add the supplier to your ASL!

Supplier Surveys

This is a personal note, but I’m not a fan of supplier surveys. I believe they rarely add value to the supplier management process or organization, slow down evaluation, and start the supplier relationship on a bad foot. 

Ultimately, you need a record that the supplier can make the product you want and meet your order timelines. However, if I go to a supplier’s website and it says: “We are an ISO 13485 certified injection molded part supplier”, and then I send them a survey that asks: “Are you ISO Certified?” and “What do you make?”, all I’ve done is create busy work for their Quality person.

In my opinion, you should be creative in how you meet this requirement. If you are meeting remotely with the supplier, ask them if you can record the meeting and save it with their record. Or, just take notes on the meeting and see if all of the necessary questions are answered. Perform a website review and document your findings. 

If they ask for a survey, sure, send them a survey. Outside of that, I do not believe surveys are the best way of gathering information about suppliers and that talking to the supplier is far more effective. As mentioned earlier, this can include an informal on-site visit. 

Neither ISO 13485, MDSAP, nor the FDA or any other regulation that I know of says: “You must have a completed supplier survey on your company’s letterhead.” There is information you must have documented, and it is up to you as the quality professional to justify your approach to an auditor or notified body.

Supplier Management and Monitoring

Is the supplier management process complete once the supplier has been evaluated and added to your ASL? Absolutely not. In fact, it’s just getting started. At this point, it’s time to start monitoring and re-evaluating your supplier as necessary.

Supplier monitoring hinges on some key aspects of a supplier’s performance.

  • Is the purchased product meeting the stated specifications?
  • Is the supplier fulfilling other obligations that have been listed in the Quality Agreement (sending batch reports or validation information)?
  • Is the supplier shipping products by agreed-upon deadlines?

So how do you monitor suppliers? The MDSAP audit approach includes the following activities for monitoring suppliers:

supplier re-audits, statistical analysis of incoming acceptance results, monitoring of complaints and nonconformities related to supplied product, independent confirmation of certificate of conformance data, and consideration of the supplier’s responses to requests for corrective action

As with everything medical device-related, the breadth and frequency of monitoring will depend on the risk level of the supplier. High-risk suppliers will need more frequent re-audits and monitoring of material, while for low-risk suppliers, you may need to do occasional reviews of the nonconformities and complaints.

A supplier scorecard can be a useful way of documenting your monitoring and re-evaluation of suppliers.

Taking the monitoring activities listed above, build a specific weighted scoring approach for each element. For example, it is important that a supplier ships material on time, but it is more important that the material a supplier ships is correct.

Using the score, you can put the suppliers into different categories such as preferred, acceptable, and at-risk. A preferred supplier may be the go-to supplier if you need a similar product or service in the future, and an at-risk supplier may be a supplier you are looking to replace.

Also, as part of your supplier re-evaluation process, you should ensure that the supplier’s certification status has not changed and that you have a record of their current certificate on file.

We’ll talk about SCARs down below, but I will note that I like the comment on SCARs in the MDSAP section I included. It is reasonable to have monitoring criteria that include the number of SCARs, and a surplus of SCARs should have you looking for a new supplier.

However, if you send one SCAR to a supplier and they become defensive and dismissive, I believe that supplier is worse than a supplier who has received three SCARs but has sent back excellent results each time and shown improvement. 

You should be trying to build healthy, long-standing relationships with suppliers. At times, you might need to visit a supplier on-site and help them through processes related to your products. If you do this, you will build a better, more resilient product in the long run, as opposed to jumping to different suppliers and starting over every time there are issues.

Supplier Nonconformances and SCARs

Another aspect of supplier management is addressing the non-fulfillment of purchasing requirements with suppliers. In the medical device industry, this is handled by sending your supplier a Supplier Corrective Action Request (SCAR). 

A SCAR is the supplier version of a CAPA and is a request by the company to have the supplier open a corrective action related to the company’s product. 

This is one reason it is useful to work with suppliers who are ISO certified, as you can be confident that they have a corrective action process in place to address issues. If they are not ISO certified, there is no harm in walking the supplier through the expected process to try and fix the problem.

There are many different reasons a SCAR might be initiated. It could be from a batch of incoming products that does not meet specifications. It could be an output of a Management Review Meeting.

A SCAR could also be raised as the result of the supplier monitoring process. At times, a supplier being behind schedule or sending incorrect quantities might just be noted and communicated to the supplier. However, a pattern of this behavior might be escalated to a SCAR.

Should you send a SCAR form managed by your company to the supplier?

My preference is that if you are working with an ISO-certified supplier, they (hopefully) have a CAPA system in place. Many companies use different eQMS software to manage their CAPAs, and if not, they should be recording the CAPA on specific forms within their QMS.

Ask the supplier and see if they have a system in place that can send you a record of their CAPA. Since all of the steps of a CAPA are generally the same, this record should be able to meet your requirements. Making your supplier take all of their information and copy it into your form is another way of unnecessarily building bad blood with a supplier. But, if they do not have a form available, it’s fine to send them documentation to complete the activities.

Supplier Documentation

Everything you do related to supplier management should be documented.

Not only will you need to have a procedure in place for supplier evaluation and monitoring, but you should also have records of your actions related to these activities.

Outside of a supplier evaluation form (or similar electronic record), you will need to maintain copies of up-to-date supplier certifications, audit reports, surveys, supplier-provided documents (the supplier-controlled surveys and change notifications I mentioned), SCARs, and other actions related to suppliers.

And most importantly, your ASL should always be accurate and up-to-date.

A good eQMS system can go a long way in making supplier management simpler. Either way, you need to document everything you are doing related to suppliers.

Wrapping Up

Supplier management is a crucial aspect of producing high-quality medical devices. ISO 13485 and medical device regulations expect you to select, qualify, and monitor your suppliers to ensure you have control over what is going into your products. By following this guide, you can set your company up for success and nail supplier management.
