You’ve qualified your suppliers and purchased their products, but what should a company do once the products arrive? ISO 13485 section 7.4.3 is all about the verification of purchased products to ensure they meet the company’s and supplier’s specifications.
Table of Contents
What are the requirements for verification of purchased product?
The variety in purchased product verification can be massive, which is one reason that ISO 13485 is not prescriptive in this section. What the requirement comes down to is that an organization must have established processes for the inspection or other verification activities needed to confirm purchased product meets purchasing requirements.
It is up to the organization to decide on the method they will use to check the products they purchase. Some of the inputs going into the decision are the type of product, risk level, effect the purchased product has on the medical device, and feasibility of verification. As I will discuss below, the most influential input is the supplier management process.
Relationship between Supplier Management and Verification
Companies should always strive to lower their appraisal costs. Inspection and other forms of verification are expensive and are one of the least effective means of guaranteeing the quality of their devices.
For purchased products, a company does not have the option of further validating or improving the process. This means that the mechanism to lower appraisal costs is supplier management.
One way of understanding this is that, at similar risk levels, there is an inverse relationship between supplier management and verification of purchased products. Companies can choose to do 100% inspection for every purchase and have minimal supplier controls, but this is ineffective and expensive.
Instead, they should utilize their supplier management process to establish tight relationships with high-quality suppliers. If an organization can trust that the materials coming in their door will meet specifications, they do not need to devote as much time to verification.
This idea can be built into your supplier management process. As you determine the different risk levels and requirements for various products, you can state the required verification activities for those risk levels. You can also lower the verification activities if the supplier meets the stated criteria.
For certain types of suppliers, such as sterilization suppliers, companies may not have easy methods of verifying that the activity was successfully completed. This is why sterilization suppliers are almost always in the highest risk category of a medical device company’s supplier management process. The verification is built into the supplier management process.
Verifications of Products
As usual, the type of verification activities a company should perform depends on its medical device and the purchased product.
Certain verification activities extend beyond medical devices and are good for any business. Namely, checking if all of the purchased products are there, identified, and undamaged.
Other initial activities can include checking the packing slip and any Certificates of Conformity (CoC) or Certificates of Analysis (CoA). For low-risk products and/or well-qualified suppliers, this could be the full extent of the verification activities.
That said, it is still a good idea to occasionally verify the supplier’s claims. Confirming the results of a CoC/CoA can be done frequently when initially qualifying a supplier, with fewer checks performed once the relationship is established. Organizations can also choose to verify the supplier’s products according to different sampling plans.
Verification activities that require more resources include testing and inspection of purchased products. This could mean measuring products with mechanical tools to see if the dimensions are within specification, sending products out to 3rd party testing companies, etc.
The inspection and testing will need to be performed according to a specified sampling plan. It is a good idea to include items like the AQL criteria in a Quality Agreement with a supplier so that both parties can better agree on the inspection results. The sampling plan could also change based on the results of previous inspections, with increased inspection being performed if products are consistently outside of their specifications.
Verification of Services
While measuring a product makes sense to most people, it’s common to struggle with the idea of verifying services.
No surprise, but the type of verification will depend on the specific service being provided.
As an example, it is standard for calibration suppliers to send certificates for the calibration of measuring equipment. Organizations should review the calibration certificates to ensure they contain the necessary information and include any organization-specific requirements. For a service supplier providing internal auditing, the verification could be the receipt and review of the audit report.
Sterilization suppliers perform a high-risk process that is difficult to verify. To verify the sterilization activities, companies should record the CoC in addition to having strong supplier controls. Remember, supplier management activities like auditing can be included as part of the verification of purchased product.
Supplier Nonconformities
Organizations also need to determine how they will respond when an incoming test or inspection determines that a product or service does not meet its specifications.
Similar to an internal nonconformance process, companies have several options available. They can return the product to the supplier, rework the purchased product, accept the products use under concession, or scrap the material on site. The MDSAP audit approach has more information about dispositioning nonconforming purchased product. The decision should be approved and documented.
The organization should also notify the supplier about the nonconformance. If the nonconformance is serious or if there are repeated nonconformances, the issue may escalate to a Supplier Corrective Action Request, which we cover in more detail in our Supplier Management Guide.
Documentation Requirements
An organization should document or record the following information to support its processes for verifying purchased material:
- Process for verifying purchased products
- Process for handling nonconforming purchased products
- Inspection, test, and sampling plans for purchased products
- Records of verification of purchased products
- Records resulting from any nonconforming purchased products
I also recommended holding onto supplier-provided documents like CoCs with the verification records.
Changes to Purchased Product
The next requirement in ISO 13485 section 7.4.3 involves changes a supplier makes to a purchased product.
As part of supplier management, organizations need to have a Change Notification Agreement in place with their supplier. This requirement covers what the organization should do once they are notified of a change.
The good thing is that if the supplier is following the agreement, an organization should have a significant amount of time to respond to a change. As soon as a company becomes aware of a change from a supplier, it should initiate the change in its own change control process.
The actions taken will depend on the specifics of the change. A change could have no effect on the device, a facility change could require a new audit, and a specification change might start a whole series of design control activities.
If the change has anything to do with the fit, form, or function of the device the change should be reviewed for its impact on the medical device. The change might be significant enough to require new design verification and validation activities.
While it is possible to grasp the full effects of the change based on the information in the notification, it’s also useful to test the newest version of the product once it is available. Additionally, it is common to perform a First Article Inspection on a new version of a product, which is a more thorough inspection, to ensure it matches the supplier’s and organization’s specifications.
Wrapping Up
Wrapping up, I will stress that while verifying purchased material may be necessary, organizations should have strong supplier controls to limit appraisal activities. It can be extremely difficult for a company to respond to nonconforming purchased material and seriously delay production. Having good supplier controls in place will not only lower appraisal costs but will also reduce the likelihood of having to handle nonconforming purchased products.
If you have any questions, please leave a comment. If you found this article helpful, be sure to sign up for the newsletter below and review the rest of our articles, which cover ISO 13485 requirements in-depth.