Jon Speer

FDA Compliance

Qualifying Your Suppliers Using a Risk-Based Approach

Lessons from the medical device industry

Published: Thursday, June 13, 2019 - 12:02

This notion of risk-based processes within quality systems is something that has become part of our formal lexicon following the release of ISO 13485:2016, the globally harmonized standard for medical device quality management systems (QMS).

Well before these risk-based processes became a quality system requirement under ISO 13485, many medical device companies were already using this type of approach, perhaps without even realizing it. This is because there’s always been an element of confusion surrounding this topic.

So, what does “risk-based” actually mean? If you look at each of the individual processes within your QMS, there can be different logic and approaches for each as they apply to risk.

From an audit perspective, some areas of your QMS will likely have a higher emphasis on risk. Supplier management has been one of those areas, attracting a great deal of attention from auditors. One main reason is how rapidly the commercialization of this industry is evolving, which impacts the way we conduct business.

Emphasis on supplier management

When I first entered the medical device industry, the vast majority of companies were vertically integrated. They housed every essential operational process, from design, to manufacturing, to business development, under the same roof. Fast forward 20 years, and there’s a growing trend to outsource more and more work throughout the premarket and postmarket cycles.

For example, a lot of U.S.-based device makers will outsource their manufacturing overseas to minimize higher labor costs associated with having it made in the United States. They leverage third-party contractors and points of sale to manage these jobs and processes. One recurring theme I’ve noticed in doing this is that due diligence is often neglected while selecting these suppliers.

Without proper due diligence, companies may wind up with a returned product that does not meet the necessary standards for quality. This can lead to unforeseen new costs—negating any potential benefit of outsourcing to save costs in the first place. It can also lead to increased audits, more time spent on quality control, or in some cases the complete overhaul of a product.

For these reasons, regulatory agencies, such as the FDA, have put a new emphasis on current good manufacturing practices (CGMP) and how medical device companies must qualify and manage their suppliers. But how do you determine that suppliers have the skills and meet the standards needed to do the job well? How do you ensure that they meet all quality and regulatory requirements? Because ultimately, it’s the device maker that will be held responsible.

Identify criteria for your supplier

First, you must identify criteria for your suppliers that are commensurate with what they are doing for your company. For instance, if you have a supplier that is manufacturing a material that will be in direct contact with patients, you want to make sure their facility is clean. You want to know that they follow an acceptable standard for CGMP, have conducted purity testing on materials, and can consistently provide the same quality of material for multiple batches of your product.

Using the same example above, another aspect that shouldn’t be overlooked is the level of risk of your product and the biocompatibility testing on the material that will likely be required. How will you know that the material you tested today will be the same in a few years’ time? Appropriate controls need to be in place, and you as the medical device company need to be monitoring them.

When I say “commensurate with what they are doing for your company,” not all suppliers will require the same level of scrutiny. If you’re going to be manufacturing a less-invasive product that is not intended to be patient-contacting or considered high risk, you might not have as many criteria for assessing and evaluating the supplier.

Qualifications for suppliers

After you identify the criteria for your supplier, creating an approved supplier list is important. But I think the reference to “approved supplier” can be confusing. When you approve someone on your list, you’re not approving them to supply just anything. You can’t assume that because you’ve approved component X and it meets required standards, that the same supplier will be qualified to work on components Y and Z.

Within your approved supplier list, you need to clearly state what they are approved to supply. Part of your assessment should involve evaluating suppliers on those components, and there are many ways to do this. For example, if it’s a tangible product, you might do first-article inspection and apply higher scrutiny to the first lot you receive from them.

From a quality perspective, you want some kind of objective evidence that the supplier will be able to meet the set standards, and do so consistently. As part of your supplier qualification, you’ll also want to understand the state of the supplier’s quality system, if it has one. You’ll want to know if the supplier is certified, if that is necessary for your company’s needs.

A supplier survey form is a good tool to use for qualifying suppliers. It helps to give you more detail about the supplier, such as what it is, how it works, and where its facilities are located. As part of your qualification process, you may want to do an onsite audit, especially if the device the supplier will be working on will be classified as high risk.

Managing risk with suppliers

As the medical device company that is overseeing the process, you should always be able to accurately assess the criticality of what the supplier is doing. There’s a common practice used for this: critical-to-quality (CTQ), which can help you to dictate what kind of controls you should have with a supplier.

ISO 13485 includes a “risk-based approach,” and the standard also references guidance from ISO 14971. I think this creates confusion for many companies because ISO 14971 is product-based risk management. According to ISO 13485, your risk-based approach is more about methodology—that is, a risk management plan, risk assessment, and risk controls. You can and should apply this type of methodology when qualifying your suppliers.

When you do a risk assessment, you can determine which things are classified as “low risk” vs. “high risk” in order to clarify your supplier criteria. For example, suppliers classified as higher risk might have controls such as onsite audits, clear supplier quality agreements with roles and responsibilities defined, and monitored activities such as spot checks on incoming product. You may even choose to do 100-percent inspection on the first few shipments of the product.

Another thing that’s important about this topic is that contract manufacturers are considered to be suppliers. Companies have often taken a lot of liberties with contract manufacturers, such as overlooking certain aspects based on the fact the manufacturer is ISO 13485-certified. At the end of the day, it is your responsibility as the medical device company associated with the device being produced. You don’t get to point to the contract manufacturer to assume responsibility for any issues.

How to handle supplier issues

Your risk-based approach to managing suppliers should include trigger events or scenarios that tell you when to escalate an issue or take necessary action. If you start identifying nonconformances, such as parts that don’t meet your user criteria, and the issue appears to be systemic, then you can issue a supplier corrective action request (SCAR).

The expectation of the supplier, if it is issued a SCAR, is to initiate its own internal investigation and corrective and preventive action (CAPA). You’d also expect the supplier to involve and communicate with your company along the way. Once the supplier closes the CAPA, you’re essentially going to be verifying the effectiveness of its corrective action. You might find that you have to tighten controls, at least for a period of time.

In any case, you should definitely notify the supplier of any known issues with the product being returned, even if you’ve noticed just one or two noncompliant products coming through. The idea is to nip nonconformances in the bud before they become a systemic issue. This is where ongoing monitoring of supplier performance is key.

Final thoughts

The risk-based approach you use for supplier management should be looked at as a top-down approach to how you do everything in your medical device company. So for example, you conduct risk assessments on your device, and you come up with a certain risk level for it; this can be an excellent guide for the level of risk and scrutiny you apply to suppliers.

Supplier management should be an area of your quality system where you conduct internal audits regularly to ensure records and procedures are properly documented and up to date. Develop clear acceptance criteria, use an approved suppliers list, and ensure that you have monitoring activities in place to manage the relationship. And remember: The quality of your suppliers and those relationships have a direct relationship with the outcomes for your medical device.

First published May 19, 2019, on the Greenlight Guru blog.


About The Author

Jon Speer

Jon Speer is the founder and vice president of quality assurance and regulatory affairs at Greenlight Guru, a software company that produces the only medical device quality management software solution. Device makers in more than 50 countries use Greenlight Guru to get safer products to market faster. Speer has served more than 20 years in the medical device industry and helped dozens of devices get to market. As a thought leader and speaker, he regularly contributes to numerous industry publications. He is also the host of Global Medical Device Podcast.