The MDR and ISO 13485:2016, just like the FDA, set out clear requirements regarding supplier evaluation, supplier selection and supplier monitoring.
This article not only gives you an overview of the regulatory requirements. It also gives you tips on how to implement them and tells you when a supplier audit is necessary.
As soon as manufacturers stop developing something themselves and start buying it in, they require a supplier evaluation. Examples of products and services supplied externally are:
First of all, manufacturers should establish criteria by which they assess the suppliers. Then they carry out the supplier evaluation. Based on this supplier evaluation they select the most suitable supplier/s (supplier selection).
Fig. 1: Supplier evaluation, supplier selection and supplier monitoring are an ongoing process.
Manufacturers monitor suppliers continually, e.g. within the scope of the supplier audit, and evaluate them regularly, for example based on audit results and the quality of the products and services delivered.
The MDR makes it unequivocally clear that quality management must regulate “selection and control of suppliers and sub-contractors” (Article 10 (9)d.). The notified bodies must check that this actually happens.
The notified body must decide whether a specific supplier or sub-contractor audit is necessary (Annex VII 4.5.2.a, Annex IX 2.3 and 3.3). If this applies, even the suppliers (“sub-contractors”) are subject to unannounced audits – “at least once every five years” (Annex IX 3.4).
The notified body is obliged to take samples of the documentation from the supplier (“sub-contractor”), particularly if the delivered parts have an influence on the conformity of the products and the manufacturer is unable to demonstrate sufficient control over its suppliers (Annex VII 4.5.2).
The manufacturers must specify which suppliers and sub-contractors are involved in development and production (see Annex II, 3.c.).
ISO 9001:2015 and ISO 13485:2016 place concrete requirements on the selection and evaluation of external suppliers of products and services – supplier selection, supplier evaluation and supplier assessment. Manufacturers must...
Please bear in mind that these criteria must be established specifically for the product.
Alongside suppliers, the regulatory requirements also concern the products and services themselves. Manufacturers must...
ISO 13485 adds aspects that are specific to medical devices such as:
You can find further requirements on supplier assessment in the ZLG documents, e.g. documents 3.9 B16 and 3.9 B 17.
The FDA mentions practically identical requirements in 21 CFR part 820.50 “Purchasing Controls”. Contrary to ISO 13485, it explicitly mentions a quality assurance agreement:
Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device.
FDA 21 CFR part 820.50
You shouldn’t decide afresh in each new case how you select and evaluate your suppliers; instead, establish a procedure specification for selecting and evaluating suppliers.
Fig. 2: The supplier control measures, as well as supplier monitoring and supplier evaluation, should depend on specific criteria
In order to fulfill the above-mentioned requirements, this procedure specification must determine criteria and methods for selecting and evaluating suppliers.
The criteria you can consider when implementing measures for selecting and evaluating your suppliers include:
If the delivered product is or contains software, further criteria are to be taken into account for the supplier evaluation:
Regardless of the criteria, adopt one or more of the following measures:
You certainly won’t be using the methods and criteria mentioned for every supplier. It doesn’t make much sense to subject your stationery supplier to an audit. If, however, your supplier writes the software for your medical device and is not ISO 13485 certified, it is your duty to arrange a supplier audit.
Thus, in the last step you establish which supplier evaluation measures you are to implement and under what criteria. As the rules and regulations can very quickly become confusing, you can group together the measures and stipulate different types of suppliers.
Thus, there could be a category for “highly critical suppliers” with whom you sign a quality assurance agreement and who allow for audits, a full incoming goods inspection and personnel with a certain level of qualifications.
You can set out these rules for supplier evaluation in a table, in a text or as a flow chart.
As explained above, supplier audits are included in the measures that manufacturers take within the scope of ongoing supplier monitoring and evaluation.
Whether and when supplier audits are to take place depends on the criticality of the products and services delivered, as well as whether the suppliers have their own QM system or not.
In this case, the manufacturers declare their own quality management system and its rules to be binding for their suppliers.
Manufacturers must check that suppliers are adhering to these rules by means of supplier audits. Within the scope of such an audit, manufacturers check, for example, whether or not the supplier documents development or production according to the manufacturer’s specifications. These audits should be performed at least once a year.
Fig. 3: If the supplier works under the umbrella of the manufacturer’s QM system, during the supplier audit the manufacturer must check their conformity with the QM system.
The manufacturer is also audited. According to ISO 13485 these audits by notified bodies must also extend to suppliers, meaning that it is possible that the auditor may pay the supplier a visit.
As component manufacturers and development service providers do not bring any medical devices into circulation themselves, they do not need to be subjected to any audits by notified bodies. They normally only allow this to meet the requirements of their customers, the manufacturers.
To prevent their own supplier audit from getting out of hand, many manufacturers prefer suppliers who have their own QM system. In this case, audits on the manufacturer carried out by notified bodies are limited to document inspections.
Fig. 4: If the supplier has their own QM system (according to ISO 13485:2016), the manufacturer may refer to that
When selecting suppliers, medical device manufacturers should look above all to companies with ISO 13485 certification and not just ISO 9001.
However, even with this type of company, an additional supplier audit is also recommended. Such audits must be performed as a part of the contracts between the medical device manufacturer and the supplier.
Conformity assessment procedures refer to the development and production of medical devices. This means that whenever a manufacturer has components developed or produced for their medical devices, these work steps may be subject to a supplier audit.
This is different for components that are not specially developed or produced for the medical device such as monitors, mains adapters or off-the-shelf software components. In this case the manufacturers will ensure, within the scope of risk management, that these “purchased parts” (“catalogue goods”) do not lead to any unacceptable risks. A supplier audit would not be carried out there (or be allowed).
Manufacturers must evaluate and select suppliers before commissioning them. This choice must be made based on clear criteria.
Supplier control, which particularly includes monitoring the suppliers, is an ongoing process.
The selection of these criteria and the intensity of this control must be risk-based.
Supplier audits are carried out at companies to which part of one’s own tasks, such as development, have been outsourced. Here we often refer to the “extended workbench”. The audit must then be performed according to the rules of the manufacturer’s QM system (ISO 13485).
The manufacturer (distributor) can only spare themselves this audit if the development partner has their own ISO 13485 QM system and presents the corresponding documentation for the product to the manufacturer. The same applies to audits by the notified body.
Manufacturers are increasingly outsourcing tasks like development and production, either wholly or in part. The regulations make it clear that by doing so the tasks may not be withdrawn from a quality management system. For this reason, the notified bodies are obliged to also inspect the suppliers, if necessary, and in some cases within the scope of unannounced audits.
So manufacturers are well advised to select and monitor suppliers with whom they can guarantee consistent quality management and therefore product conformity and safety.
The Johner Institute supports manufacturers and suppliers in the following tasks, among others: