
Printed on 13-Oct-2022 23:00:53, Expires on 14-Oct-2022 23:00:53

Supplier Evaluation Process


IMS0091

General
1. Scope
To outline the process necessary to select and evaluate:

• Suppliers of products and services that directly affect the quality of Xxxxxxx's own products and services, or the confidentiality, availability, or integrity of Xxxxxxx's data, including that of its employees processed for business purposes
• Suppliers providing a service required to execute part of a clinical investigation (e.g. sample storage facility, sample processing facility) where Xxxxxxx acts as sponsor, co-sponsor or CRO, and as agreed within contractual requirements

2. Purpose
The purpose of this document is to define the method of evaluating, selecting, monitoring on an ongoing basis and re-evaluating Suppliers and Subcontractors, and to outline how (and whether) potential risks of using said suppliers are mitigated. It is also the purpose of this process to ensure that our Suppliers and Subcontractors follow legislative and regulatory requirements.

3. Definitions

Issue 6.1 • Pre-Release • Restricted Page 1 of 11


Uncontrolled if printed
Term: Description

Critical Sub-Contractor: The contracted activity or service is critical to the performance and safety of the device(s), the quality of the Services or the security of the data.
Critical Supplier: Provides materials, components, or services that, if they were to fail, may cause a degradation in the performance of the device or of the service, or reputational/financial harm to Xxxxxxx.
Historical Supplier: Indicates that a supplier either:
1) Was in scope, but is now no longer in scope due to a change in the scope of this process
2) Was being used by Xxxxxxx, or investigated as a potential supplier, but is now no longer being used
May: Indicates that a step is optional.
Moderately Critical Supplier: Has a direct impact on product or service quality but is not critical. Supplier issues from these vendors could potentially cause moderate risk. These suppliers often provide custom parts that are not found off-the-shelf.
Non-Critical Supplier: Has minimal effect on product or service quality. Sometimes these are large distributors that supply off-the-shelf goods in the scope of this process, and they are easy to replace in case something goes wrong due to the high availability of their product/service.
Xxxxxxx: This includes Xxxxxxx UK, Singapore and US sites.
Process: A series of actions or steps taken (activities) to achieve a goal and which transform process inputs into process outputs.
Process Customer: A Xxxxxxx Employee who is impacted by, or regularly uses, the products or outputs of a process and is able to make accurate judgments on that process's efficiency and effectiveness.
Process Owner: A Xxxxxxx Employee who has ultimate responsibility for the performance of a process and has the authority to make necessary changes.
Process User: A Xxxxxxx Employee who regularly executes a process and is able to make accurate judgments on its efficiency and effectiveness.
Shall: Indicates that a step is mandatory.
Should: Indicates that a step is not mandatory but is best practice.
Sub-Contractor: An independent individual or business that is contracted to perform part or all of the obligations defined in another's contract.
Supplier: Indicates anyone who is an external provider of goods or services.
4. Acronyms and Abbreviations
Term: Description

BAA: Business Associate Agreement
COO: Chief Operating Officer
CRO: Contract Research Organisation
GCP: Good Clinical Practice
HIPAA: Health Insurance Portability and Accountability Act
IS: Information Security
MMR: Mean Mitigated Risk
NC: Non-Conformity
NDA: Non-Disclosure Agreement
PIMS: Xxxxxxx Integrated Management System
QA: Quality Assurance
SME: Subject Matter Expert
5. Roles and Responsibilities
Role: Responsibility

Asset Owner: Removing access to systems and returning assets for Historical Suppliers
Clinical Affairs: Providing GCP training to Suppliers if required
COO: Approving high-risk and Critical Suppliers
Data Protection Officer/Legal Counsel: Considering the need for a HIPAA Business Associate Agreement (BAA) for Suppliers and, if necessary, drafting one
Head of Information Security: Deciding if Critical and Moderately Critical Suppliers require an audit and approving medium-risk Suppliers, related to Information Security
Head of Information Technology: Removing access to systems and returning assets for Historical Suppliers
Head of Quality Assurance: Deciding if Critical and Moderately Critical Suppliers require an audit and approving medium-risk Suppliers, related to Quality
Information Security: Assessing Suppliers for Information Security risks, adding the Supplier on PIMS and training Suppliers where necessary
Legal: Deciding if a contract is required and negotiating one if necessary
Process Customer: Monitoring and measuring the efficiency and effectiveness of this process from the view of the Process Customer, as per the IMS Monitoring and Measuring Process – IMS0051
Process Owner: Ensuring that this process is fit for purpose and that any suggested improvements or issues are dealt with in an appropriate manner
Process User: Monitoring and measuring the efficiency and effectiveness of this process from the view of the Process User, as per the IMS Monitoring and Measuring Process – IMS0051
Quality Assurance: Assessing the Suppliers, adding the Suppliers on PIMS and training Suppliers where necessary
Subject Matter Expert: Providing any necessary input to the completion of the Supplier Evaluation Form – IMS0004
Supplier Initiator: Xxxxxxx employee that requests an evaluation of a new Supplier

6. References
Reference Number: Reference Description

IMS0004: Supplier Evaluation Form
IMS0051: IMS Monitoring and Measuring Process
IMS0096: IMS Risk Management Process
IMS0100: Purchasing Process
IMS0105: Internal Audit Process
IMS0111: Findings, and Corrective & Preventive Action Process
IMS0355: Legal Process

Process Flow Chart

Process Description
Each stage lists its actions, with the responsible role(s) in brackets after each action.
General Principles (Xxxxxxx)
It is vital to manage third party security and quality risks, as a breach due to improper supply chain management can cause reputational and financial loss to Xxxxxxx. The need for assurance shall be managed against the urgency and priority of the supplier being evaluated.

Need for New Supplier Identified
1. The need for a new Supplier shall be identified and the potential Supplier selected. (Supplier Initiator)
2. Where applicable, initial costings for the services/products shall be identified prior to funding application and/or contracting. This will ensure that any costs can be incorporated in the early stages. (Supplier Initiator)
3. The Supplier Initiator shall request a Supplier to be evaluated by using the Supplier Evaluation Request Form on the SharePoint Homepage. (Supplier Initiator)
4. A JIRA Ticket will be created automatically on the E&V Board, and at least one member of QA will be notified. The JIRA Ticket shall be updated accordingly throughout the process with all relevant details. (Quality Assurance, Information Security)

Pre-evaluation
1. A pre-evaluation shall be carried out to determine whether a formal evaluation is required. (Quality Assurance, Information Security)
2. Where the new Supplier is required for providing a service to execute part of a clinical investigation, a member of the Clinical Affairs Team shall be consulted. (Quality Assurance, Information Security)
3. Where the new Supplier provides software, or services that will be used to process Xxxxxxx information, Information Technology shall be consulted. (Quality Assurance, Information Security)
4. A Supplier may not need to be approved when they provide off-the-shelf products and where those products do not fall within the scope of Xxxxxxx's ISO 13485 or ISO 27001 activities, or Xxxxxxx's compliance with the applicable legislation and GCP. Examples are given in the Appendix at the end of this document. (Quality Assurance, Information Security)
5. If a formal evaluation is not required, the Supplier Initiator, Head of QA and Head of IS shall be informed. The status of the JIRA ticket shall be changed to "Not required" and a rationale shall be recorded in the ticket. The process shall stop here, and the Purchasing Process – IMS0100 shall be followed to adhere to Xxxxxxx Financial Rules and Regulations. The Supplier can then be used. (Quality Assurance, Information Security, Supplier Initiator)
6. If a formal evaluation is required, proceed to the next stage. The Supplier Initiator should be informed. (Quality Assurance, Information Security)

Supplier Evaluation
1. Suppliers shall be classified according to the following: (Quality Assurance, Information Security)
• Type A – Critical Supplier
• Type B – Moderately Critical Supplier
• Type C – Non-critical Supplier
Please see definitions and examples in the Appendix.

2. Depending on their classification, the methods of qualification of the suppliers and subcontractors shall vary as per the description below: (Quality Assurance, Information Security)

Supplier Classification: Method of Qualification

Type A – Critical Supplier:
• Contact Supplier for relevant information
• Audit can be required at the discretion of the Head of QA or the Head of IS
• Completion of Supplier Evaluation Form – IMS0004
• Relevant Certifications
• Legal Agreement/Quality Agreement
• NDA, where applicable
• Re-evaluation due every year

Type B – Moderately Critical Supplier:
• Contact Supplier for relevant information
• Audit can be required at the discretion of the Head of QA or the Head of IS
• Completion of Supplier Evaluation Form – IMS0004
• Relevant Certifications – the form can be signed before Xxxxxxx has this information
• Legal Agreement/Quality Agreement (where applicable)
• NDA (where applicable)
• Re-evaluation due every 2 years

Type C – Non-critical Supplier:
• Contact Supplier for relevant information, where possible
• Completion of Supplier Evaluation Form – IMS0004
• Re-evaluation due every 3 years
Where it is not possible to collect or obtain part of the documentation required to qualify the Supplier/Subcontractor, records of the attempt to obtain the documentation shall be retained and filed on PIMS / Supplier Evaluation Form – IMS0004.
Where it is not possible to perform an audit on Critical Suppliers, or for some reason it is agreed not to perform the audit, a justification should be provided and recorded in the Supplier Evaluation Form – IMS0004.
3. The Supplier to be assessed shall be added to the Accounts in PIMS. The account status shall be set as 'To be assessed'. (Quality Assurance, Information Security)
4. A Supplier Evaluation Form – IMS0004 shall be completed for the potential supplier; this shall include: (Quality Assurance, Information Security, Supplier Initiator, SME)
• Assessing whether at least two acceptance criteria listed on the form are met
• Conducting a risk assessment as per IMS Risk Management Process – IMS0096
• Contacting the Supplier for relevant information and certifications

Note 1: QA should consult with the Supplier Initiator and, where required, a SME.
Note 2: For the sub-contractors related to the Clinical Facility Service (e.g. OUH, TDL), the following shall be asked:
• In the last three years, has your organisation or any members been found guilty of unlawful discrimination by an Employment Tribunal, an Employment Appeal Tribunal or any other court?
• In the last three years, has your organisation had a complaint upheld following an investigation by the Equality and Human Rights Commission or its predecessors on grounds of alleged unlawful discrimination?
• In the last three years, has your organisation or any subcontractor/consortium member been investigated by an Ombudsman, funding body or Commissioner for a case related to unlawful discrimination or breach of the Equality Act 2010, or any members within been found guilty of unlawful discrimination by an Employment Tribunal, an Employment Appeal Tribunal or any other court?
• Has your organisation been convicted or had a notice served upon them for infringement of environmental legislation?
If any of these answers is yes, the summary of the investigation and an explanation of the outcome shall be requested.
5. If an audit is required, the audit shall be arranged and conducted as per the Internal Audit Process – IMS0105. (Quality Assurance, Information Security)
Note: If necessary, the audit can be conducted after Supplier approval.
6. The approval or rejection of a Supplier shall be made based on: (Quality Assurance, Information Security)
• the Supplier's ability to provide product that meets Xxxxxxx's requirements
• the performance of the Supplier
• the effect of the purchased product/service on the quality of the medical device or on the quality of the service provided by Xxxxxxx
• a risk-based approach considering the quality and performance of the service/products provided by Xxxxxxx
• the reputation of the Supplier
• the Supplier meets at least two acceptance criteria (as listed in Supplier Evaluation Form – IMS0004)
7. The Supplier shall be approved (or rejected) by the Supplier Initiator and one additional approver. The additional approver varies, depending upon both the Mean Mitigated Risk (MMR) and the highest single mitigated risk identified, as indicated below: (Supplier Initiator, Quality Assurance, Information Security, COO)
• 2 ≤ MMR < 5, and no single mitigated risk > 4: QA or IS Engineer as appropriate
• 5 ≤ MMR < 8, and no single mitigated risk > 7: Head of Quality Assurance or Head of Information Security as appropriate

• 8 ≤ MMR ≤ 10, or a single mitigated risk ≥ 8: COO
Note: Regardless of the risk scoring, all Critical Suppliers shall be approved by the COO.

Supplier Approval
1. When approved, the status of the Supplier, recorded in Accounts in PIMS, shall be set as 'Approved' and the Supplier Initiator shall be informed. (Quality Assurance, Information Security)
2. The Purchasing Process – IMS0100 shall be followed to adhere to Xxxxxxx Financial Rules and Regulations. (Supplier Initiator)
3. If applicable, the 'Legal Agreements' stage and/or 'Training' stage shall be followed. Otherwise, the Supplier can be used. (Quality Assurance, Information Security)

Supplier Rejection
1. If the Supplier is not approved, this process may restart with an alternate Supplier. The status of the Supplier, recorded in Accounts in PIMS, shall be set as 'Rejected' and the Supplier Initiator shall be informed. (Quality Assurance, Information Security)

Legal Agreements
1. If required, the legal agreement shall be negotiated and should include information security, privacy, quality, GCP, and any other clauses, as appropriate. The agreement shall be in place prior to any product or service being supplied (see Legal Process – IMS0355). If the negotiation is unsuccessful, this process may restart with an alternate Supplier. (Legal)
Note: For Critical Suppliers, the legal agreement is mandatory.
2. Legal shall keep the records of the contracts and legal agreements. (Legal)
3. The need for a HIPAA Business Associate Agreement (BAA) shall be considered and, if necessary, fulfilled. (Data Protection Officer & Legal Counsel, Information Security)

Training
1. If Xxxxxxx will be sharing unencrypted information with a Supplier or Subcontractor, they may receive information security training. (Information Security)
2. If Xxxxxxx will be sharing patient information with a Supplier that does not ordinarily deal with such data, GCP training may be required. (Quality Assurance, Clinical Affairs)

Periodical Performance Monitoring
1. Supplier performance in meeting requirements for the purchased product or the service provided shall be monitored proportionally to the risk associated with the Supplier. (Quality Assurance, Information Security)
2. Any issues related to product/service quality, incorrect supply, late delivery, customer service response time, customer complaints, or delay in notification of a security incident shall be recorded on PIMS. Suppliers' performance is also reviewed at Management Review meetings. (Quality Assurance, Information Security)
3. If a Nonconformity occurs for a Supplier, a Finding shall be raised as per Findings, and Corrective & Preventive Actions Process – IMS0111, and the supplier shall be notified. (Quality Assurance, Information Security)
Re-evaluation
1. The supplier re-evaluation frequency shall vary as per the Supplier Classification; however, other factors may affect the frequency, such as NCs that have been raised against the Supplier, feedback or complaints, or any other issues noticed during the periodical performance monitoring. (Quality Assurance, Information Security)
2. Any changes to the re-evaluation frequency, where different from the frequencies listed in the Supplier Classification, shall be recorded in the Supplier Evaluation Form – IMS0004. (Quality Assurance, Information Security)

Historical Supplier
1. QA and/or IS should be informed if a Supplier is no longer being used. During re-evaluations, it should also be confirmed whether the Supplier is still being used before proceeding with the evaluation. (Supplier Initiator)
2. If the decision is taken to no longer use the Supplier, where applicable, access to systems shall be removed and all assets shall be returned. (Head of Information Technology, Asset Owners)
3. The status of the Supplier, recorded in Accounts in PIMS, shall be set to 'Historical Supplier'. (Quality Assurance, Information Security)

APPENDIX

A) Does my supplier require an approval?


Examples of Suppliers requiring approval: Cloud computing suppliers, medical reporting, training providers,
prepaid credit card companies, subcontracted laboratories, sample storage facility, sample processing facility,
VPN services, regulatory consultants and phantom suppliers.

Examples of Suppliers not requiring approval: Office supply merchants, travel agents, catering providers and
venue hiring.

B) Classification of Suppliers
Type A – Critical Supplier

Critical Supplier: A critical supplier provides materials, components, or services that, if they were to fail, may cause a degradation in the performance of the device or of the service, or reputational/financial harm to Xxxxxxx.
Critical Suppliers are not easy to replace in case something goes wrong.
• Examples: Amazon Web Services (Cloud Computing Services), Atlassian

Critical Sub-contractor: An organization that performs an outsourced process on Manufacturer's behalf and
where the activity or service is critical to the performance and safety of the device(s) and conformity to
relevant regulations is dependent on the outsourced process.

• Example: CNS

Type B – Moderately Critical Supplier

Moderately Critical Suppliers have a direct impact on product or service quality but they are not critical. Supplier issues from these vendors could potentially cause moderate risk. These suppliers often provide custom parts that are not found off-the-shelf.

• Examples: Phantom Suppliers, Testing Facilities, Regulatory Consultants/Quality Consultants, Anti-virus, Network provider

Type C – Non-critical Supplier

These suppliers have minimal effect on product or service quality. Sometimes they are large distributors that supply off-the-shelf goods in the scope of this process, and they are easy to replace in case something goes wrong due to the high availability of their product/service.

• Examples: Batalas (Training Provider), 360 Resourcing Solutions (Applicant Tracking System)
