Supplier Approval

Based on Risk for

Medical Device
Companies

knacknewbery@icloud.com
Written by: Brian Newbery
Founder of Fast-Track QMS
Consultants
https://fasttrackiso13485.com 1 of 6 P027.1
 Supplier Approval Based on Risk for
Medical Device Companies
Supplier approval and ongoing management of suppliers for medical device companies, is
another one of those critical processes which if done right can help you manufacture your
medical device to the high quality you and your customers are expecting.

It’s also one of the elements of ISO 13485:2016 that requires medical device companies to use
a risk based approach for supplier selection, as well as ongoing supplier management.

With the pending publication of the FDA QMSR and harmonization

with the ISO 13485:2016 requirements, supplier approval based on
risk is one of the added requirements that some medical device
companies who are not currently following ISO 13485, will need to
adapt too.
This certainly makes a great deal of sense when you consider the safety and quality
requirements for medical devices. Also a factor in justification for close attention to risk
management, is the increasing amount of commercialization, including outsourcing, that has
become even more common practice for many medical device companies.

Many North American and European based device companies will outsource their
manufacturing to other countries where the labor costs will be a lot less. This can lead to a
higher degree of appropriate due diligence while selecting and managing these suppliers.

The manufacturing costs may be significantly reduced by using overseas suppliers, but without
the required level of attention and monitoring it can lead to unforeseen new costs that will
reduce or eliminate any benefits from the outsourcing. Other issues could be dealing with audit
concerns, more time and effort on quality control, or even in some cases a change in product
design, and possibility of a field recall. So outsourcing is another risk factor to consider.

ISO 13485:2016 includes risk management throughout the standard including supplier
management. FDA also have emphasis on risk and expect this to increase as they head
towards incorporating the ISO 13485:2016 requirements.

Need for new Risk Approval Supplier Monitoring of

supplier assessment process approved performance

https://fasttrackiso13485.com 2 of 6 P027.1
Let’s take a look at the compliance requirements in ISO 13485:2016 and the FDA
regulations. The requirements dealing with risk are highlighted with bold blue font.

The Purchasing requirements including those for Supplier

Approval to meet ISO 13485:2016
ISO 13485:2016: Section 7.4.1 states the following:

The organization shall document procedures (see 4.2.4) to ensure that purchased product
conforms to specified purchasing information .

The organization shall establish criteria for the evaluation and selection of suppliers. The
criteria shall be:

a) based on the supplier’s ability to provide product that meets the organizations
requirements.
b) based on the performance of the supplier.
c) based on the effect of the purchased product on the quality of the medical device.
d) proportionate to the risk associated with the medical device.

The organization shall plan the monitoring and re-evaluation of suppliers. Supplier performance
in meeting requirements for the purchased product shall be monitored. The results of the
monitoring shall provide an input into the supplier re-evaluation process.

Non-fulfillment of purchasing requirements shall be addressed with the supplier

proportionate to the risk associated with the purchased product and compliance with
applicable regulatory requirements.

Records of the results of evaluation, selection, monitoring and re-evaluation of supplier

capability or performance and any necessary actions arising from those activities shall be
maintained.

https://fasttrackiso13485.com 3 of 6 P027.1
Examples of controls over incoming supplier materials:

Increasing controls.
Risk Level Dock to C of C only C of A only Random lot All lot 100% Certified
stock inspection inspection inspection
Low Risk X X X X X X X
Medium Risk X X X
High Risk X X
X = optional acceptance methods

Examples of Supplier Risk categories:

Low Risk:
Suppliers who pose little or no risk to the quality of the products and no risk to the
customer/end user.

Medium Risk:
Suppliers who pose some risk to the quality of the products and low risk to the customers and
also have a high probability of being detected by inspection or testing.

High Risk:
Suppliers with the potential to pose a high risk to the products and to the customer.

Critical Supplier:
Supplier who may also be in the High-Risk category but could also be a sole supplier of a key
component that could seriously affect production if issues occur with their material or service.

Certified Supplier:
A Low or Medium Risk supplier that over time has proven to meet all of the quality
requirements and for a Low-Risk supplier can upon review have their products go directly from
dock to stock without inspection or for Medium Risk suppliers can use minimum sampling
inspection.

https://fasttrackiso13485.com 4 of 6 P027.1
 OVERALL SUPPLIER APPROVAL PROCESS

https://fasttrackiso13485.com 5 of 6 P027.1
SUPPLIER APPROVAL PROCESS AND ONGOING MONITORING

Approval process:
Once a risk assessment is completed the approval process can be carried out based on the
degrees of risk involved for the material that you will be sourcing from this supplier. The basic
steps in the approval process are shown in the diagram above and include a documented
supplier survey.

Depending on the risk level an audit of the supplier may be required. For high-risk suppliers it
may be good practice to schedule an annual audit or more frequent depending on the findings.

After the supplier survey is completed by the supplier and returned, it is reviewed by Quality
and Purchasing and if acceptable approved. Any concerns or questions should be resolved
before approval is completed.

Once approved the supplier is added to a documented Approved Supplier List and should
include the specific material the supplier is approved for. Later if any additional products are to
be purchased from the same supplier they will need to go through a review and approval
process, including a risk assessment, before those new materials are added to the approved
supplier list.

Only suppliers that have gone through the supplier approval process and have been approved
and added to the approved supplier list, can Purchasing then proceed to use that supplier as a
source for production materials.

This complete Supplier Approval process also applies to service suppliers, and is a requirement
of the FDA, and also makes good sense for those services that can potentially effect quality of
the product.

One more note on the supplier approval process, and it concerns the fact that some medical
device businesses subcontract the manufacturing of their medical device, either for the
complete device or part of the processing. In either case the degree of involvement for supplier
approval and monitoring takes on a much higher level of required activity, including in depth
risk evaluation, and ongoing monitoring.

https://fasttrackiso13485.com 6 of 6 P027.1
Monitoring:

Ongoing monitoring of supplier performance is also a requirement under ISO 13485:2016 along
with supplier re-evaluation on a regular basis. This should be part of the general ongoing
quality system monitoring, measurement and analysis process.

All nonconformances found at receiving inspection or during the company’s manufacturing

process should be communicated to the supplier through a non-conformance report. Any
repeat issues can be addressed either through a separate Supplier Corrective Action Request
(SCAR) or as part of the general CAPA process.

Incoming inspection for materials from that supplier should be considered for a tighter
inspection plan until evidence of the suppliers corrective action is received and verified for
effectiveness. Although not a specific requirement of ISO 13485 I would also recommend that a
summary of ongoing supplier quality is part of the Management Review process.

HOW CAN FAST-TRACK QMS CONSULTANTS HELP

Want to learn more about Fast-Track QMS Consulting and the document bundles and
consulting services we can provide, including proven, Purchasing and Suppler Approval
procedures along with supporting form templates.

then just go to the link at top of this post:

We can also provide procedures for all elements of the ISO 13485:2016 Quality System. Our
complete Turnkey Document Bundle includes 41 procedures and 36 supporting forms that also
cover FDA 21 CFR 820 requirements.

The Turnkey Quality System bundle includes:

• Quality Manual template and supporting documents

• 50 Procedures covering all elements of ISO
13485:2016, plus FDA 21 CFR 820 and MDR
• 41 Forms that support the procedures
• 10 -hours of on-line consultation at no charge
Ultimate ISO 13485 Implementation Kit
Check out our web site at:

https://fasttrackiso13485.com/

https://fasttrackiso13485.com 7 of 6 P027.1