The MDR and ISO 13485:2016, just like the FDA, set out clear requirements regarding supplier evaluation, supplier selection and supplier monitoring.
This article not only gives you an overview of the regulatory requirements. It also gives you tips on how to implement them and tells you when a supplier audit is necessary.
1. Basic principles of supplier management
a) Examples of suppliers and delivered products and services
As soon as manufacturers stop developing something themselves and start buying it in, they require a supplier evaluation. Examples of products and services supplied externally are:
- Product development
You order the development of an entire product. A special case would be if this product is a medical device.
- Component development
You order the development of part of a product. Here too, if this part or component is part of a medical device, it is to be considered a special case.
- Component purchasing (“catalogue goods”)
You use a “ready”, that is, an already existing product within your product or medical device as the case may be.
- Tool purchase or hire
You buy or hire products as tools. This includes external software as a service, e.g. in the sales department.
- IT services
You use an IT service like server hosting and a cloud service. Here, it would be necessary to determine whether this service is a part of your products or services.
b) Supplier selection, supplier evaluation, supplier monitoring
First of all, manufacturers should establish criteria by which they assess the suppliers. Then they carry out the supplier evaluation. Based on this supplier evaluation they select the most suitable supplier/s (supplier selection).
Fig. 1: Supplier evaluation, supplier selection and supplier monitoring is an ongoing process.
Manufacturers monitor suppliers continually, e.g. within the scope of the supplier audit and evaluate the suppliers regularly, for example, based on audit results and the quality of the products and services delivered.
2. Regulatory requirements for supplier management
QM system requirements
The MDR makes it unequivocally clear that quality management must regulate “selection and control of suppliers and sub-contractors” (Article 10 (9)d.). The notified bodies must check that this actually happens.
The notified body must decide whether a specific supplier or sub-contractor audit is necessary (Annex VII 4.5.2.a, Annex IX 2.3 and 3.3). If this applies, even the suppliers (“sub-contractors”) are subject to unannounced audits – “at least once every five years” (Annex IX 3.4).
The notified body is obliged to take samples of the documentation from the supplier (“sub-contractor”), particularly if the delivered parts have an influence on the conformity of the products and the manufacturer is unable to demonstrate sufficient control over its suppliers (Annex VII 4.5.2).
Product documentation requirements
The manufacturers must specify which suppliers and sub-contractors are involved in development and production (see Annex II, 3.c.).
b) ISO 13485:2016 and ISO 9001:2015
ISO 9001:2015 and ISO 13485:2016 place concrete requirements on the selection and evaluation of external suppliers of products and services – supplier selection, supplier evaluation and supplier assessment. Manufacturers must...
- Establish criteria for the providers/suppliers (examples of criteria are mentioned below)
- Evaluate providers/suppliers according to these criteria
- Select providers/suppliers according to these criteria
- Monitor providers according to these criteria
Please bear in mind that these criteria must be established specifically for the product.
Alongside suppliers, the regulatory requirements also concern products and services respectively. Manufacturers must...
- Establish specifications for the products to be purchased
- Provide the providers/suppliers with the necessary information in writing
- Establish what procedures*, processes and tools are to be used to test the delivered products
- Test the products according to these specifications.
ISO 13485 adds aspects that are specific to medical devices such as:
- regulatory requirements
- analysis of the effects of the product/service purchased on the safety and performance of the medical device
- risks, which are generally assumed for the medical device (regardless of the product purchased)
c) ZLG requirements
You can find further requirements on supplier assessment in the ZLG documents, e.g. documents 3.9 B16 and 3.9 B 17.
d) FDA: 21 CFR part 820
The FDA mentions practically identical requirements in 21 CFR part 820.50 “Purchasing Controls”. Contrary to ISO 13485, it explicitly mentions a quality assurance agreement:
Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device.
FDA 21 CFR part 820.50
3. Evaluating suppliers
You shouldn’t decide how you select and evaluate your suppliers in every new case, but you should establish a procedure specification for selecting and evaluating suppliers.
Fig. 2: The supplier control measures, as well as supplier monitoring and supplier evaluation, should depend on specific criteria
In order to fulfill the above-mentioned requirements, this procedure specification must determine criteria and methods for selecting and evaluating suppliers.
a) Step 1: establish criteria
The criteria you can consider when implementing measures for selecting and evaluating your suppliers include:
- Does the supplier develop a medical device or parts/components for it?
- Does the supplier provide services that form part of your services? Such an example is a hosting service provider with whom you offer your software as a service.
- Is your supplier ISO 13485 certified?
- How dependent is the manufacturer on the supplier? Are there alternative suppliers, products or procedures?
- Do you have experience with the supplier in terms of adherence to delivery deadlines and quality of the products delivered?
A Google search that associates the supplier with terms like “problem” or “unreliable” often provides new insight. Product reviews can also be helpful.
- Is the product or service business-critical?
Would failure to meet requirements lead to a breach of the law, a breach of data security, disclosure of company secrets, loss of reputation or financial deficits?
If the delivered product is or contains software, further criteria are to be taken into account for the supplier evaluation:
- What safety class does this software belong to?
- Is it SOUP or OTS?
- Does this software itself contain SOUP?
- Is the software a tool or part of a product?
- Is this a case of purchasing, hiring or development?
b) Step 2: list measures for supplier evaluation
Regardless of the criteria, adopt one or more of the following measures:
- Conclude a quality assurance agreement (y/n)
- Adapt the contents of a quality assurance agreement
  - Standards to be met by your supplier
  - List of procedure specifications that your supplier must follow
  - Number and qualifications of staff to be provided by the supplier
  - Supplier’s assent to supplier audits including scope and frequency
- Limit potential suppliers to those who are ISO 13485 certified (y/n)
- Inspect incoming goods
  - Frequency, sampling
  - Methods, e.g. additional tests, visual inspection
- Type and scope of the documentation made available to the supplier, e.g.
  - Product specifications
  - Acceptance criteria
  - Project specifications such as time and budget
  - Quality assurance agreement (see above)
c) Step 3: correlate measures and criteria
You certainly won’t be using the methods and criteria mentioned for every supplier. It doesn’t make much sense to subject your stationery supplier to an audit. If, however, your supplier writes the software for your medical device and is not ISO 13485 certified, it is your duty to arrange a supplier audit.
Thus, in the last step you establish which supplier evaluation measures you are to implement and under what criteria. As the rules and regulations can very quickly become confusing, you can group together the measures and stipulate different types of suppliers.
Thus, there could be a category for “highly critical suppliers” with whom you sign a quality assurance agreement and who allow for audits, a full incoming goods inspection and personnel with a certain level of qualifications.
You can set out these rules for supplier evaluation in a table, in a text or as a flow chart.
4. Supplier audits
As explained above, supplier audits are included in the measures that manufacturers take within the scope of ongoing supplier monitoring and evaluation.
Whether and when supplier audits are to take place depends on the criticality of the products and services delivered, as well as whether the suppliers have their own QM system or not.
a) Supplier audit: if the supplier does not have their own QM system
In this case, the manufacturers declare their own quality management system and its rules respectively to be binding for their suppliers.
Manufacturers must check that suppliers are adhering to these rules by means of supplier audits. Within the scope of such an audit, manufacturers check, for example, whether or not the supplier documents development or production according to the manufacturer’s specifications. These audits should be performed at least once a year.
Fig. 3: If the supplier works under the umbrella of the manufacturer’s QM system, during the supplier audit the manufacturer must check their conformity with the QM system.
The manufacturer is also audited. According to ISO 13485 these audits by notified bodies must also extend to suppliers, meaning that it is possible that the auditor may pay the supplier a visit.
As component manufacturers and development service providers do not bring any medical devices into circulation themselves, they do not need to be subjected to any audits by notified bodies. They normally only allow this to meet the requirements of their customers, the manufacturers.
b) Quality management system instead of supplier audits
To prevent their own supplier audit from getting out of hand, many manufacturers prefer suppliers who have their own QM system. In this case, audits on the manufacturer carried out by notified bodies are limited to document inspections.
Fig. 4: If the supplier has their own QM system (according to ISO 13485:2016), the manufacturer may refer to that
In the selection of suppliers, above all companies with ISO 13485 certification and not just ISO 9001 lend themselves to medical device manufacturers.
However, even with this type of company, an additional supplier audit is also recommended. Such audits must be performed as a part of the contracts between the medical device manufacturer and the supplier.
c) Which companies can be excluded from supplier audits?
Conformity assessment procedures refer to the development and production of medical devices. This means that whenever a manufacturer has components developed or produced for their medical devices, these work steps may be subject to a supplier audit.
This is different for components that are not specially developed or produced for the medical device such as monitors, mains adapters or off-the-shelf software components. In this case the manufacturers will ensure, within the scope of risk management, that these “purchased parts” (“catalogue goods”) do not lead to any unacceptable risks. A supplier audit would not be carried out there (or be allowed).
Read more on the subject of audits here.
a) Supplier evaluation and selection
Manufacturers must evaluate and select suppliers before commissioning them. This choice must be made based on clear criteria.
Supplier control, which particularly includes monitoring the suppliers, is an ongoing process.
The selection of these criteria and the intensity of this control must be risk-based.
b) Supplier audits
Supplier audits are carried out at companies to which part of one’s own tasks, such as development, have been outsourced. Here we often refer to the “extended workbench”. The audit must then be performed according to the rules of the manufacturer’s QM system (ISO 13485).
The manufacturer (distributor) can only spare themselves this audit if the development partner has their own ISO 13485 QM system and presents the corresponding documentation for the product to the manufacturer. The same applies to audits by the notified body.
Manufacturers are increasingly outsourcing tasks like development and production, either wholly or in part. The regulations make it clear that by doing so the tasks may not be withdrawn from a quality management system. For this reason, the notified bodies are obliged to also inspect the suppliers, if necessary, and in some cases within the scope of unannounced audits.
So manufacturers are well advised to select and monitor manufacturers with whom they can guarantee consistent quality management and therefore product conformity and safety.
Support from the Johner Institute
The Johner Institute supports manufacturers and suppliers in the following tasks, among others:
- Drawing up MDR, ISO 13485 and FDA-compliant procedure specifications for evaluating, selecting and monitoring suppliers
- Formulating quality assurance agreements
- Preparing audits by manufacturers and notified bodies
- Guaranteeing the correct interplay of tasks (e.g. supplier monitoring, risk management, market surveillance, trend analysis, etc.) within the scope of post-market surveillance (central requirement of the MDR)
Prof. Dr. Christian Johner