The MDR and IVDR, as well as ISO 13485:2016, just like the FDA, set out clear requirements regarding supplier evaluation, supplier selection, and supplier monitoring.
This article not only gives you an overview of the regulatory requirements. It also gives you tips on how to implement them and tells you when a supplier audit is necessary.
1. Basics of supplier management
a) Examples of suppliers and delivered products and services
As soon as manufacturers stop developing something themselves and start buying it in, they need to perform a supplier evaluation. Examples of products and services supplied externally are:
- Product development: You commission the development of an entire medical device.
- Component development: You commission the development of a part of a medical device.
- Component purchasing (“catalogue goods”): You use a “ready,” i.e., an already existing product within your medical device.
- Tool purchase or rental: You buy or rent products as tools. This includes external software as a service, e.g., a document management system (computer system validation, CSV, must be taken into account here).
- IT services: You use an IT service like server hosting or a cloud service. Here, it would be necessary to determine whether this service is a part of your products or services.
b) Supplier evaluation, supplier selection, supplier monitoring
First of all, manufacturers should determine criteria by which they assess potential suppliers. Then they carry out the supplier evaluation. Based on this supplier evaluation they select the most suitable supplier(s) (supplier selection).
Manufacturers monitor suppliers continually, e.g., during the inspection of incoming goods or within the scope of the supplier audit and evaluate the suppliers regularly, e.g., based on audit results and the quality of the products and services delivered.
The criteria used for the initial evaluation are usually not the same as those used for the ongoing evaluation as part of monitoring. For example, the “delivery reliability” criterion cannot be measured in the initial evaluation, as there has not yet been a delivery. In contrast, delivery reliability will be a criterion in the ongoing evaluation.
2. Regulatory requirements for supplier management
a) MDR and IVDR
QM system requirements
The MDR and IVDR make it unequivocally clear that quality management must regulate the “selection and control of suppliers and sub-contractors” (MDR Article 10 (9) d) or 10 (8) d) for the IVDR).
Requirements for the manufacturer’s notified body
The notified body must decide whether a specific supplier or sub-contractor audit is necessary (Annex VII 4.5.2.a, Annex IX 2.3 and 3.3). If this applies, even the suppliers are subject to unannounced audits – “at least once every five years” (Annex IX 3.4).
The notified body is obliged to conduct audits of the supplier in case the delivered products have a major influence on the conformity of the medical devices and the manufacturer is unable to demonstrate sufficient control over its suppliers (Annex VII 4.5.2).
Requirements for the technical documentation
The manufacturers must specify which suppliers and sub-contractors are involved in development and production (see MDR Annex II, 3.c. or IVDR Annex II 3.2. b)).
b) ISO 13485 and ISO 9001
ISO 9001:2015 and ISO 13485:2016 place specific demands on the selection and evaluation of external providers of purchased products (ISO 13485:2016 defines products as the results of a process and includes services in the product concept). According to ISO 13485, manufacturers must…
- determine criteria for suppliers and the products to be purchased (examples of criteria are given below)
- evaluate suppliers according to these criteria
- select suppliers according to these criteria
- monitor suppliers according to these criteria
- re-evaluate suppliers according to these criteria
Please note: These criteria are to be defined on a product-specific basis!
The regulatory requirements affect not only the suppliers but also the products. Manufacturers must…
- analyze the impact of the purchased product on the safety and performance of the medical device
- address associated risks
- define specifications for the products to be purchased
- specify requirements for products, qualification, and quality management of the supplier as far as appropriate
- determine which procedures, processes, and tools are to be used to test the products supplied
- test the products in accordance with these specifications
The standard also insists on written quality agreements:
The controls shall be proportionate to the risk involved and the ability of the external party […] [and] include written quality agreements.
ISO 13485:2016 Chapter 4.1.5
c) ZLG* requirements
*ZLG = Central Authority of the [German] Länder for Health Protection with regard to Medicinal Products and Medical Devices
You can find further requirements on supplier evaluation in the ZLG documents, e.g., 3.9 B16 (German) and 3.9 B 17.
d) NBOG requirements
Please note: In its Best Practice Guide 2010-1, the Notified Body Organization Group (NBOG) explicitly mentions sole reliance on ISO 9001/13485 certifications as an example of a lack of control. Relying on certificates alone should/must, therefore, result in supplier audits by notified bodies.
The limited benefit of certificates matches the experience of notified bodies during various audits: Unfortunately, self-written, non-accredited, dubious certificates are ultimately nothing more than a piece of paper and offer no reliability.
The better approach is to conclude a good Quality Assurance Agreement (QAA) and(!) carry out supplier audits.
e) FDA: 21 CFR part 820
The FDA states practically identical requirements in 21 CFR part 820.50 “Purchasing Controls,” e.g., a Quality Assurance Agreement:
Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device.
FDA 21 CFR part 820.50
The FDA emphasizes that the data generated during the selection, evaluation, and monitoring of suppliers and products is subject to the document control requirements of 21 CFR part 820.40.
3. Supplier evaluation in practice
You should not decide how you select and evaluate your suppliers on a case-by-case basis but should define a standard operating procedure for supplier selection and evaluation.
In order to ensure compliance with the above requirements, this standard operating procedure must define criteria and methods for supplier evaluation and selection.
a) Step 1: Define criteria
The criteria that you can take into account when implementing measures for selecting and evaluating your suppliers include:
- Does the supplier develop a medical device or parts/components for it?
- Does the supplier provide services that form part of your services? Such an example is a hosting service provider with whom you offer your software as a service.
- Is your supplier ISO 13485 certified?
- How dependent are you on the supplier? Are there alternative suppliers, products, or procedures?
- Do you already have experience with the supplier regarding delivery reliability and the quality of the delivered products? A Google search combining the supplier with terms such as “problem” or “unreliable” sometimes brings new insights. Product reviews can also be helpful.
- Is the product or service business-critical? Would a failure to meet the requirements lead to law violations, a breach of security, the loss of company secrets, a loss of reputation, or financial disadvantages?
If the delivered product is or includes software, further criteria for the supplier evaluation are conceivable:
- What safety class does this software have?
- Is it SOUP or OTS?
- Does this software itself contain SOUP?
- Is the software a tool or part of a product?
- Is this a case of purchasing/renting or development?
b) Step 2: List possible measures
Depending on the criteria, take one or more of the following measures:
- Negotiate a Quality Assurance Agreement covering, e.g.:
  - Standards to be met by your supplier
  - List of your standard operating procedures that your supplier must follow
  - Number and qualifications of personnel to be provided by the supplier
  - Supplier’s agreement to supplier audits, including scope and frequency
- Limit potential suppliers to those who are ISO 13485 certified, if applicable
- Inspect incoming goods:
  - Frequency, sampling
  - Methods, e.g., additional tests, visual inspection
- Type and scope of the documentation made available to the supplier, e.g.:
  - Product specifications
  - Acceptance criteria
  - Project specifications such as time and budget
  - Quality Assurance Agreement (see above)
- Supplier audit
Read more about the Quality Assurance Agreement, the regulatory requirements, and the typical contents of such a QAA.
c) Step 3: Assign measures to criteria
You will certainly not apply the above methods and measures to every supplier. For example, an audit of your office supply vendor may not be a sensible undertaking. On the other hand, if your supplier writes the software for your medical device and is not ISO 13485 certified itself, a supplier audit will be your duty.
In the last step, you, therefore, determine which supplier evaluation measures you will apply for which criteria. Since the rules can quickly become confusing, you can group the measures and define different types of suppliers.
For example, there could be a type of “highly critical supplier” with whom you sign a Quality Assurance Agreement that includes audits, a complete incoming goods inspection, and persons with a certain level of qualification.
You can describe this algorithm for supplier evaluation in tabular, textual, or flowchart form.
4. Supplier audits
As explained above, supplier audits are one of the measures manufacturers carry out as part of the initial supplier evaluation and/or ongoing supplier monitoring.
Whether and when supplier audits are to take place depends on the criticality of the products and services delivered, as well as whether the suppliers have their own QM system or not.
In other words, manufacturers should control their suppliers as much as possible with agreements, specifications, and inspections (at the supplier or manufacturer). If the inspection of the products or processes does not provide sufficient certainty, a supplier audit is required.
a) Supplier audit: If the supplier doesn’t have its own QM system
In this case, the manufacturers declare their own quality management system, or its rules, to be binding for their suppliers. This means that they prescribe the processes to the supplier or develop specifications together with the supplier.
Manufacturers must verify that suppliers comply with these rules by conducting supplier audits. During such audits, manufacturers check, for example, whether the supplier is documenting development or production in accordance with the manufacturer’s specifications.
The manufacturers themselves are also audited. According to ISO 13485, these audits by notified bodies must also extend to the suppliers, i.e., the auditor may visit the supplier.
Since the component manufacturers and development service providers do not market any medical devices, they would not have to undergo an audit by a notified body. They usually only allow this in order to meet the requirements of their customers, the manufacturers.
b) Quality management system instead of supplier audits
To avoid this “spillover” of their own audit to the suppliers, many manufacturers prefer to use suppliers that have their own QM system. In this case, the audit by a notified body is usually limited to the manufacturer.
When selecting suppliers, manufacturers of medical devices should give preference to companies with an ISO 13485 certificate and not (only) an ISO 9001 certificate.
But, certification alone is not enough: manufacturers must ensure that the scope of the service provider’s certificate covers the processes that are relevant to the manufacturer.
However, an additional supplier audit is not to be discouraged even with this option. Such audits would have to be included as part of the contracts between the medical device manufacturer and the supplier.
c) Which companies can be excluded from supplier audits?
Conformity assessment procedures refer to the development and production of medical devices. This means that whenever a manufacturer has components developed or produced for their medical devices, these work steps may be subject to a supplier audit.
The situation is different for components not developed or produced specifically for the medical device, such as monitors (screens), power supplies, or off-the-shelf software components. Here, the manufacturers would ensure, as part of risk management, that these “bought-in parts” (“catalog goods”) do not lead to any unacceptable risks. You would not (be allowed to) carry out a supplier audit for suppliers of such products.
5. Summary
a) Supplier evaluation and selection
Manufacturers must evaluate and select suppliers before commissioning them. This choice must be made based on clear criteria.
Supplier control, which particularly includes monitoring the suppliers, is an ongoing process.
The selection of these criteria and the intensity of this control must be risk-based.
b) Supplier audits
Supplier audits are carried out on companies to which a part of the manufacturer’s own activities have been outsourced, e.g., a part of the development. This is often referred to as the “extended workbench.” In this case, the audit must be carried out according to the rules of the manufacturer’s QM system (ISO 13485).
Manufacturers (those placing products on the market) can only avoid this audit if the development partner has an ISO 13485 QM system and can provide the manufacturer with the relevant product documentation. The same applies to audits by the notified body.
c) Conclusion
Manufacturers are increasingly outsourcing some or all of their activities, including development and production. The regulations clarify that this does not mean that the activities can be withdrawn from a quality management system. Therefore, the notified bodies are obliged to inspect suppliers if necessary – possibly as part of unannounced audits.
Manufacturers are, therefore, well advised to select and monitor suppliers with whom they can ensure consistent quality management and, thus, the conformity and safety of the devices.
We support manufacturers and suppliers in the following tasks, among others:
- Creating MDR, IVDR, ISO 13485, and FDA-compliant standard operating procedures for supplier evaluation, selection, and monitoring
- Formulating Quality Assurance Agreements
- Preparing audits by manufacturers and notified bodies
- Conducting supplier audits on your behalf
- Ensuring the correct interaction of activities (e.g., supplier monitoring, risk management, trend analysis, etc.) as part of post-market surveillance (a key requirement of the MDR and IVDR)
Change history:
- 2023-05-31: Editorial changes