Dr. Christopher Joseph Devine, President, Devine Guidance International
Devine Guidance

For an Effective Supplier Selection Process

By Dr. Christopher Joseph Devine
Dr. Christopher Joseph Devine, President, Devine Guidance International

To my colleagues who have decided to rejoin me for an ongoing exploration into the trials and tribulations of effective supplier management for the medical device industry, thank you for returning. I hope you will be able to glean some useful information from the compilation of current industry practices, concepts extracted from my doctoral dissertation, and an overall common-sense approach to supplier quality. It is my personal belief that pursing the ideas presented within this paper, and scheduled to…

To my colleagues who have decided to rejoin me for an ongoing exploration into the trials and tribulations of effective supplier management for the medical device industry, thank you for returning. I hope you will be able to glean some useful information from the compilation of current industry practices, concepts extracted from my doctoral dissertation, and an overall common-sense approach to supplier quality.

It is my personal belief that pursing the ideas presented within this paper, and scheduled topics for the upcoming weeks, will assist in keeping you and your organization on the path toward or continue to be compliant with industry-recognized quality and regulatory practices.

Warning letter violation
Referencing a comment I presented in my last paper by Kimberly Trautman, the U.S. Food and Drug Administration’s (FDA) current Good Manufacturing Practices and Quality System Regulations expert, suppliers providing non-conforming materials are directly related to an increase in medical device recalls. This increases the need for effective quality processes to mitigate risk.

The FDA is very serious in its attempt to reduce the number of field actions associated with the poor supplier management. The following is an excerpt from a warning letter issued by the Agency in 2009: “Failure to establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements, as required by 21 C.F.R. 820.50. Failure to establish and maintain the requirements, including the quality requirements, that must be met by suppliers, contractors, and consultants. 21 C.F.R. 820.50(a). For example, your Procedure for Purchasing (Suppliers), Procedure SLP0007, Revision K, dated April 21, 2009, and Procedure for Vendor Audits, Procedure, SLP0020, Revision D, dated May 16, 2005, are inadequate in that they do not require an evaluation and qualification determination of contract service providers for the manufacturing operations including laser etching, porous-coating, solution treatment and fusion welding of orthopedic implants and contract laboratory testing for the analysis of (b)(4) and (b)(4) in EtO processed orthopedic implants.”

Regulations and requirements
The Quality System Regulation (QSR), Medical Device Directive (MDD), and EN ISO 13485:2003/AC2007 are sufficiently vague when delineating requirements for supplier management and selection. This allows organizations to develop effective supplier management strategies that are aligned with their business model. However, medical device manufacturers are required to adhere to these regulations; compliance is not optional. Key regulations providing oversight for supplier management are:

  1. QSR – Subpart E – Purchasing Controls Section 820.50: Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received products and services conform to specified requirements.
    • Evaluation of suppliers, contractors, and consultants: Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:
      1. Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
      2. Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
      3. Establish and maintain records of acceptable suppliers, contractors, and consultants.
    • Purchasing data: Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with 820.40.
  2. MDD Article 3 – Essential Requirements:  The devices must meet the essential requirements set out in Annex I, which apply to them, taking account of the intended purpose of the devices concerned.
    • Where a relevant hazard exists, devices, which are also machinery within the meaning of Article 2(a) of Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery (5) shall also meet the essential health and safety requirements set out in Annex I to that Directive to the extent to which those essential health and safety requirements are more specific than the essential requirements set out in Annex I to this Directive.
    • Annex II.3 EC Declaration of Conformity – Full Quality Assurance System: The manufacturer must ensure application of the quality system approved for the design, manufacture and final inspection of the products concerned, as specified in Section 3 and is subject to audit as laid down in Section 3.3 and 4 and to Conformity surveillance as specified in Section 5.


  3. EN ISO 13485 – 7.4 Purchasing: 7.4.1 The organization shall establish documented procedures to ensure that purchased product conforms to specified purchase requirements.
    • The type and extent of control applied to the supplier and the purchased product shall be dependent upon the effect of the purchased product on subsequent product realization or the final product.
    • The organization shall evaluate and select suppliers based on their ability to supply product in accordance with the organization’s requirements. Criteria for selection, evaluation, and re-evaluation shall be established. Records of the results of evaluations and any necessary actions arising from the evaluation shall be maintained.

Supplier selection process
An effective selection of a supplier must be based on four salient concepts. First, the selection must be requirements-driven. Business needs such as quality, regulatory and compliance, manufacturing capabilities, technology, capabilities, customer service, delivery and cycle times, and lifecycle management, are worthy of consideration, as part of the selection process.

The second concept is risk. The assessment of business risk, regulatory risk, risk of product failure, etc. must be effectively gauged throughout the entire supplier selection process.

The third is the development of an effective supplier survey. Finally, you must remember the importance of documentation, documentation, and more documentation. All of the supplier selection activities must be thoroughly documented, in writing I might add. Why you ask? Because in the eyes of the FDA, notified bodies, and other regulatory bodies, if events are not documented in writing, they just did not happen.

Sharing requirements
You would not buy a house without sharing with your real estate agent some basic requirements as to what your needs are in terms of size, rooms, location, etc. Similarly, the supplier selection process cannot commence until basic requirements and needs are defined by your organization.

For all of you engineers used to working from a napkin drawing, once your ideas are captured and formulated, a formal component specification document needs to be created. Additionally, when defining these requirements, the approach pursued must be cross-functional.

While engineers drive the show because they are tasked with owning the design and development, other key stakeholders are quality, regulatory, manufacturing, procurement, materials, supply chain, and marketing, and they should provide input into the selection process.

Furthermore, if a candidate supplier possesses a quality system certified by a recognized registrar or notified body, the focus of the initial supplier visit can be focused on processes and overall business capabilities. Finally, because developing suppliers and qualifying material is expensive, never let the one functional group be the sole stakeholder in the selection process. The final decision to approve and add a supplier to your organization’s approved vendors list (AVL) must be a collaborative one.

Assessing risk
For medical device manufacturers, it is incumbent upon the organization to investigate the capabilities of potential suppliers prior to the commencement of an on-site assessment. I strongly recommend starting with the moderately famous and extremely useful Dunn & Bradstreet report (and no, I am not a paid spokesperson for this service).

The D & B report (while not an all-encompassing selection tool) provides a condensed business synopsis on potential suppliers and can save an organization from much grief and pain if potential suppliers have cash flow issues, pending litigation, or other significant issues that can influence their business in both the short and long term. Remember, if a potential supplier is experiencing business problems, and you decide to proceed with the relationship, those problems will quickly become your (organization’s) problems.

The second important factor relating to risk is the potential failure of a procured component and the influence a failed component could have on the finished medical device. Early in the design and development process, link the component failure risk back to the design and preferably to the design Failure Mode and Effects Analysis (dFMEA).

Additionally, best-in-class industry practices drive the alignment of suppliers into categories premised on risk and organizational need. For example, when selecting a supplier for providing a disposable manufacturing aide such as a finger cot, the selection and evaluation process will differ dramatically from that of a contract manufacturer. The identification of categories and the subsequent placement of suppliers into these categories are dictated by organizational structure and need.

An example of a supplier category table is depicted in Table 1. Remember; the table is only an example and not all encompassing model as the final model will be premised on organizational need.


 Table 1: Sample Categorization of Suppliers
 Category & Assessment  Applicability
Category 1
Annual Assessment Mandatory – Due to Risk
OEMs, Contract manufacturers, Co-development suppliers, and own label distributors
Category 2
On-Site Assessment Mandatory – Premised on Schedule & Risk 
Strategic Suppliers providing materials or services intended for use in the product, packaging, or labeling

Suppliers of custom materials that go into an active implantable medical device
Active pharmaceutical ingredients, which are part of the finished product

Any component carrying a drug identification number (DIN) 
Laboratory services providers

Analytical test labs 
Sterilization service providers

Biological indicators, e.g., dosimeters
Suppliers of software solutions which influence operations and global systems 
Category 3
On-site Assessment as Necessary – Premised on Risk
Custom material, process, and/or component

Calibration service providers (without ISO 17025 accreditation)

Translation service provider 
Offsite record storage

Environmental services provider
Category 4
On-site Assessment Optional/ Mail-In Survey Required
Current EN ISO 9000 or EN ISO 13485 Quality Certificate acceptable in lieu of survey
Standard catalog component manufacturers

Low-risk components

Distributors of catalog components (e.g., chemicals)

Calibration service providers (ISO 17025 accreditation required) or NVLAP accreditation
Category 5
No Requirement for Quality System Assessments – Purchase Order Only
MRO items not utilized in the manufacture of product, packaging, or labeling

Transportation services

Consultants (resume on file)

Preventative maintenance contractors

Facility services, i.e., janitorial services, pest control, etc.

Supplier assessments survey

In reviewing multiple types of supplier assessments, as part of my doctoral research, one shortfall noted was a strong reliance on a single model by organizations to assess their supplier base. This practice does not lend itself to being a proactive and efficient approach for effective supplier management.

For example, requirements for a contract sterilization supplier will differ from the requirements that are relevant for a machined component supplier. The fundamental quality system requirements may be the same; however, manufacturing processes and inspection methodologies will differ.

So how does an organization address the technological differences? I recommend creating commodity-specific surveys to support the supplier assessment process. Since quality-specific requirements such as corrective and preventive action, non-conforming material, and management review are standard throughout the medical device industry, a single bank of questions, specific to these quality systems, can be created and placed into a dedicated quality section within each survey. These questions would be applicable for all suppliers. Additionally, for a low-risk application, the quality certificate from a recognized notified body or registrar should be acceptable.

Furthermore, not all suppliers will require an on-site assessment, as this approach is expensive. A well-designed supplier quality questionnaire, that captures relevant business and quality information, can be a reliable tool for non-critical components, services, or other business needs deemed not critical.

In closing, I hope the information provided above focusing on basic concepts for supplier selection, risk, supplier categories, and supplier assessments are useful and reinforce some of the current practices currently being pursued by you in your organizations. Remember; there is no holy grail of quality systems. In fact, there are two fundamental quality systems: one, a quality system that complies with regulations and standards, and two, a quality system that does not. How you reach and sustain compliance is completely up to you, and the organizations that you support.

In my next installment of Devine Guidance, I will expand on the importance of specifications and begin exploring the value of defensive-receiving inspection.


  1. Code of Federal Regulation. (2008, April). Title 21 Part 820: Quality system regulation. Washington, D.C.: U. S. Government Printing Office.
  2. Devine. C. (2009, July). Exploring the effectiveness of defensive-receiving inspection for medical device manufacturers: a mixed method study. Published doctoral dissertation. Northcentral University. Prescott Valley, AZ. 
  3. FDA – U.S. Food and Drug Administration Website. (2009). Warning letters. Retrieved January 11, 2010, from http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/ucm193670.htm.
  4. Medical Device Directive. (1993). Council Directive 93/42/EEC. Medical Device Safety Service. Retrieved January 11, 2010, from http://www.mdss.com/MDEV/93_42_EEC.htm.
  5. Medical devices – quality management systems – requirements for regulatory purposes. (2007). EN ISO 13485:2003/AC:2007.
  6. Poor supplier control causing recalls, FDA says; contract is key to success. (2007, May). The Sheet – Medical Device Quality Control, 11(6). Danvers, MA.


About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International