In my recent interactions with organizations ranging from small, virtual manufacturing start-ups to established medical device manufacturers, I’ve observed significant uncertainty around the expectations for supplier quality. Under EU Directive 93/42/EEC (MDD) and ISO 13485:2016, managing supplier quality with few resources is possible. Some organizations have successfully managed suppliers from a regulatory perspective with a minimal compliance approach and no on-site supplier audits. From a quality perspective, there is a different story. Although the regulatory requirements are not specific, numerous quality issues arise with lax supplier controls. With heightened supplier scrutiny in the EU MDR (Regulation 2017/745), now is the time to reevaluate your supplier quality program to address both regulatory and quality concerns.
ISO 13485:2016 requires criteria for evaluating, selecting, monitoring and re-evaluating suppliers. The standard further requires that these criteria are commensurate with the supplier’s ability to provide the product or service, the supplier’s performance, the effect of the product or service on the quality of the medical device, and the risk profile of the medical device. Lastly, the requirements for qualification of supplier personnel must be defined in your organization’s purchasing information.
The Medical Device Directive establishes the authority for notified bodies to inspect a manufacturer’s supplier or contract manufacturer when “duly substantiated”. No details are provided regarding what constitutes “duly substantiated”. The regulation also states that the organization must ensure that products must conform to the regulation at every stage, starting with initial design and throughout manufacturing. This includes establishing and maintaining quality system requirements for any third party involved in the design, manufacture, inspection or testing of the product or any components used therein. The organization must determine the methods and extent of supplier controls for all such suppliers. No specific details are provided.
Nothing in the standard or regulation precisely defines the activities you must perform in your supplier quality program. There is no mention of on-site audits, remote audits (also called “desktop” or “survey” audits), or any specific methods of evaluating suppliers. While some organizations view this as a pass to implement a bare bones supplier quality program, the quality risks far outweigh the resources required to ensure thorough but efficient supplier quality. Conversely, one need not interpret this to mean that supplier quality controls must be heightened across all suppliers. Supplier controls must be proportionate to the risks of the supplier’s product or service on your finished device.
Existing practices in some organizations already coincide with the requirements in the new EU Medical Devices Regulation (EU Regulation 2017/745). The new requirements in the EU MDR do not add significant burden for organizations that have already adopted best practices for supplier control. The new regulation primarily strengthens the authority and responsibility of notified bodies regarding the evaluation of their clients’ supplier controls. Let’s review the new requirements and my recommendations to comply.
1: Selection and control of suppliers are recognized in the MDR as a component of resource management; therefore, resource management activities should include suppliers.
For organizations certified to ISO 13485:2016, supplier performance is monitored and management review includes a review of the data and evaluation of supplier performance. Resource management is also addressed in management review and covers human, equipment and facility resources. During management review of resources, consider an expanded diagram of all related organizations: your own as well as your suppliers. Construct an organizational chart or process chart that clearly identifies your organization’s functional areas, your suppliers, and how they interact. I recommend a chart that identifies the suppliers that perform manufacturing (finished device or component), testing or inspection with a pointer to the applicable step in the overall manufacturing process. This visual display of a sometimes-complicated arrangement allows executive management to engage in a more global assessment of resources. Document this evaluation in your management review record along with the organizational or process chart.
2: More detail is provided regarding the audit of suppliers or contract manufacturers by notified bodies. Specifically, the regulation states that during audit planning, the notified bodies will “identify links between, and allocation of responsibilities among, the various manufacturing sites, and identify relevant suppliers and/or subcontractors of the manufacturer, and consider the need to specifically audit any of those suppliers or subcontractors”.1 Therefore, the notified body is required to plan for supplier audits in advance of the audit. This new requirement highlights the increasing focus of regulators on suppliers and supplier controls.
The activity in the previous section allows proactive planning for the notified body’s assessment and audit planning. The expanded organization or process chart allows an objective view of the links between your organization and your suppliers. Detailing the links between your organization and your suppliers demonstrates to the notified body that you have implemented a system-wide evaluation of your outsourced processes. By implementing controls corresponding with the risks demonstrated in the organizational or process chart, you provide a clear summary of adequate supplier controls. Issuing supplier approval on a simple evaluation and supplier survey is not adequate preparation for the scrutiny that a critical supplier may face from your notified body.
3: Explicit instruction is provided for notified bodies to assess the manufacturer’s controls over suppliers with influence on the conformity of finished devices. In these cases, notified bodies are to audit the manufacturer’s supplier controls on the premises of the supplier. If a manufacturer does not demonstrate adequate supplier control, an on-site notified body audit of the supplier is more likely.
Note that the regulation is broadly based on any influence a supplier may have over the finished device (no specific circumstances are described). A supplier performing a service (e.g., packaging or sterilization), a supplier providing a component (e.g., packaging or a tissue-contacting material), or a contract manufacturer of a finished device all exert some influence on the finished device. For this reason, you as the legal manufacturer must clearly document your rationale for the level of supplier controls you maintain for various suppliers. This documentation must clearly demonstrate that you have adequate supplier controls commensurate with the risk of the product or service provided by the supplier relative to your finished device.
Rather than rely on the supplier’s risk management for their processes, consider partnering with them on a risk management package that specifically addresses their process as it affects the conformance of your finished device. That is, don’t rely solely on a generic process failure mode and effects analysis (pFMEA) provided by your supplier. Your supplier may be most knowledgeable about potential problems in their process; however, you are better suited to determine the risks of those problems to your finished device.
4: Notified bodies are required to maintain procedures for unannounced audits, including those of subcontractors and suppliers.
By following the recommendations outlined thus far and otherwise preparing your suppliers for unannounced audits, you will mitigate supply risks caused by audit findings issued against your suppliers. Again, here your approach should be risk-based with the greatest efforts applied to your most critical suppliers (those with the greatest impact on the conformity of your finished devices). Do not assume that your supplier’s quality system certification, esteemed reputation, or results from other audits mean they are prepared for an unannounced inspection related to your device. For high-risk or critical suppliers, perform an on-site audit and verify they have procedures and competent personnel for handling unannounced inspections.
Speaking of supply risks, establishing alternate suppliers at this time may prevent a lag in a critical component or service. With increased regulatory focus on contract manufacturers and suppliers, the risks associated with having a sole supplier have increased. The ability to lean on an alternate supplier while your primary supplier resolves any regulatory issues may be worth the expense of maintaining two suppliers.
5: The MDR outlines specific QMS subsystems that a notified body must audit, including purchasing controls and verification of purchased devices. This requirement overlaps the requirements for supplier controls and should be considered when planning your compliance approach.
Ensure consistency and efficiency between verification of purchased product and your supplier management program. In some cases, the activities you perform to verify purchased product may adequately mitigate some risks. For example, you may choose to rely more on stricter incoming inspection or testing than general supplier controls. By reassessing your entire supplier management approach, you have the opportunity to implement efficient and coordinated processes. However, a cogent risk-based assessment must be documented and maintained where one process is used to mitigate a risk associated with another.
Employ a risk-based approach to supplier quality that considers both the influence of the supplier on quality of the finished device and the purchasing controls in your organization. Partner with your suppliers to ensure they understand the new requirements as they relate to the products or services they provide to you. Ensure your suppliers are aware of the risks to your product associated with their product or service. Verify that any risks identified by the supplier are commensurate with the risks identified in your risk management package for your device.