ISO 13485

What can you do to stay ahead of medical device supply chain disruptions and comply with reporting requirements of possible device shortages?

Supply chain issues can be somewhat cyclical. As we approach the holiday season, we also approach the shipping season. Public shipping services such as FedEx and UPS see an increase in freight as the holiday seasons approach. Manufacturers need raw materials and components to stock the shelves with all of those holiday gifts. Since we are still living under pandemic conditions, I would be willing to bet there will be more care packages and mailed gifts in place of traditional gatherings. On top of the approaching increase in demand, staffing shortages can very quickly exacerbate supply chain bottlenecks. All the while importers are still expected to… well, import! If transportation affects all general industry you can bet it can also cause medical device supply chain disruptions.

So what does an overburdened mail service have to do with medical devices and quality systems?

Consider, how are your customers getting your product in their hands? How are you receiving raw materials and components? How about your contract manufacturer? Do they have supply chain redundancies? Does your supplier quality agreement address notifications for shipping disruptions? 

Do you have a regulatory obligation to report a shortage/supply chain disruption or interruption of manufacturing to the FDA, or Health Canada? The FDA monitors for discontinuance and meaningful disruption of manufacturing certain devices and similarly Health Canada monitors their own list of devices for market shortages. Supply chain disruptions either through difficulty sourcing of raw materials and components, or through transportation breakdown of finished devices to market are just one way you could experience a reportable disruption or shortage.

Matthew did not choose the topic of medical device supply chain disruptions randomly. His signature brand of pessimistic cynicism is the reason we have him tasked with keeping his fingers on the pulse of global concerns and potential threats and risks. Potential supply chain disruptions will involve your quality staff in developing preventive actions and contingency plans in case there is an issue. Then, your regulatory team will be in charge of reporting and AHJ notification if you are an affected manufacturer (or importer in Canada!). Understaffed and overloaded shipping and transportation suppliers are about to be bombarded with seasonal freight. This makes them an attractive target for ransomware because, just like healthcare facilities, they will not be in a situation where they can afford any downtime. 

Regulatory responsibilities related to device supply chain disruptions – Organized by Jurisdiction

The FDA requires reporting shortages and supply chain disruptions to CDHR of permanent discontinuance or interruption in manufacturing of a medical device in Section 506J of the FD&C Act. Especially so in response to the COVID-19 public health emergency. In part, the general public’s need for healthcare during the pandemic guides what devices the FDA needs notification about.

Currently, the FDA is concerned about specific device types by product code or any devices that are critical to public health during a public health emergency. For the most up to date list, the URL to the FDA website will show the specific product codes of the monitored device types;

As an Authority Having Jurisdiction, Health Canada also has reporting requirements for supply chain disruptions of specific types of medical devices. Health Canada is also an independent authority that uses a different device classification system than the U.S. FDA.

The table below shows the device types by their classification level that HC requires supply chain disruption notifications for. This information is current as of September 5^th, 2021, and the following link will take you to the HC webpage for the most up-to-date list.

How to prevent device supply chain disruptions

Harden your supply chain with redundancies. Now is the time to qualify a second supplier as a contingency plan before it is too late…. Maybe even consider opening a Preventive Action? (HINT HINT for those ISO 13485 manufacturers that need to beef up their Clause 8.5.3. operations!)

Supply chains have both up and downstream functions. First, you likely need to source raw materials and components for production. Then you also need to ship those finished devices to distribution centers and your customers. Disrupt either of those and your ability to sell your devices is compromised or even completely halted.

Ask yourself, “Do I have a backup option for shipping?”, and “Do I have a backup option for raw materials and components?”.

Why?

Why go through all of that effort? Well, if you lose UPS and have to use FedEx instead, are their shipping procedures identical? Likely you will need a WI level document for each shipper to explain the process. It is easier to pre-qualify a contingency supplier and establish a WI now rather than in December when holiday shipping is at its peak. Consider if you also need to open accounts, etc. Scheduling pickup online may not be intuitive.

Just identifying a backup is important, but you can take that a step further and pre-qualify them. If they are a shipping and transportation supplier then give them a shipment or two in order to evaluate them. Hold them to the same standards you would for your primary supplier.

Did your shipment arrive on time? Was it damaged during transit? This is provisional, or pre-qualification. Did they perform adequately enough to use as a tentative supplier in the event the primary supplier is unable to perform? This is designed to make a full qualification of this supplier simple and easy… If you need to utilize them that is. Maintaining this pre-qualification should also be simple and easy as well. Once a year or so have them deliver a shipment for you.

That is just for importing or shipping finished devices. Do you have backup raw material or components suppliers identified? If not identifying or even pre-qualifying secondary suppliers might not be a bad idea either. You are probably tied down to a specific geographic area for shipping and transportation. You may not be for raw materials. If you need barrels of silicone consider a backup supplier from a different area than your primary supplier. Natural disasters create havoc for shipping. If your silicone comes from Company A, and they are closed down because of a hurricane then Company B ten miles away is likely affected as well.

For example, if you are in the U.S. and your primary supplier is in the Northeast then a backup supplier in the Southeast may be strategically important. Whereas a backup supplier from the Southwest may be cost-prohibitive.

What about your suppliers? Is your device high-risk enough that if your supply chain is disrupted, you have an obligation to report it to the FDA? In that scenario, if you use a contract manufacturer, it may be worth requiring supply chain contingencies and clearly identifying who owns what reporting responsibilities within your quality agreement with them.

There is an element of proactive responsibility in reporting these shortages, or projected shortages. In order to be able to predict medical device supply chain disruptions, there should be metrics that your quality system is monitoring. What is your monthly production capacity? How much raw material or components does your warehousing have on hand? How many units could you manufacture if the transport industry stopped right this second?

Determine what you need to track in order to identify a disruption before it occurs.

Prepare for notification now. This article looked at the problem from the point of view that transportation issues were the root cause of the supply chain disruption. However, many other things could be disruptive, such as natural disasters and supply availability. Therefore, develop a WI level document for conducting these types of regulatory reporting activities and train personnel before a disruption happens. It is easier to tackle these kinds of problems if you already have process controls in place and trained competent staff than if you wait until the reporting timeline clock is already ticking.

See also our blog article on Medical Device Shortage Reporting and Device Supply Chain Disruptions

Future blogs about device supply chain disruptions…Shortage Reporting

About the Author

Matthew Walker – QMS, Risk Management, Usability | Human Factors Engineering, Cybersecurity & DFIR

Matthew brings a unique background as a former Firefighter/EMT and Rope Rescue Tech with expereince in OSHA and NFPA regulations. For the better part of a decade, he has worked as a Technical/Medical Writer and Lead Auditor. He holds degrees in Fire Science and Computer Forensics and Digital Investigations, graduating Summa Cum Laude from Champlain College. Matthew is also an active member of several academic honor societies including Omicron Sigma Sigma’s Order of the Sword and Shield. His professional focus includes Human Factors Engineering, Risk Management, and Cybersecurity with a special interest in applying Digital Forensics and Incident Response (DFIR) practices to medical technology. He combines regulatory expertise with technical insige to strengthen both product safety and oranizational resiliance. He can be reached by email. You can also follow him on LinkedIn or YouTube.

We desperately need to find a way to get more customer feedback and suggestions for product improvement, but what is the best way to do that?

Surveys rarely have a high response rate, but we need to gather customer feedback. Therefore, we created this blog posting as a living document of how we are trying to gather customer feedback. Specifically, we are looking for more customer feedback and better engagement with us. We don’t just want YouTube subscribers to like our videos, we want you to share our videos with other people in your company so they can learn about quality and regulatory too. We don’t just want you to register for a free webinar and watch the recording when you get a chance. We want to you to add a question when you register and please interrupt us during our live webinars to clarify anything you don’t understand. Finally, we want you to give us suggestions for improving our procedures, writing new blogs, and recording new training webinars and videos. Tell us what you want.

Using the headline analyzer to attract more customer feedback

We have a page on our website for a “suggestion portal” where we are asking people to provide suggestions for new and improved procedures, blogs, webinars, and videos. But the last time someone filled in the form on that page is October 16, 2019. We desperately need to find a way to get more engagement from you in the form of suggestions. The first approach to gathering feedback is to send out email notification to our current 1,057 blog subscribers by posting this blog. To improve our chances for you to open an email about this blog, we optimized the headline using the CoSchedule Headline Analyzer. The first version of the headline scored a 75, while 70 is the minimum threshold for a worthy title. Our second attempt included the emotional word “exciting” and the new result scored an 83 (see below). Normally it requires 20+ tries before we achieve a headline score higher than 80, but today was a good day. We decided to stop at 83 and focus on other elements of this posting.

1. How can you encourage more customer feedback? (75)
2. How can you encourage more customer feedback and exciting engagement? (83)

A picture says 1,000 words

A great thumbnail or featured picture often helps improve click through rates for video, but pictures also communicate more information than words alone. Pictures can communicate the temperature, directions, speed you are moving, and even emotions. Ideally, a combination of a picture with a short caption does the most. The layout of your picture matters too. For example, the featured image above originally had just 6 images grouped together. To communicate that we were trying to decide which icon best communicated the concept of a suggestion box, we separated each icon image with a blue border. To help people identify the different images, we used letters under each icon image. We could have used numbers, but then people might have replied with phrases like “#2 was my 1st choice,” instead of “B was my 1st choice.” To make it clear that the far right icon image was our current icon, we used the word “current” instead of a letter. Finally, we used a bright yello text box at the top of the featured image to communicate instructions for polling of the various icon images.

In the end, we didn’t feel that the suggestion box icons were very attractive. In fact, icons in general are boring. Therefore, we hired an artist to create some concept sketches for other ideas that would communicate “please take the opportunity to give us your suggestion.” The three concepts we liked most were a wishing well, a coffee filter, and an open door with a suggestion doormat that opens into space. We selected the door as our favorite and added some details to create the final image you see now on our webpage. Specifically, we wanted the doormat to appear more three-dimensional, we wanted to incorporate Medical Device Academy’s logo, and we wanted a better focal point in the space beyond the door. Therefore, the artist created three different versions of a moon (crescent, partial, and full). The partial moon was our final choice.

A video is 1,000+ pictures

Full-frame video typically ranges from 24-60 frames per second (FPS). Therefore, there are at least 1,000 pictures in 42 seconds of video. Therefore, the five-and-half-minute video below is giving you much more information than you read above in a lot less time. The video walks you through the evolution of our suggestion box (all 24 versions). This is why we recommend recording a training video to every single medical device company we work with. This is also why our website has steadily been increasing the number of videos we procedure and publish on our YouTube channel.

A call to action increases customer feedback and engagement

Gathering customer feedback requires just as much marketing as selling a medical device. Typically, near the end of your presentation you will include a call to action. The call to action is intended to persuade customers to take immediate action. The call to action will create a sense of urgency. Sometimes a series of small calls to action will precede a final larger call to action. In our case, we are just trying to get suggestions from you regarding what quality and regulatory training materials we should develop next. We are asking you for advice on what our customers want to learn. In return we will develop the training materials you want. The better your questions are, the better our training materials will become. This strategy of offering valuable information to customers develops trust, and this has been our company’s primary marketing strategy since the beginning.

Try using a call-to-action button

If you want more engagement, you need to increase your click-through rate (CTR) first. Campaign Monitor conducted a test to which call-to-action performs best. They found a call-to-action button helped increase the CTR by 28%. We took this concept one step further, we used the headline analyzer tool to optimize the wording of the call-to-action button. The wording we used in the call-to-action button above scored an 86, while “click here” scored a dismal 28 and “click the button” only scored 31. We are also trying a contrarion approach to the design of the button. Instead of using bright colors that modern advertisers have trained us to ignore, we used a light grey background with Palatino Linotype font to optimize readability. We also used a small caption to make sure your subconscious knows what to do.

You already have a supplier questionnaire, but do you know how to make a supplier questionnaire to assess a supplier’s ability to support a remote audit?

The four most significant mistakes people make when designing a supplier questionnaire

In Medical Device Academy’s supplier qualification webinar, you learn how to improve your supplier qualification process by replacing the traditional methods of supplier qualification with more effective approaches to supplier evaluation. The following are four examples of how to improve your supplier questionnaire.

Supplier questionnaires should be specific to the product or service provided

The first mistake people make is to use a generic questionnaire. It would be best if you asked your supplier questions that are important to the work that the supplier will be performing. Therefore, each category of product or service should have its own set of questions. For example, important questions related to ethylene oxide contract sterilization services are the maximum size limitations for pallets in the sterilization chamber and whether the facility can conduct sterility testing on-site. However, an injection molding supplier might delay the return of your supplier questionnaire if these questions were on the survey that you send to them because they don’t understand the questions.

Supplier surveys should be more than checkboxes

The second mistake people make is to ask questions that can be answered with a “yes” or “no” response or a checkbox. These are closed-ended questions. It would be best if you always were asking open-ended questions because the response will give you more information about the supplier. In addition, most people resist responding with a “no” response even if the real answer is “no.” For example, “What is your FDA registration number?” is more useful than “Is your company FDA registered?” Another example is, “How many production lines use SPC charts?” instead of “Do you use SPC charts?” In fact, in the open-ended version of this question, you will learn if the use of SPC charts is widespread, and you learn how many production lines the supplier has.

Remember to ask suppliers to update survey surveys every year

The third mistake people make is to request that a supplier questionnaire be completed only during the initial supplier qualification process. Every year companies grow, shrink, or change. If you ask suppliers to update their questionnaire, you can use that information to determine the health of your supplier’s business. You might also discover that one supplier just added a new production capability that will allow you to consolidate more of your outsourced work with that supplier and eliminate another problem supplier. Every company has a turnover in personnel as well. It is a great idea to ask suppliers to provide contact information for multiple people in the organization, such as quality contact, billing contact, and a production planner. Eventually, you will probably need to speak with each of these people, and if one of the contacts is no longer at your supplier, you will still have two other contacts. Updating this information also gives you a hint of whether turnover is widespread or limited to a specific individual.

Supplier questionnaires should be in spreadsheet format

The fourth mistake people make is to send a Word Document for suppliers to complete (PDF format is even worse). Word and PDF formats are time-consuming to complete, and they are harder for you to analyze than a spreadsheet. Most people provide a Word document or a PDF because they are focusing on the requirement for control of records. However, if you have an electronic quality system, the supplier survey information will be part of your electronic system as soon as you enter the data into your software. Alternatively, if you have a paper-based quality system, then you can print the spreadsheet out, sign it, and date it. The huge advantage of using Excel spreadsheets is that you can copy the new data into a column next to the previous year’s responses. Then you can quickly see what changes your supplier made in the past year.

What should you add to your supplier questionnaire?

Most private companies will not share what their revenues are for the business, but as a customer, you should be more concerned with how many human resources your supplier has. Therefore, you should consider asking, “How many employees, or full-time equivalents (FTEs), work for your company?” You might also want to know if your supplier is relying on a temporary workforce. For example, “What percentage of the FTEs are temporary workers?” Many questionnaires will ask for the square footage of the facility, but this doesn’t provide you with any details about the facility layout. Alternatively, you could ask for a copy of the pest-control map for the facility. This would give you a detailed layout of the facility, and it also confirms that your supplier has a pest control plan for the facility. Another related question to ask is, “Please describe any expansion/construction projects that have been implemented in the past year or projects that are in progress (e.g., the addition of a mezzanine).” If the company added 30,000 square feet to their production area, but there was no change to the pest control plan, you might have some clarification questions for your supplier. In general, a good strategy for developing your questionnaire is to think of at least one open-ended question related to each clause of the ISO 13485:2016 standard without referencing the standard. The following are some examples that might help you:

1. When was the last software re-validation for quality system software?
2. How many active external standards is your company currently maintaining?
3. Please provide a list of procedures and identify the person who would be interviewed during an audit for each procedure (i.e., process owner or subject matter expert).
4. In the absence of the management representative, who is designated as the liaison for an FDA inspector?
5. What are the upper control limits for particulate counts, air viable counts, and surface viable counts in your controlled environment(s)?
6. On what dates was the environmental monitoring of controlled environments conducted in the last year?
7. Please identify how many quality inspectors are responsible for the incoming inspection?
8. Please list the calibration ID and equipment name for any inspection equipment that requires specialized training (e.g., CMM)?
9. How many suppliers are on your approved supplier list (ASL)? And how many suppliers did you audit in the past year?
10. How many nonconforming material reports (NCMRs) were opened in the past year? And how many NCMRs currently remain open?
11. How many partial or complete lots were returned to your company by customers in the past year?
12. Please list any corrections and removals (i.e., recalls) that your company has been involved in during the past year and the current status?

How many questions should your supplier questionnaire include?

There are 28 required procedures in ISO 13485:2016, and there are even more subclauses within the standard. It is an excellent idea to create a list of questions you might ask for each subclause, but a supplier questionnaire should not include all of those questions. Just as audits are just a sampling, your supplier survey questions should be sampling as well. You should review last year’s questions and eliminate questions that you think are not especially useful for that supplier. Some questions should be asked each year to assess if the quality system has changed significantly, and you should consider adding a few new questions each year. The best questions will require the person to perform some research to answer the questions. But it is unreasonable to expect a supplier to spend more than two hours completing a supplier questionnaire if you plan to purchase less than $20,000 in product or services.

Supplier questionnaires specific to remote auditing

In many ways, a well-designed supplier questionnaire is similar to a remote audit, because you are asking the supplier to answer multiple open-ended questions about their quality system to verify that the quality system is fully implemented and remains effective. However, due to the Covid-19 pandemic, many employees are now required to work from home, and it is not possible to physically visit certain facilities. Therefore, you should be adding three elements to your supplier questionnaire to assess your supplier’s ability to support a remote audit and to determine their ability to maintain the effectiveness of the quality system during a viral outbreak. The three elements are 1) policies for personal protective equipment for employees and visitors, 2) business continuity plans to maintain internal operations and to ensure redundancy of crucial suppliers, and 3) availability of digital documents and records or paper documents and records via video conference software. These three areas were also the subject of a previous blog on changes triggered by Covid-19. It would help if you also asked about the availability of hardware and software communication tools for conducting a remote audit. You might ask your supplier, “Which areas of your facility can we observe during a remote audit using live video conferencing (e.g., Zoom mobile application)?” and “What experience does your company have in the use of Zoom as a video conferencing tool?”

Access to documents and records during remote audits

During a remote audit, you will need to access documents and records virtually. If your supplier can participate via a video conferencing tool with a high definition web camera or smartphone, then you should be able to see any documents and records that you could normally see during an on-site audit. However, your supplier will need to hold the document or records steady, possibly by using a music stand and a camera tripod so that you can take notes regarding the contents of the document or record. You will also need a way to record your notes. You might try using a Pixelbook or similar computer to write your audit notes. At the same time, you watch the video conference using a second computer–possibly on a conference room projector screen or large flat screen monitor. You could also use a tablet, such as remarkable. Of course, you can always use a pad of paper and a pen and then transcribe your notes later. All of these methods will be faster and more convenient than digitally scanning each document and uploading the documents to a shared folder or sending the scanned document by email.

It would help if you also were asking your supplier which records are already available digitally. You can expect all of the quality system procedures to be available in digital formats, but many records may already be available electronically as well. For example, purchase orders, quality system certificates, drawings, and blank forms should be available in digital format. In a supplier audit, you typically will focus on a subset of the quality system records that are related to production process controls, purchasing, incoming inspection, shipping, and control of the nonconforming product. Asking your supplier which of these records are available in digital format will help you determine which records you need to request from the supplier in advance and which records can be requested on-demand.

How to obtain our supplier questionnaire template (FRM-004)

If you are interested in purchasing our supplier questionnaire template, FRM-004, it is included with the purchase of our supplier qualification webinar. If you think of any new questions to add to this template, please email me at rob@13485cert.com. Just put “FRM-004 Suggestion” in the subject line.

This blog is intended to help clear your justified confusion if you are wondering what the difference is between PMS, PSUR, and PSR.

The nine most terrifying words in the English language are, “I’m from the Government, and I’m here to help.” That quote is from a speech by President Reagan on August 12, 1986.  One of the goals of the European Parliament and Council was “to ensure effective coordination of [competent authority] market surveillance activities and to clarify the applicable procedures.” After studying the new European MDR, I can confidently say that the European Parliament and Council have done their job well. My boss is a regulatory consultant with 30 years of experience, and he asked me to explain the difference between PMS, PSUR, and PSR.

To answer that question as objectively as possible, and cite my sources, I have included a copy and paste directly from Regulation (EU) 2017/745. Red text is my commentary, while the italicized text is a quotation from the most relevant article within the new EU regulations.

Under the New MDR, the only Class IIa, Class IIb, and Class III products are definitively required to have a Periodic Safety Update Report (PSUR). The PSUR needs to be updated annually for Class III and Class IIb implants, and the PSUR needs to be updated at least every two years for Class IIb (non-implants) and Class IIa devices. The PSUR must be available to your notified body, and upon request, the competent authorities. In contrast with the PSUR, Post-Market Surveillance (PMS) reports are required for Class I devices. Finally, a manufacturer’s Periodic Summary Report (PSR), relates to specific cases of Serious Incidents and Field Safety Corrective Actions (FSCA’s) based upon an agreement between the manufacturer and the competent authority or authorities instead of submitting individual FSCA reports.  This is confusing because the PSUR also meets the requirements of a PMS Report as defined in Article 85, but we don’t call it a PMS Report.

“Article 83 – Post-market surveillance system of the manufacturer

1. For each device, manufacturers shall plan, establish, document, implement, maintain, and update a post-market surveillance system in a manner that is proportionate to the risk class and appropriate for the type of device. That system shall be an integral part of the manufacturer’s quality management system referred to in Article 10(9).”

In Matthew’s words, “Manufacturers are required to establish a PMS system for every device or device family.”

“Article 84 – Post-market surveillance plan

The post-market surveillance system referred to in Article 83 shall be based on a post-market surveillance plan, the requirements for which are set out in Section 1.1 of Annex III. For devices other than custom-made devices, the post-market surveillance plan shall be part of the technical documentation specified in Annex II.”

In Matthew’s words, “Article 84 requires you to have a PMS plan in your quality system.”

“Article 85 – Post-market surveillance report

Manufacturers of class I devices shall prepare a post-market surveillance report summarizing the results and conclusions of the analyses of the post-market surveillance data gathered as a result of the post-market surveillance plan referred to in Article 84 together with a rationale and description of any preventive and corrective actions taken. The report shall be updated when necessary and made available to the competent authority upon request.”

In Matthew’s words, “A Class I device requires a PMS report, while the other product classifications require a PSUR.”

“Article 86 – Periodic safety update report

1.1 – Manufacturers of class IIa, class IIb, and class III devices shall prepare a periodic safety update report (‘PSUR’) for each device and were relevant for each category or group of devices summarizing the results and conclusions of the analyses of the post-market surveillance data gathered as a result of the post-market surveillance plan referred to in Article 84 together with a rationale and description of any preventive and corrective actions taken. Throughout the lifetime of the device concerned, that PSUR shall set out:

Manufacturers of class IIb and class III devices shall update the PSUR at least annually. That PSUR shall, except in the case of custom-made devices, be part of the technical documentation as specified in Annexes II and III.

Manufacturers of class IIa devices shall update the PSUR when necessary and at least every two years. That PSUR shall, except in the case of custom-made devices, be part of the technical documentation as specified in Annexes II and III.

For custom-made devices, the PSUR shall be part of the documentation referred to in Section 2 of Annex XIII.

2. For class III devices or implantable devices, manufacturers shall submit PSURs by means of the electronic system referred to in Article 92 to the notified body involved in the conformity assessment in accordance with Article 52. The notified body shall review the report and add its evaluation to that electronic system with details of any action taken. Such PSURs and the evaluation by the notified body shall be made available to competent authorities through that electronic system.
3. For devices other than those referred to in paragraph 2, manufacturers shall make PSURs available to the notified body involved in the conformity assessment and, upon request, to competent authorities.”

In Matthew’s words, “Barring specified exemptions, manufacturers of a Class IIa device would need to submit a PSUR and update it at least every two years.”

“Article 87 – Reporting of serious incidents and field safety corrective actions

9. For similar serious incidents that occur with the same device or device type and for which the root cause has been identified or a field safety corrective action implemented or where the incidents are common and well documented, the manufacturer may provide periodic summary reports instead of individual serious incident reports, on condition that the coordinating competent authority referred to in Article 89(9), in consultation with the competent authorities referred to in point (a) of Article 92(8), has agreed with the manufacturer on the format, content, and frequency of the periodic summary reporting. Where a single competent authority is referred to in points (a) and (b) of Article 92(8), the manufacturer may provide periodic summary reports following an agreement with that competent authority.”

In Matthew’s words, “Periodic summary reports (PSRs) refer to significant incidents (SIs) and field safety corrective actions (FSCAs). PSRs require an agreement between the manufacturer and the competent authority(s) for cases where there is a group of common, well-known, and documented SIs or FSCA’s with a known root-cause. PSRs are an alternative to submitting individual SI and FSCA reports.”

Additional Quality System Resources

My boss also asked me to update the procedures for post-market surveillance (SYS-019) and vigilance (SYS-036). The PMS procedure includes requirements for Articles 83-86. The vigilance procedure includes the requirements for Articles 87-92.

About the author

Matthew Walker – QMS, Risk Management, Usability | Human Factors Engineering, Cybersecurity & DFIR

Matthew brings a unique background as a former Firefighter/EMT and Rope Rescue Tech with expereince in OSHA and NFPA regulations. For the better part of a decade, he has worked as a Technical/Medical Writer and Lead Auditor. He holds degrees in Fire Science and Computer Forensics and Digital Investigations, graduating Summa Cum Laude from Champlain College. Matthew is also an active member of several academic honor societies including Omicron Sigma Sigma’s Order of the Sword and Shield. His professional focus includes Human Factors Engineering, Risk Management, and Cybersecurity with a special interest in applying Digital Forensics and Incident Response (DFIR) practices to medical technology. He combines regulatory expertise with technical insige to strengthen both product safety and oranizational resiliance. He can be reached by email. You can also follow him on LinkedIn or YouTube.

This article identifies the requirements for purchasing controls and supplier qualification procedures, as well as best practices for implementation.

Purchasing Controls

Sourcing suppliers in the medical device industry is not as simple as going on the internet and finding your material and purchasing it. As part of a compliant quality management system, purchasing controls must be in place to ensure that quality products and materials are going into your device and that any service providers that your company uses in the production of your product or within your quality management system are qualified.

ISO 13485 Requirements

In light of that, ISO 13485:2016 sections 7.4.1 Purchasing process, 7.4.2 Purchasing information, and section 7.4.3 Verification of purchased product outline the purchasing controls for medical device manufacturers. The following are requirements for the evaluation and selection of suppliers:

• The organization must have established criteria for the evaluation and selection of suppliers.
• The criteria need to evaluate the supplier’s ability to provide a product that meets the requirements.
• It needs to take into consideration the performance of the supplier.
• It must consider the criticality and the effect that the purchased product may have on the quality of the medical device.
• The level of supplier assessment and monitoring should be proportionate to the level of risk associated with the medical device.

Maintaining Purchasing Controls

To start, in the most basic sense, purchasing controls involve procedures that ensure you are only purchasing from suppliers who can meet your specifications and requirements. The best way to keep track of your qualified suppliers is to maintain an Approved Supplier List (ASL). You should only purchase products or services that affect your product or quality management system from companies on the ASL (you would not necessarily need to qualify things like office supplies or legal assistance through purchasing controls).

When used effectively, the Approved Supplier List can be a great tool to manage the key facets of purchasing control and keep track of supplier monitoring. Items that you can capture on the ASL include:

• Supplier Name
• Scope of Approved Supplies
• Contact Information
• Status of Approval (Approved, Pending, Unapproved, etc.)
• Qualification Criteria
• Supplier Certification and expiry dates
• Monitoring Requirements/Activities
  • Date of Last Review
  • Date of Next Review

The first step in your purchasing procedure should involve checking to see if the supplier is under active approved status on the ASL. The second step will be to ensure that you are purchasing an item/service that is within the scope of approval of that supplier. If you have not approved the supplier, or the intended purchase is beyond the scope of that supplier, your purchaser will need to go through the necessary channels to add the supplier to the ASL or modify their scope on the ASL.

Supplier Qualification Criteria

As required by the FDA, the level of supplier assessment should be proportionate to the level of risk associated with the medical device. The FDA is not prescriptive about the use of specific qualifications or assessments for different types of suppliers, so that is up to your company to determine. This is a somewhat grey area but based on years working with companies and suppliers, as well as participating in FDA and ISO 13485 audits, there are some general expectations of vendor qualifications that we have observed and would recommend.

It is good practice to have a form or template that guides your supplier evaluation process. Using input from engineering and QA to first determine the level of risk and the requirements of that supplier, and then base your qualification plan on that information. If you have a higher risk supplier who may be supplying a critical component to your device, or providing a critical service such as sterilization, then your qualification process will be much more involved.

Here is an example of two different levels of criteria based on the type of supplier (the intent is not for the following items to be rules, and your company is responsible for determining the adequate acceptance criteria for suppliers, but this is a general example of what you may expect).

• Critical Custom Component Supplier
  • ISO 13485 Certification
  • On-site audit of supplier’s facility
  • References
  • Provides Certificates of Analysis (CoA)
  • A written agreement that the supplier will communicate with the company regarding any changes that could affect their ability to meet requirements and specifications.
  • You validate a production sample, and it meets requirements
• Non-Critical Consumable Supplier
  • Product available that meets the needs of the company.
  • An associate has previously used by an associate who recommends the supplier.
  • Adequate customer service returns allowed.

Additional Function of Supplier Evaluation Forms

The supplier evaluation form can also be used as the plan to assign responsibility and track completion and results during the initial evaluation. It can also include the plan for ongoing monitoring and control of the supplier. This evaluation form should be maintained as a quality record, and auditors will frequently ask to see supplier evaluations.

Are Supplier Audits Required as Purchasing Controls?

Also valuable, supplier audits may be included as part of an evaluation plan for a new supplier, the change of scope of a supplier, a routine audit as part of ongoing monitoring, or as part of a nonconformity investigation of a high-risk product. While it is not required by ISO 13485, nor does the FDA does specify in the CFR that you must audit suppliers, it is a very good idea to audit your critical suppliers. If an auditor or FDA inspector sees evidence that your current purchasing controls are inadequate, performing supplier audits may be forced as a corrective action.

Beyond that, you can gain so much value, and gather countless clues and important information in an audit that you just cannot get without visiting your critical supplier. You can see where they plan to/are making/cleaning/sterilizing/storing your product. Talk to the people on the line, are they competent and trained? Does the company maintain their facility well? How secure is it? Do they maintain adequate records and traceability? Have there been any nonconformities relating to your product that have been detected? Etc.

Supplier audits should also include evaluation of the procedures, activities, and records of the supplier that could have an impact on the product or service they are providing your company. If it is not the first audit of the company, you should be sure to review the previous audit report findings and ensure the company has addressed any nonconformities, review supplier performance data, information about any changes that may have occurred at the supplier since your last visit, etc.

Record Maintenance and Ongoing Evaluation of Suppliers

No matter the method of supplier qualification, it is best practice to maintain supplier files that contain useful information relative to the supplier that may include:

• The original supplier qualification form
• Supplier certificates
• References
• Audit reports
• Subsequent performance evaluations
• Expanded scope qualifications
• Supplier communications
• Current contact information
• Copies of any non-conforming material reports related to the supplier, etc.

ISO 13485 requires monitoring and re-evaluation of suppliers, and maintaining detailed supplier files will assist in meeting this requirement, and will help in the feedback system to identify and recurring problems or issues with a supplier. On a planned basis, whether that is annually, or every order (dependent on the criticality of the product), your company should conduct a formal supplier evaluation to determine whether the supplier has continued to meet requirements – In general, annual supplier reviews are standard. Additionally, you must specify this frequency in your procedure (auditors will look for what period you specify in your procedure, and then will check your ASL to make sure all of your suppliers have been reviewed within that timeframe).

During the supplier evaluation, if you find there have been issues, you need to determine and weigh the risks associated with staying with that supplier, and document that in the supplier file. If you determine the supplier should no longer be qualified, then you must also indicate on the ASL that the company no longer approves of the supplier.

Making the Purchase

When you have verified your supplier is approved on the ASL, you are authorized to purchase a product. Engineering is usually responsible for identifying the product specifications, requirements for product acceptance, and adequacy of specified purchasing requirements before communication to the supplier. The specifications may be in the form of drawings or written specifications. Additional information communicated to the supplier should also include, as applicable, an agreement between your company and the supplier that the supplier will notify you before the implementation of changes relating to the product that could affect its ability to meet specified purchasing requirements. When the first batch of product is received from a particular supplier, it is a good idea to verify that the product performs as intended before entering into production with new material or components.

Supplier Nonconformity

From time to time, you may encounter issues with a supplier. Sources of nonconformity include incoming inspections, production nonconformities, final inspection, or customer complaints. You must notify your supplier of the nonconformity and record their response and assessment. Depending on the level of criticality of the vendor, it is reasonable to require them to perform a root cause analysis to determine and alleviate the cause of failure. You should also request documentation of an effectiveness check to ensure the supplier has taken corrective actions. You should maintain copies of supplier nonconformity reports in the supplier file, and discuss nonconformities during ongoing supplier evaluations.

If the supplier does not cooperate or fails to address the nonconformity in an acceptable manner, or if there is a pattern of nonconformities with the vendor, then you should disqualify the supplier, and indicate that the supplier is “not approved” on the ASL.

Purchasing Controls Procedures You Might Need

Medical Device Academy developed a Supplier Qualification Procedure, Purchasing Procedure, and associated forms that will meet purchasing controls regulatory requirements for ISO 13485:2016 and 21 CFR 820.50. These procedures will help you ensure that goods and services purchased by your company meet your requirements and specifications. If you have any questions or would like help in developing a custom procedure or work instructions that meet your company’s unique needs, please feel free to email me or schedule a call to discuss.

The article shares lessons learned from implementing procedures for a new ISO 13485 quality system. This is the second in a series. The first month of procedure implementation was covered in a previous article titled, “How to implement a new ISO 13485 quality system plan in 2016.”

Typically, I recommend implementing a new ISO 13485 quality system over six months. Still, recently I a few clients have requested my assistance with implementing a quality management system within four months. In November, I wrote an article about implementing a new ISO 13485 quality system. That article described implementing procedures for the first month. Specifically, the implementation of the following procedures was covered:

1. SYS-027, Purchasing
2. SYS-001, Document Control
3. SYS-002, Record & Data Control
4. SYS-004, Training & Competency
5. SYS-011, Supplier Quality Management
6. SYS-008, Product Development
7. SYS-010, Risk Management
8. SYS-006, Change Control

These eight procedures are typically needed first. This article covers the implementation of the next set of procedures. During this month, I recommend conducting company-wide quality management system training for the ISO 13485 and 21 CFR 820.

Implementing Receiving Inspection Procedures

During the first month, procedures for purchasing components and services are implemented. As these products are shipped and received by your company, you need to create records of incoming inspection. It is not sufficient to merely have a log for receiving inspection. You need records of the results of the inspection. You may outsource the inspection activities, but receiving personnel must review the records of inspection for accuracy and completeness before moving product to your storage warehouse or production areas. Even if the inspection is 100% outsourced, it is still recommended to verify the inspection results independently on a sampling basis periodically. This should be a risk-based sampling that takes into account the importance of the item being inspected and the existence of in-process and final inspection activities that will identify potential nonconformities.

The most challenging part of this process typically is identifying inspection procedures and calibrated devices for inspection. Your company must find a balance between inspections performed by suppliers, incoming inspection, in-process inspection, and final inspection. Each of these process controls requires time and resources, but implementation should be risk-based and take into account the effectiveness of each inspection process–as determined by process validation. Sample sizes for inspection should also be risk-based.

Implementing Procedures for Identification and Traceability

The lot or a serial number of components must be identified throughout product realization–including incoming inspection, storage, production, final inspection, and shipping. In addition to determining what things are, you must also identify the status of each item throughout the product realization process. For example:

• Is the product to be inspected or already inspected?
• After the inspection, is product accepted or rejected?
• Which production processes have been completed?
• Is the product released for the final shipment?

The procedure for identification and traceability should be implemented immediately after the purchasing process, implemented during 1st month, because traceability requirements should be communicated to suppliers as part of supplier quality agreements and as part of each purchase order.

Initially, when this process is implemented, there is a tendency to complete forms for every step of the process and to distribute copies of the forms to communicate status. Completing forms and copying paperwork requires labor and adds no value. Therefore, learn manufacturing methods and visual indicators such as color-coding are recommended as best practices for identifying products and their status.

Implementing CAPA Procedures

When a product is identified as nonconforming, corrective actions need to be implemented to prevent a recurrence. Procedures need to include the requirement for planning corrective actions, containing a nonconforming product, correcting nonconformities, and implementing actions to prevent any future nonconformities. These procedures also need to address negative trends to prevent nonconformities before the product is out of specification (i.e., preventive actions). Procedures also need to provide guidelines on how to verify the effectiveness of corrective and preventive actions. Initially, the actions implemented will be specific to a purchased product that is received and rejected. However, over time data analysis of process monitoring and internal auditing will identify additional corrective and preventive actions that are needed.

The effectiveness of CAPA processes, in general, requires three key elements:

1. A well-designed CAPA form
2. Proper training on root cause analysis
3. Performing effectiveness checks

In the CAPA training provided during the second month, the best practices for CAPA form design are covered. The training includes several methods for root causes analysis too. Finally, the training emphasizes using quantitative measurements to verify the effectiveness of corrective actions. It is recommended to identify the quantitative acceptance criteria for an effective corrective action before initiating actions to ensure that the actions planned are sufficient to prevent a recurrence.

Monitoring Your Procedure Implementation Process

As indicated in November’s article, I recommend using quantitative metrics to track the progress of procedure implementation. For example:

1. % of procedures implemented,
2. duration of document review and approval process, and
3. % of required training completed.

Implementing Procedures for ISO 13485:2016

If you already have a quality system in place, you are implementing procedures that are modified for ISO 13485:2016 compliance, some of the same lessons learned to apply. If you are interested in learning more about the changes required for compliance with the 2016 version of the standard, we recorded two live webinars on March 24, 2016.