Supplier Quality Management

Supplier qualification, supplier evaluation, supplier auditing and supplier management.

Inspection Results: Understanding FDA Requirements

Learn three valuable tips for efficiently recording your inspection results in medical device manufacturing while remaining FDA-compliant.

What are the best ways to record inspection results?

If you are inspecting a lot of material at an incoming inspection, and the inspection plan calls for inspecting ten samples for length, what is the best way to record the inspection results?

The person who sent me this question also provided three options (read on for better suggestions):

  1. Record the maximum and minimum dimensions
  2. Record all ten measurements in a data collection table
  3. Circle “pass” or “fail” next to each sample number


FDA requirements for incoming inspection results

The first method fails to meet the requirement in 21 CFR 820.80(b) because recording only the maximum and minimum dimensions of the ten samples omits the inspection results for the eight samples between the extremes. The second method meets the requirements, but it takes the most time. The third method appears to meet the requirements. However, if you read the FDA requirements more carefully, 21 CFR 820.80(e)(3) states that “[Inspection] records shall include…the results.” If the test method is pass/fail, circling pass or fail makes sense, but if the test measures a dimension, the result should be a measurement. Also, if you have to investigate a complaint or non-conforming product, this dimensional information might be critical to the analysis.


The FDA has provided an official interpretation of these requirements in the QSR preamble:

“Comment # 147: One comment stated that record keeping is a significant cost factor in the operation of a total quality system and that the revised CGMP regulation should not add cost through duplication of documentation. The comment said recording all quantitative data is inappropriate and of little value.

FDA agrees that unnecessary duplication of documentation should be avoided. They also believe that the Quality System Regulation requires the minimum documentation necessary to ensure that safe and effective devices are designed and produced. FDA similarly believes that maintaining records of results of acceptance activities is imperative to ensure that non-conforming product is not inadvertently used or distributed. FDA has, however, deleted from Sec. 820.80(a) the requirement for recording the results of inspections and testing, because Sec. 820.80(e) requires that the results of acceptance activities be recorded. The requirement in Sec. 820.80(a) was, therefore, unnecessary. Further, the regulation does not specify quantitative data, but simply requires that the results be recorded.

The FDA believes that it is essential for the manufacturer to maintain records which provide evidence that required acceptance activities were completed. These records must clearly show whether the product has passed or failed the acceptance activities according to the defined acceptance criteria. If a product fails to pass acceptance activities, you must identify the product as a non-conforming product and conduct an investigation. If the acceptance records are not clear about how the product failed, then the manufacturer may end up duplicating the acceptance to perform appropriate investigations.”

Here are three other methods that can save you time and add value.

Method 1: Run Charts

If you create an inspection results form that is in the form of a “Run Chart,” then you can put an “X” on the appropriate location of the Run Chart for each sample (see Chart 1 below). It is less time-consuming to write an “X” than the actual value. However, if you need to conduct an investigation, you can convert the “X” into a quantitative number and enter the values into a spreadsheet or statistical analysis software (e.g., Minitab). Also, inspectors and supervisors can visually glance at a Run Chart and determine if the measurement is “in control” or “out of control.” This is done by marking the upper and lower specifications on the Run Chart. Over time, alert limits can be established as a preventive action, as well. You can also use this data as a rationale for eliminating certain inspections, reducing sampling, qualifying suppliers, and even converting a part from statistical sampling to a “dock-to-stock” inspection.

Chart 1: Run Chart inspection results form

One disadvantage of Method 1 is that it takes time to create inspection forms, and the forms need to be maintained as a controlled document, with the drawings for each part–as paper records or electronically. Therefore, I recommend that companies create a quality plan that calls for creating one of these charts every time an NCR is initiated for a part. That way, you only are creating this type of chart for parts that are found to be out of specification. This approach allows you to implement the work over a reasonable period of time. You can also habitually review historical data when you have an NCR that does not already have a Run Chart created.

Method 2: Automating Inspection Results

If you have critical inspection activities and a high volume of parts to inspect, you can automate recording measurements and performing data analysis. This can be done by purchasing digital inspection devices that automatically send the values to a computer system. Devices with this capability only require pressing a button to record the value, and the computer system will often provide the inspector with the sampling plan for each lot automatically. These sophisticated software systems require validation, but they give manufacturers extensive real-time data on supplier performance, in-process inspection, and final product acceptance. The primary disadvantage of this method is the cost of installation and set-up.

Method 3: Pass/Fail with Go/No-Go Gauges

If a supplier can make good parts with high certainty, you may not need routine monitoring of part dimensions. In this case, you can reduce your inspection time by using a “go/no-go” gauge for critical attributes instead of measuring the dimensions. This type of gauge would be ideal for a part with a tolerance of +/- 3 mm. The length of a part can be verified to be between two lines representing the upper and lower specifications for the tolerance. This method can also be used for precise tolerances if magnification is used. Still, performing a gauge R&R study of any go. If this type of inspection is used, you can use an inspection record that only records pass/fail. However, this inspection method is not recommended for parts that are occasionally out of conformity, because re-measurement of parts will be necessary to investigate non-conforming products.

Statistical Techniques

The most significant advantage of methods one and two is that they facilitate statistical data analysis. Chart 1 shows too much variation for the tolerance of 6.50 mm to 6.60 mm. Some companies qualify suppliers for a new part by establishing a threshold for a minimum Cpk value (i.e., process capability coefficient). A typical Cpk minimum is 1.33. Often, the company will require that suppliers provide data for 100% inspection of the initial production lot. This data is then used to create a sampling plan based on the likelihood of parts being out-of-specification. High-risk dimensions might require 99.5% confidence, medium-risk dimensions might require 99% confidence, and lower-risk dimensions might require 95% confidence. Each confidence level corresponds to a different Cpk value. It is not possible to do this type of analysis for Method 3.
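An added worked example (example code, not from the original post) that applies the Run Chart idea from Method 1 and the Cpk threshold above to two constructed lots of ten length measurements against the 6.50 mm to 6.60 mm tolerance; the sample values and the 1.33 threshold are assumed from the text, and the defect-fraction prediction assumes a normal process:

```python
"""Inspection-results helpers: Cpk, out-of-spec check and a text Run Chart.

Hypothetical example code, not from the original post. It applies the
page's 6.50-6.60 mm tolerance and 1.33 Cpk threshold to constructed
measurements.
"""
import math
from statistics import mean, stdev

LSL_MM, USL_MM = 6.50, 6.60      # lower/upper specification limits from the page
CPK_MINIMUM = 1.33               # typical supplier-qualification threshold from the page

# Constructed lot: all ten samples pass, but the spread is wide relative
# to the 0.10 mm tolerance band (the situation Chart 1 on the page shows).
LOT_A_MM = [6.53, 6.55, 6.54, 6.56, 6.55, 6.54, 6.56, 6.55, 6.53, 6.59]
# Constructed lot from a capable process: same nominal, much tighter spread.
LOT_B_MM = [6.54, 6.55, 6.56, 6.55, 6.54, 6.56, 6.55, 6.55, 6.56, 6.54]


def cpk(measurements, lsl, usl):
    """Cpk = min(USL - mean, mean - LSL) / (3 * sigma).

    sigma is the sample standard deviation (n - 1 denominator), so at
    least two measurements are needed; zero spread returns infinity.
    """
    if len(measurements) < 2:
        raise ValueError("Cpk needs at least two measurements")
    mu, sigma = mean(measurements), stdev(measurements)
    if sigma == 0:
        return math.inf
    return min(usl - mu, mu - lsl) / (3 * sigma)


def out_of_spec(measurements, lsl, usl):
    """(sample number, value) for each sample outside [lsl, usl]."""
    return [(n, x) for n, x in enumerate(measurements, 1)
            if not lsl <= x <= usl]


def expected_out_of_spec_fraction(measurements, lsl, usl):
    """Predicted fraction of parts outside tolerance, assuming a normal process.

    Both tails are summed, so a centred process at Cpk 1.33 (4 sigma to
    each limit) predicts roughly 63 ppm.
    """
    mu, sigma = mean(measurements), stdev(measurements)
    if sigma == 0:
        return 0.0

    def upper_tail(z):               # P(Z > z) for a standard normal
        return 0.5 * math.erfc(z / math.sqrt(2))

    return upper_tail((usl - mu) / sigma) + upper_tail((mu - lsl) / sigma)


def run_chart(measurements, lsl, usl, columns=21):
    """Text Run Chart (Method 1): one row per sample, '|' at LSL and USL,
    'X' at the measured value. An X outside the bars is out of spec at
    a glance. Returns the chart as one string."""
    span = usl - lsl
    lo, hi = lsl - span / 2, usl + span / 2     # axis runs half a band past each limit

    def col(x):
        c = round((x - lo) / (hi - lo) * (columns - 1))
        return min(max(c, 0), columns - 1)

    lsl_col, usl_col = col(lsl), col(usl)
    lines = [f"Run Chart  LSL {lsl:.2f} mm  USL {usl:.2f} mm  ('|' marks the limits)"]
    for n, x in enumerate(measurements, 1):
        row = [" "] * columns
        row[lsl_col] = row[usl_col] = "|"
        row[col(x)] = "X"
        lines.append(f"{n:>3} {''.join(row)} {x:.2f}")
    return "\n".join(lines)


def lot_summary(measurements, lsl, usl, cpk_minimum=CPK_MINIMUM):
    """Decision record for one lot: which samples failed, and whether the
    process is capable against the Cpk threshold."""
    capability = cpk(measurements, lsl, usl)
    return {
        "failed_samples": out_of_spec(measurements, lsl, usl),
        "cpk": round(capability, 3),
        "capable": capability >= cpk_minimum,
        "predicted_defect_fraction": expected_out_of_spec_fraction(measurements, lsl, usl),
    }


if __name__ == "__main__":
    for name, lot in (("Lot A", LOT_A_MM), ("Lot B", LOT_B_MM)):
        print(name)
        print(run_chart(lot, LSL_MM, USL_MM))
        print(lot_summary(lot, LSL_MM, USL_MM))
```

Lot A passes every sample yet falls well below Cpk 1.33, which is exactly why a pass/fail record alone would hide the supplier problem.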


Supplier Audit – Where should you spend your time?

In this article, you will learn how to spend your time during a supplier audit. We’ll teach you what is important and what you can skip.

Which suppliers need a supplier audit?

Before you start scheduling supplier audits, you should first decide which suppliers you need to audit. You are required to use a risk-based approach for supplier quality management, but we have specific recommendations. We recommend that you create five risk-based supplier quality categories:

  1. Critical suppliers
  2. Crucial suppliers
  3. Off-the-shelf component suppliers
  4. Service providers
  5. Consultants

Your critical suppliers are contract sterilizers, contract manufacturers, and contract packagers. Your crucial suppliers are suppliers manufacturing custom components or subassemblies. Off-the-shelf components speak for themselves, but examples of service providers include a company doing plating and other secondary processes. The last supplier category, but not the least, is the consultant category, such as the quality system auditors you hired to do an internal audit.


Which supplier categories require a supplier audit?

The FDA regulations don’t specifically require supplier audits. However, if an inspector finds any nonconformities among your purchased components, you will need to demonstrate how you have addressed the quality issues. If the corrective actions taken are not sufficient, you will need to conduct supplier audits as part of your corrective action plan or effectiveness check. Other countries have different expectations with regard to supplier auditing, but the supplier categories you will most commonly audit are “critical suppliers” and “crucial suppliers.” These two supplier categories are also the two that you will need to make sure are prepared and willing to accommodate unannounced audits by Notified Bodies. Click on the image below if you would like to read the requirements for audits conducted by Notified Bodies.


What is the purpose of a supplier audit?

When you attend a lead auditor course, the focus is on quality system auditing. However, when you perform a supplier audit—the quality system is not the focus. The focus of a supplier audit can fall into two primary categories: 1) qualifying the supplier or 2) re-evaluating the supplier.

Suppliers are not required to have a registered quality system or ISO 13485 certification. Therefore, many of the things that an auditor might learn about audit agendas in a lead auditor course just don’t apply. However, one thing always applies: reviewing previous quality issues. When we audit internal auditing and supplier auditing programs, we find that one of the most common mistakes is the failure to close out previous nonconformities. Therefore, the second section of my audit report template is a review of prior audit findings. If you have no previous findings, ensure your audit report states that. If you are qualifying a new supplier, ensure that the new supplier doesn’t have the same problems you are having with current suppliers.

When you close the previous issues, there are two approaches. The first approach is to close previous issues at the beginning of the audit—immediately after the opening meeting. This is the most common strategy. The second approach is to close previous issues as you audit the applicable area. For example, if you have previous problems in the area of incoming inspection and maintenance records, it might make sense to close these findings when you audit these areas. The advantage of this second approach is that it ensures that the process owner is closing the previous finding and facilitates the sampling of additional records.

What has little value in the supplier audit agenda? Auditing the management review process has the least value because the supplier is not required to have a quality management system. In fact, subcontractor audits for BSI do not include management reviews, CAPAs, or internal audits—the three required areas for every quality system audit.

What are the most valuable areas to audit?

Incoming inspection, control of nonconforming materials, preservation of the product, production controls, training, and process validation are the areas we typically audit. We like to start with the nonconforming material area and see which materials are on hold. Then, we sample the incoming inspection records for those raw materials. Next, we want to see how the company is storing those raw materials—if they are accepted. We typically cover these three areas as one process approach audit. This also happens to be the process audit we like to use for training new auditors, because the audit of incoming inspection results in numerous audit trails in the support process areas of document control, training, calibration, etc.

The next area we visit is the production area. For this portion of the audit, we are doing a process audit of the production process. We usually request that we schedule the audit for a time when the production area is running the product(s) of interest. A process flow chart helps plan this portion of the audit, and we will often write some notes directly on a copy of the process flow chart.

We conclude the audit with follow-up trails in the areas of 1) document control (to ensure the supplier has the most current versions of all documentation “we” provided), 2) calibration (to ensure that all measurement devices used for inspection are calibrated), and 3) training (to ensure that all personnel working on “our” product are appropriately trained).

What are the advantages and disadvantages of skipping areas?

Since we do not have to spend time on quality system issues during a supplier audit, we spend more time sampling records in the other areas. Therefore, we might sample 5-10 records in each of the above areas instead of 3-4 records. If the number of records available is small, we may even sample 100% of the records. We also have a supplier auditor tool kit to help your supplier auditor team prepare.

Did you consider confidentiality and security issues during your supplier audit?

Historically, it has always been easy to identify a missing or out-of-date confidentiality agreement during audits, but do you include this in your internal and supplier audits? The new cybersecurity requirements that the FDA released in October 2023 certainly changed what companies need to provide in a 510(k) submission, and the latest FDA eSTAR template has a lot of specific documentation that companies need to include in their 510(k). If you want to learn more about the 510(k) requirements, please visit our webpage for the cybersecurity work instruction and webinar. Then ask yourself the following questions:

  1. How will this impact your supplier audit program?
  2. Do you include cybersecurity questions in your supplier audits?
  3. Do your supplier quality agreements address cybersecurity?
  4. Do you have cybersecurity testing vendors added to your approved supplier list?
  5. Is cybersecurity embedded in your post-market surveillance activities?
  6. Do you and your supplier have a schedule for cybersecurity retesting?


Device Supply Chain Disruptions

What can you do to stay ahead of medical device supply chain disruptions and comply with reporting requirements of possible device shortages?


Supply chain issues can be somewhat cyclical. As we approach the holiday season, we also approach the shipping season. Public shipping services such as FedEx and UPS see an increase in freight as the holiday seasons approach. Manufacturers need raw materials and components to stock the shelves with all of those holiday gifts. Since we are still living under pandemic conditions, I would be willing to bet there will be more care packages and mailed gifts in place of traditional gatherings. On top of the approaching increase in demand, staffing shortages can very quickly exacerbate supply chain bottlenecks. All the while importers are still expected to… well, import! If transportation affects all general industry you can bet it can also cause medical device supply chain disruptions.

So what does an overburdened mail service have to do with medical devices and quality systems?

Consider, how are your customers getting your product in their hands? How are you receiving raw materials and components? How about your contract manufacturer? Do they have supply chain redundancies? Does your supplier quality agreement address notifications for shipping disruptions? 

Do you have a regulatory obligation to report a shortage, supply chain disruption, or interruption of manufacturing to the FDA or Health Canada? The FDA monitors for discontinuance and meaningful disruption of manufacturing of certain devices, and similarly Health Canada monitors its own list of devices for market shortages. Supply chain disruptions, whether through difficulty sourcing raw materials and components or through a transportation breakdown getting finished devices to market, are just one way you could experience a reportable disruption or shortage.

Matthew did not choose the topic of medical device supply chain disruptions randomly. His signature brand of pessimistic cynicism is the reason we have him tasked with keeping his fingers on the pulse of global concerns and potential threats and risks. Potential supply chain disruptions will involve your quality staff in developing preventive actions and contingency plans in case there is an issue. Then, your regulatory team will be in charge of reporting and AHJ notification if you are an affected manufacturer (or importer in Canada!). Understaffed and overloaded shipping and transportation suppliers are about to be bombarded with seasonal freight. This makes them an attractive target for ransomware because, just like healthcare facilities, they will not be in a situation where they can afford any downtime. 

U.S. FDA

The FDA requires reporting of shortages and supply chain disruptions to CDRH: Section 506J of the FD&C Act covers permanent discontinuance or interruption in the manufacturing of a medical device, especially in response to the COVID-19 public health emergency. In part, the general public’s need for healthcare during the pandemic guides which devices the FDA needs notification about.

Currently, the FDA is concerned about specific device types by product code, or any devices that are critical to public health during a public health emergency. For the most up-to-date list, the FDA website shows the specific product codes of the monitored device types.

Health Canada

As an Authority Having Jurisdiction, Health Canada also has reporting requirements for supply chain disruptions of specific types of medical devices. Health Canada is also an independent authority that uses a different device classification system than the U.S. FDA.

The list below shows the device types, by classification level, for which HC requires supply chain disruption notifications. This information is current as of September 5th, 2021, and the HC webpage carries the most up-to-date list.

Class I Medical Devices

  • Masks (surgical, procedure or medical masks) – Level 1, 2, 3 (ASTM)
  • N95 respirators for medical use
  • KN95 respirators for medical use
  • Face shields
  • Gowns (isolation or surgical gowns) – Level 2, 3 and 4
  • Gowns (chemotherapy gowns)

Class II Medical Devices

  • Ventilators (including bi-level positive airway pressure or BiPAP machines, and continuous positive airway pressure or CPAP machines)
  • Infrared thermometers
  • Digital thermometers
  • Oxygen Concentrators
  • Pulse Oximeters (single measurement)
  • Aspirators/suction pumps (portable and stationary)
  • Laryngoscopes
  • Endotracheal tubes
  • Manual resuscitation bags (individually or part of a kit)
  • Medical Gloves – Examination and Surgical (Nitrile, Vinyl)
  • Oxygen Delivery Devices

Class III Medical Devices

  • Ventilators (including bi-level positive airway pressure or BiPAP machines)
  • Pulse Oximeters (continuous monitoring)
  • Vital Signs Monitors
  • Dialyzers
  • Infusion Pumps
  • Anesthesia Delivery Devices

Class IV Medical Devices

  • Extracorporeal Membrane Oxygenation (ECMO) Devices

How to prevent device supply chain disruptions

Harden your supply chain with redundancies. Now is the time to qualify a second supplier as a contingency plan, before it is too late. Maybe even consider opening a Preventive Action? (HINT HINT for those ISO 13485 manufacturers that need to beef up their Clause 8.5.3 operations!)

Supply chains have both up and downstream functions. First, you likely need to source raw materials and components for production. Then you also need to ship those finished devices to distribution centers and your customers. Disrupt either of those and your ability to sell your devices is compromised or even completely halted.

Ask yourself, “Do I have a backup option for shipping?”, and “Do I have a backup option for raw materials and components?”.

Why?

Why go through all of that effort? Well, if you lose UPS and have to use FedEx instead, are their shipping procedures identical? Likely you will need a WI level document for each shipper to explain the process. It is easier to pre-qualify a contingency supplier and establish a WI now rather than in December when holiday shipping is at its peak. Consider if you also need to open accounts, etc. Scheduling pickup online may not be intuitive.

Just identifying a backup is important, but you can take that a step further and pre-qualify them. If they are a shipping and transportation supplier then give them a shipment or two in order to evaluate them. Hold them to the same standards you would for your primary supplier.

Did your shipment arrive on time? Was it damaged during transit? This is provisional qualification, or pre-qualification. Did they perform adequately enough to use as a tentative supplier in the event the primary supplier is unable to perform? This is designed to make a full qualification of this supplier simple and easy, if you need to use them, that is. Maintaining this pre-qualification should be simple and easy as well. Once a year or so, have them deliver a shipment for you.

That is just for importing or shipping finished devices. Do you have backup raw material or component suppliers identified? If not, identifying or even pre-qualifying secondary suppliers might not be a bad idea either. You are probably tied down to a specific geographic area for shipping and transportation. You may not be for raw materials. If you need barrels of silicone, consider a backup supplier from a different area than your primary supplier. Natural disasters create havoc for shipping. If your silicone comes from Company A, and they are closed down because of a hurricane, then Company B ten miles away is likely affected as well.

For example, if you are in the U.S. and your primary supplier is in the Northeast then a backup supplier in the Southeast may be strategically important. Whereas a backup supplier from the Southwest may be cost-prohibitive.

What about your suppliers? Is your device high-risk enough that if your supply chain is disrupted, you have an obligation to report it to the FDA? In that scenario, if you use a contract manufacturer, it may be worth requiring supply chain contingencies and clearly identifying who owns what reporting responsibilities within your quality agreement with them.

There is an element of proactive responsibility in reporting these shortages, or projected shortages. In order to be able to predict medical device supply chain disruptions, there should be metrics that your quality system is monitoring. What is your monthly production capacity? How much raw material or components does your warehousing have on hand? How many units could you manufacture if the transport industry stopped right this second?

Determine what you need to track in order to identify a disruption before it occurs.

Prepare for notification now. This article looked at the problem from the point of view that transportation issues were the root cause of the supply chain disruption. However, many other things could be disruptive, such as natural disasters and supply availability. Therefore, develop a WI level document for conducting these types of regulatory reporting activities and train personnel before a disruption happens. It is easier to tackle these kinds of problems if you already have process controls in place and trained competent staff than if you wait until the reporting timeline clock is already ticking.

In the near future, we will be posting a new blog about 506J and Shortage Reporting. We will also have a work instruction and training webinar available soon.


About the Author

Matthew came to us with a regulatory background that focused on OSHA and NFPA regulations when he was a Firefighter/EMT. Since we kidnapped him from his other career, he now works in Medical Device Quality Management Systems, Technical/Medical Writing, and is a Lead Auditor. Matthew has updated all of our procedures for He is currently a student in Champlain College’s Cybersecurity and Digital Forensics program, and we are proud to say that he is also a member of both the Golden Keys and Phi Theta Kappa Honor Societies! Matthew participates as a member of our audit team and has a passion for risk management and human factors engineering. Always the mad scientist, Matthew pairs his professional life in regulatory affairs with hobbies in the culinary arts as he also holds a Butchers/Meat Cutters certificate from Vermont Technical College.

Email: Matthew@FDAeCopy.com

Connect on Linkedin: http://www.linkedin.com/in/matthew-walker-214718101/


Software Service Provider Qualification and Management

What is your company’s approach to qualifying a software service provider and managing software-as-a-service (SaaS) for cybersecurity?

The need for qualifying and managing your software service provider

Most of the productivity gains of the past decade are related to the integration of software tools into our business processes. In the past, software licenses were a small part of corporate budgets, and the most critical software tools helped to manage material requirements planning (MRP) functions and customer relationship management (CRM). Today, there are software applications to automate every business process. Failure of a single software service provider, also known as software-as-a-service (SaaS), can paralyze your entire business. In the past, business continuity plans focused on labor, power, inventory, records, and logistics. Today our business continuity plans also need to expand to include software service providers, internet bandwidth, websites, email, and cybersecurity. This new paradigm is not specific to the medical device industry. The medical device industry has become more dependent upon its supply chain due to the ubiquity of outsourcing, and what happens to other industries will eventually filter its way into this little collective niche we share. With that in mind, how do we qualify and manage a software service provider?

Threats to software service providers (Kaseya Case Study)

Two years ago the WannaCry ransomware attack affected 200,000 computers, 150 countries, and more than 80 hospitals.


Kaseya isn’t a hospital. Kaseya is a software service provider company. So why is this example relevant to the medical device industry?

The ransomware attack on Kaseya was severe enough that both CISA and the FBI got involved, and it compromised some Managed Service Providers (MSPs) and downstream customers. This supply chain ransomware attack even has its own Wikipedia page. The attack prompted Kaseya to shut down servers temporarily. None of this is a critique of Kaseya or their actions. They were merely the latest high-profile victim of a cyberattack in the news. Now cybercriminals are attacking your supply chain. We want to emphasize the concepts and considerations of this type of attack as it pertains to your business.

What supplier controls do you require for a software service provider?

If you are a manufacturer selling a medical device under the jurisdiction of the U.S. FDA, you need to comply with 21 CFR 820.50 (i.e. purchasing controls). The FDA requires an established and maintained procedure to control how you are ensuring what your company buys meets the specified requirements of what you need. Many device manufacturers only consider suppliers that are making physical components, but a software service provider may be critical to your device if your device is software as a medical device (SaMD), includes software, or interacts with a software accessory. A software service provider may also be involved with quality system software, clinical data management, or your medical device files. Do you purchase software-as-a-service or rely upon an MSP for cloud storage?

You need to determine if your software service provider is involved in document review or approval, controlling quality records, Protected Health Information (PHI), or electronic signature requirements. You don’t need a supplier quality agreement for all of the off-the-shelf items your company purchases. For example, it would be silly to have Sharpie sign a supplier quality agreement because you occasionally purchase a package of highlighters. On the other hand, if you are relying upon Docusign to manage 100% of your signed quality records, you need to know when Docusign updates its software or has a security breach. You should also be validating Docusign as a software tool, and there should be a backup of your information.

21 CFR 820.50 requires that you document supplier evaluations to meet specified and quality requirements per your “established and maintained” procedure. The specified requirements for this supplier might include the following:

  • How much data storage do you need?
  • How many user accounts do you need?
  • Do you need unique electronic IDs for each user?
  • Do you need tech support for the software service?
  • Is the software accessed with an internet browser, is the software application-based, or both?
  • How much does this software service cost?
  • Is the license a one-time purchase? Or is it a subscription?

The quality requirements for a supplier like this may look more like these questions:

  • How is my information backed up?
  • Can I restore previous file revisions in the case of corruption?
  • How can I control access to my information?
  • Can I sign electronic documents? If yes, is it 21 CFR Part 11 compliant?
  • Does this supplier have downstream access to my information? (can the supplier’s suppliers see my stuff?)
  • Do I manage PHI? If so, can this system be made HIPAA compliant? What about HITECH?
  • What cybersecurity practices does this supplier utilize?
  • How are routine patches and updates communicated to me?

A risk-based approach to supplier quality management

ISO 13485:2016 requires that you apply a risk-based approach to all processes, including supplier quality management. A risk-based approach should be applied to suppliers providing both goods and services. For example, you may order shipping boxes and contract sterilization services. Both companies are suppliers, but in this example, the services provided by the contract sterilizer are associated with a much higher risk than the shipping box supplier. Therefore, it makes sense that you would need to exercise greater control over the sterilizer. Software service providers are much like contract sterilizers. SaaS is not tangible but the service provided may have a high level of risk and potential impact on your quality management system. Therefore, you need to determine the risk associated with SaaS before you can evaluate, control, and monitor a software service supplier.

First, you need to document the qualification of a new supplier. It would be nice if your cloud service provider had a valid ISO 13485:2016 certification. You would then have an objectively demonstrable record of their process controls and know that they are routinely audited to maintain that certification. They would also understand and expect to undergo 2nd party supplier audits because they operate in the medical device industry. Alternatively, a software service provider may have an ISO 9001:2015 certification. This is a general quality system certification that may be applied to all products or services. In the absence of quality system certification, you can audit a potential supplier. For some suppliers, this makes sense. However, many companies that are outside of the medical device industry do not even have a quality system because it is not required or typical of their industry. For the ones that do, though, you can likely leverage their existing certifications and accreditations.

Cybersecurity standards you should know

Most cloud service providers will not have ISO 13485 certification, because it is a quality management standard specific to the medical device industry. However, you might look for some combination of the following ISO standards that may be relevant to a software service provider:

  • ISO/IEC 27001 Information Technology – Security Techniques – Information Security Management Systems – Requirements
  • ISO/IEC 27002:2013 Information Technology. Security Techniques. Code Of Practice For Information Security Controls
  • ISO/IEC 27017:2015 Information Technology. Security Techniques. Code Of Practice For Information Security Controls Based On ISO/IEC 27002 For Cloud Services
  • ISO/IEC 27018:2019 Information Technology – Security Techniques – Code Of Practice For Protection Of Personally Identifiable Information (PII) In Public Clouds Acting As PII Processors
  • ISO 22301:2019 Security And Resilience – Business Continuity Management Systems – Requirements
  • ISO/IEC 27701:2019 Security Techniques. Extension to ISO/IEC 27001 and ISO/IEC 27002 For Privacy Information Management. Requirements And Guidelines

Does your software service provider have SOC reports?


The acronym “SOC” stands for Service Organization Control, and these reports were established by the American Institute of Certified Public Accountants. SOC reports describe the internal controls that an organization utilizes, and each report covers a specific subject. SOC reports apply to varying degrees to SaaS and MSP suppliers.

The SOC 1 Report focuses on Internal Controls over Financial Reporting. Depending on what information you need to store on the cloud, this report could be more applicable to the continuity of your overall business than specifically to your quality management system.

The SOC 2 Report addresses what level of control an organization places on the five Trust Service Criteria: 1) Security, 2) Availability, 3) Processing Integrity, 4) Confidentiality, and 5) Privacy. As a medical device manufacturer, these areas would touch on control of documents, control of records, and process validation, among other areas of your quality system. Some suppliers may not share a SOC 2 report with you, because of the amount of confidential detail provided in the report.

The SOC 3 Report will contain much of the same information that the SOC 2 Report contains. They both address the five Trust Service Criteria. The difference is the intended audiences of the reports. The SOC 3 is a general use report expected to be shared with others or publicly available. Therefore, it doesn’t go into the same intimate level of detail as the SOC 2 report. Specifically, information regarding what controls a system utilizes is very brief if identified at all compared to the description and itemized list of controls in the SOC 2 Report.

Other ways to qualify and manage your software service provider

SOC reports will help paint a picture of the organization you are trying to qualify. You will also need to evaluate the supplier on an ongoing basis. It is essential to know if the supplier is subject to routine audits and inspections to maintain applicable certifications and accreditations. For example, if their ISO certificate lasts for three years, you should know that you should follow up with your supplier for their new certificate at least every three years. On the other hand, if they lose certification, it may signify that the supplier can’t meet your needs any longer and you should find a new supplier.

There is a long list of standards, certifications, accreditations, attestations, and registries that you can use to help qualify a SaaS or MSP supplier. One such registry is maintained by Cloud Security Alliance (i.e. the CSA STAR registry). “STAR” is an acronym standing for Security, Trust, Assurance, and Risk. CSA describes the STAR registry in their own words:

“STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM) and CAIQ. Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.”

Some of the questions your supplier qualification process should be asking about your SaaS and MSP suppliers include:

  • Why do I need this software service?
  • Which standards, regulations, or process controls need to be met?
  • What is required for qualifying suppliers providing SaaS or an MSP?
  • How will you monitor a software service provider?

ISO certification, SOC reports, and the CSA STAR registry are supplier evaluation tools you can use for supplier qualification and monitoring. When you use these tools, make sure that you ask open-ended questions instead of close-ended questions. Our webinar on supplier qualification provides several examples of how to convert your “antique” yes/no questions into value-added questions.


Your software service provider should be able to provide records and metrics demonstrating the effectiveness of their cybersecurity plans. Below are three examples of other types of records you might request:

  • Cloud Computing Compliance Controls Catalogue or “C5 Attestation Report”
  • System Security Plan for Controlled Unclassified Information in accordance with NIST publication SP 800-171
  • Privacy Shield Certification to EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield

The Privacy Shield certification may be especially important for companies with CE Marked devices in order to comply with the European Union’s General Data Protection Regulation (GDPR), Regulation 2016/679.

A final consideration for supplier qualification is, “Who are the upstream suppliers?” It is essential to know if your new supplier or their suppliers will have access to Protected Health Information (PHI). Since you have less control of your supplier’s subcontractors, you may need to evaluate how your supplier manages their supply chain and which general cybersecurity practices your supplier’s subcontractors adhere to.

Additional cybersecurity, software validation, and supplier quality resources

For more resources on cybersecurity, software validation, and supplier quality management please check out the following resources:



Supplier Qualification: How To Get The Best Results

In this article, you will learn strategies for better supplier qualification to obtain the highest quality components and services.

Supplier Qualification in ISO 13485:2016

Section 7.4 of EN ISO 13485:2016 states that companies shall “evaluate and select suppliers… based on their ability to supply product in accordance with the organization’s requirements.” Supplier qualification is one of the most important purchasing controls. This requirement is quite vague, but the medical device industry has developed a surprisingly limited number of approaches to address the requirement of this clause.

The most common approach is to ask for some combination of the following:

  1.  ISO certification,
  2.  a copy of the Supplier’s Quality System Manual,
  3.  completion of a Supplier Questionnaire and
  4.  performing a Supplier Audit.

Unfortunately, all four selection criteria are flawed.

ISO Certification

I think the best way to explain why these criteria are flawed is to use an analogy. Let’s compare qualifying a new supplier with recruiting a new employee. ISO certification is sort of like a college degree. You can make some general assumptions about a potential job candidate based upon which school they got their engineering degree from, but the degree is still just a piece of paper on the wall. As the old joke goes:

“What do you call the person who graduated last in their class at medical school?”

“Doctor.”

Some registrars have a better reputation than others. Still, the name of the registrar is only as good as its worst client—who had four major nonconformities during their last audit and is about to lose that certificate. To improve this approach to supplier qualification, a potential customer could ask for a copy of the most recent audit report. This information is dependent upon the quality of the audit, but this would be a significant improvement over requesting a copy of the certificate.

CAUTION: Audits are still just samples—tiny samples.

Again, like degrees, certification must be relevant. ISO 9001:2015 may be a ‘nice-to-have’ quality for potential suppliers. However, it doesn’t hit the mark if you need them to have ISO 13485:2016 certification. Perhaps you need the European Normative version, or A11:2021 as well. For example, sometimes any law degree might be appropriate, and sometimes you specifically need a degree in healthcare law.

This makes it important to establish the criteria for your supplier evaluation early in the process, and not just because it is required for compliance with the standard: it is difficult to evaluate a supplier with no guidance on how or what to evaluate them against.

Supplier Quality Manual

The second selection criterion mentioned is the Quality Manual. The Quality Manual is analogous to a resume. The purpose of a resume is two-fold: 1) to provide an interviewer with information, so they can ask the interviewee questions without looking like an idiot, and 2) to provide objective evidence that a company did not illegally discriminate against a candidate that the hiring manager did not like.

I suppose you could argue that the purpose is to help candidates get a job, but in my own experience, less than 10% of resumes submitted result in a job interview—let alone a job offer. The purpose of a Quality Manual is NOT to help a company get new customers. If I am wrong about this, I need to do a much better job of marketing my Quality Manuals in the future.

Some suppliers have the nerve to say that their Quality Manual is proprietary. Humbug! Proprietary information should not be in the Quality Manual. You can copy a manual from another company and edit a few of the details. I will gladly write you a Quality Manual in less than a week that will pass any auditor’s review. You can even buy a Quality Manual online (In fact, Medical Device Academy sells one… Online! POL-001 Quality Manual). This almighty document just explains the intent of the Quality System—which is to conform to the requirements of the ISO Standard. Several auditors will tell you that this can be done in just four pages.

When you request a Quality Manual from a supplier, your primary intent for supplier qualification should be to use this document for planning a supplier audit. Any other purpose is just a waste of your time—unless you need to write a Quality Manual of your own.

Supplier Qualification Questionnaire

The third selection criterion I mentioned was a supplier questionnaire or supplier survey. Questionnaires are analogous to employment applications. Coincidentally, supplier questionnaires are often required by companies when a Quality Manual or ISO Certificate is not available. Do you find the similarities eerie?

Questionnaires are typically 15-20 page documents that someone has plagiarized from a previous employer. I have seen various versions of this questionnaire, but several of them appear suspiciously similar. Hmmm?

I am not sure what the original intent of this type of document was, but I think it was intended to capture detailed information about potential suppliers for a company in the Fortune 500®.

For most companies, 80% of the information on the questionnaire is meaningless. Customer requirements for a supplier are typically few in number and specific to the product or service being purchased. Therefore, please use your MRP system as a template and ensure that the questionnaire answers all the information you need to add the supplier to your system as an approved supplier. You should also have a product or service specification that gives you some more questions to ask.

Ideally, your questionnaire will be organized in the same order that you enter the information into the MRP system. Then this questionnaire will make the data entry easier for the purchasing agent, adding the supplier to the database. Questionnaires and surveys are great, but brevity is next to Godliness.


Supplier Qualification Audits

Finally, we come to the auditor’s favorite—supplier audits. Audits are similar to job interviews. Ideally, you want a cross-functional audit team, and you might need to visit more than once. Unfortunately, most companies cannot afford to audit every supplier. Some companies supplement with remote audits. I think of a desktop audit as a “phone interview.” I use phone interviews to prescreen candidates before I pay more money and waste other people’s time with on-site interviews. Desktop audits of suppliers should not be used as a replacement for an on-site audit merely so that your supplier quality engineers do not have to spend so many nights at the Hampton Inn.

If audits are your best selection criteria, how can you make the most of your auditing resources? Also, how can you audit for supplier qualification if you only have enough auditors to audit 5% of the approved supplier list? I have the following suggestion: “Start at the end.” You might consider reviewing our article on hiring an auditor.

ISO 13485:2016 Clauses 8.5.2 / 8.5.3 CAPA

What I mean by this cryptic, four-word phrase is that auditors should start at the end of the ISO Standard with sections 8.5.2 & 8.5.3 (Corrective and Preventive Action (CAPA) Process). This is the heart of a Quality System. If you disagree, remember that FDA inspectors are required to look at the CAPA system during every Level 1 inspection. Registrars also look at the CAPA process during every assessment—not just the certification audits. The purpose of the CAPA process is to fix problems, so they don’t come back—ever.

If you think that a new supplier is never going to make a mistake, you might as well quit looking. You want suppliers with strong CAPA systems. If a supplier has a strong CAPA system, problems will be fixed quickly and permanently. To sample the CAPA process, an auditor only needs the following: 1) the CAPA procedure(s), 2) the CAPA log(s), and 3) a handful of completed CAPA records—selected not so randomly from the log(s). This can all be done remotely in a desktop audit. If suppliers are resistant to giving you the log or actual records, ask them to redact any sensitive information. If you have executed a nondisclosure agreement, the supplier should agree with this approach.

ISO 13485:2016 Clause 8.4 Analysis of Data

Working from the back of the Standard, the next process to sample is clause 8.4 (Analysis of Data). There are four requirements of this clause. If the company has a requirement for customer satisfaction to be measured (ISO 9001:2008 section 8.4a), this is a great place to focus. There are also requirements to look at the trend of product conformity (8.4b), process metrics (8.4c), and trends in supplier data—such as on-time delivery and raw material nonconformities (8.4d). The quality of the analysis will tell an auditor as much about the company as the data itself. This process audit can also be performed remotely as a desktop audit.

A lot has changed since this article was first written. For example, if your potential supplier isn’t using ISO 9001:2015 you may want to verify that other areas of their quality management system aren’t outdated as well. 

ISO 13485:2016 Clause 8.3 Control of Nonconforming Materials

Clause 8.3, Control of Nonconforming Materials, is the third area to look at. To sample this area, you will need the “Holy Trinity” again: 1) procedure, 2) log, and 3) records. In this desktop audit, you want to look very closely at any nonconforming materials that are reworked or accepted “as is” (i.e., UAI). Either of these two dispositions should be ULTRA-RARE. Everything else should be processed efficiently as scrap or returned to the vendor (i.e., RTV).

If a potential supplier passes all three “tests” described above, you are ready to address clause 8.2.4—Monitoring & Measurement of Product. In this section, there is a requirement to maintain records of product releases and to verify that product requirements are met. For supplier qualification, if you think you can effectively audit this by paperwork alone, the supplier is a good candidate for “desktop only.” However, if the lot release paperwork, batch record, or Device History Record (DHR) is a 50-page tome—then you better make your flight plans.

The good news is that very few suppliers will pass the first three tests and implode during the on-site audit. Also, with three process audits complete, you should be able to reduce the duration of your on-site audit. Finally, for low-risk suppliers, you have a strong basis for provisional approval of suppliers to proceed with prototype runs before you schedule an on-site audit. If you need a procedure for supplier qualification, please check our Supplier Quality Management Procedure (SYS-011).


For more information on supplier controls, quality systems, auditing, and regulatory submissions visit our YouTube Channel.

 


How to make a supplier questionnaire for remote auditing

You already have a supplier questionnaire, but do you know how to make a supplier questionnaire to assess a supplier’s ability to support a remote audit?


The four most significant mistakes people make when designing a supplier questionnaire

In Medical Device Academy’s supplier qualification webinar, you learn how to improve your supplier qualification process by replacing the traditional methods of supplier qualification with more effective approaches to supplier evaluation. The following are four examples of how to improve your supplier questionnaire.

Supplier questionnaires should be specific to the product or service provided

The first mistake people make is to use a generic questionnaire. It would be best if you asked your supplier questions that are important to the work that the supplier will be performing. Therefore, each category of product or service should have its own set of questions. For example, important questions related to ethylene oxide contract sterilization services are the maximum size limitations for pallets in the sterilization chamber and whether the facility can conduct sterility testing on-site. However, an injection molding supplier might delay the return of your supplier questionnaire if these questions were on the survey that you send to them because they don’t understand the questions.

Supplier surveys should be more than checkboxes

The second mistake people make is to ask questions that can be answered with a “yes” or “no” response or a checkbox. These are closed-ended questions. You should always ask open-ended questions, because the response will give you more information about the supplier. In addition, most people resist answering “no” even when the real answer is “no.” For example, “What is your FDA registration number?” is more useful than “Is your company FDA registered?” Another example is, “How many production lines use SPC charts?” instead of “Do you use SPC charts?” In fact, in the open-ended version of this question, you will learn if the use of SPC charts is widespread, and you learn how many production lines the supplier has.

Remember to ask suppliers to update their surveys every year

The third mistake people make is to request that a supplier questionnaire be completed only during the initial supplier qualification process. Every year companies grow, shrink, or change. If you ask suppliers to update their questionnaire, you can use that information to determine the health of your supplier’s business. You might also discover that one supplier just added a new production capability that will allow you to consolidate more of your outsourced work with that supplier and eliminate another problem supplier. Every company has a turnover in personnel as well. It is a great idea to ask suppliers to provide contact information for multiple people in the organization, such as quality contact, billing contact, and a production planner. Eventually, you will probably need to speak with each of these people, and if one of the contacts is no longer at your supplier, you will still have two other contacts. Updating this information also gives you a hint of whether turnover is widespread or limited to a specific individual.

Supplier questionnaires should be in spreadsheet format

The fourth mistake people make is to send a Word Document for suppliers to complete (PDF format is even worse). Word and PDF formats are time-consuming to complete, and they are harder for you to analyze than a spreadsheet. Most people provide a Word document or a PDF because they are focusing on the requirement for control of records. However, if you have an electronic quality system, the supplier survey information will be part of your electronic system as soon as you enter the data into your software. Alternatively, if you have a paper-based quality system, then you can print the spreadsheet out, sign it, and date it. The huge advantage of using Excel spreadsheets is that you can copy the new data into a column next to the previous year’s responses. Then you can quickly see what changes your supplier made in the past year.
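To make the year-over-year comparison described above repeatable, here is an added example (not code from the original article or from Medical Device Academy) that parses two CSV exports of a completed questionnaire, lists every answer that changed, and flags the changes worth a follow-up call. The questions echo the ones used in this article; the answers, the CSV layout (columns `question` and `answer`) and the 25% follow-up threshold are constructed assumptions.

```python
"""Year-over-year diff of supplier questionnaire responses (added example)."""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample exports: one row per question, as a spreadsheet would save them.
PREVIOUS_YEAR = """question,answer
How many employees or FTEs work for your company?,48
What percentage of the FTEs are temporary workers?,10%
How many suppliers are on your approved supplier list (ASL)?,35
How many suppliers did you audit in the past year?,6
How many NCMRs were opened in the past year?,22
How many NCMRs currently remain open?,3
Quality contact,J. Smith (quality@example-supplier.invalid)
When was the last software re-validation for quality system software?,2019-04-12
"""

CURRENT_YEAR = """question,answer
How many employees or FTEs work for your company?,61
What percentage of the FTEs are temporary workers?,35%
How many suppliers are on your approved supplier list (ASL)?,35
How many suppliers did you audit in the past year?,6
How many NCMRs were opened in the past year?,41
How many NCMRs currently remain open?,12
Quality contact,A. Jones (quality@example-supplier.invalid)
"""

UNANSWERED = "<unanswered this year>"
NEW_QUESTION = "<new question>"


@dataclass
class Change:
    question: str
    previous: str
    current: str
    delta: Optional[float]  # numeric difference when both answers are numbers


def load_answers(csv_text: str) -> Dict[str, str]:
    """Parse a questionnaire export into {question: answer}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["question"].strip(): row["answer"].strip() for row in reader}


_NUMBER = re.compile(r"^-?\d+(\.\d+)?%?$")


def _as_number(text: str) -> Optional[float]:
    """Treat '35' and '35%' as numbers; anything else is free text."""
    return float(text.rstrip("%")) if _NUMBER.match(text) else None


def compare_years(previous: Dict[str, str], current: Dict[str, str]) -> List[Change]:
    """Return every answer that differs, went missing, or is newly asked."""
    changes: List[Change] = []
    for question, prev_answer in previous.items():
        cur_answer = current.get(question)
        if cur_answer is None:
            changes.append(Change(question, prev_answer, UNANSWERED, None))
        elif cur_answer != prev_answer:
            p, c = _as_number(prev_answer), _as_number(cur_answer)
            delta = c - p if p is not None and c is not None else None
            changes.append(Change(question, prev_answer, cur_answer, delta))
    for question, cur_answer in current.items():
        if question not in previous:
            changes.append(Change(question, NEW_QUESTION, cur_answer, None))
    return changes


def follow_up_items(changes: List[Change], threshold_pct: float = 25.0) -> List[Change]:
    """Flag unanswered questions and numeric answers that moved by >= threshold_pct."""
    flagged: List[Change] = []
    for change in changes:
        if change.current == UNANSWERED:
            flagged.append(change)
        elif change.delta is not None:
            prev = _as_number(change.previous)
            if prev == 0 or abs(change.delta) / abs(prev) * 100 >= threshold_pct:
                flagged.append(change)
    return flagged


if __name__ == "__main__":
    diff = compare_years(load_answers(PREVIOUS_YEAR), load_answers(CURRENT_YEAR))
    for item in follow_up_items(diff):
        print(f"FOLLOW UP: {item.question}: {item.previous} -> {item.current}")
```

Contact changes are reported but not flagged, so the follow-up list stays focused on capacity and quality signals such as open NCMRs.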

What should you add to your supplier questionnaire?

Most private companies will not share what their revenues are for the business, but as a customer, you should be more concerned with how many human resources your supplier has. Therefore, you should consider asking, “How many employees, or full-time equivalents (FTEs), work for your company?” You might also want to know if your supplier is relying on a temporary workforce. For example, “What percentage of the FTEs are temporary workers?” Many questionnaires will ask for the square footage of the facility, but this doesn’t provide you with any details about the facility layout. Alternatively, you could ask for a copy of the pest-control map for the facility. This would give you a detailed layout of the facility, and it also confirms that your supplier has a pest control plan for the facility. Another related question to ask is, “Please describe any expansion/construction projects that have been implemented in the past year or projects that are in progress (e.g., the addition of a mezzanine).” If the company added 30,000 square feet to their production area, but there was no change to the pest control plan, you might have some clarification questions for your supplier. In general, a good strategy for developing your questionnaire is to think of at least one open-ended question related to each clause of the ISO 13485:2016 standard without referencing the standard. The following are some examples that might help you:

  1. When was the last software re-validation for quality system software?
  2. How many active external standards is your company currently maintaining?
  3. Please provide a list of procedures and identify the person who would be interviewed during an audit for each procedure (i.e., process owner or subject matter expert).
  4. In the absence of the management representative, who is designated as the liaison for an FDA inspector?
  5. What are the upper control limits for particulate counts, air viable counts, and surface viable counts in your controlled environment(s)?
  6. On what dates was the environmental monitoring of controlled environments conducted in the last year?
  7. Please identify how many quality inspectors are responsible for incoming inspection.
  8. Please list the calibration ID and equipment name for any inspection equipment that requires specialized training (e.g., CMM).
  9. How many suppliers are on your approved supplier list (ASL)? And how many suppliers did you audit in the past year?
  10. How many nonconforming material reports (NCMRs) were opened in the past year? And how many NCMRs currently remain open?
  11. How many partial or complete lots were returned to your company by customers in the past year?
  12. Please list any corrections and removals (i.e., recalls) that your company has been involved in during the past year and their current status.

How many questions should your supplier questionnaire include?

There are 28 required procedures in ISO 13485:2016, and there are even more subclauses within the standard. It is an excellent idea to create a list of questions you might ask for each subclause, but a supplier questionnaire should not include all of those questions. Just as audits are just a sampling, your supplier survey questions should be sampling as well. You should review last year’s questions and eliminate questions that you think are not especially useful for that supplier. Some questions should be asked each year to assess if the quality system has changed significantly, and you should consider adding a few new questions each year. The best questions will require the person to perform some research to answer the questions. But it is unreasonable to expect a supplier to spend more than two hours completing a supplier questionnaire if you plan to purchase less than $20,000 in product or services.

Supplier questionnaires specific to remote auditing

In many ways, a well-designed supplier questionnaire is similar to a remote audit, because you are asking the supplier to answer multiple open-ended questions about their quality system to verify that the quality system is fully implemented and remains effective. However, due to the Covid-19 pandemic, many employees are now required to work from home, and it is not possible to physically visit certain facilities. Therefore, you should be adding three elements to your supplier questionnaire to assess your supplier’s ability to support a remote audit and to determine their ability to maintain the effectiveness of the quality system during a viral outbreak. The three elements are 1) policies for personal protective equipment for employees and visitors, 2) business continuity plans to maintain internal operations and to ensure redundancy of crucial suppliers, and 3) availability of digital documents and records or paper documents and records via video conference software. These three areas were also the subject of a previous blog on changes triggered by Covid-19. It would help if you also asked about the availability of hardware and software communication tools for conducting a remote audit. You might ask your supplier, “Which areas of your facility can we observe during a remote audit using live video conferencing (e.g., Zoom mobile application)?” and “What experience does your company have in the use of Zoom as a video conferencing tool?”


Access to documents and records during remote audits

During a remote audit, you will need to access documents and records virtually. If your supplier can participate via a video conferencing tool with a high definition web camera or smartphone, then you should be able to see any documents and records that you could normally see during an on-site audit. However, your supplier will need to hold the document or records steady, possibly by using a music stand and a camera tripod, so that you can take notes regarding the contents of the document or record. You will also need a way to record your notes. You might try using a Pixelbook or similar computer to write your audit notes while you watch the video conference on a second computer, possibly on a conference room projector screen or large flat screen monitor. You could also use a tablet, such as the reMarkable. Of course, you can always use a pad of paper and a pen and then transcribe your notes later. All of these methods will be faster and more convenient than digitally scanning each document and uploading the documents to a shared folder or sending the scanned document by email.

You should also ask your supplier which records are already available digitally. You can expect all of the quality system procedures to be available in digital formats, but many records may already be available electronically as well. For example, purchase orders, quality system certificates, drawings, and blank forms should be available in digital format. In a supplier audit, you typically will focus on a subset of the quality system records that are related to production process controls, purchasing, incoming inspection, shipping, and control of nonconforming product. Asking your supplier which of these records are available in digital format will help you determine which records you need to request from the supplier in advance and which records can be requested on demand.

How to obtain our supplier questionnaire template (FRM-004)

If you are interested in purchasing our supplier questionnaire template, FRM-004, it is included with the purchase of our supplier qualification webinar. If you think of any new questions to add to this template, please email me at rob@13485cert.com. Just put “FRM-004 Suggestion” in the subject line.


How to avoid the most common supplier evaluation mistakes

The focus of this article is on the process of supplier evaluation and re-evaluation for medical device companies and how to document your evaluations.

You have several suppliers today, but did you have a rigorous supplier evaluation process when you first hired those suppliers? If your business is going to be successful, you need to treat your supplier evaluation process as a critical strategic process. Supplier qualification is more important than the hiring of any senior manager. ISO 13485:2016 requires you to have a procedure for supplier evaluation and re-evaluation, but the type and extent of your supplier controls are not specified.

Which of your suppliers are critical or crucial?

Crucial suppliers were defined in a draft policy published by the European Commission as part of the introduction of the requirement for unannounced audits. Crucial suppliers make a component or subassembly that is high-risk, or your firm cannot easily purchase the component or subassembly from another supplier. Critical suppliers for medical device manufacturers fall into one of three categories: 1) a contract manufacturer, 2) a contract sterilizer, or 3) a contract packager or labeler. These three types of suppliers may be selected for unannounced audits by a Notified Body. The FDA also requires these three categories of suppliers to register their facility.

Should you establish other supplier evaluation categories?

The short answer is no. The purpose of categories is to ensure that a large number of suppliers are consistently managed. Instead, try reducing the number of suppliers you are managing. Give your best suppliers more work, and fire the worst suppliers. If a component is “single-source,” encourage another supplier to quote that business before you look for a new supplier. It would be best if you took the time to evaluate each supplier thoroughly. If you don’t have the supply chain resources to do this, then you have three choices: 1) hire another person to help manage your supply chain, 2) fire suppliers that are not meeting your requirements, or 3) replace the weakest member of your supply chain team.

How do you re-evaluate existing suppliers now?

There are a lot of possible answers to this question, but unfortunately, the most common answer is, “because that’s who we’ve always used.” This practice, referred to as “grandfathering,” is a horrible approach to supplier re-evaluation. Suppliers that miss your requested delivery dates, and suppliers that ship nonconforming product, should be required to implement supplier corrective actions immediately. You need to follow up on these corrective actions and verify that the corrective actions were effective. If the corrective actions are not effective, or if new supplier issues occur, then you should find an alternate supplier as soon as possible.

Another stupid reason for selecting a supplier is “because they were the lowest bidder.” There’s an old government contracting joke about this strategy. It sounds something like this, “a million mission-critical parts, designed by engineers that have no clue what the real world is like, built by the lowest bidder, and inspected by a bureaucrat that can be bribed with a bottle of wine and some prime rib.” I tend to discount the quality of the lowest bidder every time. I always wonder what they forgot to consider when they bid on the job. If the lowest bidding supplier can explain why they have an inherent advantage over their competition, then maybe you should consider hiring them. If there is no rational reason why a supplier’s pricing is below their competition, this usually means that the supplier is desperate, or they plan to increase their pricing after you are a customer.

What should be your supplier evaluation and re-evaluation criteria?

All medical device suppliers should have a quality system, but ISO certification is not required. Therefore, if a supplier has ISO 13485 certification, you might abbreviate your initial supplier qualification process. However, ISO 13485 certification should have minimal impact upon your on-going supplier evaluation process. You need to know how well your supplier’s quality system is being maintained. If your supplier is sharing copies of their annual surveillance audits and FDA inspection reports with you, this will give you a better indication of the quality system effectiveness.

Consider performing supplier audits for supplier evaluation

Although it is not required, the best way to evaluate the effectiveness of a supplier’s quality system is to perform a supplier audit. Specifically, you should focus on the processes that are directly related to your product or component. Production process controls and final inspection are the most critical areas to audit. Other areas that are important to consider for supplier audits are 1) incoming inspection, 2) purchasing controls, 3) shipping, and 4) control of nonconforming materials. Conducting a supplier audit using the process approach is the most effective method. The process approach method of auditing will ensure that document control, record control, calibration, process validation, and training are sampled as support processes. The supplier audits may also be conducted as on-site audits or remote audits.

Certificate of Conformity (CoC) vs. Certificate of Analysis (CoA)

Another supplier evaluation criterion should be product conformity. You should be reviewing more than whether your supplier shipped the correct product and the correct quantity. Did your supplier provide a Certificate of Analysis (CoA) that summarized the inspection methods, acceptance criteria, and the inspection results? Or do you verify that a Certificate of Conformity (CoC) was included and accept the lot you received? If your company is only receiving a CoC from a supplier, you should be sampling the product at incoming inspection and verifying that the product conforms with your requirements. Even if the supplier is providing a CoA, you should still perform periodic sampling and inspection of the product to make sure the CoA provided matches the actual product you are receiving.

Consider improving your supplier questionnaires

If your company is requesting that suppliers complete supplier questionnaires, make sure that you are asking the most relevant questions. You need to know if your supplier can support remote audits. You need to know if there have been any significant changes to the quality system. You need to know if the company has had any significant non-conformities resulting from certification body audits. You need to know if there have been FDA inspections and what the results of the inspection were. You should also be obtaining monitoring and measurement data related to process conformity and product conformity. Asking your supplier to identify any shutdown periods or planned renovations is a required input for critical and crucial suppliers for CE Marked medical devices subject to unannounced audits. It would help if you also were asking your supplier to update the names, titles, and contact information for key management personnel. Would you like a copy of our supplier questionnaire?


What should you be doing to address the Covid-19 pandemic?

As a consequence of the Covid-19 pandemic, many suppliers have had significant disruptions to their supply chains, workforce availability, and transportation vendors. Since many medical device products are urgently needed during this pandemic, it is important to ask suppliers to provide a summary of their current situation and any analysis they have done to assess potential risks that could disrupt your supply chain. Does your supplier have adequate personal protective equipment (PPE)? What types of precautions are being taken to ensure that employees don’t exhibit symptoms of Covid-19 illness? Does your supplier have a policy for self-quarantining if an employee is exposed to someone that has the virus? Does your supplier have a disaster recovery plan?

Consider using size for supplier evaluation

Bigger is not always better. If you are a small customer of a large supplier, your needs will seldom be important to your supplier. Alternatively, if your company is much larger than your supplier, your supplier may not have the resources to grow with you and keep up with your current demand. When you are initially qualifying suppliers, try to select suppliers that are approximately the same size as your company or slightly larger. You should also consider identifying more suitably sized suppliers if you have a significant size mismatch or one develops over time.

What if you don’t have the resources to evaluate your suppliers?

Supplier evaluation and re-evaluation is a strategic function that impacts your profits and your ability to deliver product on time to your customers, and nonconforming product can tarnish your company’s reputation. Therefore, your company needs to invest resources to analyze your supply chain. It would help if you had suppliers that have excellent quality and suppliers that will encourage your company to improve. Are there best practices you can learn from your suppliers? Is your supplier able to help you manage your inventory? Can your suppliers help you solve production problems? Supplier evaluation should only be secondary in importance to your design process and post-market surveillance. As they say, “garbage in equals garbage out.”

Do you need additional training on supplier evaluation?

On June 25, 2020, at 11 am EDT, we are hosting a live webinar on how to qualify your suppliers. In this webinar, you will learn how to qualify new suppliers even if they don’t have ISO certification, as well as best practices in supplier evaluation. We will be sharing a new supplier questionnaire that includes questions to help you assess whether a supplier is capable of supporting remote audits. We will help you develop a strategy for the allocation of supply chain personnel, and show you how to convince top management to prioritize supplier audits.


3 Tools for Effectively Qualifying Suppliers

Do you have the right tools to qualify your suppliers?

For every task, you have a choice of tools that you can use. Are you using the correct tools to qualify your suppliers?

This blog reviews how to utilize statistical process control, process validation, and supplier auditing to qualify suppliers effectively.
Only qualified suppliers would be approved if you could afford to audition suppliers against hundreds of other competitors for a few months. Unfortunately, you don’t have the same budget as American Idol. So what should you do instead?

Most companies use the same three tired tools to qualify suppliers: ISO Certification, Quality Manuals, and questionnaires. ISO certification is a weak tool because certification is only as good as the registrar’s worst client. Quality Manuals are intended to define the intent of your supplier’s Quality Management System, while most of the details are located in procedures. You only need a copy of your supplier’s Quality Manual to help you plan audits. Supplier questionnaires seem to be the most popular tool, but most questions require a “Yes/No” response that suppliers rarely answer negatively. To assess the qualifications of potential suppliers more effectively, try using the following tools instead:

Tool # 1: Statistical Process Control

Most companies require a Certificate of Compliance (CoC) with every shipment. A CoC is useless. Like the “Yes/No” questionnaire responses, you will never see a CoC that indicates something is wrong. A Certificate of Analysis (CoA) is much more helpful because the CoA has actual data, and the tolerance range is typically indicated for each test or measurement the supplier performed. The best report you can get from a supplier is a statistical analysis of each specification during the prototype production lot. When you have a Statistical Process Control (SPC) run chart, you know quantitatively if the supplier can make an acceptable product. The run chart can also be used to develop an appropriate sampling plan for incoming inspection.
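To show what a run chart gives you quantitatively, here is an added Python example (not code from the original article): it takes a constructed prototype lot of length readings and the drawing tolerance, and reports the centre line, 3-sigma control limits, Cpk, and which samples fall outside the control or specification limits. The Cpk threshold of 1.33 is an assumed convention, not something the article states.

```python
"""Summarise a supplier's prototype-lot readings as an SPC run chart would:
centre line, 3-sigma control limits, Cpk against the drawing tolerance, and
which samples are out of control or out of spec. Added example, not the
article's own code; the 1.33 capability threshold is an assumed convention."""
import statistics

CPK_TARGET = 1.33  # assumed minimum Cpk to call the supplier's process capable


def run_chart_summary(measurements, lsl, usl):
    """Return run-chart statistics for one dimension of one production lot.

    measurements: every individual reading (not just min/max, per 21 CFR 820.80)
    lsl, usl: lower/upper specification limits from the drawing
    """
    if len(measurements) < 2:
        raise ValueError("need at least two measurements")
    mean = statistics.fmean(measurements)
    # Sample standard deviation; an XmR chart would instead estimate sigma
    # from the average moving range, which is less sensitive to drift.
    sigma = statistics.stdev(measurements)
    ucl, lcl = mean + 3 * sigma, mean - 3 * sigma
    # Cpk: distance from the mean to the nearer spec limit, in 3-sigma units.
    cpk = min(usl - mean, mean - lsl) / (3 * sigma) if sigma > 0 else float("inf")
    return {
        "mean": mean, "sigma": sigma, "ucl": ucl, "lcl": lcl, "cpk": cpk,
        "capable": cpk >= CPK_TARGET,
        # Out of control: beyond the 3-sigma limits (Western Electric rule 1).
        "out_of_control": [i for i, x in enumerate(measurements)
                           if x > ucl or x < lcl],
        # Out of spec: outside the drawing tolerance, i.e. nonconforming.
        "out_of_spec": [i for i, x in enumerate(measurements)
                        if x > usl or x < lsl],
    }


# Constructed sample lots (not real supplier data): a 10.00 mm nominal
# length with a +/-0.10 mm tolerance.
STABLE_LOT = [10.02, 9.98, 10.01, 9.99, 10.03, 9.97, 10.00, 10.00, 10.02, 9.98]
DRIFTING_LOT = [10.00] * 19 + [10.50]  # one reading well outside tolerance

if __name__ == "__main__":
    for name, lot in (("stable", STABLE_LOT), ("drifting", DRIFTING_LOT)):
        s = run_chart_summary(lot, lsl=9.90, usl=10.10)
        print(f"{name}: mean={s['mean']:.3f} sigma={s['sigma']:.3f} "
              f"Cpk={s['cpk']:.2f} capable={s['capable']} "
              f"out_of_control={s['out_of_control']} out_of_spec={s['out_of_spec']}")
```

The stable lot has a Cpk of about 1.67 and no flagged samples, while the drifting lot's single 10.50 mm reading is flagged as both out of control and out of spec, which is exactly the signal a CoC would never carry.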

Tool # 2: Process Validation

Process validation is much more than determining if a process is capable of producing a consistent product. An SPC run chart can do that. Process validation tells you what range of operating parameters will create a consistent product. Therefore, when you have process deviations or measurement devices that are slightly out-of-calibration, you will know if your supplier’s process will still make an acceptable product. The validation of a process should also identify which variables are critical indicators of the process. This information can be used to reduce the number of variables and specifications that are monitored for a production process and focus both your supplier’s resources and your own.

Tool # 3: Supplier Auditing

A multi-disciplinary team audit of a potential supplier is an effective tool for assessing a supplier’s qualifications. It will help build a stronger relationship between your team and the supplier’s team. Before you conduct an audit, it is important to plan the audit to ensure you get the most significant possible value. The following recommendations are essential to supplier auditing:

  1. Use a risk-based approach to auditing suppliers (this goes beyond just critical and non-critical)
  2. Strategically select auditors and train them well
  3. Plan the auditing goals and objectives for the team in advance
  4. Create a formal audit agenda that defines which processes each auditor will be focusing on

Auditing 100% of your critical suppliers may seem impossible due to limited resources, but have you ever seen a cost/benefit analysis?

What’s the cost of rejects, rework, and product redesign?

Supplier Quality Management Webinars Available 

Are your Suppliers Qualified? Prove It! 

http://robertpackard.wpengine.com/suppliers-qualified-prove/

Supplier Auditing and Remote Auditing: Tips to Save You Time and Money 

http://robertpackard.wpengine.com/supplier-auditing-and-remote-auditing-tips-save-time-money/
