This notion of risk-based processes within quality systems is something that has become part of our formal lexicon following the release of ISO 13485:2016, the globally harmonized standard for medical device quality management systems.
Well before these risk-based processes became a quality system requirement under ISO 13485, many medical device companies were already using this type of approach, perhaps without even realizing it. This is because there's always been an element of confusion surrounding this topic.
So what does “risk-based” actually mean? If you look at each of the individual processes within your QMS, there can be different logic and approaches for each as they apply to risk.
From an audit perspective, some areas of your QMS will likely have a higher emphasis on risk. Supplier management has been one of those areas, attracting a great deal of attention from auditors. One main reason being, how the commercialization of this industry is rapidly evolving--impacting the way in which we conduct business...
Emphasis on supplier management
When I first entered the medical device industry, the vast majority of companies were vertically integrated. They housed every essential operational process, from design, to manufacturing, to business development, under the same roof. Fast forward twenty years and there's a growing trend to outsource more and more work throughout the premarket and postmarket cycles.
For example, a lot of American-based device makers will outsource their manufacturing overseas to minimize higher labor costs associated with having it made in the United States. They leverage third-party contractors and points of sale to manage these jobs and processes. One recurring theme I've noticed in doing this is that due diligence is often neglected while selecting these suppliers.
Without proper due diligence, companies may wind up with a returned product that does not meet the necessary standards for quality. This can lead to unforeseen new costs--negating any potential benefit of outsourcing to save costs in the first place. It can also lead to increased audits, more time spent on quality control, or in some cases the complete rehaul of a product.
For these reasons, regulatory agencies, such as FDA, have put a new emphasis on current good manufacturing practices (CGMP) and how medical device companies must qualify and manage their suppliers. But how do you determine that they have the skills and meet the standards needed to do the job well? How do you ensure that they meet all quality and regulatory requirements? Because ultimately, it's the device maker who will be held responsible.
Identify criteria for your supplier
First, you need to identify criteria for your suppliers that is commensurate with what they are doing for your company. For instance, if you have a supplier that is manufacturing a material that will be in direct contact with patients, you want to make sure their facility is clean. You want to know that they follow an acceptable standard for current good manufacturing practices, have conducted purity testing on materials and can consistently provide the same quality of material for multiple batches of your product.
Using the same example above, another aspect that shouldn't be overlooked is the level of risk of your product and the biocompatibility testing on the material that will likely be required. How will you know that the material you tested today will be the same in a few years time? Appropriate controls need to be in place and you as the medical device company need to be monitoring them.
When I say “commensurate with what they are doing for your company,” not all suppliers will require the same level of scrutiny. If you’re going to be manufacturing a less-invasive product that is not intended to be patient-contacting or considered high risk, you might not have as many criteria for assessing and evaluating the supplier.
qualifications for suppliers
After you identify the criteria for your supplier, the creation of an approved supplier list is important. But I think the reference to “approved supplier” can be confusing. When you approve someone on your list, you’re not approving them to supply just anything. You can’t assume that because you’ve approved component X and it meets required standards, that the same supplier will be qualified to work on components Y and Z.
Within your approved supplier list, you need to clearly state what they are approved to supply. Part of your assessment should involve evaluating suppliers on those components and there are many ways to do this. For example, if it’s a tangible product, you might do “first article inspection” and apply higher scrutiny to the first lot you receive from them.
From a quality perspective, you want some kind of objective evidence that the supplier will be able to meet the set standards, and do so consistently. As part of your supplier qualification, you’ll also want to understand the state of their quality system, if they have one. You’ll want to know if they’re certified, if that is necessary for your company's needs.
A supplier survey form is a good tool to use for qualifying suppliers. It helps to give you more detail about the supplier, such as who they are, how they work and where their facilities are located. As part of your qualification process, you may want to do an on-site audit, especially if the device they'll be working on will be classified as high risk.
Managing risk with Suppliers
As the medical device company who is overseeing the process, you should always be able to accurately assess the criticality of what the supplier is doing. There’s a common practice used for this - CTQ (Critical-to-Quality), which can help you to dictate what kind of controls you should have with a supplier.
In ISO 13485:2016 they talk about a “risk-based approach” and they reference guidance from ISO 14971. I think this creates confusion for many companies because 14971 is product-based risk management. What 13485 is saying is that your risk-based approach is more about methodology - that is, risk management plan, risk assessment and risk controls. You can and should apply this type of methodology when qualifying your suppliers.
When you do a risk assessment, you can determine which things are classified as “low risk” versus “high risk” in order to clarify your supplier criteria. For example, suppliers classified as higher risk might have controls such as: on-site audits, clear supplier quality agreements with roles and responsibilities defined, and monitored activities such as spot checks on incoming product. You may even choose to do 100% inspection on the first few shipments of the product.
Another thing that’s important about this topic is that contract manufacturers are considered to be suppliers. Companies have often taken a lot of liberties with contract manufacturers, such as overlooking certain aspects based on the fact the manufacturer is ISO 13485 certified. At the end of the day, it is your responsibility as the medical device company associated with the device being produced. You don’t get to wash your own hands and point to the contract manufacturer to assume responsibility for any issues.
How to Handle supplier issues
Your risk-based approach to managing suppliers should include trigger events or scenarios that tell you when to escalate an issue or take necessary action. If you start identifying nonconformances, such as parts that don’t meet your user criteria and it appears to be systemic, then you can issue a SCAR (Supplier Corrective Action Request).
The expectation of the supplier, if they are issued a SCAR, is to initiate their own internal investigation and CAPA. You’d also expect them to involve and communicate with your company along the way. Once they close the CAPA, you’re essentially going to be verifying the effectiveness of their corrective action. You might find that you have to tighten controls, at least for a period of time.
In any case, you should definitely notify the supplier of any known issues with the product being returned, even if you’ve noticed just one or two non-compliant products coming through. The idea is to nip it in the bud before it becomes a systemic issue. This is where ongoing monitoring of supplier performance is key.
The risk-based approach you use for supplier management should be looked at as a top-down approach to how you do everything in your medical device company. So for example, you conduct risk assessments on your device and you come up with a certain risk level for it - this can be an excellent guide for the level of risk and scrutiny you apply to suppliers.
Supplier management should be an area of your quality system that you conduct internal audits on regularly to ensure records and procedures are properly documented and up to date. Develop clear acceptance criteria, utilize an approved suppliers list and ensure that you have monitoring activities in place to manage the relationship. And remember, the quality of your suppliers and those relationships have a direct relationship with the outcomes for your medical device.
With Greenlight Guru's Part 11 compliant medical device QMS software, companies will automatically use a risk-based approach throughout its advanced document management features. Users can tackle this entire process worry-free, while also expediting reviews and approvals for every document needed to qualify and manage their suppliers.