A medical device is only as good as its parts.
Low-quality parts and components will result in a low-quality device. And a low-quality device puts patients at risk. That’s why supplier management is mandated by quality management system (QMS) regulations around the world.
Good supplier management is one of the fundamental methods for preventing failure of your product. Its goal is to ensure the consistent supply of high-quality parts or components that conform to your specifications.
It may sound simple when I put it like that, but supplier management is a highly involved process with a lot of nuance. So, with this guide, my goal is to help you understand what supplier management requires from your medical device company—and how you can use it to your advantage.
Contract manufacturers and supplier management
Supplier management in the US
What are some tools you can use to manage and monitor suppliers?
Should you have more than one supplier for the same part or service?
Working with multiple suppliers
Final thoughts on supplier management for medical device companies
Supplier management is the umbrella term we use to describe the processes and procedures medical device companies use to ensure that all the products and services they receive meet their specifications.
It’s also one of the first lines of defense against product failure and an essential part of your QMS.
That’s because you probably won’t be making most—if any—of the parts in your medical device yourself. Practically everything you need to manufacture your device will be coming from another company. You may even use a contract manufacturer to build the final product for you.
And that means your internal processes are really the only method you have for controlling the parts and components that will eventually make up your devices. Remember, your goal is to manufacture a perfect device every time. If you can’t control the quality of the materials that go into that device, you will eventually fail to make a perfect device. Probably quite quickly.
But I don’t want you to think that supplier management is simply about preventing failure. It’s more than that. Good supplier management reduces costs and allows you to find creative solutions to logistics problems.
I once worked for a company that made contact lens solution. The bottles for the solution were manufactured for our aseptic manufacturing plant, but they had to be sterilized by radiation at another plant owned by a different company. Could we have them ship the bottles to us, after which we would ship them to the radiation plant and then have them shipped back? Sure.
But because we had strict requirements in place for the transportation of those bottles, we could confidently have the aseptic manufacturing plant ship them directly to the radiation plant, and then back to us. That may not sound incredibly innovative, but it saved us a lot of money on shipping and it was only possible because of good supplier management.
And for smaller companies that are just starting out, without buckets of cash to pour down the drain, that type of maneuver can be the difference between success and failure.
Before we dive into the regulations surrounding supplier management, we need to get one thing clear: even if you are outsourcing manufacturing to a contract manufacturer, supplier management is still your responsibility.
There was a time, decades ago, when medical device companies were usually vertically integrated and made many, if not all, of their parts in-house.
Those days are over, and using a contract manufacturer is now the norm. The contract manufacturer may be dealing with all the parts and components as they come in, but as the legal manufacturer of the medical device, you are responsible for managing those suppliers—including your contract manufacturers.
Remember, you can outsource the work; you can’t outsource the responsibility.
Finally, we need to clarify what constitutes a supplier for software as a medical device (SaMD). After all, making SaMD really just entails writing code, right? Do you even have suppliers if you don’t have hardware?
The answer, of course, is yes. The word “supplier” often leads people to think of someone providing physical supplies, but you can’t forget about service providers. If you outsource any work on your code to other companies or independent contractors, they are supplying you with a service and thus fall under the purview of the regulations regarding supplier management.
If you want a deeper dive on SaMD suppliers, I’d recommend visiting the MedTech Excellence Community and watching this AMA on contract manufacturing and supplier management with Mark Rutkiewicz.
Supplier management is an integral part of a medical device manufacturer’s quality management system (QMS), and its requirements are found in the regulations and standards governing quality management systems around the world.
Before we get into these, it’s important to note that most of the regulations and standards you’ll find don’t talk about “supplier management.” They talk about “purchasing.” These terms are synonymous, but the industry tends to use supplier management (as I’m doing in this guide) while the regulations and standards refer to it as purchasing.
In the US, supplier management is part of the FDA’s Quality System Regulations (QSR), which govern what a medical device manufacturer must do to maintain a compliant QMS.
The requirements for supplier management can be found in 21 CFR 820.50, in Subpart E - Purchasing Controls:
Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.
(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:
(1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
(2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
(3) Establish and maintain records of acceptable suppliers, contractors, and consultants.
(b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with § 820.40.
Note that the first sentence calls out “received product and services.” As I mentioned when we talked about SaMD suppliers, service providers very much still count as suppliers. A company that performs radiation sterilization is a service supplier—but without that service you may not be able to sell your product.
Quality management systems in the European Union, and thus supplier management, are expected to follow the requirements set out in ISO 13485, the international standard for medical device quality management systems.
ISO 13485 is a standard, not a regulation, which means it does not hold the force of law. However, your notified body will expect your QMS to conform to ISO 13485 when they come to audit you.
The requirements for supplier management can be found in Section 7.4 — Purchasing, and are made up of three subsections:
7.4.1 Purchasing Process
7.4.2 Purchasing Information
7.4.3 Verification of purchased product
These requirements are lengthier than those from FDA, but cover much of the same ground. It’s worth noting that in the FDA’s proposed Quality Management System Regulations (QMSR)—which incorporate ISO 13485 by reference—FDA has stated that the Purchasing requirements for both the QSR and ISO 13485 are “substantively similar.”
Here’s what section 7.4.1 has to say about the responsibilities of medical device manufacturers:
The organization shall document procedures (see 4.2.4) to ensure that purchased product conforms to specified purchasing information.
The organization shall establish criteria for the evaluation and selection of suppliers. The criteria shall be:
a) based on the supplier’s ability to provide product that meets the organization’s requirements;
b) based on the performance of the supplier;
c) based on the effect of the purchased product on the quality of the medical device;
The organization shall plan the monitoring and re-evaluation of suppliers. Supplier performance in meeting requirements for the purchased product shall be monitored. The results of the monitoring shall provide an input into the supplier re-evaluation process.
Non-fulfilment of purchasing requirements shall be addressed with the supplier proportionate to the risk associated with the purchased product and compliance with applicable regulatory requirements.
Records of the results of evaluation, selection, monitoring and re-evaluation of supplier capability or performance and any necessary actions arising from these activities shall be maintained (see 4.2.5).
While it is expected that you follow ISO 13485 in the EU, we can’t forget about the Medical Device Regulation (EU MDR) and the In Vitro Diagnostic Regulation (EU IVDR). There are provisions in both regulations for purchasing and supplier management that you should be aware of.
Notably, MDR and IVDR both say that the competent authorities "shall carry out both announced and, if necessary, unannounced inspections of the premises of economic operators, as well as suppliers and/or subcontractors, and, where necessary, at the facilities of professional users."
This means your notified body can and will audit your suppliers—potentially unannounced. I’ll get to the implications of that and some practical tips for handling it when we talk about your own supplier audits and agreements.
The Medical Device Single Audit Program (MDSAP) was created to streamline the auditing process for companies that place medical devices on the market in multiple jurisdictions. The current members of MDSAP are the US, Canada, Australia, Brazil, and Japan.
The program offers a single audit that’s recognized by all of these countries, and it has released a document called the MDSAP Audit Model that lays out what their auditors are looking for.
If you plan on taking advantage of MDSAP, you can find information on supplier management in Chapter 7 - Purchasing of the MDSAP Audit Model document, which lists five outcomes auditors want to see.
Outcomes: As a result of the audit of the Purchasing process, objective evidence will show whether the medical device organization has:
A. Defined, documented and implemented procedures to ensure purchased or otherwise supplied products conform to specified purchase requirements
B. Established criteria for the selection, evaluation and re-evaluation of suppliers based on the type and significance of the product purchased and the impact of the supplied product on subsequent product realization or the quality of the finished device
C. Performed the evaluation and selection of suppliers based on the capability of the supplier to meet specified requirements
D. Ensured the continued capability of suppliers to provide quality products that meet specified purchase requirements through re-evaluation
E. Determined and implemented an appropriate combination of controls applied to suppliers in conjunction with acceptance verification activities to ensure conformity to product and quality management system requirements, based on the impact of the supplied product on the finished device.
The MDSAP Audit Model is an extremely useful document because it combines both ISO 13485 and FDA QSR requirements for supplier management. It also provides country-specific requirements, such as those for Brazil and Australia, and it’s a great baseline to follow for supplier management best practices.
Before you can purchase anything from a supplier, you must qualify them and place them on your Approved Suppliers List (ASL).
Your ASL is simply a list of all the suppliers you’ve qualified, as well as what items or services you’ve qualified them for. Just because a supplier is on your ASL for one specific part, that doesn’t mean you can order other items from them unless they’ve been qualified for the other items, as well.
The process for getting a supplier onto that list will look a little different for every company, but generally you’ll follow these six steps:
The first clause in both the QSR and ISO 13485 directs medical device companies to establish procedures for ensuring that purchased product meets your requirements.
These procedures are a critical part of your greater QMS, and you should have your supplier management procedures in place before you begin qualifying suppliers.
You don’t want to get to a point where you’re trying to retroactively apply those procedures to suppliers that you’ve already purchased product from. It’s very difficult to justify that choice to an auditor when it’s clear you didn’t follow any documented procedures for evaluating and choosing a supplier.
Creating the criteria you’ll use to evaluate suppliers is a crucial first step, because without criteria in place, you may be tempted to use a supplier that doesn’t actually meet all your requirements.
The criteria you use will be unique to your circumstances, but they’ll revolve around some key points, such as:
The product specifications that you need a supplier to meet
Whether they have a documented quality system in place
Whether they have supplier management procedures in place for their suppliers
The standards they’re certified to (like ISO 13485 or ISO 9001)
The volume they can produce for your company
Once you have the criteria in place for a given part or component, you can begin your search for suppliers that meet those requirements.
Most companies start by Googling for suppliers who can provide the product or service you need. There’s no harm in starting that way, but your initial Google search is not nearly enough.
Once you find some prospective suppliers, you’ll need to send them a supplier questionnaire to gather more information about their ability to meet the criteria you laid out in the previous step. You’re trying to get to the bottom of questions like:
Can they meet your internal specifications for this item? For instance, if you need a plastic bottle, what characteristics must that bottle have? What materials must it be made from? What dimensions must it have?
How many units can they make each year? Can they make enough product to meet your needs right now? Will they be able to grow with you or will you need to look for additional suppliers for this item as you produce more devices?
What regulations do they currently follow and what standards are they accredited to? If they’re ISO 13485 certified, you can be confident they already meet many of the requirements you’ll need them to. If they’re not ISO 13485 certified, that doesn’t mean you can’t use them, but you’ll need to include a lengthier set of questions regarding their QMS.
A detailed questionnaire helps both you and the prospective supplier. It will give them a better sense of whether or not they can do what you’re asking, and it will help you decide whether or not they meet your criteria.
For each supplier, you’ll need to determine the level of risk they represent to the product and thus the extent of your responsibilities when it comes to monitoring them.
There are a number of ways to categorize your suppliers, but I’m partial to starting with a critical vs. non-critical framework.
Non-critical suppliers have no direct or indirect relationship with the product or manufacturing processes, such as a business that supplies your stationery or caters meals for you. These are still suppliers, but they don’t have to go on your ASL.
Critical suppliers have a direct or indirect relationship with the product or process and they must be qualified and placed on your ASL if you want to order anything from them.
Critical suppliers are generally broken down into three categories based on their potential impact on product safety. Although there are other ways to group them, personally, I would use a three-tier approach. For example:
Tier 1 - Highest Risk: Includes any integral component of the device that impacts safety. Also includes contract manufacturers assembling the device. This would also include services like sterilization that impact the safety of the device.
Tier 2 - Medium Risk: Includes custom, device-specific components that don’t directly impact device safety. This tier also includes services like pest control and your logistics and shipping provider.
Tier 3 - Lowest Risk: Standard, “off-the-shelf” items. Any consultants you use that provide a service related to the product or processes would also fall under this tier.
Now, is it possible to lump all your critical suppliers into one group and still be compliant with the regulations? Sure. However, by using the tiered approach, you’re demonstrating to auditors that you understand risk and are actively using a risk-based approach to supplier management.
Your supplier questionnaire is a way for suppliers to tell you what they can do; an onboarding audit is a means of verifying the answers to that questionnaire.
You can think of your onboarding audit like the first step of ISO 13485 certification. You’re there to ensure the supplier’s QMS meets your requirements and they can handle working with a company in a highly regulated space.
Generally speaking, you’ll need to audit all of your Tier One suppliers before adding them to your ASL. After that, you would generally audit them every one to two years to ensure they are still able to supply products that meet your specifications—and do so in a manner that is compliant with regulations.
Tier Two suppliers also likely need an upfront audit. However, you might audit them on a longer schedule, such as every three years.
For Tier Three suppliers, you probably won’t need to audit them before onboarding them. You also won’t be expected to do ongoing audits with them unless there is cause, such as a high number of complaints or a poor supplier scorecard.
PRO TIP: If you’re on the fence about doing an initial audit, you should probably take the leap and perform it.
For one thing, you now have the option of doing virtual audits. And while it may not be exactly the same as being on site, you can still perform virtual audits successfully.
But the other reason you may want to be proactive about auditing your suppliers has to do with EU MDR. I previously mentioned the provision in MDR which states that your notified body can audit your suppliers at any time. As you might imagine, that puts a lot of pressure on your suppliers.
However, if you can show your notified body that you’ve performed an initial audit of your supplier and that you’re regularly auditing them afterward, it gives the notified body less incentive to go see your supplier. That’s not to say they won’t, but it shows them you’re monitoring this supplier closely.
The final thing that stands in the way of adding a supplier to your ASL is crafting a formal agreement for their services.
Your supplier agreement is a legally binding document and it will govern your relationship for as long as you’re using that supplier. In my experience, no one thinks about the supplier agreement when everything is going well. It’s only when there’s a problem that both parties look back at the document they signed.
That’s why your agreements need to spell out more than just the price you’ll pay and the number of units the supplier will deliver. There are a number of items that should end up in your agreements, but there are three in particular I want to call out here because of their importance:
The quality agreement. This is the high-level overview of both your responsibilities and those of the supplier. It ensures everyone knows what they need to do and how to do it.
The no-change clause. This ensures your supplier can’t make a change to the product or service without informing you a certain amount of time in advance. This absolutely must be in your supplier agreement, as it protects you from unannounced changes in what you’re receiving.
The audit clause. In this clause, your supplier agrees to submit to an audit from your notified body. This is an important clause because, as we touched on earlier, it ensures your notified body has the access to suppliers required by MDR and IVDR.
These are not the only elements of a formal agreement that should be in place, but they are some of the most important.
My advice is to use Appendix 2 of this NBOG document and Annex 4 of the MDSAP Audit Model to get a good understanding of what needs to be in your agreements. The NBOG guidance is particularly useful because it’s a document that notified bodies use and it shows you exactly what they want in a supplier agreement.
Once you have a formal agreement in place, your supplier can finally go on the ASL and you can begin ordering from them.
So, you’ve got the suppliers you need on your ASL. The entire qualification process can take months, and it’s a major milestone in getting your device to market.
But this is really only the beginning of what will hopefully be a long and mutually beneficial relationship. Just because you’ve approved a supplier, that doesn’t mean supplier management ends there. You’re required to monitor and periodically re-evaluate suppliers to ensure the product and/or service they supply still meets your specifications.
With that in mind, let’s walk through some of the methods you’ll use to manage your relationships with suppliers.
You’ll use a supplier scorecard to keep track of how well your suppliers are doing in terms of meeting your agreement and sending you products that meet your specifications. Basically, you’ll track certain data, such as:
Once you’ve decided on the performance categories you’ll use, you need to develop a weighted scoring approach. This will ensure that you’re prioritizing what’s most important to you as you score your suppliers.
And at the end of every month (or at least every quarter) you’ll review the scorecards and see how each supplier is doing.
Different companies will grade their suppliers in different ways, but I’ve seen a “traffic light” approach work well here.
Green - They have a clean scorecard and there are no problems with this supplier.
Yellow - The scorecard shows that there have been some issues. You’ll need to have a conversation with this supplier and you may even need to visit them in person to look at the specific problem that’s come up, outside of a scheduled reevaluation audit.
Red - There are serious issues with the supplier. They need to be addressed immediately or you will need to explore potential new suppliers.
A scorecard is a great way to ensure that you’re tracking a variety of data about each supplier, and it creates a systematic process for the ongoing monitoring of your suppliers.
A supplier corrective action request (SCAR) is a formal request regarding a nonconformity issue with a supplier. SCARs are generally raised in response to receiving a batch of product from your supplier that doesn’t meet your specifications upon incoming inspection. (This isn’t the only reason you might raise a SCAR with your suppliers, but it is one of the most common.)
Now, a SCAR sounds scary, but it’s really just a request for your supplier to open a CAPA. You’re asking them to investigate the problem, find the root cause, and then take corrective and/or preventive actions to ensure it doesn’t happen again.
This is one of the reasons it’s nice to work with a supplier that has ISO 13485 certification. You know they already have a CAPA process in place and you can be fairly confident they know how to handle a SCAR if you need to raise one.
So, if a supplier isn’t ISO 13485 certified, that means one of the questions on your supplier questionnaire should probably be whether or not they have a CAPA process in place.
When we talked about determining the risk for your suppliers, I mentioned that your Tier One and Tier Two suppliers would need to be audited on a regular schedule.
That schedule will be determined by the supplier agreement, and it’s a good way to ensure that your suppliers are still adhering to the standards or regulations you expect them to. Your goal here is to determine whether your process and quality management requirements are being carried out.
For example, that may mean an inspection of their facility to ensure their clean room areas are actually sterilized and not being contaminated in some way. But you may also want to see their process for handling nonconforming products or ensuring the traceability of their products from raw material to final product.
Your scheduled audits are also a good opportunity to follow up on any SCARs you’ve raised in the past, especially if you’ve raised the same one multiple times. It’s a chance for visual confirmation that they’ve taken action to fix the issue.
I can’t stress the importance of your supplier agreement enough. If you’ve created a thorough one that covers all your bases, it can be one of your most important tools for managing your relationship with your supplier.
Take supplier concession requests, for instance. You may run into a situation where your supplier asks you to make a concession for a nonconforming product. This means they have a batch of your product that doesn’t quite meet your specifications, but the supplier says it will still function as necessary. The issue could be that the color is a little off or there’s a very small discrepancy in a measurement that won’t cause a problem.
However, you, the customer, must accept or refuse to make the concession. And the whole situation will be a lot easier to resolve if you’ve stipulated how concessions should be handled in your supplier agreement.
I’ll start with the short answer, which is yes. It’s not a good idea to have all your eggs in one basket. Maybe the supplier goes bankrupt. Maybe they raise their prices beyond what you can afford. Or maybe there are quality issues that become so severe you’re forced to stop doing business with them.
At that point, you may be facing months of work to qualify a new supplier and get them onto your ASL. So, unless stopping production for a few months doesn’t sound like a big deal to you, you’ll want to have multiple sources for items or services that you need.
For some parts and components, getting multiple suppliers onto your ASL shouldn’t be difficult.
“Off-the-shelf” items you can buy from dozens of suppliers will fall into your Tier Three group, and won’t require an intense supplier qualification process. But for important items with higher risk levels, establishing several suppliers can be trickier, and it can be more difficult to navigate your supplier relationships.
The first hurdle is figuring out how you’ll allocate your purchasing between multiple suppliers. Keep in mind that you probably won’t be able to qualify a supplier and then keep them on the ASL as backup. Few suppliers want to go through the evaluation process and an audit just to be your backup in case anything goes wrong. They want to do business with you for the hoops they’ve had to jump through.
So, you have some options here. You could simply qualify multiple suppliers and split the supply of parts you get from them evenly. You could also use a primary supplier to cover your basic needs, and another supplier to cover your growth projections. Whatever you do, I promise you’ll be glad that you have another supplier on your ASL if things go south with one of them.
It’s all well and good to say, “Get more than one qualified supplier for all your parts.” But sometimes, there’s only one supplier who can do what you need them to.
You’ll usually run into this for two reasons. First, you need a niche part or component that is difficult to source, especially at the volume you need. Second, the industry for the product you need may be heavily consolidated. It’s not uncommon to run into a company that holds a monopoly on a part or service, so they are de facto your only option.
There aren’t any easy solutions here, unfortunately, but there are a couple things you can do.
If you only have one option for a supplier, that’s a huge business risk, and you can take that into account as you consider which tier to place them in. So, regardless of the safety risk this part represents, you might place the supplier in Tier One, which requires the most careful management. By doing so, you’ll hopefully catch any issues early and use the tools from the previous section to fix them.
Your other option is to simply order more than you need, like saving for a rainy day. That way, you buy yourself some time (maybe six months to a year) to fix any issues or continue searching for another supplier before you have to stop production.
These aren’t easy situations to navigate, but it pays to prepare for them ahead of time because it’s possible you’ll find yourself with limited options for a specific part or service at some point.
Supplier management requires an enormous amount of documentation. It also requires you to be able to find and access those documents quickly and easily.
If you’re an early-stage medical device company that’s considering going with a paper-based QMS or a generic eQMS used by dozens of other industries, you should know there’s another, better option.
Greenlight Guru’s MedTech Lifecycle Excellence (MLE) platform includes an eQMS built specifically for the medical device industry. With Greenlight Guru, you get a single source of truth for all your documentation, including supplier management, and you maintain closed-loop traceability throughout the entire product lifecycle.
Greenlight Guru also helps you conduct better supplier audits, flagging certain suppliers for follow-up actions and linking to nonconformance issues to determine if you’ve had problems in the past. It all creates a highly visible system that’s easy to navigate and understand.
Benjamin Bancroft is a Medical Device Guru at Greenlight Guru who enjoys working on audits, CAPAs and Root Cause Analysis. He is a Quality and Regulatory Manager who began his career maintaining the QMS for multiple companies as a CAPA and audit SME. He enjoys helping customers successfully navigate regulations to...