Supplier Management Under ISO 13485:2016

Let’s look at how to perform supplier management under the ISO 13485:2016.

Effective supplier management is critical for controlling risks, ensuring the reliability of the supply chain, and ultimately delivering safe and effective medical devices to patients.

ISO 13485:2016 emphasizes in Chapter 7.4 the importance of supplier selection, evaluation, and monitoring. Let’s explore the key aspects of supplier management as outlined in the standard:

The Key Aspects

1. The product: At first, there’s the need to purchase a product. In a perfect world, you would define which product you need and which quality requirements you have for that product. Only then, you would fan out to look for a supplier. We all know that in reality, you would probably first compare the suppliers and see which product is nicer. Only then you would “define the quality requirements” according to the available products.
2. Supplier Selection: Of course, you would only consider suppliers that are able to provide you with the product you’re looking for. Duh. What you should also consider here though is whether the supplier can also meet your organization’s requirements: Do they offer to sign a Data Protection Agreement? What are their customer service availabilities? Are their servers in the EU or in the US? Stuff like that. Auditors love if you note all those considerations down. Further, you might want to check whether they have certain certifications. When they are handling your health data for example, it would be good if they were ISO 27001 certified.
3. Risk-based approach: Before you go overboard with defining requirements, always remember the context. Does the product even have an impact on the medical device (direct or only indirect?)? What would happen if the supplier stops providing the product? If nothing would happen, you can relax.
4. Monitoring: Whenever you purchase a product from the supplier, you should check whether it’s actually the product that you wanted/ordered. Apparently, this has to be mentioned. Sometimes I have the feeling that the regulators think we’re dumb. Depending on the criticality of that product and/or supplier, it makes sense to establish further quality controls for the purchased product and/or supplier audits. Anyway, you should keep track of whether the supplier keeps delivering the quality that you expect.

Documentation

1. Create a List of Qualified Suppliers. Include every supplier that influences your QMS or medical device. Exclude suppliers that don’t have any influence at all: coffee bean suppliers etc.
2. Create a Supplier Checklist for every supplier on the list.
3. Add the results from the Supplier Checklist to the List of Qualified Suppliers
4. Update your supplier assessments (the scores) regularly – i.e. every time you receive a product from them. At the very least, you should reassess your suppliers once a year. An ideal time for this would be just before your management review.

Feel good

By adhering to the guidelines and requirements of ISO 13485, organizations in the medical device industry can establish a robust supplier management process. This helps ensure the reliability of the supply chain, minimize risks, and maintain the highest level of quality and safety in their products. Effective supplier management not only benefits the organization itself but also contributes to the overall improvement of the healthcare ecosystem, ultimately safeguarding the well-being of patients who rely on medical devices for their health and well-being.