Regulatory Open Forum

  • 1.  Supplier questions

    Posted 12-Jul-2019 09:09
    Hi everyone,

    Happy Friday to you all.  I have a few questions regarding supplier management in a small medical device startup company. 

    One of my concerns is the loose usage of the term "critical supplier".  We manufacture electrical medical equipment. There are many pieces like PCBs, connecting cables that are deemed critical components.  Due to the special nature of the device, many of our suppliers are single-source (meaning if they were to go out of business tomorrow, there are no easy replacements or at least the replacements would not come without incurring significant costs and time).  In a risk-based approach as per ISO 13485:2016, we classify them as high-risk critical suppliers. At the same time, we have many critical component suppliers that are low risk because they are quite replaceable and they have a good industry reputation. They would not be evaluated like the high-risk critical suppliers as mentioned above.  In both cases, they are critical suppliers.

    For the 4 classes of suppliers, we have highest risk, high risk, moderate risk, and low risk.  In the world of MDSAP, which ones are critical suppliers?  The high-risk critical suppliers or the low-risk critical suppliers?  We also have a QMS process that is outsourced, like subassembly manufacturing; it is a very high-risk supplier. But does it make sense to classify them in the same category with suppliers of PCBs?

    I look forward to any insights. 


    Thank you.



    ------------------------------
    Karen Zhou
    ------------------------------


  • 2.  RE: Supplier questions

    Posted 13-Jul-2019 10:56
    Edited by John Minier 13-Jul-2019 11:04
    Hi, Karen,

    Interesting question. First, I would advise you separate business risk from product quality risk. Yes, single-source suppliers are a major concern for your business continuation plans. You can address this risk with appropriate levels of inventory, supply agreements, and keeping an eye out for potential alternative suppliers. Contingency plans will help quantify the potential costs if a single-source vendor closes up shop.

    Product quality risk is the goal of your QA/RA approach to supplier classification. That is based on potential harm to patients and users, a factor of severity of harm and occurrence of harm, based on various hazardous situations. These are the input and output of your product quality risk management process. Usually critical suppliers are sterilization services or if you outsourced the assembly of your product. Remember, too, to include mitigation such as audits, incoming inspection, inspection acceptance/rejection trending, and testing as well as any design or training mitigation.

    Separating these 2 types of risk will help you focus on the basics of addressing each appropriately.

    Good luck!
    ------------------------------
    John Minier, RAC
    Consultant, Principal
    john@johnminier.com
    (914) 850-4432
    Highland Mills, NY
    United States
    ------------------------------



  • 3.  RE: Supplier questions

    Posted 13-Jul-2019 21:13

    I believe you have made this more complicated than necessary.

    First, you should ignore MDSAP. The MDSAP program doesn't create any requirements for a supplier. It is only an auditing method. If you meet the regulatory requirements of each region in which you market a device, then you will pass an MDSAP audit.

    So, the first question is whether you know of any regulatory requirements to define a critical supplier.

    Based on your description, you seem to have eight categories of suppliers, not four. It appears that each of four (highest risk, high risk, moderate risk, and low risk) could have the attribute "critical" (Yes/No). You mention "high-risk critical suppliers".

    With these eight categories, you, presumably, have at least eight sets of controls. In my experience, for many of them (probably six – the suppliers that are critical and the suppliers that are highest risk or high risk) you require both third party certification to a QMS standard and you also conduct periodic QMS audits. I also suspect that you don't have the resources to manage this approach to supplier control.

    You mention the ISO 13485:2016 risk-based approach to supplier management. (In my opinion, the authors of ISO 13485:2016 made a mess of the word risk.) Because ISO 13485:2016 does not use the phrase "risk-based approach", "risk-based", etc. in clause 7.4 it appears you have implemented a non-existent requirement. The requirement is that supplier evaluation and selection criteria are "proportionate to the risk associated with the medical device".

    My recommendation is that you use the GHTF definition of a critical supplier from GHTF/SG4/N84:2010, 5.3. Critical supplier means a supplier delivering materials, components, or services, that may influence the safety and performance of the product.

    The best method to determine a critical supplier is to look at your list of essential design outputs from 820.30(d). Any material, component, or service that supports an item on the list is critical. Any supplier that provides a critical material, component, or service is a critical supplier.

    In my opinion, you should have only two categories of supplier. Critical and non-critical. The controls should be at incoming inspection (sampling plans – use c=0 with switching rules), external controls (independent test houses to verify CoAs), and audits of the process to create certs (CoA or CoC to ensure they are complete and correct) when you rely on them for acceptance.

    If you are concerned about correct implementation of the supplier's QMS, then require that the supplier send you the third party audit report. (It cannot be confidential to the supplier, since you have required conformance to the QMS.)

    In my opinion, too many companies equate compliance with complexity. Unfortunately, a complex implementation is not sustainable.



    ------------------------------
    Dan O'Leary CQA, CQE
    Swanzey NH
    United States
    ------------------------------