QA/RA Consulting, Auditing & Training


Let's get started

How to Evaluate, Select Combination Products Suppliers

Combination products are some of the most heavily scrutinized healthcare products on the market, and often involve numerous subcontractors and suppliers. For the legal manufacturers of combination products, the selection of suppliers is fraught with risk. A problem with a single component supplier can have serious implications for patient safety, supply continuity, and the manufacturer’s bottom line!


How Supplier Evaluation, Selection, and Management Fit Into Your Overall QMS

US FDA and the EU require combination products manufacturers to evaluate potential suppliers and document the process of doing so. In this article, we focus on the nuts and bolts of supplier evaluation and selection.

Supplier quality management is a subset of your overall quality management system (QMS). If you were to separate your QMS into three buckets, it might look like this:


  1. Internally focused components – documentation management, management review, internal audits, etc.
  2. Product realization components – design control, production and process control, process validation, etc.
  3. Externally focused components – customer-related processes, feedback, complaints, and supplier quality management

Aspects of supplier evaluation and selection fall into all three buckets. As the legal manufacturer, you are responsible for all aspects of safety and efficacy, even those activities that might be performed or provided by the supplier. As such, you must have documented procedures for overall supplier management, including but not limited to supplier evaluation, selection approval, and verification of purchased products. In this article we focus specifically on the evaluation and selection of suppliers. The ultimate goal is to plan and implement a consistent risk-based approach to engaging with new suppliers.

Combination products fall into one of the following categories. If you’d like to see examples of products from each of these four categories, read our article “Drug, Device, or Both? Overview of FDA Premarket Regulation of Combination Products.”


Drug + DeviceDrug + BiologicBiologic + DeviceBiologic + Device + Drug

Defining Purchased Product Requirements for Combination Devices

Your purchased product requirements feed directly into supplier requirements. Once you know what you want to purchase, you can determine who could supply it. The supplier requirements define exactly how you need the supplier to meet your purchased product requirements:



The need to establish supplier selection criteria applies equally to medical device and pharmaceutical manufacturers. Inputs to establishing supplier criteria include:


  • Adequacy of requirements
  • Supplier capability
  • Performance history
  • Criticality of components
  • Applicable regulations
  • Impact on patient safety
  • Effect on quality

Your focus should be on a supplier’s capability and suitability to meet the requirements. You can think of those requirements as falling into two categories:


  • General supplier requirements – applied to all suppliers regardless of their impact on the product; these include factors like environmental requirements, legal requirements, financial stability metrics, etc.
  • Product-specific supplier requirements – these include a mix of technical and business needs, such as:


    • Specialized personnel qualifications
    • QMS requirements
    • Regulatory requirements
    • Change notification requirements
    • Process capability to generate the product
    • Scaling capacity to produce needed quantities
    • Technical expertise
    • Delivery performance and customer service responsiveness
    • Facility location(s)
    • Pricing
You Can’t Outsource Risk!
When you take on a new combination products supplier, they introduce new risks to your product and company. Some of those risks may be known ahead of time and deemed acceptable, while others are obviously unknown. You – the legal manufacturer – assume all risks for your device. Learn more with our Managing Risks in Combination Products and Drug Delivery Systems course.


Establishing Combination Products Supplier Evaluation and Selection Criteria

Before you start an evaluation, set yourself up for success (and compliance) by treating it like a mini-project with appropriate project controls:


  • Define clear requirements
  • Establish specific and achievable objectives
  • Evaluate your people/money / time resources
  • Set up a Gantt chart with major tasks, dependent tasks, and schedules
  • Establish milestones and communication methods for potential problems and progress

You must have specific objectives and consistent criteria against which to evaluate each supplier. There are two specific types of criteria that should be defined:


1. Supplier-focused criteria

  • Supplier capability to meet requirements
  • Supplier performance – can the supplier meet your expectations for quality and delivery?

2. Product- / service-focused criteria

  • The impact of a potential purchased product on combination product quality
  • Risks associated with the (related) finished combination product

You decide how many criteria to create and what to name them. Purchased products/services for combination products may include:


  • Medical device constituents
  • Medical device components and assemblies
  • Active pharmaceutical ingredients
  • Drug products
  • Containers and closures
  • Services – contract manufacturing, packaging, delivery, sterilization, etc.

Regulations and standards will define which purchased products fall within the scope of your organization. As a general rule, if the product/service could affect the safety or efficacy of your product or combination device – or your compliance with regulatory requirements – then it falls within the scope of your supplier’s QMS.

Once you’ve determined your criteria, create a spreadsheet to keep track of each supplier score in the individual criteria. A simple template is shown below. Because some individual criteria will be more important than others, we recommend that you weigh each evaluation criterion. For instance, take all criteria below and assign each one a value so the combined score adds up to 100. Then adjust each one to assign a higher value to some (e.g., previous supplier relationship, incoming inspection results) and perhaps a lower value to others (e.g., on-time delivery, access to records). Don’t overthink it. The key is to be consistent in how you evaluate each supplier.

Start this evaluation with a list of potential suppliers, even if that list includes just one company! Why would you do a full evaluation if there’s only one supplier (perhaps an internal division) to choose from? That’s easy – because it’s required. You need to document that you have gone through the full evaluation process, applied all criteria, and examined all risks associated with the purchased product and the supplier. This will allow you to demonstrate that you established appropriate controls by gathering the information needed to make an informed, risk-based decision.

Section 7.4.1 of ISO 13485:2016 clearly states that you “…shall establish criteria for the evaluation and selection of suppliers.” In reality, these activities are two distinct steps, each with its own risk-based criteria:


1. Evaluation – focus on purchased product risk
2. Selection – combine purchased product and supplier risk


When to Use Specific Methods of Supplier Evaluation

There are, of course, many ways to evaluate suppliers. Some are simple, others far more intensive. The depth with which you evaluate a potential supplier has a lot to do with the potential impact that supplier could have on your company and finished product, as noted below:


Potential ImpactWork PerformedExamplesPotential Evaluation Criteria

Finished device manufacturer

Critical subassembly

Contract sterilization

Primary packaging

Original equipment manufacturer (OEM)

Contract manufacturer of device part, inactive or active drug

Critical service or material providers

Full QMS audit

Quality agreement

Capability study

Measurement system analysis

Product sample

Evidence of qualification (e.g., QMS certification)


Secondary packaging

Calibration services

Warehouse services

Catalog / off-the-shelf material supplier

Routine service provider

Documentation audit

Licenses, certificates, or other evidence of qualification

MINORQMS consulting


Pest control provider

Evidence of qualification
(e.g., CV or license)

Here are different ways to evaluate suppliers and when to use them:


  • Supplier self-assessment – This can be a bare-bones baseline assessment that’s applicable to all suppliers. It can be an effective way to gather some basic information such as QMS certifications, licenses, org charts, and DUNS #, but you should put limited weight on a self-assessment of capabilities or performance.
  • Desktop audit – This is a lower-cost method of evaluation than an onsite audit, and it’s used to look for evidence of conformance to your purchased product and / or supplier requirements. You can use this as an alternative if you can’t conduct an onsite audit.
  • Onsite audit – If you are selecting a sole-source supplier and / or the purchased product has a high-risk impact on the finished device, you’ll want to conduct an onsite audit, if possible. This should be performed by an experienced quality auditor and a subject matter expert. During the audit, you’ll look for evidence of conformance to requirements in both documentation and implementation. Essentially, you want to confirm that the supplier has the capability to provide the product or service you are purchasing according to your requirements. You can outsource the audit to a qualified third-party auditor if needed. Some manufacturers may not allow this to occur, so you’ll need an alternative plan – such as increased testing – to assess the risk.
  • Previous performance – If you want to use an existing supplier for a different product, look for data in the organization that can be used to evaluate the supplier as a provider for the different purchased product. This can include existing capability studies, on-time delivery performance, known technical expertise, etc.
  • Material testing – Again, this is highly dependent on the product being purchased, but in some cases, it makes sense to have a third-party lab perform tests on the samples. If the material is an item that is already being manufactured, the supplier should present an analysis of the quality and supply history for the item. Embrace the maxim “trust but verify.”
  • Formal certifications – The importance of this somewhat depends on the product type that you are planning to purchase, but many manufacturers look for ISO 13485, ISO 9001, and / or ISO 17025 certification, among others. Various licenses may also be required / applicable.

Remember, do not provide any confidential information to a potential supplier until a confidentiality agreement has been signed. Also, take steps to ensure that submissions and assessment data gathered during the organization’s evaluation phase are not communicated outside the evaluation team.

Single Source or Multiple Suppliers?

Having two suppliers for a particular component can be a good way to mitigate supply risk. However, a single supplier may be able to lower your overall costs. Each has pros and cons.

Single-Source RisksMultiple-Source Risks

Disaster recovery / disruption to supply

Cost control

Significant quality issues – other supply options?

Variance in quality from supplier to supplier, and impact to your processes and product

Information management and consistency in communication to all suppliers

Selecting, Qualifying, and Approving the Supplier

The goal of supplier selection is to document why you chose a specific supplier and add them to your approved supplier list (ASL). ISO 13485:2016, FDA 21 CFR 820.50, and ICH Q7 all require you to maintain records concerning results of supplier selection activities.

Once a supplier is chosen, you’ll need to go through a qualification process. That process may be quite simple for low-risk suppliers who may be added to your ASL with a status of “approved.” High-risk suppliers will require a more involved qualification process before they can be added to your ASL with “conditional” approval status.

Qualifying the supplier provides a structured way to communicate expectations and ensure the supplier’s understanding of them. It can also be used to generate evidence to justify the application of varying levels of control to suppliers (e.g., approval levels). You should use a risk-based approach to choose the qualification tools for each supplier. You define the qualification requirements, but many of the activities will be completed by the supplier. For example, you may require process validation studies for a critical manufacturing process, but the supplier conducts the studies and presents the results to you. Or, you may choose to begin receipt of purchased product from the supplier while conducting qualification activities in parallel (e.g., conditional supplier approval). Conditional approval is OK as long as you have proper controls in place, such as tighter sampling / inspection plans, more direct oversight (service suppliers), etc. Always make sure that supplier and quality agreements are in place.

Who needs to sign off on supplier selection approvals? At a minimum, members of the selection team or the selection project leader need to approve the selection, but it is highly recommended that you get management-level review and approval signatures for higher-risk purchased product suppliers.


Want to Learn More?

Oriel STAT A MATRIX offers a wide variety of training on medical devices and pharmaceutical compliance, including combination products. To advance your knowledge on this topic, consider our in-depth class on supplier qualification for combination products. Our consulting team is also available to help you with specific issues.

Our team is here to help. Contact us online
Get answers right now. Call

US OfficeWashington DC


EU OfficeCork, Ireland

+353 21 212 8530