Oct 19, 2018

Understanding the Risks Posed by Your Medical Device Suppliers and How Supplier Quality Fits


With each passing decade, the world economy becomes more interconnected.

It is not unusual for today’s medical device manufacturer to source circuit boards from South Korea, display screens from China, injection-molded components from Mexico, and precision bearings from Germany – all of which are assembled into a finished device in Costa Rica before being sent to the US for distribution all over the world.

The geographic dispersion of suppliers, combined with the fact that more device companies are choosing to become “virtual” manufacturers, means medical device companies have to be ever more vigilant about maintaining control over their suppliers.

The impact medical device suppliers and subcontractors have on your overall business risk

Suppliers can introduce significant risk to your company that extends well beyond the safety and efficacy of finished devices – they impact your ongoing compliance with regulations and present operational risks that might not be obvious. Here’s a quick story to illustrate that point.


This is the first installment of a 4-part blog series on supplier management. In subsequent posts we talk about evaluating new suppliers, auditing them, and evaluating their output. We’ve combined all four posts into one easy-to-read PDF. Download it here.

In late 2017, Kentucky Fried Chicken (KFC) changed their delivery logistics provider in the UK. Their previous delivery logistics provider had distribution centers throughout the UK. The new provider was large and reputable and promised lower costs, but had only one UK distribution center. While the new supplier did indeed deliver lower costs, they forgot to deliver the chicken. For weeks, hundreds of UK outlets were KF minus the C. The fiasco resulted in tens of millions of dollars in lost sales, angry customers, an avalanche of negative press, and social media mockery heard across the world.

The point is that traditional Supplier Quality Management (SQM) often focuses on product quality (the chicken) and not risks associated with suppliers that are independent of the actual product (delivering the chicken). Communication breakdowns. Supply interruptions. Trade disputes. Currency fluctuations. All of these factors have little to do with product quality, but they certainly can have a massive impact on the risk associated with your suppliers. You need to evaluate and mitigate them.

Regulatory requirements related to medical device purchasing and supplier controls

Manufacturers that outsource some or all of their manufacturing and assembly sometimes assume that their regulatory obligations are shared with their manufacturing partners, but this is often not the case. If you put your name on a device, you are legally responsible for all aspects of quality and safety, regardless of whether you actually make the device! Also, when we talk about “purchased products,” those products don’t actually have to be purchased – they could be sourced from another facility in your organization that has its own quality management system. Purchased products can also be services (e.g., sterilization).

In a nutshell, regulators want to make sure you have…

  • Defined, documented, and implemented procedures to ensure that purchased or otherwise supplied products conform to specified purchase requirements.
  • Established criteria for the selection, evaluation, and reevaluation of suppliers based on the type and significance of the product and its impact on subsequent product realization or the finished device quality.
  • Performed the evaluation and selection of suppliers based on the capability of the supplier to meet specified requirements.
  • Developed and implemented supplier metrics, and continue to monitor them, to assure ongoing compliance with established quality requirements and performance.

Every year, the US FDA cites hundreds of manufacturers for failing to properly implement purchasing controls. It’s a major source of Form 483 and warning letter citations by FDA. Here’s an actual published example written by an FDA inspector:

“Your firm’s purchasing control procedure was inadequate in that there were no specified requirements for critical suppliers or non-critical suppliers and annual assessments were to be conducted based on quality/QMS among other criteria; the procedure did not describe how quality would be assessed. Furthermore, your firm did not follow the purchasing control procedure. Specifically, Section 2 of your purchasing control procedure mentions the selection of potential suppliers is based on technological and operational capabilities, logistics, quality, and technical risks. Additionally, Section 4 of the same procedure mentions the requirement that annual assessments be conducted for suppliers. Your QA Manager stated that your firm assesses quality based on discussions held with customers and distributors; however, this was not documented.”

Important regulations and standards relevant to supplier and purchasing controls

We won’t take a deep dive into specific supplier quality regulations in this article, but if you are new to medical device purchasing and supplier controls management you should definitely be aware of (and study) the following key regulations, standards, and guidance documents. This is not a comprehensive list.

ISO 13485:2016 – Section 7.4 pertains to purchasing and section 4.1.5 deals with general requirements, including outsourced processes. Also see sections 8.2.6 and 8.3.

US: 21 CFR Part 820.50 – Purchasing Controls

US: 21 CFR Part 820.80 – Receiving, In-Process and Finished Device Acceptance

US: 21 CFR Part 820.30 – Design Controls

US: 21 CFR Part 820.20 – Management Responsibility

Europe: Medical Device Regulation (2017/745)

GHTF/SG3/N17:2008 – Read this document, entitled “Guidance on the control of products and services obtained from suppliers”

The mechanics of supplier quality management and how it fits in the broader QMS

Supplier quality management is an important subset of your broader quality management system (QMS) and functions as a cyclical process linked to other sections of your QMS. There are three basic components. 

1 – INPUTS – This is where you define the requirements for purchased products, including overall quality planning plus specifying requirements for monitoring outsourced processes, drafting quality agreements, risk management for supplier quality, verification criteria, material specifications, design/development acceptance criteria, traceability, and more.

2 – PURCHASING – The purchasing process has three parts:

  • Supplier evaluation, selection, and approval – Implementing a supplier selection process proportionate to the risk associated with the finished device.
  • Purchased product information – Appropriate information describing the purchased product, including specifications, acceptance requirements, supplier personnel qualification, supplier change notification requirements, traceability, and more. Also includes quality agreements.
  • Verification of purchased product – Defined inspection or other activities to confirm that purchased product meets requirements. This may include inspection instructions, sampling plans, pre-shipment inspections at the supplier, and change risk assessments.

3 – OUTPUTS – Data from the purchasing process feeds multiple interrelated QMS processes. There are three primary outputs:

  • Purchased product and related data – You must monitor and measure product quality throughout the product realization process. This applies to parts and materials too, not just finished devices! Nonconforming products must be identified, documented, controlled, segregated, evaluated, and dispositioned.
  • Supplier performance measures – Appropriate monitoring and measurement must be established for the supplier QMS processes.
  • Overall supplier QMS performance – Monitoring and measurement of the processes will provide both immediate feedback (i.e., catching a problem immediately) and longer-term feedback (i.e., via management review) for system improvements.

Want to learn more about supplier management? We’re just getting started.

If you are enjoying this article, continue reading about how to evaluate medical device suppliers and implement effective controls, the second post in this four-part series. Alternatively, you can download all four posts in a single PDF here. Also, if you want to take the next step and truly enhance your knowledge on this topic, consider our comprehensive Medical Device Supplier Quality Management Training class. As always, we are available at any time to assist with consulting and auditing related to supplier management and other aspects of QMS compliance.
