Guest Column | July 23, 2015

How To Incorporate Risk Management In Medtech Supplier Quality Management, Part 1

By Marcelo Trevino, Senior VP, Regulatory Affairs and Quality Systems, Applied Medical


Evaluating suppliers from a risk management perspective has become an imperative for medical device companies.

How did we arrive at this point? For one, a number of well-publicized quality issues prompted international regulators and standards organizations to require risk mitigation as part of a manufacturer’s quality management system. (Previous articles in this series have pointed out the prominence of risk management in draft updates to ISO 13485 and ISO 9001.)

In addition, outsourcing has become ubiquitous across the medical device supply chain. Even the smallest manufacturers now work with multiple third-party providers, and some large device makers maintain hundreds of contract service relationships. This trend is making quality management a far more complex and challenging endeavor.

As a result of these and other factors, medical device companies now are re-evaluating their supplier management strategies, drilling into the underlying factors behind quality issues. They are looking at elements like design control problems, or a history of delivery issues or key performance indicators (KPIs) that are off the mark. These investigations often reveal that past supplier assessments were not quite thorough enough, or that key elements were overlooked during evaluations.

In this article (and the one that will follow), I will explain how medical device manufacturers can address these issues by incorporating risk assessment into their supplier quality management plan.

Developing A Risk Management Strategy For Supplier Evaluation

When formulating a risk-based approach to evaluating new or existing suppliers, it is important to first identify the critical control points for your product. These are the points in the process where failure could result in significant harm to customers and to the business.

When many medical device manufacturers conduct assessments to determine if a supplier is critical and will be able to meet expectations, they often focus on the management system requirements for a given standard — looking at checklists to assess ISO 13485 or ISO 9001 compliance, for example. However, this method takes too narrow a view and fails to account for other important parameters that need to be defined.

Although each company will have its own unique process for identifying critical control points, a great tool for defining things that can go wrong with a particular product or process is the failure mode and effect analysis (FMEA). Many device makers use this tool for evaluating internal processes, but FMEA can also be used to identify areas of significant risk at your suppliers that demand special attention, and to determine what you need to do to ensure the risk stays low with them. FMEAs typically are used to assess design or production controls, but they also can be used to incorporate other aspects of the quality system to assess if suppliers are identifying and anticipating potential failures and taking action to mitigate them.

After you have identified those critical control points, you should define the quality requirements you will use to maintain necessary performance at those points. If your product’s success or failure hinges upon certain parameters, tolerances, or specifications that a supplier needs to meet, you must make it a priority to factor those into your checklist and your assessments. Develop questions to ensure that the supplier can produce objective evidence linked to each specific requirement.

For instance: How will we communicate with the supplier? Do we have compatible technology and software systems? Are we looking at the right metrics and key performance indicators (KPIs)? (We’ll explore these and other best practices for implementing risk based supplier management system in Part 2 of this article.)

Another step that is very important is examining the interrelationships across your entire supply chain, and not just looking at aspects in an isolated way. This is a common area of oversight, mainly because medical device companies have so many suppliers and so many considerations. It’s easier to conduct a desktop audit and just follow a checklist, looking at everything from a “yes” or “no” perspective. Unfortunately, this is insufficient. Reviewing significant changes from previous audits and following up on closure from previous SCAPAs, particularly verifying evidence of effectiveness verification checks, is extremely important.

Say you are reviewing a machine that is supposed to cut parts to certain tolerances. You need to look beyond those parameters and ask questions like: What are the supplier’s calibration processes for that piece of equipment? What is the service interval? What training do people who use it have to undergo? What work instructions are operators supposed to follow, and are those instructions clear? Are there any corrective actions, internal audit findings, or nonconforming material reports associated with the process? If it’s a new machine, was it validated appropriately?

To summarize, an effective risk-based supplier management strategy should identify the critical control points for a supplier, determine the data points necessary to evaluate the supplier’s performance on those points, and view everything from an interconnected, process-based standpoint.

Preparing To Demonstrate Compliance To Auditors/Regulators

Another important consideration in any supplier quality management strategy is the development of a qualification plan. This document explains how you determined that a supplier was adequate during the assessment process. Regulators and auditors will expect you to have a qualification plan available for each supplier, and to provide evidence that you’re using them in your supplier audits.

Auditors also will inquire about your approved supplier list. They will want to know how you rank your suppliers on the list, and how you determined that one was more critical than another. You must be able to differentiate your supplier rankings, as well as the type of controls you are applying to each supplier based on that ranking.

In addition, it also is important to be able to show what you are finding in your supplier audits. With so many requirements, it is almost impossible to audit a supplier and find nothing worth noting. Document everything that your audits reveal; regulators will expect to see something from each audit, even if you have only positive observations.

Related, when your audit (inevitably) uncovers an issue, you must create a supplier corrective action plan (SCAPA) or supplier corrective action request (SCAR). This is the same thing you would do for internal issues, just for your suppliers. At the same time, you need to document the methods you use to track completion and ensure these plans are working and effective — be able to produce evidence that you actually followed up on SCAPA, reviewed it, and included it as part of your metrics for quality management reviews.

Third-party auditors will look for evidence of risk. For example, what if you have three SCAPAs on the same issue? How are you dealing with it? Is there something in your process that will trigger a special type of audit or a special meeting with that supplier? How are you managing those risky situations? How did you formalize SCAPA management as you formalized the supplier partnership?

Also, keep detailed nonconforming material reports (NCMRs). Perhaps you will see a trend associated with a particular supplier, pointing to issues with packaging and labeling. Or maybe you have a supplier that is not meeting incoming specifications, which indicates you should go back and determine whether the problem is a result of machining issues, training issues, a new manufacturing location, organizational issues, or some other factors at the supplier. NCMRs will help you identify areas you need to focus on in your supplier audits.

Keep in mind that auditors now are being assigned to certain companies based on the auditor’s level of technical knowledge in a certain area, so they know what trends are out there. If there is an issue with a certain type of material or chemical, they understand how it can impact risk and will want to know how you plan on managing the situation. This is yet another impetus for device makers to be well organized in their supplier risk management planning. Also, when scheduling audits, organizations can benefit from pairing up supplier or internal auditors with processes with which they have previous experience and good technical knowledge.

Auditors also will expect to see your supplier quality agreements. Do you even have one in place? If so, did you define how often you will audit the supplier, what kind of data is required, and what they are supposed — and not supposed — to do? Supplier quality agreements are a must-have. (I will cover this topic in more detail in Part 2.)

Finally, it is important that you go back to your suppliers and collect objective evidence on any items that carry risk. You can't just say you audited a supplier to ISO 13485. Especially when it comes to critical suppliers, you must be able to show what special standards you utilized during an audit. A supplier may have very unique items you have to review in addition to ISO 13485, things like technical requirements, biological requirements, animal origin standards, chemical standards, electrical standards, or specific requirements from the medical device manufacturer. In such cases, you must show what questions you asked, what you looked at when you were there, and what kind of objective evidence you collected to determine if a supplier complies with those requirements (or not). That level of traceability is crucial when answering to an auditor or regulator. Many international regulators and notified bodies expect evidence of compliance to these technical standards and expect the medical device manufacturers to be fully enforcing them.

In Part 2 of this article, I will share best practices for implementing a successful risk-based supplier management system, and explain the requirements that should be clearly defined in a supplier quality agreement.