Guest Column | August 24, 2015

How To Incorporate Risk Management In Medtech Supplier Quality Management, Part 2

By Marcelo Trevino, President, Global Regulatory Affairs and Quality Systems, TregMedical Compliance Services


Evaluating suppliers from a risk-management perspective is imperative for medical device companies.

In Part 1 of this series, we discussed developing a risk management strategy for supplier evaluation, along with a qualification plan to demonstrate compliance to auditors/regulators. In this article, I will share best practices for implementing a successful risk-based supplier management system, as well as explain the requirements that should be clearly defined in a supplier quality agreement.

Supplier Communication Is Paramount

Establishing good communication with your supplier is vital to a productive, risk-mitigating collaboration. Fostering that good relationship is easy in theory, but sometimes it's hard in practice, especially when you're dealing with a large supplier.

For example, if the supplier views you as a small customer, it may be challenging to get them to agree to your demands. That’s something you really have to think about: How will both you and the supplier approach the relationship? You need to be confident that, when you request changes or need something, good communication processes are in place that ensure you're going to get prompt responses from them.

The last thing you want is to have a supplier that doesn’t prioritize your problems, respond to your supplier corrective action plans (SCAPAs), or allow you to audit them in-person. Worse is a supplier that won’t allow supplier audits, notified body audits (which now require supplier audits, in some instances), and FDA inspections, if the agency determines they are needed.

Supplier Risk Score Cards And Ratings

Developing supplier risk score cards will empower you with a system that evaluates and ranks your suppliers based on historical and current performance. This can be a difficult initiative to manage, especially when you're dealing with many suppliers, so it's important to develop supplier risk score cards ahead of time.

First, using failure mode and effects analysis (FMEA) or other tools, as you prefer, define the important metrics and key performance indicators (KPIs) that you want to measure — the ones that will have a significant impact on your process. Review that list periodically with your FMEA members to ensure you're not missing anything; reassess whether new challenges or new data you should be tracking have surfaced and should be considered as you're assessing suppliers.

Next, as you're collecting information from — and about — your supplier, it's important that you build a database or mechanism to give you a complete picture of what's happening with that supplier. For example, if a supplier is having a large number of adverse events, then that should raise a red flag in their profile, allowing you to recognize and react to it; those events could impact your supply chain. One supplier’s problems might create issues in other areas, and you need to think about how you will mitigate the problem as a whole.

Establish a portfolio that allows you to look at and rate critical elements for each supplier, as well as the impact of those elements on other processes across the organization. You might lose sight of the big picture if you're just focusing on that one problematic supplier, and not considering how that supplier is affecting other elements of your quality system. 

As you store and process this information, technology is another risk factor that must be considered. You communicate with your suppliers through specific reports, or using certain data across the supply chain, but you may encounter suppliers that use different, incompatible systems. In such cases, you need to be able to manage data from that supplier in a different way.

Some companies are very interconnected, using Systems Application Products (SAP) or enterprise resource planning (ERP) systems, making it easier to manage what's happening across the supply chain. But sometimes, small suppliers don't have the resources to maintain such systems. In those situations, you must consider how technology — or the lack thereof — will impact the supply chain.

Clearly Define Requirements In A Supplier Quality Agreement

The supplier quality agreement is extremely important because, without it, you can't really hold suppliers accountable to their commitments.

Supplier quality agreements are equally important for internal suppliers — peripheral facilities or subsidiary providers of services or products under a single company’s ownership, for example — as they are for external suppliers. You also may encounter situations where an outside supplier is providing components, but you’re outsourcing the processes that make use of those components.

Regardless of the type of relationship, the supplier quality agreement should define how you are going to share information about what's happening within the quality system. For example, if it's important to you to know if your supplier is inspected by FDA or audited by its notified body, and you want to see what those auditors are finding, you need to define that in your agreement. In turn, the supplier would need to agree to inform you that it’s being audited, and to reveal anything the auditors discover, but you need to be very specific about how you want to see that information.

In addition to information sharing, there are a multitude of other factors you may want to address in your supplier quality agreements:

  • Quality management review — Do you expect to see the results of each review? Consider which metrics you want to know and how frequently you expect to have information reported back to you.
  • Change controls — Are you going to be okay if a supplier changes processes without telling you, or if it buys new equipment or adds new personnel that will have direct contact with the devices manufactured for your organization? Consider how you want to be informed of such changes, or whether the supplier can forgo informing you of each particular change, provided it follows pre-established procedures that both parties have agreed upon. Still, it is critical to clarify that you will not approve changes to processes or to equipment that may create variation affecting your product quality. For example, your supplier might say it’s installing new equipment to improve yields or increase efficiencies. This could slightly affect some inputs to your product, so the supplier has to provide a validation to show that you're still going to get the same product, with the same specifications that you requested initially. Design change also falls under change control, so if your supplier is going to change something in the design of its product, you have to be involved. You have to be very specific about how those changes need to be managed, as well as who needs to be involved in those decisions. 
  • Product acceptance activities — If a supplier is getting raw materials from different vendors, and that could impact your processes or product, your agreement should direct them to notify you of such changes before they take place, to avoid any potential problems.
  • Nonconforming products — You want to ensure the supplier has a system to segregate nonconforming products, and that said system looks at the problems' root causes, driving actions that will prevent those problems from happening again. Also, consider the volume of nonconforming products that would cause you concern: Do you want to be informed of each instance, as it occurs, or do you want to set a threshold of instances at which you should be alerted?
  • Complaints — If your supplier is getting too many complaints from its customers on a critical quality matter, you probably want to know about that. What kind of processes does the supplier use to manage those customer relationships? If they start getting a lot of complaints about a certain aspect that might affect you, do you require them to inform you? Granted, you're not going to hear about everything, but you should ask for as much as you can — the response could be indicative of how the relationship with your supplier is going to go.
  • Field corrective actions — If you engage in a field corrective action due to a supplier's mistake or non-conformance, how are they going to get involved? You have to define that in your agreement. For example, are they going to lead the recall, is it going to be you, or is it going to be a joint effort?
  • Environmental controls — You want to make sure your suppliers are following all applicable environmental controls. You might request this information as part of your audits or your desktop assessments, or you might want to require that the supplier send you periodic reports. The frequency with which you check environmental compliance, or whether such reports are necessary at all, depends on the product that each supplier provides.

All of the above items could be reported as part of your management review, but detailing reporting requirements in your quality agreements, ahead of time, likely will save you a lot of headaches. Most reputable suppliers will not balk at such requests.

Record-Keeping And Data Sharing

Your supplier quality agreement also should stipulate who will maintain which records. If your supplier is supposed to be doing certain activities, and you require documentation of those activities, it must be decided whether they are going to keep that information on site or send it to you as part of the traveler that accompanies the product. Remember, during an audit or inspection, you will be expected to have access to that information.

The same principle applies to statistical techniques on process parameters. If the supplier is tracking those metrics, you have to determine which information is associated with your processes and stipulate when and how you would like access to it. Similarly, if the supplier is having problems associated with your product, you want to ensure they're not waiting for you to audit them before reporting the issue. Ideally, they should provide that information as part of your regular assessments, as well as an explanation of how the issue was resolved through a Supplier Corrective and Preventive Action (SCAPA). You should request those reports periodically until the SCAPA is effectively closed.


If a supplier is going to handle distribution on your behalf, you need to be very specific about how they're going to handle it. Even if they're just going to ship certain components to you, you might want the components shipped under certain conditions. For example, you may have specific needs regarding temperature controls, packaging conditions, or certain distribution parameters. Transportation and packaging validations are important, and suppliers must adhere to those processes approved by the manufacturer.

Distribution management becomes even more critical as you ship overseas, procure products from overseas, or outsource services to other countries. With that increased complexity comes increased risk, so you need to re-evaluate: “Do we need to audit that more often, or do we need to ask them to do things a certain way?”


Risk-based supplier management is a constant process of organization, re-evaluation, and using the information at hand to quickly mitigate any problems that occur. As you conduct supplier assessments throughout the year and renew your contracts, you always need to ask yourself, “How is this working out? Are they being responsive, or not? Do we need to implement something special, or make a change?”

Accordingly, every aspect of the supplier relationship is critical as you define your quality agreements. Do an FMEA of your completed quality agreement and think of worst-case scenarios: Your supplier has agreed to handle record retention, but what happens if there’s a fire? Are they going to back up those records electronically, or should you take the initiative and do that for them? Or, perhaps their processes look good on paper, but did you consider the quality of their environmental controls? If those controls are faulty and negatively impact the component you’re getting, you may not be shipping a final product at all.

The bottom line when incorporating risk management into supplier quality management is to think about all the things that can go wrong, and put safeguards in place to prevent or mitigate them.