The ISO 13485 standard is the Quality Management System basis for many regulatory schemes.
With the recent publication of the new Medical Device and In Vitro Diagnostic Regulations, the regulatory framework surrounding Medical Devices is evolving and reinforces the control of external parties (Suppliers, Subcontractors).
The newest revision of the ISO 13485 standard, published in March 2016, moves in the very same direction.
What is a Supplier?
There is no specific definition of “Supplier” in the ISO 13485 QMS standard.
The standard however refers back to the definitions given in ISO 9000:2015.
According to ISO 9000:2015, a Supplier is “an organization that provides a product or a service”.
ISO 13485:2016 specifies that a product is the “result of a process” and that it includes “services, software, hardware and processed material”.
If we translate it to the Medical Device industry, Suppliers include, for example:
- Raw material suppliers
- Sub-assembly suppliers
- Design/Manufacturing Subcontractors
- Any other service providers
What are the responsibilities of the Organization/Manufacturer?
In the Quality Management System section of the ISO 13485 standard (4.1), the following was and is still stated:
“When the organization chooses to outsource any process that affects product conformity to requirements, it shall monitor and ensure control over such processes”.
Control of outsourced processes is not a new requirement; clarifications were, however, added in the 2016 revision of the ISO 13485 standard. These clarifications are that: “the organization shall retain responsibility of conformity to this International Standard and to customer and applicable regulatory requirements for outsourced processes. The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with 7.4. The controls shall include written quality agreements”.
This clarifies that the organization that subcontracts the activity remains responsible for it. It also formalizes the requirement that controls be implemented using a Risk-based approach.
Section 7.4 of ISO 13485:2016 then gives organizations further direction on the Purchasing process, including Suppliers’ control.
The ISO 13485:2003 standard does include requirements for Supplier control. It is interesting to note that the 2016 version of the ISO 13485 standard adds more specific requirements to the process:
Clarifications have been added for the documentation; the organization shall have:
- A procedure
- Records of supplier evaluation/selection/monitoring
- Purchasing information documents and records, including a written agreement as applicable that the supplier notify the organization of changes in the purchased product prior to implementation of any changes that affect the ability of the purchased product to meet specified purchase requirements
- Additional documentation is required to cover the full purchasing process (verification of purchased product).
The Criteria definition
The criteria for the evaluation and selection of Suppliers shall be based on the Supplier’s ability to provide product(s) that meet the organization’s requirements, on the performance of the supplier and on the effect of the purchased product on the quality of the medical device. The standard also specifies that the evaluation and selection criteria shall be proportionate to the risk associated with the medical device.
The Risk-based approach
Both the above-described Criteria and the actions implemented following the non-fulfilment of Purchasing requirements shall follow a risk-based approach, proportionate to the risk associated with the purchased product.
The ultimate goals of these changes made in the control of suppliers within ISO 13485:2016 are:
- to increase the harmonization with existing Quality System Regulatory requirements and ensure consistency between the different texts.
- to increase organizations’ control of suppliers in order to meet standards and regulatory requirements.