Your approved supplier list (ASL) is one of the critical components of medical device supplier management. The ASL is an in-house record of all the suppliers you’ve qualified, as well as which items or services you’ve qualified them for.
But building an ASL is not as simple as Googling some potential suppliers and adding them to a spreadsheet in a forgotten folder somewhere in the company Dropbox.
There’s a process involved in qualifying suppliers for your ASL, and that’s what I’ll be walking you through in this article.
The purchasing clauses in both the FDA’s Quality System Regulation (QSR) and ISO 13485 require medical device companies to establish procedures for ensuring purchased products or services meet their requirements.
These SOPs are an essential part of your quality management system, and you should have them in place before you begin qualifying suppliers. They are the guardrails that will guide you as you evaluate and choose suppliers.
As we continue on through this list, keep in mind that everything you do to qualify a supplier and put them on your ASL should be documented, so that you can easily demonstrate to an auditor you’ve followed your procedures for qualifying suppliers.
Your next step is to document what you’ll require from a given medical device supplier. If you need a specific part, for example, then you need to create a list of criteria that the supplier of that part must meet.
Supplier criteria will revolve around some key issues, including:
The product or service specifications that you need a supplier to meet
Whether they have a documented quality system in place
Whether they have supplier management procedures in place for their suppliers
The standards they’re certified to (like ISO 13485 or ISO 9001)
The volume they can produce for your company
After you have the criteria in place for a given part or component, you can begin your search for medical device suppliers that meet those requirements.
Once you find some prospective suppliers, you’ll want to send them a supplier questionnaire to gather more information about their ability to meet your criteria. You’re trying to get to the bottom of questions like:
Can they meet your internal specifications for this item? For instance, if you need a plastic bottle, what characteristics must that bottle have? What materials must it be made from? What dimensions must it have?
How many units can they make each year? Can they make enough product to meet your needs right now? Will they be able to scale with you or will you need to look for additional suppliers for this item as you produce more devices?
What regulations do they currently follow and what standards are they accredited to? If they’re ISO 13485 certified, you can be confident they already meet many of the requirements you’ll need them to. If they’re not ISO 13485 certified, that doesn’t mean you can’t use them, but you’ll need to include a lengthier set of questions regarding their QMS.
A detailed questionnaire helps both you and the prospective supplier. It will give them a better sense of whether or not they can do what you’re asking, and it will help you decide whether or not this supplier meets the criteria to go on the approved supplier list.
For each supplier, you’ll need to determine the level of risk they represent to the product and thus the extent of your responsibilities when it comes to monitoring them.
You can start with a critical vs. non-critical supplier framework.
Non-critical suppliers have no direct or indirect relationship with the product or manufacturing processes, such as a business that supplies your stationery or caters meals for you. These are still suppliers, but they don’t have to go on your approved supplier list.
Critical suppliers have a direct or indirect relationship with the product or process and they must be qualified and placed on your ASL if you want to order anything from them.
Critical suppliers are often broken down into three categories based on their potential impact on product safety. For example:
Tier 1 - Highest Risk: Includes any integral component of the device that impacts safety. Also includes contract manufacturers assembling the device. This would also include services like sterilization that impact the safety of the device.
Tier 2 - Medium Risk: Includes custom, device-specific components that don’t directly impact device safety. This tier also includes services like pest control and your logistics and shipping provider.
Tier 3 - Lowest Risk: Standard, “off-the-shelf” items. Any consultants you use that provide a service related to the product or processes would also fall under this tier.
One benefit of the tiered approach is that it demonstrates to auditors that you understand risk and are actively using a risk-based approach to supplier management.
Your supplier questionnaire is a way for medical device suppliers to tell you what they can do; an onboarding audit is a means of verifying the answers to that questionnaire.
Generally speaking, you’ll need to audit all of your Tier One suppliers before adding them to your approved supplier list. After that, you would generally audit them every one to two years to ensure they are still able to supply products that meet your specifications—and do so in a manner that is compliant with regulations.
Tier Two suppliers also likely need an upfront audit. However, you might audit them on a longer schedule, such as every three years.
For Tier Three suppliers, you probably won’t need to audit them before onboarding them. You also won’t be expected to do ongoing audits with them unless there is cause, such as a high number of complaints or a poor supplier scorecard.
The final thing that stands in the way of adding a supplier to your approved supplier list is crafting a formal agreement for their services.
Your supplier agreement is a legally binding document and it will govern your relationship for as long as you’re using that supplier. So, your agreements need to spell out more than just the price you’ll pay and the number of units the supplier will deliver.
There are a number of items that should end up in your agreements, but three of the most important are your:
Quality agreement. This is the high-level overview of both your responsibilities and those of the supplier. It ensures everyone knows what they need to do and how to do it.
No-change clause. This ensures your supplier can’t make a change to the product or service without informing you a certain amount of time in advance. This absolutely must be in your supplier agreement, as it protects you from unannounced changes in what you’re receiving.
Audit clause. In this clause, your supplier agrees to submit to an audit from your notified body. This is an important clause because, as we touched on earlier, it ensures your notified body has the access to suppliers required by MDR and IVDR.
The NBOG document and the MDSAP Audit Model are two excellent resources for crafting your agreements. The NBOG guidance is particularly useful because it’s a document that notified bodies use and it shows you exactly what they want in a supplier agreement.
Once your formal agreement is in place, you can add the supplier to your approved supplier list and begin ordering from them.
Bear in mind, however, that you can only order the part or service you have qualified a given supplier for. Just because a supplier is now on your ASL, that doesn’t mean you can order anything from them.
Getting off on the right foot is key to having a great relationship with your suppliers. And with Greenlight Guru’s MedTech Lifecycle Excellence Platform, you’ll have all the tools you need to manage your supplier relationships from start to finish.
With secure sharing, you can easily share key documents with suppliers, contract manufacturers, and consultants. From there, your team can assign follow-up tasks to external partners or even include them in document review and approval workflows.
So if you’re ready to take the stress out of medical device supplier management, get your free demo of Greenlight Guru today.
Benjamin Bancroft is a Medical Device Guru at Greenlight Guru who enjoys working on audits, CAPAs and Root Cause Analysis. He is a Quality and Regulatory Manager who began his career maintaining the QMS for multiple companies as a CAPA and audit SME. He enjoys helping customers successfully navigate regulations to...