Approving AWS as a supplier (ISO 13485)

#1
Hello,

My company needs to add AWS to our approved suppliers list (Level A / High Risk Category). Will it be sufficient to keep a copy of their ISO 9001 certification on file? Or do we need a specific quality agreement in place with them too?

Thanks!
 

Tagin

Trusted Information Resource
#2
a) What makes them a "Level A / High Risk Category" supplier for you? What risks do they pose to your products/services if they do not perform correctly?
b) What do your policies/procedures say has to be done to approve a "Level A / High Risk Category" supplier?

Does having a 9001 cert on file realistically suffice to help you monitor/control for those risks?

If not, then you would likely want to consider other supplier monitoring/controls. Whether you can get AWS to jump through many hoops is problematic, unless you are a very large customer of theirs.

Alternatively, you might be able to argue that AWS is a recognized world leader in cloud hosting, etc. and therefore is de facto the best choice for the services you need, and as such, the choice to use AWS is in itself a supplier control. That is, being a top 5 world-class leader in an industry might be added to your policies as a way to approve a supplier. Then, ongoing monitoring (e.g., of uptime, bandwidth, # of issues, etc.) could suffice for maintaining that approved status. It seems more practical than a 9001 cert on file.

In general with cloud services, the issue isn't typically the provider's infrastructure, but rather the customer's use of it: improperly secured S3 buckets leaking data publicly, VMs spun up without proper firewall provisioning, not maintaining backups under separate AWS accounts from the VM accounts, etc.
 

Sravan Manchikanti

Starting to get Involved
#3
> Alternatively, you might be able to argue that AWS is a recognized world leader in cloud hosting, etc. and therefore is de facto the best choice for the services you need, and as such, the choice to use AWS is in itself a supplier control. That is, being a top 5 world-class leader in an industry might be added to your policies as a way to approve a supplier. Then, ongoing monitoring (e.g., of uptime, bandwidth, # of issues, etc.) could suffice for maintaining that approved status. It seems more practical than a 9001 cert on file.

Hi Tagin,

Can you please elaborate on this a little more? What would the documentation look like in this case?

When we classify a supplier like AWS as a critical supplier (Level A / High Risk Category) based on the risk posed by the use of AWS in the QMS and the product (SaMD), we need to have a sound supplier evaluation mechanism. But in the case of start-ups, they generally don't have the bandwidth or clout to conduct a supplier audit or something. In that case, can they use the SRS drawn up for validating the purchased software (Ref ISO 4.4.6/7.5.6) as a questionnaire and fulfill the vendor assessment/supplier evaluation?

My question is not just about AWS; there could be many other (may or may not be 'popular') software products used in SaMD product development (Jira, GitHub, Asana, languages like Python, open source ML libraries like scikit-learn and PyTorch) where we can't conduct a vendor assessment as with typical medical devices (by conducting a supplier audit at the raw material manufacturer site). How to bring them under the purchasing control & supplier evaluation process (Section 7.4 of ISO 13485)?

Appreciate your response.
 

Tagin

Trusted Information Resource
#4
> Hi Tagin,
>
> Can you please elaborate on this a little more? What would the documentation look like in this case?
>
> When we classify a supplier like AWS as a critical supplier (Level A / High Risk Category) based on the risk posed by the use of AWS in the QMS and the product (SaMD), we need to have a sound supplier evaluation mechanism. But in the case of start-ups, they generally don't have the bandwidth or clout to conduct a supplier audit or something. In that case, can they use the SRS drawn up for validating the purchased software (Ref ISO 4.4.6/7.5.6) as a questionnaire and fulfill the vendor assessment/supplier evaluation?
>
> My question is not just about AWS; there could be many other (may or may not be 'popular') software products used in SaMD product development (Jira, GitHub, Asana, languages like Python, open source ML libraries like scikit-learn and PyTorch) where we can't conduct a vendor assessment as with typical medical devices (by conducting a supplier audit at the raw material manufacturer site). How to bring them under the purchasing control & supplier evaluation process (Section 7.4 of ISO 13485)?
>
> Appreciate your response.

I was just suggesting various ideas. 7.4 says your org has to create the criteria, and I think c & d are what the concern is here:
The organization shall establish criteria for the evaluation and selection of suppliers. The criteria shall be:
c) based on the effect of the purchased product on the quality of the medical device;
d) proportionate to the risk associated with the medical device.
A company that uses AWS for backup storage of medical device software will have different concerns about effects and risks than a company that uses AWS to host a real-time medical web application.

My thinking is that in order to address c & d effectively, supplier criteria for evaluation and selection has to be more specific, more finely tuned, to 1) the particular service(s) that supplier will provide and 2) the specific use of the services for the specific medical device.

The typical one-size-fits-all supplier evaluation form is really not up to the task of evaluating these kinds of outsourced medical device suppliers.
 

Sravan Manchikanti

Starting to get Involved
#5
> A company that uses AWS for backup storage of medical device software will have different concerns about effects and risks than a company that uses AWS to host a real-time medical web application.
>
> My thinking is that in order to address c & d effectively, supplier criteria for evaluation and selection has to be more specific, more finely tuned, to 1) the particular service(s) that supplier will provide and 2) the specific use of the services for the specific medical device.

Thanks for the quick input.

I am talking about the second case, where the SaMD runs on AWS. It definitely poses a higher risk than the first option.

Whichever the case, what options are left to a start-up for supplier evaluation when purchasing the software used in SaMD product development (OTS), where the buyer doesn't have much say and settles for the available software (the other way to look at it is that the product is developed keeping these key software functionalities in mind), when it comes to fulfilling 13485 purchasing requirements?
 