ISO 13485:2016 Clause 7.4.2 regarding Supplier Quality Agreements

tebusse

Involved In Discussions
#1
I work for a very small medical device company (8 employees) that manufactures IVDs. I'm currently working on implementation of the new ISO 13485 requirements and need some assistance with clause 7.4.2 regarding Quality Agreements.

Specifically, what is the criteria regarding which suppliers require quality agreements? Do you base it on the supplier's risk level?

Also, for those suppliers with whom a quality agreement is not obtained, how do you ensure that the supplier informs the company of changes in the purchased product?

Any assistance would be most appreciated.

Regards, Tonia
 
Elsmar Forum Sponsor

SteveK

Trusted Information Resource
#2
I’m in the same boat. First off I prepared a four page formal Supplier Agreement (trying to keep it as simple as possible) and got some feedback from some of our main suppliers as to whether they would comply. However, since we have a large number of suppliers I thought I should really simplify matters. We send out an annual Supplier Questionnaire – yes/no questions as to whether they have a quality system, what products they supply, equipment used etc. Since these are so simple to complete we usually get the majority returned. So basically I just added a couple of lines i.e.

10. Quality Agreement

10.1 Do you agree to inform ACME of any changes to the product, service or process provided that could affect its quality or specification? YES / NO

10.2 That ACME is informed prior to implementation of any above change YES/NO

Seems to be working so far, and as far as I’m concerned it fulfils the ISO 13485:2016 requirement – though only time and an audit will tell.

Note that we are only a SME - circa 30 employees.

Steve
 

Marcelo

Inactive Registered Visitor
#3
This requirements was included more or less in the end of the development of the new standard...everyone agreed that it was necessary, but with very few examples in the medical device world. Anyway, we do have examples in other areas, and recently I've been suggesting that my clients follow the principles of the "Contract Manufacturing Arrangements for Drugs: Quality Agreements Guidance for Industry" from Pharma from the FDA (there a other examples in other areas, but this is what I think is most close to the medical device field for obvious reasons).

Regarding the criteria, yeah, it should be risk-based, depending on the risk to the patient/user/etc. and conformity to regulatory requirements, related to the supplied product or service.
 

tebusse

Involved In Discussions
#4
Thank you, Steve.

Your idea is simplistic compared to what I was thinking of implementing.

Since were on the subject, how are you dealing with clause 7.4.3 Verification of purchased product? Specifically, when your company becomes aware of changes how are you documenting if the changes affect product realization or the medical device?

Most of the changes we receive from vendors are not applicable to us. Therefore, I'm wondering if a memo to file would suffice.

Thank you again for your assistance.

Tonia
 

SteveK

Trusted Information Resource
#5
Hi Tonia,

A memo to file is basically what our Purchasing SOP indicates what should happen i.e. an amendment to the purchase order. Worst case we raise a supplier corrective action report (SCAR). It may then lead to a 'concession note' and then a re-work. In any case the information is recorded.

Steve
 

Mark Meer

Trusted Information Resource
#6
Specifically, what is the criteria regarding which suppliers require quality agreements? Do you base it on the supplier's risk level?
Criteria for supplier approval should be based on your own risk-assessment.

Obviously, certain supplied items are more critical than others, and so ideally your system should allow for the degree of supplier control to scale accordingly.

With regards to supplier agreements, I think it's sufficient to document a risk (probability + severity) assessment of a supplier non-conformance (NC), and then go from there. Specifically:
1. What is the probability that a NC is undetected by currently established controls (e.g. receiving & production controls)?
2. What is the worst-case severity if such a NC goes undetected and hence makes it into released devices?

Also, for those suppliers with whom a quality agreement is not obtained, how do you ensure that the supplier informs the company of changes in the purchased product?
The truth is, you can't. Which is why risk-assessment and robust internal controls (receiving/production) are important.

IMHO, supplier agreements aren't necessarily any guarantee either. Sign supplier agreements, sure...but I wouldn't depend on them.

MM
 

Timothy1

Involved In Discussions
#7
I am planning to insert the following statement as part of our PO std terms & conditions Will that meet the 13485 std's requirements (both for outsourced process under 4.1.5 as well as 7.4.2) Any comments/ suggestions appreciated

"Any changes to the product/ service since previous purchase, supplier/ service provider to notify "ABC company". By accepting this PO, supplier/ service provider agrees to comply with this clause"

we are a small organisation (4 staff in total). Our suppliers/service providers are giants Expecting a formal agreement as per FDA guidance may not work for us
 

Wolf.K

Involved In Discussions
#8
Hi,

I changed our SOP "Supplier evaluation and monitoring" to include as a first step in the procedure: supplier classification. We have four categories (A to D).

"All our suppliers are classified into one of four categories, labeled A to D, according to the risk the supplier poses to quality of our products and services. Category A comprises the highest risk, category D the lowest risk to product safety. The different categories require different control procedures and documentation requirements:

1. Category A: Critical supplier. Has to be added to Approved Supplier List. Very important for product safety. QMS certificate accreditation (ISO 13485, ISO 9001, or equivalent) required. Quality Agreement required. Annual supplier audit required.
1.1. Examples are: contract manufacturers, contract sterilization companies

2. Category B: Critical supplier. Has to be added to approved supplier list (ASL). Very important to product safety. Quality agreement not required. Supplier audits not required, as long as no nonconformities recur, and certificates for QMS (ISO 13485, ISO 9001, or equivalent) are available. Applies also to CM subcontractors of high-risk processes, audited regularly by CM (bound to us by QA). For companies supplying raw materials incorporated into our products, certificates like CoA as well as receiving inspection documentation, etc., to ensure compliance to specifications, are satisfactory.
2.1 Examples are: Raw material suppliers, contract sterilization companies (bound to CM by Quality Agreement)

3. Category C: Non-critical supplier. Has to be added to approved supplier list (ASL). Certificates are satisfactory.
3.1 Examples are: commercial lessor, suppliers of monitoring and measuring devices, test laboratories, certification agencies, consulting companies.

4. Category D: Non-critical supplier. No need to be added to ASL. All other suppliers.
4.1 Examples are: office supplies

Then the procedure goes on with the following chapters (initial supplier evaluation, ongoing supplier evaluation, quality agreements).

The category is picked during the initial supplier evaluation, during a risk assessment.

Hope this helps!
Wolf
 

Mark Meer

Trusted Information Resource
#9
I changed our SOP "Supplier evaluation and monitoring" to include as a first step in the procedure: supplier classification. We have four categories (A to D).

"All our suppliers are classified into one of four categories, labeled A to D, according to the risk the supplier poses to quality of our products and services. Category A comprises the highest risk, category D the lowest risk to product safety." ....
We more or less make a similar determination (part of evaluation), however don't have a strict categorisation.

Curious:
With regards to your risk assessment: is your consideration SOLELY based on final product safety? This simplifies things tremendously, but there may be other things worth considering. For example:

  1. What is the effect on quality & operations? For example, a material supplier may supply a part unrelated to safety, but critical to the aesthetics. If such a supplier, say, ships an entire NC batch that is the wrong color, what effect does this have on your operations? What is the turn-around time? Suppliers like this with low turn-around may allow for less strict controls, as the effects of a NC batch can be addressed more quickly.
  2. How easy are they to replace? If it would require a ton of time/resources to source another supplier (e.g. they are exclusive/custom, have specific qualifications, etc.), you may want to exercise more control.
  3. What internal controls do you have in place for identifying non-conformances? If your existing controls are robust (e.g. 100% receiving sampling), then maybe you can relax your categorical controls?

Just some other things that might be worth considering, other than strictly safety...
MM.
 
Last edited:

Wolf.K

Involved In Discussions
#10
Yes, currently during our risk assessments we only consider product (i.e. patient) safety as primary goal. Our notified body was satisfied, so we got our 13485:2016 certificate just recently (audit was in October, certificates received in January).

We have only 2 products and 2 contract manufacturers (class III and IIb), but we are the official manufacturer. So far our approach is ok. The categorization was an idea of our notified body auditor - to clarify and reduce the on-site audit requirements of our suppliers.

So far we just had minor trouble with raw material suppliers. Last year we did not get a part in the required quality - the supplier had to do rework three times. During this period of time, we ran out of stock. Bad for customer satisfaction. So we decided to increase the level of stock at our warehouse triggering a new production. As our products have a "best before date" of five years, this is probably the best insurance for us. We are growing, are not a startup anymore??

:) Wolf
 
Thread starter Similar threads Forum Replies Date
C ISO 13485 :2016 - CAPA - Does every CAPA need to be checked by regulations? ISO 13485:2016 - Medical Device Quality Management Systems 9
P ISO 13485:2016 MDSAP Certification Fee Survey ISO 13485:2016 - Medical Device Quality Management Systems 6
K Contamination Control - Class Is medical devices (Clause 6.4.2 ISO 13485:2016 (E)) ISO 13485:2016 - Medical Device Quality Management Systems 12
H ISO 13485:2016 Gap Analysis by NB ISO 13485:2016 - Medical Device Quality Management Systems 7
S SOP for ISO 13485:2016 Quality related Software validation ISO 13485:2016 - Medical Device Quality Management Systems 9
JoCam Difference between Approval and Registration - ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 2
K ISO 13485:2016, Clause 4.2.3 Medical Device File ISO 13485:2016 - Medical Device Quality Management Systems 4
T Document control ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 5
A We are ISO 13485:2016 should we be audited to ISO 14971 ISO 13485:2016 - Medical Device Quality Management Systems 16
E Equipment Qualification - IQ/OQ per ISO 13485:2016 section 7.5.6 Process validation ISO 13485:2016 - Medical Device Quality Management Systems 7
S Clinical Evaluation - Is this an ISO 13485:2016 requirement? ISO 13485:2016 - Medical Device Quality Management Systems 4
L ISO 13485:2016 Clause 8.4 - Analysis of Audit Observations ISO 13485:2016 - Medical Device Quality Management Systems 8
S When is ISO 13485:2016 6.4.2 Contamination Control appropriate? ISO 13485:2016 - Medical Device Quality Management Systems 11
L Templates for three ISO 13485:2016 SOPs ISO 13485:2016 - Medical Device Quality Management Systems 8
C What falls under the 'Customer Property' according to ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 10
M Is it possible to get iso 13485:2016 certified as a one man band ISO 13485:2016 - Medical Device Quality Management Systems 1
F ISO 13485:2016 Quality Policy Requirements Other ISO and International Standards and European Regulations 3
M Contract Manufacturers and MDF Responsibilities, ISO 13485:2016, Clause 4.2.3 ISO 13485:2016 - Medical Device Quality Management Systems 3
J ISO 13485:2016 sample exam/test ISO 13485:2016 - Medical Device Quality Management Systems 3
M Informational Questionário – Análise crítica sistemática – ISO 13485:2016 (Portuguese-only) Medical Device and FDA Regulations and Standards News 0
M Informational ISO 13485:2016 under systematic review Medical Device and FDA Regulations and Standards News 5
C Updates on Documentation for outsourced OEM from ISO 13485:2003 to ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 4
GStough Informational SN EN ISO 9001:2015 and SN EN ISO 13485:2016 on Same Certificate? Registrars and Notified Bodies 7
E MDSAP Audit - Our QMS conforms to ISO 13485:2016 and FDA GMP Canada Medical Device Regulations 9
Ronen E Informational ISO 13485:2016 Transition Period End - 1 March 2019 ISO 13485:2016 - Medical Device Quality Management Systems 0
B ISO 9001:2015 vs ISO 13485:2016 for MDR Compliance EU Medical Device Regulations 4
T ISO 13485:2016 - Processes exempt from process validation ISO 13485:2016 - Medical Device Quality Management Systems 12
C Medical device manufacturing (class 2 ISO 13485:2016) - Is a Deviation allowed? Other Medical Device Related Standards 5
J EU ISO 13485:2016 Recertification Audit - Effect of 10 Minor Nonconformances EU Medical Device Regulations 2
E Template of a Management Review Agenda or Report in compliance with ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 6
J ISO 13485:2016 Section 6.2 - Documenting the process for establishing competence ISO 13485:2016 - Medical Device Quality Management Systems 6
Q Any good Checklists for ensuring SOPs cover ISO 13485:2016 and 21CFR 820? ISO 13485:2016 - Medical Device Quality Management Systems 3
H Transition to ISO 13485:2016 together with ISO 9001:2015 ISO 13485:2016 - Medical Device Quality Management Systems 12
B Classes/ Online Training on ISO 13485:2016 and FDA QSR Part 820 ISO 13485:2016 - Medical Device Quality Management Systems 5
T Software Validation Certificate (ISO 13485:2016) ISO 13485:2016 - Medical Device Quality Management Systems 19
D ISO: 13485:2016 Sec. 7.5.2 (C) - Requirements for cleanliness of product or contamination control ISO 13485:2016 - Medical Device Quality Management Systems 2
M Internal Audit Assessment Criteria - ISO 13485:2016 Internal Auditing 21
C Software validation (4.1.6 ISO 13485:2016) ISO 13485:2016 - Medical Device Quality Management Systems 20
L Does anybody have quiz's available? ISO 13485:2016 Training Material Training - Internal, External, Online and Distance Learning 2
G ISO 13485:2016 and regulatory requirements - Contract Manufacturing ISO 13485:2016 - Medical Device Quality Management Systems 22
S ISO 13485:2016 and GDRP EU 2016/679 ISO 13485:2016 - Medical Device Quality Management Systems 5
JoshuaFroud Interpretation of Clause 5.5.2 in ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 2
R CNC Software Validation requirements as per ISO 13485:2016 Other ISO and International Standards and European Regulations 8
A ISO 13485:2016 Applicable regulatory requirements ISO 13485:2016 - Medical Device Quality Management Systems 2
R ISO 13485:2016 Registration - NC on full cycle of internal audits ISO 13485:2016 - Medical Device Quality Management Systems 7
C Will anyone please share training material for ISO:13485:2016 for best practices Training - Internal, External, Online and Distance Learning 0
T ISO 13485: 2016 Internal Audit - Is sampling on projects allowed? ISO 13485:2016 - Medical Device Quality Management Systems 6
D Where I can find an ISO 13485:2016 Audit Schedule example? ISO 13485:2016 - Medical Device Quality Management Systems 4
S What records are required to show compliance to ISO 13485:2016? ISO 13485:2016 - Medical Device Quality Management Systems 1
B Non Applications in ISO 13485:2016 for component contract manufacturers ISO 13485:2016 - Medical Device Quality Management Systems 2

Similar threads

Top Bottom