ISO 13485:2016 Clause 7.4.2 regarding Supplier Quality Agreements

tebusse

Involved In Discussions
I work for a very small medical device company (8 employees) that manufactures IVDs. I'm currently working on implementation of the new ISO 13485 requirements and need some assistance with clause 7.4.2 regarding Quality Agreements.

Specifically, what is the criteria regarding which suppliers require quality agreements? Do you base it on the supplier's risk level?

Also, for those suppliers with whom a quality agreement is not obtained, how do you ensure that the supplier informs the company of changes in the purchased product?

Any assistance would be most appreciated.

Regards, Tonia
 
S

SteveK

I’m in the same boat. First off I prepared a four page formal Supplier Agreement (trying to keep it as simple as possible) and got some feedback from some of our main suppliers as to whether they would comply. However, since we have a large number of suppliers I thought I should really simplify matters. We send out an annual Supplier Questionnaire – yes/no questions as to whether they have a quality system, what products they supply, equipment used etc. Since these are so simple to complete we usually get the majority returned. So basically I just added a couple of lines i.e.

10. Quality Agreement

10.1 Do you agree to inform ACME of any changes to the product, service or process provided that could affect its quality or specification? YES / NO

10.2 That ACME is informed prior to implementation of any above change YES/NO

Seems to be working so far, and as far as I’m concerned it fulfils the ISO 13485:2016 requirement – though only time and an audit will tell.

Note that we are only a SME - circa 30 employees.

Steve
 

Marcelo

Inactive Registered Visitor
This requirements was included more or less in the end of the development of the new standard...everyone agreed that it was necessary, but with very few examples in the medical device world. Anyway, we do have examples in other areas, and recently I've been suggesting that my clients follow the principles of the "Contract Manufacturing Arrangements for Drugs: Quality Agreements Guidance for Industry" from Pharma from the FDA (there a other examples in other areas, but this is what I think is most close to the medical device field for obvious reasons).

Regarding the criteria, yeah, it should be risk-based, depending on the risk to the patient/user/etc. and conformity to regulatory requirements, related to the supplied product or service.
 

tebusse

Involved In Discussions
Thank you, Steve.

Your idea is simplistic compared to what I was thinking of implementing.

Since were on the subject, how are you dealing with clause 7.4.3 Verification of purchased product? Specifically, when your company becomes aware of changes how are you documenting if the changes affect product realization or the medical device?

Most of the changes we receive from vendors are not applicable to us. Therefore, I'm wondering if a memo to file would suffice.

Thank you again for your assistance.

Tonia
 
S

SteveK

Hi Tonia,

A memo to file is basically what our Purchasing SOP indicates what should happen i.e. an amendment to the purchase order. Worst case we raise a supplier corrective action report (SCAR). It may then lead to a 'concession note' and then a re-work. In any case the information is recorded.

Steve
 

Mark Meer

Trusted Information Resource
Specifically, what is the criteria regarding which suppliers require quality agreements? Do you base it on the supplier's risk level?

Criteria for supplier approval should be based on your own risk-assessment.

Obviously, certain supplied items are more critical than others, and so ideally your system should allow for the degree of supplier control to scale accordingly.

With regards to supplier agreements, I think it's sufficient to document a risk (probability + severity) assessment of a supplier non-conformance (NC), and then go from there. Specifically:
1. What is the probability that a NC is undetected by currently established controls (e.g. receiving & production controls)?
2. What is the worst-case severity if such a NC goes undetected and hence makes it into released devices?

Also, for those suppliers with whom a quality agreement is not obtained, how do you ensure that the supplier informs the company of changes in the purchased product?

The truth is, you can't. Which is why risk-assessment and robust internal controls (receiving/production) are important.

IMHO, supplier agreements aren't necessarily any guarantee either. Sign supplier agreements, sure...but I wouldn't depend on them.

MM
 

Timothy1

Involved In Discussions
I am planning to insert the following statement as part of our PO std terms & conditions Will that meet the 13485 std's requirements (both for outsourced process under 4.1.5 as well as 7.4.2) Any comments/ suggestions appreciated

"Any changes to the product/ service since previous purchase, supplier/ service provider to notify "ABC company". By accepting this PO, supplier/ service provider agrees to comply with this clause"

we are a small organisation (4 staff in total). Our suppliers/service providers are giants Expecting a formal agreement as per FDA guidance may not work for us
 

Wolf.K

Quite Involved in Discussions
Hi,

I changed our SOP "Supplier evaluation and monitoring" to include as a first step in the procedure: supplier classification. We have four categories (A to D).

"All our suppliers are classified into one of four categories, labeled A to D, according to the risk the supplier poses to quality of our products and services. Category A comprises the highest risk, category D the lowest risk to product safety. The different categories require different control procedures and documentation requirements:

1. Category A: Critical supplier. Has to be added to Approved Supplier List. Very important for product safety. QMS certificate accreditation (ISO 13485, ISO 9001, or equivalent) required. Quality Agreement required. Annual supplier audit required.
1.1. Examples are: contract manufacturers, contract sterilization companies

2. Category B: Critical supplier. Has to be added to approved supplier list (ASL). Very important to product safety. Quality agreement not required. Supplier audits not required, as long as no nonconformities recur, and certificates for QMS (ISO 13485, ISO 9001, or equivalent) are available. Applies also to CM subcontractors of high-risk processes, audited regularly by CM (bound to us by QA). For companies supplying raw materials incorporated into our products, certificates like CoA as well as receiving inspection documentation, etc., to ensure compliance to specifications, are satisfactory.
2.1 Examples are: Raw material suppliers, contract sterilization companies (bound to CM by Quality Agreement)

3. Category C: Non-critical supplier. Has to be added to approved supplier list (ASL). Certificates are satisfactory.
3.1 Examples are: commercial lessor, suppliers of monitoring and measuring devices, test laboratories, certification agencies, consulting companies.

4. Category D: Non-critical supplier. No need to be added to ASL. All other suppliers.
4.1 Examples are: office supplies

Then the procedure goes on with the following chapters (initial supplier evaluation, ongoing supplier evaluation, quality agreements).

The category is picked during the initial supplier evaluation, during a risk assessment.

Hope this helps!
Wolf
 

Mark Meer

Trusted Information Resource
I changed our SOP "Supplier evaluation and monitoring" to include as a first step in the procedure: supplier classification. We have four categories (A to D).

"All our suppliers are classified into one of four categories, labeled A to D, according to the risk the supplier poses to quality of our products and services. Category A comprises the highest risk, category D the lowest risk to product safety." ....

We more or less make a similar determination (part of evaluation), however don't have a strict categorisation.

Curious:
With regards to your risk assessment: is your consideration SOLELY based on final product safety? This simplifies things tremendously, but there may be other things worth considering. For example:

  1. What is the effect on quality & operations? For example, a material supplier may supply a part unrelated to safety, but critical to the aesthetics. If such a supplier, say, ships an entire NC batch that is the wrong color, what effect does this have on your operations? What is the turn-around time? Suppliers like this with low turn-around may allow for less strict controls, as the effects of a NC batch can be addressed more quickly.
  2. How easy are they to replace? If it would require a ton of time/resources to source another supplier (e.g. they are exclusive/custom, have specific qualifications, etc.), you may want to exercise more control.
  3. What internal controls do you have in place for identifying non-conformances? If your existing controls are robust (e.g. 100% receiving sampling), then maybe you can relax your categorical controls?

Just some other things that might be worth considering, other than strictly safety...
MM.
 
Last edited:

Wolf.K

Quite Involved in Discussions
Yes, currently during our risk assessments we only consider product (i.e. patient) safety as primary goal. Our notified body was satisfied, so we got our 13485:2016 certificate just recently (audit was in October, certificates received in January).

We have only 2 products and 2 contract manufacturers (class III and IIb), but we are the official manufacturer. So far our approach is ok. The categorization was an idea of our notified body auditor - to clarify and reduce the on-site audit requirements of our suppliers.

So far we just had minor trouble with raw material suppliers. Last year we did not get a part in the required quality - the supplier had to do rework three times. During this period of time, we ran out of stock. Bad for customer satisfaction. So we decided to increase the level of stock at our warehouse triggering a new production. As our products have a "best before date" of five years, this is probably the best insurance for us. We are growing, are not a startup anymore??

:) Wolf
 
Top Bottom