Get 4 FREE months of Conformio to implement ISO 27001

How to perform a supplier audit according to ISO 13485

In the ISO 13485:2016 Quality Management System (QMS), management of suppliers is a critical part of the success of the purchasing process. So, what do you need to do for supplier management, and how can a supplier audit help with this part of the purchasing process?

Criteria for evaluation and selection of suppliers:
  • Ability to meet requirements – How well does the supplier meet your requirements?
  • Supplier performance – How well does the supplier meet your needs?
  • Effect on quality – How much of an effect does the supplied product have on your medical device manufacturing?
  • Risk to the medical device – Along with quality, how does the supplied product affect the safety of the medical device?

ISO 13485:2016 supplier management requirements

One of the purchasing controls to ensure that you get the right products for your medical device manufacturing is supplier evaluation. Your supplier evaluation, and subsequent supplier monitoring, are intended to be based on the risks that each supplier poses to your ability to provide medical devices that meet customer and regulatory requirements.

Supplier evaluation is not intended to be a one-time thing: once a supplier is approved for use, monitoring of performance is crucial to ensure that they continue to meet your requirements. Failure to meet requirements needs to be addressed and corrected as soon as it is noticed. This approval, monitoring, and any necessary correction of suppliers needs to be demonstrated by records that are maintained to demonstrate that the suppliers are capable of meeting requirements.

While not strictly a requirement of the standard, many companies maintain a list of the suppliers who are currently approved for use by the purchasing department. This list, which includes the dates for re-evaluations, ensures that you always use a supplier who is in good standing with your company.

Criteria for evaluation and selection of suppliers

So, how do you make sure that suppliers will meet your needs? ISO 13485 contains a list of things to consider when approving a supplier. These include:

ISO 13485 supplier audit: How to evaluate your suppliers

Ability to meet requirements – How well does the supplier meet your requirements? Can they meet the tolerances you need? Are they compliant with any legal requirements that are necessary to provide their products? For example, if there is a certificate of quality or certificate of analysis for purchased material, are the tolerances listed on the certificate in accordance with your requirements?

Supplier performance – Along with technical requirements, how well does the supplier meet your needs? Are they delivering on time? Do they reply in a timely manner to your requests? Can you be sure this supply partner will get you what you need? For example, does the supplier have the appropriate and valid quality certificates (e.g., ISO 9001, ISO 14001, and ISO 13485)?

Effect on quality – How much of an effect does the supplied product have on your medical device manufacturing? If there is a great effect, and the product is highly influential on the quality of your medical device, then more care should be taken in choosing the right supplier. If there is little effect, such as when you have many suppliers for one type of part, then a less rigid approach might be considered.

Risk to the medical device – Along with quality, how does the supplied product affect the safety of the medical device? If it is critical for safe function and operation, then once again, this should increase the level of care in approving the supplier for use.

For more on the overall purchasing process in ISO 13485, see the article: How can ISO 13485 clause 7.4, Purchasing, enhance procurement?

How do you evaluate new medical device suppliers?

There can be many ways to evaluate if a supplier will meet your needs, or continue to fulfill your requirements. This may include having the supplier prove their capacity and quality using a questionnaire, a survey, or even a trial purchase order, which would allow you to check what they can supply and how good the product is. Another common tool used for approving a medical device supplier is a supplier audit.

Supplier audits, while not an ISO 13485 requirement, provide you with a view into how the processes of the supplier work. Like all management system audits, the supplier audit (also called a second-party audit) is intended to review the processes of the supplier by comparing what is actually happening in the processes against the planned arrangements of the processes—or, in other words, the requirements of the process.

Performing a supplier audit

The audit first reviews the process requirements to determine what should be happening, and then collects objective evidence of what is actually happening through observation, conducting interviews, and reviewing records. When this objective evidence is compared to the requirements, the audit can determine if the requirements are being met, which is called process conformity, or if the requirements are not being met, which is called process nonconformity. When a nonconformity exists in a process, then corrective action is needed to fix what is wrong.

Remember that the requirements you have placed on the supplier should be included in those checked during the audit. This is where the supplier audit differs from other management system audits. Instead of reviewing all processes of the supplier against ISO 13485, which is already done by the certification body if they have a certificate, you should focus on the processes that are critical to ensuring that the supplier meets your needs, such as how they deal with nonconforming products, how they ensure they meet legal requirements, and how they review your contracts to ensure that all requirements are met. The processes that are critical to your success are the processes you want to review in the supplier audit.

For example, ensuring traceability is very important in medical device manufacturing. Therefore, it is good to check during the supplier audit how the supplier has ensured traceability from the entry of raw materials to the finished product. Another example is ensuring cleanliness when it matters. During the supplier audit, it can be checked how the cleaning of the production part is prescribed, with which detergents, and how the cleaning process itself is validated.

Ensure your supplier audits give benefit

Along with limiting the scope of your supplier audits to those processes critical to you, it is also beneficial to have your audits focus on how to identify supplier improvements that can help them better meet your needs. This focus on opportunities for improvement, along with a collaborative approach to the audit, will not only help make the audit more beneficial to the supplier, but also help them to better meet your needs.

If the supplier also sees benefit in your approach, it will make the audit much more effective and efficient both for you and the supplier. It is in your best interest to make the supplier audit a win-win scenario.

To better understand the ISO 13485 supplier requirements, download this free white paper: Clause-by-clause explanation of ISO 13485.

Advisera Kristina Zvonar Brkic
Kristina Zvonar Brkic
Kristina Zvonar Brkic is an experienced consultant, auditor, assessor, and trainer for ISO 13485 and the EU MDR. She runs a thriving ISO 13485 consulting practice and helps companies and consultants to build their businesses. In her career, she also worked as an ISO 9001 and ISO 22716 consultant and lead auditor, and as an auditor and assessor for the MDD.

The portfolio of medical devices for which she has approval is plastic products with measuring function, various creams and gels, different systems for wound care, disinfectants, different catheters, panels for operating rooms and clean rooms, accessories and kits for performing surgical procedures of non-woven materials, medical gases, and various dental materials.