Ensure You Have
When Considering Vendors

You might remember seeing a movie in 2013 titled, “We Are the Millers.”   The movie contained some quite memorable scenes, particularly one in which the main character’s love interest shows up to meet the parents with a tattoo reading, “No Ragrets,” across his chest.  (It should have read, “No Regrets,” of course).  The boy clearly had no idea that it was so hilariously misspelled, but it did make me wonder… did the tattoo artist even realize the word was misspelled?

If this type of egregious mistake were to happen inside a regulated environment, our first reaction would be to check the vendor’s qualifications.  We would ask questions like “Was that tattoo artist qualified to provide ‘tattoo artistry’ as a service?”

Thank goodness, this process has been made easier for use with the International Organization for Standardisation (ISO) 13485:2016 for Medical Devices.  This updated version was published in March 2016 and has a transition period of three years.  One of the key changes in the update is the “strengthening of supplier control processes” to be more harmonized with the United States (US) Food and Drug Administration’s (FDA) 21 Code of Federal Regulation (CFR) Part 820.50, Purchasing Controls. This means that manufacturers of “Conformité Européene” (CE)-marked, FDA cleared medical devices will need to ensure all supplier quality-related procedures are compliant to both requirements.  Are you ready to dive into vendor qualification requirements?

What is required?
21 CFR Part 820.50 describes the establishment and maintenance of Purchasing Controls to ensure that all purchased product and services conform to specified requirements.  ISO 13485:2016 shares this requirement, but also reinforces that suppliers, contractors and even consultants should be qualified through a risk-based process.  How can this be achieved?

Where to begin?
To comply with both ISO 13485:2016 and FDA Quality System Regulations (QSR), a thorough Risk Assessment of the medical device needs to be documented.  This Risk Assessment should also align with ISO 14971 (Medical Device Risk Assessment) and list all potential risks associated with device in both in fault and ideal conditions that might occur prior to mitigation.  These risks should cover all aspects of the device including labeling, packaging and instrumentation.  Most commonly these risks are presented in a tabular format, an example of which is provided at the end of this blog. The Level of Control (LOC) also needs to be established; based upon the criticality of any device components or materials provided by the supplier (Low, Medium, High for example).

How to maintain?
After all suppliers have been qualified per criticality of material, a review maintenance schedule needs to be created.  This schedule will outline the schedule based on the established LOC; for example, suppliers with a high LOC should be reviewed more frequently than those with a low LOC.  Per the US FDA, the capabilities of product or service suppliers should be reviewed at intervals consistent with the significance of the product or service provided.  So, when you go to get that tattoo, or better yet, update that Quality System,  just make sure your vendors are qualified to ensure there are “No Ragrets!”