This article covers how the new ISO 13485 standard[1] affects risk management for suppliers.
The 2016 revision to ISO 13485 may have profound implications for the medical device industry. The updated standard will alter the way device makers interact with suppliers, from supplier selection to the management of supplier relationships.
What the New Standard Says About Risk
One particularly notable change with ISO 13485:2016[2] is the addition of more explicit risk management requirements. Companies will be required to consider the risk associated with a device from conception through its use. Device makers must plan and implement corrective action when problems are detected. Risk management must be incorporated into every aspect of the quality management system.
"Whenever you bring expectation to the forefront, whereas you take what is implicit and make it explicit, which is really what the standard has done, then it definitely will have an impact on medical device manufacturers to reach those standards," says Alexander Crosby, Americas Program Manager-Medical Device for Intertek Business Assurance.[3]
Risk assessment has been part of this process for a long time, says Darrell Lehman, principal of DKL Solutions LLC and a former senior vice president at Intertek.[4] "What this standard does is put it in context for the industry as well as put it in context for the supply chain and the life cycle of the product." Less is left to interpretation than in previous standards.
"It extends the process of risk-based analysis as well as risk-based control and risk management and puts the onus of control on the organization that's creating the product or service," says Lehman. "That's not only just the medical device that hits the market, but it could also be a company that's providing a critical service or a critical component to that device as it goes to market."
The abstract of the standard states: "The processes required by ISO 13485:2016 that are applicable to the organization, but are not performed by the organization, are the responsibility of the organization and are accounted for in the organization's quality management system by monitoring, maintaining and controlling the processes."[5]
For companies that supply goods or services to medical device companies, ISO 13485:2016 clarifies what they should be doing, and perhaps should have already been doing, to mitigate risk, says Lehman.
Safety is a paramount concern. A recent white paper by BSI Group[6] noted the following: "ISO 13485:2016 maintains the need for organizations to focus improvement activities on the continuing suitability, adequacy and effectiveness of the quality management system and the safety and performance of the medical device."
The standard seems to be evolving to read closer to FDA requirements. "The way I think it is that the international standard for medical devices is harmonizing with the FDA QSR, 21 CFR Part 820[7] where risk assessment is something we need to think about in everything we do," says Terry Hamm, vice president of quality assurance and regulatory affairs at GW Plastics, Inc.[8] They make a Class II device, but this might pose a particular challenge for certain types of suppliers. "If you're making components in a molding environment, you may not be accustomed to this process. It is critical to define requirements, especially, risk assessment with your suppliers," he says.
The FDA recently announced they will accept audit reports from the Medical Device Single Audit Program (MDSAP)[9] as a substitute for establishment inspection reports. The MDSAP was established to allow one regulatory body to satisfy the requirements of US FDA, Australia's Therapeutic Goods Administration, Brazil's Agencia Nacional de Vigilancia Sanitaria, Health Canada, Japan's Ministry of Health, Labour and Welfare and Pharmaceuticals and Medical Devices Agency. The MDSAP on-site report form features several entries regarding ISO 13485 compliance.[10]
Large device makers and suppliers may already manage risk in a fashion similar to what the new standard will require, says Mike Delpha, founder of Delpha Quality Consulting.[11] However, for smaller companies with 25 to 100 employees, compliance may be more of a burden. "For them, the notion of normal risk assessment, risk analysis, when to fail, what the impact would be, how likely the impact would be, these are concepts they've never had to deal with formally," he says.
Implications for Supplier Selection
It can be a challenge to assess the level of risk each supplier could potentially add to your process. However, this is a critical exercise. Under the new standard, device makers are responsible for the potential risk suppliers bring to a device.
Although the updates to the standard are new this year, the concept of monitoring supplier risk is hardly new. In 2008, the Global Harmonization Task Force, a group of medical device industry representatives (now the International Medical Device Regulators Forum), revised their guidance document on the control of products and services obtained from suppliers in the medical device industry. In it they state: "Failure to have any evidence on-site or provide access to any objective evidence of the controls associated with products and services from suppliers could result in the manufacturer's quality management system being non-compliant."[12]
The MDSAP on-site assessment report form[13] has an entry for "critical suppliers" that asks for name, address and product or service of critical suppliers that provide products or services used in the audited process.
Under EU regulations, quality management systems should address "resource management, including selection and control of suppliers and sub-contractors."[14]
When assessing potential suppliers, any supplier that is not aware of the new standard should be considered high risk, says Lehman. Meanwhile, suppliers who are certified to ISO 13485 themselves might be considered lower-risk. "If I was a supplier and I wanted to improve my value proposition to a group of companies, I would certainly want to be certified to this standard," says Lehman.
Any supplier involved in making an implantable product should be certified, says Delpha, because of the sensitive nature of these devices.
Some small suppliers may lack the resources to become certified, but even so, they cannot afford to just ignore the ISO 13485 revision. "If a small company is too burdened or does not need to do the 13485 certification, what I'm telling them to do is be able to provide evidence on request that they've done their risk analysis and risk management homework to make themselves more attractive," says Delpha.
Impact on Supplier Relationships
Once suppliers are selected, they must be monitored routinely. Device makers and suppliers must collaborate and communicate more than ever to make sure their risk management and quality management systems are compatible.
Suppliers who support medical devices may have different interpretations of how to meet the requirements of ISO 13485:2016. "One thing we've typically seen suppliers do is say, 'well, we're not producing a medical device, so how much of this applies to us?'" says Crosby. "And it does become something of a thorny question, which is, how do you apply medical device risk management if you're not ultimately producing a medical device?"
Crosby encourages device makers to communicate with their clients about their role in the risk management puzzle. Be clear about how your supplier can contribute to risk mitigation and control. "The supplier over the course of time becomes somewhat educated to that and kind of understands where they sit in the ectosphere of the medical device," he says. Some suppliers may have a good handle on how the complexity of the product or service they provide contributes risk to the final medical device. However, it is difficult for suppliers to do this in a vacuum if they lack understanding of the final medical device. The more information device makers can give suppliers, the better. "We do see that to be very stovepiped," Crosby says. "That is not really an area where organizations typically work together to depict a holistic risk management picture." The 2016 revision of ISO 13485 is pushing for more continuous dialogue, monitoring and oversight. "There's opportunity for suppliers to be value-added participants in the risk management cycle."
This focus on continuous feedback is new. "Historically the standards, 13485 as well as the rest, asked the company to evaluate and select suppliers and then monitor their performance and help them get better when they do, or drop them," says Delpha. However, there was not much guidance on how that process should go. Now, companies have to be more cognizant of supplier failures. Errors must be documented and managed.
Some companies have been quick to step up their game. "We've gone through an evolution with supplier management," says Hamm. GW Plastics is now managing suppliers more rigorously, including audits of critical suppliers. They have three risk categories of suppliers, and they do separate risk management on each. "It's critical to clearly divide your suppliers," Hamm says.
Challenges Associated with Suppliers of Services
The risk associated with suppliers that provide services, rather than components, can be particularly difficult to define. For example, a supplier providing product labeling services might contribute a substantial amount of risk to the final medical device since improper labeling could result in direct patient harm.
"Usually from a quality management system perspective, when we look at resources, one of the big things is understanding any individual's contributions to or the impact on quality," says Crosby. For instance, if you have hired somebody and they happen to be moving boxes from point A to point B and their impact on the medical device is low, their understanding of that context may be low. However, if those boxes happen to contain sterile, sealed medical devices whereby there is a potential for damage and thus risk to the medical device, their context needs to be higher, he says.
Temporary labor is one intriguing example of a service that could potentially contribute a large degree of risk to a medical device. If you bring workers into your organization, you must ensure these individuals comply with your quality process. You can assign some of that responsibility to the firm providing workers although you are still ultimately responsible, says Lehman. "You might want to go to the contract firm and say, 'bring me people with these credentials that have already achieved this training that you're going to impart on them.'"
Ideally, the supplier of temporary labor should provide context on the impact to quality and potential risk associated with the activities workers perform, says Crosby.
A temporary staffing firm that trains workers would be a good choice, Hamm says, so long as his team has the chance to evaluate the training program. He would also prefer a firm with ISO 13485 certification. "If we had two comparable firms providing the same service and one was certified to ISO 13485 and one was not, we'd probably go 13485," says his colleague Sarah Brown, compliance manager at GW Plastics.[15]
"We're Intertek; that's part of our business is certification, so we certainly strongly believe in standards, and the application of 13485 throughout the supply chain is a good way of showing control," says Crosby. However, he adds that it is not necessarily the only way. For instance, some suppliers may have ISO standards that apply to their specialty—such as ISO 17100 for translation services.[16] That can be an equivalent way of demonstrating quality control to an auditor. If a temporary labor firm had an in-house training function to educate workers on risk, FDA requirements and more, the performance of training also would demonstrate to auditors the firm is holding up its end of the risk management equation.
However, certification is certainly a more explicit way of showing control than other methods. "It is a good baseline that shows an operating system," says Crosby. "You basically have shown me that your supplier understands medical device, has a quality management system and what you would need to show me is that you have given them the information that they need, information on your device or the components of your device or the service that you're providing so that they can give you back the pieces you need with quality."
In an article published last year in QMed,[17] Jim Ready, the manager of quality and regulatory systems at Nypro, Inc., said "A temporary labor company that holds an ISO 13485 certification demonstrates that they understand the specific quality and regulatory requirements of the medical device manufacturing environment and have made the commitment to train their temporary workforce to meet those standards."
Suppliers with ISO 13485 certification will be well-positioned to suit the needs of device makers. Although certification is not the only criterion companies should use in selecting a supplier, it is certainly an important one. Device makers are responsible for the risk their suppliers contribute to their products and certification to this standard is a signal a supplier is committed to mitigating risk.
References
- ISO 13485:2016. Medical Devices—Quality Management Systems—Requirements for Regulatory Purposes. ISO website. http://www.iso.org/iso/catalogue_detail?csnumber=59752. Accessed 16 November 2016.
- Conversation with Alexander Crosby, September 2016.
- Conversation with Darrell Lehman, June 2016.
- Op cit 1.
- Swanson, M. "The Differences and Similarities Between ISO 9001:2015 and ISO 13485:2016." BSI Group. White Paper.
- FDA Quality System (QS) Regulation/Medical Device Good Manufacturing Practices. Part 820-CFR-Code of Federal Regulations Title 21. FDA website. http://www.fda.gov/medicaldevices/deviceregulationandguidance/postmarketrequirements/qualitysystemsregulations/. Accessed 16 November 2016.
- Conversation with Terry Hamm, July 2016.
- Medical Device Single Audit Program (MDSAP) AS F0016.5.003: On-Site Assessment Report Form. FDA website. http://www.fda.gov/MedicalDevices/InternationalPrograms/MDSAPPilot/ucm377581.htm. Accessed 16 November 2016.
- Op cit 1.
- Conversation with Mike Delpha, July 2016.
- Quality Management System-Medical Devices-Guidance on the Control of Products and Services Obtained from Suppliers. IMDRF website. http://www.imdrf.org/docs/ghtf/final/sg3/technical-docs/ghtf-sg3-n17-guidance-on-quality-management-system-081211.pdf. Accessed 16 November 2016.
- Op cit 9.
- Proposal for a Regulation of the European Parliament and of the Council on Medical Devices and Amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009. http://data.consilium.europa.eu/doc/document/ST-9364-2016-REV-3/en/pdf. Accessed 16 November 2016.
- Conversation with Sarah Brown, July 2016.
- ISO 17100:2015 Translation Services—Requirements for Translation Services. ISO website. http://www.iso.org/iso/catalogue_detail.htm?csnumber=59149. Accessed 16 November 2016.
- Ready, J. "Four Ways to Ensure Your Temp Workers Preserve Quality." QMed. 2 April 2015.
About the Author
Walt Murray is CEO of ARC Experts LLC, a direct network of seasoned consultants in business, quality, EH&SMS and strategic growth for life science companies.
Cite as: Murray, W. "How Will ISO 13485:2016 Impact Your Relationship With Suppliers?" Regulatory Focus. November 2016. Regulatory Affairs Professionals Society.