Medical Device Acquisition and Supplier Audit Checklist

Evaluating and selecting suppliers are integral parts of medical device acquisition and supplier audit processes, and ISO 13485 clause 7.4.1 dictates that medical device manufacturers must establish procedures to evaluate and select suppliers.

Reviewing supplier evaluation procedures should encompass several steps. First, ensure that a management representative has been appointed and their responsibilities and authorities clearly defined, documented, and implemented.

Purchasing Process
Purchase controls must be established and maintained to ensure suppliers provide high-quality materials and services. Audit teams must vouch that a process has been established and documented, with its requirements communicated to suppliers.

Determining whether nonconforming product and complaint reports relating to provided products are being properly investigated in order to identify their root causes is one of the tasks for medical device organizations that is intended to address product problems effectively.

Verify that procedures have been identified, documented, and implemented for controlling documents and records required by a medical device organization’s QMS. Also confirm that records and at least one copy of controlled documents will be kept for at least two years by this medical device organization. Finally, ensure there are procedures in place for evaluating supplier quality performance such as using a vendor scorecard.

Quality Management System (QMS)
A Quality Management System (QMS) enumerates policies, processes, and procedures a medical device company must abide by to ensure their products meet customer and regulatory expectations as well as track and address product defects effectively.

Corrective and Preventive Action (CAPA) processes are an integral component of medical device companies’ Quality Management Systems (QMS). CAPA processes involve steps for identifying defective parts during production processes, isolating them, determining their root causes, and making improvements that prevent similar issues from arising again.

Approved Supplier List (ASL). This essential component of a Quality Management System identifies suppliers that have been approved to supply medical devices and supplies to a company, providing information about each one’s quality system, workplace environment and cGMP compliance as well as any other criteria relevant to them. Medical device companies often require their suppliers maintain up-to-date ASLs as part of their internal supplier management processes.

Regulatory Requirements
Organizations should develop procedures to ensure purchased product conforms with specified purchasing information, which may involve monitoring and reevaluating suppliers as well as recording any actions arising from these activities.

If a supplier is considered high risk in terms of their quality, regulatory or business risk issues, they should be visited regularly – this applies to critical component suppliers, contract manufacturers and sterilization facilities alike.

Your approved suppliers list (ASL) should always remain up-to-date. A supplier could have gone out of business or been bought out and changed names. When purchasing from them again, their status should reflect this change on your ASL so you know they can do the job properly. A supplier performance scorecard or vendor scorecard may help; these tools divide suppliers into quantifiable categories and factors for evaluation.

Risk Assessment
Risk evaluation helps assess potential accidents, their probability, and any resulting consequences, while setting tolerance levels for these events. It forms an essential part of quality management systems.

Verify that during an audit of a medical device organization’s Management, Measurement, Analysis and Improvement and Design and Development processes that it has established an efficient system for collecting data from various sources that could help detect product and quality issues; such as service records or installation reports.

Check to make sure the medical device company has an established process for reviewing individual adverse event reports and post-production information to meet reporting requirements of MDSAP regulatory authorities, and assess if there is an internal mechanism for handling complaints not mandated for reporting by regulatory authorities.

As part of an audit of Design and Development process, ensure that the medical device organization possesses standard operating procedures for designing new products or modifying existing devices to comply with all MDSAP requirements. Furthermore, check that there is a method of notifying relevant MDSAP regulatory authorities when devices change are implemented or modified.