As an OEM, it is your responsibility to ensure the parts supplied to you are compliant with ISO regulations. That is no easy task. Ideally, your supplier’s quality systems are strong enough to identify risks, prevent defects, and to catch defects quickly if they do occur. This requires a robust quality management system.

In addition to the above ongoing elements, OEMs also need to be confident that their medical device suppliers are on track to meet the deadline for the upgraded ISO standards. With the deadline looming, how can you have confidence that your suppliers will be certified on time and not leave you with the crisis of an uncertified supplier?

This article — the first of two parts — provides a framework for evaluating medical device suppliers for two elements of quality: ISO certification and risk management for product realization. The second article will cover two additional elements of quality: the CAPA program and the cultural aspects of quality. Together, these four areas paint the big picture for what is required for an effective quality system.

Is Your Supplier On Track To Meet The ISO Deadline

Both the ISO 9001 and 13485 standards are being upgraded. OEMs will want to know whether their suppliers are on track to meet either the September 2018 deadline for ISO 9001 or the March 2019 deadline for ISO13485.

The main goal of the new standards is to upgrade supplier risk management. One way to do this is with a stronger focus on the need for controls throughout the supplier’s processes. A preventive culture, as opposed to a reactive culture, is more likely to reduce the probability of a defective part reaching the patient.

To achieve certification by the deadline, suppliers will need to efficiently use the time allotted and have a good plan. The deadline may seem distant, but the steps needed to become certified will require efficient use of the time remaining.

Many suppliers have questions about how to get started or what approach to take. We’ll describe two common approaches:  the internal team approach and the consultant approach.

The Internal Quality Team Approach

This approach can be used when the supplier has the internal resources available to handle the certification process. With this approach, generally the supplier appoints a Quality Management Representative to lead the certification project. Four important steps are needed to prepare for the upgrade.

When it Comes to Evaluating the Quality Systems of Your Medical Device Supplier, Where do you begin?

An effective quality program includes four critical elements:

  • Certification to ISO standards,
  • Risk management for product realization,
  • A strong CAPA (corrective and preventive actions) program, and
  • A culture where quality is a top priority, and operations and engineering functions work collaboratively to achieve quality.

In addition to the above ongoing elements, OEMs also need to be confident that their medical device suppliers are on track to meet the deadline for the upgraded ISO standards. With the deadline looming, how can you have confidence that your suppliers will be certified on time and not leave you with the crisis of an uncertified supplier?

This article — the first of two parts — provides a framework for evaluating medical device suppliers for two elements of quality: ISO certification and risk management for product realization. The second article will cover two additional elements of quality: the CAPA program and the cultural aspects of quality. Together, these four areas paint the big picture for what is required for an effective quality system.

As an OEM, it is your responsibility to ensure the parts supplied to you are compliant with ISO regulations. That is no easy task. Ideally, your supplier’s quality systems are strong enough to identify risks, prevent defects, and to catch defects quickly if they do occur. This requires a robust quality management system.

Contact the Notified Body as Needed for Guidance

Every supplier with an ISO certification is assigned a notified body. The notified body is the main point of contact during the transition process. The notified body is the company that audits against the new standards and will ultimately grant the certification. It can advise on the proper steps to follow and provide the checklists that will be used to evaluate the supplier. The supplier can ask the notified body to do an on-site assessment to determine if the current quality system can meet the new standard. While the notified body will guide the supplier through the transition, it is the supplier’s responsibility to proactively seek the input of the notified body as needed.

Attend a Transition Course

This course educates the Quality Management Representative about the changes and requirements needed to meet the new standard.

Become Lead Auditor Certified for the new Standard

This course teaches the Quality Management Representative how to audit to the new standard.

Perform the Gap Analysis

This analysis compares the requirements for the new standard against the supplier’s current procedures. The gaps between the two define where focus is needed for certification.

The Consultant Approach

When internal resources and/or expertise are lacking, suppliers may choose to hire a consultant to manage the certification process. The consultant has already attended the transition course, is certified as a lead auditor, can perform a gap analysis at your location, and get you moving in the right direction. The consultant can add depth of expertise when it is lacking internally. Often, consultants bring a wealth of knowledge and experience from their exposure to other companies. This approach can also streamline the process since the consultant already has the necessary coursework and certification to lead the process.

Regardless of what approach is used, it can be tempting to delay the project because the deadline seems generous. Delaying the project is a huge mistake. The time allotted by regulatory bodies is the time needed to successfully complete the certification by the deadline.

As an OEM, should you have confidence in your suppliers’ ability to meet the certification deadline? By this time, suppliers that are ISO 9001 certified should have had their first or second assessment performed to identify the gaps in their quality system that don’t meet the new standard. Suppliers that are ISO 13485 certified should already have a plan in place to achieve certification on time. The gap analysis should be done. Suppliers should be considering the lead auditor course and the transition course. Internal deadlines should be already be set, outlining the timeline for how the supplier will reach the big goal on time.

Risk Management For Product Realization

ISO standards require suppliers to have processes in place for risk management. This includes tools to assess the level of risk and plans for how to mitigate high-risk situations. The regulatory guidance for exactly how to manage risk is intentionally vague. This vague approach empowers suppliers to use whatever tools and processes are necessary to manage risk.

The effectiveness of supplier risk management plans can vary greatly among suppliers. When a defect occurs a second or even third time, the lack of properly identifying true cause of risk may be to blame. Certainly, experience is one way to learn to properly identify risk. 

The examples above are just a few of the many ways to incorporate risk management in your quality management system. Wherever there is risk, there must be a process to mitigate it.

Below is an example of a risk management tool called a pFMEA (Product or Process Failure Mode Effects Analysis). This tool is designed to identify potential risk or failure(s) in each process step, understand the effects of the risk or failure(s), define what can cause the risk or failure(s) to occur, and evaluate any current preventive controls in place to detect the risk or failure(s). The pFMEA also aids in understanding the severity of the risk or failure(s) and the potential frequency of the risk or failure(s), and uncovers the need for additional detection methods to mitigate the risk and failure(s).

Risk Management For Product Realization

ISO standards require suppliers to have processes in place for risk management. This includes tools to assess the level of risk and plans for how to mitigate high-risk situations. The regulatory guidance for exactly how to manage risk is intentionally vague. This vague approach empowers suppliers to use whatever tools and processes are necessary to manage risk.

The effectiveness of supplier risk management plans can vary greatly among suppliers. When a defect occurs a second or even third time, the lack of properly identifying true cause of risk may be to blame. The above examples are just a few of the many ways to incorporate risk management in your quality management system. Wherever there is risk, there must be a process to mitigate it.

Below is an example of a risk management tool called a pFMEA (Product or Process Failure Mode Effects Analysis). This tool is designed to identify potential risk or failure(s) in each process step, understand the effects of the risk or failure(s), define what can cause the risk or failure(s) to occur, and evaluate any current preventive controls in place to detect the risk or failure(s). The pFMEA also aids in understanding the severity of the risk or failure(s) and the potential frequency of the risk or failure(s), and uncovers the need for additional detection methods to mitigate the risk and failure(s).

What else can be done to speed up the learning curve and create effective risk management plans?

A good place to start is by benchmarking how other similar suppliers manage risk. There is no need to start from a blank page on a risk management plan when other component manufacturers have already figured this out. One key to successful risk management is to incorporate it throughout product realization. A strong risk management program starts with the initial customer contact, also called the feasibility stage, and continues throughout the entire process. In the feasibility stage, the supplier considers risk with such questions such as:

Do we have the right capabilities? Do we have the right machines?  Can we order the right material? Do we have the ability to detect defects? Next, resources are evaluated. Do we have the resources to produce this part? Can we produce it at the volume needed? Risk is further managed during receiving by inspecting incoming materials. Another way to reduce risk is by evaluating suppliers prior to selection.

Experience is one way to learn to properly identify risk. 

But, what else can be done to speed up the learning curve and create effective risk management plans?

  • A good place to start is by benchmarking how other similar suppliers manage risk. There is no need to start from a blank page on a risk management plan when other component manufacturers have already figured this out.
  • One key to successful risk management is to incorporate it throughout product realization. A strong risk management program starts with the initial customer contact, also called the feasibility stage, and continues throughout the entire process. In the feasibility stage, the supplier considers risk with such questions such as: Do we have the right capabilities? Do we have the right machines?  Can we order the right material? Do we have the ability to detect defects? Next, resources are evaluated. Do we have the resources to produce this part? Can we produce it at the volume needed? Risk is further managed during receiving by inspecting incoming materials. Another way to reduce risk is by evaluating suppliers prior to selection.

OEMs will want to understand what risk management tools their suppliers or potential suppliers are using and how the tools are being used. Some suppliers will mention the use of multiple risk management tools such as pFMEA, but may not be using them correctly, or may not make it an internal requirement. Does the supplier initiate the use of risk management tools, or is it done only upon customer request? The answer to this question will indicate whether or not risk management is incorporated into the Quality Management System.

 

ABOUT THE AUTHOR

Leo Gelera, Quality Manager

Leo joined FMI March of 2012. Leo began his career in medical device manufacturing specifically working for Abbott and Baxter Healthcare.  He dedicated his time to various Quality roles focusing on Quality System Improvements, Regulatory Compliance, and Lean Six Sigma Disciplines. He is a Certified Lead Auditor to the International Standards of Organization specific to Medical Devices as well as the FDA Code of Federal Regulation Requirements. Dedicated to Quality, Leo brings 15 years of Quality experience to FMI. He holds an Executive MBA in Risk Management from Colorado State University and is the appointed Quality Management Representative for the FMI Establishment.