The ISO 13485 standard represents a Quality Management System base for many regulatory schemes.
With the recent publication of the new Medical Device and In Vitro Diagnostic Regulations, the regulatory framework surrounding Medical Devices evolves and re-enforces the control of external parties (Suppliers, Subcontractors).
The newest revision of the ISO 13485 standard published in March 2016 aims in the very same direction.
What is a Supplier?
There is no specific definition of "Supplier” in the ISO 13485 QMS standard.
The standard however refers back to the definitions given in ISO 9000:2015.
According to ISO 9000:2015, a Supplier is "an organization that provides a product or a service”.
ISO 13485:2016 specifies that a product is the "result of a process” and that it includes "services, software, hardware and processed material”.
If we translate it to the Medical Device industry, Suppliers include, for example:
- Raw material suppliers
- Sub-assembly suppliers
- Design/Manufacturing Subcontractors
- Any other service providers
What are the responsibilities of the Organization/Manufacturer?
In the Quality Management System section of the ISO 13485 standard (4.1), the following was and is still stated:
"When the organization chooses to outsource any process that affects product conformity to requirements, it shall monitor and ensure control over such processes”.
Control of outsourced process is not a new requirement; precisions were however added in the 2016 revision of the ISO 13485 standard. These precisions are that: "the organization shall retain responsibility of conformity to this International Standard and to customer and applicable regulatory requirements for outsourced processes. The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with 7.4. The controls shall include written quality agreements”.
It clarifies the fact that the organization that subcontracts the activity remains responsible for it. It also formalizes the approach under which controls shall be implemented using a Risk-based approach.
Section 7.4 of ISO 13485:2016 is then giving more directions for organizations on the Purchasing process, including Suppliers’ control.