Auditing your suppliers

If you are developing any sort of electronic device, it’s a good idea to audit your manufacturing suppliers. Not only do you want to ensure that they are manufacturing your device in the way you specified, but you also want to ensure the risks to your business and your customers are minimised.


As a supplier of contract medical device manufacturing services, Circuitwise is regularly audited and we audit our own suppliers as well, so we know a lot about the process. In this article, we share some of our knowledge and outline the role of audits in the development and manufacture of medical devices as set out in the ISO 13485 quality management standard.


Non-medical companies often have to comply with similar requirements for supplier auditing set out in ISO 90001. Even if your business does not have a quality system, the principles set out here are well worth applying.


Let’s start with being clear about who the “Manufacturer” of a medical device is. The Manufacturer is the person or company whose name goes on the box. It doesn’t matter if you are a virtual manufacturer, outsourcing every aspect of your product development and manufacturing. If you are the one marketing the product you are responsible for every aspect of the device. So you need to ensure your outsourced suppliers (including internal suppliers if you have a manufacturing division), are doing everything correctly on your behalf. That’s where quality control and auditing comes in.


ISO 13485 does not actually specify the need for audits of external suppliers (it does for internal audits). Rather, it specifies the need to control the purchasing process and verification of purchased products, as set out in section 7.4. However, audits are the accepted way of achieving these aims.


The main purpose of purchasing control is to ensure that the products, or sub-assemblies delivered, are in conformity to requirements. Processes that can affect conformity to requirement relates to everything from the design and development process, to the manufacturing process, distribution, and the quality system managing it.


Purchasing controls include supplier evaluation and selection, supplier management procedures and agreements, change controls, effective management of the risks associated with the outsourced manufacturing and procedures for verification of the delivered products or services.


A key element of the purchasing controls is the identification of critical suppliers. A critical supplier is one whose product or service could cause unreasonable risk to users or degradation in your product’s performance if it failed to meet its specified requirements. It is important to document your rationale for whether a supplier is critical or not, as regulatory authorities will look closely at the nature of your audit for each supplier, particularly any decision not to audit an ordinary supplier.


For active medical devices, typically electromechanical devices with embedded firmware, there are many parts that can affect the safety and performance of your device. A Failure Mode and Effects Analysis during the design phase of the product will go a long way to informing the criticality of your suppliers. Suppliers can then be categorised according to risk.


With these controls in place, the next step is to determine how best to audit a supplier. There is a range of stringency in audits, from simple surveys and supply of information to multi-day onsite inspections of manufacturing processes and the entire quality system. The choice of audit method should correspond to the criticality of the supplier.


Increasingly, audits are being conducted remotely, due to global auditing bodies and the effects of the pandemic. However, in some circumstances, the audit must take place at the supplier premises.


The factors leading to on-site audits can range from identified corrective actions relating to process control, customer complaints, the risk arising from critical items or in circumstances where the supplier cannot provide documented evidence of conformity to requirements (e.g. sterilisation of a device can’t be proven by inspection, only by demonstrating the process). The key thing is to document the rationale behind your decision to audit remotely or on-site.


One key point to note is if your supplier has been audited by a trusted third-party certified, such as a European Notified Body, then this third party will have done a lot of the work for you. Much of your audit can consist of simply reviewing the most recent audit report from the Notified Body. Your own audit then only has to cover any gaps in information that you want. So finding suppliers that are already certified to an ISO 13485 or ISO 9001 Quality Management System is a big plus.


The objective of the audit itself is to verify two things. Firstly, that the Manufacturer’s supplier controls are working. Secondly, that the supplier is able to provide a product or service that consistently meets the specified product requirements, as well as quality requirements. You are looking to ensure there are no surprises or unwarranted variability in the outcomes you are looking to achieve.


If an audit does uncover issues, then typically you will work together to agree on what corrective actions will be effective or even undertake root cause analysis. This will be followed up by adjustments to the product or process control plans and training programs for staff.


There is a lot of guidance on how to formulate an effective audit and you can even purchase checklists online. The practical process usually consists of asking the supplier a whole series of questions, typically aimed at demonstrating compliance with some particular clause of a standard and/or the quality agreement you have in place with them.


For medical devices, an audit will cover all requirements ISO 13485 that are relevant to suppliers, as well as any key standards specific to the manufacturing process. For example, in PCB assembly the key standard is IPC610. If you were auditing a supplier of ethylene oxide sterilisation for healthcare products the audit would include questions relating to ISO 11135-1.


PCB assembly lines at Circuitwise Electronics Manufacturing

Audits don’t necessarily cover every aspect of every standard. Normally the audit is crafted to be as useful as possible in targeting areas of concern. It may also pick out areas at random, just to check for unexpected flaws in the system.


One item that is useful to include in audits is to require evidence of the financial health of an organisation. If your critical supplier goes into liquidation, then your critical components are at risk of not being delivered.


At the end of each audit process, a report must be generated for the QMS records.

The frequency of auditing suppliers will relate to the criticality of the product/service being supplied and when any certifications provided by third-party audits of quality systems expire. Critical suppliers should be audited at least annually. It’s important to keep a track of when audits are due so they are not missed and you can prepare for them well in advance.


If you are distributing a medical product in Europe, your ISO 13485 quality management system will need to be audited by a notified body, which is an independent certifier accredited by a number of European governments. A key point to note is that these bodies can conduct unannounced spot audits at any time and these extend to any of your suppliers.


All of the above may seem like a lot of work, and it is. However, you need to keep in mind the purpose of auditing your suppliers. Ideally, you want your contract suppliers to be a seamless extension of your own business, your manufacturing division. You want them to be working as efficiently and effectively as possible doing exactly what you would do if they were in-house. In fact, ISO 13485 is very explicit in requiring that a manufacturer is in total control of its suppliers’ processes. Auditing is simply a rigorous method for ensuring you get this outcome and is well worth the effort.