Establish Quality Management System
SOP Purchasing
Qualify and manage suppliers ensuring purchased products meet quality requirements and regulatory standards.
Summary
Your Purchasing SOP establishes systematic processes for qualifying, evaluating, and managing suppliers to ensure that all purchased products and services meet quality requirements and do not compromise the safety, performance, or regulatory compliance of your medical devices.Why is SOP Purchasing important?
Purchasing controls exist because regulators recognize that supply chain quality directly impacts device safety and performance. Poor quality components or services can introduce risks that may not be detected until devices reach patients. The SOP ensures that third-party suppliers meet the same quality standards that apply to your internal processes. Your purchasing system demonstrates systematic supplier management rather than ad-hoc procurement decisions. It provides traceability for quality issues, enables effective corrective actions when supplier problems occur, and ensures consistent quality regardless of personnel changes. This protects both patients and your organization from supply chain-related quality failures.Regulatory Context
Under 21 CFR Part 820 (Quality System Regulation):
- Purchasing controls mandatory under Section 820.50
- Must evaluate and select suppliers based on ability to meet requirements
- Purchasing data must adequately describe product specifications
- Suppliers must notify of changes that affect conformance
- Incoming inspection and testing required under Section 820.80
Special attention required for:
- Change notification agreements with critical suppliers
- Incoming inspection requirements for purchased products
- Supplier audit and surveillance documentation
- Traceability requirements for purchased materials
Guide
Your Purchasing SOP establishes controlled procurement processes that ensure supply chain quality while maintaining efficiency. Focus on risk-based approaches that apply appropriate controls without creating unnecessary bureaucracy.Supplier Classification and Criticality Assessment
Implement systematic criteria for determining supplier criticality based on potential impact on device safety, performance, and regulatory compliance. Classify suppliers as critical if their products or services directly affect device characteristics or if no alternative suppliers exist. Apply enhanced controls only where justified by risk. Create clear definitions for critical versus non-critical suppliers with consistent application across your organization. Document criticality assessments to provide auditors with evidence of your risk-based approach to supplier management.Supplier Qualification and Evaluation
Develop standardized qualification processes that evaluate supplier capability, quality systems, resources, and performance history. Create qualification checklists and scoring systems that provide objective assessments while allowing flexibility for different supplier types and risk levels. Establish qualification criteria covering technical capability, quality system maturity, regulatory compliance, and business stability. Include verification methods such as documentation review, facility audits, or sample testing based on supplier criticality and risk assessment.Approved Supplier List Management
Maintain an Approved Supplier List (ASL) that provides clear status for all qualified suppliers including approval status, criticality classification, and any special requirements or restrictions. Include surveillance requirements and re-evaluation schedules based on supplier performance and risk level. Implement version control for your ASL with clear approval authority and change control procedures. Include procedures for adding new suppliers, updating existing supplier status, and removing or blocking suppliers when performance issues arise.Purchasing Controls and Documentation
Establish systematic purchasing procedures that ensure only approved suppliers are used for critical components or services. Create purchasing documentation requirements that adequately describe product specifications, acceptance criteria, and quality requirements. Include change notification agreements with critical suppliers requiring advance notice of any changes that could affect product conformance. Establish procedures for evaluating supplier-initiated changes and updating your own documentation when necessary.Incoming Inspection and Verification
Implement risk-based incoming inspection procedures that verify purchased products meet specified requirements. Establish inspection criteria, sampling plans, and acceptance procedures appropriate for different product types and supplier risk levels. Create nonconformance procedures for handling substandard purchased products including supplier notification, return processes, and impact assessment on your quality system. Include procedures for updating supplier evaluations based on incoming inspection results.Supplier Surveillance and Continuous Monitoring
Establish ongoing surveillance procedures for monitoring supplier performance including delivery performance, quality metrics, and compliance status. Implement annual supplier reviews that evaluate performance trends and update criticality assessments. Create procedures for responding to supplier performance issues including corrective action requests, enhanced surveillance measures, and supplier blocking when necessary. Include supplier performance data in management review reporting for trend analysis.Example
Scenario
MedTech Solutions needs to qualify cloud hosting services for their diabetes monitoring app and establish purchasing controls for critical software components and third-party services that could impact device performance or data security.Purchasing System Implementation
Supplier Criticality Assessment:- Cloud Hosting Provider: Critical (directly affects device availability and data security)
- Analytics Software: Critical (affects glucose calculation accuracy)
- Marketing Agency: Non-critical (no impact on device performance or safety)
- Legal Services: Non-critical (no direct impact on product quality)
- Technical Capability: Review infrastructure specifications, uptime guarantees, disaster recovery procedures
- Quality System: Evaluate ISO 27001 certification, SOC 2 Type II compliance, change management procedures
- Regulatory Compliance: Verify GDPR compliance, data residency requirements, security certifications
- Business Stability: Review financial statements, customer references, service level agreements
- Scoring: Rate each category 0-3, calculate average score of 2.8 (approved with surveillance)
- Service Specifications: Detailed SLA requirements, uptime guarantees, data backup procedures
- Acceptance Criteria: Performance monitoring thresholds, security audit requirements
- Change Notification: 30-day advance notice for infrastructure changes affecting service
- Quality Requirements: Compliance with medical device data handling requirements
- Monthly Performance Review: Uptime monitoring, security incident tracking, SLA compliance
- Quarterly Business Review: Service performance discussion, upcoming changes, improvement planning
- Annual Assessment: Full re-evaluation of qualification criteria, contract renewal process
- Continuous Monitoring: Automated alerting for service disruptions, security notifications
| Supplier | Category | Criticality | Status | Last Evaluation | Next Review | Surveillance |
|---|---|---|---|---|---|---|
| CloudHost Pro | Infrastructure | Critical | Approved | 2024-03-15 | 2025-03-15 | Monthly SLA review |
| DataAnalyze Inc | Software | Critical | Approved | 2024-02-20 | 2025-02-20 | Quarterly audit |
Q&A
How do I determine if a supplier is critical?
How do I determine if a supplier is critical?
Classify suppliers as critical if their products or services could directly impact device safety, performance, or regulatory compliance, or if they provide unique capabilities with no alternative suppliers available. Use systematic criteria and document your assessment rationale. Non-critical suppliers have no direct impact on device quality characteristics.
What information should be included in purchasing documentation?
What information should be included in purchasing documentation?
Include product specifications, acceptance criteria, quality requirements, and any special handling or storage requirements. For critical suppliers, add change notification requirements and quality system expectations. Ensure purchasing information adequately describes what you need to verify conformance to requirements.
How often should suppliers be re-evaluated?
How often should suppliers be re-evaluated?
Re-evaluate critical suppliers at least annually or when significant performance issues occur. Non-critical suppliers can be evaluated less frequently based on risk and performance history. Include supplier performance trends in management review for systematic oversight and continuous improvement.
What should be done when incoming products don't meet requirements?
What should be done when incoming products don't meet requirements?
Follow your nonconforming product control procedures, notify the supplier, and assess impact on your operations. Update the supplier’s evaluation score and consider enhanced surveillance or corrective action requirements. Document the nonconformance for trending analysis and supplier performance tracking.
What surveillance measures are appropriate for critical suppliers?
What surveillance measures are appropriate for critical suppliers?
Use risk-based surveillance including incoming inspection, performance monitoring, periodic audits, or quality assurance agreements. Higher-risk suppliers may require on-site audits, while lower-risk suppliers might only need performance monitoring. Tailor surveillance to supplier criticality and performance history.
How do I handle supplier-initiated changes?
How do I handle supplier-initiated changes?
Require advance notification for any changes that could affect product conformance, especially from critical suppliers. Evaluate each change for impact on your device requirements and update your own documentation as necessary. Include change notification requirements in supplier agreements and purchasing contracts.