GP-010 Purchases and suppliers evaluation

Procedure flowchart

Purpose

To describe a systematic procedure for the evaluation and approval of suppliers, as well as their periodic re-evaluation.

Scope

All suppliers of software products and cloud services whose performance may directly or indirectly affect the quality of the medical device software we develop.

Definitions

  • Software supplier: Organization providing software products, libraries, APIs, or cloud services.
  • Cloud service provider: Supplier providing SaaS, PaaS, or IaaS services.
  • SOUP (Software of Unknown Provenance): Third-party software that was not developed for the purpose of being incorporated into the medical device, or for which adequate development records are not available (in the sense of IEC 62304).

Responsibilities

JD-001 General Manager (GM)

  • To validate the suppliers' evaluation.
  • To approve the need for a new supplier.

JD-004 Quality Manager (QM)

  • To propose and perform the evaluation of suppliers.
  • To manage the approved suppliers list.
  • To manage possible nonconformities related to suppliers.

JD-005 Technical Manager & Person Responsible for Regulatory Compliance (PRRC)

  • To review the supplier evaluation.

JD-003 Design & Development Manager

  • To request and collect the necessary information to evaluate and re-evaluate suppliers.

Inputs

  • Need for a product or service from a supplier.

Outputs

  • R-010-001 Suppliers evaluation - Detailed evaluation scorecard for each supplier
  • R-010-002 Approved suppliers list - Summary list of all approved suppliers with approval history

Development

1. Need for a supplier

When a need for a product or service is identified, anyone in the organization can communicate this need to the JD-001, who will study it. If the need is approved, the process of supplier selection and evaluation begins.

2. Types of supplier

To understand the classification of suppliers, there are two dimensions to consider:

  1. Whether the supplier has an impact on the quality of the device (its safety or its performance) and whether or not the risk of that impact is fully controlled
  2. Whether or not the supplier offers a commercial and standardised product

The proposed taxonomy categorizes suppliers into 6 distinct classes, as the following matrix shows:

| | No impact to quality | Impacts quality, but it's controlled | Impacts quality and is not controlled |
|---|---|---|---|
| Commercial and fully standardised | Non-Impact Vendor (NIV) | Controlled Impact Vendor (CIV) | High-Risk Impact Vendor (HRIV) |
| Non-commercial nor fully standardised | Non-Impact Subcontractor (NIS) | Controlled Impact Subcontractor (CIS) | High-Risk Impact Subcontractor (HRIS) |

Examples for software suppliers

| Supplier Type | Examples |
|---|---|
| NIV | Google Workspace, Slack, generic office tools |
| CIV | GitHub, AWS, Azure, CI/CD platforms |
| NIS | UX/UI design consultants |
| CIS | Software development consultants, QMS consultants |
| HRIV/HRIS | Not approved - find alternative |

Relationship with GP-019

For software suppliers, two parallel processes apply:

  • GP-010: Evaluates the supplier organization (capacity, certifications, reliability)
  • GP-019: Validates the software product (functionality, configuration, requirements)

Both approvals are required before using external software that impacts the medical device or QMS.

3. Minimum required score

Based on the supplier category, the following minimum scores are required for approval (out of the 14 points available in the supplier scorecard below):

| Supplier type | Required score |
|---|---|
| Non-Impact Vendor (NIV) | ≥6 |
| Controlled Impact Vendor (CIV) | ≥8 |
| Controlled Impact Subcontractor (CIS), Non-Impact Subcontractor (NIS) | ≥9 |
| High-Risk Impact Vendor (HRIV) or Subcontractor (HRIS) | Can't be approved |

4. Supplier evaluation

The JD-004 performs an evaluation of the suppliers based on the capacity, performance, risk and experience of each supplier. The evaluation is documented in R-010-001 Suppliers evaluation based on the following criteria:

Supplier scorecard

| Facet | Min score | Max score |
|---|---|---|
| Quality of services | 0 | 2 |
| QMS Certification | 0 | 2 |
| ISMS Certification | 0 | 2 |
| Affordable price | 0 | 2 |
| Experience | 0 | 2 |
| Technical capacity | 0 | 2 |
| International reach | 0 | 2 |

Scoring methodology

The supplier evaluation uses a two-tier scoring system:

Step 1 - Value Assessment (1-10 scale):

| Value Range | Interpretation |
|---|---|
| 1-4 | Poor/Unsatisfactory - Does not meet expectations or significant concerns identified |
| 5-7 | Acceptable/Average - Meets basic expectations with some limitations |
| 8-10 | Good/Excellent - Meets or exceeds expectations with strong evidence |

Step 2 - Score Conversion (0-2 scale):

| Value Range | Score | Interpretation |
|---|---|---|
| 1-4 | 0 | Does not meet criterion |
| 5-7 | 1 | Partially meets criterion |
| 8-10 | 2 | Fully meets criterion |

Special cases:

  • For binary criteria (e.g., QMS Certification, ISMS Certification), the Value may be recorded as TRUE/FALSE, with TRUE = Score 2 and FALSE = Score 0.
  • The evaluator shall document the rationale for the Value assigned in the Comments column.
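The following is an added example, not part of the GP-010 procedure or of the QMS tooling: a small evaluator that applies the two-tier scoring above (Value 1-10 to Score 0-2, TRUE/FALSE for the binary certification criteria, a mandatory rationale per facet) and then checks the total against the minimum required score of section 3, including the rule that HRIV/HRIS suppliers are never approved whatever their total. The function names, the shape of the returned record and the sample Values are this example's own assumptions.

```python
"""Scorecard evaluator for GP-010 sections 3 and 4 (added example, not QMS code)."""

# The seven facets of the supplier scorecard, each scored 0-2 (14 points max).
FACETS = (
    "Quality of services",
    "QMS Certification",
    "ISMS Certification",
    "Affordable price",
    "Experience",
    "Technical capacity",
    "International reach",
)

# Minimum required score by supplier type (section 3). None: cannot be approved.
MIN_SCORE = {"NIV": 6, "CIV": 8, "NIS": 9, "CIS": 9, "HRIV": None, "HRIS": None}


def value_to_score(value) -> int:
    """Step 2 conversion: Value 1-4 -> 0, 5-7 -> 1, 8-10 -> 2.

    Binary criteria may be recorded as TRUE/FALSE, mapped to 2/0. bool is
    checked first because in Python bool is a subclass of int.
    """
    if isinstance(value, bool):
        return 2 if value else 0
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"Value must be an int in 1..10 or a bool, got {value!r}")
    if value <= 4:
        return 0
    if value <= 7:
        return 1
    return 2


def evaluate(supplier: str, supplier_type: str, values: dict, comments: dict) -> dict:
    """Scores one supplier (one R-010-001 row) and decides approval.

    values:   facet -> Value (int 1-10, or bool for binary criteria)
    comments: facet -> rationale for the Value; required for every facet,
              as the procedure asks the evaluator to document it.
    """
    if supplier_type not in MIN_SCORE:
        raise ValueError(f"unknown supplier type {supplier_type!r}")
    missing = [f for f in FACETS if f not in values]
    if missing:
        raise ValueError(f"no Value recorded for: {missing}")
    unexplained = [f for f in FACETS if not comments.get(f, "").strip()]
    if unexplained:
        raise ValueError(f"rationale missing in Comments for: {unexplained}")
    scores = {f: value_to_score(values[f]) for f in FACETS}
    total = sum(scores.values())
    required = MIN_SCORE[supplier_type]
    # HRIV/HRIS have no threshold: never approved, regardless of the total.
    approved = required is not None and total >= required
    return {"supplier": supplier, "type": supplier_type, "scores": scores,
            "total": total, "required": required, "approved": approved}


# Constructed sample Values (hypothetical suppliers, not real evaluation records).
CIV_VALUES = {"Quality of services": 9, "QMS Certification": True, "ISMS Certification": True,
              "Affordable price": 6, "Experience": 9, "Technical capacity": 10,
              "International reach": 8}
NIS_VALUES = {"Quality of services": 8, "QMS Certification": False, "ISMS Certification": False,
              "Affordable price": 7, "Experience": 8, "Technical capacity": 8,
              "International reach": 5}


def same_comment(text: str) -> dict:
    """Helper for the sample: the same rationale text for every facet."""
    return {f: text for f in FACETS}


if __name__ == "__main__":
    for name, kind, vals in (("Example git hosting", "CIV", CIV_VALUES),
                             ("Example UX consultancy", "NIS", NIS_VALUES),
                             ("Example unvetted SaaS", "HRIV", CIV_VALUES)):
        r = evaluate(name, kind, vals, same_comment("see evidence folder"))
        verdict = "approved" if r["approved"] else "NOT approved"
        print(f"{r['supplier']} ({kind}): {r['total']}/14, needs {r['required']} -> {verdict}")
```

The third sample shows the point of the HRIV/HRIS row: the same Values that approve a CIV at 13/14 still do not approve a supplier whose impact on quality is not controlled, so the classification step must happen before the scorecard, not be inferred from it.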

Conclusions

Supplier approved

If the supplier meets the minimum required score for its category:

  • The supplier is added to R-010-002 Approved suppliers list
  • The evaluation details are documented in R-010-001 Suppliers evaluation
  • The supplier can be contracted for the required product or service

The approved suppliers list (R-010-002) includes:

  • Supplier code and name
  • Service/product provided
  • Supplier type (NIV, CIV, NIS, CIS)
  • Criticality classification (critical/non-critical)
  • Approval history by year (approval date, next review, status)

On-site audits not required

Because we carry out quality controls of finished products, and due to the classification of our device and the results of our risk analysis, we are not required to conduct on-site audits of our suppliers.

Supplier not approved

If the supplier does not meet the minimum required score for its category:

  • The supplier is not added to R-010-002 Approved suppliers list
  • The evaluation is documented in R-010-001 but marked as not approved
  • An alternative supplier must be identified and the evaluation process starts again

Security evaluation for IT suppliers (ENS op.pl.3, op.ext.2/3)

In addition to the general quality scorecard above, all suppliers with impact on the security of the information system (IT suppliers) undergo a separate annual security evaluation. This evaluation is required by the ENS (Esquema Nacional de Seguridad, Spain's National Security Framework) and is distinct from the general quality evaluation.

Scope

This security evaluation applies to all IT suppliers (not only critical ones), including cloud providers, communication providers, development tools, and any supplier whose service handles, transmits, or stores information of the system.

Security scorecard (5 criteria, 1-3 each)

| Criterion | Description | 1 (Deficient) | 2 (Acceptable) | 3 (Good) |
|---|---|---|---|---|
| Incident resolution | Quality and timeliness of incident resolution | Slow response, poor communication | Adequate response within SLA | Fast response, proactive communication |
| Contractual compliance | Compliance with contractual terms and SLAs | Frequent SLA breaches | Occasional minor breaches | Full compliance |
| Technical expertise | Demonstrated technical knowledge and capability | Insufficient expertise | Adequate expertise | Expert level, proactive recommendations |
| Security issues | Security incidents or vulnerabilities caused by the supplier | Multiple security incidents | Minor issues, well managed | No security incidents |
| Service availability | Availability of the service vs. committed SLA | Availability below SLA | Availability meets SLA | Availability exceeds SLA |

Total score: Sum of 5 criteria = maximum 15 points.

Threshold: A score ≥12/15 is required for continued approval. Suppliers scoring below 12 require a corrective action plan or replacement.

Approval of high-risk components by RSEG

When a supplier provides components classified as high-risk for information security (e.g., infrastructure providers, SIEM, EDR, identity management), the Responsable de Seguridad (Security Officer, RSEG) must approve the supplier before contracting, in addition to the standard evaluation. This approval verifies:

  • Certification or attestation status (ENS, ISO 27001, Common Criteria, LINCE, SOC 2)
  • Compensatory measures if no applicable certification exists
  • Acceptable risk level for the organization

Suppliers without security certification

For critical suppliers that do not hold ENS, ISO 27001, or equivalent security certification, the organization sends a security questionnaire adapted from the official INCIBE/ISMS Forum template. This questionnaire covers:

  • Security policies and governance
  • Access control measures
  • Encryption and data protection
  • Backup and recovery procedures
  • Incident management capabilities
  • Business continuity planning
  • Security training and awareness
  • Audit and compliance

The completed questionnaire is stored as evidence in the supplier's evaluation record. If the supplier's responses reveal significant security gaps, the RSEG determines whether compensatory measures are sufficient or if an alternative supplier must be found.

Monitoring critical supplier SLAs (quarterly)

For the critical providers listed below (currently AWS, Google Workspace and GitHub), the organization performs quarterly SLA tracking:

| Provider | Service | Committed SLA | Status page |
|---|---|---|---|
| AWS | Cloud infrastructure (ECS, S3, DocumentDB, etc.) | 99.99% availability | https://health.aws.amazon.com/health/status |
| Google Workspace | Email, Drive, collaboration tools | 99.9% availability | https://www.google.com/appsstatus/dashboard/ |
| GitHub | Source code repository, CI/CD | 99.9% availability | https://www.githubstatus.com/ |

Quarterly process:

  1. The Responsable del Sistema (System Officer) checks the status pages and availability reports of each critical provider.
  2. Actual availability is compared against the committed SLA.
  3. Any incidents or SLA breaches are documented.
  4. The quarterly data feeds the annual security evaluation score (criterion: Service availability).
  5. The annual average availability is reported in the Quality Indicators (R-002-003).
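The following is an added example, not part of GP-010 or of the QMS tooling, that carries the quarterly process through to the annual security score: each quarter's measured availability is compared with the committed SLA from the table, breaches are recorded, the annual average is computed, the "Service availability" criterion (1-3) is derived from it, and the five security criteria are totalled against the 12/15 threshold. The quarterly availability figures are constructed sample data, not real measurements, and the function names are this example's own.

```python
"""Quarterly SLA tracking feeding the annual security scorecard (added example)."""
import math

# Committed SLAs from the table above, in percent availability.
COMMITTED_SLA = {"AWS": 99.99, "Google Workspace": 99.9, "GitHub": 99.9}

SECURITY_CRITERIA = ("Incident resolution", "Contractual compliance",
                     "Technical expertise", "Security issues", "Service availability")
SECURITY_THRESHOLD = 12  # out of 15


def _meets(actual: float, committed: float) -> bool:
    """Float-safe 'equals the SLA' check; percentages are rarely exact binary floats."""
    return math.isclose(actual, committed, abs_tol=1e-6)


def availability_criterion(annual_average: float, committed: float) -> int:
    """Service availability criterion: 1 below SLA, 2 meets SLA, 3 exceeds SLA."""
    if _meets(annual_average, committed):
        return 2
    return 1 if annual_average < committed else 3


def track_quarters(provider: str, quarterly: dict) -> dict:
    """quarterly: {"Q1": 99.95, ...} measured availability per quarter, in percent."""
    committed = COMMITTED_SLA[provider]
    # Step 2/3: compare each quarter with the SLA and document the breaches.
    breaches = sorted(q for q, a in quarterly.items()
                      if a < committed and not _meets(a, committed))
    # Step 4/5: the annual average feeds the criterion and the Quality Indicators.
    annual = sum(quarterly.values()) / len(quarterly)
    return {"provider": provider, "committed": committed, "breaches": breaches,
            "annual_average": round(annual, 4),
            "availability_criterion": availability_criterion(annual, committed)}


def security_score(criteria: dict) -> dict:
    """Sums the five 1-3 criteria; below 12 requires corrective action or replacement."""
    missing = [c for c in SECURITY_CRITERIA if c not in criteria]
    if missing:
        raise ValueError(f"criteria not scored: {missing}")
    out_of_range = {c: criteria[c] for c in SECURITY_CRITERIA if criteria[c] not in (1, 2, 3)}
    if out_of_range:
        raise ValueError(f"scores must be 1, 2 or 3: {out_of_range}")
    total = sum(criteria[c] for c in SECURITY_CRITERIA)
    ok = total >= SECURITY_THRESHOLD
    return {"total": total, "continued_approval": ok,
            "action": None if ok else "corrective action plan or replacement"}


# Constructed sample measurements for one year (not real availability data).
GITHUB_YEAR = {"Q1": 99.95, "Q2": 99.80, "Q3": 99.99, "Q4": 99.97}
AWS_YEAR = {"Q1": 99.99, "Q2": 99.99, "Q3": 99.99, "Q4": 99.99}


if __name__ == "__main__":
    for provider, year in (("GitHub", GITHUB_YEAR), ("AWS", AWS_YEAR)):
        t = track_quarters(provider, year)
        print(f"{provider}: breaches={t['breaches']} annual={t['annual_average']}% "
              f"criterion={t['availability_criterion']}")
    gh = track_quarters("GitHub", GITHUB_YEAR)
    annual = security_score({"Incident resolution": 3, "Contractual compliance": 2,
                             "Technical expertise": 3, "Security issues": 3,
                             "Service availability": gh["availability_criterion"]})
    print(f"GitHub annual security score: {annual['total']}/15 -> {annual}")
```

Note what the GitHub sample shows: one quarter below the SLA still leaves the annual average above 99.9%, so the criterion scores 3 even though a breach occurred. That is why step 3 documents breaches separately rather than relying on the yearly average alone.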

6. Management Review

The list of approved suppliers is reviewed and revalidated during each Management Review to ensure continued compliance and performance. This review includes:

  • Verifying that each supplier's type classification remains appropriate
  • Confirming that suppliers continue to meet the minimum required score for their category
  • Identifying any performance issues or non-conformities that occurred since the last review
  • Updating the approval status and setting the next review date to the following Management Review

Supplier non-conformities

If, at any given time, we detect a non-conformity related to the supplier's performance, the evaluation will be repeated, even if it does not correspond to the scheduled Management Review.

When appropriate, in case of non-compliance, the finding will be treated in accordance with the Procedure GP-006 Non-conformity. Corrective and preventive actions.

Orders and physical purchasing​

Not applicable

Due to the nature of our device, which is 100% software, all our suppliers are software and cloud service providers. As such, there is no physical product reception or traditional purchasing process.

We request access to a supplier's service or product through a contract or service agreement. For validation of the software products themselves, refer to GP-019 Software validation plan.

If in the future we need to purchase physical products or materials, this section will be updated to include the corresponding procedures for purchase orders, reception and verification of products.

Associated documents

Records

  • R-010-001 Suppliers evaluation - Contains the detailed evaluation scorecard for each supplier, including scores per criterion and approval decision
  • R-010-002 Approved suppliers list - JSON-based record with interactive year filtering. Contains all approved suppliers with their approval history per year, allowing historical tracking of approvals across Management Reviews

Record format

The approved suppliers list (R-010-002) uses a structured JSON format that enables:

  • Year filtering: View suppliers approved in any given year (2024, 2025, etc.)
  • Historical tracking: Each supplier maintains an approval history showing when they were approved and their next review date
  • Automatic statistics: Total suppliers, CIV/NIV counts, and criticality summary

This format ensures traceability of supplier approvals across multiple Management Review cycles.
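As an added example, not the QMS's own record or code, the following reads an approved suppliers list in the structured JSON shape described above (supplier code and name, service, type, criticality, and an approval history per year with approval date, next review and status), applies the year filter, derives the automatic statistics, and additionally flags suppliers whose next review date has passed without a new approval entry. The JSON field names and the three suppliers are this example's assumptions; the data is constructed, not the real record.

```python
"""Reading R-010-002 in the structured JSON shape described above (added example)."""
import json
from collections import Counter
from datetime import date

# Constructed sample record (hypothetical suppliers, not real supplier data).
SAMPLE_R_010_002 = """
{
  "suppliers": [
    {"code": "SUP-001", "name": "Example cloud provider", "service": "Cloud infrastructure",
     "type": "CIV", "criticality": "critical",
     "approvals": [
       {"year": 2024, "approval_date": "2024-03-15", "next_review": "2025-03-15", "status": "approved"},
       {"year": 2025, "approval_date": "2025-03-10", "next_review": "2026-03-10", "status": "approved"}]},
    {"code": "SUP-002", "name": "Example office suite", "service": "Email and collaboration",
     "type": "NIV", "criticality": "critical",
     "approvals": [
       {"year": 2024, "approval_date": "2024-03-15", "next_review": "2025-03-15", "status": "approved"}]},
    {"code": "SUP-003", "name": "Example UX consultancy", "service": "UX/UI design",
     "type": "NIS", "criticality": "non-critical",
     "approvals": [
       {"year": 2025, "approval_date": "2025-06-01", "next_review": "2026-06-01", "status": "approved"}]}
  ]
}
"""


def load_suppliers(record_json: str) -> list:
    """Parses the record and returns the list of supplier entries."""
    return json.loads(record_json)["suppliers"]


def approved_in_year(suppliers: list, year: int) -> list:
    """Year filter: suppliers that have an 'approved' history entry for that year."""
    return [s for s in suppliers
            if any(a["year"] == year and a["status"] == "approved" for a in s["approvals"])]


def statistics(suppliers: list, year: int) -> dict:
    """Automatic statistics for one year: total, counts per type, criticality summary."""
    selected = approved_in_year(suppliers, year)
    return {"year": year,
            "total": len(selected),
            "by_type": dict(Counter(s["type"] for s in selected)),
            "critical": sum(s["criticality"] == "critical" for s in selected),
            "non_critical": sum(s["criticality"] != "critical" for s in selected)}


def overdue_reviews(suppliers: list, today: date) -> list:
    """Codes of suppliers whose most recent next_review date is already past.

    GP-010 sets the next review at the following Management Review, so an
    entry still on the list past that date has not been revalidated.
    ISO-8601 date strings sort lexicographically, so max() picks the latest approval.
    """
    overdue = []
    for s in suppliers:
        latest = max(s["approvals"], key=lambda a: a["approval_date"])
        if date.fromisoformat(latest["next_review"]) < today:
            overdue.append(s["code"])
    return overdue


if __name__ == "__main__":
    suppliers = load_suppliers(SAMPLE_R_010_002)
    for year in (2024, 2025):
        codes = [s["code"] for s in approved_in_year(suppliers, year)]
        print(f"{year}: approved={codes} stats={statistics(suppliers, year)}")
    print("overdue on 2026-01-01:", overdue_reviews(suppliers, date(2026, 1, 1)))
```

The overdue check is the one the year filter alone does not give you: a supplier that was approved in 2024 and never re-entered in 2025 still appears under the 2024 filter, and only the comparison of its latest next review date against today reveals that it is being used past its revalidation date.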

Related procedures

  • GP-006 Non-conformity. Corrective and preventive actions
  • GP-019 Software validation plan

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Author: Team members involved
  • Reviewer: JD-003 Design & Development Manager, JD-004 Quality Manager & PRRC
  • Approver: JD-001 General Manager
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI Labs Group S.L.)