Skip to main content
QMSQMS
QMS
  • Welcome to your QMS
  • Quality Manual
  • Procedures
    • GP-001 Control of documents
    • GP-002 Quality planning
    • GP-003 Audits
    • GP-004 Vigilance system
    • GP-005 Human Resources and Training
    • GP-006 Non-conformity, Corrective and Preventive actions
    • GP-007 Post-market surveillance
    • GP-008 Product requirements
    • GP-009 Sales
    • GP-010 Purchases and suppliers evaluation
      • Templates
    • GP-011 Provision of service
    • GP-012 Design, Redesign and Development
    • GP-013 Risk management
    • GP-014 Feedback and complaints
    • GP-015 Clinical evaluation
    • GP-016 Traceability and identification
    • GP-017 Technical assistance service
    • GP-018 Infrastructure and facilities
    • GP-019 Software validation plan
    • GP-020 QMS Data analysis
    • GP-021 Communications
    • GP-022 Document translation
    • GP-023 Change control management
    • GP-024 Cybersecurity
    • GP-025 Corporate Governance
    • GP-050 Data Protection
    • GP-051 Security violations
    • GP-052 Data Privacy Impact Assessment (DPIA)
    • GP-100 Business Continuity (BCP) and Disaster Recovery plans (DRP)
    • GP-101 Information security
  • Records
  • TF_Legit.Health_Plus
  • Licenses and accreditations
  • External documentation
  • Procedures
  • Records
  • Procedures
  • GP-010 Purchases and suppliers evaluation

GP-010 Purchases and suppliers evaluation

Procedure flowchart​

Purpose​

To describe a systematic procedure in the purchasing process, as well as for the evaluation and reevaluation (periodical and planned) of suppliers.

Scope​

All the purchasing processes and suppliers whose performance may directly or indirectly affect the quality of the products we develope.

Responsibilities​

JD-001 General Manager (GM)​

  • To provide the organization and its members with the necessary resources to carry out their obligations in the most efficient way possible.
  • To validate the suppliers' evaluation.
  • Analyse and approve the need for a purchase.

JD-004 Quality Manager (QM)​

  • To manage possible nonconformities related to nonconforming product or a nonconformity in general.
  • To propose the evaluation of suppliers.
  • To analyze, document and propose new supplier companies.

JD-005 Technical Manager & Person Responsible for Regulatory Compliance (PRRC)​

  • To supervise the correct performance of the process in relation to the product and its final quality.
  • To review the supplier evaluation.

JD-003 Design & Development Manager​

  • To request and collect the necessary information to evaluate and re-evaluate suppliers.
  • To plan the purchases.

Inputs​

  • Need to purchase products or services.
  • Suppliers offers.

Outputs​

  • T-010-001 Supplier evaluation

Development​

Types of supplier​

To understand the classification of suppliers, there are two dimensions to consider:

  1. Whether the supplier has an impact on the quality of the device (its safety or its performance) and whether or not the risk of that impact is fully controlled
  2. Whether or not the supplier offers a commercial and standardised product

The proposed taxonomy categorizes suppliers into 6 distinct classes, as the following matrix shows:

No impact to qualityImpacts quality, but it's controlledImpacts quality and is not controlled
Commercial and fully standardisedNon-Impact Vendor (NIV)Controlled Impact Vendor (CIV)High-Risk Impact Vendor (HRIV)
Non-commercial nor fully standardisedNon-Impact Subcontractor (NIS)Controlled Impact Subcontractor (CIS)High-Risk Impact Subcontractor (HRIS)

This taxonomy is grounded in the principle of risk management, by differentiating suppliers based on their potential impact and the degree of risk control, we ensure compliance with regulatory requirements, and most importantly, uphold the safety and efficacy of their devices

Keep in mind

The classification of a supplier depends not only on what the supplier does but on what ways to mitigate the risk. For example, if we have two simultaneous suppliers so that one is a backup to the other, a supplier that might be one type would be another type. As you can see, this has nothing to do with the supplier itself. The same if we have signed a contract with one SLA or another: the same provider would be one type or another, depending on the SLA.

Suppliers evaluation​

Initially, for its approval as a supplier and on a periodic and planned basis (as it is reflected at the R-002-005 Quality calendar), the JD-004 performs an evaluation of the suppliers based on the capacity, performance, risk and experience of each of the suppliers. Said evaluation will be documented in the T-010-001 Suppliers evaluation based on the following criteria:

Supplier scorecard​

FacetMin scoreMax score
Quality of services02
QMS Certification02
ISMS Certification02
Affordable price02
Experience02
Technical capacity02
International reach02

Minimum required score​

Supplier typeRequired score
Non-Impact Vendor (NIV)≥6
Controlled Impact Vendor (CIV)≥8
Controlled Impact Subcontractor (CIS), Non-Impact Subcontractor (NIS)≥9
High-Risk Impact Vendor (HRIV) or Subcontractor (HRIS)Can't be approved

The evaluation will be proposed by the JD-004 and validated by the JD-001, by signing the record T-010-001 Suppliers evaluation.

This record consists of the list of current suppliers at the given time, showing wether the evaluation criteria is met.

Procedure​

Purchase documentation​

Who can communicate the need for a product?

Anyone is free to request a product or service that may have incidence in the quality of the finished product. The need must be communicated to the JD-001, who will study it.

The purchase process begins with the quote reception to the approved supplier.

Supplier selection​

We evaluate suppliers at the begining of the contracting process, and annually thereafter - or under duly justified necessity due to the incapacity of the supplier or due to a substantial change in its structure.

When we evaluate suppliers we are looking at:

  • Technical capacity to provide a product or service capable of meeting applicable requirements.
  • Performance as a supplier.
  • The effect of the component, material or service provided over the quality of our medical device and over our capability of meeting the applicable requirements.
  • The risk of our medical device and, therefore, its classification, as well as the applicable requirements.
Supplier non-conformities

If, at any given time, we detect a non-conformity related to the supplier's performance, the evaluation will be repeated, even if it does not correspond to those periodically planned.

When appropriate, in case of non-compliance, the finding will be treated in accordance with the Procedure GP-006 Non-conformity. Corrective and preventive actions.

There is one exception: if the JD-005 estimates that the non-conformity is not really related to the technical capacity of the supplier, the re-evaluation will not be required. Instead, we will carry out the appropiate actions following Procedure GP-006 Nonconformity. Corrective and preventive actions. This, however, must be justified in the T-006-001 Nonconformity report.

Record of suppliers​

The evaluation is carried out following the template T-010-001 Suppliers evaluation. The verification and record of approved suppliers is also recorded following the template T-010-001 Suppliers evaluation. The record shows wether the supplier meets the approval criteria.

Verification​

Verification of subcontractor​

We thoroughly evaluate suppliers classified as subcontractors before we start working with them. This initial evaluation is called verification.

During the verification, we may request the subcontractor any code previously developed or a list of success cases to assess their capacity. This request will be made by the JD-003.

Each subcontractor will be required to sign a collaboration agreement specifying their commitment to provide critical components or services for the manufacture and development of medical devices. This document will contain, at least:

  • Identifying details of the two companies.
  • Scope of the services or products.
  • The evidence of the supplier having a Quality Management System (QMS) based on ISO 13485; or an equivalent methodology that guarantees the compliance of the requirements. This methodology must be validated by us or even provided by us.
  • Our commitment to provide all the necessary documentation that guarantees the correct manufacture or service provision by the subcontractor company.
  • Commitment of the subcontractor to:
    • Deliver all the products or services in perfect conditions with respect to the purchase specifications.
    • Communicate immediately the non-conformities detected in the materials, processes, products or services described in the contract.
    • Be available to be audited by Authorities, Notified Bodies or us, announced or not.
    • Collaborate in everything required by the Authorities, Notified Bodies or us if non-conformities or incidents are detected.
    • If they have a certification, to send us a copy of their ISO 13485 certificate (or equivalent) validated by the company and the latest audit report.
    • Providing the specific documentation to allow us to demonstrate that the requirements have been met according to our needs (executable software, material data sheet, process map, copy of the general procedures and technical instructions applicable to the subcontracted process).
    • Send us a copy of the quality control record applied to the products or services.
    • Inform us and to require our written approval of any change that may modify the quality of the product or service.
    • To have and manage all the information that allows total traceability of the product and materials.
  • Contact details of the supplier and the members responsible in case of audits.

Finally, we request the AEMPS to incorporate this subcontractor in our previous operating license in accordance with the legal compliance requirements of the Procedure GP-008 Product requirements.

Verification of other suppliers​

Just like we verify subcontractors, we also verify other kind of suppliers.

We will carry out the verification proportionally to the risk analysis of the product or service.

It is the responsibility of the JD-003 to request and collect the necessary information for the execution of the aforementioned verification.

Purchase information​

Purchase order​

Due to the nature of our device, that is 100% software, all our suppliers so far are software and cloud service providers. As such, there is no reception, at least not like with phisical products.

We unequivocally request access to a supplier's service or product through a contract service.

Contract services contains at least the following information:

  • Sufficient product or service specification to guarantee the supplier's understanding
    • Our requirements
    • The supplier's product or service reference when applicable.
    • Service period
  • Requirements for the order acceptance, identifying procedures and equipment, if applicable.
    • Qualifications requirements of the supplier's personnel, if applicable.
    • Requirements of its QMS, when applicable.
  • Order quantity.
  • Planned delivery date or effective date of the agreement.

The supplier confirms its capacity to meet the specified requirements and commitments, by signing the contract service.

Reception and verification of the product or service​

Our device is 100% software. Thus, all our suppliers so far are software and cloud service providers. As such, there is no products reception for the manufacturing process, at least not like with phisical products.

Regarding services, we verify them at least annually, during the suppliers evaluation (according to the R-002-005 Quality Calendar). There are some services, like consultants, that are small projects performed in a short period of time. These services are verified when the project is finished to ensure they have been performed according to the established requirements and to pay the corresponding bill. The result of the verification is compiled during the suppliers evaluation activity (T-010-001 Suppliers evaluation).

Record of approved suppliers​

Our approved suppliers will be listed in the record following the template T-010-001 Supplier evaluation.

On-site audits not required

Because we carry out quality controls of finished products, and due to the classification of our device and the results of our risk analysis, we are not required to conduct on-site audits of our suppliers.

The approved suppliers will be required to provide a copy of the QMS certificate implemented in the company, if available, that we will archive within the supplier file as evidence of the evaluation and verification performed.

In the particular case of subcontractors, it will be recommended to have a QMS based on ISO 13485 or the required one based on the supplier activity, whether certified or not. If not, it will be required to have an equivalent methodology that guarantees the compliance of requirements.

Associated documents​

  • T-006-001 Non-conformity report
  • T-010-001 Suppliers evaluation
  • R-002-005 Quality Calendar
  • GP-006 Non-conformity. Corrective and preventive actions
  • GP-008 Product requirements

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Author: Team members involved
  • Reviewer: JD-003, JD-004
  • Approver: JD-001
Previous
Copypasters
Next
Templates
  • Procedure flowchart
  • Purpose
  • Scope
  • Responsibilities
    • JD-001 General Manager (GM)
    • JD-004 Quality Manager (QM)
    • JD-005 Technical Manager & Person Responsible for Regulatory Compliance (PRRC)
    • JD-003 Design & Development Manager
  • Inputs
  • Outputs
  • Development
    • Types of supplier
    • Suppliers evaluation
      • Supplier scorecard
      • Minimum required score
    • Procedure
      • Purchase documentation
      • Supplier selection
        • Record of suppliers
      • Verification
        • Verification of subcontractor
        • Verification of other suppliers
      • Purchase information
        • Purchase order
        • Reception and verification of the product or service
    • Record of approved suppliers
  • Associated documents
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI LABS GROUP S.L.)