
Supplier Audit Checklist for Medical Device Companies: ISO 13485, QMSR, Critical Suppliers, and Outsourced Processes

Comprehensive supplier audit checklist for medical device manufacturers — covering supplier risk classification, qualification, audit agenda, purchasing controls per ISO 13485 Clause 7.4 and FDA QMSR, quality agreements, outsourced sterilization/testing/software, CAPA follow-up, and evidence records.

Ran Chen
Global MedTech Expert | 10× MedTech Global Access
2026-04-30 · 14 min read

Why Supplier Audits Are a 2026 Regulatory Priority

FDA's Quality Management System Regulation (QMSR), effective February 2, 2026, incorporates ISO 13485:2016 by reference. A critical change: FDA inspectors can now review internal audit records and supplier audit records — areas previously off-limits under the former Quality System Regulation (QSR). This means your supplier audit documentation may be examined during your next FDA inspection.

ISO 13485 Clause 7.4 requires manufacturers to establish criteria for supplier selection, evaluation, monitoring, and re-evaluation based on the risk the purchased product poses to the medical device. The level of control must be proportionate to that risk.

This checklist provides a structured, audit-ready framework for supplier qualification, on-site auditing, ongoing monitoring, and evidence documentation. It is designed for medical device manufacturers preparing for both ISO 13485 certification and FDA QMSR compliance.

Supplier Risk Classification

Before auditing, classify each supplier to determine the appropriate level of oversight.

Risk Tier Classification Matrix

| Tier | Classification | Definition | Examples | Audit Frequency | Quality Agreement | On-Site Audit |
|---|---|---|---|---|---|---|
| A | Critical | Directly affects device safety and effectiveness | Contract sterilization, implant component manufacturers, contract manufacturers, critical software developers | Annual + for-cause | Required | Required |
| B | Major | Influences product quality but not directly patient safety | Raw material suppliers, packaging suppliers, non-critical component manufacturers | Biennial or annual | Recommended | Recommended |
| C | Minor | Minimal impact on product quality | Office supplies, non-critical consumables, general IT services | As needed | Not required | Not required |
| D | Indirect | No direct product impact | Facility maintenance, catering | Periodic review | Not required | Not required |

Risk Scoring for Classification

| Factor | High (3) | Medium (2) | Low (1) |
|---|---|---|---|
| Impact on device safety | Direct patient contact or life-supporting function | Affects device performance | Minimal or no effect |
| Complexity of supplied product/service | Custom-designed, requires validated process | Standard product with custom specifications | Off-the-shelf commodity |
| Regulatory sensitivity | Sterilization, biocompatibility testing, software in device | General testing, calibration services | Standard industrial services |
| Substitutability | Sole source, long qualification lead time | Limited alternatives available | Multiple equivalent sources |
| Supplier QMS maturity | No ISO 13485 or QMSR compliance history | ISO 9001 or partial medical device experience | ISO 13485 certified, proven track record |

Scoring: 13-15 = Tier A (Critical) | 9-12 = Tier B (Major) | 5-8 = Tier C (Minor) | <5 = Tier D (Indirect)
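The two matrices above, implemented as an added example that is not part of the original article: the five factor scores are validated, totalled (assumed here to be a plain sum, which is what the 13-15 ceiling implies), mapped to the page's tier bands, and joined to the controls the tier table attaches to each tier. Factor names, the sample supplier and the tuple layout are this example's own choices.

```python
# Factor names and score bands follow the page's risk scoring matrix (1-3 per factor).
FACTORS = ("impact_on_device_safety", "complexity_of_supplied_product",
           "regulatory_sensitivity", "substitutability", "supplier_qms_maturity")

# Controls per tier, from the page's risk tier classification matrix.
TIER_CONTROLS = {
    "A": ("Critical", "Annual + for-cause", "Required", "Required"),
    "B": ("Major", "Biennial or annual", "Recommended", "Recommended"),
    "C": ("Minor", "As needed", "Not required", "Not required"),
    "D": ("Indirect", "Periodic review", "Not required", "Not required"),
}
CONTROL_FIELDS = ("classification", "audit_frequency", "quality_agreement", "on_site_audit")

def score_supplier(scores: dict) -> int:
    """Sum the five factor scores; reject missing factors or values outside 1-3."""
    missing = [f for f in FACTORS if f not in scores]
    if missing:
        raise ValueError(f"missing factor scores: {missing}")
    for name in FACTORS:
        if scores[name] not in (1, 2, 3):
            raise ValueError(f"{name}: score {scores[name]!r} must be 1, 2 or 3")
    return sum(scores[name] for name in FACTORS)

def tier_for_score(total: int) -> str:
    """Map a total to the page's bands: 13-15 A, 9-12 B, 5-8 C, <5 D.

    With five factors each scored at least 1 the minimum total is 5, so the
    '<5' band cannot be produced by the matrix alone; a Tier D assignment
    therefore needs a documented rationale beyond the score.
    """
    if total >= 13:
        return "A"
    if total >= 9:
        return "B"
    return "C" if total >= 5 else "D"

def classify_supplier(scores: dict) -> dict:
    """Return total, tier, and the controls the tier table attaches to it."""
    total = score_supplier(scores)
    tier = tier_for_score(total)
    return {"total": total, "tier": tier, **dict(zip(CONTROL_FIELDS, TIER_CONTROLS[tier]))}

# Constructed sample: a sole-source contract sterilizer with no ISO 13485 history.
STERILIZER = {"impact_on_device_safety": 3, "complexity_of_supplied_product": 3,
              "regulatory_sensitivity": 3, "substitutability": 3, "supplier_qms_maturity": 3}

if __name__ == "__main__":
    print(classify_supplier(STERILIZER))  # tier A, annual + for-cause audit
```

Because the classification rationale must be documented per supplier under QMSR, keep the input score dictionary with the supplier file so the tier can be reproduced at inspection time.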

Supplier Qualification Checklist

Use this checklist during the initial evaluation of a new supplier.

Pre-Qualification Desktop Review

| # | Item | Reference | Evidence Required | Pass/Fail |
|---|---|---|---|---|
| 1 | ISO 13485:2016 certificate (or equivalent QMS certification) | ISO 13485 7.4.1 | Current certificate, scope covers supplied product, accredited CB | |
| 2 | FDA registration and device listing (if US supplier) | 21 CFR 807 | Registration confirmation | |
| 3 | Regulatory compliance history (warning letters, consent decrees, import alerts) | Risk assessment | FDA database search, EUDAMED vigilance check | |
| 4 | Financial stability assessment | Risk assessment | D&B report or equivalent | |
| 5 | Business continuity and disaster recovery plan | ISO 13485 7.4.1, risk management | Documented BCP | |
| 6 | Insurance and liability coverage | Risk assessment | Certificate of insurance | |
| 7 | Prior audit reports (if sub-tier audits available) | ISO 13485 7.4.1 | Third-party or customer audit results | |
| 8 | MDSAP certificate (if applicable) | MDSAP requirements | Current MDSAP certificate | |
| 9 | Material/product specifications review | ISO 13485 7.4.2 | Specifications match requirements | |
| 10 | Change notification agreement | ISO 13485 7.4.2 | Written agreement to notify of changes | |

Quality Agreement Requirements (Tier A and B Suppliers)

| # | Quality Agreement Clause | Content | Reference |
|---|---|---|---|
| 1 | Scope of agreement | Products/services covered; responsibility allocation | ISO 13485 7.4.2 |
| 2 | Specifications and acceptance criteria | Detailed product specifications, testing requirements | ISO 13485 7.4.2 |
| 3 | Change control | Notification requirements and timelines for product/process changes | ISO 13485 7.4.2, 7.3.9 |
| 4 | Right to audit | Customer's right to conduct on-site audits, with notice period | ISO 13485 7.4.1 |
| 5 | Record retention | Minimum retention period (minimum device lifetime + regulatory requirement) | ISO 13485 4.2.5 |
| 6 | Complaint and adverse event notification | Timeline for notifying customer of quality events | ISO 13485 8.2.2 |
| 7 | Corrective action responsibilities | CAPA process and escalation procedures | ISO 13485 8.5.2 |
| 8 | Traceability requirements | Lot/batch traceability, UDI compatibility | ISO 13485 7.5.9 |
| 9 | Sub-tier supplier control | Requirements for supplier's own supplier management | ISO 13485 7.4.1 |
| 10 | Intellectual property and confidentiality | IP protection, data handling | Contract law |
| 11 | Termination and transition provisions | Exit strategy, data return, transition support | ISO 13485 7.4.1 |
| 12 | Regulatory inspection support | Obligation to support FDA/NB inspections related to supplied product | QMSR, ISO 13485 |

On-Site Audit Agenda Checklist

Audit Preparation

| # | Preparation Item | Responsible | Completed |
|---|---|---|---|
| 1 | Confirm audit scope and objectives with supplier | Lead Auditor | |
| 2 | Send audit plan/agenda to supplier minimum 2 weeks before | Lead Auditor | |
| 3 | Review previous audit findings and CAPA status | Audit Team | |
| 4 | Review supplier's QMS documentation (quality manual, key SOPs) | Audit Team | |
| 5 | Prepare audit checklist customized to supplied product/service | Lead Auditor | |
| 6 | Confirm audit team composition (minimum 1 qualified lead auditor) | QA Manager | |
| 7 | Ensure auditor independence (no direct responsibility for the process being audited) | QA Manager | |

Day 1: Opening and Quality Management System

| Time | Agenda Item | Checklist Focus | ISO 13485 Reference | QMSR Reference |
|---|---|---|---|---|
| 09:00 | Opening meeting | Introductions, scope confirmation, facility tour request | | |
| 09:30 | Quality management system overview | Quality manual, quality policy, organizational structure, management responsibility | 4.1, 5.1-5.6 | §820.10 (incorporating ISO 13485 by reference) |
| 10:30 | Document control | Document approval, distribution, revision control, external document control | 4.2.3, 4.2.4 | §820.10 |
| 11:30 | Record control | Record creation, storage, retrieval, retention, protection | 4.2.5 | §820.10 |
| 13:00 | Risk management | ISO 14971 integration, risk assessment for supplied product, risk control verification | 7.1 | §820.10 |
| 14:00 | Design controls (if supplier performs design) | Design inputs, outputs, verification, validation, transfer, changes | 7.3 | §820.30 |
| 15:00 | Training and competence | Training records, competence assessment, awareness of regulatory requirements | 6.2 | §820.25 |
| 16:00 | Day 1 wrap-up | Summarize findings, identify Day 2 focus areas | | |

Day 2: Production, Purchasing, and Corrective Actions

| Time | Agenda Item | Checklist Focus | ISO 13485 Reference |
|---|---|---|---|
| 09:00 | Production process controls | Process validation (IQ/OQ/PQ), work instructions, environmental controls, equipment maintenance | 7.5.1, 7.5.2, 7.5.6 |
| 10:00 | Traceability | Material traceability, lot/batch tracking, UDI labeling (if applicable) | 7.5.9 |
| 10:45 | Purchasing controls (supplier's own suppliers) | Supplier evaluation, sub-tier control, incoming inspection | 7.4.1, 7.4.2, 7.4.3 |
| 11:30 | Verification of purchased product | Incoming inspection, CoA/CoC review, testing records | 7.4.3 |
| 13:00 | Nonconforming product | NCR process, segregation, disposition, rework validation | 8.3 |
| 13:45 | Complaint handling | Complaint intake, evaluation, MDR/vigilance reporting, trend analysis | 8.2.2 |
| 14:30 | CAPA system | Root cause analysis, corrective actions, effectiveness checks, preventive actions | 8.5.2, 8.5.3 |
| 15:15 | Internal audit program | Audit schedule, auditor qualification, findings, CAPA linkage | 8.2.4 |
| 16:00 | Closing meeting | Present findings, nonconformities, observations, agreed timelines | |

Specialized Audit Checklists by Supplier Type

Outsourced Sterilization Supplier

| # | Audit Item | Evidence to Review | Reference |
|---|---|---|---|
| 1 | Sterilization process validation (IQ/OQ/PQ) | Validation protocols and reports | ISO 11135 (EtO), ISO 11137 (radiation), ISO 17665 (steam) |
| 2 | Routine sterilization records | Process parameters, load configuration, cycle records | Applicable sterilization standard |
| 3 | Biological indicator or dosimeter management | BI lot release, dosimeter calibration | Applicable standard |
| 4 | Parametric release capability (if applicable) | Process parameters vs. product requirements | ISO 11137-1 |
| 5 | Environmental monitoring | Facility cleanliness, microbial monitoring | ISO 13485 6.4 |
| 6 | Product release procedures | Review and release criteria, quarantine procedures | ISO 13485 7.5.10 |
| 7 | Change control for sterilization process | Notification of parameter or equipment changes | Quality agreement |
| 8 | Radiation source qualification (gamma/e-beam) | Source calibration, dose mapping | ISO 11137-2 |

Contract Testing Laboratory

| # | Audit Item | Evidence to Review | Reference |
|---|---|---|---|
| 1 | ISO 17025 accreditation scope | Accreditation certificate, scope covers required test methods | ISO 17025 |
| 2 | Test method validation/verification | Validation protocols, accuracy, precision, specificity data | ISO 13485 7.5.2 |
| 3 | Equipment calibration and maintenance | Calibration certificates, maintenance logs | ISO 13485 7.6 |
| 4 | Reference standard management | Reference material certificates, storage conditions | ISO 17025 |
| 5 | Sample management and chain of custody | Sample receipt, identification, storage, disposal | ISO 17025 |
| 6 | Data integrity and electronic records | 21 CFR Part 11 compliance (if US market), audit trails | 21 CFR Part 11 |
| 7 | Proficiency testing results | Inter-laboratory comparison reports | ISO 17025 |
| 8 | Subcontracted testing control | Qualification of sub-contracted labs | ISO 17025, ISO 13485 7.4 |

Software Development Supplier (SaMD / Embedded Software)

| # | Audit Item | Evidence to Review | Reference |
|---|---|---|---|
| 1 | IEC 62304 compliance | Software lifecycle documentation, software safety classification | IEC 62304 |
| 2 | Software development planning | Software development plan, milestones, deliverables | IEC 62304 Clause 5 |
| 3 | Software requirements specification | SRS completeness, traceability to system requirements | IEC 62304 Clause 5.2 |
| 4 | Software architecture and design | Architecture documents, design descriptions, unit interfaces | IEC 62304 Clause 5.3 |
| 5 | SOUP (Software of Unknown Provenance) management | SOUP list, risk assessment, anomaly tracking | IEC 62304 Clause 7.1 |
| 6 | Verification and validation | Test plans, test results, code reviews, integration testing | IEC 62304 Clause 5.7, 5.8 |
| 7 | Configuration management | Version control, build records, release procedures | IEC 62304 Clause 8 |
| 8 | Problem resolution | Defect tracking, root cause analysis, resolution verification | IEC 62304 Clause 9 |
| 9 | Cybersecurity practices | Vulnerability management, SBOM, secure development lifecycle | IEC 81001-5-1, FDA cybersecurity guidance |
| 10 | AI/ML model management (if applicable) | Training data documentation, model validation, bias assessment | FDA AI/ML guidance, PCCP if applicable |

Post-Audit Actions and CAPA Follow-Up

Nonconformity Grading

| Grade | Definition | Response Timeline | Evidence Required |
|---|---|---|---|
| Major | Systemic failure or direct impact on device safety/effectiveness | 30 days: corrective action plan; 90 days: implementation evidence | Root cause analysis, corrective actions, effectiveness verification |
| Minor | Isolated noncompliance not directly impacting safety | 60 days: corrective action plan; 120 days: implementation evidence | Corrective action description, implementation evidence |
| Observation | Area for improvement, not a noncompliance | Next audit: status update | Improvement action description |

CAPA Follow-Up Template

| NC # | Description | Grade | Root Cause | Corrective Action | Due Date | Status | Effectiveness Check |
|---|---|---|---|---|---|---|---|
| NC-001 | No evidence of incoming inspection for Component X | Major | Procedure exists but not followed for this component | Retrain personnel; add incoming inspection checkpoint in ERP | YYYY-MM-DD | Open | Verify at next audit |
| NC-002 | Calibration overdue for test equipment #42 | Minor | Missed calibration schedule due to personnel change | Calibrate immediately; update calibration schedule owner | YYYY-MM-DD | Closed | Confirmed calibrated |

Ongoing Monitoring Checklist

| # | Monitoring Activity | Frequency | Responsible | Evidence |
|---|---|---|---|---|
| 1 | Review supplier quality scorecard (on-time delivery, reject rate, CAPA closure rate) | Quarterly | Supplier Quality | Scorecard report |
| 2 | Review CoA/CoC for incoming lots | Per receipt | Quality Control | Incoming inspection records |
| 3 | Monitor regulatory actions against supplier (FDA WL, import alerts) | Monthly | Regulatory Affairs | Search results log |
| 4 | Review supplier's ISO 13485 surveillance/re-certification results | Per supplier's audit cycle | Supplier Quality | Audit reports |
| 5 | Track open CAPAs from supplier audits | Monthly | Supplier Quality | CAPA log |
| 6 | Evaluate supplier performance at management review | Annually | QA Manager | Management review minutes |
| 7 | Re-assess supplier risk tier based on performance data | Annually | Supplier Quality | Updated risk assessment |
| 8 | Review and update quality agreement | Annually or upon change | Regulatory Affairs / Supplier Quality | Signed updated agreement |

FDA QMSR-Specific Considerations

Under QMSR (effective February 2, 2026), several changes affect supplier audit programs:

| Change | Impact on Supplier Audit Program | Action Required |
|---|---|---|
| ISO 13485 incorporated by reference | Supplier controls must now align with ISO 13485 Clause 7.4 terminology and structure | Map existing QSR procedures to ISO 13485; update terminology |
| FDA can review supplier audit records | All supplier audit reports and CAPA records are now inspectable | Ensure documentation is complete, organized, and accessible |
| Risk-based approach formalized | Level of supplier control must be documented and proportionate to risk | Document risk classification rationale for every supplier |
| Management review must address supplier performance | Supplier quality data feeds into management review | Add supplier performance to management review agenda |
| CAPA now aligned with ISO 13485 | Corrective and preventive actions separated; effectiveness checks required | Update CAPA procedures; verify supplier CAPA effectiveness |

Key Takeaways

  • Classify every supplier into risk tiers (A through D) using documented criteria — the classification drives audit frequency, quality agreement requirements, and verification intensity
  • Under FDA QMSR, supplier audit records are now inspectable — treat every audit as if the FDA will read it
  • Customize on-site audit checklists by supplier type: sterilization, testing, and software suppliers each require specialized focus areas
  • Quality agreements for Tier A critical suppliers must cover scope, specifications, change control, right to audit, complaint notification, traceability, and regulatory inspection support
  • Close the loop: every audit finding requires documented root cause analysis, corrective action, and effectiveness verification tracked to completion
  • Monitor supplier performance continuously through scorecards, not just during periodic audits — quarterly reviews catch problems before they become nonconformities
  • Update risk classifications annually based on performance data, regulatory actions, and business changes — a supplier's tier can change over time