
Supplier Quality Management for Medical Devices: Audits, Qualification, and Controls

The complete guide to supplier quality management in the medical device industry — FDA requirements, ISO 13485 clause 7.4, supplier qualification, audit programs, supplier agreements, risk-based controls, and MDSAP expectations.

Ran Chen
2026-03-27 · 72 min read

Why Supplier Quality Matters in Medical Devices

Medical device manufacturers rarely make everything in-house. The modern medical device supply chain involves dozens — sometimes hundreds — of suppliers providing raw materials, components, subassemblies, software, sterilization services, packaging, calibration, testing, and specialized manufacturing processes. A typical Class III implantable device might rely on 50 or more suppliers. A diagnostic instrument could involve suppliers across three continents.

This reliance on external suppliers creates a fundamental quality and regulatory challenge: your device is only as good as what goes into it, and you are responsible for what your suppliers provide. The FDA, Notified Bodies, and every major regulatory authority in the world hold the device manufacturer — not the supplier — accountable for the safety and performance of the finished device. Outsourcing a process or purchasing a component does not outsource responsibility.

The data is unambiguous. Supply chain failures are a major driver of medical device recalls, field corrective actions, and patient harm:

  • Component and material defects account for a significant portion of FDA Class I and Class II recalls. Contaminated raw materials, out-of-specification components, and undisclosed material changes have led to device failures in the field.
  • Undeclared supplier changes — a supplier modifies a manufacturing process, changes a sub-tier material source, or moves production to a new facility without notifying the device manufacturer — are a persistent root cause of device nonconformances discovered only after devices reach patients.
  • Counterfeit or substandard materials entering the medical device supply chain have been documented, particularly for electronic components and specialty metals.
  • FDA warning letters and 483 observations frequently cite inadequate purchasing controls. In a review of FDA warning letters to device manufacturers, failure to adequately evaluate suppliers and failure to establish adequate requirements for purchased products and services are among the most recurring findings.

The core principle: In regulatory terms, "you cannot inspect quality into a product" — and you certainly cannot inspect quality into your supply chain after the fact. Supplier quality management must be proactive, systematic, and risk-based.

The consequences of inadequate supplier controls are severe: product recalls, regulatory enforcement actions (warning letters, import alerts, consent decrees), liability exposure, patient harm, and destruction of market reputation. For companies operating in the EU under MDR, Notified Body audit findings related to supplier control can delay or block CE marking, with direct revenue impact.

Regulatory Basis for Supplier Controls

FDA 21 CFR 820.50 — Purchasing Controls

Under the legacy Quality System Regulation (QSR), Section 820.50 established the FDA's requirements for purchasing controls. Although the QMSR (effective February 2, 2026) now incorporates ISO 13485:2016 by reference as the baseline, understanding the FDA's historical expectations under 820.50 remains critical because FDA investigators have decades of enforcement history and interpretive guidance rooted in these provisions.

The original 21 CFR 820.50 required:

  • Procedures to ensure that all purchased or otherwise received products and services conform to specified requirements.
  • Evaluation of suppliers, contractors, and consultants — the manufacturer must evaluate and select potential suppliers based on their ability to meet specified requirements, including quality requirements. The evaluation must be documented.
  • Approved Supplier List (ASL) — a list of approved suppliers must be established, maintained, and controlled.
  • Requirements communicated to suppliers — specified requirements, including quality requirements, must be established and included in purchasing documents. Purchasing documents must include, where possible, an agreement that suppliers will notify the manufacturer of changes in product or service.
  • Records of acceptable suppliers — maintained as part of the Design History File (DHF) and Device Master Record (DMR) where applicable.

QMSR Transition

With the QMSR in effect, the FDA has adopted ISO 13485:2016 as the quality system standard, with FDA-specific supplements. For purchasing controls, this means ISO 13485 clause 7.4 is now the operative requirement in the United States. However, the FDA's supplemental requirements and the interpretive history of 820.50 continue to inform inspector expectations. Companies should not assume that satisfying the letter of ISO 13485 clause 7.4 alone will satisfy an FDA investigator who brings 30 years of 820.50 enforcement context to the audit.

Practical implication of the QMSR: If your QMS was already built to ISO 13485:2016 and you had robust purchasing controls, the transition should be largely administrative. If your system relied on the specific language of old 820.50 without aligning to ISO 13485, you need to map your existing procedures to clause 7.4 and close any gaps — particularly around the purchasing process, verification of purchased product, and supplier evaluation criteria.

ISO 13485:2016 Clause 7.4 — Purchasing

Clause 7.4 is the heart of supplier quality management under ISO 13485. It consists of three subclauses:

7.4.1 — Purchasing Process

The organization shall establish documented procedures to ensure that purchased product conforms to specified purchasing information. The organization shall:

  • Establish criteria for the evaluation, selection, monitoring, and re-evaluation of suppliers
  • Plan the monitoring and re-evaluation activities based on supplier evaluation results and risk associated with the product
  • Maintain records of evaluation results, monitoring, and re-evaluation, and any actions arising from these activities

7.4.2 — Purchasing Information

Purchasing information shall describe the product to be purchased, including where appropriate:

  • Product specifications, including requirements for acceptance, procedures, processes, and equipment
  • Requirements for qualification of supplier personnel
  • Quality management system requirements
  • The identification and revision status of applicable specifications, drawings, process requirements, inspection/verification instructions, and other relevant technical data
  • Requirements for design, test, inspection, verification, use of statistical techniques, and related instructions for acceptance
  • Requirements for notification of changes to the product or process by the supplier

7.4.3 — Verification of Purchased Product

The organization shall establish and implement the inspection or other activities necessary to ensure that purchased product meets specified purchasing requirements. The extent of verification activities shall be based on supplier evaluation results and risk associated with the product.

When the organization or its customer intends to perform verification at the supplier's premises, the organization shall state the intended verification arrangements and the method of product release in the purchasing information.

Records of verification shall be maintained.

EU MDR Supplier and Subcontractor Requirements

The EU Medical Device Regulation (2017/745) addresses supplier and subcontractor controls across multiple articles and annexes:

  • Article 10(9) requires manufacturers to have a quality management system that includes procedures for management of suppliers and subcontractors, including supply chain management and verification of adequacy of purchased products.
  • Annex IX, Section 2.2 (QMS assessment) requires the Notified Body to audit the manufacturer's management of suppliers and subcontractors, including verification of purchased products and processes.
  • Annex IX, Section 4.4 explicitly requires the QMS to cover "management of all resources, including selection and control of suppliers and sub-contractors."

The EU MDR also introduces economic operator obligations that affect the supply chain. Importers, distributors, and authorized representatives all have specific obligations regarding product verification and traceability that may flow through supplier agreements.

Notified Bodies under the EU MDR are particularly thorough in auditing supplier controls. The expectation is that the manufacturer's QMS includes documented evidence of supplier qualification, ongoing monitoring, and effective control of outsourced processes — especially for critical components, sterilization services, and any process that affects device safety or performance.

Notified Body unannounced audits at supplier sites: Under the EU MDR, Notified Bodies have the authority to conduct unannounced audits — not only at the manufacturer's premises, but also at the premises of critical suppliers and subcontractors. MDR Article 46 and Annex IX, Section 3.4 provide the basis for unannounced audits, and Notified Bodies increasingly interpret their mandate as extending to the manufacturer's supply chain where suppliers perform processes critical to device safety and performance (e.g., sterilization, critical component manufacturing, contract assembly). Manufacturers must ensure that their quality agreements with critical suppliers explicitly grant the right of access for Notified Body audits — including unannounced audits. If a supplier refuses Notified Body access, the manufacturer faces a compliance gap that can jeopardize CE marking. In practice, include a clause in every critical supplier quality agreement stating that the supplier agrees to permit audits by the manufacturer, the manufacturer's Notified Body, and competent authorities, with or without advance notice, as required by applicable EU regulations.

EU IVDR Supplier and Subcontractor Requirements

The In Vitro Diagnostic Regulation (EU 2017/746) — the IVDR — imposes supplier control obligations on IVD manufacturers that mirror those of the MDR. Specifically, Article 10(8)(d) of the IVDR requires IVD manufacturers to establish, document, implement, maintain, keep up to date, and continuously improve a quality management system that addresses, among other elements, the management of suppliers and subcontractors.

The parallel structure is intentional. The IVDR was developed alongside the MDR, and the European legislature applied the same principles of manufacturer accountability for the supply chain. Key IVDR supplier control provisions include:

  • Article 10(8)(d) — The QMS must cover "management of resources, including selection and control of suppliers and subcontractors."
  • Annex IX, Section 2.2 — The Notified Body's QMS assessment for IVD manufacturers includes evaluation of the manufacturer's management of suppliers and subcontractors, verification of purchased products, and adequacy of supplier controls.
  • Annex IX, Section 4 — Technical documentation requirements for IVD devices include information on the supply chain and outsourced processes, paralleling the MDR's Annex II.

For companies manufacturing both medical devices and IVDs, the practical implication is that a single, harmonized supplier quality management system can serve both regulatory frameworks. The supplier qualification, monitoring, quality agreement, and audit requirements are substantively the same. However, IVD manufacturers should be aware of IVDR-specific requirements for performance evaluation studies, common specifications, and companion diagnostics that may introduce additional supplier control obligations — for example, when a supplier provides reference materials, calibrators, or control materials that directly affect the analytical performance of the IVD device.

Practical note for IVD manufacturers: Do not assume that because your device is an IVD rather than a therapeutic device, supplier controls can be less rigorous. The IVDR applies the same level of scrutiny, and Notified Bodies auditing under the IVDR assess supplier management with the same rigor as under the MDR. Erroneous or unreliable IVD results caused by supplier-related failures — contaminated reagents, out-of-specification raw materials, or uncontrolled process changes at a supplier — can lead to misdiagnosis and inappropriate treatment, with direct patient safety consequences.

The Supplier Lifecycle

Effective supplier quality management follows a defined lifecycle. Each phase has specific activities, documentation requirements, and decision gates.

Phase 1: Supplier Identification and Selection

Before any formal qualification begins, you need to identify potential suppliers capable of meeting your technical, quality, regulatory, and commercial requirements.

Selection criteria should include:

| Criterion | Considerations |
|---|---|
| Technical capability | Can the supplier manufacture the product or deliver the service to your specifications? Do they have the necessary equipment, processes, and technical expertise? |
| Quality system maturity | Does the supplier have a certified QMS (ISO 13485, ISO 9001, AS9100, etc.)? What is their quality culture? |
| Regulatory standing | Has the supplier been subject to regulatory enforcement actions? Are they registered with the FDA (if applicable)? Any open warning letters or import alerts? |
| Financial stability | Is the supplier financially viable for the term of the expected relationship? A supplier bankruptcy mid-production can be catastrophic. |
| Capacity and scalability | Can the supplier meet your current volume requirements and scale as needed? |
| Supply chain risk | Geographic location (natural disaster exposure, geopolitical risk), single-source dependencies, material availability |
| Regulatory compliance history | FDA inspection history (searchable via FDA's Inspection Classification Database), recall history, adverse event reports |
| Intellectual property protection | Are there adequate protections for proprietary designs, specifications, and confidential information? |
| Communication and responsiveness | Will the supplier be responsive to quality issues, change notifications, and audit requests? |

Practical tip: Maintain a standard supplier evaluation questionnaire that covers all selection criteria. Many organizations use a weighted scoring system where each criterion receives a score and the composite determines whether the supplier advances to the qualification phase.

Phase 2: Supplier Qualification

Qualification is the process of generating objective evidence that a supplier can consistently meet your specified requirements. This is not a one-time check — it is a rigorous evaluation that may include multiple activities depending on the criticality of the product or service.

Qualification methods include:

| Method | Description | When to Use |
|---|---|---|
| Supplier questionnaire / self-assessment | Structured questionnaire covering quality system, capabilities, certifications, and regulatory status | Initial screening for all suppliers; sufficient for low-risk commodity suppliers |
| Desktop audit (document review) | Review of supplier's quality manual, procedures, certifications, inspection reports, test data, and process validations | Medium-risk suppliers; supplement to questionnaire |
| On-site audit | Physical audit of supplier's facility — processes, equipment, quality system, production controls, personnel competency | Critical suppliers, high-risk products, outsourced processes |
| Remote audit (virtual) | Video-enabled audit of supplier's facility and records using secure video conferencing | When on-site audit is impractical; supplemental to desktop audit; post-COVID this has become more accepted by regulators for surveillance (not typically for initial qualification of critical suppliers) |
| Product qualification testing | Testing of sample products from the supplier against your specifications — dimensional, material, performance, biocompatibility, sterility, etc. | All suppliers providing product used in or on the device |
| Process validation review | Review of the supplier's process validation records (IQ, OQ, PQ) for processes that affect product quality | Suppliers performing special processes (welding, sterilization, coating, molding, etc.) |
| First article inspection (FAI) | Comprehensive inspection and testing of the first production run from a new supplier or after a significant change | New suppliers, new products, post-change verification |
| Reference checks | Contacting other customers of the supplier to assess performance history | Supplemental — useful for new supplier relationships |

Documentation of qualification:

  • Supplier evaluation form with scored criteria
  • Audit report (if audit was performed)
  • Questionnaire responses and supporting documentation (certificates, quality manual, etc.)
  • Product qualification test results
  • First article inspection report
  • Decision record — approval, conditional approval, or rejection with rationale
  • Assignment of supplier criticality classification (see Risk-Based Approach section)

Phase 3: Supplier Approval and the Approved Supplier List

Once a supplier passes qualification, they are added to the Approved Supplier List (ASL). The ASL is a controlled document — a regulatory requirement under both the FDA and ISO 13485.

The ASL should include, at minimum:

  • Supplier name and location(s)
  • Products or services the supplier is approved for
  • Scope of approval (which part numbers, specifications, or processes)
  • Approval date and next re-evaluation date
  • Supplier criticality classification (critical, major, minor)
  • Current approval status (approved, conditionally approved, on probation, disqualified)
  • Quality agreement reference
  • Certification status (ISO 13485, ISO 9001, etc.)

ASL management rules:

  • No purchases from suppliers not on the ASL for controlled products and services
  • Changes to the ASL require defined approval authority
  • The ASL must be accessible to purchasing personnel before purchase orders are issued
  • Conditional approvals must have defined conditions, timelines, and responsible parties
  • The ASL must be reviewed periodically as part of the supplier re-evaluation process
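To make the ASL rules above concrete, here is an added Python example (not from the guide or any named company) that gates a purchase order against a constructed ASL and lists suppliers due for re-evaluation. The entry fields follow the guide's minimum ASL content, the "quality agreement required for critical and major suppliers" rule follows the control matrix in the Risk-Based Approach section, and the sample suppliers, the part numbers and the "probation raises a warning" rule are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Status(Enum):
    APPROVED = "approved"
    CONDITIONAL = "conditionally approved"
    PROBATION = "on probation"
    DISQUALIFIED = "disqualified"


class Criticality(Enum):
    CRITICAL = "critical"
    MAJOR = "major"
    MINOR = "minor"


@dataclass(frozen=True)
class AslEntry:
    """One row of the Approved Supplier List (fields per the guide's minimum ASL content)."""
    supplier: str
    location: str
    criticality: Criticality
    status: Status
    approved_parts: frozenset          # scope of approval: part numbers or process IDs
    approval_date: date
    next_reevaluation: date
    quality_agreement: Optional[str]   # SQA reference, or None if no agreement on file
    conditions: Optional[str] = None   # must be filled in when status is CONDITIONAL


def check_purchase(asl: dict, supplier: str, part_number: str, today: date) -> dict:
    """Gate a purchase order against the ASL.

    Returns {"allowed": bool, "blocking": [...], "warnings": [...]}.  Blocking rules
    follow the guide's ASL management rules and control matrix; treating probation
    as a warning (allowed, but with tightened inspection) is an assumed local policy.
    """
    blocking, warnings = [], []
    entry = asl.get(supplier)
    if entry is None:  # rule: no purchases from suppliers not on the ASL
        return {"allowed": False,
                "blocking": [f"{supplier} is not on the ASL"], "warnings": []}

    if entry.status is Status.DISQUALIFIED:
        blocking.append("supplier is disqualified")
    if part_number not in entry.approved_parts:  # scope of approval
        blocking.append(f"{part_number} is outside the approved scope")
    if entry.next_reevaluation < today:  # periodic re-evaluation missed
        blocking.append(f"re-evaluation overdue since {entry.next_reevaluation}")
    # Control matrix: quality agreement required for critical and major suppliers.
    if entry.criticality in (Criticality.CRITICAL, Criticality.MAJOR) \
            and not entry.quality_agreement:
        blocking.append("no quality agreement on file for a "
                        f"{entry.criticality.value} supplier")
    # Conditional approvals must carry defined conditions.
    if entry.status is Status.CONDITIONAL:
        if not entry.conditions:
            blocking.append("conditional approval has no documented conditions")
        else:
            warnings.append(f"conditional approval: {entry.conditions}")
    if entry.status is Status.PROBATION:
        warnings.append("supplier on probation: apply tightened incoming inspection")

    return {"allowed": not blocking, "blocking": blocking, "warnings": warnings}


def due_for_reevaluation(asl: dict, today: date, horizon_days: int = 90) -> list:
    """Suppliers whose re-evaluation is overdue or due within the horizon, soonest first."""
    cutoff = today + timedelta(days=horizon_days)
    due = [e for e in asl.values()
           if e.status is not Status.DISQUALIFIED and e.next_reevaluation <= cutoff]
    return sorted(due, key=lambda e: e.next_reevaluation)


# Constructed sample ASL (fictional suppliers, parts and dates).
TODAY = date(2026, 4, 1)
SAMPLE_ASL = {e.supplier: e for e in [
    AslEntry("Alpha Machining", "Plant A", Criticality.CRITICAL, Status.APPROVED,
             frozenset({"IMP-100", "IMP-101"}), date(2025, 6, 1), date(2026, 6, 1), "SQA-0012"),
    AslEntry("Beta Labels", "Plant B", Criticality.MAJOR, Status.CONDITIONAL,
             frozenset({"LBL-7"}), date(2026, 1, 15), date(2026, 4, 15), "SQA-0031",
             conditions="100% inspection until 3 consecutive clean lots"),
    AslEntry("Gamma Sterilization", "Plant C", Criticality.CRITICAL, Status.APPROVED,
             frozenset({"EO-STERIL"}), date(2024, 3, 1), date(2025, 3, 1), None),
    AslEntry("Delta Supplies", "Plant D", Criticality.MINOR, Status.DISQUALIFIED,
             frozenset({"PAPER-A4"}), date(2023, 1, 1), date(2026, 1, 1), None),
]}

if __name__ == "__main__":
    for name, part in [("Alpha Machining", "IMP-100"), ("Gamma Sterilization", "EO-STERIL"),
                       ("Unknown Co", "X")]:
        print(name, part, check_purchase(SAMPLE_ASL, name, part, TODAY))
    print("due:", [e.supplier for e in due_for_reevaluation(SAMPLE_ASL, TODAY)])
```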

Phase 4: Ongoing Monitoring and Re-evaluation

Qualification is not a one-time event. ISO 13485:2016 explicitly requires ongoing monitoring and periodic re-evaluation of suppliers. The frequency and depth of monitoring and re-evaluation should be based on supplier criticality and performance.

Monitoring activities:

| Activity | Frequency | Applies To |
|---|---|---|
| Incoming inspection results tracking | Every receipt | All product suppliers |
| Supplier nonconformance tracking | Continuous | All suppliers |
| On-time delivery tracking | Monthly/quarterly | All product suppliers |
| SCAR response and effectiveness review | Per event | Suppliers with nonconformances |
| Supplier scorecard review | Quarterly or semi-annually | Critical and major suppliers |
| Periodic surveillance audit | Annually or per risk-based schedule | Critical suppliers |
| Certificate and registration verification | Annually | All certified/registered suppliers |
| Regulatory status check (FDA warning letters, recalls) | Quarterly or semi-annually | Suppliers of critical components |
| Management review input | Annually (minimum) | Aggregate supplier performance data |

Re-evaluation criteria:

The re-evaluation should assess whether the supplier continues to meet the original approval criteria. Consider:

  • Quality performance trends (incoming rejection rate, SCAR frequency and effectiveness)
  • Delivery performance trends
  • Responsiveness to quality issues and change notifications
  • Changes in the supplier's quality system, certifications, or regulatory status
  • Changes in the supplier's ownership, location, or key personnel
  • Any field issues or recalls traceable to the supplier's product or service

Key takeaway: Document the re-evaluation results and the decision — continue approval, place on probation, increase monitoring, or disqualify. The record must show that the decision was based on objective evidence, not convenience.

Phase 5: Supplier Decommissioning and Disqualification

When a supplier no longer meets your requirements — or when you transition to an alternative source — the disqualification and decommissioning process must be controlled.

Disqualification triggers:

  • Repeated quality failures that the supplier cannot or will not correct
  • Failure to respond to SCARs or implement effective corrective actions
  • Loss of critical certifications (ISO 13485 decertification, FDA warning letter, etc.)
  • Discovery of fraud, data integrity violations, or counterfeit materials
  • Financial insolvency or business closure
  • Strategic decision to change suppliers

Decommissioning steps:

  1. Document the disqualification decision and rationale
  2. Update the ASL to reflect disqualified status
  3. Notify internal stakeholders (purchasing, production, engineering, quality)
  4. Assess impact on current inventory and in-process devices (disposition of remaining supplier material)
  5. Ensure alternative source is qualified before cutting over
  6. Retain all supplier records per your record retention policy
  7. If the disqualification involves product already in the field, assess the need for field actions or customer notifications

Risk-Based Approach to Supplier Controls

Not all suppliers require the same level of control. A supplier providing custom-machined titanium implant components demands far more oversight than a supplier providing office paper. ISO 13485:2016 explicitly requires that supplier controls be commensurate with the risk associated with the product or service.

Supplier Criticality Classification

A common and effective approach is to classify suppliers into tiers based on the risk their product or service poses to device safety, performance, and regulatory compliance.

| Classification | Criteria | Examples | Typical Controls |
|---|---|---|---|
| Critical | Product or service directly affects device safety, performance, or regulatory compliance. Failure could result in patient harm. | Raw materials (biocompatible metals, polymers), sterile packaging, sterilization services, critical components (sensors, electrodes, circuits), outsourced manufacturing, software development | On-site qualification audit, quality agreement, incoming inspection (100% or AQL-based), periodic surveillance audits, supplier scorecard, SCAR process, change notification requirement |
| Major | Product or service affects device quality or regulatory compliance, but failure is unlikely to directly cause patient harm | Non-critical components, calibration services, secondary packaging, labeling, testing laboratories, contract design services | Desktop audit or questionnaire-based qualification, quality agreement, incoming inspection (sampling), periodic re-evaluation, SCAR process |
| Minor | Product or service has minimal impact on device quality. Commodity items with widely available alternatives | Office supplies, standard hardware (non-device-contact), janitorial services, general IT services | Questionnaire or certificate review, purchase specification, receipt verification |

Factors that determine classification:

  • Does the product or service contact the patient or user?
  • Does it affect the safety or performance of the finished device?
  • Is it a special process (sterilization, welding, coating, plating) that cannot be fully verified by subsequent inspection?
  • Is it subject to regulatory requirements (biocompatibility, electrical safety, software validation)?
  • Is the supplier a single source with no qualified alternative?
  • What is the historical quality performance of this supplier or product category?

Important: The classification should be documented and reviewed periodically. A supplier's classification can change — a previously minor supplier becomes critical if their component is redesigned to be patient-contacting, or if they become a single source.

Risk-Based Control Matrix

Organizations should maintain a control matrix that maps supplier classification to specific control activities:

| Control Activity | Critical Supplier | Major Supplier | Minor Supplier |
|---|---|---|---|
| Initial on-site audit | Required | Case-by-case | Not required |
| Supplier questionnaire | Required | Required | Required |
| Quality agreement (SQA) | Required | Required | Not required (PO terms may suffice) |
| Incoming inspection | 100% or AQL sampling (tightened) | AQL sampling (normal) | Receipt verification / CoC review |
| Surveillance audits | Annual or biennial | Every 2-3 years or as triggered | Not required |
| Supplier scorecard | Quarterly | Semi-annually | Not required |
| Change notification requirement | Mandatory (contractual) | Mandatory (contractual) | Not required |
| SCAR process | Full SCAR with root cause, CAPA, effectiveness check | SCAR or simplified corrective action request | Return/replace |
| Management review reporting | Individual supplier performance | Aggregated performance data | Not reported individually |

Supplier Audits

Supplier auditing is one of the most important — and most resource-intensive — elements of supplier quality management. Done well, audits provide direct evidence of a supplier's capability and compliance. Done poorly, they become a check-the-box exercise that creates a false sense of security.

Types of Supplier Audits

| Audit Type | Description | Advantages | Limitations |
|---|---|---|---|
| On-site audit | Auditor(s) physically visit the supplier's facility to observe processes, review records, interview personnel, and inspect the production environment | Gold standard — direct observation of actual conditions; ability to see what is not documented; can observe shop floor culture | Costly (travel, auditor time); scheduling challenges; only a snapshot in time |
| Remote/virtual audit | Auditor conducts the audit via secure video link — the supplier uses a camera to show facility, processes, and records in real time | Reduced cost; no travel; faster scheduling; can cover geographically distant suppliers | Cannot freely explore the facility; dependent on what the supplier shows; technology limitations; not accepted by all regulators for initial qualification of critical suppliers |
| Desktop audit | Review of supplier-provided documentation — quality manual, procedures, certificates, test reports, validation records | Low cost; no travel; good for medium-risk assessment | No direct observation; relies entirely on documentation the supplier provides; limited ability to verify that actual practice matches documented procedures |
| Questionnaire-based assessment | Structured self-assessment questionnaire completed by the supplier, with supporting evidence | Lowest cost; scalable to large supplier bases; good for initial screening | Self-reported data; no independent verification; suppliers may present an optimistic picture |
| Third-party audit (use of certification) | Reliance on the supplier's ISO 13485, ISO 9001, or other certification from an accredited registrar | No auditor resource required; performed by qualified professionals | Generic — does not assess the supplier's capability for your specific product; a certificate does not guarantee the supplier can meet your specifications |

Audit Planning

Effective audit programs are planned, not reactive. The annual audit schedule should be driven by:

  • Supplier criticality classification — critical suppliers audited more frequently
  • Supplier performance history — poor performers audited more frequently
  • Time since last audit — no supplier should go beyond the maximum interval for their classification
  • Triggers — new supplier qualification, significant nonconformance, SCAR escalation, change notification, customer complaint traceable to supplier, regulatory finding
  • Resource availability — balance audit frequency against available qualified auditors

Audit preparation checklist:

  1. Define audit scope and objectives
  2. Assign qualified auditor(s) — auditors should be trained, independent of the supplier relationship, and knowledgeable about the product/process being audited
  3. Review previous audit results, CAPAs, SCARs, incoming inspection data, and nonconformance history
  4. Review applicable specifications, quality agreement, and purchase requirements
  5. Prepare audit checklist tailored to the supplier's scope (not a generic checklist)
  6. Communicate audit agenda and logistics to the supplier
  7. Confirm audit date and attendees

Audit Execution

During the audit:

  • Opening meeting — state the audit scope, objectives, schedule, and ground rules
  • Document review — quality manual, procedures, records related to your product
  • Process observation — walk the production floor; observe the process as it operates; look for deviations from documented procedures
  • Record sampling — batch records, inspection records, calibration records, training records, nonconformance records, CAPA records
  • Personnel interviews — operators, quality personnel, management; verify that personnel understand their procedures and quality responsibilities
  • Traceability exercise — select a lot of product shipped to you and trace it through the supplier's system: raw material receipt, in-process records, final inspection, shipping
  • Closing meeting — summarize findings, classify observations (critical, major, minor), agree on timelines for corrective actions

Audit Reporting and Follow-Up

The audit report is a controlled record and should include:

  • Audit date, location, scope, and objectives
  • Auditor(s) identification and qualifications
  • Supplier personnel interviewed
  • Summary of findings — classified by severity
  • Observations with objective evidence
  • Corrective action requirements and timelines
  • Overall audit conclusion (satisfactory, conditionally satisfactory, unsatisfactory)
  • Recommendation for supplier approval status

Finding classification:

| Severity | Definition | Expected Response |
|---|---|---|
| Critical | A finding that indicates a systemic failure that could directly affect product safety or regulatory compliance | Immediate containment; root cause analysis and CAPA within 30 days; may require shipment hold or supplier disqualification |
| Major | A finding that indicates a significant deficiency in the quality system or a failure to meet specified requirements | Root cause analysis and CAPA within 60 days; effectiveness verification required |
| Minor | A finding that indicates a minor deviation or opportunity for improvement | Corrective action within 90 days; may be addressed at next audit |
| Observation/OFI | An area where the supplier's practice, while compliant, could be improved | No formal corrective action required; noted for future reference |

Follow-up is non-negotiable. Every finding requires a documented response from the supplier, review by the auditing organization, and verification that corrective actions were implemented and effective. Unresolved critical or major findings should trigger escalation — up to and including supplier disqualification.

Supplier Quality Agreements

A Supplier Quality Agreement (SQA) — sometimes called a Quality Technical Agreement or Supply Quality Agreement — is a binding document that defines the quality expectations, responsibilities, and obligations between the device manufacturer and the supplier. It goes beyond standard purchase order terms and conditions to address quality-specific requirements.

When Is an SQA Required?

An SQA should be in place for every critical and major supplier. For minor suppliers, standard purchase order terms may be sufficient. However, any supplier performing an outsourced process that affects product conformity should have an SQA, regardless of classification.

Key Clauses in a Supplier Quality Agreement

Clause | Content
Scope | Products, services, and processes covered by the agreement
Applicable standards and regulations | ISO 13485, 21 CFR 820, EU MDR, and any product-specific standards the supplier must comply with
Product specifications | Reference to drawings, specifications, material requirements, and acceptance criteria; how specifications are controlled and communicated
Change notification | Requirement for the supplier to notify the manufacturer of ANY change to product, process, materials, sub-suppliers, equipment, facility, or personnel that could affect product quality — with defined notification lead time (typically 60-180 days before implementation)
Change approval | Which changes require the manufacturer's written approval before implementation (versus notification only)
Quality system requirements | Minimum QMS requirements (certification, documented procedures, calibration, training, etc.)
Right to audit | Manufacturer's right to audit the supplier's facility, records, and processes — including the right for regulatory authorities (FDA, Notified Bodies) to access the supplier's premises
Incoming inspection and acceptance | How product will be inspected/verified upon receipt; acceptance criteria; certificate of conformance (CoC) and certificate of analysis (CoA) requirements
Nonconformance management | Process for reporting, investigating, and dispositioning nonconforming product; supplier's obligation to participate in investigations
Corrective actions (SCAR) | Supplier's obligation to respond to SCARs within defined timelines; root cause analysis requirements; effectiveness verification
Traceability | Lot/batch traceability requirements; record retention periods (typically matching the device manufacturer's retention requirements — often the lifetime of the device plus regulatory minimums)
Record retention | Minimum record retention periods; supplier's obligation to maintain and provide records upon request
Confidentiality | Protection of proprietary information, specifications, and business data
Regulatory access | Agreement that the supplier will permit regulatory authority inspections (FDA, Notified Body, competent authorities) and cooperate with investigations
Sub-tier supplier control | Supplier's obligation to flow down quality requirements to their own suppliers and to notify the manufacturer of sub-tier supplier changes
Product identification and labeling | Requirements for lot marking, labeling, shipping documentation, and CoC/CoA
Handling of nonconforming material | Whether the supplier may ship nonconforming product with a concession/deviation, and the approval process required
Escalation and dispute resolution | Process for escalating quality issues; contacts and responsibilities at each level
Term and termination | Duration of the agreement; conditions for termination; post-termination obligations (last-buy provisions, record retention, transition support)

Best practice: The SQA should be a living document reviewed at least every two to three years, or whenever there is a significant change in the product, process, regulations, or business relationship. Do not let SQAs collect dust — an outdated SQA is worse than no SQA because it creates a false sense of documented control.

Incoming Inspection and Acceptance Activities

Incoming inspection is the verification activity performed when purchased product is received. It is the manufacturer's last checkpoint before supplier material enters production.

Designing an Incoming Inspection Program

The rigor of incoming inspection should be risk-based:

Supplier Classification | Incoming Inspection Approach
Critical supplier — new or unproven | 100% inspection or tightened AQL sampling until performance is established
Critical supplier — proven performance | AQL-based sampling (normal level); may use skip-lot after sustained acceptable performance
Major supplier | AQL sampling (normal level); CoC/CoA review
Minor supplier | Receipt verification (correct product, quantity, no visible damage); CoC review if applicable

AQL (Acceptable Quality Limit) sampling per ISO 2859-1 (ANSI/ASQ Z1.4) is the industry-standard approach for determining sample sizes and accept/reject decisions. The AQL level should be defined in the purchase specification and quality agreement.

What to inspect depends on the product:

  • Raw materials: Material certification review (CoA), material identification testing (positive material identification, FTIR, etc.), dimensional verification
  • Components: Dimensional inspection, visual inspection, functional testing, material verification
  • Subassemblies: Functional testing, dimensional verification, workmanship inspection, electrical testing
  • Sterile packaging materials: Seal integrity, material properties, particulate testing, bioburden (if applicable)
  • Labels and labeling: Content verification against approved artwork, print quality, adhesion testing

Reduced and Tightened Inspection

Switching rules (per ISO 2859-1) allow you to move between normal, tightened, and reduced inspection based on supplier performance:

  • Tightened inspection: Triggered when two of five consecutive lots are rejected. Increases sample size and reduces the number of allowable defects. Applied to suppliers whose quality is deteriorating.
  • Reduced inspection: Allowed after sustained acceptable quality (typically 10 consecutive lots accepted under normal inspection). Decreases sample size. Applied to proven, high-performing suppliers.
  • Discontinue inspection: In some quality systems, inspection can be eliminated for proven, stable suppliers — but only if the risk assessment supports it, the supplier has a robust quality system, and the decision is documented and periodically reviewed.

Caution: Elimination of incoming inspection for a supplier should be the exception, not the rule. Even high-performing suppliers can experience process drift, material changes, or personnel turnover that affect quality. Maintaining at least a minimal sampling plan with periodic tightening provides a safety net.
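The switching rules above, as an added Python example that is not part of this guide: a small state machine replays a supplier's lot accept/reject history and reports the inspection level in force after each lot. The normal-to-tightened and normal-to-reduced rules come from the text; the tightened-to-normal rule (5 consecutive accepted lots), the reduced-to-normal rule (any rejected lot) and the suspension rule (5 lots not accepted while on tightened) are taken from ISO 2859-1 and are assumptions beyond what the guide states, and the `reduced_authorized` flag stands in for the documented risk-assessment decision the guide requires before reducing inspection.

```python
"""Acceptance-sampling switching rules (ISO 2859-1 style) as a state machine."""
from collections import deque
from dataclasses import dataclass, field
from enum import Enum
from typing import Deque, List, Tuple


class Level(Enum):
    NORMAL = "normal"
    TIGHTENED = "tightened"
    REDUCED = "reduced"
    # Sampling suspended because the supplier kept failing on tightened inspection.
    # Distinct from the guide's risk-based elimination of inspection for proven suppliers.
    SUSPENDED = "suspended"


@dataclass
class SwitchingState:
    """Tracks one supplier/part combination through the switching rules.

    From the guide: normal -> tightened when 2 of 5 consecutive lots are rejected;
    normal -> reduced after 10 consecutive accepted lots, only if authorised.
    Assumed from ISO 2859-1 (not stated in the guide): tightened -> normal after
    5 consecutive accepted lots; reduced -> normal on any rejected lot;
    tightened -> suspended once 5 lots have been rejected while on tightened.
    """
    reduced_authorized: bool = False          # documented risk-assessment decision
    level: Level = Level.NORMAL
    window: Deque[bool] = field(default_factory=lambda: deque(maxlen=5))
    consecutive_accepted: int = 0
    tightened_rejections: int = 0
    lots_seen: int = 0
    # (lot number, old level, new level) for the audit trail
    transitions: List[Tuple[int, Level, Level]] = field(default_factory=list)

    def _switch(self, new_level: Level) -> None:
        """Move to a new inspection level and reset the per-level counters."""
        self.transitions.append((self.lots_seen, self.level, new_level))
        self.level = new_level
        self.window.clear()
        self.consecutive_accepted = 0
        self.tightened_rejections = 0

    def record_lot(self, accepted: bool) -> Level:
        """Apply one lot's accept/reject decision; return the level for the NEXT lot."""
        if self.level is Level.SUSPENDED:
            raise RuntimeError("sampling suspended; supplier corrective action required")
        self.lots_seen += 1
        self.window.append(accepted)
        self.consecutive_accepted = self.consecutive_accepted + 1 if accepted else 0

        if self.level is Level.NORMAL:
            # "2 of 5 or fewer consecutive lots rejected" -> tightened
            if self.window.count(False) >= 2:
                self._switch(Level.TIGHTENED)
            elif self.consecutive_accepted >= 10 and self.reduced_authorized:
                self._switch(Level.REDUCED)
        elif self.level is Level.TIGHTENED:
            if not accepted:
                self.tightened_rejections += 1
            if self.tightened_rejections >= 5:
                self._switch(Level.SUSPENDED)
            elif self.consecutive_accepted >= 5:
                self._switch(Level.NORMAL)
        elif self.level is Level.REDUCED:
            if not accepted:
                self._switch(Level.NORMAL)
        return self.level

    def reinstate(self) -> Level:
        """Resume sampling (on tightened) after the supplier has demonstrated improvement."""
        if self.level is not Level.SUSPENDED:
            raise RuntimeError("only a suspended plan can be reinstated")
        self._switch(Level.TIGHTENED)
        return self.level


def run_sequence(outcomes: str, reduced_authorized: bool = True) -> List[str]:
    """Replay a constructed lot history ('A' accepted, 'R' rejected) and return the
    inspection level in force after each lot."""
    state = SwitchingState(reduced_authorized=reduced_authorized)
    return [state.record_lot(ch == "A").value for ch in outcomes]


if __name__ == "__main__":
    # Constructed history: two rejections in five lots, recovery, a clean run, then a slip.
    history = "AARAR" + "AAAAA" + "A" * 10 + "R"
    for lot, level in enumerate(run_sequence(history), start=1):
        print(f"lot {lot:2d} {history[lot - 1]} -> next lot inspected at {level}")
```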

Certificate of Conformance and Certificate of Analysis

Certificate of Conformance (CoC): A document in which the supplier certifies that the product shipped conforms to specified requirements. The CoC typically references the part number, revision, lot/batch number, quantity, and applicable specifications.

Certificate of Analysis (CoA): A document that includes actual test results — not just a conformance statement. A CoA shows the specific test performed, the specification limit, and the actual measured value for each test. CoAs are typically required for raw materials, chemicals, and products where material properties are critical.

Critical distinction: A CoC tells you the supplier says the product conforms. A CoA shows you the data. For critical materials, always require a CoA. Relying solely on a CoC for a critical material is a common audit finding.

Supplier Nonconformance Management and SCAR

When purchased product or a supplier's service fails to meet specified requirements, the nonconformance must be documented, investigated, and resolved through a structured process.

The SCAR Process

A Supplier Corrective Action Request (SCAR) is the formal mechanism for communicating quality problems to a supplier and requiring root cause analysis and corrective action.

SCAR process steps:

  1. Identification and documentation — The nonconformance is detected (incoming inspection failure, production-line failure, customer complaint traceable to a supplier component, audit finding) and documented in the nonconformance management system.

  2. Immediate containment — Quarantine suspect material. Assess whether nonconforming material has already entered production or been shipped in finished devices. If so, initiate an impact assessment.

  3. SCAR issuance — Formal SCAR issued to the supplier with:

    • Description of the nonconformance with objective evidence (photos, measurements, test results)
    • Affected lot/batch numbers and quantities
    • Reference to the specification or requirement that was not met
    • Request for root cause analysis, corrective action plan, and timeline
  4. Supplier investigation and response — The supplier performs root cause analysis (using appropriate tools: 5 Whys, fishbone diagram, fault tree analysis, 8D) and proposes corrective and preventive actions.

  5. Review and approval — The manufacturer reviews the supplier's response for adequacy. Is the root cause credible? Do the corrective actions address the root cause? Are preventive actions included to prevent recurrence?

  6. Implementation — The supplier implements the approved corrective actions.

  7. Effectiveness verification — The manufacturer verifies that corrective actions were effective. This may involve monitoring subsequent incoming inspection results, conducting a follow-up audit, or reviewing the supplier's evidence of implementation.

  8. Closure — SCAR is closed when corrective actions are verified effective. If corrective actions are ineffective, the SCAR is reopened or a new SCAR is issued.

SCAR escalation triggers:

  • Supplier fails to respond within the defined timeline
  • Root cause analysis is superficial or not credible
  • Corrective actions are ineffective (repeat nonconformance)
  • Supplier refuses to cooperate
  • Nonconformance involves a safety-critical characteristic

Escalation actions may include: increased incoming inspection, supplier probation, management-to-management escalation, sourcing qualification of an alternative supplier, or disqualification.

Supplier Performance Metrics and Scorecards

What gets measured gets managed. A supplier scorecard provides a structured, data-driven assessment of supplier performance that supports objective re-evaluation decisions and identifies suppliers that need improvement or replacement.

Core Metrics

Metric | Definition | Calculation | Target (Example)
Lot acceptance rate | Percentage of incoming lots accepted without nonconformance | (Accepted lots / Total lots received) x 100 | > 98%
PPM defect rate | Parts per million defective | (Defective units / Total units received) x 1,000,000 | < 500 PPM (varies by product)
On-time delivery rate | Percentage of deliveries received on or before the committed date | (On-time deliveries / Total deliveries) x 100 | > 95%
SCAR response timeliness | Percentage of SCARs where the supplier responds within the required timeline | (On-time SCAR responses / Total SCARs issued) x 100 | 100%
SCAR effectiveness rate | Percentage of SCARs where corrective actions effectively prevented recurrence | (Effective SCARs / Total closed SCARs) x 100 | > 90%
Change notification compliance | Percentage of changes where the supplier provided advance notification per the SQA | (Compliant notifications / Total changes identified) x 100 | 100%
CoC/CoA accuracy | Percentage of CoCs/CoAs received that are complete and accurate | (Accurate CoCs/CoAs / Total received) x 100 | > 99%
Audit score | Composite audit score from the most recent supplier audit | Per audit scoring methodology | No critical findings; no repeat major findings

Scorecard Structure

A practical scorecard weights the metrics based on their importance:

Category | Weight | Metrics
Quality | 50% | Lot acceptance rate, PPM defect rate, SCAR effectiveness, CoC/CoA accuracy
Delivery | 25% | On-time delivery rate
Responsiveness | 15% | SCAR response timeliness, change notification compliance, communication quality
Compliance | 10% | Audit score, certification status, regulatory standing

Scoring and action thresholds:

Overall Score | Rating | Action
90-100 | Preferred | Eligible for reduced inspection, long-term agreements, new business
75-89 | Approved | Standard controls; monitor for improvement opportunities
60-74 | Probationary | Increased monitoring; improvement plan required; tightened inspection
Below 60 | At risk | Formal improvement plan with defined milestones; begin qualifying an alternative supplier; consider disqualification

Do not over-engineer scorecards. A scorecard with 25 metrics that nobody reviews is worse than a scorecard with 5 metrics that drive action. Focus on metrics that are meaningful, measurable, and actionable. Review scorecards with suppliers at defined intervals — the scorecard should be a tool for improvement, not just a report card.

Managing Outsourced Processes Under ISO 13485

ISO 13485:2016 clause 4.1.5 requires that when an organization chooses to outsource any process that affects product conformity to requirements, it shall ensure control over such processes. The type and extent of control shall be defined within the quality management system.

Outsourced processes are distinct from purchased products. An outsourced process is a process that the organization needs for its QMS but chooses to have performed by an external party. Common examples in medical devices include:

  • Sterilization — ethylene oxide, gamma irradiation, e-beam
  • Special processes — welding, brazing, coating, plating, heat treatment, surface finishing
  • Testing — biocompatibility testing, electrical safety testing, EMC testing, environmental testing
  • Software development — embedded firmware, SaMD development, verification and validation
  • Contract manufacturing — component fabrication, assembly, packaging
  • Design and development activities — contracted engineering, industrial design
  • Calibration — instrument and equipment calibration
  • Labeling and packaging — printing, label production, kitting

Control Requirements for Outsourced Processes

The level of control required depends on the risk associated with the outsourced process and the capability of the external party. At a minimum:

  1. Define the process requirements — specifications, procedures, acceptance criteria, and any applicable standards
  2. Qualify the external party — using the same supplier qualification process described earlier, with emphasis on process capability and quality system adequacy
  3. Include the outsourced process in your quality agreement — with specific process requirements, change control, and right-to-audit provisions
  4. Verify the output — through incoming inspection, review of process records, or verification at the external party's premises
  5. Monitor the process — through ongoing performance data, audits, and process revalidation when changes occur
  6. Maintain responsibility — your QMS documentation must address the outsourced process. Procedures, risk assessments, and design controls must encompass the outsourced process as if it were performed in-house. In an audit, you must be able to demonstrate that you understand and control the outsourced process.

Common audit finding: Manufacturers treat outsourced processes as if they are simply purchased products — they issue a purchase order and accept whatever comes back. This is a fundamental misunderstanding of ISO 13485. Outsourcing a process does not outsource responsibility. If sterilization is your outsourced process, your QMS must address sterilization validation, routine monitoring, parametric release criteria, and change control — even though the sterilization is physically performed at another facility.

MDSAP Expectations for Purchasing and Supplier Controls

The Medical Device Single Audit Program (MDSAP) audits supplier controls under the Purchasing process, which is one of the core processes in the MDSAP audit model. MDSAP auditors use a structured companion document that maps ISO 13485 requirements to the country-specific requirements of all five participating regulatory authorities (FDA, Health Canada, TGA, ANVISA, MHLW/PMDA).

What MDSAP Auditors Look For

MDSAP auditing of purchasing controls focuses on the following areas:

MDSAP Focus Area | What the Auditor Verifies
Purchasing process | Documented procedures for supplier evaluation, selection, monitoring, and re-evaluation are established and implemented
Supplier evaluation criteria | Criteria are defined and include ability to meet quality requirements; a risk-based approach is applied
Approved Supplier List | ASL exists, is current, and includes all active suppliers of products and services affecting device quality
Purchasing information | Purchase orders and specifications include adequate product descriptions, quality requirements, and change notification requirements
Verification of purchased product | Incoming inspection or verification activities are defined and performed; extent is risk-based
Supplier monitoring | Ongoing monitoring data (incoming inspection trends, SCAR data, delivery performance) is collected and analyzed
Supplier re-evaluation | Re-evaluations are performed at planned intervals; results are documented; actions are taken when performance is inadequate
Outsourced processes | Controls over outsourced processes are defined, implemented, and effective
Records | All required records (evaluations, monitoring data, re-evaluations, purchasing documents, incoming inspection) are maintained

Country-Specific Additions

Each MDSAP participating country has specific expectations layered on top of ISO 13485:

  • FDA (US): Expects documented purchasing controls consistent with historical 820.50 expectations. Special attention to whether the manufacturer has adequate procedures to ensure purchased product conforms to requirements, and whether supplier evaluations are performed and documented.
  • Health Canada: Expects compliance with SOR/98-282 (Medical Devices Regulations), which requires that medical devices be manufactured in accordance with a quality system that addresses purchasing controls. Health Canada also expects evidence that the manufacturer controls imports and has procedures for handling non-conforming purchased product.
  • ANVISA (Brazil): Expects compliance with RDC 665/2022, which aligns with ISO 13485 but includes Brazilian-specific requirements for registration, labeling, and post-market activities that may affect supplier requirements.
  • TGA (Australia): Expects compliance with the Therapeutic Goods (Medical Devices) Regulations 2002 and alignment with ISO 13485.
  • MHLW/PMDA (Japan): Expects compliance with QMS Ministerial Ordinance No. 169, which closely follows ISO 13485 but adds Japan-specific requirements for quality management system documentation and regulatory reporting.

MDSAP Grading

MDSAP uses a standardized nonconformity grading system. For purchasing-related findings:

  • Grade 1 (Minor): An isolated lapse in the purchasing process that does not systematically affect product quality (e.g., one purchase order missing a specification revision, one supplier re-evaluation slightly overdue).
  • Grade 2 (Minor, systemic): A systemic issue in the purchasing process that has not yet resulted in nonconforming product but indicates a control weakness (e.g., multiple purchase orders missing change notification clauses, re-evaluations consistently overdue).
  • Grade 3 (Major): A failure in the purchasing process that has resulted or could result in nonconforming product (e.g., purchasing from a non-approved supplier, failure to perform incoming inspection on a critical component, no supplier evaluation records for a critical supplier).
  • Grade 4 (Major, systemic): A systemic failure in purchasing controls that has resulted in nonconforming product or a situation that could lead to patient harm (e.g., no supplier evaluation process at all, no incoming inspection program, complete absence of supplier monitoring).
  • Grade 5 (Critical): A purchasing control failure that has directly resulted in product reaching the market that poses a risk to patient safety.

Grade 3 and above findings require CAPA and can affect the MDSAP certificate.

Common FDA 483 Observations Related to Supplier and Purchasing Controls

Understanding the most frequent FDA findings related to supplier controls helps you focus your compliance efforts where they matter most. The following observations appear repeatedly in FDA Form 483s and warning letters:

1. Failure to establish procedures to ensure purchased product conforms to specified requirements. This is the foundational finding. If you do not have a documented procedure governing how you evaluate suppliers and verify purchased product, the FDA will cite it.

2. Failure to evaluate and select suppliers based on their ability to meet specified requirements. Specifically: no documented evidence that suppliers were evaluated before being approved. This includes situations where the manufacturer uses a supplier simply because they have always used them, without any formal evaluation.

3. Failure to establish an approved supplier list. Either no ASL exists, or the ASL is incomplete (missing suppliers of controlled products or services), out of date, or not used by purchasing to verify suppliers before issuing purchase orders.

4. Failure to include quality requirements in purchasing documents. Purchase orders that reference only a part number and quantity, without referencing the applicable drawing revision, specification, quality requirements, or change notification provisions.

5. Failure to establish requirements for notification of changes by the supplier. The manufacturer has no mechanism — contractual or otherwise — to require suppliers to notify them before making changes to products, processes, or materials.

6. Failure to perform incoming inspection or verification of purchased product. Product is received and placed into stock or production without any verification that it meets specifications. This is particularly serious for critical components and materials.

7. Failure to monitor and re-evaluate suppliers. Suppliers were initially qualified but never re-evaluated. No ongoing monitoring data (incoming inspection trends, nonconformance data) is collected or reviewed. Supplier qualification is treated as a one-time event.

8. Failure to adequately control outsourced processes. The manufacturer outsources a critical process (sterilization, testing, manufacturing) but does not treat it as an extension of their quality system. No quality agreement, no right-to-audit, no verification of the outsourced process output.

Prevention strategy: Conduct an annual internal audit of your purchasing controls specifically focused on these eight areas. If you find and fix these issues before the FDA does, you avoid the 483 observation and the regulatory consequences that follow.

Supply Chain Risk Management

Effective supplier quality management must extend beyond quality and compliance to encompass broader supply chain risks that can disrupt your ability to manufacture and deliver safe, effective devices.

Single-Source Risk

A single-source supplier — one for which no qualified alternative exists — represents a significant business and patient-safety risk. If that supplier experiences a quality failure, production disruption, natural disaster, or financial collapse, your production stops.

Mitigation strategies:

  • Dual-sourcing: Qualify at least two suppliers for all critical components and materials. This requires investment in qualification but provides resilience.
  • Safety stock: Maintain buffer inventory of single-source critical components to provide time to qualify an alternative if the primary source fails.
  • Long-term supply agreements: Contractual commitments that provide supply assurance and capacity reservation.
  • Continuous monitoring: Actively monitor single-source suppliers for early warning signs — financial instability, quality trends, capacity constraints, regulatory problems.
  • Last-buy provisions: Include contractual provisions that require the supplier to provide advance notice of product discontinuation and offer a final purchase opportunity.

Material Shortages and Disruptions

The medical device industry has experienced significant supply chain disruptions in recent years — semiconductor shortages, resin supply constraints, specialty metal availability, and logistics disruptions. These events have exposed the vulnerability of lean supply chains that optimize for cost and efficiency at the expense of resilience.

Proactive measures:

  • Map your supply chain beyond Tier 1 (your direct suppliers) to understand Tier 2 and Tier 3 dependencies
  • Identify materials and components with constrained global supply
  • Maintain strategic inventory buffers for critical, long-lead-time items
  • Diversify geographic sourcing to avoid concentration in a single region
  • Include force majeure and allocation provisions in supplier agreements
  • Participate in industry consortia and information-sharing networks that provide early warning of material shortages

Geopolitical and Regulatory Risk

Global supply chains expose medical device manufacturers to geopolitical risks: trade restrictions, tariffs, sanctions, export controls, and political instability in supplier countries. Regulatory changes in supplier countries can also affect the supply chain — for example, new environmental regulations that constrain the production of a critical chemical or material.

Key considerations:

  • Assess country risk for each supplier location
  • Monitor trade policy developments that could affect imported materials or components
  • Ensure compliance with export controls and sanctions (particularly relevant for suppliers in or shipping through sanctioned jurisdictions)
  • Diversify supply chain geography where feasible
  • Include compliance representations in supplier agreements

Sub-Tier Supplier Visibility

Most medical device manufacturers have limited visibility beyond their direct (Tier 1) suppliers. A Tier 1 supplier of machined components may source raw material from a Tier 2 supplier, who sources from a Tier 3 mining or refining operation. A change or disruption at any tier can affect the finished device.

Building visibility:

  • Require Tier 1 suppliers to disclose critical sub-tier sources as part of the quality agreement
  • Include flow-down requirements in SQAs: your quality and change notification requirements must flow from your Tier 1 supplier to their suppliers
  • Conduct periodic assessments of sub-tier supplier risks for critical material categories
  • Consider direct qualification of critical Tier 2 suppliers for high-risk material categories (e.g., biocompatible raw materials)

Best Practices and Practical Implementation Tips

Building a Supplier Quality Program From Scratch

If you are establishing a supplier quality program for the first time — or overhauling an inadequate one — here is a pragmatic sequence:

  1. Inventory your suppliers. Create a complete list of every supplier of products and services that affect device quality. Include raw materials, components, contract manufacturers, testing labs, calibration services, sterilization providers, and outsourced process providers. Many organizations are surprised by the number of suppliers they actually use when they conduct this exercise.

  2. Classify by risk. Apply the criticality classification described in this guide. Focus your immediate attention on critical and major suppliers.

  3. Assess current state. For each critical supplier, determine what qualification evidence you currently have. Identify gaps.

  4. Prioritize. You cannot audit, qualify, and implement quality agreements for all suppliers simultaneously. Prioritize based on risk: start with critical suppliers that have no qualification evidence, then move to major suppliers, then address gaps in monitoring and re-evaluation.

  5. Draft your procedures. Write (or revise) your purchasing control, supplier qualification, incoming inspection, SCAR, and supplier monitoring procedures. Ensure they align with ISO 13485 clause 7.4 and the QMSR.

  6. Implement quality agreements. Negotiate and execute SQAs with all critical and major suppliers. This takes time — plan for a 6-12 month implementation for a large supplier base.

  7. Establish your incoming inspection program. Define inspection plans, AQL levels, and acceptance criteria for each purchased product.

  8. Launch supplier scorecards. Start collecting data from Day 1, even if the scorecard is simple. You need a baseline to measure improvement.

  9. Schedule audits. Build an annual audit plan based on supplier classification and risk.

  10. Report to management. Include supplier quality data in your management review — it is a required input under ISO 13485.

Common Pitfalls to Avoid

Pitfall | Why It Is a Problem | Solution
Treating supplier qualification as a one-time event | Supplier quality degrades over time; personnel, processes, and materials change | Implement systematic monitoring and periodic re-evaluation
Relying solely on supplier certifications (ISO 13485 certificate) | A certificate means the supplier has a quality system — it does not mean they can make YOUR product to YOUR specification | Supplement certification review with product qualification testing and, for critical suppliers, on-site audits
Using generic audit checklists | Generic checklists miss product-specific and process-specific risks | Tailor checklists to the specific product, process, and risk profile of each supplier
Ignoring sub-tier suppliers | Changes at the Tier 2 or Tier 3 level can affect your product | Require flow-down of change notification and quality requirements; gain visibility into critical sub-tier sources
Failing to act on supplier performance data | Collecting data without analysis and action is waste | Define action thresholds in your scorecard; require corrective action when thresholds are breached
Undocumented purchasing decisions | "We've always used them" is not a qualification rationale | Document every supplier evaluation, selection, and approval decision with objective evidence
Allowing purchasing to override quality | Cost and delivery pressures lead to purchases from unqualified or probationary suppliers | Enforce ASL controls; require quality approval for any exception; track and report exceptions
Neglecting quality agreements | Without an SQA, you have no contractual basis for change notification, right to audit, or corrective action requirements | Prioritize SQA execution for all critical and major suppliers

Tools and Technology

While this guide focuses on the quality system and regulatory requirements — not specific software — modern supplier quality management is increasingly supported by technology:

  • eQMS platforms (electronic quality management systems) with supplier management modules that automate supplier qualification workflows, SCAR tracking, incoming inspection, and scorecard generation
  • Supplier portals that allow suppliers to submit documentation, respond to SCARs, and receive change notifications electronically
  • Risk management tools that integrate supplier risk data with product risk management per ISO 14971
  • Supply chain mapping and monitoring services that provide visibility into multi-tier supply chains and real-time risk alerts

Technology is an enabler, not a substitute for a well-designed quality system. A poorly designed process automated by software is still a poorly designed process.

eQMS Platform Capabilities for Supplier Management

Modern eQMS platforms offer integrated supplier management modules that go well beyond basic document storage. When evaluating an eQMS for supplier quality management, look for the following capabilities:

Capability | Description | Value
Supplier qualification workflow | Configurable workflows for supplier evaluation, qualification, and approval — including automated routing for questionnaires, document review, and approval signatures | Reduces cycle time and ensures a consistent qualification process
Approved Supplier List management | Centralized, controlled ASL with status tracking, scope of approval, expiration dates, and automatic alerts for re-evaluation due dates | Prevents purchasing from unapproved suppliers; provides real-time ASL visibility
SCAR management | End-to-end SCAR workflow: issuance, supplier response capture, root cause review, corrective action tracking, effectiveness verification, and closure | Ensures no SCAR falls through the cracks; tracks response timeliness
Incoming inspection | Configurable inspection plans, sampling rules (AQL-based), data capture, accept/reject decisions, and automatic disposition routing | Standardizes incoming inspection; generates trend data for scorecards
Supplier scorecards and dashboards | Automated calculation of supplier performance metrics from inspection, SCAR, and delivery data; configurable weighting and thresholds | Enables data-driven supplier re-evaluation; reduces manual reporting effort
Document management | Controlled storage and distribution of quality agreements, specifications, certificates, and audit reports — with version control and access permissions | Single source of truth for all supplier-related documentation
Change management integration | Links supplier change notifications to internal change control processes; tracks impact assessment and approval | Ensures supplier changes are evaluated before implementation
Audit management | Audit scheduling, checklist management, finding tracking, CAPA linkage, and follow-up verification | Supports a systematic, risk-based audit program
Training records | Tracks auditor qualifications and training; ensures only qualified personnel perform supplier audits and evaluations | Demonstrates auditor competency during regulatory inspections

Supplier Portals

A supplier portal is a secure, web-based interface that provides suppliers with controlled access to relevant information and workflows within your quality system. Effective supplier portals enable:

  • Self-service document submission — Suppliers upload certificates, CoCs, CoAs, questionnaire responses, and qualification documents directly into the eQMS, eliminating email-based document exchange and reducing the risk of lost or misfiled documents.
  • SCAR collaboration — Suppliers receive SCAR notifications, submit root cause analysis and corrective action responses, and upload supporting evidence through the portal. The entire SCAR conversation is captured in the system with timestamps and audit trails.
  • Change notification acknowledgment — When you issue a specification change or quality requirement update, suppliers acknowledge receipt and acceptance through the portal, creating a documented record of notification.
  • Real-time status visibility — Suppliers can view their approval status, open SCARs, upcoming audit dates, and scorecard performance, fostering transparency and accountability.
  • Controlled information sharing — Specifications, drawings, and quality requirements are distributed through the portal with version control, ensuring suppliers always work from the current revision.

21 CFR Part 11 Considerations for Validated Supplier Management Software

When supplier management processes are executed electronically — supplier approvals, incoming inspection records, SCAR dispositions, audit reports — the records generated are subject to regulatory requirements for electronic records and electronic signatures.

In the United States, 21 CFR Part 11 establishes the criteria under which FDA considers electronic records and electronic signatures to be trustworthy, reliable, and equivalent to paper records and handwritten signatures. For supplier management software, key Part 11 requirements include:

  • Audit trails: The system must maintain a computer-generated, time-stamped audit trail that independently records the date and time of operator entries and actions that create, modify, or delete electronic records. For supplier management, this means every approval decision, SCAR disposition, inspection result entry, and ASL change must be traceable to a specific user and timestamp.
  • Access controls: The system must limit access to authorized individuals. Role-based access controls should restrict who can approve suppliers, modify the ASL, close SCARs, and enter inspection results.
  • Electronic signatures: When electronic signatures are used (e.g., to approve a supplier qualification or sign off on an audit report), the system must ensure that each electronic signature is unique to one individual, cannot be reused by or reassigned to anyone else, and is linked to the corresponding electronic record.
  • System validation: The system must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Validation of supplier management software should include IQ/OQ/PQ protocols, documented user requirements, and periodic revalidation when the system is updated.
  • Record retention and retrieval: Electronic records must be readily retrievable throughout the required retention period. For medical device supplier records, retention periods are typically the lifetime of the device plus regulatory minimums.
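As an added illustration (not code from the guide or from any eQMS product), the following Python sketch models the three technical controls above as they apply to Approved Supplier List changes: a time-stamped audit trail in which each entry carries the hash of the previous one, so an edited or deleted entry is detectable; a role check on who may create, approve or disqualify a supplier; and an electronic signature that is issued once per person, cannot be reassigned, and is bound to the content hash of the record it signs, so it stops verifying if the record is changed afterwards. Roles, user names, secrets and the supplier entry are constructed, and the dictionary of secrets stands in for the eQMS identity and authentication store.

```python
# Added example (not the guide's or any eQMS vendor's code) modelling the Part 11
# controls above for Approved Supplier List (ASL) changes. Roles, users, secrets and
# supplier data are constructed.
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Role-based access control: each role's permitted ASL actions (roles are assumed).
PERMISSIONS = {
    "supplier_quality_engineer": {"create", "modify"},
    "quality_manager": {"create", "modify", "approve", "disqualify"},
    "purchasing": set(),  # may read the ASL but never change it
}


def record_hash(record):
    """Content hash of a record; audit entries and signatures are bound to it."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only, time-stamped trail; each entry carries the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, user, role, action, record_id, before, after):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user, "role": role,
                 "action": action, "record": record_id, "before": before, "after": after,
                 "prev_hash": self.entries[-1]["hash"] if self.entries else "0" * 64}
        entry["hash"] = record_hash(entry)
        self.entries.append(entry)

    def verify(self):
        """True only if every entry is unaltered and the chain is unbroken."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or record_hash(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class SignatureRegistry:
    """One signing secret per person, issued once; signatures are bound to record content."""

    def __init__(self):
        self._keys = {}  # user -> secret; stands in for the eQMS identity store

    def enroll(self, user, secret):
        if user in self._keys:
            raise ValueError("signature identity already issued; cannot be reassigned")
        self._keys[user] = secret

    def sign(self, user, record, meaning):
        digest = record_hash(record)
        msg = f"{user}|{meaning}|{digest}".encode()
        tag = hmac.new(self._keys[user].encode(), msg, hashlib.sha256).hexdigest()
        return {"user": user, "meaning": meaning, "record_hash": digest, "tag": tag}

    def verify(self, sig, record):
        """False if the record changed after signing or the tag is not the signer's."""
        key = self._keys.get(sig["user"])
        if key is None or record_hash(record) != sig["record_hash"]:
            return False
        msg = f"{sig['user']}|{sig['meaning']}|{sig['record_hash']}".encode()
        expected = hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, sig["tag"])


def change_asl(asl, trail, user, role, action, supplier_id, **fields):
    """Refuse the change unless the role permits it; otherwise apply it and log before/after."""
    if action not in PERMISSIONS.get(role, set()):
        raise PermissionError(f"role {role!r} may not {action} ASL entries")
    before = dict(asl.get(supplier_id, {}))
    after = dict(before, **fields)
    asl[supplier_id] = after
    trail.append(user, role, action, supplier_id, before or None, dict(after))
    return after


def demo():
    """Constructed walk-through; returns the checks a validation protocol would assert."""
    asl, trail, reg, out = {}, AuditTrail(), SignatureRegistry(), {}
    reg.enroll("qmgr1", "constructed-secret-1")
    change_asl(asl, trail, "sqe1", "supplier_quality_engineer", "create", "SUP-001",
               name="Example Polymers (constructed)", scope="medical-grade PEEK rod",
               status="conditional")
    try:  # purchasing may read the ASL but not approve suppliers
        change_asl(asl, trail, "buyer1", "purchasing", "approve", "SUP-001", status="approved")
        out["purchasing_blocked"] = False
    except PermissionError:
        out["purchasing_blocked"] = True
    approved = change_asl(asl, trail, "qmgr1", "quality_manager", "approve", "SUP-001",
                          status="approved", classification="critical")
    sig = reg.sign("qmgr1", approved, "approved supplier qualification")
    out["signature_valid"] = reg.verify(sig, approved)
    out["signature_after_edit"] = reg.verify(sig, dict(approved, scope="any polymer"))
    out["trail_intact"] = trail.verify()
    trail.entries[0]["after"]["scope"] = "any polymer"  # simulate tampering with stored history
    out["trail_after_tamper"] = trail.verify()
    return out
```

`demo()` walks through a creation, a refused approval by purchasing, an approval signed by the quality manager, and a tampered history entry; the flags it returns are the kind of thing an OQ script for such a system asserts. The chained hash only detects alteration of the stored history, it does not prevent it, so write access to the trail store itself still has to be restricted, and in a real deployment the signer's secret is never held by the application in the clear as it is here.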

Practical note: EU GMP Annex 11 (EudraLex Volume 4, written for medicinal products) and the broader data integrity expectations under EU MDR also impose requirements on electronic quality system records. While Annex 11 is not directly applicable to medical devices, Notified Bodies increasingly expect data integrity controls consistent with its principles. Ensure your supplier management software meets data integrity expectations regardless of market.

Real-Time Supply Chain Monitoring Technologies

Beyond traditional eQMS platforms, a new generation of supply chain monitoring technologies is emerging that provides real-time visibility and early warning capabilities:

  • Supply chain risk monitoring services — Third-party platforms that continuously monitor global risk signals (natural disasters, geopolitical events, financial distress indicators, regulatory actions, cyberattacks) and map them to your specific supply chain, alerting you when a risk event affects one of your suppliers or their geographic region.
  • IoT-enabled shipment tracking — Sensors embedded in shipments that monitor temperature, humidity, shock, and location in real time during transit. Particularly valuable for temperature-sensitive materials (biologics, reagents, certain polymers) and for demonstrating chain-of-custody and environmental control compliance.
  • Blockchain-based traceability — Emerging applications of distributed ledger technology to create immutable records of material provenance, chain of custody, and certification status throughout the supply chain. While still maturing in the medical device industry, blockchain holds promise for counterfeit prevention and conflict minerals traceability.
  • Predictive analytics — Machine learning models that analyze historical supplier performance data, market signals, and external risk factors to predict potential quality or supply disruptions before they occur, enabling proactive intervention.
  • Digital supplier qualification platforms — Cloud-based platforms that aggregate supplier certification data, regulatory status, financial health indicators, and quality performance benchmarks across industries, enabling faster and more data-driven supplier evaluation and selection.

Making Supplier Quality Part of the Culture

The most effective supplier quality programs are not just procedures and records — they are embedded in the organization's culture:

  • Involve suppliers early. Engage critical suppliers during product development, not just at the point of procurement. Early supplier involvement in design reviews can prevent specification issues and manufacturability problems.
  • Treat suppliers as partners. The best supplier relationships are collaborative, not adversarial. Share quality data openly. Invest in supplier development when a capable supplier needs to improve.
  • Hold people accountable. Purchasing personnel should be evaluated partly on supplier quality outcomes, not just cost and delivery. Quality engineers should own the supplier audit program, not just attend audits when convenient.
  • Executive visibility. Supplier quality metrics belong in management review and executive dashboards. When leadership pays attention to supplier quality, the organization follows.
  • Continuous improvement. Regularly review your supplier quality program for effectiveness. Benchmark against industry peers. Update your procedures, criteria, and tools as your product portfolio and supply chain evolve.

Counterfeit Parts Prevention

Counterfeit components represent a serious and growing threat to the medical device supply chain. A counterfeit part — whether a remarked semiconductor, a fraudulently labeled raw material, or a knockoff mechanical component — can cause device failure, patient harm, and catastrophic regulatory consequences. Unlike a quality defect from a legitimate supplier, a counterfeit part is intentionally deceptive, making detection far more difficult.

The Scope of the Problem

Counterfeit components have been documented across multiple categories relevant to medical devices:

  • Electronic components — Remarked, recycled, or cloned integrated circuits, capacitors, resistors, and connectors. The semiconductor industry estimates that counterfeiting costs the global electronics industry billions annually. Medical devices that rely on specific electronic components (imaging systems, patient monitors, infusion pumps, diagnostic instruments) are directly exposed.
  • Specialty metals and alloys — Fraudulent material certifications for titanium, cobalt-chromium, stainless steel, and other biocompatible metals used in implants and surgical instruments. A counterfeit material certificate can result in a non-biocompatible material being implanted in a patient.
  • Fasteners and mechanical components — Substandard fasteners with forged grade markings have been detected in multiple industries, including aerospace and medical devices.
  • Raw materials and chemicals — Adulterated or substituted chemicals, reagents, and raw materials — particularly for materials sourced through brokers or secondary markets.

Detection Methods

No single method is sufficient. Effective counterfeit prevention requires a layered approach:

| Method | Description | Application |
|---|---|---|
| Trusted distributor programs | Purchase components only from original equipment manufacturers (OEMs), authorized distributors, or franchised distributors — never from brokers or the open market for critical components | Primary prevention; the single most effective counterfeit mitigation strategy |
| Authentication and verification | Use manufacturer authentication tools (e.g., component manufacturer lot verification databases, holographic labels, serialized tracking) to verify component authenticity upon receipt | Incoming inspection for high-risk electronic components |
| Material identification testing | Positive material identification (PMI) using XRF, OES, or FTIR to verify that incoming materials match their certifications | Incoming inspection for metals, polymers, and specialty materials |
| Visual and physical inspection | Microscopic inspection for remarking evidence, inconsistent markings, poor packaging quality, or physical anomalies | Incoming inspection for all components; trained inspectors can detect many obvious counterfeits |
| Electrical testing | Functional and parametric testing of electronic components against manufacturer datasheets | Incoming inspection for active electronic components |
| X-ray and decapsulation analysis | Non-destructive (X-ray) or destructive (decapsulation) analysis of integrated circuits to verify die markings and internal construction match the claimed device | High-risk or suspect components; typically performed by specialized laboratories |
| Supply chain traceability | Full chain-of-custody documentation from manufacturer to point of use; require lot traceability and distributor documentation for every transaction | All critical components; contractual requirement in supplier agreements |
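Added example (not from the guide): the "trusted distributor" and "supply chain traceability" rows above expressed as a receiving-inspection check in Python. It takes the OEM and lot code from the certificate of conformance and the custody records delivered with the lot, and flags any seller that is neither the OEM nor an authorized distributor for that OEM, any gap between consecutive transactions, any lot code that changes along the chain, and any hop without an invoice or CoC reference. Any finding sends the lot to quarantine for investigation rather than straight to rejection, matching the quarantine-and-investigate provision in the agreement clauses below. OEM, distributor, invoice and lot identifiers are constructed.

```python
# Added example, not the guide's code: chain-of-custody verification at receiving.
# OEM, distributor, invoice and lot identifiers are constructed.

# Authorized distributors per OEM (constructed; in practice maintained alongside the ASL).
AUTHORIZED_DISTRIBUTORS = {
    "Acme Semiconductor (constructed)": {"DistCo", "FranchiseParts"},
}


def verify_chain_of_custody(part, hops, receiver="Manufacturer",
                            authorized=AUTHORIZED_DISTRIBUTORS):
    """Check the custody records for one lot and return (findings, disposition).

    part: {"oem": ..., "lot_code": ...} taken from the certificate of conformance.
    hops: [{"seller", "buyer", "lot_code", "document"}, ...] in transaction order.
    Any finding quarantines the lot as suspect counterfeit pending investigation."""
    if not hops:
        return ["no custody documentation supplied"], "quarantine"
    findings = []
    oem = part["oem"]
    trusted = {oem} | set(authorized.get(oem, ()))
    if hops[0]["seller"] != oem:
        findings.append(f"chain does not start at OEM {oem!r}")
    for i, hop in enumerate(hops):
        if hop["seller"] not in trusted:
            findings.append(f"hop {i}: seller {hop['seller']!r} is neither the OEM "
                            "nor an authorized distributor")
        if i and hops[i - 1]["buyer"] != hop["seller"]:
            findings.append(f"hop {i}: custody gap between {hops[i - 1]['buyer']!r} "
                            f"and {hop['seller']!r}")
        if hop.get("lot_code") != part["lot_code"]:
            findings.append(f"hop {i}: lot code {hop.get('lot_code')!r} differs from "
                            f"CoC lot {part['lot_code']!r}")
        if not hop.get("document"):
            findings.append(f"hop {i}: no invoice or CoC reference")
    if hops[-1]["buyer"] != receiver:
        findings.append(f"chain does not end at {receiver!r}")
    return findings, ("accept" if not findings else "quarantine")


PART = {"oem": "Acme Semiconductor (constructed)", "lot_code": "L2301A"}

# Constructed sample: OEM -> franchised distributor -> us.
CLEAN_CHAIN = [
    {"seller": "Acme Semiconductor (constructed)", "buyer": "DistCo",
     "lot_code": "L2301A", "document": "INV-1001"},
    {"seller": "DistCo", "buyer": "Manufacturer", "lot_code": "L2301A", "document": "INV-2042"},
]

# Constructed sample: an open-market broker appears in the chain and the lot code changes.
SUSPECT_CHAIN = [
    {"seller": "Acme Semiconductor (constructed)", "buyer": "DistCo",
     "lot_code": "L2301A", "document": "INV-1001"},
    {"seller": "DistCo", "buyer": "OpenMarketBroker", "lot_code": "L2301A", "document": "INV-2050"},
    {"seller": "OpenMarketBroker", "buyer": "Manufacturer", "lot_code": "L2301B", "document": "INV-9"},
]
```

The clean chain accepts with no findings; the suspect chain produces two findings (an unauthorized seller and a lot code mismatch on the final hop) and is quarantined. The check is deliberately documentary: it tells you the paperwork is inconsistent, not that the parts are counterfeit, which is what the authentication, PMI and electrical tests in the table are for.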

Relevant Standards for Counterfeit Prevention

Several industry standards provide frameworks for counterfeit parts prevention, primarily developed for the aerospace and defense industries but increasingly adopted in medical devices:

  • SAE AS6174: Counterfeit Materiel; Assuring Acquisition of Authentic and Conforming Materiel. Provides requirements for counterfeit materiel prevention, detection, response, and reporting. Applicable to all types of materials and components.
  • SAE AS6081: Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition — Distributors. Establishes requirements for distributors to avoid the introduction of counterfeit electronic parts into the supply chain. Relevant when selecting and qualifying electronic component distributors.
  • SAE AS6171: Test Methods Standard; Counterfeit Electronic Parts. Provides standardized test methods for detecting counterfeit electronic parts.
  • SAE AS5553: Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition. Requirements for organizations that procure electronic parts to mitigate the risk of receiving counterfeit parts.

Practical note: While these SAE standards were developed for aerospace, the counterfeit risk in medical devices is analogous. The FDA has not issued specific guidance on counterfeit parts prevention for medical devices, but the expectation under purchasing controls (ISO 13485 clause 7.4 and 21 CFR 820.50) is that manufacturers verify the authenticity and conformity of purchased product. A counterfeit component that causes a device failure will be treated as a purchasing control failure by regulators.

Supplier Agreement Provisions for Counterfeit Prevention

Quality agreements with suppliers of critical components — particularly electronic components, specialty metals, and materials sourced through multi-tier supply chains — should include specific counterfeit prevention clauses:

  • Authorized source requirements — The supplier shall procure components and materials only from OEMs, authorized distributors, or sources approved in writing by the manufacturer.
  • Traceability documentation — The supplier shall provide full chain-of-custody documentation for all delivered products, including original manufacturer lot/date codes, distributor invoices, and certificates of conformance traceable to the original manufacturer.
  • Notification of suspect parts — The supplier shall immediately notify the manufacturer if counterfeit or suspect counterfeit parts are detected in the supplier's inventory or supply chain, whether or not they have been shipped to the manufacturer.
  • Quarantine and investigation — Upon detection of suspect counterfeit material, the supplier shall quarantine all affected inventory, conduct an investigation, and cooperate with the manufacturer's investigation.
  • Flow-down to sub-tier suppliers — Counterfeit prevention requirements shall be flowed down to all sub-tier suppliers in the supply chain.
  • Right to reject and remedies — The manufacturer reserves the right to reject and return any counterfeit or suspect counterfeit material at the supplier's expense, and to recover all costs associated with the counterfeit event, including recall costs, investigation costs, and consequential damages.

Conflict Minerals and Responsible Sourcing

Medical device manufacturers are subject to increasing legal and market expectations regarding the responsible sourcing of raw materials — particularly minerals associated with armed conflict, human rights abuses, and environmental degradation. Supplier quality management programs must incorporate conflict minerals due diligence as a standard element of supply chain governance.

Regulatory Framework

Dodd-Frank Act Section 1502 (United States)

Section 1502 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (2010) requires SEC-reporting companies to determine whether their products contain conflict minerals — tin, tantalum, tungsten, and gold (collectively "3TG") — originating from the Democratic Republic of the Congo (DRC) or adjoining countries. If so, the company must conduct supply chain due diligence, file a Conflict Minerals Report (Form SD) with the SEC, and describe the due diligence measures taken.

While the SEC reporting requirement applies to publicly traded companies, the due diligence expectations cascade throughout the supply chain. Even private medical device companies receive conflict minerals inquiries from their customers and are expected to trace 3TG minerals through their supply chains.

EU Conflict Minerals Regulation (2017/821)

Regulation (EU) 2017/821, effective since January 1, 2021, requires EU importers of tin, tantalum, tungsten, and gold to conduct supply chain due diligence aligned with the OECD Due Diligence Guidance. Unlike Dodd-Frank, which focuses on disclosure, the EU regulation imposes mandatory due diligence obligations on importers of the minerals and metals themselves. Medical device manufacturers that import raw materials containing 3TG minerals into the EU, or that source from EU-based smelters and refiners, must ensure compliance.

OECD Due Diligence Guidance

The OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas is the internationally recognized framework for conflict minerals due diligence. It establishes a five-step framework:

  1. Establish strong company management systems
  2. Identify and assess risks in the supply chain
  3. Design and implement a strategy to respond to identified risks
  4. Carry out independent third-party audit of supply chain due diligence
  5. Report annually on supply chain due diligence

The Conflict Minerals Reporting Template (CMRT)

The Responsible Minerals Initiative (RMI) publishes the Conflict Minerals Reporting Template (CMRT), which is the industry-standard tool for collecting conflict minerals sourcing information from suppliers. The CMRT standardizes the exchange of information regarding the smelters and refiners in a company's supply chain.

How to use the CMRT in supplier management:

  • Distribute the CMRT to all Tier 1 suppliers of products that contain or may contain 3TG minerals
  • Require suppliers to complete and return the CMRT within a defined timeframe (typically 30-60 days)
  • Review CMRT responses to identify smelters and refiners in the supply chain
  • Cross-reference identified smelters against the RMI's Responsible Minerals Assurance Process (RMAP) conformant smelter list
  • Escalate with suppliers when CMRTs are incomplete, inconsistent, or identify non-conformant smelters
  • Maintain CMRT records as part of supplier documentation
  • Update CMRT data annually (at minimum) or when the supply chain changes
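Added example (not from the guide or from the RMI): the review steps above as a Python routine that takes each supplier's CMRT response, checks it for completeness (every declared metal has at least one smelter) and consistency (no smelter listed for an undeclared metal), cross-references every smelter identifier against a conformant list, flags suppliers that have not answered within the response window, and marks responses on file for more than a year for refresh. Smelter identifiers, the conformant list, supplier names and dates are constructed placeholders; the real RMAP conformant smelter list is published by the RMI and would be loaded in place of the constant here.

```python
# Added example (not from the guide or the RMI): CMRT response review.
# Smelter identifiers, the conformant list, supplier names and dates are constructed.
from datetime import date, timedelta

# Constructed stand-in for the RMAP conformant smelter list (the real list is the RMI's).
CONFORMANT_SMELTERS = {"CID-CONSTRUCTED-001", "CID-CONSTRUCTED-002", "CID-CONSTRUCTED-003"}


def review_cmrt(response, requested, today, response_days=60, max_age_days=365,
                conformant=CONFORMANT_SMELTERS):
    """Return (status, reasons) for one supplier's CMRT.

    response: None if nothing was returned, else {"received": date,
              "metals": [3TG metals the supplier declares present],
              "smelters": [{"metal": ..., "id": ...}, ...]}
    status: "ok", "pending" (still inside the response window), "escalate"
            (overdue, incomplete, inconsistent or non-conformant smelter) or
            "refresh" (on file but older than max_age_days)."""
    if response is None:
        if today - requested > timedelta(days=response_days):
            return "escalate", [f"no CMRT returned within {response_days} days"]
        return "pending", []
    reasons = []
    declared = {m.lower() for m in response["metals"]}
    by_metal = {}
    for s in response["smelters"]:
        by_metal.setdefault(s["metal"].lower(), []).append(s)
    for metal in sorted(declared):
        if not by_metal.get(metal):
            reasons.append(f"incomplete: {metal} declared but no smelter listed")
    for metal, smelters in sorted(by_metal.items()):
        if metal not in declared:
            reasons.append(f"inconsistent: smelter listed for {metal} but metal not declared")
        for s in smelters:
            if not s.get("id"):
                reasons.append(f"incomplete: {metal} smelter has no identifier")
            elif s["id"] not in conformant:
                reasons.append(f"non-conformant smelter {s['id']} for {metal}")
    if reasons:
        return "escalate", reasons
    if today - response["received"] > timedelta(days=max_age_days):
        return "refresh", [f"CMRT on file is older than {max_age_days} days"]
    return "ok", []


def review_all(responses, requested, today):
    """Worklist of suppliers needing action: name -> (status, reasons); ok suppliers omitted."""
    worklist = {}
    for name, resp in responses.items():
        status, reasons = review_cmrt(resp, requested, today)
        if status != "ok":
            worklist[name] = (status, reasons)
    return worklist


# Constructed sample campaign: CMRTs requested on 2025-03-01, reviewed on 2025-06-01.
REQUESTED, TODAY = date(2025, 3, 1), date(2025, 6, 1)
SAMPLE_RESPONSES = {
    "Supplier A (constructed)": {"received": date(2025, 4, 1), "metals": ["tin", "tantalum"],
        "smelters": [{"metal": "tin", "id": "CID-CONSTRUCTED-001"},
                     {"metal": "tantalum", "id": "CID-CONSTRUCTED-002"}]},
    "Supplier B (constructed)": {"received": date(2025, 4, 10), "metals": ["gold"],
        "smelters": [{"metal": "gold", "id": "CID-CONSTRUCTED-999"}]},  # not on the list
    "Supplier C (constructed)": {"received": date(2025, 4, 12), "metals": ["tungsten", "tin"],
        "smelters": [{"metal": "tungsten", "id": "CID-CONSTRUCTED-003"}]},  # tin smelter missing
    "Supplier D (constructed)": None,  # never answered
    "Supplier E (constructed)": {"received": date(2024, 3, 15), "metals": ["tin"],
        "smelters": [{"metal": "tin", "id": "CID-CONSTRUCTED-001"}]},  # over a year old
}
```

On the sample data `review_all` returns an escalation for suppliers B (non-conformant smelter), C (declared metal without a smelter) and D (no response after 60 days), a refresh flag for supplier E, and nothing for supplier A. The worklist, together with the responses themselves, is what goes into the supplier's documentation record for the annual update.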

Expanding scope — cobalt and mica: Industry attention is expanding beyond 3TG to include cobalt (used in batteries, including medical device batteries) and mica (used in electronic components). The Extended Minerals Reporting Template (EMRT), also published by the RMI, covers cobalt. Medical device manufacturers should assess whether their products contain cobalt or mica and extend due diligence accordingly.

Flowing Conflict Minerals Requirements to Suppliers

Supplier quality agreements and purchasing documents should include:

  • A requirement that the supplier investigate and disclose the origin of 3TG minerals in products supplied to the manufacturer
  • A requirement to complete and return the CMRT (and EMRT, if applicable) upon request
  • A commitment to source 3TG minerals from RMAP-conformant smelters or to develop a plan to transition to conformant sources
  • A requirement to flow these obligations down to the supplier's own supply chain
  • A commitment to cooperate with the manufacturer's conflict minerals due diligence and reporting obligations

Environmental Compliance and Sustainability

Medical device supply chains are subject to a growing body of environmental regulations and sustainability expectations. Supplier quality management programs must address environmental compliance as a flow-down requirement and prepare for increasing ESG (Environmental, Social, and Governance) demands from regulators, customers, and investors.

Key Environmental Regulations Affecting the Medical Device Supply Chain

RoHS — Restriction of Hazardous Substances (EU Directive 2011/65/EU)

The RoHS Directive restricts the use of specific hazardous substances in electrical and electronic equipment (EEE), including medical devices (which were brought into scope under RoHS 2). The restricted substances include lead, mercury, cadmium, hexavalent chromium, polybrominated biphenyls (PBB), and polybrominated diphenyl ethers (PBDE), plus four phthalates (DEHP, BBP, DBP, DIBP).

For supplier management, RoHS requires:

  • Suppliers of electronic components, materials, and subassemblies must declare compliance with RoHS substance restrictions
  • Material declarations (typically using the IEC 62474 material declaration standard or IPC-1752A) should be required from all relevant suppliers
  • Supplier quality agreements should include a RoHS compliance clause, with the supplier warranting that delivered products comply with applicable substance restrictions
  • Incoming verification should include periodic analytical testing (XRF screening, chemical analysis) to verify RoHS compliance, particularly for new suppliers or suspect materials

REACH — Registration, Evaluation, Authorisation and Restriction of Chemicals (EU Regulation EC 1907/2006)

REACH regulates chemicals in the EU and requires manufacturers and importers to identify and manage risks linked to substances they manufacture, market, or use. Medical device manufacturers must:

  • Determine whether products placed on the EU market contain Substances of Very High Concern (SVHCs) above 0.1% w/w in any article
  • Communicate SVHC information through the supply chain
  • Require suppliers to disclose SVHC content and provide REACH compliance data
  • Monitor the REACH Candidate List (updated twice annually) and assess new SVHC listings against your supply chain

REACH compliance is a supply chain obligation — you depend on your suppliers to provide accurate substance data. Quality agreements should require suppliers to notify you of any changes in substance composition and to provide updated REACH declarations when the Candidate List is amended.

WEEE — Waste Electrical and Electronic Equipment (EU Directive 2012/19/EU)

The WEEE Directive establishes requirements for the collection, recycling, and recovery of electrical and electronic equipment, including medical devices. While WEEE primarily imposes obligations on producers (manufacturers/importers), it has supply chain implications:

  • Product design must consider end-of-life recyclability, which may affect material and component specifications communicated to suppliers
  • Suppliers may be required to provide material composition data to support WEEE compliance and recyclability assessments
  • Packaging suppliers must comply with packaging waste regulations in the markets where devices are sold

Supplier Flow-Down for Environmental Compliance

| Requirement | Supplier Obligation | Documentation |
|---|---|---|
| RoHS compliance | Warrant that products comply with substance restrictions; provide material declarations | RoHS declaration of conformity; material declaration (IEC 62474 or equivalent) |
| REACH SVHC disclosure | Disclose SVHC content above 0.1% w/w; notify manufacturer of Candidate List changes affecting supplied products | REACH compliance statement; SVHC disclosure form; SCIP database notification (if applicable) |
| WEEE material data | Provide material composition data to support recyclability assessment | Material data sheets; IEC 62474 material declarations |
| Substance change notification | Notify manufacturer before any change in material composition, substance content, or regulatory status of supplied products | Integrated into change notification clause of quality agreement |
| Compliance representations | Warrant ongoing compliance with all applicable environmental regulations in all markets where the manufacturer sells the device | Environmental compliance clause in quality agreement |

ESG and Sustainability Expectations

Beyond specific regulatory requirements, medical device companies face growing ESG (Environmental, Social, and Governance) expectations from investors, customers, healthcare systems, and regulators:

  • Carbon footprint and emissions — Large healthcare systems and group purchasing organizations (GPOs) are increasingly requesting carbon footprint data and emissions reduction commitments from medical device suppliers. Manufacturers may need to collect Scope 3 emissions data from their supply chains, which requires supplier cooperation and data sharing.
  • Sustainability reporting — Frameworks such as the Corporate Sustainability Reporting Directive (CSRD) in the EU, the Global Reporting Initiative (GRI), and the Task Force on Climate-related Financial Disclosures (TCFD) are driving companies to report on supply chain sustainability, including supplier environmental and social practices.
  • Supplier codes of conduct — Many medical device companies now require suppliers to adhere to a supplier code of conduct covering environmental stewardship, labor practices, anti-corruption, and human rights. Compliance with the code of conduct is increasingly included as a quality agreement requirement and audited alongside quality system requirements.
  • Circular economy — The EU is moving toward circular economy requirements for medical devices, including design for recyclability, use of recycled materials, and reduction of single-use device waste. These requirements will increasingly flow through supplier specifications and material requirements.

Strategic perspective: Environmental compliance and sustainability are no longer peripheral to supplier quality management — they are becoming core supply chain requirements. Forward-looking medical device companies are integrating environmental and ESG criteria into their supplier evaluation, qualification, and monitoring processes alongside traditional quality and regulatory criteria. Suppliers that cannot demonstrate environmental compliance and sustainability commitment will increasingly be at a competitive disadvantage.

Final thought: Supplier quality management is not a compliance exercise. It is a core business capability that directly affects patient safety, product quality, regulatory standing, and commercial viability. The organizations that invest in robust, risk-based supplier quality programs — and execute them consistently — experience fewer recalls, smoother audits, stronger supplier relationships, and better outcomes for patients. There are no shortcuts.

Frequently Asked Questions

How often should you audit medical device suppliers?

Audit frequency should be risk-based and driven by supplier criticality classification. As a general framework:

| Supplier Classification | Initial Qualification Audit | Surveillance Audit Frequency |
|---|---|---|
| Critical | On-site audit required before approval | Annually or biennially |
| Major | On-site or desktop audit recommended | Every 2-3 years, or triggered by performance issues |
| Minor | Questionnaire or certificate review | Not required unless triggered by a specific concern |

These intervals are starting points. Increase frequency for suppliers with declining performance, open SCARs, recent changes in ownership or processes, or regulatory findings. Decrease frequency (with documented justification) for long-established suppliers with sustained excellent performance. Trigger-based audits — conducted in response to a specific event regardless of schedule — are equally important and should be defined in your audit procedure.

What is a supplier quality agreement?

A Supplier Quality Agreement (SQA) is a binding document between the medical device manufacturer and a supplier that defines quality-specific expectations, responsibilities, and obligations beyond standard commercial terms. It covers topics such as product specifications, change notification requirements, right to audit, corrective action obligations, traceability requirements, regulatory access provisions, record retention, and sub-tier supplier control. An SQA is required for all critical and major suppliers under best practices aligned with ISO 13485 and FDA expectations. It is the contractual foundation that enables the manufacturer to exercise control over supplier quality and to hold the supplier accountable for meeting specified requirements.

What is the difference between a CoC and a CoA?

| | Certificate of Conformance (CoC) | Certificate of Analysis (CoA) |
|---|---|---|
| Content | A declaration by the supplier that the shipped product conforms to specified requirements | A document containing actual test results — specific tests performed, specification limits, and measured values |
| Level of evidence | Supplier's assertion of conformance | Objective data showing what was measured and the result |
| Typical use | Components, subassemblies, hardware | Raw materials, chemicals, biologics, materials where properties are critical |
| Regulatory expectation | Acceptable for non-critical or low-risk purchased products | Expected (or required) for critical materials — relying solely on a CoC for a critical raw material is a common audit finding |

In short, a CoC tells you the supplier says the product conforms. A CoA shows you the data. For critical materials and components, always require a CoA.

What is a SCAR?

A Supplier Corrective Action Request (SCAR) is the formal mechanism for communicating a quality problem to a supplier and requiring root cause analysis, corrective action, and preventive action. The SCAR process typically involves: (1) documenting the nonconformance with objective evidence, (2) issuing the SCAR to the supplier with a defined response deadline, (3) the supplier investigating root cause and proposing corrective/preventive actions, (4) the manufacturer reviewing and approving the response, (5) the supplier implementing corrective actions, and (6) the manufacturer verifying effectiveness. SCARs are tracked in the quality system and feed into supplier scorecards and re-evaluation decisions. A supplier's SCAR response timeliness and effectiveness are key performance indicators.

How do you classify critical vs. non-critical suppliers?

Supplier criticality classification is based on the risk that the supplier's product or service poses to device safety, performance, and regulatory compliance. Key classification factors include:

  • Does the product or service directly affect device safety or performance?
  • Does the product contact the patient or user?
  • Is it a special process that cannot be fully verified by subsequent inspection or testing?
  • Is the product or service subject to specific regulatory requirements (biocompatibility, electrical safety, sterility)?
  • Is the supplier a single source with no qualified alternative?
  • What is the potential patient impact if the supplier's product or service fails?

A typical three-tier model classifies suppliers as Critical (directly affects device safety/performance; failure could cause patient harm), Major (affects device quality or compliance but failure unlikely to directly cause patient harm), and Minor (minimal impact on device quality; commodity items with readily available alternatives). The classification must be documented, periodically reviewed, and updated when circumstances change.

What are the ISO 13485 requirements for purchasing controls?

ISO 13485:2016 clause 7.4 establishes three core purchasing control requirements:

  • Clause 7.4.1 (Purchasing Process): Establish documented procedures for supplier evaluation, selection, monitoring, and re-evaluation. Base the extent of controls on the risk associated with the purchased product. Maintain records of all evaluation and re-evaluation activities.
  • Clause 7.4.2 (Purchasing Information): Purchasing documents must fully describe the product to be purchased, including specifications, acceptance criteria, quality system requirements, personnel qualification requirements, and requirements for supplier notification of changes.
  • Clause 7.4.3 (Verification of Purchased Product): Establish inspection or verification activities to ensure purchased product meets specified requirements. The extent of verification must be risk-based. If verification is to be performed at the supplier's premises, this must be stated in the purchasing information.

Additionally, clause 4.1.5 requires that outsourced processes affecting product conformity be controlled within the QMS, and clause 7.5.9 requires documented procedures for the traceability of purchased product used in the finished device.

Can you outsource without auditing the supplier?

It depends on the criticality and risk. ISO 13485 requires that you evaluate and monitor suppliers, but it does not mandate that every supplier receive an on-site audit. The evaluation method should be commensurate with risk:

  • For critical suppliers — particularly those performing outsourced processes, manufacturing critical components, or providing sterilization services — an on-site audit is strongly recommended and, in practice, expected by regulators and Notified Bodies. Skipping the audit for a critical supplier is a regulatory risk.
  • For major suppliers, a combination of questionnaire, desktop audit, product qualification testing, and reliance on third-party certification may be sufficient, depending on the risk assessment.
  • For minor suppliers, a questionnaire or certificate review is typically adequate.

The key is that your decision is documented and risk-based. If you choose not to audit a supplier, document the rationale, the alternative evaluation methods used, and the risk justification. Be prepared to defend this decision during a regulatory audit or Notified Body assessment.

What is an Approved Supplier List?

An Approved Supplier List (ASL) is a controlled document that lists all suppliers authorized to provide products and services that affect device quality. The ASL is a regulatory requirement under both ISO 13485 and FDA purchasing controls. It should include the supplier name, location, the products or services for which the supplier is approved, scope of approval, approval date, criticality classification, current status (approved, conditional, probationary, disqualified), quality agreement reference, certification status, and next re-evaluation date. No purchases of controlled products or services should be made from suppliers not on the ASL. The ASL must be accessible to purchasing personnel, kept current, and reviewed periodically as part of supplier re-evaluation.
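The criticality classification described earlier and the ASL fields and gating rule described here can be expressed as a small decision model. The following Python is an added example for this guide, not code from the guide, any regulator or any QMS product: the three-tier mapping of the six classification questions, the field names, the status and scope checks, the "Critical supplier needs a quality agreement" rule and the sample suppliers are all constructed assumptions chosen to illustrate the text.

```python
"""Supplier criticality classification and an ASL purchase gate (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Tier(str, Enum):
    CRITICAL = "Critical"
    MAJOR = "Major"
    MINOR = "Minor"


class Status(str, Enum):
    APPROVED = "approved"
    CONDITIONAL = "conditional"
    PROBATIONARY = "probationary"
    DISQUALIFIED = "disqualified"


@dataclass(frozen=True)
class RiskFactors:
    """The six classification questions from the text, as flags plus an impact scale."""
    affects_safety_or_performance: bool
    patient_or_user_contact: bool
    special_process: bool           # cannot be fully verified by later inspection or test
    regulated_attribute: bool       # biocompatibility, electrical safety, sterility
    single_source: bool
    patient_impact_if_fails: str    # "none", "minor" or "serious" (assumed scale)


def classify(f: RiskFactors) -> Tier:
    """Map the factors onto the three-tier model; the mapping itself is an assumption.

    Critical: a failure could reach the patient or cannot be caught downstream.
    Major:    quality/compliance impact only; a single source is never rated below Major.
    """
    if (f.affects_safety_or_performance or f.patient_or_user_contact
            or f.special_process or f.patient_impact_if_fails == "serious"):
        return Tier.CRITICAL
    if f.regulated_attribute or f.single_source or f.patient_impact_if_fails == "minor":
        return Tier.MAJOR
    return Tier.MINOR


@dataclass
class AslEntry:
    """One ASL row carrying the fields the text says the list should hold."""
    name: str
    location: str
    approved_scope: frozenset        # product/service codes the supplier is approved for
    tier: Tier
    status: Status
    approval_date: date
    next_reevaluation: date
    quality_agreement: str | None = None   # document reference, if one exists
    certification: str | None = None       # e.g. "ISO 13485:2016" (constructed)


class ApprovedSupplierList:
    def __init__(self, entries: list[AslEntry]):
        self._by_name = {e.name: e for e in entries}

    def purchase_blockers(self, supplier: str, item: str, today: date) -> list[str]:
        """Reasons a purchase order must not be released; an empty list means it may go."""
        e = self._by_name.get(supplier)
        if e is None:
            return [f"{supplier} is not on the ASL"]
        reasons = []
        if e.status is Status.DISQUALIFIED:
            reasons.append("supplier is disqualified")
        if item not in e.approved_scope:
            reasons.append(f"{item} is outside the approved scope")
        if today > e.next_reevaluation:
            reasons.append("re-evaluation is overdue")
        if e.tier is Tier.CRITICAL and e.quality_agreement is None:  # assumed policy
            reasons.append("critical supplier has no quality agreement")
        return reasons

    def reevaluations_due(self, today: date, within_days: int = 90) -> list[str]:
        """Active suppliers whose re-evaluation date is past or inside the window."""
        horizon = today + timedelta(days=within_days)
        return sorted(e.name for e in self._by_name.values()
                      if e.status is not Status.DISQUALIFIED and e.next_reevaluation <= horizon)


def build_sample_asl() -> ApprovedSupplierList:
    """Constructed sample data; supplier names, codes and dates are fictitious."""
    steriliser = RiskFactors(True, False, True, True, True, "serious")
    carton = RiskFactors(False, False, False, False, False, "none")
    return ApprovedSupplierList([
        AslEntry("SterilCo (sample)", "Plant A", frozenset({"EO-STERILISATION"}), classify(steriliser),
                 Status.APPROVED, date(2025, 1, 15), date(2026, 1, 15), quality_agreement="QA-0001"),
        AslEntry("BoxWorks (sample)", "Plant B", frozenset({"SHIPPER-CARTON"}), classify(carton),
                 Status.APPROVED, date(2024, 6, 1), date(2025, 6, 1)),   # re-evaluation overdue
        AslEntry("OldMold (sample)", "Plant C", frozenset({"HOUSING-PC"}), Tier.MAJOR,
                 Status.DISQUALIFIED, date(2023, 3, 1), date(2027, 3, 1)),
    ])


def run_demo(today: date = date(2025, 9, 1)) -> dict:
    """Gate four sample purchase orders and list upcoming re-evaluations."""
    asl = build_sample_asl()
    orders = [("SterilCo (sample)", "EO-STERILISATION"), ("BoxWorks (sample)", "SHIPPER-CARTON"),
              ("OldMold (sample)", "HOUSING-PC"), ("Unknown Ltd", "HOUSING-PC")]
    result = {f"{s}/{i}": asl.purchase_blockers(s, i, today) for s, i in orders}
    result["due_for_reevaluation"] = asl.reevaluations_due(today)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value or "OK")
```

The gate returns every blocking reason rather than the first one found, so a purchasing reviewer sees an overdue re-evaluation and an out-of-scope item on the same order; the re-evaluation report is the list a supplier quality engineer would pull ahead of management review.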

What does MDSAP expect for supplier controls?

MDSAP auditors evaluate purchasing controls as one of the core processes in the audit model, mapping ISO 13485 requirements to country-specific requirements of the five participating authorities (FDA, Health Canada, TGA, ANVISA, MHLW/PMDA). Specifically, MDSAP auditors verify that:

  • Documented procedures exist for supplier evaluation, selection, monitoring, and re-evaluation
  • Supplier evaluation criteria are defined and risk-based
  • An approved supplier list is maintained and current
  • Purchasing information adequately describes required products and quality requirements
  • Incoming inspection or verification is performed and risk-based
  • Ongoing monitoring data is collected and analyzed
  • Re-evaluations are performed at planned intervals with documented results and follow-up actions
  • Outsourced processes are controlled
  • All required records are maintained

MDSAP uses a five-grade nonconformity system (Grade 1 through Grade 5), with Grade 3 and above requiring CAPA and potentially affecting the MDSAP certificate. Common purchasing-related findings include absent or incomplete supplier evaluations, missing incoming inspection records, and failure to monitor supplier performance over time.

How do you handle a single-source supplier?

Single-source suppliers — those for which no qualified alternative exists — represent elevated risk because any disruption (quality failure, capacity constraint, financial insolvency, natural disaster, regulatory action) can halt your production with no immediate fallback. Managing single-source risk requires a multi-layered strategy:

  • Enhanced monitoring: Apply the highest level of ongoing monitoring to single-source suppliers — more frequent audits, tighter incoming inspection, closer scrutiny of performance trends, and proactive financial health monitoring.
  • Dual-source qualification: Invest in qualifying an alternative supplier wherever technically and commercially feasible. This is the most effective long-term mitigation.
  • Safety stock: Maintain a strategic buffer inventory of single-source critical components, sized to provide sufficient time to qualify an alternative if the primary source fails. The buffer size should be based on the estimated qualification timeline for an alternative.
  • Long-term supply agreements: Establish contractual commitments that include capacity reservation, last-buy and end-of-life notification provisions, and advance notice of any changes that could affect supply continuity.
  • Documented risk assessment: Include single-source dependencies in your product risk management file (ISO 14971) and your supply chain risk assessment. Ensure management review includes visibility into single-source risks and the status of mitigation actions.
  • Contingency planning: Develop and document a contingency plan for each single-source supplier that defines the actions to be taken in the event of a supply disruption — including pre-identified candidate alternative suppliers, expedited qualification plans, and communication protocols.