Supplier evaluation, approved supplier list, purchasing data, and incoming verification — §820.50 purchasing controls structure preserved.
Risk-based supplier controls (type and extent proportional to device impact), periodic re-evaluation at defined intervals, and quality agreements for critical suppliers.
Supplier re-evaluation records and quality agreements — approved supplier lists without re-evaluation criteria are a common gap.
Maps to
QMSR / ISO 13485: §820.50 Purchasing controls
ISO 13485: §7.4 Purchasing
Requirement text
The organization shall evaluate and select suppliers based on their ability to supply product meeting requirements. Criteria for selection, evaluation, and re-evaluation shall be established. FDA-Plus: Purchasing controls must include quality agreements defining quality requirements. Verification of purchased product must be documented. Supplier performance must be monitored and re-evaluated at defined intervals.
Why this clause exists
A device manufacturer's quality system extends to every input it does not control directly, and the history of device recalls demonstrates that supplier failures can propagate into the finished product without detection when incoming controls are inadequate or when quality expectations are communicated only informally. Regulators structured purchasing controls around a proportionality principle — the rigor of supplier oversight must scale with the effect of the purchased product on the finished device and the patient — because applying identical controls to commodity fasteners and to a sterile component that contacts tissue is both impractical and insufficient at each extreme. ISO 13485:2016 § 7.4.1 formalizes this as a risk-based supplier classification requirement: the organization must determine the type and extent of control appropriate to each supplier category based on potential impact. QMSR adds FDA-Plus requirements for quality agreements with critical suppliers, making explicit what FDA investigators had long expected to find: written, mutually agreed commitments to quality requirements, not informal supplier relationships. Re-evaluation at defined intervals closes the loop that initial qualification opens — a supplier qualified five years ago under different management, different processes, and different regulatory context may no longer meet the criteria that justified its original approval. Periodic re-evaluation using incoming inspection results, supplier-provided quality data, and performance metrics is the mechanism that keeps the approved supplier list current rather than historical.
What changed
§820.50 — Part 820 (legacy)
"Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements. Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall: (1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented. (2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results. (3) Establish and maintain records of acceptable suppliers, contractors, and consultants. Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with § 820.40."
§7.4 — ISO 13485:2016 (current)
"7.4.1 Purchasing process The organization shall document procedures (see 4.2.4) to ensure that purchased product conforms to specified purchasing information. The organization shall establish criteria for the evaluation and selection of suppliers. The criteria shall be: a) based on the supplier's ability to provide product that meets the organization's requirements; b) based on the performance of the supplier; c) based on the effect of the purchased product on the quality of the medical device; d) proportionate to the risk associated with the medical device. The organization shall plan the monitoring and re-evaluation of suppliers. Supplier performance in meeting requirements for the purchased product shall be monitored. The results of the monitoring shall provide an input into the supplier re-evaluation process. Non-fulfilment of purchasing requirements shall be addressed with the supplier proportionate to the risk associated with the purchased product and compliance with applicable regulatory requirements. Records of the results of evaluation, selection, monitoring and re-evaluation of supplier capability or performance and any necessary actions arising from these activities shall be maintained (see 4.2.5). 7.4.2 Purchasing information Purchasing information shall describe or reference the product to be purchased, including as appropriate: a) product specifications; b) requirements for product acceptance, procedures, processes and equipment; c) requirements for qualification of supplier personnel; d) quality management system requirements. The organization shall ensure the adequacy of specified purchasing requirements prior to their communication to the supplier. Purchasing information shall include, as applicable, a written agreement that the supplier notify the organization of changes in the purchased product prior to implementation of any changes that affect the ability of the purchased product to meet specified purchase requirements. 
To the extent required for traceability given in 7.5.9, the organization shall maintain relevant purchasing information in the form of documents (see 4.2.4) and records (see 4.2.5). 7.4.3 Verification of purchased product The organization shall establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchasing requirements. The extent of verification activities shall be based on the supplier evaluation results and proportionate to the risks associated with the purchased product. When the organization becomes aware of any changes to the purchased product, the organization shall determine whether these changes affect the product realization process or the medical device. When the organization or its customer intends to perform verification at the supplier's premises, the organization shall state the intended verification activities and method of product release in the purchasing information. Records of the verification shall be maintained (see 4.2.5)."
Δ Supplier evaluation criteria must be risk-proportionate and performance-based; adds mandatory ongoing supplier monitoring/re-evaluation loop and verification activities scaled to supplier risk.
Common gaps (what we see in audits)
- No Risk-Based Supplier Classification — All suppliers are treated the same regardless of the risk impact of their product or service on device quality. ISO 13485 clause 7.4.1 requires that the type and extent of control applied to the supplier be proportional to the effect on subsequent product realization or the final device. Without risk classification, critical suppliers may receive inadequate oversight while low-risk suppliers consume disproportionate resources.
- No Formal Supplier Re-Evaluation Program — Suppliers are qualified initially but never formally re-evaluated. ISO 13485 clause 7.4.1 requires criteria for re-evaluation and monitoring of supplier performance. Without periodic re-evaluation, supplier quality issues may go undetected until they result in nonconforming product.
- Missing or Inadequate Quality Agreements — Quality agreements with critical suppliers are absent or do not adequately define quality requirements, notification of changes, right to audit, and acceptance criteria. ISO 13485 clause 7.4.1 requires that quality requirements be communicated to suppliers, and industry practice expects formal quality agreements for critical suppliers.
- Purchasing Data Does Not Include Regulatory Requirements — Purchase orders and specifications sent to suppliers do not reference applicable regulatory requirements (e.g., biocompatibility standards for materials, sterility requirements, electronic record requirements). ISO 13485 clause 7.4.2 requires purchasing information to include applicable regulatory requirements.
- No Supplier Change Notification Process — There is no requirement for suppliers to notify the manufacturer of changes to their processes, materials, or facilities that could affect the purchased product. ISO 13485 and industry expectations require change notification agreements, especially for critical suppliers, to prevent unapproved changes from affecting device quality.