Maps to
QMSR / ISO 13485: §820.50
ISO 13485: §7.4
Requirement text
The organization shall evaluate and select suppliers based on their ability to supply product meeting requirements. Criteria for selection, evaluation, and re-evaluation shall be established. FDA-Plus: Purchasing controls must include quality agreements defining quality requirements. Verification of purchased product must be documented. Supplier performance must be monitored and re-evaluated at defined intervals.
What changed
Part 820 section 820.50 required manufacturers to establish and maintain procedures for purchasing controls, including evaluation of suppliers, contractors, and consultants. It required that each manufacturer establish requirements that must be met by suppliers, including quality requirements. The regulation required that purchasing data clearly describe the product or service ordered, and that manufacturers establish and maintain records of acceptable suppliers.
ISO 13485:2016 clause 7.4 significantly expands the supplier management framework compared to Part 820. Clause 7.4.1 (Purchasing Process) requires evaluation and selection based on ability to supply conforming product, with criteria for selection, evaluation, and re-evaluation established. It explicitly requires that the type and extent of control applied to the supplier be proportional to the effect of the purchased product on subsequent product realization or the final medical device — a risk-based approach to supplier controls. Clause 7.4.2 (Purchasing Information) requires that purchasing documents describe the product to be purchased, including product specifications, acceptance criteria, and QMS requirements. Clause 7.4.3 (Verification of Purchased Product) requires documented procedures for inspecting or otherwise verifying purchased product.
The QMSR adopts ISO 13485 clause 7.4 in its entirety. The key changes from Part 820 are: (1) the explicit risk-based approach to supplier controls (type and extent of control proportional to risk), (2) the explicit requirement for supplier re-evaluation at defined intervals (not just initial qualification), (3) the requirement for quality agreements with suppliers defining quality requirements, and (4) the expanded purchasing information requirements. Additionally, ISO 13485 clause 7.4.1 requires consideration of the supplier's ability to meet applicable regulatory requirements, adding a regulatory compliance dimension to supplier qualification.
Atomic constraints
- •Supplier evaluation and selection criteria must be documented.
- •An approved supplier list must be maintained.
- •Purchasing data must adequately describe the product ordered.
- •Verification of purchased product must be performed and documented.
- •Quality agreements must define quality requirements for critical suppliers.
- •Supplier performance must be monitored and re-evaluated periodically.
- •The type and extent of control applied to each supplier must be proportional to the effect of purchased product on subsequent product realization or the final device, requiring risk-based supplier classification per ISO 13485:2016 clause 7.4.1.
- •Criteria for re-evaluation of suppliers must be defined and re-evaluation must be performed at defined intervals, with records of the re-evaluation results maintained.
- •Purchasing information must include, where appropriate, the requirements for the quality management system to be applied by the supplier.
- •Purchasing information must include applicable statutory and regulatory requirements relevant to the purchased product.
- •Where the organization or its customer intends to perform verification at the supplier's premises, the purchasing information must state the intended verification arrangements and method of product release.
Common gaps
No Risk-Based Supplier Classification
majorAll suppliers are treated the same regardless of the risk impact of their product or service on device quality. ISO 13485 clause 7.4.1 requires that the type and extent of control applied to the supplier be proportional to the effect on subsequent product realization or the final device. Without risk classification, critical suppliers may receive inadequate oversight while low-risk suppliers consume disproportionate resources.
No Formal Supplier Re-Evaluation Program
majorSuppliers are qualified initially but never formally re-evaluated. ISO 13485 clause 7.4.1 requires criteria for re-evaluation and monitoring of supplier performance. Without periodic re-evaluation, supplier quality issues may go undetected until they result in nonconforming product.
Missing or Inadequate Quality Agreements
moderateQuality agreements with critical suppliers are absent or do not adequately define quality requirements, notification of changes, right to audit, and acceptance criteria. ISO 13485 clause 7.4.1 requires that quality requirements be communicated to suppliers, and industry practice expects formal quality agreements for critical suppliers.
Purchasing Data Does Not Include Regulatory Requirements
moderatePurchase orders and specifications sent to suppliers do not reference applicable regulatory requirements (e.g., biocompatibility standards for materials, sterility requirements, electronic record requirements). ISO 13485 clause 7.4.2 requires purchasing information to include applicable regulatory requirements.
No Supplier Change Notification Process
moderateThere is no requirement for suppliers to notify the manufacturer of changes to their processes, materials, or facilities that could affect the purchased product. ISO 13485 and industry expectations require change notification agreements, especially for critical suppliers, to prevent unapproved changes from affecting device quality.
Evidence signals
- •
FILE_EXISTS
(Supplier|ASL|Approved.*Supplier|Vendor|Purchasing|Quality.*Agreement)
- •
CONTENT_MATCH
Does this document describe supplier evaluation criteria, approved supplier management, purchasing controls, incoming inspection, and supplier re-evaluation procedures?
Audit defense
Supplier management for [your product] is controlled through [your document ID]. All suppliers on our ASL have been evaluated against defined criteria, with quality agreements in place for critical suppliers. Incoming inspection results and supplier performance metrics drive periodic re-evaluation.