Skip to main content

Supplier Controls & Purchasing

Overviewโ€‹

ISO 13485 Section 7.4 requires medical device manufacturers to control the quality of purchased products and services. Under MedDO, effective supplier controls are essential because the manufacturer remains responsible for the safety and performance of the final device, regardless of what components or services are outsourced.

Critical vs Non-Critical Suppliersโ€‹

Not all suppliers carry the same risk to device safety. ISO 13485 requires manufacturers to classify suppliers and apply controls proportionate to the risk of the purchased product or service:

Critical suppliers โ€” Suppliers providing materials, components, or services that directly affect device safety or performance:

  • Raw material suppliers (especially biologics, sterile components, active materials)
  • Contract manufacturers of device components
  • Sterilisation service providers
  • Contract testing laboratories
  • Software development partners (for SaMD components)

Non-critical suppliers โ€” Suppliers providing products or services with low impact on device quality (e.g. office supplies, non-product-contact packaging materials).

Supplier Qualification Processโ€‹

For critical suppliers, qualification typically includes:

Initial qualification:

  • Supplier questionnaire or self-assessment against defined requirements
  • Review of quality certificates (ISO 13485, ISO 9001, GMP certificates)
  • Sample testing (for material/component suppliers)
  • On-site audit (for high-risk suppliers)
  • Review of supply agreement and quality agreement

Quality Agreement A quality agreement between the manufacturer and critical suppliers documents: quality requirements; inspection and testing requirements; change notification obligations (suppliers must notify manufacturers of any changes to processes, materials, or facilities that could affect product quality); non-conformity notification and response requirements.

Supplier Audits ISO 13485 requires evaluation of critical suppliers on an ongoing basis. This includes: periodic re-qualification; audit of critical suppliers at a frequency proportionate to risk; unannounced audits for very high-risk suppliers.

Supply Chain Risk Management Under MedDOโ€‹

MedDO Annex I ยง 22 (combination devices) and the GSPR requirements generally require manufacturers to assess and manage risks arising from all components of the device, including purchased materials and components. Supply chain risk management activities should be integrated with the ISO 14971 risk management process:

  • Material or component changes from suppliers should trigger risk assessment
  • Supply disruption scenarios should be considered in business continuity planning

Official Sourcesโ€‹

Disclaimer

AI-assisted navigation aid only. Always verify against official Swissmedic and Fedlex sources. Not legal or regulatory advice.