Oct 19, 2018

Evaluating Potential Medical Device Suppliers, Getting Them Started, and Implementing Effective Controls


Once you have established what you are purchasing and what type of supplier you need, it’s time to find qualified partners. The goal here is to plan and implement a consistent, risk-based approach for engaging new suppliers.

It is important (and required in ISO 13485:2016) for you to have documented procedures, supplier evaluation and selection criteria, and a record of supplier evaluations you have performed along with subsequent actions. Section 7.4.1 of ISO 13485:2016 combines the words evaluation and selection, but these are actually separate activities. Each step needs its own criteria. When evaluating new suppliers, there are four key criteria to consider:



This is the second installment of a 4-part blog series on supplier management. In our first post we look at the risks associated with suppliers, and in subsequent posts we examine how to audit suppliers and evaluate their products.


Supplier quality management is a risk-centric process, so we recommend that you start your analysis using the purchased product criteria. With purchased product criteria established, you can then create a list of potential suppliers and group them according to the risk they pose. You could start with simple criteria as shown in the table below or customize to suit your needs. Make sure your categories make sense to everyone. Even if you only have one supplier, it is important to go through this process and demonstrate that you applied the evaluation criteria and considered the risks associated with the purchased product and the supplier.

Monitoring Supplier Criteria

Not every component or service you buy falls under the scope of supplier quality management. For example, off-the-shelf screws or office supplies present very little or no risk and do not require scrutiny.

Selecting a new supplier and onboarding them

You’ve evaluated numerous medical device suppliers using your predefined criteria and have found a good fit. What’s next? Now you need to perform further due diligence and onboard them. This is where your predefined supplier criteria must be verified before the supplier can be moved to “approved” status on your Approved Supplier List (more on that later). When you are onboarding a low-risk supplier, very little additional qualification may be needed. High-risk suppliers, on the other hand, should be placed in “conditional” approval status until you have gathered all necessary information (evidence) from them.

During the “due diligence” phase, you should also draft a quality agreement. In all cases, the extent of the supplier onboarding process is based on risk. It is acceptable to begin accepting product from conditionally approved suppliers, but it is not recommended for high-risk suppliers.

Other common “supplier controls” covered during the onboarding phase include the sharing of product specifications, drawings, contracts, materials acceptance procedures, required supplier performance reporting, on-site verification activities, and audit frequency. All of these set expectations and the tone of the relationship.

Which of my medical device suppliers require a formal quality agreement?

Quality agreements define how relevant QMS activities for the purchased product will be completed and who is responsible for them. They are helpful in any supplier relationship and are required per clause 4.1.5 in ISO 13485:2016. The US FDA does not have specific guidelines for quality agreements but expects them to be in place, and FDA has used the term in warning letters. Likewise, the European Medical Device Regulation (MDR) does not have explicit quality agreement requirements.

Also, if you are procuring products from “sister” companies or divisions of your company, the quality agreement requirements are the same! FDA and other regulators make no distinction in where you source your products or materials. Companies often get cited for having cursory agreements in place with related companies or using business supply contracts as a replacement for quality agreements.

Make your quality agreements proportional to the risk posed by the supplier and product. A quality agreement does not have to be a complicated 15-page document; in fact, it can range from simple standardized verbiage on purchase orders for low-risk products all the way up to a full contract for high-risk products/services. Your quality agreement should be clear about whether it covers the full QMS scope or just basic requirements, and it should detail who has responsibility in all QMS areas for the purchased product. Your quality agreement should not include confidentiality clauses, pricing, delivery requirements, or liability references – those are appropriate for other documents. Finally, all quality agreements should be “separable” from commercial contracts.

One word of caution. While it may be easier to use a boilerplate quality agreement for all suppliers, it makes sense to customize them to the specific purchased product. This takes longer but can help avoid misunderstandings. Build an outline using one of the relevant standards or regulations (ISO 13485 or FDA QSR).

Maintaining an Approved Supplier List

Purchased products that can impact product quality must be obtained from a supplier qualified to provide that specific item. Although maintaining an Approved Supplier List (ASL) is not required, it is common practice and expected by regulators. The US FDA frequently cites companies for having ASLs that don’t match up with individual supplier approval records.

Aside from preventing purchases from unauthorized suppliers, the ASL acts as a single reference document showing which suppliers have been approved to supply specific products. At a minimum, an ASL should include the name of the supplier, location, your risk-based supplier categorization, which specific products they can supply, and their approval status. This means, for example, that if Acme Nuts and Bolts is an approved supplier of bolts used in your products, you cannot buy nuts from them unless their product is listed in the ASL. This trips up many companies, because they assume that if a company is listed on the ASL, any products can be purchased from them. Not so.

The ASL should be an approved document. Choose a format that is effective for your organization, be it paper or electronic. Finally, make sure you define a process for updating, approving, distributing, and controlling the ASL.
