Supplier Controls in an ISO 13485:2003 Environment

by Nadia Perreault

Section 7.4 of ISO 13485 requires a documented procedure for purchasing to ensure that purchased products conform to specified requirements. This short sentence has a lot of meaning and carries a lot of weight. Unlike the AS 9100 Rev. B standard, ISO 13485 is not as explicit about the expected level(s) of supplier controls a company must have in place to ensure successful application of this requirement. Section 7.4.1 defines the steps necessary to properly and thoroughly vet a supplier. Section 7.4.2 defines the information to be transferred to a supplier so that the supplier has what it needs to properly complete the order (fulfilling their requirements).


The type and extent of control applied to the supplier and the purchased product shall be dependent upon the effect of the purchased product on subsequent product realization or the final product.

The organization shall evaluate and select suppliers based on their ability to supply product in accordance with the organization’s requirements. Criteria for selection, evaluation, and re-evaluation shall be established. Records of the results of evaluations and any necessary actions arising from the evaluation shall be maintained. (see 4.2.4)

(Note: The underlining in the sentence above was added by the author for emphasis and is not found in the Standard.)


Once an organization determines the need for, and requirements of, a specific commodity or service, the appropriate members of the organization set out to find the right match for their needs. “The control of suppliers is a process consisting of establishing criteria, evaluating, selecting, and on-going monitoring,” as defined by ISO 14969:2004, titled Medical Devices - Quality Management Systems - Guidance for the Application of ISO 13485:2003.

The initial step may be a web search, inquiries among industry colleagues, or advertisements in industry-related periodicals, to name a few. This investigative step does not indicate a supplier’s ability and/or qualifications to fulfill an organization’s requirements. This “selection” step is merely an introduction. Regardless, the method used to select a supplier must be recorded in some way.

The second step, the “evaluation”, may also take many forms. Suppliers may be evaluated via the certificates they hold (e.g. ISO 9001, AS 9100, ISO 13485, ISO 17015, etc.). The organization’s Supplier Quality Engineer, Product Development Engineer, or a team of disciplines may make an on-site visit or conduct an audit. The organization may opt to try the commodity or service and obtain feedback from the internal users as a method of selection. There are other, less rigorous methods as well, such as when the supplier is dictated to the organization by the customer, or when the supplier is a sole source.

ISO 14969 section states “Regardless of the method of evaluation, the organization is required to demonstrate that it has control over the purchased product or outsourced process by possessing objective evidence that the selection of a supplier was based on appraisals appropriate to the product or service being purchased and the supplier’s ability to enable the organization to meet the customer and regulatory requirements associated with the medical device.”

The last and on-going step is the “re-evaluation”. This process also takes many forms. The most commonly used approach is some metric of the supplier’s quality and delivery performance and the supplier’s certifications.

ISO 14969 section goes on to say “The organization should define the frequency of supplier performance monitoring.” It also suggests that the organization’s registration body conduct a visit to the supplier for the purpose of obtaining objective evidence that the outsourced processes are under control.


Purchasing information shall describe the product to be purchased, including where appropriate

  1. requirements for approval of product, procedures, processes and equipment,
  2. requirements for qualification of personnel, and
  3. quality management system.

The organization shall ensure the adequacy of specified purchase requirements prior to their communication to the supplier.

To the extent required for traceability given in, the organization shall maintain relevant purchasing information, i.e. documents (see 4.2.3) and records (see 4.2.4).


The organization’s purchasing documents should be clear and specific regarding any expectations the organization has with regard to the product’s integrity. This information should include the less obvious customer requirements, such as the need for certificates of calibration from calibration services, special labeling or packaging (e.g. no peanuts used in packaging), and environmental considerations (e.g. storage or transportation concerns due to heat, humidity, etc.). In some cases, the purchasing documents may need to specify information regarding cleaning agents, if contamination may occur from standard cleaning operations. And of course these documents also contain the more obvious requirements, such as a description, part number, quantity, revision level (if applicable), delivery date, etc. If traceability is a requirement, the degree and method of traceability should also be defined for the supplier.

The qualifications of the individuals tasked with relaying and reviewing purchasing requirements should also be defined within each individual’s training record.


An organization’s documented procedure for the ISO 13485 purchasing requirement must define the criteria (various methods) the organization uses to select, evaluate, and re-evaluate its suppliers. Records of each of the steps shall be maintained to provide the necessary objective evidence that a given supplier has been appropriately scrutinized and has the ability to fulfill the stated customer and regulatory requirements, ensuring that purchased product and outsourced services conform to specifications.

In January of 2009, the Global Harmonization Task Force (GHTF) expects to publish a document titled “Quality Management Systems, Medical Devices – Guidance on the Control of Products and Services Obtained from Suppliers.” Both the FDA and Health Canada are stressing their concern regarding the risk associated with organizations outsourcing a fair amount of the manufacturing process without full knowledge of what went into the product. This risk is escalated when the outsourcing is done outside the United States, where perhaps that country’s requirements are not as stringent.

The beginning of a strong partnership with suppliers is a robust supplier selection and purchasing process, which depends on those individuals tasked with defining and communicating product specifications, requirements, and risk considerations.


  • A Quality Eye on Suppliers (Medical Products Outsourcing Magazine May 2008)
  • Ensuring Supplier Quality (Quality Progress August 2008)
  • Purchasing Controls: Best Practice Guidelines (Biomedical Instrumentation & Technology May/June 2008)
  • ANSI/AAMI/ISO TIR 14969:2004 Medical Devices – Quality Management Systems- Guidance for the Application of ISO 13485:2003
