Medical Device Supplier Qualification: FDA QMSR §820.50 and ISO 13485 §7.4 Requirements

Why Supplier Controls Are a Top FDA 483 Observation

Supplier controls consistently rank among the top five FDA 483 observation categories. The pattern is predictable: a device manufacturer has a supplier list, maybe a form they call a supplier qualification record, and a receiving inspection log. What they lack is a documented, risk-based supplier qualification program that demonstrates ongoing evaluation and control.

FDA QMSR §820.50 — which aligns with ISO 13485 §7.4 and became the governing framework as of February 2026 — requires substantially more than a list of approved vendors. It requires a systematic program: documented criteria for evaluating suppliers, records of that evaluation, quality agreements with critical suppliers, an approved supplier list with defined scope and re-evaluation schedules, and incoming inspection procedures tied to supplier risk.

The stakes are high. Nonconforming purchased product is a leading contributor to device failures and recalls. A supplier that ships out-of-spec components, changes manufacturing processes without notification, or fails to maintain their own QMS creates risk that propagates directly into finished devices. The regulatory framework exists to force manufacturers to manage that risk systematically, not reactively.

QMSR §820.50 and ISO 13485 §7.4: What the Standards Require

The QMSR adoption of ISO 13485 language in §820.50 means the supplier controls requirements are now more prescriptive than under the old Part 820.

§820.50 / ISO 13485 §7.4.1 — Purchasing Process: Manufacturers must establish documented procedures for evaluating and selecting suppliers. Evaluation criteria must be based on the supplier's ability to meet requirements and on their QMS capability. The type and extent of control must be proportionate to the risk associated with the purchased product. Records of evaluation and re-evaluation must be maintained.

§820.50 / ISO 13485 §7.4.2 — Purchasing Information: Purchase documents must clearly specify the requirements for the product being purchased — specifications, applicable standards, required QMS certifications, and any process approvals. These requirements must be reviewed before the purchase order is released.

§820.50 / ISO 13485 §7.4.3 — Verification of Purchased Product: Manufacturers must establish and implement inspection activities to verify that purchased product meets specified requirements. The extent of incoming inspection must be based on supplier risk and historical performance.

The critical emphasis under the QMSR alignment is risk-based tiering. Not all suppliers require the same level of control. A sole-source supplier of a critical active component requires more rigorous qualification and monitoring than a commodity supplier of packaging materials.

Building a Risk-Based Supplier Tier Structure

The most defensible supplier qualification programs are organized around a risk-based tier structure. Tier assignment drives the depth of initial qualification, the frequency of re-evaluation, and the extent of incoming inspection.

Tier 1 — Critical Suppliers: Suppliers of components, materials, or services that directly affect device safety, performance, or sterility. Includes contract manufacturers, critical component suppliers, sterilization service providers, and test laboratories. Requires full qualification audit, quality agreement, annual re-evaluation, and enhanced incoming inspection.

Tier 2 — Major Suppliers: Suppliers whose products affect device performance but not directly patient safety. Requires documented evaluation against defined criteria, periodic re-evaluation (typically every 2-3 years), and standard incoming inspection sampling.

Tier 3 — Standard Suppliers: Commodity and low-risk suppliers. Requires basic qualification documentation and standard incoming inspection or certificate of conformance review.

Tier assignments are not static. A supplier that accumulates nonconformances, changes their process without notification, or loses ISO 13485 certification should be escalated. The Approved Supplier List must reflect current tier assignments and approval status.

Quality Agreements: What Must Be Documented

Quality agreements are not optional for Tier 1 suppliers. ISO 13485 §7.4.1 explicitly requires that the type and extent of control applied to the supplier reflect the risk, and quality agreements are the primary mechanism for formalizing responsibilities between device manufacturer and critical supplier.

A complete quality agreement must address: specification control and change notification requirements; the supplier's obligation to notify the manufacturer before any change that could affect device quality; inspection rights and audit access; nonconformance and CAPA escalation thresholds; and record retention and access requirements.

Without a quality agreement, the device manufacturer has no contractual basis for enforcing any of these requirements. When a critical supplier changes a process without notification and nonconforming product ships, the absence of a quality agreement means you have no documented expectation to point to.

Approved Supplier List Requirements

The Approved Supplier List is the central reference document for the supplier controls program. A compliant ASL must contain, for each supplier: supplier name and contact information; scope of approval (what products or services the supplier is approved to provide); tier classification; approval status (active, conditional, or suspended); initial qualification date and basis; re-evaluation schedule and last re-evaluation date; and quality agreement reference for Tier 1 suppliers.

FDA investigators have cited ASLs that list suppliers without approval scope as evidence of an inadequate supplier controls program. The scope limitation is not bureaucratic — it is the mechanism that prevents a supplier from shipping an unapproved product variant and having it treated as conforming incoming material.

The ASL must be a living document that drives the re-evaluation calendar, not a static list that is updated only after something goes wrong.

Incoming Inspection: Connecting Supplier Risk to Receiving Controls

Incoming inspection is the final verification step before purchased product enters the manufacturing process. Under ISO 13485 §7.4.3, the extent of incoming inspection must reflect supplier risk tier.

For Tier 1 suppliers: Enhanced incoming inspection — certificate of conformance review plus dimensional or functional sampling using defined sampling plans (ANSI/ASQ Z1.4/Z1.9). For critical sterile components, incoming inspection may require sterility or bioburden testing.

For Tier 2 suppliers: Standard incoming inspection — certificate of conformance review and dimensional verification of critical dimensions.

For Tier 3 suppliers: Simplified incoming inspection — certificate of conformance review and visual inspection.

A compliant incoming inspection program requires documented procedures that specify, for each product keyword: the inspection type, the sampling plan, the acceptance criteria, the disposition of nonconforming material, and the records to be generated. Incoming inspection results must be recorded and tied to purchase orders and lot numbers for traceability.

Common 483 Observations and How to Avoid Them

The most frequent supplier controls 483 observations cluster around five failure modes:

1. 1No documented evaluation criteria: The qualification record exists, but there is no procedure specifying what criteria suppliers must meet. Fix: Establish written criteria before qualification.

1. 1Missing quality agreements for critical suppliers: Tier 1 suppliers without quality agreements. Fix: Inventory all Tier 1 suppliers and execute quality agreements before the next audit cycle.

1. 1ASL not maintained: Suppliers listed without approval scope, or the ASL does not reflect current status. Fix: Quarterly ASL review as a formal QMS process.

1. 1Incoming inspection not tied to risk: All suppliers receive the same incoming inspection regardless of tier. Fix: Implement tiered incoming inspection sampling plans.

1. 1No re-evaluation program: Suppliers were qualified once and never reevaluated. Fix: Add re-evaluation due dates to the ASL and establish a calendar-driven re-evaluation process.

All five of these observations are straightforward to address with documented procedures. The challenge is not complexity — it is building the infrastructure that makes these activities systematic rather than reactive.

The Supplier Controls Toolkit at supplier-controls-toolkit.vercel.app packages the six core documents — Supplier Qualification Procedure, Supplier Audit Checklist, Quality Agreement Template, Approved Supplier List Template, Supplier Performance Monitoring Dashboard, and Incoming Inspection SOP — into a single $247 download designed to close every one of these gaps.