Pillar Guide | Estimated reading time: 15 minutes | Last updated: 2026-03-22
If there is one area where I see medical device companies fail their ISO 13485 audits more consistently than any other, it is supplier controls. Not design controls. Not CAPA. Supplier controls.
The reason is almost always the same: organizations treat supplier management as a procurement function rather than a quality function. ISO 13485 is unambiguous — the standard requires that you actively control the quality of what comes into your facility, not simply trust that your vendors will deliver compliant materials and services.
This pillar guide covers everything you need to know about ISO 13485 supplier controls — from the foundational clauses to the practical tools that help you build an audit-ready program. Whether you are building your QMS from scratch or hardening an existing supplier management program, this is your reference document.
Why Supplier Controls Matter in ISO 13485
The medical device supply chain is extraordinarily complex. According to the FDA, approximately 80% of the components in a finished medical device are sourced from external suppliers. That figure alone illustrates why clause 7.4 of ISO 13485:2016 is one of the most operationally significant sections of the entire standard.
When a device fails in the field, the root cause is traced back to a supplier-related issue in a significant portion of cases. A 2023 analysis of FDA device recalls found that component and material nonconformances contributed to over 35% of Class II recall actions, many of which could be traced to inadequate supplier oversight. These are not abstract compliance failures — they are patient safety events.
ISO 13485 clause 7.4 addresses this risk through three interlocking requirements:
1. Purchasing controls (7.4.1) — ensuring you buy only from qualified suppliers
2. Purchasing information (7.4.2) — specifying exactly what you need
3. Verification of purchased product (7.4.3) — confirming what you received meets requirements
Each element reinforces the others. A gap in any one of them creates a vulnerability that auditors will find — and that regulators will cite.
ISO 13485 Clause 7.4 Explained: The Full Requirement Breakdown
Clause 7.4.1 — Purchasing Process
Clause 7.4.1 is where supplier qualification lives. The standard requires that your organization evaluate and select suppliers based on their ability to meet your requirements, including quality requirements. Critically, ISO 13485 is more prescriptive than ISO 9001: it requires a documented purchasing procedure, documented criteria for supplier selection, evaluation, and re-evaluation, and criteria that are based on the supplier's performance, the effect of the purchased product on device quality, and the risk associated with the device.
The key obligations under clause 7.4.1 are:
- Define selection criteria — You must establish criteria for how you choose suppliers before you engage them. These criteria should be risk-stratified: a supplier of a critical implantable component warrants more rigorous evaluation than a supplier of office consumables.
- Conduct and document evaluations — Evaluations must be documented. A verbal reference check or an email exchange does not constitute documented evidence of evaluation.
- Maintain an Approved Supplier List (ASL) — While the standard does not use the term "Approved Supplier List" explicitly, the requirement to maintain records of evaluations and approvals is clear. Most auditors will expect to see a formal ASL.
- Perform re-evaluations — Supplier approval is not a one-time event. You must define how often you re-evaluate suppliers and what triggers an unscheduled re-evaluation (e.g., a nonconformance, a change in their processes, or a lapse in performance).
- Address suppliers who fail to meet requirements — Clause 7.4.1 also requires that you take appropriate action when a supplier does not meet your requirements, and that you maintain records of those actions.
The risk-based approach is non-negotiable under ISO 13485:2016. Unlike earlier versions of the standard, the 2016 revision explicitly links supplier evaluation rigor to the risk the supplier poses to product quality and patient safety. A one-size-fits-all supplier qualification process will not satisfy a well-trained auditor.
Clause 7.4.2 — Purchasing Information
Once a supplier is qualified, every purchase must be governed by clear purchasing information. Clause 7.4.2 requires that purchasing documents describe the product or service to be purchased with sufficient precision to ensure what arrives at your dock matches what you intended to order.
Purchasing information must include, as applicable:
- Product specifications, drawings, or references to applicable standards
- Requirements for qualification of personnel (e.g., certified welders, trained operators of calibrated equipment)
- Requirements for the supplier's QMS (e.g., ISO 13485 certification, ISO 9001 certification, or compliance with 21 CFR Part 820)
- Requirements for documented procedures
- Records to be provided (Certificates of Conformance, test reports, material certifications)
One practical point that many organizations miss: your purchasing documents must be reviewed and approved before they are released to the supplier. This means purchase orders, specifications, and supplier agreements all need to flow through a documented approval process. A blanket purchase order raised directly by a buyer without quality review is a common nonconformance finding.
Clause 7.4.3 — Verification of Purchased Product
The third pillar of clause 7.4 requires that you verify incoming purchased products and services against your purchasing requirements before they are used or released into production.
ISO 13485 is risk-based here as well. The type and extent of incoming inspection should be proportional to the risk of the purchased item and the supplier's performance history. A supplier with three years of zero nonconformances supplying a low-risk component may warrant a reduced inspection plan. A new supplier of a sterile barrier component should face rigorous incoming inspection until performance history is established.
Where you or your customer intend to perform verification at the supplier's premises, clause 7.4.3 requires that this arrangement be specified in the purchasing documents. Clause 7.4.3 also requires that when you become aware of a change to a purchased product, you determine whether that change affects your product realization process or the finished device; this is the clause that gives your supplier change-notification requirements their teeth.
Building a Risk-Based Supplier Qualification Program
The phrase "risk-based" appears throughout ISO 13485:2016, and supplier controls are no exception. Here is the practical framework I use with clients to build a tiered qualification program.
Step 1: Classify Your Suppliers
Before you can qualify anyone, you need to classify your supply base by risk. A useful classification model has three tiers:
| Tier | Risk Level | Examples | Qualification Requirements |
|---|---|---|---|
| 1 — Critical | High | Sterile components, implantable materials, contract manufacturers, sterilization service providers | Full audit, QMS certification review, product testing, on-site evaluation, Quality Agreement |
| 2 — Major | Medium | Non-sterile components with design specifications, calibration services, test labs | Questionnaire, documentation review, QMS certificate verification, Quality Agreement |
| 3 — Standard | Low | Off-the-shelf consumables, non-product-contact materials, general services | Supplier self-assessment or certificate of conformance only |
This tiered model satisfies the risk-based requirement of ISO 13485:2016 while keeping your qualification effort proportional to actual risk. Auditors respond well to a documented rationale that explains why a given supplier was assigned to a given tier.
Step 2: Define Qualification Activities by Tier
Qualification activities should be defined in your purchasing procedure. For Tier 1 suppliers, this typically includes:
- Supplier audit — either on-site or remote (increasingly accepted post-COVID, provided the scope is documented)
- QMS certificate verification — confirm the certificate is current, covers the relevant scope and site, and is issued by an accredited certification body
- Quality Agreement — a binding document that specifies the supplier's quality obligations, change notification requirements, and record retention commitments
- First Article Inspection (FAI) — evaluation of initial production samples against full specification
- Product testing — independent verification of material properties, dimensions, sterility, or biocompatibility as applicable
Step 3: Formalize the Approved Supplier List
Your ASL is a living document. It should capture:
- Supplier name and contact details
- Approved site(s) and scope of approval
- Tier classification
- Date of initial approval
- Next scheduled re-evaluation date
- Current approval status (Approved / Conditional / Suspended / Disqualified)
Keep your ASL version-controlled and under document control. Auditors will ask to see it, and they will cross-reference it against your purchasing records to confirm you are only buying from approved sources.
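The cross-check auditors perform by hand (every PO against the ASL) is easy to automate as a release gate in the purchasing system. The following is an added example, not part of the original article and not a product of Certify Consulting; it assumes the ASL fields listed above plus two dates (Quality Agreement expiry and QMS certificate expiry), and the supplier names, part numbers and dates are constructed sample data. A PO is released only if the supplier is on the ASL in an acceptable status, the site and part are within the approved scope, the scheduled re-evaluation is not overdue, the tier-specific records (Quality Agreement for Tier 1 and 2, QMS certificate for Tier 1) are current, and the purchasing information was reviewed before release, as clause 7.4.2 requires.

```python
"""ASL release gate: list the reasons a purchase order must be blocked.

Added example. The ASL fields mirror the list in the article; the
supplier entries below are constructed sample data, not real suppliers.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class AslEntry:
    name: str
    tier: int                          # 1 = Critical, 2 = Major, 3 = Standard
    status: str                        # Approved / Conditional / Suspended / Disqualified
    sites: frozenset                   # approved supplier sites
    scope: frozenset                   # approved part numbers or service codes
    next_reeval: date                  # next scheduled re-evaluation
    qa_expires: Optional[date]         # Quality Agreement expiry; None = none on file
    qms_cert_expires: Optional[date]   # ISO 13485 certificate expiry; None = none on file


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    supplier: str
    site: str
    part: str
    quality_reviewed: bool             # 7.4.2: adequacy confirmed before release


def check_po(po: PurchaseOrder, asl: dict, today: date) -> list:
    """Return the blocking findings for a PO; an empty list means it may be released."""
    findings = []
    entry = asl.get(po.supplier)
    if entry is None:
        # Unknown supplier: nothing else is worth checking.
        return [f"{po.supplier}: not on the Approved Supplier List"]
    if entry.status in ("Suspended", "Disqualified"):
        findings.append(f"{entry.name}: status is {entry.status}")
    if po.site not in entry.sites:
        findings.append(f"{entry.name}: site {po.site} is not an approved site")
    if po.part not in entry.scope:
        findings.append(f"{entry.name}: {po.part} is outside the approved scope")
    if today > entry.next_reeval:
        findings.append(f"{entry.name}: re-evaluation overdue since {entry.next_reeval}")
    if entry.tier in (1, 2) and (entry.qa_expires is None or entry.qa_expires < today):
        findings.append(f"{entry.name}: Tier {entry.tier} supplier without a current Quality Agreement")
    if entry.tier == 1 and (entry.qms_cert_expires is None or entry.qms_cert_expires < today):
        findings.append(f"{entry.name}: Tier 1 supplier without a current QMS certificate")
    if not po.quality_reviewed:
        findings.append(f"{po.po_number}: purchasing information not reviewed before release")
    return findings


def can_release(po: PurchaseOrder, asl: dict, today: date) -> bool:
    return not check_po(po, asl, today)


# Constructed sample ASL (not real suppliers).
SAMPLE_ASL = {
    "Sterile Pack Co": AslEntry("Sterile Pack Co", 1, "Approved",
                                frozenset({"Plant A"}), frozenset({"SB-100"}),
                                date(2026, 9, 1), date(2027, 1, 31), date(2026, 12, 31)),
    "Metalworks Ltd": AslEntry("Metalworks Ltd", 2, "Conditional",
                               frozenset({"Site 1", "Site 2"}), frozenset({"BR-7", "BR-8"}),
                               date(2025, 12, 1), None, date(2026, 6, 30)),
    "Office Supply": AslEntry("Office Supply", 3, "Approved",
                              frozenset({"Main"}), frozenset({"GLOVES"}),
                              date(2027, 1, 1), None, None),
}

TODAY = date(2026, 3, 22)

if __name__ == "__main__":
    po = PurchaseOrder("PO-1001", "Metalworks Ltd", "Site 3", "BR-7", True)
    for finding in check_po(po, SAMPLE_ASL, TODAY):
        print("BLOCK:", finding)
```

Wire `can_release` in front of PO release rather than as an after-the-fact report: a PO that is blocked and logged is evidence of control, while a report of POs already sent to a lapsed supplier is evidence for the auditor's finding. A Conditional supplier is deliberately allowed through here so that an approved remediation plan does not stop production; whether your procedure should also require a quality sign-off on each Conditional PO is a policy decision to document in the SOP.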
Supplier Monitoring: Keeping Approved Suppliers Approved
Qualification gets a supplier onto your ASL. Monitoring is what keeps them there — or doesn't.
Ongoing supplier monitoring is one of the most commonly under-resourced elements of an ISO 13485 QMS. Many organizations invest heavily in initial qualification and then do almost nothing until it is time for an annual re-evaluation. That approach creates blind spots that can translate into field failures.
Key Monitoring Activities
1. Supplier Performance Metrics (KPIs)
Define measurable KPIs for each supplier and review them on a defined frequency. Common metrics include:
- On-time delivery rate
- Incoming inspection rejection rate
- Nonconformance rate (supplier-caused NCRs)
- CAPA response timeliness
- Certificate of Conformance accuracy
Review these metrics in your Management Review (required under ISO 13485 clause 5.6) and use them to drive re-evaluation decisions.
2. Nonconformance Management
When a supplier-caused nonconformance occurs, you must issue a Supplier Corrective Action Request (SCAR). Your procedure should define:
- Trigger criteria for issuing a SCAR
- Required response time (typically 30 days for root cause, 60 days for full CAPA)
- Escalation path if the supplier does not respond or the CAPA is ineffective
- Criteria for escalating from a SCAR to a re-evaluation or disqualification event
3. Periodic Re-evaluations
Re-evaluation frequency should be risk-tiered. A common approach:
- Tier 1 suppliers: Annual re-evaluation
- Tier 2 suppliers: Biennial re-evaluation
- Tier 3 suppliers: Re-evaluate upon a trigger event (e.g., new NCR, expiring certificate)
Document the re-evaluation outcome and update the ASL accordingly. A re-evaluation that results in no changes is still a record that must exist.
4. Change Notification
Your Quality Agreements with Tier 1 and Tier 2 suppliers should require them to notify you of any changes to their processes, materials, or facilities that could affect product quality. This is not an optional "nice to have" — undisclosed supplier changes have been the root cause of numerous device recalls.
Quality Agreements: The Contractual Foundation of Supplier Control
A Quality Agreement (sometimes called a Quality Technical Agreement or Supplier Quality Agreement) is a binding contract between you and your supplier that defines quality-related obligations not typically captured in a purchase order or commercial contract.
ISO 13485:2016 does not mandate Quality Agreements by name, but they are widely considered best practice and are increasingly expected by Notified Bodies and FDA investigators. Regulators in the EU, Canada, and Australia have explicitly referenced Quality Agreements in guidance documents relating to outsourced processes under ISO 13485 clause 4.1.
A complete Quality Agreement for a critical supplier should address:
- Scope of agreement and applicable products/services
- Supplier's quality system requirements (e.g., ISO 13485 certification)
- Product specifications and acceptance criteria
- Incoming inspection and release responsibilities
- Change control and change notification obligations
- CAPA and SCAR response requirements
- Record retention requirements
- Right-of-access for audits and inspections
- Regulatory notification obligations (e.g., if the supplier is subject to FDA inspection)
Draft Quality Agreements with your legal and quality teams, and ensure they are reviewed and re-executed when there is a material change in scope or when the supplier undergoes significant organizational changes (e.g., acquisition, site relocation).
Outsourced Processes: Clause 4.1 and Its Intersection with Clause 7.4
Many organizations miss the interplay between clause 4.1 (General requirements) and clause 7.4. Clause 4.1 of ISO 13485:2016 requires that where an organization outsources any process that affects product conformity, it must ensure control over those outsourced processes. That control must be documented in the QMS.
The practical implication: if you outsource sterilization, contract manufacturing, design activities, or testing, those are not merely purchasing activities — they are outsourced QMS processes. They require:
- A documented procedure describing how the outsourced process is controlled
- A Quality Agreement (or equivalent contractual mechanism)
- Evidence that you have assessed and verified the supplier's competency to perform the outsourced process
- Integration into your overall QMS, including CAPA, change control, and Management Review
Auditors regularly cite organizations for treating contract manufacturers or sterilization providers as "just another supplier" when the extent of outsourcing warrants a much more rigorous controls approach.
Common Audit Findings in Supplier Controls — and How to Prevent Them
Based on my experience supporting 200+ clients across medical device manufacturing and service organizations, the following are the most frequently cited nonconformances in supplier controls audits:
| Finding | Root Cause | Prevention |
|---|---|---|
| Purchasing from unapproved suppliers | ASL not enforced in purchasing system | System control: block POs to non-ASL suppliers |
| Supplier evaluations not documented | Evaluations done informally | Template-driven evaluation forms, stored in QMS |
| No re-evaluation records | Re-evaluations scheduled but not executed | Calendar-driven reminders in QMS; tie to Management Review |
| Quality Agreements missing or expired | Treated as one-time setup task | Annual review cycle; track in contract management system |
| SCAR process not followed | No clear SCAR triggers defined | Written procedure with defined trigger criteria and responsibilities |
| Incoming inspection not risk-based | Flat inspection rate for all suppliers | Tiered inspection plans documented in receiving procedure |
| Change notifications not received | Not required in supplier agreement | Mandatory change notification clause in all Tier 1/2 agreements |
Regulatory Alignment: ISO 13485 vs. FDA 21 CFR Part 820
For organizations selling into the US market, understanding how ISO 13485 clause 7.4 aligns with FDA's Part 820 is essential. FDA's Quality Management System Regulation (QMSR), published in 2024 and effective 2 February 2026, rewrote 21 CFR Part 820 to incorporate ISO 13485:2016 by reference (21 CFR 820.10) instead of restating the requirements as the older Quality System Regulation (QSR) did. The familiar QSR section numbers therefore no longer exist in Part 820, but you will still meet them in older 483s, warning letters, and supplier audit reports, so the mapping is worth keeping:
| Requirement | ISO 13485:2016 (now incorporated by the QMSR) | Former QSR section (superseded 2026) |
|---|---|---|
| Supplier evaluation | Clause 7.4.1 | §820.50(a) |
| Purchasing documents | Clause 7.4.2 | §820.50(b) |
| Incoming verification | Clause 7.4.3 | §820.80(b) |
| Outsourced processes | Clause 4.1 | §820.50 (broadly) |
| Quality Agreements | Implied via 4.1 | Referenced in FDA guidance |
Because the QMSR incorporates ISO 13485 by reference, a robust ISO 13485-compliant supplier control program will, in most cases, also satisfy FDA expectations. Two caveats remain. First, record retention follows ISO 13485 clause 4.2.5: at least the lifetime of the device as you define it, and never less than two years from device release, unless a regulation specifies longer. Second, FDA investigators continue to apply the long-standing expectations captured in GHTF/SG3/N17 (guidance on control of products and services obtained from suppliers): documented procedures, evaluation records proportionate to risk, and markedly tighter control of suppliers who produce finished devices on your behalf.
Building Your Supplier Controls SOP: What to Include
Your Purchasing and Supplier Controls procedure is the backbone of clause 7.4 compliance. At minimum, it should cover:
- Scope — which purchases and suppliers are covered
- Supplier classification criteria — the risk-based tiering logic
- Qualification activities by tier — what is required before a supplier can be approved
- ASL management — how the list is maintained, updated, and communicated
- Purchasing document requirements — what must appear on every PO or specification
- Incoming inspection — the risk-based inspection plan framework
- Supplier performance monitoring — KPIs, review frequency, and escalation
- SCAR process — triggers, response expectations, and escalation
- Re-evaluation process — frequency, criteria, and documentation
- Outsourced process controls — how clause 4.1 is implemented
Keep the SOP concise and actionable. A 40-page purchasing procedure that nobody reads is worse than a 10-page procedure that is consistently followed.
Practical Checklist: Are Your Supplier Controls Audit-Ready?
Use this checklist before your next ISO 13485 surveillance audit or Notified Body assessment:
- [ ] All active suppliers appear on a current, version-controlled ASL
- [ ] Each supplier on the ASL has a documented evaluation record with defined criteria
- [ ] Risk-based tier classification is documented and rationale is on file
- [ ] Tier 1 and Tier 2 suppliers have current, signed Quality Agreements
- [ ] Quality Agreements include change notification obligations
- [ ] Purchasing documents include product specifications, QMS requirements, and required records
- [ ] Purchasing documents are reviewed and approved before release
- [ ] Incoming inspection plans are risk-based and documented
- [ ] Supplier KPIs are reviewed at defined intervals and at Management Review
- [ ] SCAR process is defined with clear triggers and response expectations
- [ ] Re-evaluation records exist for all suppliers due for periodic re-evaluation
- [ ] Outsourced processes are identified and controlled per clause 4.1
- [ ] All supplier qualification and monitoring records are retained per your record retention policy
If you have gaps against this checklist, prioritize them by risk tier. Address Tier 1 supplier gaps first — that is where auditors will focus their attention.
Final Thoughts: Supplier Controls as a Competitive Advantage
I have worked with organizations that view supplier controls as a compliance burden and those that view them as a competitive advantage. The latter category consistently performs better — not just in audits, but in product quality metrics, recall rates, and customer satisfaction scores.
A mature ISO 13485 supplier control program is one of the most direct levers a medical device organization has to protect patient safety and reduce quality costs. Every dollar invested in upstream supplier qualification and monitoring is worth multiples in avoided incoming inspection failures, production downtime, and field actions.
At Certify Consulting, we have helped more than 200 medical device manufacturers build supplier control programs that hold up under the scrutiny of FDA inspections, Notified Body assessments, and customer audits — with a 100% first-time audit pass rate across our client portfolio.
If your supplier control program has gaps, the time to address them is before your next audit — not during it.
For related guidance on building your overall QMS infrastructure, see our ISO 13485 implementation guide and our deep dive on ISO 13485 purchasing controls and approved supplier lists.
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.