Quality Services
Under 21 CFR 820.50, manufacturers are responsible for ensuring that purchased products and services conform to specified requirements. A supplier quality program that only screens new suppliers without monitoring ongoing performance is half a program — and an incomplete one from FDA's perspective.
Build Your Supplier ProgramSupplier Controls
Under 21 CFR 820.50, manufacturers must establish and maintain procedures for evaluating and selecting potential suppliers, contractors, and consultants based on their ability to meet specified requirements. The type and extent of controls applied must be commensurate with the effect of the product or service on the quality of the finished device. ISO 13485:2016 Clause 7.4 has similar requirements and additionally requires that manufacturers communicate to suppliers the requirements for products and services being purchased, including requirements for quality management systems, and that evaluation, selection, monitoring performance, and re-evaluation procedures be documented.
The most common supplier quality finding in FDA inspections is the absence of documented supplier qualification for critical suppliers — suppliers of components or services that directly affect device safety or performance. A supplier that provides a critical component without documented qualification evidence in the quality system represents a 21 CFR 820.50 violation regardless of how long the company has been using that supplier or how reliable the supplier's performance has been.
Not every supplier requires the same level of quality oversight. A supplier classification system allocates quality control effort proportionally to the impact of each supplier's output on finished device quality and safety. Critical suppliers — those whose components, materials, or services directly affect device safety, effectiveness, or regulatory compliance — require documented qualification, approved quality agreements, ongoing performance monitoring, and periodic re-qualification. Non-critical suppliers may require only basic vendor qualification documentation without on-site audits or ongoing monitoring programs.
Classification criteria should be documented in the supplier quality procedure and consistently applied. The classification matrix typically considers: the component's role in device function, the criticality of the supplied service (sterilization, contract manufacturing, testing labs), the supplier's regulatory status, and the availability of alternative suppliers. A single-source supplier of a critical component warrants higher oversight intensity regardless of its historical performance record — supply chain risk is a quality risk.
Supplier audits are the highest-intensity oversight mechanism in a supplier quality program. On-site supplier audits evaluate the supplier's quality system and manufacturing processes directly, producing evidence of supplier capability that can be documented in the qualification record. For critical suppliers — particularly contract sterilizers, contract manufacturers, and testing laboratories — initial qualification audits are best practice regardless of whether the supplier holds ISO 13485 certification or similar quality certifications.
ISO 13485 certification at a supplier is evidence of quality system capability, not evidence of compliance with your specific requirements. A contract manufacturer with ISO 13485 certification may have a non-compliant process for your specific component if that process has not been audited against your specifications. We conduct supplier audits scoped to the specific quality requirements of each supplier relationship, not against a generic checklist.
Get Started
Your device is only as good as the components and services that go into it. We build supplier quality programs that apply the right controls to the right suppliers — and that satisfy FDA's expectations for 21 CFR 820.50 compliance.