MDR supplier control is the set of documented QMS processes a manufacturer uses to ensure that components, materials, and services obtained from suppliers meet specified requirements. The legal obligation sits in MDR Article 10(9), which explicitly lists "selection and control of suppliers and sub-contractors" as a required QMS aspect. EN ISO 13485:2016+A11:2021 clause 7.4 operationalises that obligation through three sub-clauses: 7.4.1 purchasing process, 7.4.2 purchasing information, and 7.4.3 verification of purchased product. Startups that treat clause 7.4 as a single unified process, scaled to the risk of each supplier rather than applied uniformly, pass audits. Those that apply a generic template to every supplier produce the bulk of supplier-related non-conformities.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.


TL;DR

  • Supplier control is the process area where a significant share of MDR audit findings surface, because suppliers touch every other QMS process and are the easiest place for reality to diverge from paperwork.
  • The legal anchor is MDR Article 10(9): the QMS must cover "resource management, including selection and control of suppliers and sub-contractors." The standard that provides presumption of conformity is EN ISO 13485:2016+A11:2021, clause 7.4.
  • Clause 7.4 breaks into three parts: 7.4.1 the purchasing process (criteria, selection, evaluation, re-evaluation, records), 7.4.2 purchasing information (specifications communicated to the supplier), and 7.4.3 verification of purchased product (how you confirm what you got is what you ordered).
  • The proportionality principle applies: a critical supplier (one whose failure would harm device safety or performance) is controlled more deeply than a non-critical one. A uniform control regime across all suppliers is both wasteful and non-compliant.
  • Outsourced processes that affect product conformity are not "purchased services." They are processes the manufacturer still owns under Article 10 and clause 4.1.5 of EN ISO 13485:2016+A11:2021.
  • MDR Annex I Section 10 on materials makes supplier control a patient-safety question for any device with a material-related risk, not a paperwork question.

Why supplier control is where audits surface findings

Walk into any Notified Body audit and watch where the auditor spends time. Management review gets a polite twenty minutes. Document control gets a quick sampling. Supplier control gets hours.

The reason is structural. Supplier control is the seam between your QMS and everyone else's QMS. Or, in the startup case, between your QMS and suppliers who often do not have one at all. It is where the processes you control meet the processes you do not, and the documentation that travels across that boundary is the only thing standing between your device and a supplier decision you never heard about. A resin batch change. A sterilisation sub-contractor swap. A firmware update in a sensor module. None of these show up in your engineering team's sprint board. All of them can invalidate your technical documentation.

The other reason is that supplier control is the easiest place for theatre to replace substance. A template supplier questionnaire filled out three years ago and never revisited. A "supplier approval" process that is actually a purchase order. A supplier file that contains no evaluation and no re-evaluation. Every auditor has seen hundreds of these. They know exactly where to look.

A lean startup QMS does not solve this by adding more forms. It solves it by treating clause 7.4 as an honest process that scales with supplier criticality. And by knowing which suppliers actually matter.

Clause 7.4 requirements, in plain language

EN ISO 13485:2016+A11:2021 clause 7.4 has three sub-clauses. A startup QMS has to address all three, but the depth of each one scales with the risk the supplier presents to the finished device.

Clause 7.4.1, the purchasing process, requires the manufacturer to document procedures to ensure that purchased product conforms to specified purchasing information. This includes criteria for evaluating and selecting suppliers, evaluation and selection based on the supplier's ability to provide product meeting requirements, the performance of the supplier, the effect of the purchased product on the quality of the medical device, and the risk associated with the medical device. The standard also requires planning of monitoring and re-evaluation, proportionate to the risk, and records of the results of the evaluation, selection, monitoring, and re-evaluation.

Clause 7.4.2, purchasing information, requires that the information given to the supplier describes the product to be purchased, including where appropriate product specifications, product acceptance requirements, qualification requirements for supplier personnel, and QMS requirements. The manufacturer must ensure the adequacy of purchasing information before communicating it to the supplier, and must maintain relevant purchasing information.

Clause 7.4.3, verification of purchased product, requires the manufacturer to establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchasing requirements. The extent of verification activities is based on the supplier evaluation results and proportionate to the risk associated with the purchased product.

Read those three sub-clauses together and a picture emerges. The standard does not tell you to have big binders. It tells you to know what you are buying, from whom, with what criteria, under what specification, and how you confirm you got what you asked for. That is the whole clause.

Supplier qualification. The startup-scale version

Supplier qualification is the 7.4.1 activity that produces the most startup confusion. The instinct is to build a single qualification template and run every supplier through it. That instinct produces either wasted effort on non-critical suppliers or inadequate scrutiny of critical ones, usually both at once.

The lean version starts with a classification decision for each supplier. Does this supplier affect the quality of the finished device? If yes, how directly? A sterilisation service that touches the finished product directly affects device quality. A contract manufacturer producing a regulated sub-assembly directly affects device quality. A sensor vendor whose component is integrated without further modification directly affects device quality. A software library vendor whose code runs inside the medical device software directly affects device quality. These are critical suppliers.

A critical supplier qualification includes, at minimum: confirmation of the supplier's QMS status (ISO 13485 certification, ISO 9001 certification, or a supplier audit by the manufacturer where neither certification exists), documentation of the supplier's capability to meet the specification, a signed quality agreement covering change notification, non-conformity reporting, and record retention, and a technical evaluation of a sample or initial lot before approving the supplier for production use.

A non-critical supplier (the office supplies vendor, the generic stationery supplier, the cleaning service for non-controlled areas) gets a lightweight evaluation that records the selection decision and proportionate monitoring. Both are documented. Neither is theatre.

The failure mode Tibor sees most often is the missing quality agreement. A startup integrates a sensor module into a Class IIa device. The sensor vendor is a large industrial company that has never heard of MDR. No quality agreement exists. A year later, the vendor changes the sensor's firmware without notification because in their world, minor firmware updates do not require customer notification. In the medical device world, that change potentially invalidates the validation evidence and triggers a design change assessment. The manufacturer finds out at the next audit, or worse, after a field event. The fix, a written quality agreement negotiated before first purchase, is cheap. Negotiating it after the fact, under audit pressure, is not.

Purchasing information. The specification discipline

Clause 7.4.2 is the clause that turns vague intent into enforceable requirements. "We need sensors" is not purchasing information. A purchase specification that names the part number, the revision, the acceptance criteria, the applicable standards, the required documentation (certificates of analysis, certificates of conformance, material declarations), and the required change notification clauses is purchasing information.

The proportionality principle applies here too. A critical component specification is detailed, technically precise, and reviewed before every purchase order or at every specification change. A non-critical item's specification can be a single line in the purchase order. What matters is that the information actually communicated to the supplier is adequate for them to deliver the right thing, and that the specification is retrievable for audit.

The startup failure mode in 7.4.2 is informal specification. Engineers email the supplier with a question, the supplier replies with a suggestion, the engineer orders based on the email thread, and no formal purchase specification ever exists. The component works. The audit asks for the purchase specification. The email thread is not a controlled document. A non-conformity is raised. The fix is procedural discipline: every purchase that affects device quality flows through a controlled specification, even if the specification is a one-page document that references the supplier's datasheet.

Verification of purchased product. What 7.4.3 actually means

Clause 7.4.3 is the clause startups most often under-implement. Verification of purchased product does not mean re-testing every incoming item. It means the manufacturer has determined, based on supplier evaluation and risk, what level of verification is appropriate, and then actually performs that verification.

For a critical component from a highly qualified supplier with a strong track record and detailed certificates of conformance, verification might be a documented review of the certificate and a visual inspection on receipt. For the same component from a less-qualified supplier, verification might include incoming sample testing. For a component used in a life-supporting device, verification might be 100% functional testing on receipt. The standard does not prescribe the level. It requires the manufacturer to decide, document the decision, and execute it consistently.

The receiving inspection records are the evidence that 7.4.3 is running. An audit will ask to see them. A QMS that has a beautifully written receiving inspection procedure and no records from the last six months has a live 7.4.3 finding.

Critical versus non-critical suppliers

The single most important supplier control decision a startup makes is the critical-versus-non-critical classification. Getting this right is what allows the QMS to apply clause 7.4 proportionately.

A supplier is critical when their product or service affects the safety or performance of the finished medical device. This includes, non-exhaustively: contract manufacturers, sterilisation providers, calibration laboratories whose measurements are used in product release decisions, component vendors whose parts are integrated into the device, software component or library vendors whose code runs in the medical device software, packaging suppliers where packaging performs a protective function (for example, sterile barrier packaging), and test laboratories whose results feed design verification or validation.

A supplier is non-critical when their product or service does not affect device safety or performance. Office supplies, non-controlled cleaning services, general business services, and generic IT services that do not host regulated data typically fall here.

The grey zone is where startups get into trouble. A cloud hosting provider that hosts the back-end of a Software as a Medical Device product is critical. The same provider hosting your marketing website is not. The same provider hosting regulated data used in clinical evaluation is somewhere in between and probably closer to critical. The classification is a judgment call that should be documented, defensible, and revisited when the role of the supplier changes.

Deep dive on contract manufacturers as critical suppliers: see post 301. Deep dive on outsourced sterilisation: see post 302. Deep dive on supplier audits under MDR: see post 326.

Outsourced processes. The trap under clause 4.1.5

Outsourced processes that affect product conformity are not the same as purchased product. EN ISO 13485:2016+A11:2021 clause 4.1.5 requires that when the manufacturer chooses to outsource any process that affects product conformity, the manufacturer must monitor and ensure control over such processes. The manufacturer retains responsibility for the outsourced process under the standard. The MDR reinforces this: Article 10 places the obligations on the manufacturer, and those obligations do not transfer to a sub-contractor by virtue of a purchase order.

In practice this means that if you outsource sterilisation, the sterilisation validation is your validation, the sterilisation records are part of your technical documentation, and the quality agreement with the sterilisation provider has to give you the access and change-notification rights you need to meet your own obligations. If you outsource software development for a regulated module, the development records are part of your design history, and the quality agreement has to cover the IEC 62304 lifecycle requirements. You cannot buy your way out of the obligation. You can only buy the execution.

The startup trap is treating outsourced processes like procurement. "We hired a firm to do it, so it is their problem." It is not. It remains the manufacturer's obligation, and the Notified Body will audit the manufacturer's control of the outsourced process, not just the contract.

Common mistakes startups make

  • Running every supplier through the same qualification template, producing either wasted effort on non-critical suppliers or inadequate scrutiny of critical ones.
  • Treating a purchase order as a supplier approval. The purchase order is a transaction. The supplier approval is a documented evaluation, and it has to exist before the first purchase order for a critical supplier.
  • Missing quality agreements with critical suppliers, especially non-MedTech suppliers who do not know to expect one.
  • Informal purchase specifications in email threads rather than controlled documents.
  • Receiving inspection procedures that exist on paper with no corresponding records.
  • Failing to re-evaluate suppliers on a planned schedule. Initial qualification is a moment in time. Clause 7.4.1 requires monitoring and re-evaluation.
  • Treating outsourced processes as purchased services, ignoring clause 4.1.5 and Article 10.
  • Missing the MDR Annex I Section 10 link: for devices with material-related risks, the supplier-delivered material specifications feed directly into the GSPR evidence on substances, biocompatibility, and material characteristics.

The Subtract to Ship approach to supplier control

The Subtract to Ship discipline (post 065) applied to supplier control produces a specific playbook. Start with an honest supplier list. Every supplier the company actually uses, including the ones nobody wrote down. Classify each one as critical or non-critical against the definition above, and write the reasoning for each. The resulting list is usually much shorter on the critical side than founders expect.

Then apply clause 7.4 proportionately. For each critical supplier: a one-page qualification record referencing the supplier's QMS certification or the audit that replaced it, a signed quality agreement with change notification and record retention terms, a controlled purchase specification, and a receiving inspection rule appropriate to the risk. For each non-critical supplier: a lightweight evaluation record and a note on monitoring frequency. No templates applied uniformly. No theatre. No gaps.

The test at the end is the same test every Subtract to Ship pass ends with. For every supplier control document, point to the MDR article or the clause of EN ISO 13485:2016+A11:2021 it satisfies. If it does not map to an obligation, cut it. If an obligation has nothing mapped to it, add the minimum that satisfies it. The resulting supplier control system is smaller than most startups expect and stronger than most auditors see.

Reality Check. Where do you stand?

  1. Can you produce, in one sitting, a complete list of your critical suppliers with a written justification for why each is critical?
  2. For each critical supplier, do you have a signed quality agreement covering change notification, non-conformity reporting, and record retention?
  3. For each critical supplier, do you have a documented qualification record that pre-dates your first purchase order?
  4. Do your purchase specifications exist as controlled documents, or do they live in email threads?
  5. Can you produce receiving inspection records for the last three months, and do they match the procedure?
  6. Have you re-evaluated each critical supplier within the interval your procedure specifies?
  7. For any outsourced process that affects product conformity, can you show how you monitor and control it under clause 4.1.5, not just the contract?
  8. For devices with material-related risks, can you trace the MDR Annex I Section 10 evidence back to supplier-delivered material specifications and certificates?

If any question produced a "not yet," that is where the supplier control work is.

Frequently Asked Questions

Is EN ISO 13485:2016+A11:2021 clause 7.4 legally binding for medical device manufacturers? The legal obligation is MDR Article 10(9), which requires the QMS to cover selection and control of suppliers and sub-contractors. EN ISO 13485:2016+A11:2021 is the harmonised standard that gives presumption of conformity with that obligation. A manufacturer who conforms to clause 7.4 of the standard is presumed to meet the corresponding MDR requirements. Clause 7.4 itself is the tool; Article 10(9) is the law.

Do I need a quality agreement with every supplier? No. A quality agreement is expected for critical suppliers, those whose product or service affects device safety or performance. For non-critical suppliers, the standard purchase terms are usually sufficient. The distinction has to be documented in the supplier classification, and the quality agreement scope has to match the supplier's actual impact on the device.

What if my critical supplier refuses to sign a quality agreement? Then the supplier cannot be used for that application, or the manufacturer must take on the risk and the compensating controls. This is a common startup problem with large industrial suppliers who do not serve the MedTech market. Sometimes the answer is a different supplier. Sometimes the answer is additional incoming inspection and change detection on the manufacturer's side. The decision has to be documented and defensible.

Does supplier control apply to open-source software components? Yes, when the open-source component is integrated into the medical device software. Clause 7.4 and the IEC 62304 SOUP (software of unknown provenance) requirements apply. The manufacturer cannot sign a quality agreement with an open-source project, so the compensating controls are a documented SOUP evaluation, version pinning, vulnerability monitoring, and integration testing. See post 779 on SOUP and open-source software in medical devices for the full treatment.
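The compensating controls named in the two answers above (change detection on the manufacturer's side for a supplier that will not sign a quality agreement, and version pinning for a SOUP component) can be made concrete as a receiving-inspection check. The following is an added example, not code from the post or its authors: a clause 7.4.3 verification that compares a delivered software or firmware artefact against the controlled purchase specification and produces the inspection record an auditor would ask for. The part number, version, image bytes and the non-critical re-evaluation interval are constructed assumptions.

```python
"""Receiving inspection for a software or firmware component (added example).

Applies the clause 7.4.3 idea of verification proportionate to risk to a pinned
SOUP component or a sensor module whose vendor does not notify changes. Part
numbers, versions and the image bytes below are constructed for the example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ControlledSpec:
    """The controlled purchase specification (clause 7.4.2) for one component."""
    part: str
    pinned_version: str
    sha256: str       # digest of the artefact qualified during supplier evaluation
    critical: bool    # drives verification depth and the re-evaluation interval


@dataclass(frozen=True)
class ReceivedItem:
    part: str
    declared_version: str  # version on the delivery note or release manifest
    artefact: bytes        # the delivered image or package


@dataclass
class InspectionRecord:
    """The evidence that 7.4.3 actually ran; one record per receipt."""
    part: str
    accepted: bool
    findings: list[str]


def verify_received(spec: ControlledSpec, item: ReceivedItem) -> InspectionRecord:
    """Compare the delivery against the qualified baseline and record the outcome."""
    findings: list[str] = []
    if item.part != spec.part:
        findings.append(f"part mismatch: ordered {spec.part}, received {item.part}")
    if item.declared_version != spec.pinned_version:
        findings.append(f"version drift: pinned {spec.pinned_version}, "
                        f"received {item.declared_version}")
    # The hash catches an unannounced change even when the version label is unchanged.
    if hashlib.sha256(item.artefact).hexdigest() != spec.sha256:
        findings.append("artefact hash differs from qualified baseline; "
                        "treat as a design change input")
    return InspectionRecord(spec.part, accepted=not findings, findings=findings)


def reevaluation_due(last_evaluated: date, critical: bool, today: date) -> bool:
    """Planned re-evaluation (7.4.1): annual for critical suppliers as the post
    describes; the two-year interval for non-critical suppliers is an assumed value."""
    interval = timedelta(days=365) if critical else timedelta(days=730)
    return today - last_evaluated >= interval


# Constructed sample: the image qualified at initial supplier evaluation.
QUALIFIED_IMAGE = b"SENSOR-MOD-01 firmware 1.2.0 (constructed sample image)"
SENSOR_SPEC = ControlledSpec(
    part="SENSOR-MOD-01",
    pinned_version="1.2.0",
    sha256=hashlib.sha256(QUALIFIED_IMAGE).hexdigest(),
    critical=True,
)

if __name__ == "__main__":
    # A silent firmware change: same version label, different bytes.
    changed = ReceivedItem("SENSOR-MOD-01", "1.2.0", QUALIFIED_IMAGE + b"\x00patched")
    print(verify_received(SENSOR_SPEC, changed))
```

The record's findings list is what goes into the non-conformity or design change assessment; an empty list with `accepted=True` is the receiving inspection record the post says auditors will ask to see.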

How often do I need to re-evaluate suppliers? The standard requires planned re-evaluation proportionate to the risk. In practice, critical suppliers are typically re-evaluated annually, non-critical suppliers less frequently. The interval has to be documented in the procedure and actually followed. Missing re-evaluations is one of the most common clause 7.4.1 findings.

Does clause 7.4 apply to distributors and importers? Distributors and importers have their own MDR obligations under Articles 13 and 14. From the manufacturer's perspective, a distributor or importer is not a supplier of product. They are downstream economic operators. Clause 7.4 applies to suppliers of components, materials, and services that feed into the manufacturer's own product realisation, not to the parties who take the finished device to market.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers, including paragraph 9 on the quality management system and the explicit requirement to cover selection and control of suppliers and sub-contractors), Annex I Section 10 (chemical, physical, and biological properties, including substances and materials). Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016+A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes. Clause 4.1.5 (control of outsourced processes), clause 7.4 (purchasing), clause 7.4.1 (purchasing process), clause 7.4.2 (purchasing information), clause 7.4.3 (verification of purchased product). The harmonised standard providing presumption of conformity with MDR Article 10(9).

This post is part of the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. The MDR is the North Star. EN ISO 13485:2016+A11:2021 is the tool. Supplier control is where the two meet the real world, and where a lean, honest QMS shows its worth.