---
title: Supplier Qualification Under MDR: How ISO 13485 Structures the Evaluation Process
description: EN ISO 13485 clause 7.4.1 requires supplier qualification proportionate to product impact. Here is the startup-scale qualification process.
authors: Tibor Zechmeister, Felix Lenhard
category: Quality Management Under MDR
primary_keyword: supplier qualification MDR ISO 13485
canonical_url: https://zechmeister-solutions.com/en/blog/supplier-qualification-mdr-iso-13485
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# Supplier Qualification Under MDR: How ISO 13485 Structures the Evaluation Process

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **Supplier qualification under MDR is the documented process a manufacturer uses to decide whether a given supplier is capable of consistently delivering a product or service that meets specified requirements, before that supplier is used for production. The legal anchor is MDR Article 10(9), which requires the QMS to cover selection and control of suppliers and sub-contractors. EN ISO 13485:2016+A11:2021 clause 7.4.1 operationalises that obligation: criteria for evaluation and selection, evaluation based on the supplier's ability to meet requirements, consideration of the supplier's performance and the effect on the finished device, monitoring and re-evaluation proportionate to risk, and records. A startup-scale qualification process runs this clause honestly (deep where the supplier is critical, light where it is not) and documents the reasoning either way.**

**By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.**

---

## TL;DR

- Supplier qualification is the decision, made before production use, that a supplier is capable of meeting your specified requirements. It is not a purchase order and it is not a template filled in once.
- MDR Article 10(9) puts the legal obligation on the manufacturer. EN ISO 13485:2016+A11:2021 clause 7.4.1 defines what a compliant qualification process has to contain.
- Clause 7.4.1 requires five things: evaluation criteria, selection based on ability to meet requirements and the effect on device quality, consideration of risk, planned monitoring and re-evaluation, and records.
- Proportionality is not optional. A critical supplier gets a deep qualification; a non-critical one gets a light one. Uniform qualification across all suppliers is both wasteful and a common source of audit findings.
- Re-qualification is triggered by defined events (scope change, performance issues, supplier change, regulatory change) as well as by the interval set in the procedure. A frozen initial qualification is a finding waiting to happen.

---

## Why clause 7.4.1 is the clause that decides the rest

Post 300 laid out the full scope of supplier control under clause 7.4. This post zooms into 7.4.1, the qualification step, because that is the step that determines whether everything downstream in the supplier relationship has a foundation or not.

A signed quality agreement with a supplier that was never properly qualified is a contract with an unknown. A receiving inspection rule for a component sourced from an unqualified supplier is an attempt to compensate for a decision that was never made. A supplier file without a qualification record is a file without a story. Auditors know this, and they start their supplier control sampling by asking to see the qualification evidence. If that is missing or thin, the audit moves in a predictable direction.

The clause itself is not long. Read honestly, clause 7.4.1 of EN ISO 13485:2016+A11:2021 is a five-part instruction: establish criteria, evaluate and select against those criteria, weigh the effect on the finished device and the associated risk, plan monitoring and re-evaluation, and keep the records. Everything in a startup-scale qualification process is one of those five things or support for them. Anything else is decoration.

## What clause 7.4.1 actually requires

Clause 7.4.1 of EN ISO 13485:2016+A11:2021 requires the manufacturer to document procedures to ensure that purchased product conforms to specified purchasing information. The clause then sets out specific criteria the manufacturer shall establish for the evaluation and selection of suppliers.

The criteria must address the supplier's ability to provide product that meets the manufacturer's requirements. They must address the performance of the supplier. They must address the effect of the purchased product on the quality of the medical device. And they must address the risk associated with the medical device.

The clause goes further. It requires planning of monitoring and re-evaluation of suppliers, where non-fulfilment of purchasing requirements shall be addressed with the supplier proportionate to the risk associated with the purchased product and compliance with applicable regulatory requirements. And it requires records of the results of evaluation, selection, monitoring, and re-evaluation of the supplier, and any necessary actions arising from these activities.

Read that paragraph carefully, because a large share of supplier-related findings are the auditor pointing at one of those specific requirements and asking where the evidence is. "Show me the criteria." "Show me the evaluation." "Show me the re-evaluation." "Show me the records." Clause 7.4.1 is not abstract. It is a checklist the auditor will read back to the manufacturer.

## Criticality categorisation: the decision that shapes everything

Before a qualification record can be written, the supplier has to be placed on the criticality scale. This is not a 7.4.1 requirement in so many words, but it is the only way to apply the clause proportionately, and the standard's language about risk and effect on device quality points directly at it.

A critical supplier is one whose product or service directly affects the safety or performance of the finished device. Contract manufacturers producing regulated sub-assemblies. Sterilisation providers. Component vendors whose parts are integrated without modification into the device. Software library vendors whose code executes inside the medical device software. Calibration laboratories whose measurements feed release decisions. Test laboratories whose results feed design verification or validation. Packaging suppliers where the packaging has a protective function, such as a sterile barrier.

A non-critical supplier does not affect device safety or performance. General office supplies. Cleaning services for non-controlled areas. Generic business IT for marketing systems that do not touch regulated data. These still have a place in the supplier list (the list has to be complete), but the qualification effort for them is proportionately small.

Between the two sits a grey zone, and the grey zone is where startups lose time arguing instead of deciding. The honest move is to classify the grey-zone suppliers as critical until evidence shows otherwise, and to document the classification decision with its reasoning. A cloud provider that hosts Software as a Medical Device back-end services is critical. The same provider hosting the marketing site is not. The same provider hosting data used in clinical evaluation is critical. The decision travels with the use case, not with the vendor name.

The qualification depth follows the criticality. A critical supplier gets a deep qualification that can withstand audit scrutiny. A non-critical supplier gets a lightweight evaluation that still produces a record. Both are defensible. Neither is theatre.

## Qualification methods: what counts as evaluation

Clause 7.4.1 requires the manufacturer to evaluate the supplier's ability to meet requirements. It does not prescribe a single evaluation method. In practice, the qualification methods that work for startup-scale manufacturers fall into a short list.

The first method is certification review. A supplier that holds a current ISO 13485 certificate from an accredited certification body, with a scope that covers the product or service being purchased, has already been evaluated by a third party against a recognised QMS standard. The qualification record captures the certificate number, issuing body, scope, and expiry date, and notes the review. For most critical MedTech suppliers who actively serve the MedTech market, this is the fastest legitimate path.

The second method is ISO 9001 with gap assessment. A supplier that holds ISO 9001 but not ISO 13485 has a general QMS but not the device-specific elements. The qualification record captures the ISO 9001 certificate and documents the gap assessment: what the manufacturer checked to confirm that the supplier's processes cover the MedTech-specific requirements relevant to the purchased product. This is common for component vendors from industrial sectors adjacent to MedTech.

The third method is a supplier audit by the manufacturer. When the supplier has no recognised certification but is critical to the device, the manufacturer can perform an on-site or remote audit against a scope agreed with the supplier. This is resource-intensive and should be reserved for critical suppliers where no other path exists. Post 326 covers supplier audits in depth.

The fourth method, applicable mainly to non-critical suppliers, is a documented evaluation of performance history, references, or sample delivery, captured as a qualification record proportionate to the risk. For an office supplies vendor, this is a one-paragraph note. For a cleaning service in non-controlled areas, the same.

A fifth situation, software components without a vendor to qualify, is handled through the SOUP route under IEC 62304 and is covered in post 779. The clause 7.4.1 logic still applies: the qualification evidence is the documented SOUP evaluation rather than a supplier certificate, and the record sits in the supplier file alongside the other qualifications.

Whatever the method, the qualification record has to capture three things: the criteria that were applied, the evidence that was reviewed, and the decision (approve, approve with conditions, reject) with its justification. Clause 7.4.1's requirement for records of the results of evaluation and selection is not satisfied by a checkbox. It is satisfied by a short, honest narrative that an auditor can read and understand.

## Re-qualification triggers: why the initial decision has a shelf life

Clause 7.4.1 requires planned monitoring and re-evaluation of suppliers. Initial qualification is a snapshot. The supplier changes. The product changes. The regulatory environment changes. The re-qualification obligation exists because the standard expects the manufacturer to keep the decision current.

Re-qualification is driven by two things: a scheduled interval and defined trigger events. Both belong in the procedure.

The scheduled interval is usually annual for critical suppliers and less frequent for non-critical ones, but the number is less important than the fact that the interval is written down and actually followed. Missing re-qualification cycles is one of the most common clause 7.4.1 findings, and it is the kind of finding that is easy to prevent and impossible to retro-fit.

The trigger events are the moments when the initial qualification stops being a reliable indicator of supplier capability. These include: expiry or withdrawal of the supplier's certification, a supplier-initiated change to the scope, process, or location of the service, a change to the purchased product (new revision, new material, new formulation), a change to the manufacturer's use of the supplier (new device, higher risk class, different application), a serious non-conformity in a delivered lot, a quality agreement breach, a reported incident traced to the supplier, and a regulatory change that affects the requirements. Any of these should generate a re-qualification activity, not a note in a folder.

The discipline is not difficult. It is the discipline of treating supplier qualification as a living record rather than a historical one.

## The supplier file: what the auditor expects to find

Clause 7.4.1 does not prescribe a specific file structure, but in practice the artefact that satisfies the records requirement is a supplier file, one per supplier, containing a defined set of documents.

For a critical supplier the file contains: the criticality classification with reasoning, the initial qualification record with criteria, evidence reviewed, and decision, the supplier's QMS certification or the audit report that replaced it, the signed quality agreement, the approved purchase specification(s), the monitoring records (delivery performance, non-conformity history), the re-qualification records, and any corrective actions taken with the supplier. For a non-critical supplier the file is shorter: a criticality classification, a lightweight evaluation, and proportionate monitoring notes.

The file does not need to be a physical binder. A clearly structured folder in a document management system works as well, provided the records are controlled, retrievable, and auditable. What matters is that an auditor can ask for "the file for supplier X" and receive a coherent answer in minutes, not days. A startup that cannot produce its supplier file in a short, calm demonstration has a live clause 7.4.1 finding whether the auditor raises it or not.

## Common mistakes startups make

- Running every supplier through the same qualification template regardless of criticality, producing either waste on non-critical suppliers or inadequate depth on critical ones.
- Treating the supplier's ISO 13485 certificate as the entire qualification. The certificate is input to the qualification; it is not the qualification record itself.
- Qualifying a supplier once at the start of the company and never again, despite clause 7.4.1's explicit requirement for planned re-evaluation.
- Skipping the criticality classification because "it is obvious," and then failing to explain the reasoning when an auditor asks why a particular supplier was treated as non-critical.
- Capturing the qualification decision without the reasoning, producing a record that proves something was decided without showing why it was defensible.
- Treating software-component suppliers as out of scope for 7.4.1 because the standard uses the word "product." Components that affect device quality, including software components, are in scope.
- Keeping the supplier file up to date for the first year and letting it drift afterward, so that re-qualification cycles are missed and the file no longer reflects reality.

## The Subtract to Ship angle on supplier qualification

The Subtract to Ship discipline (post 065) applied to clause 7.4.1 produces a specific shape. Start from an honest supplier list: every supplier the company actually uses, including the ones that live in an accountant's expense report rather than a procurement system. Classify each one as critical or non-critical against the definition above, and write the reasoning. For every critical supplier, build a qualification record that contains the five things clause 7.4.1 requires (criteria, evaluation, effect on device quality and risk, planned monitoring and re-evaluation, records) and nothing else. For every non-critical supplier, build a proportionate record that still makes the reasoning visible. Then delete every template section that does not map back to those five requirements.

The test at the end is the same test every Subtract to Ship pass ends with. Point to clause 7.4.1 for each element of the qualification process, and confirm that each element answers one of the clause's requirements. If it does not, cut it. If a clause requirement has nothing mapped to it, add the minimum that satisfies it. The resulting qualification process is smaller than most startups build by default and more defensible than most auditors see in the field.

## Reality Check: where do you stand?

1. Can you produce a complete supplier list with a criticality classification and written reasoning for each entry?
2. For each critical supplier, can you point to a qualification record that pre-dates the first production use?
3. Do your qualification records contain the five elements clause 7.4.1 requires (criteria, evaluation, effect on device quality and risk, monitoring and re-evaluation plan, records)?
4. Is the re-qualification interval written down in the procedure, and have the last cycles actually happened on time?
5. Do you have a defined list of trigger events that force re-qualification outside the scheduled interval, and has anyone used it in the last twelve months?
6. For software components and SOUP, is the qualification evidence captured in the supplier file rather than scattered through engineering notes?
7. If a Notified Body auditor asked to see "the file for supplier X" for your three most critical suppliers, could you produce a complete file in one sitting?

Any "not yet" is where the qualification work is.

## Frequently Asked Questions

**What is the difference between supplier qualification and supplier approval?**
In everyday language the terms are used interchangeably, but in a clause 7.4.1 context qualification is the evaluation activity and approval is the decision that results from it. A qualified supplier is one whose qualification record shows an "approve" decision. The clause requires the evaluation, the decision, and the records of both.

**Is an ISO 13485 certificate enough to qualify a supplier?**
A valid, in-scope ISO 13485 certificate from an accredited body is strong evidence in a qualification record, and for many critical suppliers it is the fastest legitimate path. It is not the qualification itself. Clause 7.4.1 requires the manufacturer to document the review of that certificate against the specific purchased product and the effect on device quality, and to capture the decision. The certificate is input; the qualification record is the output.

**How do I qualify a supplier who refuses to share audit documentation?**
The refusal itself is a finding about the supplier's suitability. The options are to use a different supplier, to accept the limitation and document the compensating controls (stricter incoming inspection, more frequent monitoring, a contractual change-notification clause), or to proceed only for non-critical uses where the lack of transparency is tolerable. The decision and its reasoning go in the qualification record.

**Does clause 7.4.1 apply to consultants and external quality experts?**
Yes, when the consultant's work affects device quality: for example, a contract QA resource running processes, an external regulatory writer producing files that enter the technical documentation, or an IEC 62304 developer writing medical device software. The qualification is proportionate to the role and the effect on the device. Office consultants who do not touch the product are non-critical.

**How often does re-qualification have to happen?**
The standard requires planned re-evaluation proportionate to risk. The procedure has to name the interval, and the interval has to be followed. In startup practice, annual re-qualification for critical suppliers is common and defensible. The number is less important than the discipline of actually running the cycle and capturing the records.

**Is supplier qualification the same across ISO 13485 and MDR?**
The legal obligation is MDR Article 10(9). The standard that provides the operational requirements and presumption of conformity is EN ISO 13485:2016+A11:2021, clause 7.4.1. A qualification process that conforms to clause 7.4.1 and is implemented consistently satisfies the MDR obligation. The two are not separate regimes. They are a legal obligation and the harmonised tool that satisfies it.

## Related reading

- [MDR Supplier Control Requirements: Using ISO 13485 Purchasing Controls as a Startup](/blog/mdr-supplier-control-iso-13485) – the full scope of clause 7.4 that this post drills into.
- [How to Build a Lean QMS for an MDR Startup](/blog/build-lean-qms-mdr-startup) – the operational context in which supplier qualification sits.
- [MDR Article 10(9) and Annex IX QMS Requirements in Detail](/blog/mdr-article-10-9-annex-ix-qms-requirements) – the legal anchor for every supplier qualification obligation in this post.
- [Outsourced Sterilisation Under MDR and ISO 13485](/blog/outsourced-sterilisation-mdr-iso-13485) – a specific critical-supplier case where qualification evidence is load-bearing.
- [Selecting and Qualifying Suppliers as a MedTech Startup](/blog/selecting-qualifying-suppliers-medtech-startup) – the founder-level companion on supplier selection under resource constraints.
- [The Subtract to Ship Framework for MDR Compliance](/blog/subtract-to-ship-framework-mdr) – the methodology behind the proportionality approach used throughout this post.

## Sources

1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers), in particular Article 10(9) on the quality management system and the explicit requirement to cover selection and control of suppliers and sub-contractors. Official Journal L 117, 5.5.2017.
2. EN ISO 13485:2016+A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes. Clause 7.4.1 (purchasing process: criteria for evaluation and selection, consideration of effect on device quality and risk, planned monitoring and re-evaluation, records), clause 7.4.2 (purchasing information), clause 7.4.3 (verification of purchased product). The harmonised standard providing presumption of conformity with MDR Article 10(9).

---

*This post is part of the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. Supplier qualification is where clause 7.4.1 stops being a paragraph in a standard and starts being the evidence an auditor reads first.*

