Supplier qualification under EN ISO 13485:2016+A11:2021 clause 7.4 and MDR Article 10(9) is not a procurement task — it is a risk-based quality process. The less impact a supplier has on product safety, the lighter the qualification. The more impact, the deeper the scrutiny. Startups fail by treating every supplier identically and running out of time and money.
By Tibor Zechmeister and Felix Lenhard.
TL;DR
- MDR Article 10(9) requires manufacturers to establish, document, implement, maintain, keep up to date and continually improve a quality management system, which under Annex IX includes supplier control.
- EN ISO 13485:2016+A11:2021 clause 7.4 is the operational standard: evaluate, select, monitor, and re-evaluate suppliers based on the impact of the purchased product on the quality of the medical device.
- Risk-based classification is the only workable approach for startups: critical suppliers get deep qualification (audit plus quality agreement), non-critical suppliers get light qualification (certificates plus monitored performance).
- A quality agreement is the document that locks the relationship: roles, change notifications, complaint handling, audit rights, and retention. Startups who skip this pay for it during their first notified body audit.
- The most common startup mistake is not under-qualifying suppliers — it is wasting qualification effort on commodity suppliers while letting one critical supplier slip through without an audit.
Why this matters
Every hardware MedTech startup hits the same wall: you have ten to forty suppliers before you realise what "supplier control" means in an ISO 13485 context. By that point, purchase orders have been flying for months, parts are in the building, and your first notified body audit is six months away. The founder asks "how bad is this?" and the honest answer is: it depends entirely on which suppliers are in the build, and whether you can reconstruct a defensible qualification story for them after the fact.
Tibor has audited this scenario perhaps a hundred times. The pattern is always the same — startups treat purchasing as a procurement problem until an auditor walks in. Then they discover that their sterilisation contractor has never been qualified, their critical implantable polymer was bought from a distributor with no upstream visibility, and their electronics assembler has no quality agreement. Three findings, one audit, sometimes a major non-conformity.
This post is how to avoid that. It is the startup version of clause 7.4 — the version that actually fits a ten-person company.
What MDR actually says
MDR Article 10(9) states that manufacturers of devices shall establish, document, implement, maintain, keep up to date and continually improve a quality management system that shall ensure compliance in the most effective manner and in a manner proportionate to the risk class and the type of device. Among the aspects the QMS shall cover, the article explicitly lists resource management, including selection and control of suppliers and sub-contractors.
MDR Annex IX sets out the conformity assessment based on a QMS and on assessment of technical documentation. For devices going through an Annex IX route (most Class IIa, IIb and III devices), the notified body assesses the manufacturer's QMS — including supplier control — as part of the certification.
EN ISO 13485:2016+A11:2021 clause 7.4 (Purchasing) is where the operational requirements live. Clause 7.4.1 requires the organisation to document procedures to ensure that purchased product conforms to specified purchasing information, and to establish criteria for the evaluation and selection of suppliers. Crucially, clause 7.4.1 requires these criteria to be proportionate to the risk associated with the purchased product and its effect on the quality of the medical device. Clause 7.4.2 covers purchasing information — specifications, quality requirements, quality agreements where appropriate. Clause 7.4.3 covers verification of purchased product — incoming inspection or equivalent.
There is no MDR article that says "you must audit every supplier." The regulation and the standard both work on proportionality: deeper control for higher-impact suppliers, lighter control for lower-impact ones. The startup's job is to define what "impact" means and to be consistent.
A worked example
A Class IIa wearable ECG startup in Munich has twenty-three suppliers on its bill of materials and service list. The founder asks: "Which ones do we need to audit?"
Wrong answer: "All of them." You will run out of money and calendar before you finish. Also wrong: "None of them — we'll trust ISO 9001 certificates." That is the answer that produces notified body findings.
Correct answer: classify them. Here is how a sensible risk-based classification looks for this device.
Critical suppliers (deep qualification required):
- The contract electronics manufacturer who assembles the final device. Direct impact on safety. On-site audit, quality agreement, first-article inspection, ongoing performance monitoring.
- The sterile packaging supplier. Direct impact on sterility claim. On-site audit, quality agreement, evidence of their own validated sterilisation process, ISO 11607 conformance.
- The skin-contact adhesive supplier. Direct impact on biocompatibility under EN ISO 10993-1:2025. Biocompatibility data package, quality agreement, change-notification clause, material certificate per lot.
Significant suppliers (moderate qualification):
- The PCB fabricator, the enclosure injection moulder, the battery supplier. ISO 9001 or ISO 13485 certificate on file, supplier questionnaire, incoming inspection plan, monitored performance.
- The calibration lab for production test equipment. ISO/IEC 17025 accreditation on file, scope review, calibration certificates traceable to national standards.
Non-critical suppliers (light qualification):
- Office supplies, shipping cartons that do not affect sterility, standard fasteners from a distributor. A line item in the approved supplier list, no audit, performance monitored through purchasing history.
Three suppliers get on-site audits. Seven get questionnaires and certificates. Thirteen get a line item and a watchful eye. The startup spends its limited qualification budget where it changes the risk profile of the device, and the notified body auditor sees a coherent, defensible system. That is the whole point of clause 7.4.
The Subtract to Ship playbook
1. Build a supplier criticality matrix — one page, no more. Columns: supplier name, what they provide, impact on device safety, impact on device performance, impact on regulatory compliance, criticality classification. Three rows of classification: critical, significant, non-critical. Define each classification in writing so your next hire uses the same logic. The one-page version beats the thirty-page version every time because the thirty-page version is never read.
2. Define qualification methods per tier — also one page. Critical: on-site audit, quality agreement, initial sample inspection, ongoing monitoring, re-qualification every two to three years. Significant: questionnaire, certificate review, initial sample inspection, ongoing monitoring, re-qualification every three to five years. Non-critical: approved supplier list, performance monitoring. Write these methods once and apply them consistently.
3. Audit the suppliers who actually matter — in person. Critical supplier audits cannot be done by email. You need to walk the floor, look at their incoming inspection, review their non-conformance log, and talk to their quality manager. Two days on-site for a critical supplier is worth more than two weeks of email exchanges. For small startups, the founder or the QA lead should personally conduct at least the first audit of each critical supplier.
4. Use quality agreements, not just purchase orders. A purchase order says "ship us this part." A quality agreement says who is responsible for what: change notification, material traceability, complaint handling, record retention, right to audit, regulatory status changes. Template quality agreements exist for MedTech — start from one, adapt, sign. Without a quality agreement, you have no contractual teeth when a supplier changes a process and your device fails PMS. With one, you have both teeth and a clear audit trail.
5. Lock in change notification — this is the single highest-leverage clause. Your quality agreement must require the supplier to notify you before they change materials, process parameters, sub-tier suppliers, or manufacturing sites. The reason: an undisclosed supplier change is how startups end up with failed biocompatibility results post-market. If your adhesive supplier changes the curing process without telling you, your ISO 10993 package is no longer valid and you may have a vigilance event on your hands.
6. Qualify outsourced processes like manufacturing processes. Sterilisation, welding, calibration, electronics assembly — any outsourced process that affects the device is both a supplier and a process subject to validation. EN ISO 13485 clause 7.5.6 applies. This is where startups get caught: they treat sterilisation as "just a service" and miss the process validation. Treat outsourced processes with the same rigour you would treat an in-house process.
7. Monitor performance and re-qualify. Clause 7.4.1 requires ongoing monitoring, not just initial qualification. A simple spreadsheet tracking on-time delivery, non-conformances, complaints traced to the supplier, and CAPA involvement is enough. Review it at management review. Re-qualify on the schedule you defined in step 2.
8. Handle distributors honestly. If you buy a critical material from a distributor, your real supplier is the upstream manufacturer. Either get visibility to the upstream manufacturer through the distributor (material certificates, change notifications passed through) or classify the distributor risk explicitly and accept it. The worst option is pretending the distributor is the manufacturer.
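The one-page criticality matrix (step 1), the per-tier qualification methods (steps 2 and 5) and the re-qualification check (step 7) can be kept as a small script over the approved supplier list. This is an added example, not code from the post or its authors; the supplier names are placeholders, and the rule that any safety impact makes a supplier critical while performance or compliance impact alone makes it significant is my assumption about how to encode the matrix, using the upper bound of each tier's cadence.

```python
from dataclasses import dataclass
from datetime import date
CRITICAL, SIGNIFICANT, NON_CRITICAL = "critical", "significant", "non-critical"
REQUAL_YEARS = {CRITICAL: 3, SIGNIFICANT: 5}   # upper bound of the step 2 cadence
REVIEW_DATE = date(2025, 1, 1)                 # constructed "today" for the sample run

@dataclass
class Supplier:                                 # one row of the step 1 criticality matrix
    name: str
    affects_safety: bool
    affects_performance: bool
    affects_compliance: bool
    audited_on_site: bool = False
    quality_agreement: bool = False
    change_notification_clause: bool = False
    last_qualified: "date | None" = None

def classify(s: Supplier) -> str:
    """Step 1 (assumed rule): safety impact -> critical; performance or compliance impact -> significant."""
    if s.affects_safety:
        return CRITICAL
    return SIGNIFICANT if (s.affects_performance or s.affects_compliance) else NON_CRITICAL

def gaps(s: Supplier, today: date) -> list:
    """Steps 2, 5 and 7: what the file lacks for the supplier's tier, plus overdue re-qualification."""
    tier, missing = classify(s), []
    if tier == CRITICAL and not s.audited_on_site:
        missing.append("on-site audit")
    if tier in REQUAL_YEARS:                    # critical and significant: agreement plus a cadence
        missing += [label for ok, label in ((s.quality_agreement, "quality agreement"),
                    (s.change_notification_clause, "change-notification clause")) if not ok]
        if (last := s.last_qualified) is None:
            missing.append("qualification record")
        else:
            due = date(last.year + REQUAL_YEARS[tier], last.month, min(last.day, 28))
            if due < today:
                missing.append(f"re-qualification overdue since {due.isoformat()}")
    return missing

def review(suppliers, today: date) -> dict:     # approved-supplier-list check: name -> (tier, gaps)
    return {s.name: (classify(s), gaps(s, today)) for s in suppliers}

# Constructed sample modelled on the post's wearable ECG example (placeholder names).
SAMPLE = [
    Supplier("ECG-Assembly-GmbH", True, True, True, audited_on_site=True,
             quality_agreement=True, change_notification_clause=False, last_qualified=date(2021, 3, 1)),
    Supplier("PCB-Fab-Ltd", False, True, False, quality_agreement=True,
             change_notification_clause=True, last_qualified=date(2023, 6, 15)),
    Supplier("Carton-Co", False, False, False),
]
```

Running `review(SAMPLE, REVIEW_DATE)` flags the assembler for a missing change-notification clause and an overdue re-qualification, while the PCB fabricator and the carton supplier come back clean for their tiers.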
Reality Check
- Do we have a documented criticality classification for every supplier on our approved supplier list?
- Can we name, right now, our three to five most critical suppliers — and explain why they are critical in terms of device safety?
- Do we have a signed quality agreement with every critical supplier?
- Have we personally audited each critical supplier, or do we have a defensible reason why we have not?
- Does each quality agreement include a change-notification clause with a defined notice period?
- Are our outsourced processes (sterilisation, assembly, calibration) qualified as both suppliers and validated processes?
- Do we have incoming inspection records or equivalent verification for critical parts?
- Do we monitor supplier performance and review it at management review — with evidence?
Frequently Asked Questions
Does an ISO 13485 certificate from a supplier mean we do not need to qualify them? No. An ISO 13485 certificate is evidence that can inform your qualification, but it does not replace your own evaluation. Your qualification must be proportionate to the impact of that supplier on your device — the standard does not let you delegate that judgement to a certificate.
Can we use a questionnaire instead of an on-site audit for a critical supplier? Only if you can defend the decision. If the supplier is geographically distant and you have strong alternative evidence — detailed technical documentation, process validation reports, reference from other MedTech customers — a remote audit may be acceptable. A pure questionnaire for a critical supplier is a red flag for any notified body auditor.
What is the minimum viable supplier file? Supplier questionnaire or audit report, evidence of quality system (certificate or equivalent), quality agreement (for critical and significant suppliers), change-notification provision, incoming inspection plan, performance monitoring record, and re-qualification cadence. Anything less invites findings.
Do we need to qualify our cloud hosting provider? If your device is SaMD and the cloud provider hosts components that affect device performance or patient safety, yes — as an outsourced process under clause 7.5.6 and as a supplier under clause 7.4. The qualification looks different from a hardware supplier (data centre certifications, SLAs, security posture, change control) but the logic is identical.
How often should critical suppliers be re-audited? There is no fixed rule. Two to three years is a common and defensible cadence for critical suppliers, triggered sooner by performance issues, significant changes, or quality incidents. Document your cadence rule and follow it.
Can we use the same supplier qualification process as a medical device contract manufacturer we work with? You can align, but you cannot inherit. You are the legal manufacturer. Your supplier qualification decisions are yours to defend, even if you piggyback on a CMO's existing qualifications as supporting evidence.
Related reading
- MDR supplier control under ISO 13485 — the broader framing of clause 7.4 in the MDR context.
- Supplier qualification deep dive — the detailed mechanics of qualification methods.
- Outsourced processes and contract manufacturers — how to handle outsourced manufacturing specifically.
- Working with CMOs under MDR — contract manufacturer relationships in depth.
- CAPA under MDR and ISO 13485 — how supplier issues flow into your corrective action system.
Sources
- Regulation (EU) 2017/745 on medical devices, consolidated text. Article 10(9); Annex IX.
- EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clauses 7.4, 7.5.6.
- EN ISO 10993-1:2025 — Biological evaluation of medical devices — Part 1: Evaluation and testing within a risk management process.