All terms
ManufacturingManufacturing & Supply
Supplier Controls
Procedures to ensure purchased products and services conform to requirements.
Reviewed by Christian Espinosa, Founder, Blue Goat CyberLast reviewed May 5, 2026
Definition
Per 21 CFR 820.50 and ISO 13485 Section 7.4, manufacturers must evaluate, select, and monitor suppliers based on the supplier's ability to meet specified requirements. What the regulation says
The FDA, under 21 CFR 820.50, mandates that manufacturers establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements. Similarly, ISO 13485:2016 clause 7.4 requires organizations to establish criteria for the evaluation, selection, monitoring, and re-evaluation of suppliers based on their ability to provide product that meets requirements. The EU MDR, in Annex I, places responsibility on manufacturers for the quality system and the actions of their suppliers.What this means in practice
Supplier audits, agreements, and incoming inspection comprise the typical control set. Supply chain risk now includes cybersecurity concerns for software suppliers.Examples
- A medical device manufacturer performing an on-site audit of a contract sterilizer to verify compliance with ISO 11137 and relevant regulatory standards.
- A manufacturer conducting a stringent incoming inspection of critical raw materials for an implantable device, including lot sampling and material verification tests.
- A software as a medical device (SaMD) company requiring its cloud service provider to demonstrate compliance with relevant cybersecurity frameworks like NIST SP 800-53 or ISO 27001.
Common pitfalls
- •Failing to document the rationale for supplier selection and evaluation can lead to non-conformities during audits.
- •Assuming that a supplier's certification to a quality standard, like ISO 9001, automatically fulfills all MedTech regulatory requirements is a common mistake.
- •Neglecting to periodically re-evaluate suppliers, especially after changes in their processes or products, can result in compromised product quality.
- •Not having clear quality agreements in place with suppliers can lead to disputes regarding responsibilities and specifications.
- •Overlooking cybersecurity requirements for software and IT suppliers can introduce significant risks to medical devices and patient data.
Frequently asked questions
The primary goal is to ensure that all purchased or otherwise received products and services conform to specified requirements, ultimately safeguarding the safety and efficacy of medical devices.
Cross-references
Part of
Related terms
Shared paths + categoryStandards
ISO 13485
International standard for medical device quality management systems.
Quality & Risk
Quality System Regulation(QSR / 21 CFR 820)
FDA's current good manufacturing practice (cGMP) requirements for medical devices.
Cybersecurity
Software Bill of Materials(SBOM)
A machine-readable inventory of all software components, including open-source and third-party libraries, used to build a medical device.
Manufacturing
Stability Testing
Studies that establish how device performance and packaging hold up over time.
Manufacturing & Supply Chain · adjacent
Quality & Risk
Change Control
Formal QMS process for evaluating, approving, and implementing changes that could affect product quality or compliance.
Manufacturing & Supply Chain · adjacent
Manufacturing
Cleanroom Classes (ISO 14644)
ISO 14644 classification of cleanrooms by airborne particulate cleanliness (ISO 1 through ISO 9).
Manufacturing & Supply Chain
Latest in MedTech
Primary references
3 sourcesLink health: 3 verified· last checked 2026-06-20
eCFR·1IMDRF/GHTF·1FDA·1
- 121 CFR 820.50VerifiedeCFRecfr.gov
- 2GHTF/IMDRF Process Validation GuidanceVerifiedIMDRF/GHTFimdrf.org
- 3FDA - Device ManufacturingVerifiedFDAfda.gov
Inline markers like [1] jump to the matching reference above.