All terms

    Supplier Controls

    Procedures to ensure purchased products and services conform to requirements.

    Reviewed by Christian Espinosa, Founder, Blue Goat CyberLast reviewed May 5, 2026

    Definition

    Per 21 CFR 820.50 and ISO 13485 Section 7.4, manufacturers must evaluate, select, and monitor suppliers based on the supplier's ability to meet specified requirements.
    What the regulation says
    The FDA, under 21 CFR 820.50, mandates that manufacturers establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements. Similarly, ISO 13485:2016 clause 7.4 requires organizations to establish criteria for the evaluation, selection, monitoring, and re-evaluation of suppliers based on their ability to provide product that meets requirements. The EU MDR, in Annex I, places responsibility on manufacturers for the quality system and the actions of their suppliers.

    What this means in practice

    Supplier audits, agreements, and incoming inspection comprise the typical control set. Supply chain risk now includes cybersecurity concerns for software suppliers.

    Examples

    • A medical device manufacturer performing an on-site audit of a contract sterilizer to verify compliance with ISO 11137 and relevant regulatory standards.
    • A manufacturer conducting a stringent incoming inspection of critical raw materials for an implantable device, including lot sampling and material verification tests.
    • A software as a medical device (SaMD) company requiring its cloud service provider to demonstrate compliance with relevant cybersecurity frameworks like NIST SP 800-53 or ISO 27001.
    Common pitfalls
    • Failing to document the rationale for supplier selection and evaluation can lead to non-conformities during audits.
    • Assuming that a supplier's certification to a quality standard, like ISO 9001, automatically fulfills all MedTech regulatory requirements is a common mistake.
    • Neglecting to periodically re-evaluate suppliers, especially after changes in their processes or products, can result in compromised product quality.
    • Not having clear quality agreements in place with suppliers can lead to disputes regarding responsibilities and specifications.
    • Overlooking cybersecurity requirements for software and IT suppliers can introduce significant risks to medical devices and patient data.

    Frequently asked questions

    The primary goal is to ensure that all purchased or otherwise received products and services conform to specified requirements, ultimately safeguarding the safety and efficacy of medical devices.

    Cross-references

    Part of

    Shared paths + category

    Latest in MedTech

    Primary references

    3 sources
    Link health: 3 verified· last checked 2026-06-20
    eCFR·1IMDRF/GHTF·1FDA·1
    1. 1
      21 CFR 820.50
      Verified
      eCFRecfr.gov
    2. 2
      GHTF/IMDRF Process Validation Guidance
      Verified
      IMDRF/GHTFimdrf.org
    3. 3
      FDA - Device Manufacturing
      Verified
      FDAfda.gov

    Inline markers like [1] jump to the matching reference above.