Good supplier management is one of the most important methods of building a safe and effective medical device. A single device may be made up of dozens of parts and components coming from several different suppliers, and many medical device companies outsource the manufacturing of their device to a contractor.

However, even though the manufacturing of parts and components—or the entire device—may be outsourced, the responsibility for the device still lies with the legal manufacturer. That’s why good supplier management is critical not only to the safety and effectiveness of your devices, but also to your ability to meet regulatory requirements on purchasing controls.

Every supplier is different, but critically important suppliers will need a higher level of management. And one of the ways you can manage that supplier relationship is through a supplier audit.

What is a supplier audit?

A supplier audit is one of the methods medical device companies may use to evaluate a potential supplier or ensure ongoing regulatory compliance and production quality. A supplier audit may include a review of the supplier’s facilities, production processes, quality control, and quality system.

Why do you need to carry out supplier audits?

From a business standpoint, it’s always a good idea to understand where your parts and components are coming from, and to have confidence in the ability of your suppliers to meet your exact specifications.

However, in medtech, there are also regulatory requirements for supplier management that your company is obliged to follow. Both the FDA’s 21 CFR Part 820 and ISO 13485:2016 require all medical device companies to implement purchasing controls.
• Part. 820.50 states, “Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.”
• Clause 7.4.1 of ISO 13485: 2016 likewise directs companies to “document procedures to ensure that purchased product conforms to specified purchasing information.”

Although supplier audits aren’t the only tool medical device companies have to meet these requirements, they are one of the most important. For example, both Part 820 and ISO 13485 require companies to evaluate suppliers on the basis of their ability to meet specified requirements. For some suppliers, an initial supplier audit of their facilities and quality system will be necessary to meet the evaluation requirement.

When do you audit your suppliers?

Typically, supplier audits will occur during the supplier evaluation process and then at specified intervals, known as scheduled supplier audits.

The schedule will be determined by your supplier agreement. These scheduled audits are a good way to ensure your suppliers are still adhering to the standards or regulations you expect them to. The goal of these audits is to determine whether your process and quality management requirements are being carried out.

For example, that might mean an inspection of the supplier’s facility to ensure their clean room areas are actually sterilized and not being contaminated in any way. But you may also want to see their process for handling nonconforming products or ensuring the traceability of their products from raw material to final product.

Your scheduled audits are also a good opportunity to follow up on any supplier corrective action requests (SCARs) you’ve raised in the past, especially if you’ve raised the same one multiple times. It’s a chance for visual confirmation that your supplier has taken action to fix the issue.

Which suppliers must be audited?

Medical device companies should be taking a risk-based approach to supplier management, which means determining the risk involved for each supplier and tailoring supplier management activities based on that risk.

For instance, many companies will begin with a critical vs. noncritical framework for suppliers.

Noncritical suppliers have no direct or indirect relationship with the product or manufacturing processes, such as a business that supplies your stationery or caters meals for you. These are still suppliers, but they don’t have to go on your approved supplier list (ASL).

Critical suppliers have a direct or indirect relationship with the product or process, and they must be qualified and placed on your ASL if you want to order anything from them.

Critical suppliers are then broken down into more categories based on their potential effect on product safety. I like to use the following three tiers.

Tier 1—highest risk: Includes any integral component of the device that affects safety. Also includes contract manufacturers that assemble the device. This would also include services like sterilization that affect the device’s safety.

Tier 2—medium risk: Includes custom, device-specific components that don’t directly affect device safety. This tier also includes services like pest control and your logistics and shipping provider.

Tier 3—lowest risk: Standard, “off-the-shelf” items; any consultants you use that provide a service related to the product or processes would also fall under this tier.

This framework allows companies to choose their monitoring activities based on risk. You wouldn’t audit noncritical suppliers, for example. However, for critical suppliers, you would likely need to regularly perform scheduled audits on your tier one and tier two suppliers.

Manage all your supplier relationships in one place

Medtech companies with a single device can easily need dozens of suppliers—larger businesses might have hundreds of them. Managing all of those relationships, especially when you’re taking an individualized, risk-based approach, can be a headache for even the most organized company.

But with the right supplier management solution, you can bring all your suppliers into a single system and navigate all your relationships with ease. With Greenlight Guru Quality, for example, you’ll have a dedicated supplier management workspace that’s connected to the rest of your QMS software. You’ll be able to see all your suppliers in a single view, search by name or ID number, filter by criticality or status, and quickly find what you’re looking for.

You’ll also be able to attach supporting documents to individual suppliers, add contact information, and set reminders for upcoming events like audits, scorecards, or renewals. And you can do it all in the same QMS software you use for risk management, product development, and all your other related QMS processes.

A free Greenlight Guru demo is available here.

Published July 9, 2025, by Greenlight Guru.