ISO 13485 Supplier Audit: Must-Check Areas for Medical Device Companies

An ISO 13485 Supplier Audit Typically Includes:

Reviewing the supplier’s Quality Management System (QMS)

Verifying compliance with ISO 13485 and applicable regulatory requirements

Assessing risk management and control of outsourced processes

Evaluating production, process, and quality controls

Checking how changes are managed and communicated

Reviewing how nonconformities and corrective actions are handled

Monitoring supplier performance and ongoing compliance

The results of a supplier audit are used to:

• Approve and qualify new suppliers
• Monitor existing supplier performance
• Identify risks within the supply chain
• Support regulatory inspections and audits
• Ensure continued product safety, quality, and compliance

Key ISO 13485 Clauses Relevant to Supplier Audits

• Clause 4.1.5 – Control of outsourced processes
• Clause 7.4 – Purchasing controls
• Clause 7.4.1 – Purchasing process
• Clause 7.4.2 – Purchasing information
• Clause 7.4.3 – Verification of purchased product
• Clause 8.4 – Analysis of data
• Clause 8.5 – Improvement (CAPA)

Supplier audits help demonstrate compliance with these clauses by providing objective evidence of supplier capability and control.

1. Supplier Classification and Risk Assessment

Before conducting any audit, organizations must verify that suppliers are properly classified and risk-ranked.

What Auditors Should Check

• Documented supplier classification criteria
• Risk-based rationale for audit frequency and depth
• Consideration of:
• Product criticality
• Impact on device safety and performance
• Regulatory impact
• History of nonconformities

Best Practices

• Critical suppliers (e.g., sterilization, PCB manufacturing, software development) should undergo on-site audits
• Low-risk suppliers may be assessed via questionnaires or remote audits
• Risk classification should be periodically reviewed and updated

2. Quality Management System (QMS) Compliance

A core objective of any supplier audit is to verify the supplier’s QMS maturity and alignment with ISO 13485.

Must-Check Areas

• ISO 13485 certification status and scope
• QMS documentation structure
• Quality manual and quality policy
• Management responsibility and accountability
• Internal audit program effectiveness
• Management review records

Red Flags

• Certification not covering supplied products or services
• Outdated procedures
• Weak internal audit findings or a lack of follow-up

3. Control of Documents and Records

Effective document and record control ensures traceability, consistency, and regulatory compliance.

Audit Focus Areas

• Document approval, revision, and distribution controls
• Obsolete document management
• Record retention policies
• Accessibility and integrity of records

Key Questions to Ask

• How are procedures approved and updated?
• How is document change communicated to personnel?
• Are electronic records validated and protected?

4. Personnel Competence and Training

Human error is a significant contributor to quality failures. Auditors must assess whether personnel are qualified and trained for their assigned roles.

Must-Check Elements

• Job descriptions linked to competency requirements
• Training matrices
• Training effectiveness evaluations
• Records for initial and ongoing training
• Awareness of regulatory and quality requirements

Best Practices

• Training effectiveness verified through observation or testing
• Regular refresher training for critical processes
• Clear linkage between training and process performance

5. Design and Development Controls (If Applicable)

For suppliers involved in design, software development, or R&D, design controls are critical.

Audit Scope Should Include

• Design and development planning
• Design inputs and outputs
• Design reviews
• Verification and validation activities
• Design transfer controls
• Design change management

Regulatory Expectation

Design controls must align not only with ISO 13485 but also with FDA 21 CFR 820.30 and EU MDR requirements when applicable.

6. Purchasing and Sub-Supplier Controls

Suppliers themselves often outsource processes. ISO 13485 requires them to control their own supply chain.

What to Audit

• Supplier qualification and approval processes
• Sub-supplier risk assessments
• Purchasing specifications
• Flow-down of regulatory and quality requirements
• Monitoring of sub-supplier performance

Common Nonconformities

• Lack of control over critical sub-suppliers
• Missing quality agreements
• No defined acceptance criteria

7. Production and Process Controls

Production controls ensure consistent output that meets specifications.

Key Audit Areas

• Process flow and controls
• Work instructions and standard operating procedures
• Process validation (where required)
• Environmental controls (cleanrooms, ESD, contamination control)
• Equipment qualification and maintenance

Special Processes

Processes that cannot be fully verified by inspection (e.g., sterilization, welding, molding) must be validated.

8. Equipment, Calibration, and Maintenance

Measurement accuracy directly impacts product quality.

Must-Check Points

• Equipment qualification records
• Preventive maintenance schedules
• Calibration programs
• Traceability to national/international standards
• Handling of out-of-tolerance equipment

Red Flags

• Overdue calibrations
• Missing calibration certificates
• No impact assessment for failed equipment

9. Material Control and Traceability

Traceability is a cornerstone of medical device compliance.

Audit Focus Areas

• Incoming material inspection
• Material identification and segregation
• Batch and lot traceability
• Status labeling (accepted, rejected, quarantine)
• Handling of customer-supplied material

Regulatory Importance

Traceability supports effective recalls, investigations, and regulatory reporting.

10. Change Control and Configuration Management

Uncontrolled changes are a major regulatory risk.

Must-Check Elements

• Change control procedures
• Risk assessments for changes
• Customer notification requirements
• Validation or verification of changes
• Configuration management for software and complex devices

Best Practices

• Formal change impact analysis
• Regulatory impact assessment included
• Clear approval authority

11. Nonconformance and CAPA Management

An effective CAPA system reflects a mature quality culture.

Audit Areas

• Nonconformance identification and documentation
• Root cause analysis methods
• CAPA implementation and verification
• Effectiveness checks
• Trending and data analysis

Common Weaknesses

• Superficial root cause analysis
• CAPAs not linked to risk
• No verification of effectiveness

12. Complaint Handling and Feedback (If Applicable)

For suppliers receiving complaints or performance feedback:

Must-Check Areas

• Complaint intake and evaluation procedures
• Regulatory reporting responsibilities
• Escalation processes
• Feedback loops with customers

Regulatory Expectation

Complaint handling must support vigilance and post-market surveillance activities.

13. Risk Management Integration

ISO 13485 requires risk-based thinking throughout the QMS.

Audit Focus

• Use of ISO 14971 principles
• Risk identification and mitigation
• Linkage between risk management and process controls
• Updates based on nonconformities and complaints

Best Practices

• Living risk management files
• Risk-based decision-making evident across processes

14. Quality Agreements and Communication

Clear communication prevents misunderstandings and compliance gaps.

Must-Check Documents

• Quality agreements
• Defined roles and responsibilities
• Escalation and communication pathways
• Regulatory inspection support obligations

15. Audit Reporting and Follow-Up

A supplier audit is only effective if findings are addressed.

Best Practices

• Clear, objective audit reports
• Classification of findings (critical, major, minor)
• Defined timelines for corrective actions
• Verification of CAPA effectiveness
• Risk-based follow-up audits

Before onboarding a new supplier, it is also important to review the Essential Questions to Ask a New Supplier Before You Start to ensure alignment with quality and regulatory expectations.

1. Inadequate supplier risk classification

Suppliers are not properly categorized based on their impact on product safety, performance, or regulatory compliance, leading to insufficient audit depth and oversight.

2. Weak change control processes

Changes to materials, processes, equipment, or software are not formally assessed, documented, or communicated, increasing the risk of unintended product impacts.

3. Poor documentation practices

Procedures, records, and work instructions are incomplete, outdated, or inconsistently followed, making it difficult to demonstrate compliance.

4. Ineffective CAPA systems

Root cause analysis is weak, corrective actions do not address the true cause of issues, or effectiveness checks are missing or inadequate.

5. Lack of process validation

Special processes that cannot be fully verified by inspection are not validated, or validation activities are incomplete or outdated.

6. Insufficient training records

Training requirements are not clearly defined, records are missing or incomplete, and training effectiveness is not evaluated.

Recognizing these trends allows auditors to better target critical processes, reduce compliance risks, and strengthen supplier quality oversight.

To better understand the purpose and value of supplier audits, read What Is a Supplier Audit? Why It’s Crucial Before Starting Production before initiating production activities.