Devine Guidance

Not all Suppliers Need Audits

By Dr. Christopher Joseph Devine

Why audit suppliers? We explain why some audits are necessary while most are not.

Dr. D has some very good news for the readers. Medical device manufacturers are not required to audit their suppliers. But hey, if you do not believe the doctor, Dr. D has taken the time to cut-and-paste the requirement from §820.50 (Purchasing Controls).

Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.

(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:

  1. Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
  2. Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
  3. Establish and maintain records of acceptable suppliers, contractors, and consultants.

(b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services.

Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with 820.40.

Now that you have taken the time to read it, please point out to the doctor where it mentions that an audit of suppliers is mandatory. How about ISO 13485:2003? Will you find the need to audit suppliers scripted there? Once again, the good doctor has taken the opportunity to cut-and-paste Clause 7.4.1 of ISO 13485:2003 (Purchasing Process).

• The organization shall establish documented procedures to ensure that purchased product conforms to specified purchase requirements.

• The type and extent of control applied to the supplier and the purchased product shall be dependent upon the effect of the purchased product on subsequent product realization or the final product.

• The organization shall evaluate and select suppliers based on their ability to supply product in accordance with the organization’s requirements. Criteria for selection, evaluation and re-evaluation shall be established. Records of the results of evaluations and any necessary actions arising from the evaluation shall be maintained (see 4.2.4).

Can you point out where supplier audits are mandated by clause 7.4.1? Of course you can’t, because the requirement does not exist. So why bother auditing suppliers? The salient requirement is to evaluate and select suppliers premised on requirements. How a device manufacturer does this is entirely up to them. In this issue of Devine Guidance, the doctor is going to explain why some audits are necessary and most are not. Enjoy.

Let’s start with understanding risk

You would not buy a car without test driving it first, so why would a device manufacturer attempt to purchase product from a new supplier without visiting and kicking the proverbial tires? For medical device manufacturers, it is incumbent upon the organization to investigate the capabilities of potential suppliers prior to the commencement of any procurement activities. I strongly recommend starting with the moderately famous and extremely useful D & B, and no, I am not a paid spokesperson for this service. The Dun & Bradstreet report provides a condensed business synopsis on potential suppliers and can save an organization from much grief and pain if potential suppliers have cash flow issues, pending litigation, or other significant problems that can influence their business both short and long term. Remember, if a potential supplier is experiencing business problems, those problems will quickly become the problem of your organization if the decision is made to proceed with the relationship. Now, I am not implying the D & B should be the all-encompassing selection tool; however, it should carry some weight with regard to the selection process.

The second important factor relating to risk is the potential failure of a procured component and the influence a failed component could have on the finished medical device. I strongly recommend, early in the design and development process, linking the component failure risk back to the design and preferably to the design Failure Mode and Effects Analysis (dFMEA). Additionally, best-in-class industry practices drive the alignment of suppliers into categories premised on risk and organizational need (reference Table 1.0). For example, when selecting a supplier for providing a disposable manufacturing aid such as finger cots, the selection and evaluation process will differ dramatically from that of a contract manufacturer.

Requirements drive supplier evaluation process

You would not buy a house without sharing with your real-estate agent some basic requirements as to what your needs are, i.e., size, rooms, location, etc. Well, guess what? The supplier selection process cannot commence until basic requirements and needs are defined by your organization. For all of you engineers used to working from a napkin drawing, once your ideas are captured and formulated, a formal document really needs to be created, e.g., component specification. Additionally, when defining these requirements the approach pursued must be cross-functional. Yes, engineers are driving the train because they are tasked with owning the design and development. However, quality, regulatory, manufacturing, procurement, materials, supply chain, marketing, etc. are key stakeholders and should provide input into the selection process. Furthermore, if a candidate supplier possesses a quality system certified by a recognized registrar or notified body, the premise of the initial supplier visit can be focused on process and overall business capabilities. Finally, because developing suppliers and qualifying material is expensive, never let one functional group be the sole stakeholder in the selection process. The final decision to approve and add a supplier to your organization’s Approved Vendor’s List (AVL) must be a collaborative one.

Different Approaches to Supplier Audits

Yes, believe it or not, there are different types of supplier audits. Remember, there is no one-shoe-fits-all approach. Let’s face it, there are some suppliers you are going to need to visit. High-risk suppliers (quality, regulatory, or business-risk related), critical component suppliers, sterilization facilities, and contract manufacturers should be on the list for an on-site audit. Yes, trust is important; however, there is too much risk at stake by not visiting these suppliers. In fact, Dr. D recommends an annual visit for suppliers considered high-risk.

The doctor also recommends developing a core set of quality/compliance related questions that can be used for all audits. These questions should align with ISO 13485 or 21 CFR, Part 820, as applicable. The balance of questions for an on-site audit should be commodity specific. For example, if the audit is being performed at an EO sterilization facility, then the process-related questions should be ISO 11135-1 centric. If the audit is of a testing laboratory or a metrology supplier, the process-related questions should be ISO/IEC 17025 centric.

So what are the different types of supplier audits that can be used to establish evidence that the approach to supplier selection and supplier management is effective? The doctor has identified four types of assessments that are defendable during an audit or inspection, provided the supporting SOP adequately defines the process:

  1. On-site supplier audit (full QMS & process assessment);
  2. On-site focused audit (targeting a specific problem or process);
  3. Mail-in audit (basic supplier questionnaire used to compile QMS and basic business information); and
  4. Telephone (desk-top) audit (request for a copy of the ISO certificate(s), quality manual, and list of SOPs supporting the QMS).

The next logical question needing to be asked is, “What is the frequency of supplier re-evaluations?” The doctor’s answer is, “It depends.” The doctor recommends auditing critical suppliers at least once a year. However, just like initial supplier audits, re-evaluation audits need to be premised on risk (business, quality, and regulatory). Table 1.0 reflects the categorization of suppliers premised on risk.

Table 1.0 – Supplier Categorization Premised on Risk

Category 1: Annual On-Site Assessment Mandatory – Due to Risk
• Contract Manufacturers, Sterilization Facility

Category 2: On-Site Assessment Mandatory (Premised on Schedule & Risk)
• Components Identified as Critical Premised on the Device FMEA
• Laboratory Services Providers
• Analytical Test Labs
• Calibration/Metrology Provider
• Notified Bodies
Re-Audit Frequency: Two Years

Category 3: On-Site Assessment is optional (Premised on Risk) / Mail-In Survey Required
• Non-Critical Custom Material, Process, and/or Component
• Offsite Record Storage
• Environmental Services Provider
Re-Audit Frequency: Three Years

Category 4: Mail-In Survey is optional (providing certifications are current)
Current ISO 9001 or ISO 13485 Certificates; Lead Auditor Certificate; Resume, etc., are acceptable in lieu of survey.
• Standard Catalog Component Manufacturers
• Low-Risk Components
• Distributors of Catalog Components
• Consultants
• Facility Services, i.e., Janitorial Services, Pest Control, etc.
Re-Audit Frequency: When Certificates Expire

Category 5: No Requirement for Quality System Assessments – Purchase Order Only
• Transportation Services (UPS, USPS, etc.)
• Disposable Supplies (wipes, finger cots, etc.)

I think the most important takeaway from this edition of DG is the understanding that supplier audits are important tools; however, regulations and standards give device manufacturers much flexibility when implementing a supplier audit program that is effective for their organization. Should suppliers be audited? Absolutely; however, the doctor recommends pursuing a common-sense approach when scripting an audit program. If you need help, feel free to contact Dr. D.

In closing, the doctor hopes you have found some value in this week’s guidance. Cheers from Dr. D. and best wishes for continued professional success. 


  1. Code of Federal Regulations. (2012, April). Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
  2. Devine, C. (2009, July). Exploring the effectiveness of defensive-receiving inspection for medical device manufacturers: a mixed method study. Published doctoral dissertation. Northcentral University. Prescott Valley, AZ.
  3. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  4. Devine, C. (2011). White paper – effective supplier management in support of the medical device industry. Copyright 2011 and available upon request from Dr. C. J. Devine.
  5. ISO 13485:2003. (2004, February). Medical devices – quality management systems – requirements for regulatory purposes (ISO 13485:2003).

About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International