QMSR Supplier Quality Requirements: Complete Management Guide
Reading time: 14 minutes | Last updated: December 2025
Supplier quality management under QMSR is more explicitly risk-based than under QSR. ISO 13485:2016 Clause 7.4 requires that supplier evaluation and control be "proportionate to the risk associated with the medical device"—a principle that sounds straightforward but requires systematic implementation.
Additionally, supplier audit records are now subject to FDA inspection, changing the documentation standards for supplier qualification activities.
This guide provides comprehensive coverage of QMSR supplier quality requirements—an area where competitors provide surprisingly little detail.
In this article:
- Key QMSR changes to supplier requirements
- Risk-based supplier classification framework
- Supplier evaluation and qualification process
- Ongoing supplier monitoring requirements
- Supplier audit documentation for FDA inspection
- Practical implementation guidance
Key Changes from QSR to QMSR
What QSR Required
21 CFR 820.50 required:
- Procedures for evaluating suppliers, contractors, and consultants
- Evaluation based on ability to meet specified requirements
- Type and extent of control required based on evaluation results and product impact
- Documented agreement that suppliers will notify the manufacturer of product/service changes
What QMSR Requires
ISO 13485:2016 Clause 7.4 requires:
- Evaluation and selection based on ability to supply product meeting requirements
- Criteria for selection, evaluation, and re-evaluation established
- Risk-proportionate control based on impact on product quality and risk associated with the medical device
- Documented purchasing information describing product to be purchased
- Verification of purchased product
The Significant Differences
1. Explicit risk-based approach
QSR mentioned "type and extent of control" but didn't explicitly require risk assessment. ISO 13485 requires controls "proportionate to the risk."
2. Re-evaluation requirements
QSR required initial evaluation. ISO 13485 explicitly requires ongoing re-evaluation.
3. Supplier audit records inspectable
Under QSR, 21 CFR 820.180(c) explicitly exempted supplier audit records from FDA inspection. QSIT procedures reinforced this exemption. Under QMSR, 820.180(c) has been revised to remove this exemption, and QSIT will be officially withdrawn February 2, 2026.
Risk-Based Supplier Classification Framework
Classification Approach
Effective supplier management requires categorizing suppliers by risk level and applying proportionate controls. Here's a practical framework:
Critical Suppliers (High Risk)
Definition: Suppliers whose products or services directly impact device safety, performance, or regulatory compliance.
Examples:
- Critical component suppliers (implant materials, active pharmaceutical ingredients)
- Sterilization service providers
- Contract manufacturers of finished devices
- Testing laboratories providing release testing
- Software suppliers (embedded software, QMS software)
Control requirements:
- Comprehensive initial qualification (audit, capability assessment)
- Documented quality agreements
- Incoming inspection or certificate of analysis verification
- Ongoing performance monitoring with defined metrics
- Periodic re-evaluation (audit or assessment)
- Change notification and approval requirements
Major Suppliers (Medium Risk)
Definition: Suppliers whose products or services significantly impact product quality or QMS effectiveness.
Examples:
- Non-critical component suppliers
- Packaging suppliers
- Calibration service providers
- Contract design services
- Raw material suppliers
Control requirements:
- Initial qualification (questionnaire, certification review)
- Quality agreements for critical quality characteristics
- Sampling inspection or certificate verification
- Performance tracking
- Re-evaluation based on performance and changes
Minor Suppliers (Low Risk)
Definition: Suppliers whose products or services have minimal impact on product quality.
Examples:
- Office supplies
- General maintenance services
- Non-critical equipment suppliers
- Commodity materials with no quality impact
Control requirements:
- Basic qualification (approved supplier list)
- Standard purchasing controls
- Periodic review of supplier list
- Upgrade classification if issues arise
Risk Assessment Criteria
When classifying suppliers, consider:
Product/Service Impact Factors:
- Direct vs. indirect impact on device function
- Criticality to device safety
- Regulatory requirements (e.g., traceability requirements)
- Patient contact or exposure
- Sterility impact
Supplier Risk Factors:
- Supplier quality history
- Industry reputation
- Certification status (ISO 13485, ISO 17025, etc.)
- Geographic and supply chain risks
- Financial stability
- Single source vs. multiple source availability
Document your classification rationale. FDA may ask why suppliers are categorized as they are.
Supplier Evaluation and Qualification Process
Initial Evaluation
Step 1: Define requirements
Before evaluating suppliers, clearly define:
- Product/service specifications
- Quality requirements
- Regulatory requirements (if applicable)
- Delivery and service requirements
- Documentation requirements
Step 2: Identify potential suppliers
Sources for supplier identification:
- Industry referrals
- Trade associations
- Customer recommendations
- Certification body registries
- Industry publications
Step 3: Preliminary assessment
For critical and major suppliers, conduct preliminary assessment:
- Supplier self-assessment questionnaire
- Certification verification (ISO 13485, ISO 9001, etc.)
- Financial stability review
- Reference checks
Step 4: Capability assessment
For critical suppliers, assess capability through:
- On-site audit
- Remote audit (if justified by risk)
- Process capability data review
- Sample evaluation
Step 5: Qualification decision
Document qualification decision including:
- Evaluation summary
- Risk classification with rationale
- Approved products/services scope
- Conditions or limitations (if any)
- Required quality agreement elements
Quality Agreements
For critical and major suppliers, establish documented quality agreements. Note: ISO 13485:2016 Clause 4.1.5 explicitly requires written quality agreements for outsourced processes (contract manufacturing, sterilization, etc.). For other critical suppliers, quality agreements are best practice and strongly recommended. A quality agreement should cover:
Product/Service Requirements:
- Specifications and acceptance criteria
- Test/inspection requirements
- Certificate of conformance/analysis requirements
- Traceability requirements
Quality System Requirements:
- Applicable quality standards
- Right to audit
- Record retention requirements
- Regulatory notification requirements
Change Control:
- Change notification requirements
- Change approval process
- Implementation timeline requirements
Problem Resolution:
- Nonconformance handling
- Corrective action requirements
- Root cause analysis expectations
- Communication protocols
Ongoing Supplier Monitoring
Performance Metrics
Track supplier performance using metrics appropriate to risk level:
Critical suppliers (track all):
- On-time delivery rate
- Quality acceptance rate (incoming inspection/receiving results)
- Certificate accuracy
- Corrective action response time and effectiveness
- Nonconformance frequency and severity
Major suppliers (track selected):
- On-time delivery rate
- Quality acceptance rate
- Corrective action responsiveness
Minor suppliers:
- General performance observations
- Issue frequency
Re-evaluation Process
ISO 13485 requires ongoing re-evaluation. Define:
Re-evaluation frequency:
- Critical suppliers: Annual comprehensive review
- Major suppliers: Annual performance review
- Minor suppliers: Biennial review or triggered by issues
Re-evaluation triggers (any supplier):
- Significant quality issues
- Delivery performance decline
- Certification changes
- Organizational changes (ownership, location)
- Corrective action failure
- Product/service changes
Re-evaluation activities:
- Performance data review
- Audit (for critical suppliers requiring periodic audits)
- Certification status verification
- Quality agreement review
- Classification reassessment
Supplier Corrective Action
When supplier issues occur:
For critical quality issues:
- Contain affected product/material
- Notify supplier immediately
- Require root cause analysis
- Require corrective action plan
- Verify implementation
- Assess effectiveness
- Document outcome
For repeat issues:
- Escalate to supplier management
- Require systemic corrective action
- Consider increased controls (inspection, audits)
- Evaluate supplier classification
- Document escalation decisions
Supplier Audit Documentation for FDA Inspection
What FDA May Request
Under QMSR, FDA investigators may request:
- Supplier audit reports
- Audit findings and observations
- Supplier corrective action documentation
- Evidence of corrective action verification
- Auditor qualification records
Documentation Standards
Supplier audit documentation should:
Demonstrate systematic approach:
- Audit scheduled per your audit program
- Scope appropriate to supplier risk and products/services
- Audit criteria clearly defined
Document findings clearly:
- Distinguish findings (nonconformities) from observations
- Reference specific requirements for each finding
- Include objective evidence supporting findings
Track corrective action:
- Supplier corrective action plan documented
- Implementation evidence obtained
- Effectiveness verification documented
- Closure documented with rationale
Maintain auditor records:
- Auditor training and qualification
- Auditor independence (not auditing their own suppliers)
Common Audit Documentation Problems
Problem: Audit reports that identify issues but show no corrective action follow-up.
Solution: Track all findings to closure with evidence before closing the audit.
Problem: Auditor qualification not documented.
Solution: Maintain auditor training records showing ISO 19011 or equivalent training.
Problem: Audit scope doesn't match supplier risk.
Solution: Document scope rationale based on supplier classification and products supplied.
Problem: Findings without clear requirement references.
Solution: Each finding should cite the specific requirement (ISO clause, specification section, quality agreement provision) that was not met.
Practical Implementation Guidance
For Companies Starting Fresh
Phase 1: Framework Development (Week 1-2)
- Define supplier classification criteria
- Create classification risk matrix
- Develop evaluation procedures for each classification level
- Create quality agreement template
Phase 2: Supplier Assessment (Week 2-4)
- Inventory current suppliers
- Classify each supplier using your framework
- Document classification rationale
- Identify evaluation gaps
Phase 3: Gap Closure (Week 4-8)
- Conduct evaluations for suppliers lacking adequate qualification
- Establish quality agreements with critical suppliers
- Define monitoring metrics and reporting
- Schedule re-evaluations per your defined frequency
For Companies Updating Existing Programs
Assessment:
- Review current supplier qualification records against ISO 13485 Clause 7.4
- Assess risk-basis documentation for supplier control decisions
- Review supplier audit records for FDA inspection readiness
- Identify gaps in evaluation, monitoring, or documentation
Updates:
- Add risk classification rationale to supplier records
- Update quality agreements to include all required elements
- Strengthen audit documentation with findings, corrective actions, and closure evidence
- Document auditor qualifications
For Companies with Limited Resources
If you can't audit every critical supplier:
Alternative assessment approaches:
- Third-party certification verification (ISO 13485 certificate scope review)
- Detailed supplier self-assessment with evidence requirements
- Remote/desktop audits using documentation review and video
- Industry consortium audits or shared audit reports
Document your rationale for using alternatives to on-site audits. Risk-based justification is key.
Supplier Quality Integration with Other QMS Processes
Connection to CAPA
Supplier issues may trigger CAPA:
- Repeated supplier nonconformances
- Supplier issues affecting product in field
- Systemic supplier problems
Ensure your CAPA procedure includes supplier issues as potential triggers.
Connection to Risk Management
Supplier risk should integrate with product risk management:
- Supply chain risks in risk analysis
- Single-source supplier risks
- Supplier quality capability in process risk
Connection to Management Review
Supplier performance should be reviewed in management review:
- Supplier quality metrics and trends
- Significant supplier issues and corrective actions
- Supplier changes affecting quality
- Re-evaluation outcomes
QMS.Coach LLC | neel@qms.coach