News & Commentary on ISO Management System Standards

    ISO 13485: Critical Subcontractors & Crucial Suppliers



    What suppliers to the Medical Device Sector need to know

    EU Regulations, EN Standards, Notified Body activities (including Surprise/Unannounced Audits), UK Regulations post-Brexit, MDSAP – all are changes that will impact your company’s Medical Device Management System (MDMS).  What strategy should you, as a supplier to the sector, adopt for implementing the ISO 13485 Standard and complying with the other applicable standards and requirements?


    Your ISO 13485-compliant MDMS will need to take the possibility of Unannounced Visits by Notified Bodies into account and, perhaps, introduce a Procedure to handle such an eventuality.



    The distinction between Critical Subcontractors and Crucial Suppliers 

    Distinguishing between critical subcontractors and crucial suppliers is crucial in the medical device industry because they have different impacts on the device's production, quality, and adherence to regulations. 

    Critical subcontractors directly contribute to designing, developing, or making crucial parts of the device.  As their work and potential mistakes could significantly impact the device's safety, effectiveness, or compliance with regulations, it is essential to have adequate controls to manage the associated risks. 

    On the other hand, crucial suppliers provide necessary materials or services for manufacturing but don't directly influence the device's specific design or function.  While their contributions are important for maintaining overall quality, they don't require the same level of examination as critical subcontractors because they don't directly impact the device's functionality. 

    When these distinctions are clearly understood, medical device manufacturers can allocate resources, manage risks, and implement custom controls more effectively. 

    Critical Subcontractors and Crucial Suppliers Defined 

    The European Commission Recommendation specifies that a critical subcontractor or a crucial supplier must be audited "if this is likely to ensure more efficient control, in particular, if the main part of the design development, manufacturing, testing or another crucial process is located with the subcontractor or supplier" (clause 2, point c and Annex III, point 2). 

    Note: As we point out in our ISO 13485 training, the difference between the choice of the words critical and crucial is of no consequence.  In the real world, you can use the terms interchangeably. 

    What is a Critical Supplier? 

    The official definition of "critical supplier" is provided by the Notified Bodies Operations Group (NBOG) Guide 'Guidance for Notified Bodies auditing suppliers to medical device manufacturers' (NBOG 2010-1):

    2.2 Critical supplier 

    A critical supplier is a supplier delivering materials, components, or services that may influence the safety and performance of the device. 

    Note: In the context of the audit of medical device manufacturers, a critical supplier is a supplier of a product or service, the failure of which to meet specified requirements could cause unreasonable risk to the patient, clinician, or others or could cause significant degradation in performance.  This can include suppliers of services needed for compliance with QMS or regulatory requirements, e.g., internal audit contractors or Authorized Representatives. 

    What is a Critical Subcontractor? 

    The usual interpretation is to consider that: 

    A Critical Subcontractor is 1) responsible for all or part of a Medical Device's design, 2) performs all or part of the manufacturing processes, or 3) carries out all or part of an activity concerning regulatory requirements (e.g., post-market data collection), and 

    A Crucial Supplier provides finished devices or critical subassemblies essential to the performance of the MD or critical raw materials. 

    The manufacturer must provide the Notified Body with the list of critical subcontractors and crucial suppliers per their risk management system.  This list is reviewed during the planned audits of the certification cycle.  There is no regulatory requirement for critical subcontractors and crucial suppliers to be informed of their inclusion on such a list. 

    What Different Regulatory Bodies Say About Critical Subcontractors and Crucial Suppliers 

    Regulatory bodies worldwide, albeit with differing emphasis, stress the importance of ensuring the quality, reliability, and safety of medical devices, including components and materials supplied by critical subcontractors and crucial suppliers.  

    Here's a quick look at what some of the most prominent regulatory bodies have to say about the topic: 

    European Union (EU) Regulations (MDR/IVDR): 

    The EU's Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR) include strict guidelines for managing the supply chain and overseeing critical subcontractors and suppliers in medical device manufacturing. 

    These regulations highlight the manufacturer's responsibility to follow specific rules and procedures and require careful supervision of critical subcontractors and suppliers. 

    For example, Article 10 of the MDR and Article 16 of the IVDR make it mandatory for manufacturers to establish robust quality management systems. These systems must include procedures to monitor, verify, and validate the involvement of critical subcontractors and suppliers. 

    To ensure compliance, Article 22 and related annexes in both regulations require manufacturers to keep detailed technical documentation that demonstrates compliance.  This documentation should cover control and information from suppliers.  

    Additionally, the regulations require monitoring device performance, conducting post-market surveillance, and meeting ISO 13485 standards. 

    FDA (US Food and Drug Administration): 

    The FDA currently does not have a direct definition for "critical supplier" or "critical subcontractor" in its regulations or official guidelines related to medical devices and other regulated products.  However, it emphasizes the importance of supplier controls and maintaining a reliable supply chain in terms of quality, safety, and effectiveness. 

    It expects medical device manufacturers to evaluate and select suppliers based on their ability to meet specified requirements and holds them responsible for ensuring that components, raw materials, and services provided by critical subcontractors do not compromise the safety and effectiveness of the device. 

    For example, the FDA's Quality System Regulation (QSR) under 21 CFR Part 820 includes provisions related to supplier controls, emphasizing the need for manufacturers to evaluate and select suppliers, define criteria for supplier acceptance, and ensure the quality of purchased components. 

    The Guidance, "Contract Manufacturing Arrangement for Drugs: Quality Agreements," on the other hand, discusses quality agreements between parties involved in drug manufacturing, emphasizing control over components and suppliers. 

    International Organization for Standardization (ISO): 

    ISO 13485, the standard for medical device management systems, does not directly mention "critical subcontractors" or "crucial suppliers" in specific clauses.  However, it does provide guidelines and criteria related to supplier management. 

    For instance, ISO 13485 Clause 7.4.1 focuses on the Purchasing Process, outlining the general requirements and requiring organizations to establish documented procedures to ensure that purchased products (components, materials, etc.) meet specified requirements.  

    Additionally, ISO 13485 Clause 7.4.2 emphasizes Purchasing Information, stating that this information must describe the product to be purchased, including applicable requirements for product approval, procedures, processes, and equipment.  While it does not directly mention critical subcontractors or crucial suppliers, it indirectly relates to the specific criteria for evaluating these suppliers. 

    There's also ISO 13485 Clause 7.4.3, which addresses the Verification of Purchased Products.  This clause deals with ensuring that purchased products meet specified purchase requirements.  

    Although it also doesn't directly mention critical subcontractors or crucial suppliers, it implies the need for verification processes, potentially covering how to evaluate these types of suppliers. 

    Lastly, the requirements outlined in Clauses 7.4.1 and 7.4.3 for establishing supplier evaluation criteria and verifying purchased products are relevant to Supplier Evaluation and Re-evaluation, including critical subcontractors or crucial suppliers, even though these specific terms are not directly mentioned. 

    Other Regulatory Bodies: 

    Regulatory bodies in different countries or regions have specific guidelines or requirements regarding critical subcontractors and suppliers in the medical device industry.  

    Health Canada, for example, underscores risk evaluation and traceability, requiring manufacturers to uphold detailed records of supplier qualifications while ensuring compliance with Canadian Medical Devices Regulations (CMDR) for suppliers. 

    The Ministry of Health, Labour and Welfare (MHLW) of Japan, on the other hand, emphasizes risk control and quality assurance, requiring manufacturers to secure compliance with Japan's Pharmaceutical Affairs Law (PAL) for suppliers.  They are also asked to maintain vigilance and reporting procedures for supplier-related issues affecting device safety. 

    In South Africa, the South African Health Products Regulatory Authority (SAHPRA) prioritizes risk-centered strategies and quality assurance, requiring manufacturers to document supplier assessments thoroughly.  Compliance with South African regulations for medical devices and health products by suppliers is strongly encouraged. 

    Meanwhile, Australia's Therapeutic Goods Administration (TGA) highlights a risk-focused approach and traceability, demanding manufacturers maintain comprehensive records concerning supplier management while emphasizing compliance with Australia's regulatory standards for medical devices. 

    Examples of Critical Subcontractors and Crucial Suppliers 


    | Critical Subcontractors | Crucial Suppliers |
    |---|---|
    | Electronic component manufacturer providing specialized microchips or electronic components crucial for the functionality of medical devices, such as pacemakers or implantable sensors. | Raw material supplier providing raw materials like metals, plastics, or polymers used in manufacturing various components of medical devices, including surgical instruments or device casings. |
    | Contract manufacturer for device assembly responsible for assembling critical components into the final medical device, ensuring proper integration and functionality. | Packaging material provider offering sterile packaging materials crucial for maintaining the sterility and integrity of medical devices during storage and transportation. |
    | Software development firm integral to the operation of medical devices, including firmware for diagnostic equipment or software for managing patient data in healthcare systems. | Adhesive supplier supplying specialized medical-grade adhesives used in assembling components of devices like wound closure materials or catheters. |
    | Specialized material supplier providing materials like biocompatible polymers, coatings, or unique alloys critical for manufacturing specific medical device components. | Precision tooling supplier providing precision tools, molds, or equipment necessary for the production of intricate medical device components or parts. |
    | Testing and validation service provider conducting testing, validation, and verification of critical device components or functionalities to ensure compliance and reliability. | Contract sterilization services offering services using methods like gamma irradiation or ethylene oxide (EO) gas crucial for ensuring device sterility and safety. |
    | Battery manufacturer specialized in producing custom batteries critical for powering implantable medical devices or portable medical equipment. | Biological reagents supplier that provides crucial biological reagents or biochemicals used in diagnostic assays or laboratory testing kits. |
    | Sensor technology developer that provides advanced sensor technologies crucial for accurate monitoring and data collection in medical devices like glucose monitors or wearables. | Cable and connector manufacturer that supplies high-quality cables and connectors used for electrical connections in various medical devices. |
    | Contract Research Organization (CRO) that conducts essential clinical trials or research studies integral for validating the efficacy and safety of medical devices. | Sterile packaging label supplier that supplies labels or printing solutions for sterile packaging, ensuring compliance and information accuracy. |
    | Microfluidics lab that develops microfluidic systems or chips for applications in diagnostic devices or lab-on-a-chip technologies. | Tubing and extrusion supplier that supplies medical-grade tubing or extruded materials essential for catheters, IV sets, or fluid delivery systems. |
    | Embedded software development firm that specializes in creating embedded software for controlling and managing functionalities in complex medical devices like imaging equipment. | Surgical glove supplier that provides high-quality surgical gloves essential for maintaining a sterile environment during medical procedures. |
    | Biocompatibility testing lab that conducts critical biocompatibility testing on materials used in medical devices to ensure compatibility with human tissues. | Pump and valve manufacturer that supplies pumps and valves critical for regulating fluid flow or pressure in medical devices like infusion pumps or respiratory equipment. |
    | Precision machining workshop that provides precision machining services for fabricating intricate and precise components for medical devices. | Antimicrobial coating supplier that offers antimicrobial coatings applied to medical device surfaces to prevent infections and improve safety. |
    | Surgical instrument manufacturer that specializes in producing precision surgical instruments or tools used in various medical procedures. | Medical gas supplier that provides medical-grade gases like oxygen, nitrogen, or anesthesia gases crucial for various medical procedures. |
    | Optical component supplier that provides essential optical components or lenses used in medical imaging devices or diagnostic equipment. | Laboratory equipment supplier that supplies laboratory equipment and instruments used in medical research or diagnostic laboratories. |
    | Regulatory consulting firm that offers consultancy services to assist in navigating complex regulatory requirements and obtaining approvals for medical devices. | Injection molding service provider that provides injection molding services for manufacturing plastic components used in medical devices. |
    | Packaging design specialist that specializes in designing packaging solutions compliant with regulatory standards and ensuring the protection of medical devices during transit. | Surface treatment service provider that offers surface treatment or finishing services to improve the durability and performance of medical device components. |
    | Microelectronics fabrication facility that fabricates microelectronics components and circuits crucial for miniaturized medical devices or implantable technologies. | Thermal management solution provider that provides solutions for managing thermal conditions in medical devices to prevent overheating or ensure temperature control. |
    | Implant coating service provider that offers specialized coatings applied to implantable medical devices for enhanced biocompatibility or drug elution. | Electromechanical component supplier that supplies electromechanical components used in devices like motors, switches, or actuators for various functionalities. |
    | Manufacturing automation solutions provider that develops automation systems crucial for streamlining and optimizing manufacturing processes in medical device production. | Wearable sensor manufacturer that develops sensors and components integrated into wearable devices for health monitoring or diagnostics. |
    | Wireless connectivity provider that offers wireless communication modules or technologies essential for connectivity in IoT-enabled medical devices. | Chemical supplier for sterilization that provides chemicals or supplies necessary for sterilization processes, ensuring device safety and compliance. |


    Advice for Critical Subcontractors or Crucial Suppliers 

    For businesses nominated as, or aiming to become, critical subcontractors or crucial suppliers in the medical device industry, it's essential to understand the significant responsibility involved before entering or taking a more active role in the market.  

    Here are some things you can do to make sure your business is going to be up for the task: 

    1. Understand Regulatory Requirements: Stay updated with regulations, standards, and guidelines relevant to your industry. Take special notice of regulatory requirements concerning the quality, safety, and efficacy of materials, components, or services.
    2. Implement an ISO Compliant Quality Management System (QMS): Implement and maintain quality management systems conforming to industry standards (e.g., ISO 13485) for consistency, reliability, and traceability in your processes.
    3. Document an Unannounced Audit Procedure: Be sure to include 1) instructions for greeting a Notified Body Auditor (and not refusing them entrance to the premises) and 2) arrangements for a Guide (and nominated substitute) to accompany the Auditor at all times.
    4. Ensure Product and Service Quality: Ensure the consistent supply of high-quality materials, components, or services that meet specified standards and specifications. Implement quality control measures, testing, and validation processes to verify the reliability and compliance of your offerings.
    5. Implement Proper Risk Management: Conduct risk assessments related to your products or services to identify, mitigate, and manage potential risks associated with your contributions to medical devices.
    6. Collaborate and Communicate: Build transparent and open communication channels with medical device manufacturers to align with their expectations, address concerns, and collaborate effectively. Participate in continuous dialogue to understand changing requirements and adapt accordingly.
    7. Ensure Proper Documentation and Traceability: Maintain comprehensive documentation, including records of processes, materials, and any changes made, ensuring traceability and accountability. Provide necessary documentation and certifications to support the compliance and quality of your offerings.
    8. Invest in Continuous Improvement and Innovation: Invest in research and development to improve products or services and ensure you're always up-to-date with the latest advances in technology and industry standards.
    9. Build a Resilient Supply Chain: Develop contingency plans to address potential disruptions, ensuring continuity of supply and minimizing adverse impacts on medical device production.
    10. Comply with Ethical and Environmental Standards: Ensure that ethical practices and environmental regulations are followed in manufacturing processes, ensuring sustainability and ethical sourcing of materials.
    11. Conduct Periodic Audits and Aim for Certification: Participate in audits and attain relevant certifications (if applicable) to demonstrate adherence to quality and regulatory standards.

    Advice for Medical Device Manufacturers with Critical Subcontractors and Crucial Suppliers

    If your business deals with critical subcontractors and crucial suppliers in the medical device industry, ensuring they meet strict quality and regulatory standards is essential.  

    Here's an example of a medical device supplier audit checklist that you can use to help your business evaluate would-be subcontractors or suppliers: 

    1. Assess critical subcontractors and crucial suppliers before engaging in business. Verify their capabilities, quality systems, and adherence to regulatory requirements.  Use the audit checklist to evaluate their compliance.
    2. Establish comprehensive quality agreements outlining expectations, responsibilities, quality standards, and regulatory compliance. Ensure alignment with your business's quality management system.
    3. Conduct periodic audits of critical subcontractors and crucial suppliers. Use the audit checklist to review their processes, facilities, documentation, and adherence to quality standards.
    4. Identify potential risks associated with critical suppliers and subcontractors. Mitigate these risks through proper monitoring, contingency planning, and collaboration.
    5. Continuously monitor the performance of subcontractors and suppliers against predefined metrics. Encourage ongoing improvement initiatives based on audit findings and feedback.
    6. Maintain open communication channels to address concerns, resolve issues, and share best practices. Collaboration fosters a mutually beneficial relationship, ensuring quality and compliance.
    7. Regulatory Compliance: Ensure that critical subcontractors and crucial suppliers comply with applicable regulations, standards, and guidelines specific to the medical device industry.
    8. Emphasize robust documentation and traceability of materials, processes, and products. Ensure that critical subcontractors and suppliers provide necessary documentation supporting compliance and quality.
    9. Establish procedures to promptly address non-conformities identified during audits. Work collaboratively to rectify issues and prevent a recurrence.
    10. Regularly review and evaluate the performance of critical subcontractors and crucial suppliers. Use this feedback to improve processes and enhance collaboration.

    EU Recommendations on Assessments and Audits by Notified Bodies

    In 2013, the European Commission published a Recommendation (2013/473/EU) regarding assessments and audits to be performed by Notified Bodies in the medical device field. The purpose of the unannounced audits is to assure day-to-day compliance with the manufacturer’s product and quality management systems.  

    Note: Under medical device regulations, the ‘manufacturer’ is the organization placing the product in the market and, consequently, the holder of the Marketing Authorizations.  Significant suppliers of goods and services to the ‘manufacturer’, wherever they sit in the supply chain, may be designated as ‘Critical Subcontractors and Crucial Suppliers’, as appropriate.

    A key aspect of this Recommendation is the mandatory requirement of unannounced audits for all manufacturers certified under one of the European medical device directives (AIMDD, MDD, IVDD and MDR, IVDR) at least once in every three years.

    In 2014, various European regulatory authorities, such as the Medicines and Healthcare Products Regulatory Agency (MHRA) in the UK, Health Products Regulatory Authority (HPRA) in Ireland and others, required that Notified Bodies fully implement their unannounced audit programs.  It is interesting to note in passing how a Regulatory Authority can convert a Recommendation, which by definition is non-mandatory, into a mandatory requirement!

    Unannounced audits must be performed at least once every three years, last at least a whole day, and should be conducted by a team of at least two auditors. They may take place on the premises of the manufacturer, of critical subcontractors, or of crucial suppliers.



    Who’s Responsible and Who Pays for Unannounced Audits?

    The European Commission Recommendation states that the costs associated with unannounced audits are paid for by the manufacturer, including the audits performed on the premises of its critical subcontractors/crucial suppliers.

    If the manufacturer refuses to pay, the contract between the Notified Body and the manufacturer may be breached, resulting in a suspension or even the withdrawal of certificates.

    Notified Bodies have processes and procedures for the management and control of unannounced audits, as well as the training of relevant staff. This adds to the conformity assessment costs, and manufacturers should factor these additional costs into their budgets.

    Who will be affected by unannounced audits?

    Examples of candidates for unannounced audits include:

    • Original Equipment Manufacturers (OEM)
    • Suppliers or subcontractors involved in the design and development of medical devices or software development
    • Suppliers or subcontractors providing processes that require validation, such as sterilization, sterile packaging, virus inactivation
    • Suppliers or subcontractors providing critical raw materials that are not fully verified by receiving inspection and testing, e.g. component or raw material for an implant, animal tissue materials

    Samples may also be taken during an unannounced audit at the supplier’s premises. The EU Recommendation requires performing tests at the premises of critical subcontractors or crucial suppliers. Such samples may only be taken at the site of the supplier with the manufacturer’s consent.



    What about Contractual Agreements with the Manufacturer?

    Many suppliers have proprietary processes and systems. Without a direct relationship (including a Confidentiality Agreement) established between a Notified Body and a firm’s supplier, how do Notified Bodies plan on conducting unannounced audits of proprietary processes? The unannounced auditing of critical suppliers has to be ensured by the legal manufacturer in supply contracts with the supplier.

    And, if the supplier does not allow the auditor to see all the processes that are used for manufacturing the product certified by the Notified Body, the audit team will document this in their audit report and recommend to the certification board the suspension of the certification.

    What format will the Unannounced Audit take?

    Mandatory elements to be audited in all unannounced audits include:

    • Conformity of selected device with the technical documentation and with legal requirements,
    • Traceability of all critical components and materials,
    • Traceability system,
    • Conformity of manufacturing activity ongoing at the time of the unannounced audit with legal requirements, and
    • Conformity of manufacturer’s documentation relevant for the manufacturing activity with legal requirements.

    Although the company is not notified of the planning of an unannounced audit by the Notified Body beforehand, the methodology is identical to that of an announced audit within the certification cycle. 

    At the end of the audit, if any non-conformities are found, they will be presented to the company. The testing of any samples identified during the audit, and their transport to the place where they will be tested, is the responsibility of the manufacturer.

    The UK Position

    Until the new Regulatory position on medical devices and IVDs is finalized and notified by the MHRA (and no due date has as yet been published), supply chain providers to UK-based manufacturers of medical devices are advised to follow the guidance and recommendations in this post.

    deGRANDSON Global is an ISO Certified Educational Organization

    In October 2021 we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.


    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems