ISO 13485: Critical Subcontractors & Crucial Suppliers



    What suppliers to the Medical Device Sector need to know

    EU Regulations, EN Standards, Notified Body activities (including Surprise/Unannounced Audits), UK Regulations post-Brexit, MDSAP – all are changes that will impact your company’s Medical Device Management System (MDMS).  What strategy should you, as a supplier to the sector, adopt for implementing the ISO 13485 Standard and for complying with the other applicable standards and requirements?

    Your ISO 13485-compliant MDMS will need to take the possibility of Unannounced Visits by Notified Bodies into account and, perhaps, introduce a Procedure to handle such an eventuality.


    EU Recommendations on Assessments and Audits by Notified Bodies

    In 2013, the European Commission published a Recommendation (2013/473/EU) regarding the assessments and audits to be performed by Notified Bodies in the medical device field. The purpose of unannounced audits is to verify the manufacturer’s day-to-day compliance, both of its products and of its quality management system, rather than the prepared state it presents at a scheduled audit.

    Note: Under medical device regulations, the ‘manufacturer’ is the organization placing the product on the market and, consequently, the holder of the Marketing Authorizations.  Significant suppliers of goods and services to the ‘manufacturer’, wherever they sit in the supply chain, may be designated as ‘Critical Subcontractors’ or ‘Crucial Suppliers’, as appropriate.

    A key aspect of this Recommendation is the requirement for unannounced audits, at least once every three years, of all manufacturers certified under one of the European medical device directives (AIMDD, MDD, IVDD); the Regulations that replaced them (MDR, IVDR) carry the unannounced audit requirement forward.

    In 2014, various European regulatory authorities, such as the Medicines and Healthcare products Regulatory Agency (MHRA) in the UK, the Health Products Regulatory Authority (HPRA) in Ireland and others, required that Notified Bodies fully implement their unannounced audit programs.  It is interesting to note in passing how a Regulatory Authority can convert a Recommendation, which by definition is non-mandatory, into a mandatory requirement!

    Unannounced audits must be performed at least once every three years, last at least a whole day, and should be conducted by a team of at least two auditors. They may take place on the premises of the manufacturer, of critical subcontractors, or of crucial suppliers.





    Critical Subcontractors and Crucial Suppliers defined

    The European Commission Recommendation specifies that a critical subcontractor or a crucial supplier must be audited “if this is likely to ensure more efficient control, in particular, if the main part of the design development, manufacturing, testing or another crucial process is located with the subcontractor or supplier” (clause 2, point c and Annex III, point 2).

    Note: As we point out in our ISO 13485 training, the difference between the choice of the words critical and crucial is of no consequence.  In the real world, you can use the terms interchangeably.

    What is a Critical Supplier?

    The official definition of "critical supplier" is provided by the Notified Bodies Operations Group (NBOG) Guide ‘Guidance for Notified Bodies auditing suppliers to medical device manufacturers’ (NBOG BPG 2010-1):

    2.2 Critical supplier

    A critical supplier is a supplier delivering materials, components, or services that may influence the safety and performance of the device.

    Note: In the context of the audit of medical device manufacturers, a critical supplier is a supplier of a product or service, the failure of which to meet specified requirements could cause unreasonable risk to the patient, clinician or others, or could cause significant degradation in performance. This can include suppliers of services, which are needed for compliance with QMS or regulatory requirements, e.g. internal audit contractors or Authorized Representatives.

    What is a Critical Subcontractor?

    The usual interpretation is as follows:

    • A critical subcontractor carries out all or part of the MD's design, performs all or part of the manufacturing processes, or carries out all or part of an activity related to regulatory requirements (e.g. post-market data collection), and
    • A crucial supplier provides finished devices, key subassemblies essential to the performance of the MD, or critical raw materials.

    The manufacturer must provide the Notified Body with the list of critical subcontractors and crucial suppliers, derived from its risk management system. This list is reviewed during the planned audits of the certification cycle. Note that there is no regulatory requirement for the critical subcontractors and crucial suppliers to be informed of their inclusion on such a list.

    For more on ISO 13485 Certification for critical subcontractors or crucial suppliers, see ISO 13485 for those not making Medical Devices.




    Who’s Responsible and Who Pays for Unannounced Audits?

    The European Commission Recommendation states that the costs associated with unannounced audits are paid for by the manufacturer, including the audits performed on the premises of its critical subcontractors/crucial suppliers.

    If the manufacturer refuses to pay, it is in breach of its contract with the Notified Body, which can result in the suspension or even the withdrawal of its certificates.

    Notified Bodies have processes and procedures for the management and control of unannounced audits, as well as the training of relevant staff. This adds to the conformity assessment costs, and manufacturers should factor these additional costs into their budgets.

    Who will be affected by unannounced audits?

    Examples of candidates for unannounced audits include:

    • Original Equipment Manufacturers (OEM)
    • Suppliers or subcontractors involved in the design and development of medical devices or software development
    • Suppliers or subcontractors providing processes that require validation, such as sterilization, sterile packaging, virus inactivation
    • Suppliers or subcontractors providing critical raw materials that are not fully verified by receiving inspection and testing, e.g. component or raw material for an implant, animal tissue materials

    Samples may also be taken during an unannounced audit at the supplier’s premises: the EU Recommendation provides for the testing of samples taken at the premises of critical subcontractors or crucial suppliers. Because the Notified Body’s contract is with the manufacturer, such samples may only be taken at the supplier’s site with the manufacturer’s consent.




    What about Contractual Agreements with the Manufacturer?

    Many suppliers have proprietary processes and systems. Without a direct relationship (including a Confidentiality Agreement) between a Notified Body and a firm’s supplier, how do Notified Bodies plan on conducting unannounced audits of proprietary processes? The answer is that the legal manufacturer must secure, in its supply contracts, the supplier’s agreement to unannounced audits by the manufacturer’s Notified Body.

    If the supplier does not allow the auditor to see all the processes used to manufacture the product certified by the Notified Body, the audit team will document this in its audit report and recommend to the certification board that the manufacturer’s certification be suspended.

    What format will the Unannounced Audit take?

    Mandatory elements to be audited in all unannounced audits include:

    • Conformity of selected device with the technical documentation and with legal requirements,
    • Traceability of all critical components and materials,
    • Traceability system,
    • Conformity of manufacturing activity ongoing at the time of the unannounced audit with legal requirements, and
    • Conformity of manufacturer’s documentation relevant for the manufacturing activity with legal requirements.

    Although the company is not notified of the planning of an unannounced audit by the Notified Body beforehand, the methodology is identical to that of an announced audit within the certification cycle. 

    At the end of the audit, if any non-conformities are found, they will be presented to the company. The testing of any samples identified during the audit, and their transport to the place where they will be tested, is the responsibility of the manufacturer.

    Recommended actions for Suppliers to Medical Device Manufacturers

    If your company is or is intending to become a supplier to a medical device manufacturer, we suggest:

    • Review, or establish in your supply contract, whether your company is listed as a critical subcontractor or crucial supplier in the documentation the manufacturer submits to the Notified Body, and ensure that the contract obliges the manufacturer to inform you of any change in your status on such a list.
    • Ask your customer to share their risk assessment information in relation to the product and/or services you provide.
    • Develop a protocol/procedure for dealing with an unannounced audit.
    • Train relevant staff in the protocol/procedure.
    • Do a simulated unannounced visit (with your consultant as the auditor, perhaps) to give staff practice in the protocol/procedure and to ensure that your arrangements are robust.

    The UK Position

    Until the new regulatory position on medical devices and IVDs is finalized and notified by the MHRA (no due date has yet been published), supply chain providers to UK-based manufacturers of medical devices are advised to follow the guidance and recommendations in this post.





    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
