ISO 13485: Critical Subcontractors and Crucial Suppliers


What recent and imminent changes need to be included in an updated MDMS?

EU Regulations, EN Standards, Notified Body activities (including Surprise/Unannounced Audits), Brexit, MDSAP – all are changes that will impact your company’s Medical Device Management System (MDMS).  What strategy should you adopt to ease your transition to the ISO 13485 Standard and to compliance with the other changes where applicable?

Your ISO 13485:2016 Implementation will need to take the possibility of Unannounced Visits by Notified Bodies into account and, perhaps, introduce a Procedure to handle such an eventuality.

EU Recommendations on Assessments and Audits by Notified Bodies

In 2013, the European Commission published a Recommendation (2013/473/EU) regarding assessments and audits to be performed by Notified Bodies in the medical device field. The purpose of the unannounced audits is to assure day-to-day compliance with the manufacturer’s product and quality management systems.  

Note: Under medical device regulations the ‘manufacturer’ is the organization placing the product on the market and, consequently, the holder of the Marketing Authorizations. Significant suppliers of goods and services to the ‘manufacturer’, wherever they sit in the supply chain, are designated ‘Critical Subcontractors’ or ‘Crucial Suppliers’, as appropriate.

A key aspect of this Recommendation is the mandatory requirement of unannounced audits for all manufacturers certified under one of the European medical device directives (AIMDD, MDD, IVDD and MDR, IVDR) at least once in every three years.

In 2014, various European regulatory authorities, such as the Medicines and Healthcare products Regulatory Agency (MHRA) in the UK, Health Products Regulatory Authority (HPRA) in Ireland and others, required that Notified Bodies fully implement their unannounced audit programs.  It is interesting to note in passing how a Regulatory Authority can convert a Recommendation, which by definition is non-mandatory, into a mandatory requirement!

Unannounced audits must be performed at least once every three years, last at least a whole day, and should be conducted by a team of at least two auditors. They may take place on the premises of the manufacturer, of critical subcontractors, or of crucial suppliers.




Critical Subcontractors and Crucial Suppliers

The European Commission Recommendation specifies that a critical subcontractor or a crucial supplier must be audited “if this is likely to ensure more efficient control, in particular if the main part of the design development, manufacturing, testing or another crucial process is located with the subcontractor or supplier” (clause 2, point c and Annex III, point 2).

What is a Critical Supplier?

The official definition of "critical supplier" is provided by the Notified Bodies Operations Group (NBOG) Guide ‘Guidance for Notified Bodies auditing suppliers to medical device manufacturers’ (NBOG 2010-1).

2.2 Critical supplier

A critical supplier is a supplier delivering materials, components, or services that may influence the safety and performance of the device.

Note: In the context of the audit of medical device manufacturers, a critical supplier is a supplier of a product or service, the failure of which to meet specified requirements could cause unreasonable risk to the patient, clinician or others, or could cause significant degradation in performance. This can include suppliers of services, which are needed for compliance with QMS or regulatory requirements, e.g. internal audit contractors or Authorized Representatives.

What is a Critical Subcontractor?

The usual interpretation is to consider that

  • A critical subcontractor ensures all or part of the MD's design, or performs all or part of the manufacturing processes, or carries out all or part of an activity in relation to regulatory requirements (e.g.: post-market data collection), and
  • A crucial supplier provides finished devices, or key subassemblies essential to the performance of the MD, or critical raw materials.

The manufacturer must provide the Notified Body with the list of critical subcontractors and crucial suppliers as per their risk management system. This list is reviewed during the planned audits of the certification cycle.  There is no regulatory requirement for the critical subcontractors and crucial suppliers to be informed of their inclusion on such a list.

For more on ISO 13485 Certification for critical subcontractors or crucial suppliers, see ISO 13485 for those not making Medical Devices.


Who’s Responsible and Who Pays for Unannounced Audits?

The European Commission Recommendation states that the costs associated with unannounced audits are paid for by the manufacturer, including the audits performed on the premises of its critical subcontractors/crucial suppliers.

If the manufacturer refuses to pay, the contract between the Notified Body and the manufacturer may be breached, resulting in suspension, or even withdrawal, of certificates.

Notified Bodies have processes and procedures for the management and control of unannounced audits, as well as the training of relevant staff. This adds to the costs of the conformity assessment and manufacturers should factor these additional costs into their budgets.

Who will be affected by unannounced audits?

Examples of candidates for unannounced audits include:

  • Original Equipment Manufacturers (OEM)
  • Suppliers or subcontractors involved in the design and development of medical devices or software development
  • Suppliers or subcontractors providing processes that require validation such as sterilization, sterile packaging, virus inactivation
  • Suppliers or subcontractors providing critical raw materials that are not fully verified by receiving inspection and testing, e.g. component or raw material for an implant, animal tissue materials

Samples may also be taken during an unannounced audit at the supplier’s premises. The EU Recommendation requires performing tests at the premises of critical subcontractors or crucial suppliers. Such samples may only be taken at the site of the supplier with the manufacturer’s consent.





What about Contractual Agreements with the Manufacturer?

Many suppliers have proprietary processes and systems. Without a direct relationship (including a Confidentiality Agreement) established between a Notified Body and a firm’s supplier, how do Notified Bodies plan on conducting unannounced audits of proprietary processes? The unannounced auditing of critical suppliers has to be ensured by the legal manufacturer in supply contracts with the supplier.

If the supplier does not allow the auditor to see all the processes that are used for manufacturing the product certified by the Notified Body, the audit team will document this in their audit report and recommend to the certification board the suspension of the certification.

What format will the Unannounced Audit take?

Mandatory elements to be audited in all unannounced audits include:

  • Conformity of selected device with the technical documentation and with legal requirements,
  • Traceability of all critical components and materials,
  • Traceability system,
  • Conformity of manufacturing activity ongoing at the time of the unannounced audit with legal requirements, and
  • Conformity of manufacturer’s documentation relevant for the manufacturing activity with legal requirements.

Although the company is not notified of the planning of an unannounced audit by the Notified Body beforehand, the methodology is identical to that of an announced audit within the certification cycle. 

At the end of the audit, if any non-conformities are found, they will be presented to the company. The testing of any samples identified during the audit, and their transport to the place where they will be tested, is the responsibility of the manufacturer.

Recommended Actions for Medical Device Manufacturers

If your company is, or intends to become, a supplier to a medical device manufacturer, we suggest that you:

  • Review or establish in your Supplier Contract whether your company is listed as a critical subcontractor, or a crucial supplier, in the documentation submitted to the Notified Body, and ensure that there is an obligation to inform you of any change in your status on such a list.
  • Ask your customer to share their risk assessment information in relation to the product and/or services you provide.
  • Develop a protocol/procedure for dealing with an unannounced audit.
  • Train relevant staff in the protocol/procedure.
  • Do a simulated unannounced visit (with your consultant as the auditor, perhaps) to give staff practice in the protocol/procedure and to ensure that your arrangements are robust.

The UK Position

Until the new Regulatory position on medical devices and IVDs is finalized and notified by the MHRA (and no due date has as yet been published), supply chain providers to UK-based manufacturers of medical devices are advised to follow the guidance and recommendations in this post.


NOTE: First published November 2017; Reviewed and updated March 2021


Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems