The Critical Supplier Audit Playbook

Evidence, Questions, and Red Flags

A critical supplier audit is one of the most important oversight activities a medical device manufacturer performs.

These suppliers directly affect product safety and performance, so auditing them requires a structured, evidence-driven, and risk-based approach.

The following playbook provides a framework for planning, conducting, and following up on critical supplier audits.

  1. Preparation: Define the Scope and Objectives 
    Start with a clear understanding of why the supplier is critical. Are they providing sterilisation services? Writing embedded software? Manufacturing a finished component? The audit scope should be built around the processes that directly affect product conformity. Review previous audit reports, supplier performance data, complaint trends, and any relevant CAPA or change records before arriving on site.

  2. Documentation Review: Build the Baseline 
    Begin the audit with a thorough review of documentation. Key records include supplier quality agreements, validation reports, process change logs, training records, calibration certificates, and design documentation (if applicable). Pay particular attention to ISO 13485 §7.4.1 (supplier selection and evaluation), §4.1.5 (outsourced processes), and any records demonstrating compliance with regulatory requirements such as MDR Annex IX or MDSAP Task 9.2.2.

  3. Process Witnessing: Go Beyond the Paperwork 
    Critical supplier audits should involve direct observation of key processes. Watching a sterilisation cycle, software build process, or packaging validation run reveals far more than a document review alone. This also allows the auditor to verify that documented procedures are being followed in practice — a common source of nonconformity.

  4. Risk and Change Management: Ask the Hard Questions 
    A core focus area is how the supplier manages risk and change. Ask how process risks are identified, documented, and mitigated. Review how change requests are assessed for regulatory impact and how customers are notified. Evidence of formal change-control boards, documented impact assessments, and risk file updates should all be expected.

  5. Supplier CAPA: Verify Effectiveness, Not Just Existence 
    A CAPA process that exists on paper but fails in practice is one of the most damaging weaknesses a critical supplier can have. Ask for evidence of root cause analysis, containment actions, verification of effectiveness, and follow-up reviews. Trace CAPAs to related complaints, nonconformities, or audit findings to ensure closed-loop control.

  6. Red Flags: What Should Trigger Concern 
    Some findings warrant particular attention and should trigger immediate escalation or follow-up. These include: 
    - Lack of documented validation for critical processes 
    - Evidence of uncontrolled change implementation 
    - Poor linkage between risk management and operational controls 
    - Repeated CAPA failures or ineffective root cause analysis 
    - Absence of traceability from supplied materials to finished devices

  7. Follow-Up: Drive Improvement, Not Just Compliance 
    A critical supplier audit does not end with the report. Follow-up actions — from CAPA verification to schedule adjustments — are essential. Consider risk-based re-audits, joint improvement projects, or supplier development plans as part of your long-term oversight strategy.

A well-planned and well-executed critical supplier audit is one of the most powerful tools a manufacturer has. It strengthens the reliability of your supply chain, improves device safety, and demonstrates to regulators that you are in control of your outsourced processes — exactly what MDSAP, ISO 13485, and MDR expect.

Build audits that stand up to scrutiny.

 

If you want an audit process that’s risk-based, evidence-led, and regulator-ready, we can support you in putting it in place.
