What Makes a Supplier ‘Critical’
(and why it changes everything about your audit)
In medical device manufacturing, suppliers are not just business partners — they are extensions of your quality management system. Their processes, controls, and decisions can directly affect patient safety, product performance, and regulatory compliance. Yet, while all suppliers matter, some matter more than others. These are your critical suppliers, and understanding who they are — and how to audit them — can make the difference between a compliant, resilient QMS and one that fails under scrutiny.
One of the most common misconceptions in the industry is that “critical supplier” is a universal regulatory term. It isn’t. The only regulatory framework that formally defines the concept of a critical supplier is the Medical Device Single Audit Program (MDSAP). According to the MDSAP Audit Model (Task 9.2.2.1), a critical supplier is:
“A supplier delivering materials, components, or services that may influence the safety and performance of the device.”
This definition matters because it shifts the emphasis from simple purchasing control to risk-based evaluation. A supplier who provides sterile barrier systems, software used in safety-related functions, or validated sterilisation services is clearly “critical.” A printer supplying instructions-for-use leaflets may not be.
Other regulatory frameworks do not use the term “critical supplier” explicitly. ISO 13485:2016 requires organisations to “establish criteria for the selection, evaluation, and re-evaluation of suppliers” (§7.4.1) and to control outsourced processes (§4.1.5), but leaves the terminology open. EU MDR 2017/745 and IVDR 2017/746 expect manufacturers to demonstrate adequate supplier control, particularly for critical suppliers in the context of Notified Body assessments under Annex IX, but the term itself appears only in guidance, not law. The upcoming FDA QMSR (2026) aligns with ISO 13485 language and similarly stops short of defining supplier criticality.
To identify which suppliers fall into this category in your own QMS, ask three key questions:
Does this supplier’s output directly affect the safety or performance of our device?
Does this supplier perform a process required by regulation or essential to conformity assessment?
Would a failure at this supplier result in a significant quality, regulatory, or patient safety impact?
If the answer to any of these is yes, that supplier is functionally critical — regardless of whether the term appears in your QMS.
Once identified, critical suppliers must be treated differently from general vendors. This applies not only to supplier qualification but also to ongoing oversight and auditing. The audit depth, frequency, and follow-up expectations should all scale with the risk they present.
Audits of critical suppliers typically require:
On-site visits rather than purely remote assessments.
Process witnessing — observing production, testing, or sterilisation steps directly.
Validation evidence review, including equipment qualification, software validation, and process capability data.
Change-control scrutiny, especially where changes could affect device conformity.
Traceability checks, ensuring supplier documentation integrates cleanly into your device master records.
Auditing critical suppliers is more than a compliance requirement — it is a strategic exercise.
These audits often reveal systemic weaknesses, hidden risks, and opportunities for improvement that would never emerge from a paper-based review.
They also strengthen your regulatory position: demonstrating proactive supplier control is a key expectation under MDSAP, Annex IX MDR, and ISO 13485 §7.4.
In short, knowing which suppliers are truly critical — and auditing them accordingly — transforms supplier management from an administrative activity into a core part of risk management and product safety.