Medical devices are rarely made by one company anymore.
A single finished device might involve contract manufacturers, component suppliers, software vendors, sterilization partners, packaging providers, testing labs, and logistics partners. That makes supplier quality one of the most important — and most underestimated — parts of med tech compliance.
QMSR makes this even more important. FDA's updated quality system regulation incorporates ISO 13485:2016, which places strong emphasis on controlled processes, outsourced activities, supplier management, and risk-based quality oversight.
Here is the practical issue: manufacturers are still responsible for the quality of the finished device, even when critical work happens outside their walls.
That means supplier files cannot just be a folder of certificates and onboarding forms. They need to show an active control system. Who approved the supplier? What risks do they introduce? What specifications were flowed down? How is performance monitored? What happens when they change a process, material, facility, or sub-supplier?
This matters because supplier changes can quietly become product changes. A new resin. A different adhesive. A changed sterilization cycle. A packaging material substitution. Each one can create downstream regulatory, quality, or safety implications.
What manufacturers should pay attention to:
Supplier quality should be connected to product risk. Not every supplier needs the same level of control, but every critical supplier needs the right level of evidence.
Bottom line: In the QMSR era, supplier quality is not procurement housekeeping. It is part of the device's safety story.