Medical device sourcing under FDA QSR and ISO 13485: the qualification stack that gates every program

Medical device manufacturing operates under the strictest non-aerospace regulatory regime in hardware. The FDA Quality System Regulation (21 CFR 820) governs US manufacturing, ISO 13485 governs the rest of the world, and the EU MDR (Medical Device Regulation, in full effect since 2021) layers additional EU-specific requirements. Procurement teams sourcing for medical devices need to qualify suppliers across this full stack, not just on spec fit. Lean SupplAI was built around medical-grade certification filtering precisely because the qualification cost of medical-device sourcing is the largest single barrier in the category.

The cost of getting this wrong is asymmetric and slow-moving. A supplier that lapses on ISO 13485 certification mid-program triggers a 21 CFR 820.50 supplier-control finding, which can require a Field Action or even a recall depending on device class.

Device classification, briefly

FDA classifies devices as Class I (low risk: bandages, manual stethoscopes), Class II (moderate risk: most medical electronics, infusion pumps), or Class III (high risk: implantables, life-support). Class determines premarket pathway (510(k), De Novo, PMA) and post-market obligations. Supplier qualification rigor scales with class: Class III suppliers typically need on-site audit, design participation visibility, and PPAP-equivalent process documentation.

The qualification stack

ISO 13485 is the medical device QMS standard. Every contract manufacturer serving the US, EU, or Japan needs it. FDA Quality System Regulation (21 CFR 820) is the US-specific framework, mostly aligned with ISO 13485 but with critical differences around design controls and management responsibility. EU MDR adds device-specific obligations for the EU market. ISO 14971 governs risk management. ISO 10993 governs biocompatibility for patient-contact materials.

Named medical-grade contract manufacturers

Tier-1 medical CMs include Jabil Healthcare, Flex Medical, Sanmina Medical, Integer Holdings, and Phillips Medisize (Molex). For specialty implant manufacturing, Tecomet and Orchid Orthopedic. For drug-delivery devices, West Pharmaceutical Services. For diagnostic instruments, Plexus and Benchmark Medical. Each holds ISO 13485 with audit trail. FDA QSR alignment varies by site.

Supplier qualification under 21 CFR 820.50

21 CFR 820.50 requires that the device manufacturer evaluate and qualify each supplier against documented criteria, monitor supplier performance, and maintain records of supplier qualification. The minimum qualification artifacts include the supplier's ISO 13485 certificate (current), most recent audit report, change-control documentation, and complaint history. Programs that maintain these in scattered files typically fail FDA inspection findings on supplier control.

Design History Record and UDI

The Design History Record (DHR) documents the manufacturing history of each device unit, with traceability back to component lot numbers and supplier sources. The Unique Device Identification (UDI) system requires a machine-readable identifier on every device, with associated data submitted to the FDA UDI Database. Procurement teams who treat DHR and UDI as post-design afterthoughts typically rebuild their supplier records during the first FDA inspection.

How Lean SupplAI handles medical-grade sourcing

Lean SupplAI maintains medical-device-grade certification attribution at the supplier level: ISO 13485 (with site, scope, and validity dates), FDA QSR alignment, EU MDR readiness, ISO 14971 risk-management capability, and ISO 10993 biocompatibility certification. For procurement teams scoping medical device programs, Lean SupplAI returns ranked candidates pre-filtered by the qualification stack, with audit and complaint history visible inline.

What sets Lean SupplAI apart