
Who is a critical supplier in the context of ISO 13485?

When developing medical software compliant with the Medical Device Regulation (MDR), an auditor might ask you if you have any critical suppliers. Who is a critical supplier in the context of ISO 13485 and MDR? Let’s dive into it.

Critical supplier of medical software – a challenging definition

Critical supplier is a term commonly used by notified bodies and generally applied in medical industry practice.

Notified Bodies Operations Group (NBOG) defines a critical supplier as a “supplier delivering materials, components, or services that may influence the safety and performance of the device”, causing unreasonable risk to the patient, clinician, or other users of the said medical device (source: NBOG).

Basically speaking, it’s a company that you, a legal manufacturer, decided to work with to develop medical software. It won’t be any company, though – only those whose potential malfunction can pose a risk to the users of your device. We will share some examples later on, but for now, let’s focus on defining this concept.

TIP

You can find another definition of critical supplier in the MDSAP Audit Approach Guidance.

Critical supplier – ISO 13485 and Medical Device Regulation definition

You might wonder, does ISO 13485 define a critical supplier? Unfortunately, there isn't a definition of the critical supplier in this standard. Also, you won't find the words "critical supplier" in the MDR (2017/745) or IVDR (In Vitro Diagnostic Regulation – 2017/746). So, why do auditors ask about critical suppliers? It's due to the section "Purchasing" (7.4) in ISO 13485. This section requires a risk-based approach to managing suppliers, especially those providing critical components or services that significantly influence the quality or safety of a medical device.

Demands for critical suppliers in ISO 13485

When developing medical software, you can use products and services of external companies, specialising in, e.g., software development or regulatory compliance. ISO 13485 (the regulation you must comply with to CE mark your medical software) requires documentation of the procedures involving third-party suppliers, particularly related to their evaluation and monitoring.

As a legal manufacturer, you are obliged to monitor and re-evaluate your suppliers based on the criteria you have established. ISO 13485 states that the criteria shall be:

  • based on the supplier’s ability to provide a product that meets the organisation’s requirements,

  • based on the performance of the supplier,

  • based on the effect of the purchased product on the quality of the medical device,

  • proportionate to the risk associated with the medical device (source: ISO 13485).

Because you are dealing with a critical supplier responsible for crucial elements of your medical software, you would have to spend time controlling the risks posed by this cooperation. Thus, the best solution would be to choose as your critical supplier a company that is already ISO 13485 certified, ensuring they meet the necessary quality management standards from the outset.


How do you identify critical suppliers?

Considering a product or service provider as a critical supplier is a matter for each legal manufacturer of medical software. When considering the companies that supply you with external services, think about services that:

  • are related to your intended use,

  • can influence the safety of the medical device. 

In general, your critical supplier could be a component supplier, raw material supplier, or manufacturing partner. In SaMD's (Software as a Medical Device) case, a critical supplier could be a software provider or a cloud service provider.

What is the difference between critical and non-critical suppliers?

How do we distinguish between critical suppliers and non-critical suppliers? You can consider some aspects, such as safety, risk management, regulatory importance, or the criteria for choosing a company to work with. In the table below, you will find crucial information.

How to choose a critical supplier for your medical software?

Choosing the right software development company as your critical supplier is challenging. You have to take into account many matters. Not to mention that the notified bodies may audit critical suppliers as part of the conformity assessment process (especially if they are not ISO 13485 certified) to make sure that your medical software is safe.

To make this choice slightly easier, we have prepared a list of the most important requirements for choosing a critical supplier.

  1. ISO 13485 certification – first and foremost, we advise you to look for companies that have tried, tested, and certified quality management systems compliant with ISO 13485 and/or ISO 9001.

  2. ISO 14971 integration – it would be helpful to choose a software development company experienced in integrating risk management in compliance with ISO 14971 (as it's one of the MDR requirements).

  3. Matching your criteria – as we have mentioned before, ISO 13485 demands that you set supplier evaluation criteria. When considering software development companies, think about their technical capabilities and if they match your needs.

  4. Experience in SaMD development – Another piece of advice for you is to look for information about the company's experience in developing SaMD in compliance with MDR. If they have previously worked on such projects, they are ready to work in line with all the necessary requirements.

To sum up, we suggest you thoroughly analyse the company you want to work with on your medical software. Bear in mind that if their work poses a risk to the safety of your product, you have to consider them a critical supplier. We encourage you to talk with the potential software development company, ask them any questions you might have, and check their ISO certificates and case studies of past projects.

Looking for a trusted software development company?

At Revolve Healthcare, we specialise in creating medical software that is compliant with MDR (2017/745) and IVDR (2017/746). We are ISO 13485 certified and experienced in working with ISO 14971, IEC 62366, and IEC 62304.

We can support you through:

according to your needs and requirements.

We would be happy to discuss your idea for medical software and assist you through the process of introducing it to the EU or U.S. market.

Schedule a free consultation with our software developers and regulatory affairs specialists.
