An investigator with the US Food and Drug Administration (FDA) is reminding MedTech manufacturers to monitor their suppliers and adequately consider any risks they pose when deciding whether to do business with them.
A failure to adequately control suppliers routinely “pops up” as a problem spot for medical device companies during FDA facility inspections, said Laureen Geniusz, who is also a consumer safety officer in the agency’s Office of Medical Device and Radiological Health Inspectorate, or OMDRHI. She pointed out that the purchasing controls portion of the Quality System Regulation, Sec. 820.50, “continues to be extremely important” because components from vendors make up “part of the product.”
Geniusz added that there have been numerous recalls of devices because of supplier issues and errors, including working under unclear MedTech company expectations and making components while using inaccurate specifications. Her comments came during an “investigator insights” panel at MedCon 2025.
While some manufacturers are “very, very good” at clearly defining the supplier evaluation and oversight process, others “have it very poorly defined, or have it defined and are just not following it,” Geniusz said. “Before you define or decide how you’re going to evaluate and monitor your supplier, you need to know the risk, [because if there’s] lower risk, there’s less monitoring, less oversight, [but if there’s] more risk, then you need a bit more.”
Geniusz explained that an FDA investigator would want to know how a company documents its oversight of vendors and any procedures around that. For example, the investigator would consider, “Did you make that risk assessment so you can go down the right path? And when was this risk assessment initially assigned?” she said, noting that manufacturers typically make risk assessments during the product design phase.
Companies should then use risk assessment tools to decide how best to qualify and monitor suppliers, but “that’s where I do see some weaknesses,” Geniusz said. “But hopefully you do find out what the risk is.”
After calculating risk, “determine what type of evaluation you need to do with the supplier, which is anything from a desk audit, onsite audit, questionnaire, an ISO certification, or a combination of any of those,” she said. “Most companies, at a minimum, use a questionnaire, and [the FDA is not] telling you in the regulations to spell out exactly what [tools] you need. You should determine that based on the risk of the product or process.”
Geniusz further urged manufacturers to be “careful” with supplier questionnaires. “Ask the questions that are appropriate and relevant to the information you need to know,” she said, adding that such questions should produce the best feedback and information.
[Editor’s Note: Risk management, particularly when applied to purchasing controls, can prove to be a daunting task for makers of medical devices. Give QualityHub a shout if your company needs assistance around risk management, risk assessments, and other related quality systems activities.]
