Is Your Supplier Quality Agreement FDA-Ready?
Your supplier just changed a raw material specification. Did they tell you first? Did you approve it?
If you can't answer both questions with absolute certainty, you have a supplier control problem. And the FDA is paying close attention to exactly this issue.
That $2.3 million includes consultant fees, system overhauls, and the staff time you'll burn demonstrating corrective actions. Most companies take 12-18 months to close out these findings.
Deadline alert: The FDA's Quality Management System Regulation (QMSR) goes into full effect February 2, 2026. Your supplier quality agreements need to be updated, and your suppliers need to acknowledge the new requirements.
Why Supplier Control Keeps Appearing in Warning Letters
In fiscal year 2024, the FDA issued 47 warning letters to medical device manufacturers, a 96% increase from 2023. Purchasing controls appeared in roughly 40% of them.
The pattern is consistent:
- No written quality agreement with critical suppliers
- Quality agreements that don't require change notification
- Suppliers making changes without manufacturer approval
- Missing supplier evaluation and monitoring procedures
The FDA doesn't care that "we've worked with this supplier for 20 years" or "they're ISO certified." What they care about is documented evidence that you control your supply chain and that your suppliers notify you before making changes that could affect your product.
What the Regulations Actually Require
21 CFR 820.50 (Purchasing Controls)
The current regulation states that manufacturers must:
- Establish and maintain procedures to ensure purchased product conforms to specified requirements
- Evaluate and select suppliers based on their ability to meet requirements
- Define the type and extent of control based on evaluation results
Critically, Part 820.50(b) requires manufacturers to have documented agreements that address the supplier's change notification process.
ISO 13485:2016 Section 7.4.2
ISO 13485 is more explicit. Section 7.4.2 requires organizations to have a written agreement with suppliers that includes arrangements for supplier notification when changes occur that affect the purchased product. This is a SHALL requirement, not a suggestion.
QMSR Harmonization (Effective February 2, 2026)
The new QMSR harmonizes with ISO 13485, making the change notification requirement even more explicit. If your quality agreements don't already include change notification terms, they need to be revised, and your suppliers need to acknowledge the new terms, before the February 2 deadline.
The 12 Must-Have Clauses in Your Quality Agreement
A compliant supplier quality agreement requires specific provisions. Here's what needs to be in there:
| # | Clause | What It Covers |
|---|---|---|
| 1 | Scope and Applicability | Which products, specifications, facilities. List part numbers, not "all products." |
| 2 | Quality System Certification | ISO 13485 or equivalent. Requirements for maintaining and notifying if it lapses. |
| 3 | Change Notification & Approval | Advance notice for material/process/location changes. Written approval required. |
| 4 | CAPA Process | Who investigates, who approves, what timeline for implementation. |
| 5 | Right to Audit | Audit frequency, notice period, records access, right to bring regulators. |
| 6 | Document Retention | Retention period aligned with regulatory requirements (device lifetime + 2-10 years). |
| 7 | Communication Protocols | Quality contacts, backup contacts, emergency escalation path. |
| 8 | Nonconforming Product | Notification, containment, root cause investigation, disposition authority. |
| 9 | Risk Notification | Safety/quality/compliance issues communicated within 24 hours. |
| 10 | Regulatory Compliance | Commit to FDA/EU MDR compliance. Notify of inspections or warning letters. |
| 11 | Training Requirements | Training requirements for critical suppliers' personnel. |
| 12 | Sub-Tier Supplier Control | Flow down requirements to sub-tier suppliers with change notification. |
The Change Notification Gap (Where Most Companies Fail)
Most companies have some form of quality agreement with their suppliers. What they don't have is an effective change notification process.
Here's the typical failure pattern:
- Quality agreement says something vague like "Supplier shall maintain quality standards"
- Supplier changes a raw material source (maybe to save cost, maybe because their original supplier went out of business)
- Supplier doesn't notify you because they don't think it's "significant"
- You discover the change during a complaint investigation or audit
- FDA discovers the change during YOUR audit
- Warning letter cites inadequate purchasing controls
The fix is specificity. Your change notification clause needs to list exactly what triggers notification:
- Raw material source or specification changes
- Manufacturing process changes (equipment, parameters, sequence)
- Facility or location changes
- Quality system changes
- Subcontractor changes
- Regulatory status changes (certifications, inspections, etc.)
And it needs to be clear: Supplier notifies BEFORE implementing the change, waits for your written approval, and documents the entire process.
The QMSR Deadline: What You Need to Do Now
If you haven't updated your supplier quality agreements for QMSR compliance, here's your action plan:
- Identify all critical suppliers (those providing components, materials, or services that affect product safety or performance)
- Pull existing quality agreements
- Gap assessment: Do they meet the 12-clause checklist above?
- Draft updated quality agreement template incorporating QMSR requirements
- Legal review (if needed)
- Prepare supplier communication explaining the updates
- Send updated agreements to suppliers
- Follow up on acknowledgments
- Document any suppliers who refuse to sign (this is a risk that needs mitigation)
- Finalize agreements with critical suppliers
- Update purchasing procedures to reference new agreement requirements
- Train purchasing and quality staff on new requirements
The February 2 deadline is firm, so you're working with limited time.
The Audit Question You Don't Want to Fumble
"Show me a recent example of a supplier change and how your change notification process worked."
— Common FDA investigator questionIf you can't produce:
- The supplier's advance notification
- Your risk assessment of the change
- Your written approval (or rejection)
- Documented verification that the change didn't affect product quality
...you're going to have a finding.
Run a mock scenario now: Pick a critical supplier, walk through what would happen if they notified you of a material change, identify gaps in your process, and fix them before the auditor asks.
How This Works at Aligntra
When we help clients prepare for audits, supplier control is one of the first things we check. It's not the most technically complex requirement, but it's one of the easiest for auditors to verify, and one of the most common sources of major findings.
Our gap assessment identifies:
- Which suppliers lack adequate quality agreements
- Whether existing agreements meet current regulatory requirements (21 CFR 820, ISO 13485, QMSR)
- Gaps in change notification processes
- Missing supplier evaluation and monitoring procedures
We've seen clients avoid warning letters by catching these gaps 60 days before an audit. The approach is straightforward: a checklist, executed methodically.
Key Takeaways
- A supplier quality agreement is a control mechanism, not just paperwork
- The 12-clause checklist is your minimum viable agreement
- Change notification is where most companies fail. Be specific about what triggers notification
- QMSR deadline is February 2, 2026. Update agreements before then
- $2.3M is the average cost to remediate a supplier control warning letter
Ready to assess your supplier agreements?
Our gap assessment identifies missing clauses, outdated agreements, and change notification gaps before auditors do.
Get a Gap AssessmentReferences
- FDA Enforcement Data 2025, "Average Cost of Warning Letter Remediation," FDA.gov (Accessed: January 2026)
- FDA Medical Device Warning Letters FY2024, FDA.gov (Accessed: January 21, 2026)
- FDA Warning Letter Analysis: "Purchasing Controls in Medical Device Manufacturing," Emergo by UL Solutions (2024)
- 21 CFR Part 820.50 - Purchasing Controls, FDA Quality System Regulation
- ISO 13485:2016, Medical devices — Quality management systems — Requirements for regulatory purposes, Section 7.4.2 "Purchasing information"
- FDA Final Rule: "Quality Management System Regulation; Amendments to Certain Medical Device Regulations," Federal Register Vol. 89, No. 24 (February 2, 2024) - Compliance deadline: February 2, 2026