If you opened up the new 21 CFR Part 820 and went looking for §820.50, I have a small bit of news: it isn’t there. The “Purchasing Controls” section that taught a generation of quality managers how to maintain an approved supplier list is now part of Subparts C through O, which are uniformly and unceremoniously [Reserved]. The topic didn’t disappear — but the address did.
Where did purchasing go? Into ISO 13485 §7.4, where it’s now governed by three subclauses, considerably more language about risk, and one quietly significant change that’s going to come up in your next audit whether you like it or not.
What §7.4 Actually Requires
The three subclauses are tidy on paper. §7.4.1 (Purchasing Process) tells you to establish criteria for selecting, evaluating, monitoring, and re-evaluating suppliers — and explicitly says those criteria must be proportionate to the risk the supplied product or service poses to the safety and performance of the device. §7.4.2 (Purchasing Information) requires you to describe what you’re buying clearly enough that someone other than you could reproduce the order, and — where applicable — to get a written agreement that the supplier will notify you before changing the product. §7.4.3 (Verification of Purchased Product) requires you to verify that what arrives meets what you ordered, with activities — again — proportionate to risk.
If you read that and thought “this is what §820.50 already required,” you’re not wrong. The skeleton is recognizable. But ISO 13485 added some things FDA’s prior version left implicit, and a few of those have real teeth.
What Changed From the Old QSR
Risk is no longer optional language
The old §820.50 didn’t use the word “risk” at all. It told you to evaluate suppliers “on the basis of their ability to meet specified requirements,” and to “define the type and extent of control” based on the evaluation. ISO 13485 §7.4 says all of those things — but it also says, repeatedly, that everything must be proportionate to the risk associated with the medical device. That’s not a cosmetic edit. It means your purchasing procedure now has to explain how you decided that your widget supplier needed an annual on-site audit while your office supply vendor needed an emailed certificate of conformance. The decision wasn’t arbitrary before, but now it has to be documented as risk-based.
Monitoring is a verb, not a checkbox
The old QSR was largely concerned with initial supplier qualification. ISO 13485 §7.4.1 explicitly requires ongoing monitoring and re-evaluation, and — this is important — requires you to record instances where a supplier fails to meet purchasing requirements and feed those into your risk management process. So when your sterilization vendor’s tray runs out of spec for the third time this quarter, that’s not just a non-conformance to log and move on from. It’s a data point that should be visible in your risk file.
Change notification got more visible
Old §820.50(b) asked for an agreement “where possible” that suppliers would notify you of changes. ISO 13485 §7.4.2 asks for the agreement “as applicable” — slightly different phrasing, effectively the same expectation. The change here isn’t the language. The change is what FDA can now see. Because §820.180(c) is gone (see the documentation post), supplier audit reports — which used to live behind that inspection exemption — are now fair game when an investigator comes through. Quality agreements with weak change-notification clauses are going to be read by people who weren’t allowed to read them before.
Verification at the supplier’s place is its own paragraph
§7.4.3 explicitly addresses what to do when verification happens at the supplier’s facility — you have to state the arrangements and the release method in the purchasing information. The old §820.50 didn’t break this out. If your incoming inspection plan relies on a contract manufacturer’s release records, that arrangement belongs in your purchasing documents, not a side-bar email thread.
FDA didn’t add anything
This is worth saying out loud. There’s no §820.50 supplement in the QMSR. Unlike Records (§820.35) or Labeling (§820.45), where FDA stepped in with additional requirements on top of ISO 13485, purchasing is governed entirely by §7.4 — through incorporation by reference (see the §820.7 post). What ISO 13485 says is the whole of what FDA expects. When the factory itself is outsourced, §7.4 also works alongside ISO 13485 §4.1.5, which I dug into in the contract-manufacturer post.
What You Actually Need to Do
If you have an existing approved supplier list and procedure, you’re not starting from zero — but you should walk it through three questions. First: does your procedure explain why each supplier sits where it does on your tier or risk classification? Not “Tier A,” but the reasoning that put them there. Second: is supplier performance flowing into your risk management process, not just into a quarterly KPI report? Third: would your quality agreement language about change notification embarrass you if FDA read it tomorrow? Because they might.
Also: if you’ve been treating §820.50 as the canonical source of purchasing requirements, mentally retire that citation. It still shows up in old internal procedures and supplier templates, but in the eyes of FDA inspectors trained on the QMSR, the language is §7.4. Your procedures will probably want to follow suit — not because the underlying requirements changed dramatically, but because clarity about which words you’re following matters when someone asks.
The Bottom Line
There’s something almost gentle about the way §820.50 was retired. No fanfare, no dramatic rewrite — just a quiet “Reserved” and a redirection to a clause most of us have been reading anyway, because we were also chasing ISO certification. But pay attention to the parts that did shift: proportionate to risk, recorded non-fulfillment, monitoring as an ongoing verb, and supplier audit reports now visible to FDA. The old discipline is still here. It just acquired some new neighbors.