QMS for Life Sciences
Elsmar Cove Forum Sponsor

Do purchasing controls apply to non-medical parts?

My company designs and develops software that is considered a medical device.

The software can be setup on most computers (there are some performance requirements and prerequisites) - but in general, the user can just use his computer for the software.

My company also offers the service of providing a computer to use with the software (and a few other HW parts). Neither the computer nor any of the HW parts are however considered a medical device.

Do you think that we could get away with saying that section 7.4 of 13485:2016 (Purchasing) does not apply to our organizations as the only items that are purchased are these HW parts (that are not the medical device).
Or are we required to fulfill 7.4 for sold parts that are not considered a medical device?


Involved In Discussions
Hi there,

We faced a similar situation recently when putting together our Purchasing SOP. We decided that purchasing controls would apply to all of our products regardless of whether they are products affecting the final finished device. Applying this to your situation, I would say the computers would be under your QMS, but the stringency of supplier control would not apply to the computers as they are not considered medical devices. Hope it helps.

Ronen E

Problem Solver
Staff member
In implementing ISO 13485, no organisation can rightfully claim that s. 7.4 is N/A because every commercial organisation purchases something. For example: premises, utilities, office supplies, furniture, IT.

What clause in s. 7.4 (or otherwise) leads you to think that s. 7.4 applies only to items that are (or are included in) medical devices?

I do agree that the level of scrutiny doesn't have to be the same for all purchased items, but this is usually proportional to the risk that purchased items not complying with purchasing requirements pose to the user/patient. Surely if you supply a non-compliant computing platform (even if you only on-sell it) to your customers, and as a result your SW fails, it is a risk you'd at least want to consider.


Staff member
Super Moderator
Hi Doris...
Aside what is said rightly above if you can see "7.4.1. a) based on the supplier’s ability to provide product that meets the organization’s requirements;"
You will appreciate that the criteria shall be your organization requirement, and this will come from your risk based controls as said in "7.4.1.d) proportionate to the risk associated with the medical device."
So you will agree now that 7.4 applies to you and you will have necessary criteria established as evaluated by your organization.
Thank you for your responses - I think I know what to do now.

Actually, we have always handled section 7.4 only in relation to our medical devices. Never has an auditor asked to see purchasing information on coffee or office supplies. Also, I would have thought that there would be a reference from section 6 (Resource management) to 7.4 if it were to apply to it also.

But that does not really matter because as you have pointed out I can apply a risk based approach to all of our suppliers - and I get to decide the criteria! The first criteria will be that suppliers of coffee and office supplies do not require any controls.
I can then define the controls required by each type of supplier.

And don't worry - we have it well defined which computing platforms are compliant so that's not an issue.

Thank you so much for your help!

Ronen E

Problem Solver
Staff member
we have it well defined which computing platforms are compliant so that's not an issue.
Just to clarify, I referred to items that are non-compliant with purchasing requirements (i.e. defective). Even if a given model is generally defined as compliant, one could still get non-compliant units from their supplier if they don't properly control purchasing.
Top Bottom