ISO 13485 Clause 7.3.2 - Purchased Data Approval and Record Requirements


Looking for second opinions on the requirements for approval and record requirements for purchased data that arose in an internal audit.

We have approved suppliers, documentation controlled part specifications and drawings for raw materials, contracts for routine contracted services etc. so am happy with the level of control of specifications and suppliers.

I have always considered that the clause of ISO 13485 7.3.2 "The organization shall ensure the adequacy of specified purchase requirements prior to their communication to the supplier." as approval of the purchase order (in addition to the approval of documented specifications etc).

Particularly as in some cases the purchased data is only documented in the PO form as there is no part specification; e.g. calibration or a service. My interpretation was that the approval of the PO was ensuring the adequacy of specified purchase requirements.

We have been challenged by purchasing dept that
a) approval of the PO is not required by ISO 13485 and
b) if we must approve POs; only 2 people have access to create a PO and these individuals review the PO as part of the process so no signature is required.

Similarly I have reviewed the 21 CFR part 820:50 requirements which state "purchasing data shall be approved in accordance with 820.40" 820.40 in turn relates to documentation control and review/approval of documents prior to issuance. So we meet that requirement for specifications, drawings etc but not for POs which do not have a specification, drawing or contract.

I suppose my interpretation was always approve the PO; to ensure control over purchased goods, correct part #, quantity etc.

Would be interested to know if this is in fact over the top and approval (printed & signed) is not required.

Thanks all!


Inactive Registered Visitor
Re: 7.3.2 Purchased Data

The adequacy requirements is there to guarantee that your purchasing information clearly reflect the organization need.

So, the questions here are:

- What is the related need?

- Does the purchasing information clearly reflect this need?

You may answer these two questions in one document, but more commonly, they are in different documents.

Then, you need to define where your purchase information is located. If it's in the PO, then you would need to approve it (you can look for formal interpretation RFI 104 for ISO 9001 which says "4.2.3 a) - Does documented purchasing information that is part of the quality management system, have to be approved according to 4.2.3 a)? - YES).

(To make things more clear, the process would be something like this: someone identify a need, register the need somewhere, then this need is translated into purchase information, which is registered somewhere, then a check is made to make sure that this purchase information clearly reflects the need, then the purchased information is approved, and then it can be sent).


Re: 7.3.2 Purchased Data

Thank you Marcelo.

I agree we have most of the requirements documented in documentation controlled specifications, drawings etc but it is the Purchase Order that links the requirements to the supplier
a) Specifies the part number and revision, i.e. orders to the listed specification
b) lists the requirement if there is no specification for calibration, translations, product testing and so on

Don't mind challenging my thought process at all.
Good to check in with other quality people as sometimes in a small company the correct interpretation of the standard is not the popular one!

Top Bottom