Approved Supplier List (ASL)

Q: Is an ASL legally required?

No. Neither ISO 13485, QMSR, nor EU MDR explicitly require an 'ASL.' They do require supplier evaluation and records; an ASL is the industry-standard method to show compliance.

Q: What if I don’t maintain a single ASL?

You may comply using decentralized files or ERP, but regulators expect to see a consolidated record. Most companies maintain an ASL for audit readiness.

Q: Who must be on the ASL?

Suppliers of materials, components, or services affecting product safety, performance, or compliance — e.g., sterilization, packaging, software, calibration, testing labs.

Q: How often should suppliers be re-evaluated?

Risk-based. Critical suppliers typically reviewed annually, low-risk every 2–3 years. Performance issues or regulatory changes may trigger earlier review.

Q: Do auditors really ask for the ASL?

Yes. FDA, Health Canada, and EU Notified Bodies routinely ask for the ASL at the start of inspections or audits as evidence of purchasing controls.

Approved Supplier List (ASL) is a controlled record of suppliers and service providers that a medical device manufacturer has formally evaluated, qualified, and authorized to use. While the term ASL does not appear in ISO 13485:2016, FDA’s Quality Management System Regulation (QMSR, 21 CFR 820), or the EU MDR, maintaining such a list is considered an industry best practice and is often expected by auditors and inspectors as practical evidence of compliance with purchasing control requirements.

ISO 13485 §7.4
FDA QMSR
EU MDR Art. 10(9)

Regulatory context

ISO 13485:2016 §7.4: Requires evaluation, selection, monitoring, and re-evaluation of suppliers using defined, risk-based criteria. Records must be maintained.
FDA QMSR (effective Feb 2026): Incorporates ISO 13485 by reference; FDA inspectors will expect proof of supplier qualification and control.
EU MDR 2017/745, Article 10(9): Requires a QMS that ensures control of suppliers and subcontractors. Notified Bodies almost always review supplier control processes during audits.

Key point: None of these regulations literally require an “ASL,” but an ASL (spreadsheet, database, or ERP register) is the most efficient way to demonstrate that only qualified suppliers are used.

What an ASL typically includes

Supplier name, location, and scope of supply (e.g., sterilization, software development, packaging).
Risk classification (critical, major, minor) and evaluation method used (audit, questionnaire, certificate review).
Status (approved, conditional, suspended, removed) and date of last evaluation/re-evaluation.
References to quality agreements, audit reports, or certificates.
Performance data (KPIs, defect rates, complaint history, SCAR/CAPA status).

Why it matters

Audit readiness: Auditors often request “your current ASL” as the quickest evidence that supplier controls are in place.
Traceability: Demonstrates that only approved suppliers were used for materials, components, or services affecting device safety/performance.
Risk management: Supports ISO 14971 hazard analysis by documenting supplier-related risks and mitigations.
Operational control: Links procurement systems to supplier approval status, reducing the risk of purchasing from unqualified vendors.

Approved Supplier List — FAQs

Is an ASL legally required?

No. Neither ISO 13485, QMSR, nor EU MDR explicitly mention an “ASL.” However, they require supplier evaluation and documented controls. An ASL is the most common, audit-defensible way to demonstrate this.

What if I don’t maintain a single ASL?

You may still comply if supplier approvals are documented in another controlled system (e.g., ERP, decentralized supplier files). But regulators and auditors expect to see a consolidated record — most companies call this an ASL.

Who must be on the ASL?

Any external provider whose materials, components, or services can affect product safety, performance, or compliance (e.g., sterilization contractors, packaging vendors, software developers, calibration labs).

How often should suppliers be re-evaluated?

On a risk-based schedule. Critical suppliers are typically reviewed annually, while low-risk suppliers may be reviewed every 2–3 years. Triggers such as performance issues, nonconformities, or regulatory updates require earlier review.

Do auditors really ask for the ASL?

Yes. While not named in regulations, it is a routine request by FDA, Health Canada, and Notified Body auditors as a starting point for sampling supplier files and verifying compliance with purchasing controls.