I believe you have made this more complicated than necessary.
First, you should ignore MDSAP. The MDSAP program doesn't create any requirements for a supplier. It is only an auditing method. If you meet the regulatory requirements of each region in which you market a device, then you will pass an MDSAP audit.
So, the first question is whether you know of any regulatory requirements to define a critical supplier.
Based on your description, you seem to have eight categories of suppliers, not four. It appears that each of four (highest risk, high risk, moderate risk, and low risk) could have the attribute "critical" (Yes/No). You mention "high-risk critical suppliers".
With these eight categories, you, presumably, have at least eight sets of controls. In my experience, for many of them (probably six – the suppliers that are critical and the suppliers that are highest risk or high risk) you require both third party certification to a QMS standard and you also conduct periodic QMS audits. I also suspect that you don't have the resources to manage this approach to supplier control.
You mention the ISO 13485:2016 risk-based approach to supplier management. (In my opinion, the authors of ISO 13485:2016 made a mess of the word risk.) Because ISO 13485:2016 does not use the phrase "risk-based approach", "risk-based", etc. in clause 7.4, it appears you have implemented a non-existent requirement. The requirement is that supplier evaluation and selection criteria are "proportionate to the risk associated with the medical device".
My recommendation is that you use the GHTF definition of a critical supplier from GHTF/SG4/N84:2010, 5.3. Critical supplier means a supplier delivering materials, components, or services, that may influence the safety and performance of the product.
The best method to determine a critical supplier is to look at your list of essential design outputs from 820.30(d). Any material, component, or service that supports an item on the list is critical. Any supplier that provides a critical material, component, or service is a critical supplier.
In my opinion, you should have only two categories of supplier. Critical and non-critical. The controls should be at incoming inspection (sampling plans – use c=0 with switching rules), external controls (independent test houses to verify CoAs), and audits of the process to create certs (CoA or CoC to ensure they are complete and correct) when you rely on them for acceptance.
If you are concerned about correct implementation of the supplier's QMS, then require that the supplier send you the third party audit report. (It cannot be confidential to the supplier, since you have required conformance to the QMS.)
In my opinion, too many companies equate compliance with complexity. Unfortunately, a complex implementation is not sustainable.
------------------------------
Dan O'Leary CQA, CQE
Swanzey NH
United States
------------------------------
Original Message:
Sent: 12-Jul-2019 09:09
From: Karen Zhou
Subject: Supplier questions
Hi everyone,
Happy Friday to you all. I have a few questions regarding supplier management in a small medical device startup company.
One of my concerns is the loose usage of the term "critical supplier". We manufacture electrical medical equipment. There are many pieces like PCBs, connecting cables that are deemed critical components. Due to the special nature of the device, many of our suppliers are single-source (meaning if they were to go out of business tomorrow, there are no easy replacements or at least the replacements would not come without incurring significant costs and time). In a risk-based approach as per ISO 13485:2016, we classify them as high-risk critical suppliers. At the same time, we have many critical component suppliers that are low risk because they are quite replaceable and they have good industry reputation. They would not be evaluated like the high-risk critical suppliers as mentioned above. In both cases, they are critical suppliers.
For the 4 classes of suppliers, we have highest risk, high risk, moderate risk, and low risk. In the world of MDSAP, which ones are critical suppliers? The high-risk critical suppliers or the low-risk critical suppliers? We also have a QMS process that is outsourced like subassembly manufacturing, it is a very high risk supplier. But does it make sense to classify them in the same category with suppliers of PCBs?
I look forward to any insights.
Thank you.
------------------------------
Karen Zhou
------------------------------