This is a rich area for discussion. It is common (in Medical Device manufacturing of complex devices, at least) to have suppliers assigned one of (a small number of) classifications "tiers", based on something. From "first principles" found in something like 13485, this is often based on the possible contribution of the provided items (or services) to the risk profile of the finished goods. This is commonly done for MD manufacturers because eventually someone (a regulator, a NB) is going to come along and ask questions about how certain elements of a QMS are satisfied, and supplier control processes are a straightforward mechanism for addressing elements of 13485, 21 CFR 820, etc.
In practical terms, the tiers approach can be more difficult to implement. Some possible reasons may be that the supplier of very low risk components or services may need a lot of hand-holding because of their importance for profitability, there could be unreasonable (from the supplier side) expectations because the manufacturer is pushing for them to implement risk controls instead of addressing the risks themselves, or a "higher tier" supplier (that is, one with some high level of 'criticality') may be the "only game in town" and just not willing to play with you. Often, I've seen problems when the Supplier Control process is assumed to be controlling risks (14971-risks, business risks) in some area that ultimately belongs to a different group.
I can offer an example of a service provider, in a case where it would be theoretically ideal to rely on a tiered approach and simply rely on "first-in-class customer service" (verified through audits, assessments) for a "mission critical" service, yet can fall apart quickly. There exist many software service companies that offer hosted implementations of software systems which implement activities that most of us would recognize as serving a purpose in a QMS. I'll pick something obvious: Corrective and Preventive Action process... this is one area that the FDA will always hit during any audit, and NBs will do the same. It is easy to find any number of software service providers who offer some sort of CAPA workflow and records retention system.
If (and when) something goes wrong with the software system, usually there is some sort of "support" line to contact... but mileage will vary as to how well the helpdesk actually addresses the issue. For those of us with Software project experience, it is usually the case that an issue is not handled in any manner that looks anything like how a medical device manufacturer would treat a non-conformance. Usually the supplier control processes for a medical device manufacturer echo the non-conformance process at the manufacturer. Imagine if there was a non-conformance on the manufacturing floor, and the second step was to find out it was closed, with no other information... this is what it is like to deal with software service suppliers. Many such suppliers have been eliminating their own technical experts, so even getting defects evaluated is a black box (often more like a black hole). I only mention this because if such a service provider is in the "top tier", good luck having them live up to the expectations you would theoretically have for them. They aren't going to respond to Supplier-NCRs, and they aren't suddenly going to change their service approach just for you, when it was some VP's plan to fire their entire development team and outsource their helpdesk.