Search the Elsmar Cove!
**Search ALL of** with DuckDuckGo Especially for content not in the forum
Such as files in the Cove "Members" Directory

Can a single supplier fit two or more categories for risk?

Ed Panek

VP QA RA Small Med Dev Company

We have a supplier we classified as category I (critical) that was our electronics board manufacturer. We have specific audit requirements for our categories I, II and III.
From the single first time buy we overbought. We changed our firmware and used this company to reflash the boards. I no longer use this supplier for the original use of board manufacturing and now we use them mostly for reflashing firmware. The reflashing of boards we do not consider the same risk as manufacturing the boards from scratch.

Can a single supplier fit two or more categories for risk? I want to argue we dont require an onsite audit of them since we are not using them to make boards and only reflash already made boards.OTOH I want to keep them as class I in case we do eventually order more boards. Should I break the company in half? 1) makes new boards 2) reflashes boards?

What should I do?


Staff member
Super Moderator
What ever fits you best.
You are more concerned about your risk and hence your supplier can fit into two or more category, based on your assessment of each type of risk. You therefore apply the controls accordingly.
Make your QMS work for you. Don't be a slave to QMS


Quite Involved in Discussions
I would keep them a category I supplier but write a deviation or memo explaining why you will not be auditing them at this time. The supplier should be audited prior to receiving the higher risk parts through.
Top Bottom