Critical suppliers and MDSAP

racglobal

Starting to get Involved
#1
Hi everyone,

As a person running my small company's regulatory and quality, one of my concerns is the loose usage of the term "critical suppliers" at my company and also elsewhere on the web. Thus, there was a confusion in my company of mainly engineers (with no experience in the medical device industry ) that all our suppliers are critical because the supplied components are deemed critical. So to avoid using "critical suppliers" with them, after consulting with a couple of industry insiders, I am using "criticality" of components as one consideration of the risk of the supplier (to be consistent with ISO 13485:2016's risk-based approach), and other considerations include supplier alternatives, history of the suppliers or all the soft factors. We have suppliers that deliver "critical" components but these suppliers also have many alternatives so they are considered "low-risk suppliers" who supply critical components. We also have suppliers that deliver "critical" components but then they may be the only suppliers on the market or where the components are difficult to make so I call them "high-risk suppliers of critical components" On the MDSAP, the auditor will ask you for critical suppliers, but in the context of my supplier classification, who are considered the critical suppliers? The high-risk critical suppliers or the low-risk critical suppliers? There are 4 levels we can categorize into: 2 levels of critical suppliers (high risk, low risk) and 2 levels of non-critical suppliers (high risk, low risk). I would appreciate any guidance on this.
 

Ronen E

Problem Solver
Staff member
Super Moderator
#2
The confusion starts with the term "critical", not only critical suppliers. Sadly, there isn't too much consistency in defining and applying this term. Ask yourself honestly how methodical and unambiguous is your usage of "Critical Components". If you search Elsmar, you might find posts where I've written about this topic in more detail.

"ISO 13485:2016's risk-based approach" is another widely misunderstood/misused/abused concept. A careful reading of the standard's text may reveal that it doesn't apply to "everything" but rather to a pretty limited aspect of the QMS. But why would auditors bother sticking to the standard's language or original intent?... It's much more fun to just generalise and terrorise.
 
#3
This is a grey area. Usually sterilization suppliers and outsourced suppliers ( if they perform all the work for a medical device) are considered critical. I have seen that EU authorized representatives are considered critical and are included on CE Mark certificates.
 

yodon

Staff member
Super Moderator
#4
Generally agree with the previous posts. I'd suggest that critical component suppliers may not necessarily be critical suppliers. I'm not completely in agreement that any activity outsourced to a supplier would pull them into the critical supplier category. I will say that it's been my experience that outsourced software development suppliers are considered critical suppliers.
 

Ronen E

Problem Solver
Staff member
Super Moderator
#6
I have seen that EU authorized representatives are considered critical
Now why the heck would an EC Rep be considered "critical"? What is it that they are required to do (under the MDD, which is still current) that has such a massive effect on anything?... EC Reps essentially exist so that CAs have someone to lay their hands on if something goes terribly wrong. Mostly a legal aspect, if you ask me. It's not like they'd be able to save the day, right?
 

mpfizer

Involved In Discussions
#7
The confusion starts with the term "critical", not only critical suppliers. Sadly, there isn't too much consistency in defining and applying this term. Ask yourself honestly how methodical and unambiguous is your usage of "Critical Components". If you search Elsmar, you might find posts where I've written about this topic in more detail.

"ISO 13485:2016's risk-based approach" is another widely misunderstood/misused/abused concept. A careful reading of the standard's text may reveal that it doesn't apply to "everything" but rather to a pretty limited aspect of the QMS. But why would auditors bother sticking to the standard's language or original intent?... It's much more fun to just generalise and terrorise.

Hi
could you please let me know to which limited aspects of the QMS does the risk based approach apply to.
Thanks
Michelle
 

Top Bottom