Critical Suppliers - As defined by MDSAP.

[Reliable Source]

According to MDSAP-AU-P0002.008 Audit Approach, the definition of a Critical Supplier is as follows.

Critical Suppliers:

For the purposes of MDSAP, “critical suppliers” include, but are not limited to:

- those entities that supply the organization with finished devices, i.e., a device, or accessory to any device, that is suitable for use or capable of functioning, whether or not it is packaged, labeled, or sterilized,
- suppliers of products, including services, that impact design outputs that are essential for the proper functioning of the device; and
- suppliers of products and services that require process validation.

The company I work for is struggling at trying to comply with this new MDSAP requirement without having to re-structure our entire supplier management system. You see, besides purchasing build-to-print parts from our suppliers, we also buy a lot of Off-The-Shelf (OTS) products which are re-labeled with our company name from outside distributors. In doing so, we're thinking we now have to classify all our suppliers as Critical Suppliers based primarily on bullet one of the MDSAP criteria above. That seems crazy to me. I would think that the term Critical Supplier would be a distinction reserved for suppliers who provide products or services that directly contribute to the safety and/or performance of our products, but clearly NOT every distributor we purchase accessories from.

Does someone out there have any suggestions on how to navigate compliance with this requirement without a ton of remediation? If so, please advise....

 

[yodon]

Interesting questions. Not going to suggest this is a definitive answer, but I would like to continue the discussion and add my thoughts.

purchasing build-to-print parts from our suppliers,

Are you saying that these parts are essential for proper functioning of the device (thereby pushing them into the critical column)?

we also buy a lot of Off-The-Shelf (OTS) products which are re-labeled with our company name from outside distributors.

And are you saying that these supply the organization with finished devices (or an accessory)?

Taking a step back, what does it mean to be a "critical supplier"? What do your procedures say? There are no set rules other than executing a quality agreement. Generally, for CMs, I think there's an expectation that an audit is conducted (but I don't know that I've seen that as a "shall" anywhere). Effectively, the approval and oversight is "elevated."

For your build-to-print parts (that are essential...) do you have a quality agreement with the provider to not change anything without prior notice? Do you have elevated controls in place to receive the parts?

For the OTS parts, I'm guessing a quality agreement would likely be unobtainable? How do you accept these products?

 

[Reliable Source]

Based on the MDSAP definition of "Critical Supplier" defined within the "Overview/Terminology Section (page 11), the first bullet point is the one most in question. "those entities that supply the organization with finished devices, i.e., a device, or accessory to any device, that is suitable for use or capable of functioning, whether or not it is packaged, labeled, or sterilized".

We buy "Finished Devices" (basically accessories to use with our products) from our distributors who re-label with our company name and we in-turn sell to our customers. Since the definition above states that "those entities that supply the organization with "Finished Devices..." we are currently interrupting that to mean any accessory we buy from any distributor that we have re-labeled with our name. That represents the bulk of our suppliers. I just have trouble believing that was the intent of the MDSAP authors. Perhaps, we don't need to replicate their definition in our QMS because it was referenced under the "Overview" section and not the requirements section of the standard.

Our procedures currently point more towards suppliers that we outsource to as "Critical Suppliers", but certainly not suppliers of boxes or bags. We do have both Supplier and Distributor Quality Agreements that address your questions above.

Since their definition of "Critical Suppliers" is not in the form of a "shall" statement, do you think we can modify it slightly by limiting our definition to suppliers of finished products designed by us vs. all finished products?

From my standpoint, our company does have organizational and quality obligations to consider, and therefore, we cannot risk the costs and resources on a misinterpretation of the standard.

 

[yodon]

I certainly wouldn't try to change the definition.

Maybe this "case study" we encountered might help. We were developing a laser product and we specified a particular OTS diode by the supplier's part number. All was good for a while until there started being complaints from end users of excess pain and heat. As we investigated, the supplier changed the diode resulting in excessive laser energy being delivered. There was no quality agreement with this supplier because they were a large commercial parts supplier. There *should* have been additional controls in place to verify the part specifications, not just that the part received was the ordered part number.

Circling back, you have a quality agreement with those suppliers, so I think you've taken at least one step towards elevated controls.

Were they qualified and approved based on any regulatory clearance (510(k), CE mark, etc.) or arrangements (FDA registered manufacturer, ISO 13485 certification)? Those might be additional steps in elevated controls.

Do you do anything in particular for receiving? Considering my example above, is there any reason to take closer looks at what was received?

As they are already approved and you have a history of presumably good service / products from them, you can still leverage that as part of ongoing approvals.

Again, other than having quality agreements, the standards / relevant guidance docs are fairly vague when it comes to requirements for approval and management of "critical" suppliers. The intent, I believe, is to ensure those suppliers do get some elevated controls. Your procedures need to be flexible enough to enable doing what's best.

 

[Tagin]

We buy "Finished Devices" (basically accessories to use with our products) from our distributors who re-label with our company name and we in-turn sell to our customers. Since the definition above states that "those entities that supply the organization with "Finished Devices..." we are currently interrupting that to mean any accessory we buy from any distributor that we have re-labeled with our name. That represents the bulk of our suppliers. I just have trouble believing that was the intent of the MDSAP authors.

I think it was precisely the intent: if all the controls on these accessories are at the supplier, then your company is placing all reliance on the supplier, and so that supplier would become a critical supplier.

 

[Reliable Source]

Tagin,

Thanks for your response. It got me thinking that perhaps I can limit and control the number of Critical Supplier under our Supplier Management System to those with little to no oversite by my company. And if I put that wording into our own definition of what a Critical Supplier mean, then I have regained control of the situation. Using this logic, the more inspection, testing, or other methods of product verification I apply to the purchase parts, the less likely that supplier would be considered critical to our processes.

I'm thinking that a statement regarding our company's oversight should definitely be an element in our definition of Critical Suppliers. Isn't it funny how the level of customer's oversight over the supplier isn't even an element of the current MDSAP "Critical Supplier" definition?

Let me ask you this. Do you think we need adopt the MDSAP definition for "Critical Suppliers" stated above, in order to be MDSAP compliant? Or should we just develop our own definition based on our own logic and business/quality objectives in hope that our NB Auditor agrees with our decision?