Critical suppliers (Definition of) and MDSAP (Medical Device Single Audit Program)

racglobal

Involved In Discussions
Hi everyone,

As a person running my small company's regulatory and quality, one of my concerns is the loose usage of the term "critical suppliers" at my company and also elsewhere on the web. Thus, there was a confusion in my company of mainly engineers (with no experience in the medical device industry ) that all our suppliers are critical because the supplied components are deemed critical. So to avoid using "critical suppliers" with them, after consulting with a couple of industry insiders, I am using "criticality" of components as one consideration of the risk of the supplier (to be consistent with ISO 13485:2016's risk-based approach), and other considerations include supplier alternatives, history of the suppliers or all the soft factors. We have suppliers that deliver "critical" components but these suppliers also have many alternatives so they are considered "low-risk suppliers" who supply critical components. We also have suppliers that deliver "critical" components but then they may be the only suppliers on the market or where the components are difficult to make so I call them "high-risk suppliers of critical components" On the MDSAP, the auditor will ask you for critical suppliers, but in the context of my supplier classification, who are considered the critical suppliers? The high-risk critical suppliers or the low-risk critical suppliers? There are 4 levels we can categorize into: 2 levels of critical suppliers (high risk, low risk) and 2 levels of non-critical suppliers (high risk, low risk). I would appreciate any guidance on this.
 

Ronen E

Problem Solver
Moderator
The confusion starts with the term "critical", not only critical suppliers. Sadly, there isn't too much consistency in defining and applying this term. Ask yourself honestly how methodical and unambiguous is your usage of "Critical Components". If you search Elsmar, you might find posts where I've written about this topic in more detail.

"ISO 13485:2016's risk-based approach" is another widely misunderstood/misused/abused concept. A careful reading of the standard's text may reveal that it doesn't apply to "everything" but rather to a pretty limited aspect of the QMS. But why would auditors bother sticking to the standard's language or original intent?... It's much more fun to just generalise and terrorise.
 

DannyK

Trusted Information Resource
This is a grey area. Usually sterilization suppliers and outsourced suppliers ( if they perform all the work for a medical device) are considered critical. I have seen that EU authorized representatives are considered critical and are included on CE Mark certificates.
 

yodon

Leader
Super Moderator
Generally agree with the previous posts. I'd suggest that critical component suppliers may not necessarily be critical suppliers. I'm not completely in agreement that any activity outsourced to a supplier would pull them into the critical supplier category. I will say that it's been my experience that outsourced software development suppliers are considered critical suppliers.
 

Ronen E

Problem Solver
Moderator
I have seen that EU authorized representatives are considered critical
Now why the heck would an EC Rep be considered "critical"? What is it that they are required to do (under the MDD, which is still current) that has such a massive effect on anything?... EC Reps essentially exist so that CAs have someone to lay their hands on if something goes terribly wrong. Mostly a legal aspect, if you ask me. It's not like they'd be able to save the day, right?
 

mpfizer

Involved In Discussions
The confusion starts with the term "critical", not only critical suppliers. Sadly, there isn't too much consistency in defining and applying this term. Ask yourself honestly how methodical and unambiguous is your usage of "Critical Components". If you search Elsmar, you might find posts where I've written about this topic in more detail.

"ISO 13485:2016's risk-based approach" is another widely misunderstood/misused/abused concept. A careful reading of the standard's text may reveal that it doesn't apply to "everything" but rather to a pretty limited aspect of the QMS. But why would auditors bother sticking to the standard's language or original intent?... It's much more fun to just generalise and terrorise.


Hi
could you please let me know to which limited aspects of the QMS does the risk based approach apply to.
Thanks
Michelle
 

myusoffice

First Time Right...
It is the responsibility of the manufacturer to define a critical supplier. This should tie back to your supplier evaluation and control. The extent of both ISO 13485:2016 and MDSAP requirements is really the involvement of a supplier may be through an outsourced process such as sterilization, software development, or design and development activities, subassembly subcontracting, OEM, etc. Again, it is you who defines what is critical and what is not. One can always challenge your thought process behind the decision you made but then there is always a term called "Continuous Improvement". Hope this helps.
 

JoshuaFroud

Involved In Discussions
Having recently completed a Stage 2 MDSAP audit, I can relate to your paint. I can however share the definitaion of critical supplier we used which got us successfully through the audit;

Critical Supplier:
A supplier delivering materials, components or services, which may influence the safety and performance of the product.
Note: In the context of the audit of medical device manufacturers, a critical supplier is a supplier of a product or service, the failure of which to meet specified requirements could cause unreasonable risk to the patient, clinician or others, or could cause a significant degradation in performance. This can include suppliers of services which are needed for compliance with QMS or regulatory requirements.
 
Top Bottom