I changed our SOP "Supplier evaluation and monitoring" to include as a first step in the procedure: supplier classification. We have four categories (A to D).
"All our suppliers are classified into one of four categories, labeled A to D, according to the risk the supplier poses to quality of our products and services. Category A comprises the highest risk, category D the lowest risk to product safety. The different categories require different control procedures and documentation requirements:
1. Category A: Critical supplier. Has to be added to Approved Supplier List. Very important for product safety. QMS certificate accreditation (ISO 13485, ISO 9001, or equivalent) required. Quality Agreement required. Annual supplier audit required.
1.1. Examples are: contract manufacturers, contract sterilization companies
2. Category B: Critical supplier. Has to be added to approved supplier list (ASL). Very important to product safety. Quality agreement not required. Supplier audits not required, as long as no nonconformities recur, and certificates for QMS (ISO 13485, ISO 9001, or equivalent) are available. Applies also to CM subcontractors of high-risk processes, audited regularly by CM (bound to us by QA). For companies supplying raw materials incorporated into our products, certificates like CoA as well as receiving inspection documentation, etc., to ensure compliance to specifications, are satisfactory.
2.1 Examples are: Raw material suppliers, contract sterilization companies (bound to CM by Quality Agreement)
3. Category C: Non-critical supplier. Has to be added to approved supplier list (ASL). Certificates are satisfactory.
3.1 Examples are: commercial lessor, suppliers of monitoring and measuring devices, test laboratories, certification agencies, consulting companies.
4. Category D: Non-critical supplier. No need to be added to ASL. All other suppliers.
4.1 Examples are: office supplies
Then the procedure goes on with the following chapters (initial supplier evaluation, ongoing supplier evaluation, quality agreements).
The category is picked during the initial supplier evaluation, during a risk assessment.
Hope this helps!