Supplier classification levels for Service suppliers and Software vendors.

san777das

Hello All

I work as a Quality engineer in a medical device startup and I am in the process of making classification levels for the suppliers that we use for products, software and services. I currently have 3 types of supplier classifications (Type-1, 2 and 3) with Type-1 being the critical and Type-3 being the OTS components.

How can I include the service suppliers and software vendors in these categories?
I assume the pest control supplier, calibration suppliers should fall in either Type-1 or 2 since these would impact the safety of the product. But I am not sure where the software vendors (eQMS, ERP, analytical software vendors, etc.) would fall under?

Your help would be appreciated.
Thanks
 
In the Medical Device industry, there is an expectation that raw material/component suppliers get classified based on the safety risk of the raw materials they deliver, as documented in the RMF, modulo what level of controls will be implemented at the supplier. [this is the "out" for having OTS parts from suppliers you can't negotiate with, you will need more than supplier controls for certain OTS parts to guarantee safety]

Similarly for Services, if the service impacts the risk profile of the devices... there is an expectation that appropriate controls will be put in place. The RMF can help, but you will need to apply critical thinking to get the 'right' answers. For example: pest-control is rarely (in my experience) mentioned in a product RMF, but it is always mentioned in the QMS. So I'd create a scale 1-3 that allows for sources other than a product RMF.

Software is just a special type of component, and software can also support the DMR (in production, for products) as well as QMS. I'd apply a similar 1-3 scale.

It is common that for business reasons (i.e. not product, not QMS) some suppliers get an elevated ranking due to business importance.
 
Mark Durivage, who's an author and writer of some ASQ books, wrote a helpful article a number of years back that I still reference often. It more or less creates a matrix of your risk classification and allows you to then pair that with types of suppliers to assign specific qualification and requirements based on that combination. You could create software as its own type of supplier type, or follow his example where he has something like ERP/GMP software in that combination of Medium Risk / Manufacturer of Products and Materials.

Article here: https://qscompliance.com/wp-content...g-Risk-Based-Thinking-To-Manage-Suppliers.pdf
 
Suppose you are unsure of the proper classification being assigned. In that case, you can exercise your disaster recovery plans explicitly with a failure of that software provider (cloud outage, virus, data leak, bankruptcy, etc.). This will serve the purpose of the test and align your risk estimate. At the end of the test, you should be able to align the outcome with your prediction.
 
A theme with the previous posts is to use common sense. For commercial software suppliers, you're not going to be able to do anything to "control" them (and hopefully you're not sending them supplier surveys). (If you are outsourcing software development for part of your medical device, that's a whole different story). Do realize that software used in the execution of the QMS needs to be validated so do spend your time there!

Do ensure you have latitude to apply common sense to vendor qualification and approval. Doing an on-site inspection of a pest control shop does nobody any good. :)
 