Supplier approved list - Notified body, regulatory body

Hi Everyone,
I am wondering if notified body is considered as a consultant therefore considered a low risk?
Or since they audit and provide services they would be considered "critical" in supplier control?

Thanks,

I have been with a company that received a nonconformity for this very reason. Registrars provide you with a service. You pay for their audits and they provide you with assessments, audit reports, and certifications.

Even the FDA or other regulatory bodies provide a service. You pay them and they provide you with registration. Sure, this is not optional and these regulatory agencies are often the sole-source of these registrations, but they still provide the service.

For regulatory, you can justify a lightweight supplier approval by stating they are the sole-source and it is legally required. You certainly aren't going to be able to exercise controls over the FDA, and no reasonable auditors would expect you to.

For registrars, for which you can choose one of many, the situation is a little different. I typically approved registrars based upon their certifications, years in business, etc.

How these fit into your system will depend on how you have your supplier classifications set up. I believe you could list these as high risk if you wanted, and justify the lack of typical high-risk controls based upon the uniqueness of these types of service suppliers.

We have got some similar non-conformance related to your question. API auditor stated that, "It is not evident that the facility has defined controls on the outsourced process of Third Party Inspections/ regulatory body. We simply replied that, "Customer nominated third party inspections cannot be considered as outsource process. This is client nominated TPI hence we cannot apply control. Similarly, we can not apply controls over the regulatory body as well. This is similar case to API Q1 9th edition clause number 5.6.1.2C-3. These TPI agencies are certification bodies and as a company we have no right to question a certification body."

We added in our documentations that,"TPI services are proprietary in nature and approve by customer, hence audit of TPI agencies is not applicable in our QMS".

So, coming to your question, this is up to you now that how you are going to write in your QMS and how you are going to present it according to your scenerio.

thanks for the response. In my previous company notified body was considered critical while in my current company they are considered low risk, so I was surprised to consider them more of consultant category, since they're really not consulting, they audit you for your ISO 13485/ MDR compliance and plays a critical role/ risk for the organization. They need to provide certification to ensure they're approved as regulatory body.

You could also argue that during the closing meeting and really the audit itself and management review, the audit work output is 100% verified completely. It's not like they provide a service you are not involved in and don't heavily review on the spot and during other QMS activities.