Control of Outsourced Processes

(EN) ISO 13485:2016 Control of Outsourced Process is manufacturer’s responsibilities don’t change with respect to designing and manufacturing a safely
performing device even if a related activity is outsourced. According to the Medical Device European Directives, the manufacturer is the party that has the responsibility for all aspects of the medical device, from designing it to putting it on the shelf, regardless if a third party performs one or more
tasks in this process. Other international regulations echo this definition. A supplier is a party that supplies a product, service, or information, but is not included in the manufacturer’s quality management system (QMS). This broad definition can apply to any type of organization that helps to
implement the activities that satisfy quality system requirements, but are not part of the manufacturer’s QMS. A critical supplier is one that delivers those materials, components, or services that influence the safety and performance of the device. A manufacturer may have its own idea of what is critical to the device, but regulators are focused on the safety and performance of the finished product. Regardless of the critical nature of the supplier in this definition, the strategies for controlling the supplied part or service may vary by using all available evidence of the suppliers’ control.

Manufacturer’s Responsibilities with Respect to Outsourced Activities and Suppliers

The basic definition of the manufacturer’s responsibility for the device does not change even if different jurisdictions spell out the manufacturer’s responsibilities slightly differently. However, there is one common theme across many jurisdictions: manufacturers can delegate tasks to outside
suppliers, but a manufacturer cannot delegate its responsibilities under the regulations. The manufacturer’s responsibilities in the EU are mentioned in the Directives and guidance documents, which state that a manufacturer can delegate tasks, but it cannot delegate responsibility. The Canadian medical device regulations are similar, placing responsibility for meeting regulatory safety, effectiveness, and QMS requirements for the finished device on the manufacturer. In the United States, the definition of who is subject to registration, while consistent with the European definition of “manufacturer,” expands the definition to the specific developer, the initial importer, and the re-packager or re‐labeller of the device. Requirements for the control of outsourced activities are explicit in the QSR, although this definition doesn’t explicitly refer to outsourced activities performed on behalf of the manufacturer. This means that a manufacturer remains responsible for all the QMS functions. As a result, a manufacturer needs to be able to show that it can maintain responsibility over the suppliers’ activities.

This may be counter intuitive and challenging, especially when the organization that puts the product on the market under their name or brand is not directly, technically, and concretely involved in any of the design, manufacture, storage, shipping, and after sale activities. Indeed, some “manufacturers” never see the products they distribute under their names. Also, the suppliers may have expertise that the manufacturers themselves do not have, so the manufacturer should maintain its trust and confidence in the supplier through processes to maintain control and sound rationales.
A business model should not be adopted by a manufacturer simply because it works within regulatory limits, because many business models can satisfy regulatory requirements. However, the manufacturer must absolutely ensure that regardless of the business model, the regulatory requirements are satisfied and it can establish that the finished product is safe and performs when put on the market.

Activities that Can Help a Manufacturer Maintain Control of Outsourced Activities Process as per ISO 13485

There are different ways that a manufacturer can maintain control of an outsourced process. First, the manufacturer should have systematic processes for maintaining this control. Typically a sound QMS system has these processes. The ISO 13485 standard, the Medical Device Directive, and the U.S. QSR all require procedures and corresponding records, as evidence of implementation. Depending on the outsourced activity, it’s not always feasible to have the same one‐size‐fits‐all process. A manufacturer may instead develop an ad‐hoc approach depending on the scope of the outsourced activity, sometimes involving team work, to verify the supplier can perform the work while the manufacturer maintains control. This process is essential when considering critical suppliers. A legal manufacturer must demonstrate increasingly robust procedures, depending on the critical nature of the supplier, activity, or part. A risk‐based approach is therefore necessary, based on the potential impact of a failure of the delegated task on the safety and performance of the device, and the ability of the supplier and the legal manufacturer to detect the failure.

Initial Selection of Suppliers as per ISO 13485

The legal manufacturer also maintains control over the suppliers when the suppliers are initially selected. A manufacturer can choose its own suppliers, although it should have a set process. To show this process, the manufacturer should keep documentation from the potential suppliers and show the selection criteria and decision rationale for choosing one supplier over another. Some questions the manufacturer can ask when determining the criticality of the supplier are:


How critical is the device itself;
How can the delegated activity fail to meet the specifications;
Are there any applicable standard for the component, part, or process;
Is it a custom or off‐the‐shelf material, component, or part;
Is it a finished device, material, component, or semi‐finished device requiring further processing;
Does it involve special processes that a product inspection can verify (i.e. requiring process
validation) or not;
Does the manufacturer have in‐house expertise to fully understand and assess the contractor
capability to make the product per specifications; and

Is it the only possible source for the considered product.

When the manufacturer has the selection criteria for choosing a supplier, it should verify the supplier’s ability to meet the criteria it chose. The GHTF outlines four steps to this initial verification. First, the manufacturer should plan for the evaluation and selection criteria. Second, the manufacturer should communicate with the potential suppliers and refine any requirements that need to be refined. Third, the manufacturer should evaluate the potential supplier’s ability to meet the selection criteria. Finally, the manufacturer can make the decision to accept the supplier based on this  valuation.

Auditing Suppliers

Auditing a critical supplier is sometimes the only way to confirm the capability of a supplier to meet the manufacturer’s needs, and it can build confidence in a supplier. It allows the manufacturer to assess the consistent implementation of the suppliers’ procedures that control the process. It may identify opportunities for improvement beyond the minimal compliance. It also allows the manufacturer to see the immersed part of the iceberg, so to speak, the visible part being the received product and its documents.

Supplier Contract as per MDR and ISO 13485

The contract is the cornerstone of the relationship between the manufacturer and its supplier. It spells out the scope of the agreement, relationship of the parties, the products it applies to, and many other important aspects of the manufacturer‐supplier relationship. A list of 15 items that the contract
should address, at a minimum, can be found in the NBOG Best Practices Guide, 2010‐1. According to the US regulation, the contract must ensure that the supplier cannot change something that could potentially affect the safety or performance of the device without informing the manufacturer so it
can assess the impact of such changes. It is common to see the clarification in the contract that such a change must be authorized by the legal manufacturer.


When the contractor and the legal manufacturer agree that some parts of the process are proprietary and can’t be provided to the manufacturer, they must also agree about conditions under which the manufacturer could access the data. Competent Authorities or Notified Body may always request the information from the manufacturer, so the supplier should be aware of those conditions as well. If the device is subject to design or type examination for CE marking, the Notified Body will likely request this data. The notified body may receive the data directly from the manufacturer and keep it confidential so that only the assessment outcome is shared. Therefore, the manufacturer must provide the data.

Process Validation

Where special processes are part of the subcontracted service or product, in order to fulfill its obligations the manufacturer must ensure that the processes are properly validated and that the process is routinely performed according to the validated parameters. It such case, the manufacturer
must have access to the study protocol and the report that demonstrate the process validation. The manufacturer should keep this data as a good practice. The information provided with the product by the contractor should confirm the coherence between the validated parameters and the applied process.

Incoming Inspections as per GMP / ISO 13485

Verifying the purchased product or service, through the incoming inspection process by the manufacturer has particular strategic importance for the control of this product or service. A more extensive incoming inspection demonstrates evidence that the part or product complies with its
specifications. Instead, where incoming inspection is done on a sampling basis or there is only an administrative/quality assurance document review, the approach must be consistent with other evidence of control of the product’s conformity. The “dock to stock” and “supplier to client” business model, especially, require thorough evidence of controls. The manufacturer’s employee or representative verifies the purchased product at the supplier’s facility. In such case, these verification records pertain to the manufacturer’s QMS and should be available at the manufacturer’s facility.
Routine Monitoring, Supplier Corrective Actions The manufacturer can also maintain control through routine monitoring of the suppliers and requests
for supplier corrective actions. Open and transparent communication is expected. The definition of controls prior to implementing the outsourcing agreement doesn’t guarantee a good relationship without any issues. Based on this monitoring, the manufacturer should be able continually to reevaluate the supplier with respect to the considered device or service. Monitoring should be implemented according to a pre‐established procedure according to ISO 13485 and the U.S. QSR.

According to a risk‐based approach, it should be designed to review the consistency of the current supplier’s practices with the specifications and updating specifications as needed based on issues with the device that the supplier, the manufacturer, and/or the user experienced. External factors, such as new and revised regulations, requirements of targeted markets, or corporate policies can cause an update of the specifications. When the manufacturer requests corrective and preventative actions, the plan should ensure communication of the actual results of these actions and reviewing their effectiveness. This underlines the importance that the manufacturer and the supplier communicate well.

Supplier’s Certified Quality Management System

More information to keep in the supplier selection record is whether this supplier already has a certified QMS. A supplier that is, for example, ISO 13485‐ certified means that a third party evaluated the supplier’s QMS and found it meets the specific standard criteria. While a QMS certificate gives
confidence in the supplier’s good practices, its value must not be overestimated with regards to the actual control of the outsourced activities. A  supplier’s ISO 13485 certificate must not be considered the only method of control of the supplier’s activities. It does not waive any need for the manufacturer to establish the controls ensuring the compliance of the outsourced activity and the safety and performing of the finished device.

Risk‐Based Approach

Finally, a manufacturer can take a risk‐based approach to select, monitor, and maintain control over its suppliers and the subcontracted activities. A good rule of thumb is that the more critical the supplier is to the safety and performance of the device, the more evidence of control the
manufacturer must maintain over it. This is especially true for activities that the Directives specify, like sterilization.

Certification: The Notified Body’s Perspective

Notified bodies and and other regulatory bodies audit manufacturers and their QMS’ for a device to gain CE marking and market entry into Europe or Canada. In terms of suppliers, third parties will audit a manufacturer to confirm that the manufacturer has objective evidence of control over the suppliers’ products or services, and that this evidence is readily available at a manufacturer’s site. One way that manufacturers can show control over the suppliers’ products or services is through the contract with the supplier. Contracts can be audited by a third party certification body, like a notified body, when it audits the manufacturer. Notified bodies check for some specifics within the contract between the manufacturer and its supplier. For example, the notified body will look at:


The scope of the agreement between the manufacturer and the supplier;
The procedures the manufacturer will use to maintain control over the supplier;
Any details pertaining to who is responsible for each piece of documentation;
The tractability of raw materials and components from the supplier to the manufacturer;
Ways the manufacturer and the supplier will communicate;
The details of the product or service that the supplier gives to the manufacturer; and
The criteria the manufacturer will use to accept the supplier’s product.
The contract between the supplier and the manufacturer ensures that both parties are on the same
page regarding their relationship with each other.

When a service or activity is outsourced, the legal manufacturer’s QMS should demonstrate an overall compliance with the requirements in the directives and standards. This includes the manufacturer’s control over its suppliers. As a result, as part of a manufacturer’s audit, the notified body will decide if it needs to audit the supplier along with the manufacturer. Some criteria that notified bodies use are:

The outcome of the manufacturer’s purchasing process audit and if there is enough evidence of control available for that process;
The critical nature of the outsourced product or service and the effect it may have on the subsequent product realization or final product;
Any response to post market information;
Certification of the supplier’s QMS is taken into account, shown by a certificate from a notified body or Health Canada‐approved registrar that is considered more trustworthy than otherwise, but it is not definitive.
Generally, notified bodies assume that a critical supplier should be audited unless the manufacturer shows adequate justification that the notified body doesn’t need to audit the supplier. Medical device manufacturers should not only maintain control over their suppliers, but also provide
evidence that they are maintaining control. Evidence of control will help the manufacturer prove to a notified body that they abide by the regulatory responsibilities.

 

Is it required to have agreement with critical outsourcing vendors for MDR CE Marking?  How to resolve the issue if the vendor is a monopoly supplier / manufacturer?