Control of Outsourced Processes (not properly described in the quality manual)

[Edugar]

Quote:

Originally Posted by db

Quote to me, from the standard where this is a requirement? I do not see that in my copy of ISO 13485. I don't think this is a valid nonconformity.

Yes, you are right. It would be a NC if the Outsourced processes were not properly controlled. In this situation I guess the auditor wanted a clearer description.

[DRDDO]

Quote:

Originally Posted by Edugar

Yes, you are right. It would be a NC if the Outsourced processes were not properly controlled. In this situation I guess the auditor wanted a clearer description.

Hi Edugar
I really agree with you,
although the requirement is not specifice required outsource process in QM but it is good business practcie to indicated in QM,
for example: Sterile produce done by ABC company!
We are not lawer, we are medical device maker,
Auditor want to make clear as you say.
what do you think?
DRDDO

[somashekar]

Quote:

Originally Posted by Edugar

Hello all,

We received the following minor non conformity in our last 13485 audit from our notified body: “the outsourced processes and their control are not properly described in the quality manual”.

In order to address this feedback, we are looking at different options to make our current approach of managing the outsourced processes more transparent to all involved parties. One simple approach would be to do a procedure.

- Do you think that it is the best way to show that organization controls the outsourced processes?
- Do you have any example of “control of outsourced processes” procedure to share?

Appreciate your input.

We have a section in the manual which lists the processes outsourced and the type of controls exercised by the organization on these. The type and extent of controls are an annex to our procedure for "Verification of purchased products".
Typically we have identified all such processes which would be classified as 'special process' and if they are outsourced, then the controls we exercise are detailed in the annex. Here we have also identified purchasing activity of some vital performing modules and controls over them are detailed. (ex: power supply module, NIBP module., to name a few)
This has worked very well for us and like your case, is an action over a minor from our CB some years back.

[Peter Selvey]

As an auditor I have often recieved client questions about the difference between an outsourced process and normal purchasing.

Recent someone asked me about retention period of documents in suppliers, and I saw things a little differently.

Reading Clause 1.2 of ISO 13485 leads me to believe that an "outsourced process" should be considered as being "inside" the medical device manufacturer's ISO 13485 quality system, whereas normal purchased product can be considered "outside".

The implication of this is that for any subcontractor performing an "outsourced process", your quality system needs to somehow extend into thier facility to make sure that the relevant parts of ISO 13485 and regulations are met. So for example, such a supplier would need to keep a calibration record of the micrometer used in production for 5 years if the final product is sold in Europe. How you do this is up to you, but typically agreements (contracts) would need to be in place, maybe requests to be ISO 13485 certified or follow your procedures, include them under your internal audit scope etc etc. These would form basis of "suitable controls".

On the other hand, a normal parts supplier has no (legal) obligation to meet any requirements from ISO 13485, e.g. no need to keep calibration records for 5 years.

This distinction of "inside" and "outside" helps to clarify many things. However, there is no guidance I can find to help decide what is an "outsourced process", i.e. what to pull inside your quality system.

I would consider it wise that any supplier whose failure can lead directly to harm should be considered an outsourced process. Medical devices are normally designed with many levels of protection, this combined with production tests means that most supplier failures would not directly lead to harm; thus for a typical manufacturer with in-house design, assembly, inspection and test (and sterilization), the number of outsourced processes should not that many.

If any of these key areas get outsourced, or you purchase a part that is critical and cannot be verified before shipping, consider it an "outsourced process".

Any thoughts?

[RCW]

"Outsourced Processes" applies to other fields besides medical devices. As posted earlier they are also referred to as "special process" and I see this a lot in the aerospace arena.

I was trying to follow Peter Selvey's explanation of "outside" versus "inside" and apply it to special processes. From what Peter was describing, if I had a piece of sheet metal fabricated with some holes in it, that would be an outsourced process. However I have not seen this specified as a special process in the aerospace field. Processes such as anodize and chem film are definitely outsourced processes (in my facility) and considered special processes.

What I'm stating is what I have run across. Others might disagree or have other opinions contrary to this. (Tax and license extra, your mileage may vary, void where prohibited by law. )

[Peter Selvey]

As far as I am aware, special process and outsourced process are not the same thing, i.e. a special process in a supplier does not automatically mean it must be an outsourced process. This would extend to far down the supply chain to be practical.

Also while the main text for "outsourced process" in Clause 4.1 of ISO 13485 is identical to ISO 9001, there is some additional text in Clause 1.2 which is unique for ISO 13485 (medical devices):

The processes required by this International
Standard, which are applicable to the medical
device(s), but which are not performed by the
organization, are the responsibility of the organization
and are accounted for in the organization’s quality

management system [see 4.1 a)].

The phrase "accounted for in the organization's quality management system" took some new meaning for me when I was asked about retention periods of quality records in suppliers. One interpretation could be that an "outsourced process" is any process where the application of controls effectively ensures ISO 13485 and regulatory requirements are implemented at the supplier (for example, retention period of records).

Retention periods are a relatively minor issue (despite being a favorite point for auditors), but since they are a specific regulatory requirement, it is an excellent test case, and other opinions/thoughts are welcome.

[John Martinez]

Quote:

Originally Posted by Peter Selvey

The processes required by this International
Standard, which are applicable to the medical
device(s), but which are not performed by the
organization, are the responsibility of the organization
and are accounted for in the organization’s quality

management system [see 4.1 a)].

The phrase "accounted for in the organization's quality management system" took some new meaning for me when I was asked about retention periods of quality records in suppliers. One interpretation could be that an "outsourced process" is any process where the application of controls effectively ensures ISO 13485 and regulatory requirements are implemented at the supplier (for example, retention period of records).

Retention periods are a relatively minor issue (despite being a favorite point for auditors), but since they are a specific regulatory requirement, it is an excellent test case, and other opinions/thoughts are welcome.

A manual is PART of the system. Regarding processes (whether outsourced or not), 4.1 and 4.2.2 are applicable. If the outsourced process is described in a purchasing procedure (not required), then I would submit that it IS "IN" the management system. Again, need more info from the original poster.

[zhang126]

Quote:

Originally Posted by db

Quote to me, from the standard where this is a requirement? I do not see that in my copy of ISO 13485. I don't think this is a valid nonconformity.

See Article 4.1