In directive 2007/47/EC the following was added to Annex II 3.2c of the European Medical Device Directive 93/42/EEC:
It [=quality system] shall include in particular an adequate description of […] the organization of the business and in particular […] where the design, manufacture and/or final inspection and testing of the products, or elements thereof, is carried out by a third party, the methods of monitoring the efficient operation of the quality system and in particular the type and extent of control applied to the third party
A lot of the larger international medical device companies are organized as a franchise or multi-site organization. The term organization is used to designate that the company maintains a quality management system by which all sites are governed. For these organizations one site may be responsible for placing the device on the market, as identified on the labeling of the device, whereas other sites are responsible for the development or manufacturing of the device.
Definition of a Manufacturer
The definition of manufacturer is similar in the European Medical Device Directive, the Canadian Medical Device Regulations and Global Harmonization Task Force (SG1(PD)/N055R6). The wording in the European Medical Device Directive (93/42/EEC) is:
The natural or legal person with responsibility for the design, manufacture, packaging and labeling of a device before it is placed on the market under his own name, regardless of whether these operations are carried out by that person himself or on his behalf by a third party
On the other hand ISO 13485:2003 clause 4.1 specifies
Where an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system.
One could argue that as there is no outsourcing outside the scope of the management system, control of outsourced processes by the manufacturer to other sites is not required. GHTF’s guidance on 'Outsourced Processes' (GHTF SG3(PD)N17/R7) specifies a supplier as anyone that is independent from the manufacturer’s quality management system. This includes a supplier that may be part of the manufacturer’s organization but operates under a separate quality management system but excludes a supplier that operates under the same quality management system.
Type of Control
The need for control within a multi-site organization is identified by the ISO Technical Committee 176 on Quality Management and Quality Assurance and specified in the ISO Guidance on 'Outsourced Processes' (ISO/TC 176/SC 2/N 630R2 November 2003):
In some situations, the organization might not "purchase" the outsourced process in the traditional sense. […] it might, for example, receive the service from a corporate head office or from another division within a group of organizations, without any monetary transaction taking place. Under these circumstances, however, ISO 9001:20006 Clauses 7.4 and 4.1 are still applicable
There are good arguments to defend that the manufacturer should execute some type of control on the other sites that execute outsourced processes on behalf of the manufacturer. As the manufacturer has the responsibility of putting the device on the market it must assure that the product conforms to the essential requirements of safety and effectiveness. This must be assured through control of the design process, including the design change process. This does affect the relation between the manufacturer and the designer site as well as the operational site. The intent of Clause 4.1 is to emphasize that when an organization chooses to outsource a process that affects product conformity with the requirements, it can not simply ignore this process, nor exclude it from the quality management system. Likewise, the manufacturer should not make any exclusions in its quality system, even though some processes are executed by other sites. The manufacturer has to demonstrate that it exercises sufficient control to ensure that this process is performed in accordance to the relevant regulatory requirements and the requirements of the organization's quality management system. Outsourced processes will interact with other processes affecting product quality. These interactions need to be managed and defined (see ISO 13485:2003 clause 4.1
and [f]).