How Specific in an ISO 13485:2016 Scope for a Contract Manufacturer

MJ_Connors

Registered
Hi,

Long time lurker.

The issue at hand is a contract manufacturer used by my organization currently makes the "device" in a drug-device combo product. They have now come to us and stated they would like to expand activities to include the "drug" part as well. This would include, among other things, the creation of the drug-excipient solution, application to the device, pre-sterile testing and primary packaging. This is not a small amount of effort.

I have told them they would need to revise their current ISO 13485:2016 cert scope to include the drug application part (beyond the existing "manufacture of <X TYPE> of medical devices" yadda yadda). Naturally, they push back and say that would be too much work (as if the rest of the process of transferring a drug application technology *isn't* work?).

Our notified body (not the CM's) is notably strict on these topics, and will most definitely pay them a visit as part of the critical supplier audit. I see a deviation coming when their ISO scope does not include this incredibly high-risk activity.

They respond that their NB (a notably soft one) has advised them it's not necessary.

My question to the minds here: How specific would you get in the scope of activities here, especially in a high-risk situation?

p.s. the more I write this out, the more clear it seems to me, but maybe that's my problem?
 

John C. Abnet

Teacher, sensei, kennari
Leader
Super Moderator
Hi,
I have told them they would need to revise their current ISO 13485:2016 cert scope to include the drug application part (beyond the existing "manufacture of <X TYPE> of medical devices" yadda yadda). Naturally, they push back and say that would be too much work (as if the rest of the process of transferring a drug application technology *isn't* work?).

Good day @MJ_Connors , and congrats on stepping out of the shadows.

May I inquire as to what their current scope states? (if you feel uncomfortable sharing, simply paraphrase it).

Thanks in advance.

Be well.
 

MJ_Connors

Registered
Good day @MJ_Connors , and congrats on stepping out of the shadows.

May I inquire as to what their current scope states? (if you feel uncomfortable sharing, simply paraphrase it).

Thanks in advance.

Be well.

Hi,

Thanks for taking the time to review.

It's a fairly generic along the lines of:

"...contract manufacturing activities of minimally invasive medical devices and components"

Looking at this, they don't even have the D-D combo listed either. If that was in the scope, that could be considered to include the application process. Yeah, the more I look, the less confident I feel.
 
Who currently manufactures the drug part? Another contract manufacturer? If there is no benefit to your organization to make the change, that is an easy no.
 

Sidney Vianna

Post Responsibly
Leader
Admin
My question to the minds here: How specific would you get in the scope of activities here, especially in a high-risk situation?
Well, the "mandatory" document governing this is the (broken link removed)

How Specific in an ISO 13485:2016 Scope for a Contract Manufacturer

But, the reality is: Most many some certification bodies don't take their responsibilities seriously and slap generic scope statements in their certificates and their lead auditors are derelict in their duties of ensuring the scope of certification reflects the nature of the system being certified.

You are the customer of the contract manufacturer, so, act as one and DEMAND what you mentioned. If the crap hits the fan, it is your organization's name and brand associated with the risks in the marketplace. Risk. Think.

Good luck.
 

MJ_Connors

Registered
Who currently manufactures the drug part? Another contract manufacturer? If there is no benefit to your organization to make the change, that is an easy no.

Hi,

Sorry, I'm not fully clear on what you mean by "manufacture the drug part".

The drug active pharmaceutical ingredient (API) is manufactured by a completely unrelated 3rd party. No problems there.

The CM would have to store the API, mix the solution of drug and excipient, apply it to the device and then perform non-sterile product testing (including testing of aspects of the drug coating such as purity as well as the consistency of the coating process) prior to primary packaging. Each part of the process has significant inherent risks involved.

Contingent in these are numerous supporting requirements which must be met, such as suitable environmental requirements for storage (some APIs require long-term storage in -80 deg C refrigeration), contamination controls, employee competency etc. This isn't just snapping a new module in place; there is considerable direct and indirect regulatory requirements that must be considered (in addition to local laws regarding handling, storing, dispensing and disposing of controlled APIs).

As far as the "benefit" to my organization, a NB non-conformity against the certification scope means no manufacturing, even if it is an administrative issue. That entails the CM needing to be recertified under thei NB for the new scope before supplying us the revised certs for resubmission to our NB for approval. So benefit of forcing this before, as opposed to after a subcontractor audit, could mean avoiding months of delays.

But, the reality is: Most many some certification bodies don't take their responsibilities seriously and slap generic scope statements in their certificates and their lead auditors are derelict in their duties of ensuring the scope of certification reflects the nature of the system being certified.

You are the customer of the contract manufacturer, so, act as one and DEMAND what you mentioned. If the crap hits the fan, it is your organization's name and brand associated with the risks in the marketplace. Risk. Think.

Good luck.

This is the current state of things.

You've hit the nail on the head about the (in)difference in application of many ISO principles by different NBs, especially where I am located. The tendency here with *local* NB representatives/auditors is towards "eh, good enough", which I do not subscribe to (as opposed to my NB's actual EU-based reviewers traveling to audit the facilities), hence my preference for working with a more stringent NB. In my experience, this pays *huge* dividends down the road when filing vigilance reports and addressing local regulators questions, and I would imagine likewise with the upcoming PSURs requirements under MDR.

Another consideration is that our DE Certs will eventually list the product as a D-D combo, but nowhere in the chain of critical supplier certs in the Technical Information File would there be a corresponding QMS certificate with a scope of activities listing a "Manufacturer of drug-device combination products". It remains how well that would be accepted by the various EU national ministries :-/ I'm not hopeful that they'd be understanding.

Yeah, it's looking more like this is going to be an issue I will need to force, but it will be a contentious issue for more political reasons.

Thanks.
 

MJ_Connors

Registered
To clarify my question, I was wondering what the benefit is to switch API manufacturing from your "completely unrelated 3rd party" to this other contract manufacturer.

Hi, unfortunately that's not an option at all.

The API is a drug. It's made by a pharma company whose business is making drugs. In my case, the contract manufacturer is (very) experienced in building minimally invasive devices, but knows nothing of pharma. (I know, risks ahead!)

To use an (maybe awkward) example, Apple sells phones. They don't make them, their contract manufacturer Foxconn does. Apple wants its phones to be compatible with Facebook, since Apple's customers tell them that they like to use Facebook. From what I understand your question to be, and translating it into this example, you're asking if I can have Foxconn take over the core programming of the Facebook app themselves to make it compatible with Apple phones, and essentially cutting Facebook itself completely out of the process.

It's not in Apple's interest to have Foxconn take responsibility for making what (software) gets loaded onto the phone; just that the phone is capable of being an open platform to accept a wide range of software. Foxconn has their expertise, Facebook has theirs. Apple is happy to leave it that way.

As the "Apple" in that example, that's the position I find myself in. I'm asking my "Foxconn" to declare that their stated activities include the capability to build a product that "Facebook" can be loaded onto (based on the specs which I have given them), even preload Facebook onto the phone and then deliver it to the customer. I'm obviously skipping several steps, but that's how I interpret your question.

If I'm wrong, *please* correct me. Thanks!
 
Your contract manufacturer "would like to expand activities to include the "drug" part as well. This would include, among other things, the creation of the drug-excipient solution, application to the device, pre-sterile testing and primary packaging."

What organization performs "creation of the drug-excipient solution, application to the device, pre-sterile testing and primary packaging"? Is it your organization or another contract manufacturer?
 

MJ_Connors

Registered
Your contract manufacturer "would like to expand activities to include the "drug" part as well. This would include, among other things, the creation of the drug-excipient solution, application to the device, pre-sterile testing and primary packaging."

What organization performs "creation of the drug-excipient solution, application to the device, pre-sterile testing and primary packaging"? Is it your organization or another contract manufacturer?

Cool.

Short answer: my organization is legal product owner but design and manufacturing are outsourced, so we're not doing any handling of the device up to sterilization. That leaves the application of the coating solution (API+solvent+excipient) to the CM.

The alternate option would be to bring coating application process in-house (we actually have the institutional knowledge and core competencies for manufacturing, testing and analysis to bring this in house, but costs are such that it's more affordable for the CM to do it).
 
Top Bottom