ISO 13485:2016 QMS: Outsourced Processes

[Jscivi]

Hello,
I am a biomedical engineer and I am currently starting a medical device start-up in Europe with a colleague and I am in charge of putting into place the QMS (ISO 13485:2016) of the company. I have little experience in that field (apart from some exposition in a previous start-up I worked for), but I have been reading a lot of various standards and quality manuals from other companies to get an idea on how it works. I am therefore happy to have found your forum!

To be brief, we develop a medical device (Class IIa, for CE Mark) that can be controlled by a smartphone-based application, that we are also developing.

We plan on sub-contracting the manufacturing of the medical device. Basically, we would only provide the products specifications of the device (but not the design of the internal electronics/mechanics) to the supplier. The supplier will be in charge of designing the electronics/mechanical systems + manufacturing + testing.
Our company will be mostly focused on the mobile application development.

My question is the following:


While developing the QMS, in particular defining the difference processes and procedures, how do we manage processes/procedures that will be undertaken by our supplier? In particular, what are the various scenarios if the supplier:
- Doesn’t have a QMS
- Has a QMS as per ISO 9001
- Has a QMS as per 13485

For example (Regarding manufacturing), if the supplier doesn’t have a QMS, do we need to write procedures regarding the manufacturing of the device and ask the supplier to comply to them (+ make audits)? And if he has a QMS, does that mean that we don’t need to write any procedures regarding manufacturing, and assume everything is good? Or do we still need to write a procedure and then make sure that the supplier's QMS complies with it?

Thank you in advance for your time and help!

 

[yodon]

Re: QMS: Outsourced Processes

There's yet a 4th scenario (derivative of the 3rd):
- Has a QMS per 13485 but not registered through an accredited Notified Body
- Has a QMS per 13485 but IS registered through an accredited Notified Body

If not with an accredited NB (or any of the other scenarios), they would be subject to audit by your NB.

In all cases, you're ultimately responsible so you have to ensure all the required elements are fulfilled. The path of least resistance is having a CM that is registered with an accredited NB. (The field is shrinking so be aware!)

 

[somashekar]

Re: QMS: Outsourced Processes

You cannot define the processes and procedures if you are not experienced in manufacturing activities. So you select someone who is, and who understand your requirement. Certainly he must have a QMS per ISO 13485, for its a medical device. Make sure he understands validation and is able to identify what process validations are essential in your device manufacturing. (Perhaps with your manufacturing consultant if you can). Evaluation and selection here is the top choice, as other controls are governed from here on.
Subject the prototype you get from him through your evaluation and be responsible to freeze the procedure. Your manufacturer must be bringing up any change going ahead with your prior communication and necessary re-validation having your approval. He must also be open to your audit (directly or through a third party) as well as be open to regulatory audit. Set up such a good contract manufacturing agreement. Identify his product release procedure and records approval have the competent persons identified.

 

[Marcelo]

Re: QMS: Outsourced Processes

- Has a QMS per 13485 but not registered through an accredited Notified Body
- Has a QMS per 13485 but IS registered through an accredited Notified Body

I assume you wanted to say Certification Body. Certification bodies certificate QMSs. NBs are only related to compliance with European requirements.

 

[yodon]

Re: QMS: Outsourced Processes

I assume you wanted to say Certification Body. Certification bodies certificate QMSs. NBs are only related to compliance with European requirements.

Ugh... yes, thanks for clarifying. Too many bodies and authorities and...

 

[Ronen E]

Re: QMS: Outsourced Processes

I assume you wanted to say Certification Body. Certification bodies certificate QMSs. NBs are only related to compliance with European requirements.

Many (most?) NBs are also accredited certfication bodies, so the distinction becomes almost academic. I guess that the confusion comes from the use of the word "accredited". NBs (in their position as a NB, not as a CB) are not "accredited" but are instead "notified" by the Member State they are registered in.

I think that Don's advice to look for NB-certified CMs is good regardless, due to the MDD clause that states that a NB auditing a manufacturer (the spec developer in that case) needs to take into account assessments made under the CE framework of interim stages in the device's manufacture, i.e. any relevant assessment already done by a NB. The practical meaning of that clause is to avoid double auditing under the same rules, so if the CM is already certified by a NB it means another NB won't reaudit it without a solid cause.

 

[Ronen E]

Hello,
I am a biomedical engineer and I am currently starting a medical device start-up in Europe with a colleague and I am in charge of putting into place the QMS (ISO 13485:2016) of the company. I have little experience in that field (apart from some exposition in a previous start-up I worked for), but I have been reading a lot of various standards and quality manuals from other companies to get an idea on how it works. I am therefore happy to have found your forum!

To be brief, we develop a medical device (Class IIa, for CE Mark) that can be controlled by a smartphone-based application, that we are also developing.

We plan on sub-contracting the manufacturing of the medical device. Basically, we would only provide the products specifications of the device (but not the design of the internal electronics/mechanics) to the supplier. The supplier will be in charge of designing the electronics/mechanical systems + manufacturing + testing.
Our company will be mostly focused on the mobile application development.

My question is the following:


While developing the QMS, in particular defining the difference processes and procedures, how do we manage processes/procedures that will be undertaken by our supplier? In particular, what are the various scenarios if the supplier:
- Doesn’t have a QMS
- Has a QMS as per ISO 9001
- Has a QMS as per 13485

For example (Regarding manufacturing), if the supplier doesn’t have a QMS, do we need to write procedures regarding the manufacturing of the device and ask the supplier to comply to them (+ make audits)? And if he has a QMS, does that mean that we don’t need to write any procedures regarding manufacturing, and assume everything is good? Or do we still need to write a procedure and then make sure that the supplier's QMS complies with it?

Thank you in advance for your time and help!

Hello Jscivi and welcome to the Cove

With regards to the contract manufacturer's QMS, I assume you meant "has no doumented QMS". In the most general sense, a QMS is a collection of policies, processes and practices. Almost all contemporary manufacturers have a QMS within that broad meaning. A manufacturer in the medical industry which has absolutely no QMS would be rare (however, if you do find such one I would definitely avoid it!).

Further, I would advise you to also avoid manufacturers that have a documented, uncertified QMS (either standard), unless the manufacturers possessing the subject-matter knowledge, equipment, expertise etc. that are required specifically for your type of device are rare (in that case you'll obviously have to compromise). Some of them might actually be good, but in your position you don't have the ability to verify that they're compliant and that their quality practices suffice, and the ride will be rougher. Having a certified QMS will be a better starting point (not meaning in any way that it will guarantee a smooth ride).

In my opinion a certification to ISO 13485 is not essential. Definitely the MDD and ISO 13485:2003 don't currently require that of suppliers. Having an ISO 13485 certification might be an advantage over an ISO 9001 one, but not an overwhelming one so you have to evaluate the situation as a whole. The important thing is that the manufacturer has a QMS certified by a reliable, accredited/notified organization.

Regarding your relationship with the manufacturer -

As a specification developer, your QMS doesn't need to go into the nuts and bolts of processes you outsource. As already highlighted, the ultimate responsibility is yours so you must evaluate the outputs and ensure that the official (MDD) requirements are met. What I normally do when I construct QMSs for specification-developer start-ups (your situation is quite common) is place the controls over the contract manufacturer's processes in the Purchasing Control procedure, usually under a dedicated section (apart from the general controls that apply to all suppliers). Process Control / Manufactuing Control procedures are typically very light in such cases. When design is also outsourced but it's a unique/proprietary design (ie it's not an OBL situation, where you actually purchase a ready-made design owned by the CM) I include Design Control procedures even though you don't do it yourself, because it's a critical component and you need to have the design documentation anyway. This will ensure that individual design outputs (eg Design Input) are reviewed for adequacy and approved in real time and the design history is captured in full.

You may be invovled in creating / adjusting the Work Instructions, if you have any meaningful input and the CM is receptive of that, but that is not a must. After all, you hire them because they have the expertise and experience, and you don't. I would also not take the position of "policing" the routine activities at the manufacturer's premises. You do need a strong supplier evaluation and selection process and you need to follow through to ensure that you choose the right CM. Don't go to sleep after that - periodic monitoring and even on-site auditing are legitimate and important; just don't overdo it.

In short:
1. Put a lot of attention into the initial establishment of relationship with the right manufacturer (and have a backup ready).
2. Once the contract is set up let them do their work and contribute when asked for it. Intervene only if serious breakdowns occur.
3. Monitor the outputs (all key documentation) and audit the manufacturer's performance on a periodic basis.

I hope I covered the main aspects, let me know if something doesn't make sense to you or seems to be missing.

Cheers,
Ronen.

 

[Jscivi]

Hello,
Thank you all for your responses. In particular Ronen for the clarifications and recommendation when selecting the Supplier in terms of its QMS.

It actually responds to my main questions. I might repost another question in the near future if I have other questions.

Thank you again to you and all the others.

Have a great day!

 

[pkost]

I think the status of the subcontractor is somewhat irrelevant.

From the description provided, OP will be "manufacturer" as defined by the directive and therefore responsible for product.

OP must develop a specification for the subcontractor, detailing his requirements. OP must the assure himself that his subcontractor is capable of meeting the requirements to his satisfaction. This is achieved by:
1. Defined Product specification
2. Supply/Technical agreements
3. Supplier assessment
4. Supplier performance review (ongoing)

The supplier assessment can be a number of methods depending on the risk of the supplier; it can be cursory based on the contractor holding appropriate certifications i.e. 13485 or 9001. Or it could be a site audit by OP.

In defining processes for your QMS state how you control the processes through oversight and governance

 

[Dtbal]

Hello guys,

Need some guidance here.
We are a Class I medical device start up firm. We have outsourced our industrial design (plastics) to a contract manufacturing vendor, which is ISO 9001 certified. They are fairly co-operative in sharing their manufacture control documents for the plastic and mechanical parts (final assembly and testing will still be done in our premises.
What additional type of controls and documentation should we put place in place (at our end and vendor end) so that we are able to satisfy quality requirements as per ISO13485 norms? Or do we absolutely have to manufacture from only ISO 13485 certified vendors?

Thanks