Outsourced Purchasing for Contract Manufacturing vs more typical/simple Supplier Management

[John Walters]

A medical device company (A) decides to utilize contract manufacturing to produce their medical device.
The services that the contract manufacturer (B) will perform include: Purchasing components (some with specific suppliers or subspecifications specified by A and some not), Incoming Parts Inspection, Assembly, In Process and Final Acceptance Testing, Distribution, and Production Process Monitoring and Control.

Company A will purchase the medical device from contract manufacturer B, and so will need an in-house Purchasing process within their QMS, but this will only handle internal business needs, Product Design, and the purchasing of finished systems from contract manufacturer B.

The manufacturing tasks seem to clearly include outsourced service/processes for Incoming Parts Inspection, Assembly, In Process and Final Acceptance Testing, Distribution, and Production Process Monitoring and Control.

The manufacturing tasks seem to also include an outsourced service/process for the Purchasing of components required for the manufacturing of the medical device, but it is not clear to me how or why this is different from similar issues in an otherwise typical n-tier supply chain that didn't outsource manufacturing.

Questions:
1) Wouldn't outsourcing of manufacturing typically include outsourcing of purchasing for the parts needed for manufacturing? (I understand that you could supply the parts directly or hire a separate company to purchase and supply the manufacturer, but I am thinking of a more typical case.)

2) How is this outsourcing of purchasing process for contract manufacturing different from the purchasing process (conducted by various suppliers) of sub-components in the normal n-tier supply chain of individual parts (regardless of who manufactures the final medical device or the individual parts at any level)?

I ask, as I am not sure how to define/limit the scope of activities in a QMS for the purchasing activities at the contract manufacturer. It seems like we need to define the outsourcing of purchasing process to the contract manufacturer (because the purchasing of production parts needs to be controlled by some form of purchasing process), but if this is the case, it also seems like we would do the same all the way down our supply chain for every part (which seems ludicrous / inappropriate). I am not understanding the rationale/principle for justifying that one of these is not an outsourced process (or when to stop saying it is), while one of them is.

I know that 13485 expects QMS process effort to be identified and implemented proportional to Risk (Product Safety, Product Quality, Product Compliance, Process Compliance), but it does not otherwise provide guidance on when the Outsourcing of purchasing process is needed vs simple ordinary supply chain purchasing.

3) Does the subsequent provision of the product make the difference (product will next be distributed/released to customer/market vs component just supplied to next level in normal supply chain)?

4) Does the level of the product make the difference (final medical device, vs components)?

5) Does the level of part specification make the difference (outsource purchasing as far down as you identify part specifications)?

6) Does the level of supplier specification make the difference (outsource as far down as you identify part suppliers)?

7) Any combination of the above or some completely different distinction?

Thanks in advance for any wisdom!

 

[Sidney Vianna]

I know that 13485 expects QMS process effort to be identified and implemented proportional to Risk (Product Safety, Product Quality, Product Compliance, Process Compliance), but it does not otherwise provide guidance on when the Outsourcing of purchasing process is needed vs simple ordinary supply chain purchasing.

I moved the thread to the ISO 13485 Forum. In this day and age of disrupted supply chains, I see a HUGE risk that would require mitigation, in my point of view: Despite your organization providing the components specifications for the contract manufacturer (CM) to purchase against, I can almost guarantee that due to shortages and pricing fluctuations, the CM's buyers would be enticed to accept "slight" different componentry for your assemblies and, chances are, you as the legal manufacturer would have no idea of what is happening. How do you mitigate that risk?

 

[indubioush]

Hmmm, where to start?

4.1.5 When the organization chooses to outsource any process that affects product conformity to
requirements, it shall monitor and ensure control over such processes. The organization shall retain
responsibility of conformity to this International Standard...

This may be best explained in examples.

Example 1
Company A is the legal manufacturer of an implantable medical device. Company B is the contract manufacturer. Company A selects, evaluates, and approves suppliers and performs all purchasing of medical device components. Company A sends all components to Company B. There is a written agreement that Company B will only use the components that Company A provides.

Example 2
Company A is the legal manufacturer of an implantable medical device. Company B is the contract manufacturer. Company A selects, evaluates, and approves suppliers. Company B orders components from the suppliers approved by Company A. There is a written agreement that Company B will only purchase components from the suppliers that Company A has approved.

Example 3
Company A is the legal manufacturer of an implantable medical device. Company B is the contract manufacturer. Company B selects and evaluates suppliers and sends this information to Company A for approval. There is a written agreement that Company B will only purchase components from the suppliers that Company A has approved. The written agreement is periodically amended to list new approved suppliers.

Example 4
Company A is the legal manufacturer of a medium-risk medical device. Company B is the contract manufacturer. There is a written agreement that Company B will only use suppliers that meet certain criteria. There is also an agreement that each lot history record contain full traceability to the material level and supplier information. Company A reviews each history record to confirm that all material and supplier requirements have been met.

Example 5
Company A is the legal manufacturer of a low-risk medical device. Company B is the contract manufacturer. There is a written agreement that Company B will only use suppliers that have a quality system. Periodically, Company A will audit Company B, and during this time, Company A will assess whether the requirements listed in the agreement continue to be met.

 

[somashekar]

A medical device company (A) decides to utilize contract manufacturing to produce their medical device.
The services that the contract manufacturer (B) will perform include: Purchasing components (some with specific suppliers or subspecifications specified by A and some not), Incoming Parts Inspection, Assembly, In Process and Final Acceptance Testing, Distribution, and Production Process Monitoring and Control.

Company A will purchase the medical device from contract manufacturer B, and so will need an in-house Purchasing process within their QMS, but this will only handle internal business needs, Product Design, and the purchasing of finished systems from contract manufacturer B.

The manufacturing tasks seem to clearly include outsourced service/processes for Incoming Parts Inspection, Assembly, In Process and Final Acceptance Testing, Distribution, and Production Process Monitoring and Control.

The manufacturing tasks seem to also include an outsourced service/process for the Purchasing of components required for the manufacturing of the medical device, but it is not clear to me how or why this is different from similar issues in an otherwise typical n-tier supply chain that didn't outsource manufacturing.

Questions:
1) Wouldn't outsourcing of manufacturing typically include outsourcing of purchasing for the parts needed for manufacturing? (I understand that you could supply the parts directly or hire a separate company to purchase and supply the manufacturer, but I am thinking of a more typical case.)

2) How is this outsourcing of purchasing process for contract manufacturing different from the purchasing process (conducted by various suppliers) of sub-components in the normal n-tier supply chain of individual parts (regardless of who manufactures the final medical device or the individual parts at any level)?

I ask, as I am not sure how to define/limit the scope of activities in a QMS for the purchasing activities at the contract manufacturer. It seems like we need to define the outsourcing of purchasing process to the contract manufacturer (because the purchasing of production parts needs to be controlled by some form of purchasing process), but if this is the case, it also seems like we would do the same all the way down our supply chain for every part (which seems ludicrous / inappropriate). I am not understanding the rationale/principle for justifying that one of these is not an outsourced process (or when to stop saying it is), while one of them is.

I know that 13485 expects QMS process effort to be identified and implemented proportional to Risk (Product Safety, Product Quality, Product Compliance, Process Compliance), but it does not otherwise provide guidance on when the Outsourcing of purchasing process is needed vs simple ordinary supply chain purchasing.

3) Does the subsequent provision of the product make the difference (product will next be distributed/released to customer/market vs component just supplied to next level in normal supply chain)?

4) Does the level of the product make the difference (final medical device, vs components)?

5) Does the level of part specification make the difference (outsource purchasing as far down as you identify part specifications)?

6) Does the level of supplier specification make the difference (outsource as far down as you identify part suppliers)?

7) Any combination of the above or some completely different distinction?

Thanks in advance for any wisdom!

All of your above questions and any more has to be thought, brainstormed and documented in detail in the quality agreement, about which it is mentioned in Clause 4.1.5. What ever are the type and extent of controls decided has to be agreed with your contract manufacturer (B) and such records have to be maintained.

 

[somashekar]

I moved the thread to the ISO 13485 Forum. In this day and age of disrupted supply chains, I see a HUGE risk that would require mitigation, in my point of view: Despite your organization providing the components specifications for the contract manufacturer (CM) to purchase against, I can almost guarantee that due to shortages and pricing fluctuations, the CM's buyers would be enticed to accept "slight" different componentry for your assemblies and, chances are, you as the legal manufacturer would have no idea of what is happening. How do you mitigate that risk?

A very valid point.
ISO 13485 has covered this within the Clause 7.4.2 by way of written agreement about Change control notification. This can effectively be brought within the quality agreement as required in the Clause 4.1.5. Design and development outputs must also consider such risks in the design review activities and cover them by provision of alternatives within the Bill of Materials. What ever happens dynamically the organization shall retain the responsibility to medical device safety and performance, customer requirement and regulatory requirement. Therefore, the interaction between the organization and the CM must be periodically reviewed and necessary changes must be bought into the quality agreement by way of amendments.

 

[Hi_Its_Matt]

I think @indubioush hit the nail on the head with his examples. I have worked for OEMs, contract design companies, and contract manufacturers, and in my experience, Example 2 is probably the most common (but I am also biased towards higher risk devices).

Example 1, to me, seems like a logistical nightmare. There are a dozen reasons I can think of why it would better to have the contract manufacturer purchase components, instead of the legal manufacturer. (Improved inventory control, strong existing relationships with sub-tier suppliers, and pricing discounts from those suppliers are just three reasons.)

Examples 3-5 would be a bit non-standard, because supplier evaluation and approval is really part of the design process. The legal manufacturer should definitely involve its contract manufacturer in the supplier selection and evaluation process, but the legal manufacturer should be leading the activity (primarily because they know more about the risks involved with the device and individual components).

Wouldn't outsourcing of manufacturing typically include outsourcing of purchasing for the parts needed for manufacturing

Yes.
The legal manufacturer/device designer specifies the parts and assemblies that make up the design, and the suppliers of those parts/assemblies. The CM then just purchases those parts and assemblies when they build the final device.

The level of control and specification diverges when you start talking about off-the-shelf versus custom assemblies.

For an off-the-shelf assembly, the designer simply specifies the manufacturer/provider of that assembly. He doesn't go deeper and specify the individual components and suppliers for the parts that make up the assembly.
(Take for example an ethernet cable. If your device has a standard CAT-5 ethernet cable within it, then the legal manufacturer/designer will likely just specify the supplier of the CAT-5 cable. They likely wouldn't specify the sub-tier suppliers of the bare copper wire, the wire insulation, the support element, the foil shield, the outer sheath, and the terminal connectors. Let alone the sub-sub-tier supplier of the plastic beads from which the wire insulation is made.)

For a custom assembly, the legal manufacturer will likely specify both (1) the supplier that builds the assembly, and (2) the specific parts and sometimes the sub-tier suppliers that the assembly supplier is allowed to use.
(For example, for a custom cable harness, the designer will likely specify the supplier of the cable harness, fully specify the harness itself - the wire gauge, wire length, insulation requirements, terminal connectors, etc, and possibly even who can provide those wires/connectors, etc).