The 2003 version of ISO 13485 is organized differently than the 1996 version. Much of the change is related to the prescribed process approach (as opposed to procedures or elements) and a risk-based decision-making process throughout the QMS. A QMS for medical devices is based on—and focuses on—meeting regulatory requirements. The standard requires the establishment of a QMS that identifies and manages processes. This is typically demonstrated through a pictorial-based process map.
ISO 13485:2003 clause 4.1 states, “Where an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system.”
It is crucial that manufacturers seeking ISO 13485:2003 certification understand and implement the requirements related to outsourced processes. The content, process, and method described here are one approach. Many others are acceptable to auditors, but this approach clearly identifies an organization's outsourced processes and the controls that may be exercised over them.
Identification and Control
In some ways, the identification and control of outsourced processes is new in ISO 13485:2003. Supplier qualification was required by ISO 13485:1996 and ISO 9001:1994, but the specification and delineation of an outsourced process is a new concept [2,3]. It is a bit different than the typical supplier qualification process that has always been required.
It is important to understand the expectations and requirements regarding identification of and controls over outsourced processes. Understanding these requirements is essential to applying suitable evaluation methods that allow an organization to assess the effectiveness of its QMS. Understanding the requirements is also essential to properly developing the scope of and exclusions to a company's QMS. In turn, the QMS's scope and exclusions are crucial when guiding an auditor in the development of an audit plan.
A useful guidance document was published by ISO Technical Committee 176/SC 2 [4]. This group works to provide interpretation and guidance regarding implementation and to explain the terms and requirements in the standard. The document provides guidance on ISO 9001:2000 subclause 1.2, Application. This is an area of misunderstanding and confusion among manufacturers.
ISO 13485:2003 permits an organization to exclude from its QMS any requirements (limited to clause 7, Product Realization) as follows: “Where exclusions are made, claims of conformity to this International Standard are not acceptable unless these exclusions are limited to requirements within clause 7, and such exclusions do not affect the organization's ability, or responsibility, to provide product that meets customer and applicable regulatory requirements.” [1]
The customer, the product, and the requirements related to the product dictate whether an exclusion is justified. These exclusions must be included in the QMS. ISO 13485:2003, clause 4.2.2, Quality Manual, states, “The organization shall establish and maintain a quality manual that includes … the scope of the quality management system, including details of and justification for any exclusions.” [1] A situation where an exclusion is not justifiable is when the organization excludes a requirement on the basis that the activity has been outsourced.
Exclusions as defined above are different from areas of nonapplicability; however, both must be justified in a company's quality manual. For example, an allowable exclusion may be taken in the area of design controls if the regulatory requirements allow the company to market a device without complying with design controls (such as certain Class I devices in the United States).
Exclusions, in many cases, depend on both the class of the device and the country. This area is outside the scope of this article and will not be dealt with in depth here. Nonapplicability allows an organization to omit from its QMS those activities that are not applicable because of the nature of the device. For example, an organization that provides a nonsterile device does not need to address the requirements of sterilization and sterilization validation.
Many manufacturers believe that if they do not perform a particular process (such as subcontracting out an entire manufacturing process), they do not need to address the process and can exclude it from their QMS. On the contrary, if a process is outsourced, it cannot be excluded, ignored, exempted, or claimed as not applicable. Even though it is an outsourced process, it is still the manufacturer's responsibility. Outsourced processes are included in Section 4.1, and the only allowable exclusions are found in Section 7. Section 4 of the standard describes the basic documentation requirements, and Section 7 details product-related processes for which an organization may not conduct the activity (or process) themselves. So it follows that outsourced processes aren't exempt from the requirements of the standard.
Therefore, outsourced processes, even though they are conducted by or purchased from an outside vendor, must be identified, and the controls must be described in the QMS. An outsourced process does not need to be defined in the top-level quality manual, but it does need to be included in the quality system documentation. One option is to have a separate lower-level standard operating procedure (SOP) titled “Control of Outsourced Processes.” Another is to include the process in the supplier qualification SOP as a separate section.
Manufacturers should not identify the particulars and details regarding outsourced processes in the quality manual. Rather, the processes and controls should be identified and described in lower-level procedures or SOPs. The quality manual should be a high-level document, because a company does not want its customers or other outsiders to know what processes it outsources. It is sufficient to state in the quality manual that outsourced processes are identified in the QMS and to reference a procedure where the processes are identified.
Control of Outsourced Processes
A second guidance document was published in November 2003 by ISO Technical Committee 176/SC 2 [5]. This document provides guidance on the intent of ISO 9001:2000 and ISO 13485:2003 clause 4.1 on the control of outsourced processes. It defines an outsourced process as a process that the organization has identified as being needed for its QMS, but which the company has chosen to be carried out by an external party. The process can be performed by a supplier that is totally independent from the organization or which is part of the same parent organization, i.e., corporate outsourcing. The outsourcing can be either temporary or permanent. Even if a process is outsourced, it must be included in the QMS.
The nature of the controls will depend on the importance of the outsourced process, the risk involved, and the competence of the supplier. Controls should be defined through specification documents and requirements for the supplier. Manufacturers must also ensure that the controls are appropriate. This can be difficult to assess if the reason for outsourcing is that the organization does not have the necessary competency in-house. In this case, specialists can be recruited to assist in making this assessment.
The controls over outsourced processes differ for each type of process. A risk-based concept can be applied to outsourced processes.
Supplier controls address part of the requirement for risk management throughout product realization. The QMS is essentially a series of interrelated processes, each with its input, process, and output. Many manufacturers misunderstand what outsourced processes are and what the controls over them should be. If a process is risk based, then it requires more than just supplier qualification. This is true whether the organization actually purchases the service from another company or receives the service from a corporate office or another division.
Manufacturers must demonstrate that sufficient controls are in place to ensure that outsourced processes are performed according to the requirements of the standard. Outsourced processes also should be included on the company's organizational process map. This can be done by identifying each outsourced process on the process map and depicting where the interactions exist. A good way to do this is to color code the outsourced processes and their inputs and outputs on the process map. Another way is to list processes in an input-output table and link the internal processes to the external processes.
Because the requirements and controls over outsourced processes can vary significantly, it is essential to determine the appropriate level of control. Manufacturers must consider the supplier's competence and ability to carry out the process as well as the organization's reasons and internal requirements for outsourcing.
If the reason for outsourcing is the company's own resource constraints, then the controls may be different than if the reason is that the company lacks technical expertise. Manufacturers must ask why they are outsourcing a process. Answering the following questions can help identify the reason:
• Does the company lack adequate resources?
• Is the company facing a temporary short-staffing issue?
• Does the company lack the expertise or infrastructure or equipment to carry out the process?
A manufacturer should always ensure that, if the organization lacks in-house expertise to carry out a process, it has the expertise to ensure that the supplier of the process is appropriately qualified to execute it.
Outsourced processes can include anything from contracting out the manufacturing of an entire finished sterile device to subcontracting just the design of a new device to performing a simple painting process. Manufacturers usually understand that processes such as design and certain special processes such as plating, painting, heat treating, or coating fall under ISO 13485 as outsourced processes. However, some outsourced processes are often overlooked, including hiring and training, internal auditing, calibration, lab testing, customer surveys, call centers, purchasing, field service, equipment preventive maintenance, installation, and records archiving.
Given the various types of processes, it follows that a variety of controls may be applied. Such controls may include the following:
• Contracts, validation, evaluation, and prequalification of suppliers.
• Assessment of supplier processes and the QMS.
• Purchase specification requirements and monitoring of supplier quality performance.
• Requirements for supplier inspections or testing demonstrating product conformity.
• Inspection of the supplied product (either first-article or ongoing) and third-party validation of product performance.
• Routine review of documentation or records (such as device history records, certificates of conformance, and raw data).
The controls should be based in part on a risk assessment of product or supplier criticality.
For example, consider that Company XYZ does not have the staffing to recruit, interview, hire, and provide initial orientation training for its fast-growing organization. It chooses to outsource these functions. The controls exercised may include the following:
• A contract with the supplier defining the competency requirements and expectations of its employees.
• Copies of job descriptions to enable the organization to adequately determine competency levels based on expected requirements.
• Copies of records that Company XYZ expects to be completed as part of the orientation training (safety, company rules, benefits, etc.).
The control over this process may be drastically different from the controls over a sterilization vendor. The controls for a sterilization vendor surely include a contract, but they also include execution and approval of the validation, review of actual records routinely provided as part of each sterilization batch, and an audit of the supplier to review the QMS at its facility.
Now consider that Company XYZ is owned by a larger parent corporation. The parent performs procurement operations and negotiation of contracts for goods and services to provide buying power and lower the cost of goods. This may also include the qualification and evaluation of a particular supplier. This is a process that Company XYZ outsources to the parent. The controls that Company XYZ exercises over the outsourcing to the parent company should be commensurate with the risk of process execution.
Supplier qualification and approval may be different at the two company entities. For example, the risk of component failure may be greater for Company XYZ if it produces a Class III implantable device while the parent company produces only a Class I instrument. So, Company XYZ must ensure that the parent company's supplier qualification process ensures that the suppliers chosen can provide the required materials at the needed specifications and tolerances.
The controls may be as simple as an intercompany agreement between the two entities describing the approval requirements of Company XYZ. They may also be complex and include a formal contract, auditing of the parent corporation to ensure that proper evaluation mechanisms and procedures are in place, and first-article inspection or continuing incoming inspections to ensure that procured materials meet specifications.
A useful guide for outsourcing the complete manufacture of a sterile finished medical device is to create a contract that addresses who is responsible for creating, controlling, and changing the following activities and documentation:
• Failure mode and effects analysis.
• Verification testing.
• Supplier evaluation and the approved supplier list.
• Incoming, in-process, and final inspection.
• Manufacturing documentation, tooling, preventive maintenance, and calibration.
• Labeling initiation and control.
• Sterilization validation.
• Process validation.
• Biocompatibility testing.
• Device master record controls.
• Final product release.
• Customer complaints investigation.
Table I. Outsourced activities and the respective controls for hypothetical Company XYZ. PM = preventive maintenance.
Table I could be used to identify Company XYZ's outsourced processes and the applicable controls it has in place for each process. The table is useful in demonstrating the identification and controls of outsourced processes. It is meant to show examples of processes. However, it is not all-inclusive of the controls over each type of process. Each organization should specify its own processes and controls in an SOP that is documented within the QMS. It is important to note that initial evaluation, reevaluation, and monitoring of the performance of the supplier should always be done.
ISO 13485:2003 requires a manufacturer to identify its outsourced processes and the controls applied to them. The 2003 version prescribes a new approach that focuses on the process rather than procedures or elements. Manufacturers seeking ISO 13485:2003 certification must understand and implement the requirements related to outsourced processes. The intent is to focus on meeting regulatory requirements through a process-based as well as a risk-based approach to the implementation of the organization's QMS. A firm must understand the expectations and requirements, apply suitable evaluation methods, and properly develop the scope and exclusions of its QMS. An outsourced process cannot be excluded or stated as not applicable, and the organization must demonstrate that sufficient controls are in place to ensure adequate control of processes. Because there are various types of processes, there must be various types of controls, and the controls must be based in part on a risk assessment. The approach presented here clearly identifies an organization's outsourced processes and their controls.
Debbie Iampietro is president of QRC Consulting Associates (Conway, NH).
1. ISO 13485:2003, “Medical Devices—Quality Management Systems—Requirements for Regulatory Purposes” (Geneva: International Organization for Standardization [ISO], 2003).
2. ISO 13485:1996, “Quality Systems—Medical Devices—Particular Requirements for the Application of ISO 9001” (Geneva: ISO, 1996).
3. ISO 9001:1994, “Quality Systems—Model for Quality Assurance in Design, Development, Production, Installation and Servicing” (Geneva: ISO, 1994).
4. ISO Technical Committee 176/SC2 Guidance Document 2N 524R4, “Guidance on ISO 9001:2000 Subclause 1.2, Application” (Geneva: ISO, 2005).
5. ISO Technical Committee 176/SC2 Guidance Document 630R2, “Guidance on Outsourced Processes” (Geneva: ISO, 2003).