Guide to Outsourcing

Manufacturers are responsible for meeting compliance and quality standards, even for those parts that have been outsourced. So, too, are they responsible for risk management. That means they have to find ways to assimilate their outsourcing partners into their risk management activities. OEMs must oversee all risk management activities and maintain the required records. No matter which processes are outsourced, it is the OEM that is ultimately accountable.

“The issues are the same with risk management as they are with quality management. It's just a little more critical,” says Harvey Rudolph, global program manager for medical devices at Underwriters Laboratories Inc. (Northbrook, IL).

By using risk analysis in all aspects of business, a company can set up stronger relationships with its outsourcers. Risk management helps to verify that vendors are meeting requirements. And it supplies information to the rest of the organization about the product, so that firms are aware of any problems and can respond appropriately.

In fact, the tools for risk management can help OEMs when it comes to creating a product. “If done correctly, [risk management] is an incredibly strong tool,” says Frances Akelewicz, president of Practical Solutions Inc. (New Providence, NJ). “It needs to be included in the first steps of the design, but also in manufacturing, purchasing, contract review, etc.” Outsourcers often have in-depth programs to assist OEMs with risk management. “The goal is to have an extensive list of to-dos. If I'm taking on a medical device, there are literally 50,000 discrete to-dos—and that is not an exaggeration,” says Randy Keene, president and CEO of Avail Medical Products in Fort Worth, TX. Yet even knowing there is help, manufacturers may have questions about how to get an outsourcer to understand their needs, when to include the outsourcer in the process and when not to, and what adjustments may need to be made.

Building a Relationship

Any outsourcing job is going to present challenges, according to Patricia L. Murphy, eastern regional manager for medical certification in the United States for Kema Quality. Kema Quality is a notified body based in Arnhem, The Netherlands. Murphy says there are several things to look for to make such a job successful. The OEM needs to ensure that the contract manufacturer is appropriate for the work. “Make sure it has the right people and that the company has time to focus on your project,” she says. According to Murphy, the outsourcer may already have a robust risk management system in place, but that system might not be appropriate for the risk associated with a finished medical device. “Risk management is tough. You want to make sure you are conducting risk management discussions from the beginning of the project.”

In addition, Murphy stresses that the contractor should run a good business and be able to sustain services required for the device. “It may not address risk associated with the actual finished device,” she says, “ but [the company] may need to understand the risk associated with having to do repairs or servicing of the device if the contractor is involved.”

Other aspects of choosing a contractor may include the company's size and its ability to give attention to the project. “Some contracting houses have 50 customers or more,” says Akelewicz. That is not necessarily a detriment, but the OEM should realize that it might have to work a bit harder to ensure that the contractor is focusing on its project.

Ultimately, however, trust is the key to having a good product. “To me, it comes down to partnership,” says Keene. “If we are going to build a full finished medical device and the customer thinks of [Avail] as just a vendor, then there will be problems. If a customer thinks of us as a partner, then the product will succeed.”

The OEM needs to understand that its idea of an acceptable level of risk is not necessarily the same as an outsourcer's. “Right from the start, outsourcing partners must have collaboration and must define clearly how the product is being used, the risk involved with the product, and how it needs to be tested for product release,” says Tom Black, president of OEM sales and marketing for B. Braun OEM Division, B. Braun Medical Inc. (Bethlehem, PA). “They have to define the requirements of the product: what is critical for manufacturing. The specification must be well defined up front.” Actually, both the OEM and the outsourcer need to understand this point. The best place to ensure that there is no confusion about responsibility and risk mitigation is in the project contract.

Sign a Contract. William McLain, a principal consultant with Keystone Regulatory Services (Leola, PA), agrees. “If a company is going to do it right, it needs to have a pretty good relationship with the contract manufacturer, and there needs to be some type of an agreement, so risk management is addressed beforehand,” he says. “When you deal with it up front and lay out your needs, the process is much smoother.”

Items within the contract will vary depending on the type of product and the closeness of the relationship. The OEM should realize that contractors often have their own risk management systems in place and that the project will most likely be carried out using those specifications. “Because we deal with several hundred customers, we have to use our documentation 99% of the time,” says Black. B. Braun usually adapts OEM processes and procedures to its own system. “We can't have different documentation systems for every project, so we'll often take the companies' specs and put them in our files. Ultimately, however, the company has to agree to our manufacturing specs.”

One thing the firms need to agree on is the level of reporting. “There are always holes in what the customer wants, things that it has not identified,” says Keene. “So we will have a meeting where we discuss the project and those holes. We send in a gap analysis team.”

“OEMs want the contractor to be active in communicating with them,” says Murphy. “The contract should include reporting of changes so that the spec owner has the opportunity to assess even small issues that may affect the final product,” she says. “The spec holder needs to decide beforehand what the contractor should report.”

For example, say an OEM is building a biocompatible device and chooses to outsource the manufacturing. During production, the outsourcer decides to switch raw material suppliers. The new supplier's material may have a slightly different makeup; if the impurities change that could affect the device. A change in vendor is important to report.

Agree on Complaint Handling. Contractors should also be willing to report whether they have had complaints from previous customers about materials or subcomponents. James Beretta, marketing service manager for Automated Tooling Systems (ATS; Cambridge, ON, Canada), says full disclosure is the most important aspect of building a contract manufacturing relationship. “We demonstrate our expertise by showing documentation and procedures, but we'll also tell them where we've fallen down. This is a tricky business, and everyone has messed up. Sometimes it's not even our fault that a product has failed, but we need to let our clients know about those things. We need the customer to trust us.”

Complaint-handling procedures and event reporting should be clearly stated in the contract. It is crucial that everyone understands the risks attached to what they are doing and takes responsibility. Depending on the project, most complaint investigations are likely to occur at the subcontractor level. So there should be an agreement on auditing to be sure the contractor is fulfilling its requirements.

“A lot of effort needs to be spent clearly educating the contract house on the nuances of the product,” says Akelewicz. She stresses that training is not enough. “The design of the process must be married to the design of the project.”

Acceptable Risk Levels—and How to Meet Them

It is important that OEMs understand the levels of their own risk acceptability and are able to communicate those to the vendors. The contractors need to build to those specifications with the OEM's vulnerabilities in mind.

Typically a vendor will conduct experiments or a process capability test to assess the limits of its ability to design or manufacture the product, explains Murphy. It is important to remember that the contract manufacturer may also be assessing the acceptable level of risk to its reputation. “Both parties are accepting, if nothing else, a financial risk,” says David A. Vogel, president of Intertech Engineering Associates Inc. in Norwood, MA.

Beretta explains that ATS determines risk based on the contractor's experience and the type of service the OEM wants. “If you are installing an air conditioner, you don't want to hire two guys who have never done it before—the exposure to risk is too high.” Likewise, he says, if ATS has not done a similar project, it will try to get some experience through prototypes or concurrent engineering. “Sometimes if the risk is too high, we will tell the client that ATS can't do it. Then the customer has a chance to go elsewhere.”

If the OEM and the contract manufacturer accept the limits—that is, if the outcome fits within risk mitigation activities—then production can begin. However, Murphy says, if not, then the two groups should be working together to minimize that spread. If both companies take the time to improve processes, notes Murphy, the OEM will get a better product and the contract manufacturer will have further defined its process so that it can also help its other customers.

Another set of complications can arise when the outsourced project moves from the design phase into manufacturing. “During design there are a lot of opportunities for risk management, as long as the manufacturer has a strong presence on the design team. It is difficult, but you have a running chance,” says Akelewicz. “Where it gets more complicated and difficult,” she continues, “is when you outsource the manufacturing—or even sterilization and packaging.”

Akelewicz explains that even with in-house manufacturing, it is a struggle to keep things from slipping through the cracks. Those little changes no one thinks about, she says, could create an issue once the final product is ready. “The only control you have at that point is the relationship that you've built, the contract you've signed, and the processes that are in place.”

Keene says that Avail has several processes in place, whether the client wishes to be involved or not. “The quality system dictates those processes. If there is a resin change, there is a process that has to be accomplished. There has to be full transparency from both sides.”

Auditing is a good tool to help a manufacturer manage a project. But, Akelewicz cautions, sometimes it doesn't go far enough. “Audits are snapshots—that's what they are supposed to be. But they don't give you day-to-day control.”

Vogel concurs. “The contract manufacturer will always know more about the field operations than the spec owner.”

Akelewicz recommends a deeper level of auditing. “It's important, although currently not required, to test the product at its design level for the first few lots from the outsourcer.” Normal product release testing, she says, does not suffice because release testing is built on the assumption that all the necessary controls are in place, so design-level testing is not needed. “Sometimes the little things that creep in are not measurable.”

The only way to mitigate those little things, she says, is to spend time with the supplier processing complaints that are related to manufacture. “I don't mean handing the contractor the complaints and having it investigate them,” Akelewicz clarifies. “I mean going to the next level and coming together as a joint team.” Companies need to look at problems, such as process drift, and discuss whether the issues were planned for, whether they were predicted, etc.

“I don't often see that level of effort,” Akelewicz says. “What I tend to see them do is say, ‘Well, complaint rates are going down,' and feel that everything is fine.” But, she says, looking at complaint rates is just scratching the surface. Companies need to look deeper into manufacturing performance. For example, if the scrap rates have increased, it could indicate a potential defect. Likewise, measuring operating equipment efficiencies is an underused but valuable tool.

During meetings, have the contractor list everything it has done relative to the product, Akelewicz recommends. Even small issues should be reported, she says, “because you never know what will jump out at you.”

For example, say the contract manufacturer wants to adjust a multiple-step cleaning process based on recent studies of efficiency. The spec owner will want to discuss what tests to perform before the change is made. It is critical to ensure not only that the spec owner is involved in testing, but also that the right tests are performed. “You've got to look at all nuances,” Akelewicz continues. “You might want to do a test to look for microscopic cracks or pits that haven't been seen before. Pitting could make it more difficult to use the new cleaning process.”

In another case, Akelewicz describes a project where a minor change brought a successful product to a halt. “There was one project where we were working with a contract manufacturer on a product that was needed in the market and was almost immediately successful. Business was booming and to meet the increased and unexpected demand, the manufacturer sped up the line. It started missing defects; suddenly we began getting more complaints. Luckily, the defect was low risk, but we threw a lot of money out the window just because a line speed was changed.”

Let Standards Be Your Guide

There are several guidance documents that can help device makers improve risk management. “Risk management is one of the newer items to come along,” says McLain. So meeting its requirements could be a challenge.

Based on the type of device, says Murphy, the contract manufacturer should have the highest quality system certification applicable to the product. “If you are making a critical component or implantable,” she says, “ISO 13485 is better than [ISO] 9001.”

“The 2003 version of ISO 13485 has a requirement to do risk management,” McLain says. And in July of this year, he says, compliance measures will need to be in place. Manufacturers that have not implemented risk management will have to scramble. “Larger companies may have already had time and resources to address this issue, but smaller companies without regulatory personnel may need to work very hard to get their processes in place in time for the changeover this summer,” he says. Companies have to know what concerns the notified bodies. If risk management is not in place for both design and manufacturing, a device or quality management system may not get approved.

To meet the risk management requirements, ISO 13485 suggests following the harmonized standard, ISO 14971. (ISO 14971 is mentioned in the clinical studies section of ISO 13485 for hazard reduction, says Akelewicz.) According to Rudolph, ISO 14971 is the best standard to follow to practice risk management. “It is a complete approach. It is detailed and requires manufacturers to assess risk acceptability over time.” However, ISO 14971 is not an accredited standard, says Murphy, so most companies do not seek external review for compliance. “An outsourcer can make a statement that it has implemented [the standard], but that is about it.” Outsourcers that do not worry about the standard are at a disadvantage.

ISO 14971 is a very logical and helpful document, adds Vogel. It provides tools to identify risks and to evaluate whether those risks are acceptable. If the risks are unacceptable, the standard explains how to come up with control measures that will both reduce the probability or severity of those risks and reevaluate whether they are low enough. The manufacturer repeats the process until residual risks are low enough to be acceptable.

The best reason to follow ISO 14971, however, is because the standard is harmonized. That means the same practices and procedures outlined in the document will hold for products being made for the global market. “There are a million things to think about when trying to design and manufacture products outside the United States. It is nice to know that following ISO 14971 means there is one less thing to worry about,” says Vogel.

“It is even more important now for companies to have their arms around risk management,” McLain says. “FDA has said that it will not inspect subcontractors unless they are making the finished device.” However, FDA is asking questions about risk management for vendors, and OEMs will need to implement management systems for every contractor.

When choosing an outsourcer, says Rudolph, it is helpful to make sure that its risk management functions are in place. If an OEM is 13485 certified, it needs to make sure that the contract manufacturer has a similar certification. The companies could seek certification together, says Rudolph. “You can have combined certification; certainly with risk management it would be appropriate to obtain certification together. You want to look at everything as a whole.”

Another way for an OEM to gain control of its contract manufacturer's risk management may be to involve the outsourcer in certification training. “One of the best examples I've seen of good risk management came from a company that went through risk management training with its outsourcer,” explains Rudolph.

The contractor should become an extension of the OEM, Black says. “When we enter into a project, we want the customer's personnel to feel as though they are just going to one of their own satellite facilities. We need to meet with the people behind the product. Expectations need to be understood up front. Likewise, they need to understand our expectations and how our systems are developed and run.”

Small OEMS Need Big Plans

More and more companies are contracting to gain expertise in design and manufacturing. McLain, whose firm often works with small companies, says, “It is important that you go into a relationship with eyes wide open. Companies that are small may not have a regulatory staff on board—they are too busy making ends meet.”

Keene says the customer—large or small—has to get 100% of its contract manufacturer's attention. However, size does mean a company has more resources and that could give them a leg up on risk management. “It is more likely for a large company to have formal processes, because it has more products and more experience in risk management activity, whereas smaller companies are learning from product to product,” says Murphy.

A small company may also often be at a disadvantage when beginning to market or outsource products outside the United States. According to McLain, risk management requirements in the United States are not quite as well-defined as they are in Europe. “U.S. companies that have been doing business for years are now concerned with risk management,” he says. “They will come to me and say, ‘Well, it was never an issue before. Why do I have to worry about it now?'”

However, small manufacturers that tend to outsource more may be in a better position to coordinate risk management, because people in small companies talk to each other. “In a small firm, people wear different hats, and it's great to see a technical discussion evolve into a business discussion,” says Akelewicz. “There is more honesty and interaction. In larger firms, maybe you can't reach someone, or there may be turf battles.” When it comes to selecting an outsourcer, she adds, sometimes it is better to select one that matches the OEM in size so that the businesses can grow together.

Whether large or small, manufacturers have to choose a good outsourcer at the outset, because changing is difficult if not impossible. “For the most part, I would advise against changing outsourcers,” says Rudolph.

Taking the Risky Out of Business

The longer an OEM is with a contract manufacturer, the better the outsourcing process will become. “You're going to get happier the longer you have a relationship with a contract manufacturer,” says Vogel.

If a manufacturer is running a successful company, chances are it already has most risk management processes in place; they may simply not be integrated or described as well as they should be, says McLain. If a company's product has a critical component, the OEM will want to oversee contract manufacturing rigorously, and it will probably apply risk management principles to do so. “When the risk management process is working well, it should almost be
automatic,” he says.

In light of the varied subtleties, especially the ones concerning regulation, it may be wise to hire one more outsourcer for the project development process—a regulatory consultant. “So much of what I do is putting out fires,” says McLain. “Companies that do not have their own regulatory staff really need to have an expert on hand from the beginning.” Akelewicz is more adamant: “It is a major mistake not to include a quality professional in these processes. It's a different mindset than most companies are used to. You put your business people in a very awkward position if you don't have that expertise sitting there with you.”

Although risk management must be considered up front when it comes to outsourcing, it is really meant to be a dynamic tool used over time, says Akelewicz.

“There are some pretty big assumptions made on both sides of the process. If something starts to shift, you need to go back and rethink.” She also explains that even having the most robust risk management process does not mean a company will never have an adverse event. “We are human. We can't always predict all these things, but hopefully using the process will provide some warnings before it's too late.”

Heather Thompson is senior associate editor of MD&DI.

Copyright ©2006 Medical Device & Diagnostic Industry