Q: Question about FDA outsourcing rules: ISO 13485 requires that when an organization chooses to outsource a process that affects product conformity with requirements, the organization must ensure control over such processes. It also says that control of outsourced processes should be identified within the Quality Management System (QMS).
In the medical device world, outsourcing usually has been understood as something related to a complete (finished) device, i.e. contract manufacturing. But ISO 13485:2016 says that an outsourced process is ANY process that is part of an organization’s QMS and is performed by a party external to the organization.
Could you tell me how this approach compares to any FDA outsourcing rules, and does the Agency offer any definition of the term “outsourcing”?
A: FDA has a specific definition of outsourcing as it relates to the drug industry but not one for medical devices. Despite that, FDA is quite clear on its expectations for outsourcing in the device industry.
21 CFR Part 820.50 for Purchasing Controls is the section of the Quality System Regulation that covers outsourcing, supplier management, and supplier quality.
Part 820.50 states that “each manufacturer shall establish and maintain procedures to ensure that all purchased product and services conform to specified requirements.” The regulation discusses suppliers, contractors, and consultants.
FDA does not limit what or who needs to be controlled. Any supplier, contractor or consultant must be controlled. The manner of control is left up to you, the regulated firm, to determine.
I can tell you that FDA’s concept of suppliers is very broad. Among those included are:
- Contract manufacturers of components, raw materials, sub-assemblies and finished devices
- Suppliers of packaging and labeling materials and processes
- Contractors who perform sterilization, lyophilization, polishing, annealing, welding, soldering, etc.
- Service providers or contractors who perform installation and service of devices
- Suppliers who install and validate equipment and processes, including computer systems
- Contractors of electronic systems (such as data storage, hosting, and monitoring of system networks)
- Training contractors
You are correct that most people still think of FDA’s focus as being on contract manufacturers. That’s because FDA has issued several FDA 483s and Warning Letters to firms for failing to ensure that — during their assessment of their contract manufacturers of finished devices, sterilizers, and major components of sub-assemblies — these contractors were actually following their procedures.
In these instances, FDA’s primary concern was process validation. Specifically, FDA wanted the cited firms to ensure — via audits — that the contract facility 1) had validation procedures, 2) was following those procedures, and 3) that their validation documentation proved they had done an adequate job of validating their processes.
Still, referring back to the broad coverage of 21 CFR Part 820.50, you should ensure you have documented control procedures for all your suppliers and outsourced operations, not just those who might supply you with finished devices or major components. That approach will get you in good position to meet FDA outsourcing rules and expectations.
Answered by Denise Dion, Vice President of Regulatory and Quality Services for EduQuest, who served 18 years at the U.S. FDA as an expert field investigator and who contributed to the development of FDA’s Quality System Inspection Technique (QSIT). Denise is the lead instructor for EduQuest’s two-day training class, QSR Compliance Basics: Complying with FDA’s 21 CFR Part 820 Quality System Regulation.