Regulatory Open Forum

This message was posted by a user wishing to remain anonymous

Greetings - 

I have a question pertaining to ISO 13485 exclusions, specifically regarding clause 7.5.6 Validation of processes for production and service provision.

My company currently employs contract manufacturers to build our class I products. Since we do not manufacture on-site, the company excluded ISO 13485 clause 7.5.6. However, during a recent re-certification audit, the auditor noted that while we do not manufacture, we are responsible for the manufacturing process, which includes process validation. Note, the contract manufacturers do conduct process validations that would be applicable to our products. Therefore, the auditor noted we cannot exclude clause 7.5.6 from our QMS.

I do understand the auditor's logic, but is this correct? If so, what supporting language may I utilize to get executive management on board with revising our exclusions as I'm encountering a lot of resistance.

Thank you.

ISO 13485 requires that OEMs control outsourced process validation via clause 7.4 purchasing controls.  Important clauses of ISO 13485 establishing this are:

a) Clause 1 reminding us that processes (such as process validation) required by ISO 13485 that are applicable to the organization, but not performed by the organization, are still the responsibility of the organization and are to be accounted for in the organization's QMS by monitoring, maintaining, and controlling such processes; and

b) Clause 4.1.5 requiring that if an organization outsources any process (e.g., manufacturing, process validation, or other process) that affects product conformity to requirements, then the organization must ultimately "retain responsibility" for the corresponding ISO 13485 conformity in accordance with clause 7.4.

Remember also a semantical, yet important, aspect: ISO 13485 provides for "exclusion" of requirements only with respect to design and development controls, and only when an applicable regulatory requirement permits such an exclusion.  In contrast, ISO 13485 provides for "non-applicability" with respect to the basic nature of the device (e.g., ISO 13485's sterile device requirements are not applicable for a non-sterile device) or due to activities not undertaken by (i.e., not required of) the organization.

In the context of outsourced process validation, this final bit about activities not undertaken can I suppose be subject to interpretation.  Yet the requirements I mentioned in points (a) and (b) remain in force regardless, thus rendering such differences moot. To assure clarity on this with respect to outsourced process validation, I recommend that organizations keep clause 7.5.6 applicable. Then in the Quality Manual and/or in a process validation SOP, first acknowledge the organization's general obligations [points (a) and (b)] above, and then state that outsourced process validation will be controlled via clause 7.4 purchasing controls and a corresponding written quality agreement.

Hope this helps.

------------------------------
Kevin Randall, ASQ CQA, RAC (U.S., Europe, Canada)
Principal Consultant
Ridgway, CO
United States
© Copyright 2021 by ComplianceAcuity, Inc. All rights reserved.
------------------------------

Original Message:
Sent: 28-Jun-2021 11:33
From: Anonymous Member
Subject: ISO 13485 exclusion - Validation of processes

This message was posted by a user wishing to remain anonymous

Greetings -

I have a question pertaining to ISO 13485 exclusions, specifically regarding clause 7.5.6 Validation of processes for production and service provision.

My company currently employs contract manufacturers to build our class I products. Since we do not manufacture on-site, the company excluded ISO 13485 clause 7.5.6. However, during a recent re-certification audit, the auditor noted that while we do not manufacture, we are responsible for the manufacturing process, which includes process validation. Note, the contract manufacturers do conduct process validations that would be applicable to our products. Therefore, the auditor noted we cannot exclude clause 7.5.6 from our QMS.

I do understand the auditor's logic, but is this correct? If so, what supporting language may I utilize to get executive management on board with revising our exclusions as I'm encountering a lot of resistance.

Thank you.

Forgot to mention one more thing:  ISO/TC 210 has advised that, "...outsourcing a process does not provide a justification for excluding it from your QMS...".

------------------------------
Kevin Randall, ASQ CQA, RAC (U.S., Europe, Canada)
Principal Consultant
Ridgway, CO
United States
© Copyright 2021 by ComplianceAcuity, Inc. All rights reserved.
------------------------------

Original Message:
Sent: 28-Jun-2021 14:51
From: Kevin Randall
Subject: ISO 13485 exclusion - Validation of processes

ISO 13485 requires that OEMs control outsourced process validation via clause 7.4 purchasing controls.  Important clauses of ISO 13485 establishing this are:

a) Clause 1 reminding us that processes (such as process validation) required by ISO 13485 that are applicable to the organization, but not performed by the organization, are still the responsibility of the organization and are to be accounted for in the organization's QMS by monitoring, maintaining, and controlling such processes; and

b) Clause 4.1.5 requiring that if an organization outsources any process (e.g., manufacturing, process validation, or other process) that affects product conformity to requirements, then the organization must ultimately "retain responsibility" for the corresponding ISO 13485 conformity.

Remember also a semantical, yet important, aspect: ISO 13485 provides for "exclusion" of requirements only with respect to design and development controls, and only when an applicable regulatory requirement permits such an exclusion.  In contrast, ISO 13485 provides for "non-applicability" with respect to the basic nature of the device (e.g., ISO 13485's sterile device requirements are not applicable for a non-sterile device) or due to activities not undertaken by (i.e., not required of) the organization.

In the context of outsourced process validation, this final bit about activities not undertaken can I suppose be subject to interpretation.  Yet the requirements I mentioned in points (a) and (b) remain in force regardless, thus rendering such differences moot. To assure clarity on this with respect to outsourced process validation, I recommend that organizations keep clause 7.5.6 applicable. Then in the Quality Manual and/or in a process validation SOP, first acknowledge the organization's general obligations [points (a) and (b)] above, and then state that outsourced process validation will be controlled via clause 7.4 purchasing controls and a corresponding written quality agreement.

Hope this helps.

------------------------------
Kevin Randall, ASQ CQA, RAC (U.S., Europe, Canada)
Principal Consultant
Ridgway, CO
United States
© Copyright 2021 by ComplianceAcuity, Inc. All rights reserved.

Original Message:
Sent: 28-Jun-2021 11:33
From: Anonymous Member
Subject: ISO 13485 exclusion - Validation of processes

This message was posted by a user wishing to remain anonymous

Greetings -

I have a question pertaining to ISO 13485 exclusions, specifically regarding clause 7.5.6 Validation of processes for production and service provision.

My company currently employs contract manufacturers to build our class I products. Since we do not manufacture on-site, the company excluded ISO 13485 clause 7.5.6. However, during a recent re-certification audit, the auditor noted that while we do not manufacture, we are responsible for the manufacturing process, which includes process validation. Note, the contract manufacturers do conduct process validations that would be applicable to our products. Therefore, the auditor noted we cannot exclude clause 7.5.6 from our QMS.

I do understand the auditor's logic, but is this correct? If so, what supporting language may I utilize to get executive management on board with revising our exclusions as I'm encountering a lot of resistance.

Thank you.

You said, "However, during a recent re-certification audit, the auditor noted that while we do not manufacture, we are responsible for the manufacturing process, which includes process validation. Note, the contract manufacturers do conduct process validations that would be applicable to our products. Therefore, the auditor noted we cannot exclude clause 7.5.6 from our QMS".

It would be interesting to know what the auditor said. In particular, did the auditor offer an opinion only or write a nonconformance. A properly written non-conformance states the requirement, how the QMS fails to meet the requirement, and the supporting audit evidence. If you provide the requirement cited in the non-conformance, that would be enlightening.

There are two issues that your question raised. Is your company responsible the contract manufacturer's process validation. Does your company's QMS require process validation.

Look at the two paragraphs below from ISO 13485:2016, 1.
The processes required by this International Standard that are applicable to the organization, but are not performed by the organization, are the responsibility of the organization and are accounted for in the organization's quality management system by monitoring, maintaining, and controlling the processes.

If any requirement in Clauses 6, 7 or 8 of this International Standard is not applicable due to the activities undertaken by the organization or the nature of the medical device for which the quality management system is applied, the organization does not need to include such a requirement in its quality management system. For any clause that is determined to be not applicable, the organization records the justification as described in 4.2.2.

You company is responsible for the process validation. The QMS must account for monitoring, maintaining, and controlling the validated processes. In particular these are outsourced processes in your QMS. The controls include ISO 13485:2016 7.4.1 & 4.1.5. (Don't go crazy over the quality agreement. It can be simple and, if separate, one page.)

Process validation is not applicable in your QMS. Document the non-applicability following ISO 13485:2016, 4.2.2.a.

------------------------------
Dan O'Leary CQA, CQE
Swanzey NH
United States
------------------------------

Original Message:
Sent: 28-Jun-2021 11:33
From: Anonymous Member
Subject: ISO 13485 exclusion - Validation of processes

This message was posted by a user wishing to remain anonymous

Greetings -

I have a question pertaining to ISO 13485 exclusions, specifically regarding clause 7.5.6 Validation of processes for production and service provision.

My company currently employs contract manufacturers to build our class I products. Since we do not manufacture on-site, the company excluded ISO 13485 clause 7.5.6. However, during a recent re-certification audit, the auditor noted that while we do not manufacture, we are responsible for the manufacturing process, which includes process validation. Note, the contract manufacturers do conduct process validations that would be applicable to our products. Therefore, the auditor noted we cannot exclude clause 7.5.6 from our QMS.

I do understand the auditor's logic, but is this correct? If so, what supporting language may I utilize to get executive management on board with revising our exclusions as I'm encountering a lot of resistance.

Thank you.

Agree with what has been said already... I'm going forget ISO 13485 for a minute and point out when regulatory comes knocking on your door and they ask to see your process validations.... Oops... here take this 483. Then if you don't have validation specialist/team to respond to that FDA observation properly, you'll end up with a warning letter.

My point is process validations are required by ISO and FDA. If you have a cm, then you need to make sure they have process validations in place that you could use. Which then brings me to think are you approving vendors, suppliers, manufacturers etc.. this needs to all be captured in your QMS.

Oh, one last thing to mention... the FDA can inspect your cm and any observations they find (483's) will fall back on you.

------------------------------
Lance Tovar
RA/QA Specialist
Roy UT
United States
------------------------------

Original Message:
Sent: 28-Jun-2021 11:33
From: Anonymous Member
Subject: ISO 13485 exclusion - Validation of processes

This message was posted by a user wishing to remain anonymous

Greetings -

I have a question pertaining to ISO 13485 exclusions, specifically regarding clause 7.5.6 Validation of processes for production and service provision.

My company currently employs contract manufacturers to build our class I products. Since we do not manufacture on-site, the company excluded ISO 13485 clause 7.5.6. However, during a recent re-certification audit, the auditor noted that while we do not manufacture, we are responsible for the manufacturing process, which includes process validation. Note, the contract manufacturers do conduct process validations that would be applicable to our products. Therefore, the auditor noted we cannot exclude clause 7.5.6 from our QMS.

I do understand the auditor's logic, but is this correct? If so, what supporting language may I utilize to get executive management on board with revising our exclusions as I'm encountering a lot of resistance.

Thank you.

I think the key here is that even though you don't manufacturer, you are responsible to see that the regulations are followed. You can, and probably should, in this situation do this through your supplier controls.

Back when I worked for a virtual company, we simply had "policies" on what we needed and then either asked for copies from the supplier or reviewed the materials and documents in our supplier audits (and documented in our reports that we did so). Which leads me to another pet peeve - supplier audits that simply repeat ISO 13485. As a customer, you should be diving deep into whatever it is said supplier does for you, and the related deliverables, rather than repeating what their notified body already does. <rant mode off>

Typically, you can spell all this out in your Quality Agreements...(and yes, FDA will accept this if you do it correctly)

Ginger

------------------------------
Ginger Glaser RAC
Chief Technology Officer
MN
------------------------------

Original Message:
Sent: 29-Jun-2021 14:20
From: Lance Tovar
Subject: ISO 13485 exclusion - Validation of processes

Agree with what has been said already... I'm going forget ISO 13485 for a minute and point out when regulatory comes knocking on your door and they ask to see your process validations.... Oops... here take this 483. Then if you don't have validation specialist/team to respond to that FDA observation properly, you'll end up with a warning letter.

My point is process validations are required by ISO and FDA. If you have a cm, then you need to make sure they have process validations in place that you could use. Which then brings me to think are you approving vendors, suppliers, manufacturers etc.. this needs to all be captured in your QMS.

Oh, one last thing to mention... the FDA can inspect your cm and any observations they find (483's) will fall back on you.

------------------------------
Lance Tovar
RA/QA Specialist
Roy UT
United States

Original Message:
Sent: 28-Jun-2021 11:33
From: Anonymous Member
Subject: ISO 13485 exclusion - Validation of processes

This message was posted by a user wishing to remain anonymous

Greetings -

I have a question pertaining to ISO 13485 exclusions, specifically regarding clause 7.5.6 Validation of processes for production and service provision.

My company currently employs contract manufacturers to build our class I products. Since we do not manufacture on-site, the company excluded ISO 13485 clause 7.5.6. However, during a recent re-certification audit, the auditor noted that while we do not manufacture, we are responsible for the manufacturing process, which includes process validation. Note, the contract manufacturers do conduct process validations that would be applicable to our products. Therefore, the auditor noted we cannot exclude clause 7.5.6 from our QMS.

I do understand the auditor's logic, but is this correct? If so, what supporting language may I utilize to get executive management on board with revising our exclusions as I'm encountering a lot of resistance.

Thank you.

For a manufacturing process requiring process validation where the process and the process validation are both outsourced to a contract manufacturer, I remember where I once (and only once) tried to convince a senior-level FDA inspector during an OEM inspection that process validation didn't apply to the OEM.  That position didn't go over well, to say the least, even though we even had the contract manufacturer under supplier controls.  I ultimately had to write FDA a formal follow-up rescinding the assertion.

I've also run into the same expectation from ISO auditors.  Moreover, Anon's original question in this thread shows yet another ISO auditor who expects the OEM to keep clause 7.5.6 applicable when process validation is outsourced.

Accordingly, I strongly advise against declaring that clause 7.5.6 (or 21 CFR 820.75 for FDA) doesn't apply when required process validation is outsourced.  Instead, wisely learn from the experiences voiced in this thread: Keep clause 7.5.6 applicable when required process validation is outsourced.  Then monitor, maintain, and control the outsourced process validation as demanded by clause 1, being certain to do so in association with clause 7.4's controls as demanded by clause 4.1.5.

Stepping back a bit:  If I'm an OEM whose outsourced manufacturing process and devices require process validation, and who must thus retain accountability and responsibility for that outsourced process validation, and who must therefore monitor, maintain, and control that outsourced process validation (consequently requiring the OEM to have, or have access to, competence in process validation), then I ask myself: How does it make sense to declare that process validation doesn't apply to the OEM?

And if we conclude that outsourced process validation doesn't apply to the OEM, then that same logic would seem to mean that clause 8.2.4 doesn't apply when an OEM outsources its internal audits; and that clause 7.3 doesn't apply when an OEM utilizes a contract design firm; and that clause 7.5.3 doesn't apply when an OEM hires a contract installer to install its devices when the devices require installation according to specifications that the OEM is responsible to own and control; and that clause 7.6 third paragraph doesn't apply when an OEM uses a contract calibration lab; and that clauses 8.2.2 and 8.2.3 don't apply if an OEM hires a contract complaint handling group to process complaints and submit adverse event reports.

I think there's a very slippery slope at the threshold between applicable and non-applicable ISO clauses, and it quickly leads to rapid departure from the basic intent of ISO 13485.  Based on ISO and FDA enforcer interpretations such as those recorded in this thread, it seems best to stay clear of the "not-applicable" designation unless the fundamental nature of the device or OEM intrinsically don't require any party to attend to a particular ISO clause or FDA regulation in relation to the subject device.

------------------------------
Kevin Randall, ASQ CQA, RAC (Europe, Canada, U.S.)
Principal Consultant
Ridgway, CO
United States
© Copyright 2021 by ComplianceAcuity, Inc. All rights reserved.
------------------------------

Original Message:
Sent: 28-Jun-2021 11:33
From: Anonymous Member
Subject: ISO 13485 exclusion - Validation of processes

This message was posted by a user wishing to remain anonymous

Greetings -

I have a question pertaining to ISO 13485 exclusions, specifically regarding clause 7.5.6 Validation of processes for production and service provision.

My company currently employs contract manufacturers to build our class I products. Since we do not manufacture on-site, the company excluded ISO 13485 clause 7.5.6. However, during a recent re-certification audit, the auditor noted that while we do not manufacture, we are responsible for the manufacturing process, which includes process validation. Note, the contract manufacturers do conduct process validations that would be applicable to our products. Therefore, the auditor noted we cannot exclude clause 7.5.6 from our QMS.

I do understand the auditor's logic, but is this correct? If so, what supporting language may I utilize to get executive management on board with revising our exclusions as I'm encountering a lot of resistance.

Thank you.

100% agree

------------------------------
Lance Tovar
RA/QA Specialist
Roy UT
United States
------------------------------

Original Message:
Sent: 30-Jun-2021 16:28
From: Kevin Randall
Subject: ISO 13485 exclusion - Validation of processes

For a manufacturing process requiring process validation where the process and the process validation are both outsourced to a contract manufacturer, I remember where I once (and only once) tried to convince a senior-level FDA inspector during an OEM inspection that process validation didn't apply to the OEM.  That position didn't go over well, to say the least, even though we even had the contract manufacturer under supplier controls.  I ultimately had to write FDA a formal follow-up rescinding the assertion.

I've also run into the same expectation from ISO auditors.  Moreover, Anon's original question in this thread shows yet another ISO auditor who expects the OEM to keep clause 7.5.6 applicable when process validation is outsourced.

Accordingly, I strongly advise against declaring that clause 7.5.6 (or 21 CFR 820.75 for FDA) doesn't apply when required process validation is outsourced.  Instead, wisely learn from the experiences voiced in this thread: Keep clause 7.5.6 applicable when required process validation is outsourced.  Then monitor, maintain, and control the outsourced process validation as demanded by clause 1, being certain to do so in association with clause 7.4's controls as demanded by clause 4.1.5.

Stepping back a bit:  If I'm an OEM whose outsourced manufacturing process and devices require process validation, and who must thus retain accountability and responsibility for that outsourced process validation, and who must therefore monitor, maintain, and control that outsourced process validation (consequently requiring the OEM to have, or have access to, competence in process validation), then I ask myself: How does it make sense to declare that process validation doesn't apply to the OEM?

And if we conclude that outsourced process validation doesn't apply to the OEM, then that same logic would seem to mean that clause 8.2.4 doesn't apply when an OEM outsources its internal audits; and that clause 7.3 doesn't apply when an OEM utilizes a contract design firm; and that clause 7.5.3 doesn't apply when an OEM hires a contract installer to install its devices when the devices require installation according to specifications that the OEM is responsible to own and control; and that clause 7.6 third paragraph doesn't apply when an OEM uses a contract calibration lab; and that clauses 8.2.2 and 8.2.3 don't apply if an OEM hires a contract complaint handling group to process complaints and submit adverse event reports.

I think there's a very slippery slope at the threshold between applicable and non-applicable ISO clauses, and it quickly leads to rapid departure from the basic intent of ISO 13485.  Based on ISO and FDA enforcer interpretations such as those recorded in this thread, it seems best to stay clear of the "not-applicable" designation unless the fundamental nature of the device or OEM intrinsically don't require any party to attend to a particular ISO clause or FDA regulation in relation to the subject device.

------------------------------
Kevin Randall, ASQ CQA, RAC (Europe, Canada, U.S.)
Principal Consultant
Ridgway, CO
United States
© Copyright 2021 by ComplianceAcuity, Inc. All rights reserved.

Original Message:
Sent: 28-Jun-2021 11:33
From: Anonymous Member
Subject: ISO 13485 exclusion - Validation of processes

This message was posted by a user wishing to remain anonymous

Greetings -

I have a question pertaining to ISO 13485 exclusions, specifically regarding clause 7.5.6 Validation of processes for production and service provision.

My company currently employs contract manufacturers to build our class I products. Since we do not manufacture on-site, the company excluded ISO 13485 clause 7.5.6. However, during a recent re-certification audit, the auditor noted that while we do not manufacture, we are responsible for the manufacturing process, which includes process validation. Note, the contract manufacturers do conduct process validations that would be applicable to our products. Therefore, the auditor noted we cannot exclude clause 7.5.6 from our QMS.

I do understand the auditor's logic, but is this correct? If so, what supporting language may I utilize to get executive management on board with revising our exclusions as I'm encountering a lot of resistance.

Thank you.

As others have noted, you cannot specifically exclude process validation. 

That being said, you only need to validate if the product cannot be fully inspected. If you can make an argument that the critical to quality aspects of the device can be fully inspected and demonstrate that they are through risk management & controls, then your contract mfg would just provide that data in lieu of a validation.

As with anything, your mileage here may vary. You may get a conservative auditor/inspector who demands that if you aren't going to 100% inspect your Class I product you aren't meeting the requirement.

------------------------------
Joshua Lust
Director of Quality Assurance & Regulatory Affairs
Caledonia MI
United States
------------------------------

Original Message:
Sent: 28-Jun-2021 11:33
From: Anonymous Member
Subject: ISO 13485 exclusion - Validation of processes

This message was posted by a user wishing to remain anonymous

Greetings -

I have a question pertaining to ISO 13485 exclusions, specifically regarding clause 7.5.6 Validation of processes for production and service provision.

My company currently employs contract manufacturers to build our class I products. Since we do not manufacture on-site, the company excluded ISO 13485 clause 7.5.6. However, during a recent re-certification audit, the auditor noted that while we do not manufacture, we are responsible for the manufacturing process, which includes process validation. Note, the contract manufacturers do conduct process validations that would be applicable to our products. Therefore, the auditor noted we cannot exclude clause 7.5.6 from our QMS.

I do understand the auditor's logic, but is this correct? If so, what supporting language may I utilize to get executive management on board with revising our exclusions as I'm encountering a lot of resistance.

Thank you.