Regulatory Open Forum

 View Only
Rimsys 2024 RegEx AMA
Back to discussions
Expand all | Collapse all

ISO 13485 QMS Processes

  • 1.  ISO 13485 QMS Processes

    This message was posted by a user wishing to remain anonymous
    Posted 22-Jan-2021 09:02
    This message was posted by a user wishing to remain anonymous

    Hi,

    We currently are a manufacturer of Class II devices, which we manufacture through contract manufacturing.  My question is, as it relates to "Process Validation", would our QMS include this as a procedure?  Or would we rely on the controls we have with the contract manufacture (e.g. supplier controls etc.) to control this function.  Please advise as I am not 100% clear on "Process Validation"


  • 2.  RE: ISO 13485 QMS Processes

    Posted 22-Jan-2021 09:40
    Pursuant to clause 4.1.5, if the organization outsources process validation via a contract manufacturer, then the organization must, by way of clause 7.4 (purchasing), monitor and ensure control of the process validation work, and must retain responsibility for conformity to ISO 13485's process validation requirements.  The contract manufacturer may or may not be fluent in proper process validation.  But in any event, the organization should have a full process validation procedure prescribing proper process validation fundamentals (e.g., modeled after the GHTF's process validation guidance), and then use the procedure pursuant to clause 7.4 (purchasing) for directing, and or assessing, the contract manufacturer's process validation work.

    ------------------------------
    Kevin Randall, ASQ CQA, RAC (Europe, U.S., Canada)
    Principal Consultant
    ComplianceAcuity, Inc.
    Ridgway, CO
    United States
    www.complianceacuity.com
    © Copyright 2020 by ComplianceAcuity, Inc. All rights reserved.
    ------------------------------

    Original Message


  • 3.  RE: ISO 13485 QMS Processes

    Posted 22-Jan-2021 14:47
    Hi,

    Yes, you need to have Process Validations a part of your 13485 QMS and if you're contracting out those procedures, then your company needs to be making sure your cm is following your procedures, or have procedures of their own. Your company should have found this out/known this when they audited your contracted manufacturer (cm) for approvals. 
    Also, side note.... Process Validations is part of 21 CFR 820.70.... so now we're talking regs and not ISO standards. FDA will rip you apart for not validating processes inside your company and ISO certificates can be pulled for not complying to standards.. 

    Hope this helps.

    ------------------------------
    Lance Tovar
    RA/QA Specialist
    Roy UT
    United States
    ------------------------------

    Original Message


  • 4.  RE: ISO 13485 QMS Processes

    Posted 23-Jan-2021 15:34
    Kevin and Lance are both spot on - 

    I will add my direct experience with FDA inspectors requesting and delving deeply into CM manufactured process validations.  Process validation has continued to see increased scrutiny from inspectors - and it is probably a good idea to conduct a gap analysis for compliance with 820 and 13485 requirements to confirm whether you have a functional process (both for your own processes, as applicable - as well as thru vendor control) and appropriate risks.  If not, a CAPA and or Quality Plan are likely warranted as an immediate mitigation.

    ------------------------------
    Scott Bishop
    Houston TX
    United States
    ------------------------------

    Original Message


  • 5.  RE: ISO 13485 QMS Processes

    Posted 25-Jan-2021 06:59
    Hi Anon,

    I think this will possibly evoke a response from several members, but I would not agree that you need your own QMS process for process validation here. Since you are not performing the processes, why would you have that? 

    HOWEVER, you are responsible to make sure your contract manufacturer is compliant to the regulation. This is the reason that FDA requires registration for contract manufacturers as well. They can conduct an inspection there and if official action is indicated (due to noncompliance) it will affect your product. 

    In addition, you should keep in mind that the need for process validation is limited (those processes that cannot be fully verified or you choose not to verify). For more information, see comment 143 (and the rest of section iii) of the preamble to 21CFR820. 

    I know there are those that may argue that you need this process in your own QMS to make sure a supplier follows it. I would disagree. You qualify your suppliers for the processes that you need them to do for you. You could have as part of your agreement (or a supplier quality agreement) that they agree to meet the requirements of ISO 13485/21CFR820. Then you make sure they do that as part of your supplier controls. In other words, you outsource the processes AND any need to validate those processes.

    Comments?

    ------------------------------
    Regards,
    Mark Swanson, ASQ CBA, CMQ/OE, CQE ASQ, MBA
    Becker MN
    United States
    ------------------------------

    Original Message


  • 6.  RE: ISO 13485 QMS Processes

    Posted 25-Jan-2021 17:22
    Edited by Lance Tovar 25-Jan-2021 17:39
    Mark,

    I agree and disagree. ISO:13485:2016 section 4.1.5 states, "When the organization chooses to outsource any process that affects product conformity to requirements, it shall monitor and ensure control over such processes. The organization shall retain responsibility of conformity to this International Standard and to customer and applicable regulatory requirements for outsourced processes. The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with 7.4. The controls shall include written quality agreements."

    Then to support this clause... ISO:13485:2016 section 7.3.3 subpart (e) states, "other requirements essential for design and development of the product and processes."

    Process Validations is part of the DHF/DMR.. You mentioned, quality agreement, and supplier controls, which both are critical elements inside ISO:13485 standard and 21 CFR... not controlling process validations will get an ISO certification pulled, receive a 483, or worse.

    Without process validations, how will you prove that your product is Safe, or does what it claims to do? doesn't matter whether you do validations in-house, or contract out... your QMS needs to prove that it controls it's process validations.

    I will agree that, a company can choose which processes to validate, or not.. That depends on the criticality of the process... what are the level of risks? Just remember, you never have to justify why you validate a process, but always have to justify/explain why you're NOT validating a process.

    ------------------------------
    Lance Tovar
    RA/QA Specialist
    Roy UT
    United States
    ------------------------------

    Original Message


  • 7.  RE: ISO 13485 QMS Processes

    Posted 26-Jan-2021 07:12
    Hi Lance,

    Be careful here that you are not confusing DESIGN validation with PROCESS Validation. It is design validation that is required in the design process to show the product meets the user requirements and is safe/effective. Process validation is ONLY required for those processes where you cannot (or choose not) to fully verify the output of the process.

    ------------------------------
    Regards,
    Mark Swanson, ASQ CBA, CMQ/OE, CQE ASQ, MBA
    Becker MN
    United States
    ------------------------------

    Original Message


  • 8.  RE: ISO 13485 QMS Processes

    Posted 26-Jan-2021 16:06
    A detailed discussion of the relationship between process validation and design validation might be outside the scope of Anon's question, so we may need to start a new thread on that topic if further discussion is in order.  But I would like to quickly say that it's important to remember how ISO 13485 (and the FDA) pervasively require design controls to involve not just the design of the medical device, but also the design of the manufacturing process for the device.  The manufacturing process is part of the design output.  ISO 13485 specifically requires design inputs for the manufacturing process.  This remains true even when the manufacturing process is outsourced.  All design inputs and outputs require corresponding design verification and, where applicable, design validation.  Though it is true that there are different formal definitions for "process validation" verses "design validation", it is also true that, when designing manufacturing processes (even those that are outsourced), the design validation (where required) is closely related to, if not one and the same with, the manufacturing process validation (where required).  This dynamic has been referred to as "concurrent engineering".  To know when such design validation is required for a manufacturing process, we look to the aforementioned basic triggers for process validation.

    ------------------------------
    Kevin Randall, ASQ CQA, RAC (U.S., Europe, Canada)
    Principal Consultant
    ComplianceAcuity, Inc.
    Ridgway, CO
    United States
    www.complianceacuity.com
    © Copyright 2020 by ComplianceAcuity, Inc. All rights reserved.
    ------------------------------

    Original Message


  • 9.  RE: ISO 13485 QMS Processes

    Posted 26-Jan-2021 07:44

    Thank you Mark. 

     

    It is important to reinforce that companies hire outside contractors for their specific expertise and capabilities.  This does not mean that you give up responsibility that the operation be compliant and performed properly, but it also doe not mean that you must dictate how they do the job for which you have hired them.  This is the reason that Purchasing controls become critical.

     

    Thank you,

     

    Lee

    Lee Leichter

    President

    P/L Biomedical

    10882 Stonington Avenue

    Fort Myers, FL 33913 USA

    Office: +1-239-244-1448

    Cell: +1-239-994-6488

    Email: leichter@plbiomedical.com

     

     




    Original Message


  • 10.  RE: ISO 13485 QMS Processes

    Posted 25-Jan-2021 20:12

    Couple further comments:

     

    1. From a purely normative ISO 13485 perspective, it is certainly acceptable to do as Mark prefers.  Specifically, such an approach is normatively permitted pursuant to the final paragraph of ISO 13485 clause 1.  Yet from a practical standpoint, such an approach requires at least one, but probably both, of the following: a) the organization has someone fluent/competent enough in process validation to be able to, without the aid of a process validation procedure spelling out required fundamentals, successfully assure the integrity of the contract manufacturer's process validation work; and/or b) the contract manufacturer has someone fluent/competent AND FAITHFUL enough to be able to, without direction from the organization, properly validate the process.  As hinted at in my initial reply, my experience has been that these two prerequisites are hard to come by.  Accordingly, for practical intents and purposes, I still recommend that the organization "should" have a full process validation procedure prescribing proper process validation fundamentals, and then use the procedure for directing, and or assessing, the contract manufacturer's process validation work.  But again, if the organization and contract manufacturer truly both know what they're doing regarding process validation, then Mark's approach could certainly work, and is in fact an approach that I've successfully applied myself before.  But for many organizations, it's just not going to be a realistic path to success in process validation without the infrastructural safeguards established by a well-written process validation procedure. I've learned to be leery of placing too much trust in a contract manufacturer's ability and/or willingness to properly deal with process validation.

     

    1. Anon's association of ISO 13485 with a "Class II" device suggests that the jurisdiction may not be the U.S. where ISO 13485 isn't required (MDSAP nuances notwithstanding), but instead perhaps a different jurisdiction that does require ISO 13485, such as Health Canada.  So, I'm not sure we should be citing FDA's 21 CFR 820.75 process validation requirements in this discussion.  Although FDA has announced its plans of formally recognizing/adopting ISO 13485, that objective has yet to be realized and is still afar off in the future due to FDA's slow-moving rulemaking process, slowed even further by the COVID-19 issue.  I'm also thinking that the topic of process validation triggers seems to be creeping outside the scope of Anon's question, so I'll save a detailed response to those comments until Anon requests a broadened scope, or until we start a separate thread.  Yet on that topic of process validation triggers, I need to briefly say that, although ISO 13485's process validation triggers overlap with FDA's, we must not forget that there are significant differences.  Consequently, although the preceding discussion seems to be equating ISO 13485 and FDA process validation requirements, we should be careful to avoid such an equation.  Now I'm chuckling a bit as I realize that this may further show how a good process validation procedure is a great idea...

    Cheers everyone. :)

    ------------------------------
    Kevin Randall, ASQ CQA, RAC (U.S., Europe, Canada)
    Principal Consultant
    ComplianceAcuity, Inc.
    Ridgway, CO
    United States
    www.complianceacuity.com
    © Copyright 2020 by ComplianceAcuity, Inc. All rights reserved.
    ------------------------------

    Original Message


  • 11.  RE: ISO 13485 QMS Processes

    Posted 26-Jan-2021 07:36
    Edited by Mark Swanson 26-Jan-2021 10:22
    Thanks for the couple of comments. I actually think my proposal is very practical.

    If I hire a contract manufacturing firm and transfer my process to them, I would expect them to have both a process validation process and the appropriate competent personnel to write, review and execute the process validation (if required). As part of my controls, I reviewed their certification and perhaps hired someone (either internally or as a consultant) to audit their QMS. It is not that hard to find competent people to do those tasks. This happens all the time with both virtual companies and other entrepreneurial people that don't want to get entangled in the infrastructure of the manufacturing side.  This is why contract manufacturers exist.

    The biggest piece here will be to work through the risk management (specifically process risk) as most often it seems like the design side is worried about giving the external contract manufacturers too much information (again, your agreement should certainly have the appropriate confidentiality protections). Certainly a person familiar with the design can review a process validation and see if it follows the QMS process the contract manufacturer has outlined.

    The point I am trying to make is that your QMS should have the processes necessary for YOUR QMS to do the things YOU do. Too often organizations create a process because an auditor told them they need that process (which they never use and there is no evidence of conformity--no records). It would be better to focus the limited resources of a smaller organization on getting good at what you actually do (e.g., supplier controls/reviewing supplier processes) than spending any time on creating a QMS process you will never actually use. Otherwise, why would you outsource the activity if you could just do it yourself? That why it seems like the practical answer to me to rely on their process.

    ------------------------------
    Regards,
    Mark Swanson, ASQ CBA, CMQ/OE, CQE ASQ, MBA
    Becker MN
    United States
    ------------------------------

    Original Message


  • 12.  RE: ISO 13485 QMS Processes

    Posted 26-Jan-2021 15:48

    Many thanks Mark for your additional emphasis on the merits of not having a detailed (or any) process validation procedure when process validation is outsourced.  As noted before, that approach is certainly permitted by ISO 13485, and as mentioned, is one that I, and I'm sure many others, have used before.  That approach certainly has its own practical and very valuable merits.

    My general preference remains that it's a good idea in my opinion to have a proper process validation procedure in place for the reasons I stated before and because I feel there is value in being proactively prepared for the likely eventuality that the process validation stars don't always stay perfectly aligned regarding process validation competencies and cooperation between the organization and its contract manufacturers.  I also think that such a procedure can bonify an organization's claimed ability to responsibly, properly, oversee the contract manufacturer.  That in turn can boost regulators' confidence and reduce their suspicions when they review the contract manufacturer's process validation work during audits of the OEM.  For example, I remember being in a recent agency inspection involving recall where the investigator was suspicious of the contract manufacturer's process validations.  A good process validation procedure can be a useful and objective way to systematically show that the organization takes its process validation oversight seriously, and that it has the organic competence to distinguish proper process validation from deficient process validation.  But as acknowledged before, there may certainly be scenarios where an abbreviated or delegated process validation procedure is acceptable.  Thanks again Mark for your valued insights.



    ------------------------------
    Kevin Randall, ASQ CQA, RAC (U.S., Europe, Canada)
    Principal Consultant
    ComplianceAcuity, Inc.
    Ridgway, CO
    United States
    www.complianceacuity.com
    © Copyright 2020 by ComplianceAcuity, Inc. All rights reserved.
    ------------------------------

    Original Message


Related Content