John Beasley, MSc, RAC (US) Your's is a great question Dan. With the ISO/FDIS 13485:201x (QMS - Medical Devices - Regulatory Requirements) coming, our attention will expand with the scope, which changed from "design through distribution, and support" to "organizations involved in any aspect of the product lifecycle".

One reference for you is the FDA interim guidance for "convenience kits", published in 1997, which is not unlike your scenario; finished medical devices are purchased and then bundled (kitted) as a convenience to the user. The regulatory controls take into account those regulatory requirements already met for each individual device.

As always, the level of control will be commensurate with the level of risk.

Aaron Liang I think if you are dealing with third party items, you would manage them as any other supplier of materials for your product. For example, an organization could sell a device system which includes devices which are finished devices fabricated by a third party which has obtained its own separate regulatory clearance from our system. Under supplier qualification requirements from the FDA QSR(820.50, 820.60) an organization would have a mechanism for evaluating and managing materials used to fabricate their finished medical devices. Although the items in this case are already finished devices and therefore do not require further fabrication/assembly they are still inputs to build the final device system just as with any other materials. Therefore, they should be controlled with other suppliers of goods and services under our quality management system (i.e. perform supplier qualification, inspection and product release) because under the quality system, they are a supplier of goods that are used to fabricate our finished medical device system. Of course, as John said the level of controls you would apply would depend on the type of 3rd party items and the level of risk they pose to the finished medical device your organization offers.

Ee Bin Liew yes, in ISO13485 even in the current version there are references to 'purchased product', so you can look to 7.4 Purchasing for further details. In the upcoming version this section's text is clarified so it will help you more.

but what I sense you're looking for is a regulatory requirement. Standards are voluntary, regulatory requirements are not. So unless there are regulatory requirements in your local jurisdiction that adopts ISO13485 then you can refer to it. Another method - since you are aiming to be compliant to the Standard hence you require your 3rd party product suppliers to adhere as well. If you're stuck with them not heeding then the issue could be the commercial agreement which had not stipulated it. Update that agreement template and perhaps this potential issue might be mitigated in the long run. hope it helps.

Cheers,
Ee Bin

Karen Boyd, ASQ CQA Combining John and Aaron's comments make an ideal approach, IMO. Supplier qualification, risk assessment, and the control / management of both are critical and intertwined elements of 3rd party product compliance and facets of overall product / process quality. Any outsourced product / process and the associated supplier(s) is the responsibility of the originating organization or OEM to maintain.

ADNAN ASHFAQ interesting thanks for this

Kirk Becker Hello Dan,
The most simplistic answer to your question, if your question is targeted for a medical device, is when the supplier ships the item to a consumer - that supplier MUST follow the appropriate regulations as determined by the classification (I II III ) of the device (Supplier must be FDA registered in the USA as well). If the supplier is shipping a component to another location where that component is combined with others - the supplier must adhear to the receipient company's quality requirements in addition to the suppliers own such as outlined in ISO 13485.

Hope this helped