Joe Zott It is a fantasy that I have heard from some startups. I have never heard of it being acceptable. What I have seen work is 1) The med device company wraps their QMS around the contract manufacturer's and outsources pretty much everything to the CM. The med device company still needs to have their own QMS, the CM's QMS needs to be compliant to companies QMS, and the med device company needs to practice sufficient supplier control on the CM. 2) The med device company becomes a distributor only. So their name appears on the product as the distributer. They can continue to own the IP, but all product responsibilities are the CMs. Not sure how the CM can demonstrate design controls unless they designed the product, but I have heard of CMs agreeing to do this.The CM takes on a lot of risk, but they now have great control of the product. The med device company doesn't need a QMS, but I hardly would call them a med device company at this point.

Anna Lisa Somera Thanks, Joe. Sounds like a fantasy to me as well. I contacted BSI and they said both parties would need their own QMS systems for ISO 13485 certification.

This pretty much addresses the question...from the GHTF/SG3/N17 Quality Management System – Medical Devices – Guidance on the Control of Products and Services Obtained from Suppliers:
“Within existing regulatory frameworks the term “manufacturer” may be defined differently. However, each regulatory authority ultimately holds one “manufacturer” of medical devices or entity primarily responsible for meeting regulatory quality management system requirements. This “manufacturer” or entity, that has the ultimate responsibility for its quality management system, cannot relinquish (contractually or otherwise) its obligation and responsibility over any or all functions within the quality management system. This means the responsibility for complying with the quality management system requirements cannot be delegated to any supplier of products and services.”

Though, even as the manufacturer of record, it does make life a lot easier, especially with risk management, to select a contract manufacturer or supplier that is also ISO 13485 certified. While it doesn't relieve the burden, it certainly lightens it.

Robert Barber Both parties need their own QMS and both parties need to register their facilities with regulatory authorities as well as any other critical suppliers in the supply chain (e.g. contract sterilization). There needs to be a Supplier Agreement (Quality Agreement) in place to define the interfaces between the two parties and agreed responsibilities of each. The company with its name on the product and places it on the market is legally liable.

There are many reasons for an organization to have a QMS and once these reasons are understood, then the statement makes sense: "I always though a company should have their own QMS."

Ali Bora Bingöl That is totally wrong. Because, and just at the begining, that kind of a QMS approach is against the eight principals of QMS. One party is the supplier, not the manufacturer herself! How can someone apply the principals? And, further, if you don't have your own "control" or "management" over the QMS, it will be impossible to claim that you have established, applied and sustained a QMS.

On the other hand, application of basic quality objectives, goals, management review etc. will be impossible.

There are other ways to "manage" QMS of manufacturers who outsource most of their processes.

Julie Omohundro I guess I think there is a perspective from which "using the CM's QMS" does make some sense, although I'm guessing this is not what this person was thinking. Your QMS must address the activities that you carry out that can impact quality. For example, if you don't install your device, your QMS won't include installation. With a CM, you aren't carrying out many of the activities. However, as noted, you are still responsible. So, in a sense, your QMS becomes one big SOP on how you assure that your suppliers are in compliance with applicable requirements, rather than a lot of SOPs describing how you are in compliance. I am speaking conceptually here more than what I think FDA or an ISO auditor might think. However, I think this perspective may be one source of these fantasies.

As for who is a manufacturer and who is a distributor and what is "really" a medical device company...I think a combination of outsourcing and increasingly innovative business arrangements have made quite a mess of all that, and I don't pretend to know how to tell who's on first any more. I'm just happy to not be responsible for figuring it out.

I don't believe there is a regulatory requirement that the contract manufacturer be ISO certified. But, if they are not, there is a larger responsibility upon the manufacturer to ensure the products they receive from their supplier are suitable for their QMS.

James (Jim) Dent, LSSBB, DTMx2 @Anna: although you've gotten your answer from BSI; could you describe what your business does if it outsources all their design and manufacturing? The standard does permit exclusions to some of their clauses, with reasonable explanations for the exclusions.

Victoria Trafka I agree with many of the comments above. I can't see how a medical device company could have no quality system at all. The company could rely on the contract manufacturer and/or the contract design firm for certain aspects of the QMS, but they would have to have some procedures of their own.

Anna Lisa Somera Thanks for all of the comments, everyone. This is a great discussion!

Julie Omohundro Anna, it is indeed a great discussion. Thanks for bringing your question to this Group.

And now we are all breathlessly awaiting your response to Jim's question above...

Anna Lisa Somera My company is developing a sterile medical device to be used in surgery. Still in the feasibility stage. Some design is in-house, but some will be outsourced. Manufacturing will be completely outsourced. No shipping or receiving will be at the start-up. All of that will be outsourced. We will have our own quality system-- I'm taking no chances on that. We will have a quality agreement with our outsourced partners and ensure control of their processes on our product.

James (Jim) Dent, LSSBB, DTMx2 @Anna: have you confirmed with the FDA relative to your original question? You will still need to comply with 21 Part 820, and several other Parts. ISO 13485 is separate from the FDA requirements, with 'some' overlap.

Julie Omohundro Anna, does this mean your company is a start-up?

Julie Omohundro Oh, sorry. I just saw where you said that already. Many startups do not want to invest significantly in a QMS. Often the fantasy of relying on the CM's QMS is accompanied by another one, which is that an established device company will snap up the device before it gets to that point. Although sometimes this fantasy does become a reality, but probably more often than not, not.

They may also skimp on design controls. This practice is so widespread that I think established companies are usually resigned to the prospect of having to construct design controls retrospectively, whenever they acquire a start-up's product.

Also common is the decision to market a new device in the EU, rather than the US, because it's rumored to be easier. This may be true for the marketing of many individual devices, so it's a strategy that often works well for an established device company. It is also often true that it is easier to pass a notified body's inspection for ISO 13485 certification than an FDA inspection for compliance with the QSR. However, if your device is not Class III, I think (somebody please correct me if I'm wrong here?) it is also true that you can get on the US market and stay there for some period of time (perhaps over 2 years if you are lucky) before you come up for FDA inspection. In that case, it can be "easier" for a start-up to get on the market in the US, so some startups will role the dice, and hope their device gets snapped up before that happens.

Also, as far as I can tell, there is no direct regulatory consequence for not following design controls pre-market in the US. If you get them in place so that the design will be controlled post-market, what happened pre-market is water under the bridge. (This is based on my personal observation; again, someone please correct me if I'm wrong in generalizing it.)

Mia Spiegelman BSc, RAQC In Canada you can also get your name on the device as a manufacturer by having the fabricator use their ISO to licence it and then you would complete a private label application. This way the initial cost is 0$ to get the licence for the company that ends up being the manufacturer on label. I believe USA is different.

Somebody has to be responsible in the eyes of the regulators. As a contract developer/manufacturer we would never do a deal like that. We would help the company implement their own QMS (and get audited to it if they want or need ISO13485). It might be fairly thin depending on the nature of the company involved and their exit plan.

Mark Schnapf From my experience with startup companies and large med device companies, I must agree with what Scott has shared. Depending on the nature of the device 21 CFR FDA states there may not be a need for a full QMS. But I really don't exactly know where this applies (someone let me know of an example if they have one). Regardless, there are areas of 21 CFR FDA and ISO 13485 that may not apply to a particular device. Yet all devices I have encountered bringing to market or integrating into a new QS followed the entire template of the company's QMS. The QMS had been audited within 2 years of it's establishment by the FDA. I am not exactly sure regarding the design controls happening later if a company expects to be purchased in the early stages of it's onset. But, I don't believe the FDA will see justification of the absence in an audit. Especially with the added emphasis on risk management that is upon us.

I would believe parts of this may be true and relative to all QMS. However since most business models are adoptable to fit portions of QMS based on the varying scope of the business and market which it operates. I believe I have seen with many organizations both small scale and global scale that a mixture of different QMS do carry over. Concepts are assumed the same so what worked here must also work there. Consider the variables that exist and adopt those changes within your QMS system so that it meets all regulatory standards, both domestically and abroad.

Helen Gerhard The company that owns the product and puts it into interstate commerce (or international commerce) has the responsibility to control the process. Even if they use a contract manufactuer that actually manufacturer the product, the company has a responsibility to produce safe and effective product and that requires control over the manufacturing process. Thus, the QMS of the manufacturer of record (who contracts the CM to do the work) must be able to show they have processes in place which may point to and approves the CM's processes. Often the manufacturer of record accepts the product (based on the device history record which in turn must show it meets the DMR.) I reaalize I'm using the FDA's terminology but the same general principles are found in ISO 13485. The manufacturer of record does not even need to be the distributor (that may be contracted as well) but the control needs to be seen in that direction as well. The same could be said for the contract design. Also, I believe that CMDCAS does require the product to be manufactured under one of the acceptable registrar's certification (at least that's the way we set it up at the last place I was Quality Manager.)

Anna Lisa Somera Great discussion, folks. Thanks for all of the comments.

Helen Gerhard One thing I read above is it is believed that design controls are not required pre-market. If you are speaking to FDA (and is true for ISO 13485) then pre-market design controls are critical. FDA has stated over and over again that once a product concept has left research and is in the development stage (with intent to bring it to market ... no matter who does that,) then design controls including inputs, outputs, scheduled design reviews, design verification, design validation, and design transfer must be fully documented. One thing that companies do that is problematic in FDA's eyes is their definition of equivalence for design validation. FDA expects the validation to be performed on initial production runs and equilvalents to those (if used to meet this requirement) must meet everything that the initial production run includes (e.g. IFU, final labeling, final packaging, final verified product design, etc.) This cannot be done with research or development materials unless they can be shown that they meet the final verified design requirements that become a DMR. Final design validation is also on the whole device, not on parts...that's why initial production runs are designated as the standard. So yes ... even start-ups need robust design controls in place if they are to meet regulatory requirements.

Helen Gerhard I should have also included documented design changes (e.g. if an input is changed during development then that must be documented through the design change process.)

Stephen Price Not true.

Stephen Price Obviously, your source is not credible. Believe half of what you see and nothing of what you hear.

Stephen Price Credible sources first.

Julie Omohundro Helen, to clarify, I didn't say that design controls are not "required" pre-market, but that I know of no regulatory consequences for not meeting those requirements pre-market.

I think this section of the QSR is essentially unenforceable as written. What exactly is FDA going to do if a start-up hasn't followed design controls, but nonetheless has data that clearly demonstrate their product is substantially equivalent or S&E for its intended use? Not clear/approve the product? I know of no case where this has happened. Furthermore, at that point, I can't think of any purpose it would serve, at least not within the context of that particular device.

I think the best FDA can do is require that proper controls be put in place at the point of clearance/approval. This is well and good for the device as it goes forward post-market, but ultimately negates much of the value of design controls, especially when it comes to facilitating innovation.

I also think that FDA has been largely, if not totally, spared from having to address truly egregious non-compliance at the point of clearance/approval, for the sad and simple reason that the start-ups that grossly fail to follow design controls virtually never make it to that point.

Julie Omohundro Reading through your comment again, you are moving the goal post about 6 inches. By the time you get to final design validation, the design phase is virtually over. If you haven't followed design controls until that point, that is where you can implement them retrospectively on paper and sail on from there to clearance/approval. But it is way too late to actually implement them as intended, or in a way that would have added real value to the design process.

Helen Gerhard First, I apologize if I mischaracterized your statement. That was not my intention. Second, If you are talking for Clearance/Approval to be the 510(k) stage then that is often prior to the full design controls being implemented (e.g. there's usually more to the story.) Indeed, I have seen product that had passed the 510(k) process that then has taken over a year to reach the actual marketplace (fully documented design controls required up to and including validation. Third, there are regulatory consequences although they do not appear until the audit of the company postmarket. Design control are often cited on 483s. If that is what you meant (that the consquences of not having the design controls fully documented pre-market only occur post-market) then I agree. If the design controls are only implemented on paper retrospectively then that is often exactly what is cited on a 483. Hence, the requirement is there pre-market but the consequence only occurs post-market. I have seen product that was pulled out of production and recalled because their design controls were not in place appropriately. Perhaps this is a case where the two of us have different experience.

Russell James Please don't discourage the start ups and individuals that are prepared to innovate but don't have all the required resources. This is not a fantasy, there are FDA registered contract manufacturers in the USA that can provide these services.

Some have the capability and will accept the additional liability to provide sterile medical devices for surgery on an OEM basis. The product label would be the start up name and indicate it was manufactured by the CM.

These experienced CM services are ideal for start ups providing lower risk and reduced time to market in addition to services like shipping, receiving, field service and repairs.

Julie Omohundro Helen, no apology needed. Commenting on LinkedIn isn't my day job either, so I skim and miss stuff and make typos and misspeak. Just wanted to be clear on what I was saying. That said, once again...I didn't say there were no regulatory consequences for not having design controls fully documented pre-market; I said there were no regulatory consequences for NOT FOLLOWING design controls pre-market.

When you saw the product pulled out of production and recalled because their design controls were not in place appropriately, then what happened? Did they all get into a time machine and go back and identify all the design inputs they were supposed to have identified BEFORE they started designing? Did they go back in time and put together the design & development plan they were supposed to have developed BEFORE they started designing? Did they go back in time and hold the design reviews they never had?

You can "fully document" design controls any time you want, but you only get one chance to actually follow them, and that is WHILE YOU ARE IN THE PROCESS OF DESIGNING THE PRODUCT. Once it's been designed, you have missed your chance and, short of a time machine at your disposal, that chance is 100% gone, forever.

Julie Omohundro Russell, I have not seen a single comment that even remotely implies that start-ups should not use CMs.

Russell James Julie, perhaps you missed the first comment

Julie Omohundro Russell, nope. Read every word. Joe goes to considerable lengthy to describe what he thinks will work for startups and individuals that are prepared to innovate but don't have all the required resources. How do you think that providing them with this guidance would be discouraging to them? Are you saying they might opt not to put their innovative product on the market unless they can be called a medical device company?

Russell James Start ups using a CM's QMS is not a fantasy
It can be an acceptable reality

Julie Omohundro Perhaps, but expressing the opinion that a start-up should not use a CM's QMS is not at all the same thing as suggesting that they should not use CMs.

Nearly all. There are some functions which are solely the responsibility of the person or company placing the product on the market and cannot be delegated to a CM. But yes it is not only possible but commonplace.

Helen Gerhard That was my point. The company has a regulatory responsibility to show they have control over how their product is designed, manufactured, and distributed. I was a QM at a company with 12 people, only two of which were involved in operations and quality. Our QMS embraced our contract design, contract manufacturer, and contract distribution chains. When the FDA came and inspected our QMS (which was very lean as it pointed to the processes at our contract partners) they said it was one of the best such systems they'd seen. The only problems we faced was where our management had agreed to let the distributor take on contracted activities that were required by FDA to be a responsibiity of the manufacturer. I had told my management we couldn't do that and they had insisted it was 'ok because it's in the contract.' No so. Those had to be realigned within our QMS. The mistake cost resources that could have been used for other activities.

Robert Barber I'm just picking up on the other point made in the original question "the label would bear the company's name, but the manufacturer's address". Under EU rules, the term "manufacturer" does not mean "the place that physically assembles the device", but "the person who places the device on the (EU) market under their own name" - usually referred to as the "legal manufacturer". So in the EU the label would have to bear the company's (= legal manufacturer's) name and address (this is who the customer needs to contact if they have a complaint, for example). It can get very confusing when marketing a device with labelling to suit the requirements of different regions, some who also require "country of origin" to be identified as well as having different interpretations of the term "manufacturer". OEM devices can be tricky because there will usually be 2 companies identified on the labelling, but the regulators are only interested in the one that is legally responsible - this being the company whose name and address appears next to the "black factory" symbol. The bottom line is that the label design should not confuse the customer as to who is ultimately the legal manufacturer - and where they can seek help if there is a problem.

Deryk Flood

Here is one good article about this topic:
https://www.qmswrapper.com/blog/cup-of-joe-44-whose-monitoring-responsibility-is-when-you-have-outsourced-production