Case Studies on Plausibility of Medical Device Supply Chains

We encounter many situations where new certification applications or changes to a certified organization simply don’t make sense to the point of not being plausible. In these cases, we have to rely on our experience and intuition to catch these red flags and challenge the information provided until we can clarify that the scenario seems acceptable from a certification standpoint.

Red Flags in Applications

The root cause of these anomalies is typically the client’s lack of understanding of:

• Their relative role (see ISO 13485:2016 clause 4.1.1, 3rd paragraph):
1. For example, where the legal manufacturer and a manufacturing site have common ownership. Especially in the US, we hear terminology that may only be usable in certain jurisdictions (e.g. “design owner” or “design responsible” or “OEM”/”PLM” is used as a synonym for legal manufacturer).
2. In some cases, the supply chain is simply not finalized (e.g., the applicant cannot tell us if a product sent for sterilization will be sent back to the manufacturing site for release or will be directly drop-shipped to the distributors).
• Their responsibility in that role, i.e.:
1. They are responsible for the outsourced processes per ISO 13485:2016 clause 4.1.5. There is no such thing as a “completely outsourced” process – this is especially problematic if a legal manufacturer does not understand the applicable regulatory and quality requirements and completely relies on a consultant to keep their QMS and product technical documentation afloat.,
2. In case they (also) provide services per customer specification (e.g., contract manufacturers, etc.), the scope of their activity may be regulated by the agreement with their customers,
3. Sites serving multiple industries (e.g., medical device, defense, aviation, and/or automotive) may need to consider if the medical device-related activities can be audited to a sufficient level for meaningful objective evidence. For example, if an injection molding machine (at the manufacturer or one of their suppliers) or adjacent machines in a common room are used to produce medical device parts and to fulfill defense contracts as well. Such situations may inadvertently lead to unintended non-conforming medical device parts/products.  In extreme cases, a non-auditable supplier may need to be replaced.
4. They cannot claim that a clause of ISO 13485 is excluded or not applied if they do not apply parts of a clause (e.g., manufacturers trying to justify that clause 7.5.10 Customer Property is not applicable because certain types of customer property – either physical goods or patient health information – are not applicable while  some types are relevant; similarly, they cannot claim clause 8.2.6 Monitoring and measurement of product not applicable just because the last paragraph (specific to implants) is not applicable).
5. They cannot exclude processes, products or services that have an influence on the safety and quality of products [in the scope of certification] per IAF MD9 clause 8.2.1).
Note: an organization, however, can – in most certification schemes – choose not to include entire device groups (and their dedicated processes) in the scope of a given certification with a given CAB. A notable example of this situation is when a manufacturer works with multiple CABs to certify parts of their QMS (including parts of their product portfolio).
• Parties/stakeholders in their supply chain, such as:
1. Not understanding the difference between the designation of sites/facilities within the QMS versus suppliers external to the certified organization, especially in case of common ownership (e.g., “internal supplier”, “common corporate QMS”, etc.).
2. Not appreciating the importance of proper and unambiguous identification of the parties in the supply chain, including the legal name, trade name(s) and addresses of all sites of all parties. Often, we see that especially in case of common ownership, sites in the application are identified by the colloquial name of the owner followed by the city or state name (e.g. ACME Medical – Texas) to identify sites. For sure, legal entities in different countries (e.g. a legal manufacturer in the US and their manufacturing site in Mexico) will have distinct names (as they have to be incorporated in the given country to conduct business and the form of corporation have different names in each country). Trade names are not arbitrary strings, they have to be associated with the legal name in the business registration in the given state’s corporate registry. If the given site (especially suppliers) has QMS certificates, it’s beneficial to use the exact name and address on the certificate (we often see manufacturers omitting the form of corporation, which should always be included).
3. Not being fully aware of downstream (and in some case some upstream) suppliers, especially if that party is not primarily a supplier (e.g., a distributor – customer - who does translation of the instructions for use to a given language or who also participate in complaint intake and classification or in-country market approvals and registration)

Business and Logistics Considerations

If we see that a given supplier (who is not a single source like a sterilization service provider) is very far away from the manufacturing site, and the product then returns to the manufacturing site (especially if the product needs to cross country borders), we will likely ask for confirmation. Some manufacturers don’t consider the supply chain to its full depth (i.e., tier 2 and below). This can result in a general lack of clarity and control over the outsourced processes.

The general expectation is that the manufacturer controls the process down to any necessary level for whatever is custom made for them. For example, an active device manufacturer may outsource the manufacturer of a subassembly to their tier 1 supplier, who in turn, may further outsource the manufacturing of the PCB included in the subassembly. If the PCB fab is manufactured by the same tier 2 supplier, and the populated components are all off-the-shelf (e.g., resistors, standard microprocessors, etc.), then this is considered sufficient level. However, if the board contains for example a custom ASIC (application specific integrated circuit) chip, then the control of the tier 3 supplier may also be required. The supplier quality agreements have to be in-line with the supply chain strategy (e.g., it should allow the tier 1 supplier to further outsource, control inheritance of quality requirements – e.g., record retention – to all depths of the supply chain, should control the level of autonomy of a given level of supplier in supplier selection and control, etc.).

Company Size vs Range of Activities

In some cases, the employee count (representing the company size) suggests insufficient resources to implement and maintain a QMS for the applied scope, both in terms of activities and product groups. If we see, for example, a 10-person startup located in a commercial strip mall office who claim to have no outsourced process and manufacture a digital active device with a gamma sterilized sterile consumable, we will ask questions, like how can you afford to do your PCBA fabrication and gamma sterilization in-house? How do you have the personnel to manufacture all parts and operate all the different technologies to make all parts of the device? Most of the time it turns out that the client (especially if this is their first project) did not consider some of the above pitfalls and did not fill out their application form completely/consistently, and in fact, they have a reasonable supply chain structure.