Outsourcing quality and regulatory functions can reduce your personnel overhead and allow the use of competent staff on an as-needed basis. Such suppliers include quality consultants providing guidance on quality management systems, regulatory affairs consultants managing regulatory strategy and submissions, outsourced quality management system functions, or contract supplier and internal auditors. Contract staff brings a new perspective, along with unique and eclectic experience to your organization. However, this approach is not without risk. By applying quality system best practices to outsourced quality and regulatory functions and performing a risk-based business assessment, you can minimize these risks. This article focuses on selection and management of quality and regulatory suppliers according to ISO 13485:2016, the European Union Medical Devices Regulation (2017/745) and FDA Regulation 21 CFR 820.
Checks and Balances
You’ve decided to outsource quality or regulatory activities to a consultant or third-party firm. While they claim relevant experience and suitable qualification, how do you, as the legal manufacturer, ensure they meet the regulatory requirements for a supplier? These organizations meet the criteria of a supplier and must be managed by your organization as such. To avoid conflict of interest, you must manage them as a supplier. You cannot allow a supplier to conduct its own selection and evaluation or even a portion thereof. This is a frequent conundrum for outsourced quality processes and one that auditors are increasingly identifying as a nonconformance. Outsourcing these, or any critical functions, carries a business risk. Therefore, I recommend leveraging the requirements for supplier controls to ensure quality, compliance and minimization of business risks.
Quality and Compliance Risk
Regardless of the type of activities you outsource to a quality or regulatory consultant, you must ensure they are qualified to provide the service and are able to meet any associated regulatory requirements. You’ve likely addressed these same concerns with other suppliers; the following are some recommendations to help you apply common supplier control measures to these unique suppliers:
- Audit your supplier according to your approved supplier management procedure. Use a risk-based approach to assessing the supplier. That is, if the supplier is managing a critical process such as complaint handling, corrective and preventive action, or design, consider them a critical supplier. An on-site audit of a critical supplier is an opportunity for one of your own employees to learn about the outsourced activity. Consider outsourcing all audit activities (internal and supplier audits) to a separate organization to ensure full independence during each audit. Depending on the service provided, the following activities may be performed during your audit of the supplier:
- Evaluation of the supplier’s own documentation (insurance, procedures, policies, employee manual)
- Review a sampling of records generated for all activities performed by the supplier
- Evaluation of training documentation (certifications, degrees, other external qualifications such as CVs or resumes for staff)
- Tour and critical assessment of the supplier facility, if applicable (adequate storage of documents to prevent loss and deterioration, adequate infrastructure including communication and information technology arrangements, and suitable location for the service provided)
- Staff interview (determine what each staff member does and what they have learned from previous, relevant positions)
- Evaluate the way the service provider manages the regulatory requirements for personnel qualification within their organization. I recommend you maintain or assess personnel records for the supplier’s employees to demonstrate employees are qualified for the work they are performing. To ensure impartiality, do not rely on qualification documents generated by the provider. Ensure that you are notified of any personnel changes as related to your company. This allows you to assess the qualifications of new staff performing work for your company and also enables you to gauge the turnover of your service provider. High turnover may be a sign of instability, ethical concerns, or unqualified or disgruntled staff, all of which carry substantial business and quality risks that may extend to your organization.
- Assess where a supplier’s inexperience may cost you. In some cases, those costs multiply. For example, if you outsource quality functions and a supplier mismanages quality processes, you first pay for the mistake and then you pay again when the supplier implements corrective actions! A qualified supplier will often identify preventive actions before a nonconformance occurs. Ask a potential supplier about their preventive action processes.
Outsourcing quality and regulatory functions minimizes your HR burden and allows access to experienced staff when you may not have the requirements to warrant a full-time employee. However, without the proper due diligence, there are hazards. When selecting quality and regulatory contractors, don’t let your eagerness or their self-promotion rush your decision to partner with them. When selecting a regulatory or quality consultant, I recommend the following to minimize business risk:
- Thoroughly probe a consultant’s knowledge and experience. Does the consultant have relevant experience? Even when restricted by confidentiality agreements, the supplier should be able to convey some details regarding services provided to relevant businesses or involving similar products. Conversely, you may be at risk if the consultant provides such detail that they risk the confidentiality of existing clients.
- Research a potential consultant’s claims. For example, if a client claims success with numerous 510(k) clearances, evaluate the 510(k) summaries and resulting claims. While the consultant may be responsible for the clearance, a clearance with no clear advantage over the predicate device may indicate an underdeveloped regulatory strategy.
- Verify that your business risks are minimized with adequate contracts for employees of the service organization. That is, the service provider’s employee contracts are likely written primarily in the interest of the service provider’s interests. Is your business protected with suitable confidentiality clauses for the provider’s employees? Your contract with the supplier alone may not adequately protect you from actions taken by a provider’s employee or ex-employee that could compromise your company’s protected information or confidentiality. Request a copy of your service provider’s employee contract template to review when you are creating the content of your contract with the service provider.
- Reach a mutual understanding of transparency. You should be able to access records and information related to your business at any time. And, you should be able to rapidly assimilate outsourced functions into your organization if needed. As you grow and succeed, moving these activities into your own company is inevitable. If processes seem confusing or complicated, it may mean your supplier is not being transparent or your supplier may be equally confused by their own processes!
- Verify that the supplier has the resources necessary to meet your needs. If you require substantial assistance in a particular area, does the supplier have the required and competent staff to do so? A good supplier of quality and regulatory services should hold themselves to the same level of resource management and employee competence that is expected of a medical device manufacturer.
- Be wary of a quality consultant leveraging audit success as an indicator of his or her qualification. In the current and changing landscape of medical device regulation, the sampling of records performed in an ISO 13485, MDSAP or FDA audit is not significant evidence of the consultant’s expertise. The consultant should be able to use other experience and information to demonstrate competence.
- Do your research. Don’t be afraid to reach out to the provider’s past or existing clients if they are willing. If not, there is still research you can perform with publicly available information. For example, some providers maintain social media accounts (e.g. LinkedIn, Facebook, and Glassdoor) or listings in MedTech directories where information may be posted. In some cases, you can locate information regarding the consultant’s work through FDA databases such as the 510(k) database or FDA establishment registration database.
In summary, consider applying the same resources, assessment and focus for suppliers providing quality and regulatory services as you do for contract manufacturers and other critical suppliers. The criticality of such services and growing regulations affecting supplier controls warrant the additional time and resources to do so. For more information, refer to supplier and purchasing requirements outlined in Section 7.4 of ISO 13485:2016, US Code of Federal Regulation 21 CFR 820.50, and Article 10 & Annex IX of the EU MDR.