• Risk-management tolerance
• Technical and manufacturing capability
• Design-control capability
• Root-cause analysis

Medical device manufacturers are required to deliver safe and effective products, so many factors must be considered when selecting a contract-manufacturer partner. When used in conjunction with comparative analysis, these five keys can help device manufactures avoid pitfalls and make a data-driven decision by evaluating the potential risks associated with outsourced manufacturing:

• Quality management system (QMS)
• Risk-management tolerance
• Technical fit/manufacturing capability
• Design-control capability
• Root-cause analysis tools for driving continuous improvement

When selecting a contract manufacturer (CM), companies should perform a comparative analysis of the options. Comparative analysis for a potential CM can be completed quickly with minimal expense.

Preliminary work can be completed much like a desk audit, and the result should narrow the list of CMs. Site audits should be performed to compare the CM’s ability to meet specific needs. Audits can prevent an organization from entering into a contractual partnership plagued by high costs associated with poor quality.

Quality management system

Performing an audit of a potential CM’s quality management system (QMS) can establish the firm as an approved, certified, or qualified supplier. To start, request a copy of the organization’s quality manual in preparation for a potential audit. Use comparative analysis as a filtering tool to compare the quality manuals of three to six potential CMs. Differences will surface during this exercise, and some firms may deny the request, which may be indicative of the transparency (or lack thereof) to be expected if the relationship moves forward. Comparing quality manuals from multiple firms can identify differences and determine how the CM will meet the predetermined requirements.

During a QMS evaluation and comparison, focus on how the CM has elected to meet the ISO 13485 requirement established in section 4.1 (a) to “identify the processes needed for the quality management system and their application throughout the organization” and section 4.1 (b) which requires the CM to “determine the sequence and interaction of these processes.”

Many firms have failed to define key processes, let alone the sequence, interaction, and associated control strategy for these processes. When a firm attempts to meet this QMS requirement, it is typically expressed as a diagram referred to as the “model of a process-based quality management system” with graphic representation of Plan-Do-Check-Act methodology. Although not the intent of the guidance, the example from the standard is often copied into a quality manual. Comparative analysis can determine whether the requirement has been missed or whether the firm has invested the time required to define key processes, sequence and interaction, and the control strategy associated with these processes. (See Figure 1.) This requirement has implications on the quality culture of the organization and the strength its management team.

Review the quality policy and quality objectives with the management team. Ensure that there is documented, objective evidence that all employees have been trained to the quality policy and objectives. Evidence of training does not necessarily translate to training effectiveness. Ask the management team to show that the quality policy and objectives are understood and have been implemented throughout the organization. An all-employee survey that includes a written response where employees describe what the quality policy and objectives means is an effective tool to ensure that the principles have been internalized. Reviewing the strength of the QMS can be an early indicator of things to come. Medical device manufacturers should look for a CM whose approach aligns with its own QMS.

Risk-management tolerance fit

To avoid the cost of poor quality, evaluate the strength of the CM’s risk-management program. In ISO 13485 section 7.1 (d), the requirement states that “the organization shall establish documented requirements for risk management throughout product realization.” This section also indicates “…ISO 14971 [for] guidance related to risk management.” It is not uncommon for an organization to struggle with compliance to these requirements, and it can be a challenge to establish rules regarding when to use a particular risk-management tool. Questions to ask include: When should a preliminary hazard analysis be performed? When should a design Failure Mode and Effects Analysis be generated? Under what circumstances would a Fault Tree Analysis be used? What are the rules of engagement for risk priority numbers (RPN) in terms of when risk mitigation activity is absolutely necessary? What is the firm’s working definition of “As Low As Reasonably Practical” (ALARP)?

It can be difficult to align the risk-management approaches of two companies. One entity may be more tolerant of risk than the other. If the potential CM’s comfort level of residual risk varies greatly, it may be more willing to accept higher RPN outcomes than the device company’s system allows without the need for mitigation, reduction, or the elimination of the source(s) of the risk. This difference should make a device company extremely uncomfortable, and it is an early warning sign that the relationship may lead to significant costs of poor quality.

When reviewing the strength of a risk-management program, evaluate how the firm has applied risk management into the essential QMS elements: internal audits, nonconforming product, complaints, corrective and preventive action (CAPA), and change management. Not all issues that must be documented in these essential systems demand the same attention. Evaluate whether the firm applied a risk assessment that provides a documented evaluation based on frequency and severity that offers a documented, defendable rationale regarding when issues will be investigated and when issues will be escalated to the CAPA system. In addition, determine what provisions have been defined by the organization that clearly state who has responsibility to review and approve activities commensurate with risk.

The Tech Group has established and maintained a system based on the following tables (see Tables 1 and 2) that, along with definitions for each frequency and severity category, govern this activity using leveling. Tech Group uses three levels (Level 1, 2 and 3), where the higher level corresponds to higher risk. Individuals with greater education, background, training and experience are required to review and approve these issues.

When seeking a medical device contract manufacturer, look for evidence of the best practices described above as another early indicator of systems. Upon reviewing these policies, determine whether the CM has the freedom to operate with little to no intervention. Recognize that shortcomings in this area would require oversight along with a secondary review and approval of the issues if a partnership were entered into with this entity.

Evaluating technical and manufacturing capabilities

When using comparative analysis to evaluate manufacturing capability, several factors can help avoid risk. Evaluate whether or not the particular product offering is a core competency or whether the technology associated with product realization would be a stretch for a potential CM. Questions to ask include:

• Has the CM produced product with similar features and characteristics?

• Does the CM’s technical staff possess the education, background, training, and experience to be successful with this endeavor?

• Does the facility and infrastructure align with the overall contamination control strategy for the product?

•Does the CM have a history of successfully producing the projected volumes?

• Is the CM willing and able to share On Time In Full (OTIF) and Right The First Time (RTFT) data for similar products produced for other customers?

• Does the CM have a robust equipment calibration, qualification, process validation, preventive maintenance, and statistical process control system in place?

• Does the CM have the ability to perform manual, semiautomated and fully automated assembly; final acceptance activities; and final packaging and labeling?

Obtain answers to these questions during an audit of the manufacturing site. Past performance can be a predictor of future performance and dealing with a company that has a history of high costs associated with poor quality is not a decision that should be taken lightly.

Must-have: strong design-control system

A potential CM must be evaluated for the strength of its design control system. Has the firm established and does it maintain a compliant design-control system that could be leveraged in an effort to design and develop components, subassemblies, medical devices, pharmaceutical primary packaging components, combination product constituents, and combination products? It is quite common to see the traditional cascading waterfall diagram from the Global Harmonization Task Force embedded in a local design control procedure.

However, has the firm established and maintained procedures that govern the activity that occurs prior to entering formal design controls, and is this documented objective evidence generated in this early phase typically referred to as research? If a design-control system has been established, does the system end with product launch or does it include post-market surveillance activities designed to provide input to management review that is intended to drive continuous improvement as the product and process is “monitored and measured” in accordance with section 8.2.3 and 8.2.4 of ISO 13485? (Figure 2)is a graphic representation of an overall design control process that can be established and maintained in an effort to comply with design-control regulation.

Problems require robust root-cause analysis tools

Any organization can appear to be in a state of control for a period of time, but the true measure of control associated with sustaining manufacturing is long-term supply OTIF and RTFT without disruption. When problems arise, how will the organization respond? How has it responded previously?

Problems offer critical opportunities to demonstrate the organization’s ability to deploy root-cause analysis tools established especially for such occasions.

An effective CM will deploy resources based on risk derived from a quick evaluation that defines the frequency and severity associated with a given event. (See Tables 1 and 2.) Although an investigation can be performed at any time as part of a QMS, Level 1 (low-occurrence, low-risk) issues per procedure do not require investigations. Level 2 issues require documented justifications when investigations are not performed. Level 3 (high-occurrence, high-risk) issues require investigations as well as documented justifications if the issues are not escalated into the CAPA system.

These principles and methodologies, along with a robust investigation worksheet that combines proven quality tools, enable a CM to be compliant while at the same time applying risk management throughout all product realization.

When evaluating a potential CM, spend adequate time in the essential quality systems to determine the strengths or weaknesses associated with the firm’s ability to recognize a problem, quickly and methodically determine the root cause, effectively contain the problem, apply corrections, and issue corrective and preventive actions that drive significant continuous improvement.

Measuring success

A robust quality agreement will include guidance and rules of engagement associated with the essential quality systems and should define specific roles and responsibilities of each organization and identify shared responsibilities. One way to do this is to create a RACI matrix. (See RACI box on page 36.)(RACI is an acronym derived from Responsible, Accountable, Consulted, and Informed.)

As for defining formal governance expectations, this works best when the activities involve individuals from the working, management, and executive teams. These meetings are key to driving continuous improvements and accountability to a predetermined and agreed upon scorecard that measures the success of the partnership.

Using the keys described above along with comparative analysis can greatly affect the CM selection process by uncovering issues prior to entering a contractual partnership.

Responsible/Accountable/Consulted/Informed (RACI)

R(esponsible) – Who is responsible for actually doing it? Those who do the work to achieve the task, although others can be delegated to assist in the work required. Responsible (R) team members must complete the task or objective or make the decision. Several people can be jointly responsible.

A(ccountable) – Who has authority to approve or disapprove it? Those who are ultimately accountable “owner” for the correct and thorough completion of the deliverable or task, and the one to whom Responsible (R) is accountable. These people must make sure that Responsible (R) team member(s) are assigned in the matrix for all related activities. Accountable (A) team members must sign off or approve when the task, objective or decision is complete.

C(onsulted) – Who has needed input about the task? Those whose opinions are sought; and with whom there is two-way communication. They are notified about a task prior to it being performed. and they need to give input before the work can be done and signed-off on.

I(nformed, kept) – Who needs to be kept informed about the task? Those who are kept up-to-date on progress, often only on completion of the task or deliverable; and with whom there is just one-way communication. Notified about a task after it has been performed. Informed (I) team members need updates on progress or decision, but they do not need to be formally consulted, nor do they contribute directly to the task or decision.

S(upport) – Who needs to support the task? When charts include this category, they are referred to as “RASCI charts” but otherwise are identical to RACI charts.