What You Need to Know About Contract Manufacturing
An FDA Veteran Describes What You Need to Know Before Working With a New Outsourcing Partner
The medical device industry is a very dynamic one, with new companies being set up constantly—bringing either new, unique devices or better designed me-too products to market on a regular basis.
Most of these companies are set up by entrepreneurs whose strength lays in the concept and design of the product, not manufacturing expertise. Setting up a manufacturing plant typically does not make sense to a new company with one or two products, and many require specialized equipment or machinery. Medical devices requiring software, molding or complex milling operations could require 10s or 100s of thousands of dollars in OEM investment to set up a manufacturing operation.
Overall, it usually does not make good business sense to use valuable resources that should be allocated for research and development and marketing to set up a manufacturing facility, especially since today’s medical device climate offers no shortage of highly qualified contract manufacturers willing to provide their expertise to manufacture products.
Many new companies are often confounded by the responsibilities they have in assuring that their medical devices and operations are compliant with FDA regulations and standards. In addition, many don’t realize that handing over manufacturing operations to another company doesn’t let the OEM off the hook for assuring FDA compliance in the manufacturing process.
The Road to Compliance
In FDA regulatory lingo, the smaller OEM handing off manufacturing duties is often referred to as a Specifications Developer. The specifications (spec) developer is usually the person (or company) that comes up with the specifications for the medical device and will want to market the device. Basically, the spec developer is responsible for assuring that the company is in FDA compliance when obtaining FDA 510(k) clearance or PMA (pre-market application) approval prior to marketing the device. (Note: In some cases, the device maybe exempt from the 510[k] or PMA process; these are usually fall in the area of a Class I device.)
The spec developer must register with the FDA, and once the product has obtained FDA clearance/approval, the device must be listed with the FDA. These tasks are most often performed by a spec developer’s regulatory specialist or consultant.
If the OEM is handing off manufacturing to an outsourcing service provider, many new smaller companies wonder, is the spec developer required to assure that the device is manufactured under QSR/cGMP (quality system regulations/current good manufacturing practices)—even when the OEM company is not actually doing any of the manufacturing?
If a spec developer takes the approach that it does not have any responsibility for the manufacturing quality, the OEM is being incredibly shortsighted. The assumption would be that the contract manufacturer is responsible for ensuring full FDA compliance for the manufacturing operations and that the finished device meets the device’s required specifications.
Unfortunately, the FDA is not making this same assumption. In reality, the FDA expects that the spec developer will make sure the contract manufacturer is QSR/cGMP compliant.
In the past, the FDA required a contract service provider that manufactures a finished medical device to register with the FDA as a contract manufacturer. Once registered with the FDA, the agency would then have the contract manufacturer in its database and periodically schedule the firm for compliance audits. These audits used to be conducted for all registered medical device manufacturers—including contract manufacturers—once very two years.
Now, however, the FDA sets up its auditing schedule by using a risk-based auditing schedule, which relies more on the potential risk of a device. Surveillance audits can run between once every two years to once every five years at present.
The contract manufacturer’s customers (ie, spec developers) are not informed by the FDA when the agency has audited the company unless a major problem with compliance is found. In such a case, the FDA would notify the spec developer regarding the situation.
The spec developer is also open to an FDA audit. The FDA typically audits the QSR sections with which the spec developer would be expected to comply. These sections include (but are not be limited to) design control, change control, device master record and, if the spec developer was also the distributing the device, complaint handling, medical device reporting procedures and corrections and removal procedures. If the spec developer would also be installing the devices and handling the service and repairs, then the FDA would also evaluate additional procedures that the agency would expect the company to have established and implemented.
The FDA would also want to determine if the spec developer had conducted its own audit of the contract manufacturer. Please be aware that the results of the audit should remain confidential and do not have to be shown to the FDA, per QSR regulations 21CFR820.180(c).
Note: This section of 21CFR820 does not apply to the reports required by 820.22 quality audits, or supplier audit reports used to meet the requirements of 820.50(a) (“Evaluation of Suppliers, Contractors, and Consultants”), but it does apply to procedures established under these provisions. Under the request of a designated employee of the FDA, an employee in management with executive responsibility must certify in writing that the management reviews and quality audits required under this part, and supplier audits (where applicable), have been performed and documented, the dates on which they were performed and also any required corrective action that was taken.
Determining Each Party’s Role in Compliance
The FDA has recently changed its policy on contract manufacturers. The FDA is now only requiring contract manufacturers that manufacture the finished medical device and also distribute the device for the spec developer to be registered with the FDA. In other words, if you are a contract manufacturer that makes a finished medical device and you ship it back to the spec developer for distribution, the FDA no longer expects you to register with the FDA as a contract manufacturer. (Visit http://www.fda.gov/cdrh/registration/ whomust.html#2 to learn more about which domestic contract manufacturers must register with the FDA.)
With this change in registration requirements, the FDA is now putting more accountability on the spec developer to assure that its contract manufacturer is in compliance with QSR/cGMP regulations. Basically, the agency is expecting that the OEM will view the contract manufacturer as an extension of its own operations. The spec developer is expected to audit the contract manufacturer, and if QSR compliance problems arise, they will be addressed by the contract manufacturer and brought into compliance.
The spec developer has a lot more to lose in assuming that the contract manufacturer is in FDA compliance. For example, if a problem with a device develops that may cause an injury to the patient or user, and the spec developer had not conducted its own audit of the contract manufacturer’s facility, it would appear to the FDA (and others) that the OEM’s due diligence was minimal or not existing, thereby greatly increasing the OEM’s liability exposure.
In a recent inspection of one OEM by the FDA, the agency learned the name and location of the OEM’s contract manufacturer and additionally found out that the spec developer had visited its outsourcing partner during initial negotiations but—not familiar with FDA regulatory requirements—had not conducted an audit as part of the due diligence process. This contract manufacturer was ISO certified and was already supplying finished medical devices to other companies. However, the FDA had never audited this contract manufacturer—in fact, the contract manufacturer was not registered with the FDA.
The FDA decided to audit this contract manufacturer for QSR compliance. The audit resulted in the company receiving a very extensive 483 (the list of observations that the investigator finds during the inspection that are in violation with the QSR regulations). This 483 resulted in the company being issued a Warning Letter.
One lesson gleamed from this experience is that just because a company is ISO certified, there is no guarantee that it would be able to pass an FDA inspection. Though the FDA’s QSR and the ISO:13485 or ISO:9000/2003 are similar in wording, the ways in which the FDA and ISO conduct their audits are entirely different— often resulting in incredibly different outcomes.
It may not be so unusual—especially for a company’s first FDA audit—to receive a warning letter. What was more unusual in this case, however, was that the FDA also issued the spec developer a warning letter because its contract manufacturer was operating in violation of the QSR regulations, and the agency noted the OEM should have audited the supplier and asked for corrective actions.
This is the newest FDA policy. The agency now requires the spec developer to take responsibility for the compliance of its contract manufacturer. If the contract manufacturer is not in compliance and is not working to achieve the necessary compliance, the spec developer would be expected to find another source that is in compliance. If a spec developer continued to use a contract manufacturer that was not in compliance, the company would more or less be accepting this with the understanding that the devices being distributed were, in fact, adulterated.
If a medical device is manufactured while a company is not in QSR/cGMP compliance, the device would be considered adulterated even if it met all the required specifications. The fact that a company was manufacturing a device while it did not have a compliant quality system makes the devices being manufactured designated as adulterated, according to the FDA regulations.
Optimal Manufacturing Agreements
Specification developers looking for a contract manufacturer should be aware of this change in the FDA policy. The spec developer must increase its due diligence on how a contract manufacturer is selected. Under the most recent regulations, a contract manufacturer’s FDA compliance problem will now become a problem for its customers—the spec developers. Therefore, a spec developer can no longer take things for granted and assume it will be immune from the regulatory compliance problems of its contractor.
Depending on the spec developer’s level of experience in dealing with FDA issues (a full understanding of what would be necessary to ensure full FDA compliance), the OEM should stipulate the following areas of concern in a supplier agreement with the contract manufacturer:
1. The contract manufacturer should be registered with the FDA. (Note: In 2005, the FDA changed its rules regarding which types of contract manufacturers must be registered. Visit www.fda.gov for more information.)
2. A comprehensive quality system that is compliant with QSR/cGMPs is documented, and if there are intentions to sell to the European Union and Canada, the company is certified to the ISO:13485 and Canadian standards.
3. The contract manufacturer will notify the OEM of any past FDA regulatory actions, FDA 483 observations or Warning Letters that were issued, in addition to any pending or ongoing FDA investigations.
4. The OEM will be notified in writing if there are any changes in any of the device raw materials or specifications, prior to making these changes.
5. If a potential problem is found concerning the manufacturing process that may have affected the finished medical device(s), the OEM will be notified immediately.
6. The contract manufacturer ensures that it has an enforced insurance policy.
7. As part of its quality system compliance, the contract manufacturer must make sure that all automated processes have been validated.
8. The software in the operating systems of manufacturing equipment has been validated.
9. The OEM is allowed to audit the operations for QSR compliance.
10. The OEM is allowed to watch the manufacturing operations of its devices with unannounced visits.
Ensuring compliance up front will lead to fewer problems down the road for both parties.