FAQ – Process validation at suppliers

After more than 20 years in medical devices, I still get many questions regarding process validation at suppliers for medical devices. I summarized some of them briefly below and added my personal view of an adequate answer.

?Q: Do processes at suppliers need to be validated?

A: Yes, ISO 13485:2016, clause 7.5.6, does not make a difference if processes are conducted internally or externally (“The organization shall validate any processes for production and service provision where the resulting output cannot be or is not verified by subsequent monitoring or measurement and, as a consequence, deficiencies become apparent only after the product is in use or the service has been delivered”).

?Q: Who is then responsible that validations at suppliers are conducted?

A: Finally, it is the manufacturer of the final finished medical device, i.e., the company placing the product on the market (sometimes called “legal” manufacturer). Responsibilities should be clearly specified between supplier and manufacturer, for example within a quality system agreement.

?Q: Is it sufficient that the supplier has the validation onsite available or does he need to hand-over the validation to the manufacturer?

A: He needs to hand-over the full process validation to the manufacturer. This is defined in EU 2017/745 (MDR), annex II, 3 (“[the TD includes] … complete information and specifications, including the manufacturing processes and their validation, their adjuvants, the continuous monitoring and the final product testing. Data shall be fully included in the technical documentation).

?Q: My supplier wants to protect his intellectual property. Is he allowed to hide information or make it illegible?

A: No, at least not in Germany. This is stated in a document from German authorities (Question 9 in the following: https://www.bundesgesundheitsministerium.de/fileadmin/Dateien/3_Downloads/N/NAKI/NAKI_02-05_FAQ-NAKI-UG-3.pdf (Blacking out or making parts of the technical documentation unrecognizable, e.g. affecting the intellectual property of the OEM, is not permitted).

?Q: But what would be a solution to protect his knowledge while still fulfilling the requirements?

A: There is a solution if you will dive a bit deeper: The validation is part of the technical documentation (TD) as per EU 2017/745 (MDR) annex II. This TD serves as evidence, that the general safety and performance requirements (GSPR) from annex I are fulfilled. Regarding process validation, the manufacturer must therefore verify that the supplier did validation and that the validation was done as per state-of-the-art, i.e., ISO 13485:2016 and/or GHTF guideline for process validation (GHTF/SG3/N99-10:2004). This includes verification that IQ, OQ and PQ was conducted including, for example, correct product acceptance criteria, correct materials, justified and sufficient statistical sampling plans, and the challenging of process limits. While product acceptance criteria, materials, and sampling plans are surely not a secret of the supplier but requirements of the manufacturer, the supplier may still want to protect his process limits. This actually means, that his validation package may document the limits in percentage (for example lower process limit 80%, upper limit 120% in OQ and nominal setting 100% in PQ) instead of the real settings in mm, sec or °C. Doing this, the manufacturer will find evidence that OQ and PQ were conducted as required and the supplier would not have to communicate the real value of process parameter!

Q: What if my supplier will just reject doing IQ, OQ, PQ?

A: Changing supplier is an option but usually the least possible. Once you understood the reason(s) beyond his rejection you may know the way out. Is it a lack of money, knowledge or time? If there is a lack of money, you’ll have to reconsider the pricing. If it is a lack of knowledge, you may be able to train him. Once he understood process validation, he may understand the real value behind IQ, OQ and PQ and he may even be able to use the new knowledge for other customers too (win-win).

If it is a lack of time, you may just decide to do his validation partially without him: An IQ at the supplier can be done by asking the supplier for information (take the phone and ask him about basic IQ elements like calibration, maintenance, software) and using the own templates to document “his” IQ. The PQ at a supplier is simple. PQ is nominal production, i.e., you may just test his first batches (initial runs) to show that he is able to produce product under anticipated conditions. For sure you must plan and document such PQ, but this is not an issue for you. The one thing remaining would be OQ. There, you must tell him to produce products at upper and lower settings. You will write the plan, he will produce, you will test (or he if you are not able to) and you will report the results. For sure not easy, but it should be possible to achieve such OQ with the suppler.

?Q: Is there any other option?

A: No, unless you or he will verify his products fully, i.e., 100%.

?If you are interested in training or more information…feel free to contact me anytime! Trainings are available including practical workshops via TüV SüD Akademie.