[ARTICLE] Control of outsourced Design & Development activities

MedTech companies producing medical devices, while remaining the legal manufacturer from a regulatory standpoint, traditionally outsource the production of their medical devices to contract manufacturers. It is now also becoming increasingly common to see legal manufacturers outsource significant parts of their design and development (D&D) activities, in particular those related to the development of software and electronics. Similarly to a subcontracted manufacturer, it is essential for the legal manufacturer to ensure a suitable level of control over the entity the outsourced development has been entrusted with, hereafter referred to as the “contract designer”.
This article aims to present the different possible approaches that may be applied and the associated risks incurred, as well as at presenting Medidee’s recommendations for MedTech companies considering to outsource Design & Development activities (D&D).

The different type of schemes for subcontracting Design & Development activities

We have observed different types of schemes for subcontracting Design & Development activities, ranging from “high-end contract design and development with a reputable ISO 13485-certified contractor” to “my engineer has a friend handling the software design in his spare time”.
The downside to the first scenario is of course the associated costs. The clear risk with the second extreme scheme is that although such an option may initially appear attractive from a financial standpoint, the probability that the contract designers performs the Design & Development activities following a process that does not fulfill the expected quality requirements (ISO 13485, and other applicable standards such as ISO 62304) is very high.
In this case, the D&D process would have to be reviewed – or in the worst-case scenario entirely restarted with an alternative, more reliable contract designer – implying additional costs that could add up to well more than what was saved in the first place, in addition to potentially incurring considerable delays.
Thus, opting for an initially cheaper solution may easily result in “real” costs well above what would have been the case if a known, trustworthy contract designer would have been chosen.
We also observe that when design activities are contracted to a high-end certified company, the probability of compliance is also sometimes challenged because of a lack of clarity from the legal manufacturer on what he actually expects, especially in terms of risk management.
The MDR requires legal manufacturers of medical devices other than investigational devices to integrate amongst others the D&D of the device within a quality management system (QMS) (MDR Article 10(9)(g). The IVDR contains a near identical requirement for legal manufactures of IVD devices other than devices for performance evaluation (IVDR Article 10(8)(g)).
ISO 13485:2016, the reference standard for medical device QMS, states in clause 4.1.5:
When the organization chooses to outsource any process that affects product conformity to requirements, it shall monitor and ensure control over such processes. The organization shall retain responsibility of conformity to this International Standard and to customer and applicable regulatory requirements for outsourced processes. The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with 7.4 (i.e. Purchasing process). The controls shall include written quality agreements.
The process of D&D is by essence a process that affects product conformity, and thus legal manufacturers outsourcing development activities should view contract designers as critical service providers on which a risk-proportionate level of control must be ensured. This implies a risk analysis and risk management activities in relation to the outsourcing of design activities.


It is essential that a robust quality agreement be established between the two parties

Importantly, the legal manufacturer remains responsible in case of non-conformities with applicable standards and regulatory requirements. As a consequence, it is essential that a robust quality agreement be established between the two parties. Depending on the external party’s perceived ability to meet applicable requirements, additional controls may be necessary.
It therefore essential to properly qualify the contract designer as a critical service provider as per section 7.4 of ISO 13485. The maturity of both the legal manufacturer’s and the contract designer’s QMS is a key consideration in these processes.
The main schemes for establishing a quality agreement are either that the legal manufacturer accepts some specific provisions of the QMS of the contract designer; or that the legal manufacturer’s QMS is extended to the contract designer. It can also go both ways, with certain Design & Development activities addressed by the contract designer’s QMS, and others by that of the legal manufacturer.
In any event, a thorough and robust quality planning should be performed. Where the contract designer is responsible for establishing the design and development and/or the verification and validation plans, these must be approved by the legal manufacturer. The dispositions for design review and the authorities therein should also be made clear from the beginning.
Furthermore, it is important to clearly define which of the legal manufacturer’s or contract designer’s procedures will be used for each specific design and/or development process.
For instance, it could be agreed that the design verification activities will be performed according to the contract designer’s SOP for design control, whereas the design validation activities are to be performed as per the legal manufacturer’s SOP. Such an approach may require an in-depth integrative analysis of the two QMS’s to ensure compatibility of the processes.
The legal manufacturer’s risk management activities must account for the risks incurred by the outsourcing of Design & Development activities and the control measures implemented to mitigate them. These will be heavily influenced by the degree of maturity of the contract designer’s QMS. Indeed, a legal manufacturer with a mature and approved QMS may lean more on its own QMS if a contract designer were to present an immature QMS, and vice-versa. A situation where both actors present young, immature QMS’s should in all cases certainly be avoided.
The quality agreement between the two parties should therefore provide a detailed description of the arrangements, responsibilities, and authorities listed above. It shall moreover account for the control measures determined to be necessary to ensure the subcontracted D&D activities are performed as per the requirements.
It shall be noted that MDR holds provisions for the inspection of the premises of subcontractors by competent authorities in the context of their market surveillance activities(MDR Article 93(3)(b)). Furthermore, for medical devices for which the assessment of conformity requires the involvement of a Notified Body, the Notified Body may proceed, where applicable, to audit the contract designer during the conformity assessment procedure (MDR Article Annex IX(2.3) or during periodic surveillance audits (MDR Article (3.3); (3.4)).

Legal manufacturers should carefully consider the levels of controls that will be necessary and their implications in terms of costs in time and money – i.e. the “real” costs – before selecting a partner who will be entrusted with the Design & Development activities of their device

Medidee’s recommendation is that legal manufacturers should carefully consider the levels of controls that will be necessary and their implications in terms of costs in time and money – i.e. the “real” costs – before selecting a partner who will be entrusted with the D&D activities of their device. We would also strongly advise legal manufacturers against carrying out their first MedTech development with a novice contract designer.
Still, it is to be noted that a small contract designer may also decide in good faith to invest the actual effort to upgrade its practices, to train its personal and obtain an ISO 13485 certification. Simply, this type of decision belongs to major strategic moves and cannot be half implemented. Should a small contract designer decide to go this way, he/she should do it completely and correctly plan the future cost that this move will induce.
Are you a legal manufacturer seeking to outsource part or all of your design and development activities? Medidee will assist you in identifying and qualifying an appropriate partner for this process, in setting up the quality planning to ensure the requirements of ISO 13485 and the MDR are met, and in the establishing a robust quality agreement suitable to your specific needs.
We also help contract designers to build and implement a plan towards the new market of MedTech.
Contact us now !
This article was written by Dr Jérôme Randall.