When processes leave the company – maintaining transparency
In the medical device industry, outsourcing processes has long been the standard practice. Manufacturers need to focus on their core competencies while ensuring that all externally sourced activities meet the same high quality and compliance requirements as internal processes. EN ISO 13485:2021 provides a framework for this as well.
Processes in the life cycle of a medical device that are not performed by the company itself, but instead carried out by an external service provider or another organisation on behalf of the manufacturer, are also relevant outsourced processes with regard to product quality and/or compliance with regulatory requirements.
However, not every external service provider automatically means an outsourced process. A process is outsourced if its result directly or indirectly influences the quality of the product or the fulfilment of regulatory requirements.
As a manufacturer, you are obligated to control and document outsourced processes just as rigorously as internal operations – because, as a manufacturer, you bear full responsibility for the quality and conformity of your medical devices at all times.
In this article, we show you which classic and critical processes are typically outsourced, how they can be positioned in the value chain, and what manufacturers must consider throughout the entire product lifecycle.
Positioning of outsourced processes in EN ISO 13485
ISO 13485 defines outsourced processes as activities that a manufacturer requires to meet regulatory and customer requirements, but which are not performed in- house and are instead carried out by an external provider. The standard obliges manufacturers to control these processes in the same way as internal processes. Responsibility always remains with the manufacturer.
In EN ISO 13485:2021, section 4.1.5 describes the manufacturer’s responsibility in relation to outsourced processes and sets out a key requirement for the quality management system. When a manufacturer transfers processes to external organisations that influence product conformity or the fulfillment of regulatory compliance, the responsibility for their effectiveness and compliance remains entirely with the manufacturer. Outsourcing therefore does not relieve the manufacturer of the obligation to ensure that the relevant processes in question are at all times subject to appropriate control.
To ensure this control, both EN ISO 13485 and the MDR require the manufacturer to establish appropriate measures and objective evidence to control outsourced processes. These include, for example, contractual agreements that clearly define responsibilities and quality requirements (EN ISO 13485:2021, Section 4.1.5; MDR Art. 10(9) and Annex IX, Chapter I).
Furthermore, a systematic approach to the qualification, selection, evaluation and monitoring of suppliers and service providers is necessary to ensure that they are permanently able to meet the specified requirements (ISO 13485:2021, Sections 7.4.1 and 7.4.3; MDR Art. 10 (9)).
As key instruments for monitoring outsourced processes, the standard refers, among other things, to audits, regular performance reviews, as well as technical acceptance activities and inspection/testing of the delivered products or services (ISO 13485:2021, Sections 7.4.3 and 8.4). The MDR complements these requirements by obligating manufacturers to integrate outsourced activities into the quality management system, post-market surveillance and, where applicable, vigilance processes, so that compliance with safety and performance requirements is ensured throughout the entire product lifecycle (MDR Art. 10(9), Art. 83–86).
The nature and extent of these controls must be risk-based, i.e., proportionate to the risk associated with the respective outsourced process. Processes with a significant impact on product quality or patient safety require more intensive monitoring than low-risk activities.
Classic examples of outsourced processes
Depending on their business model, manufacturers can outsource parts or even the entire value chain. This ranges from outsourcing individual manufacturing steps to comprehensive end-to-end services.
Engaging external partners creates additional interfaces that require clearly defined responsibilities, documented requirements and effective supplier monitoring. At the same time, outsourcing can provide access to specialised expertise, scalability and efficiency gains; however, it also introduces increased regulatory requirements and risks that must be managed carefully.
Manufacturers typically outsource selected processes to leverage specialised expertise or to reduce the burden on internal resources. The examples below illustrate the types of processes that are most frequently outsourced.
Development (partially outsourced)
The development of medical devices is frequently outsourced because it may require highly specialised expertise and advanced technologies that not every manufacturer can maintain in-house. External development service providers often bring many years of experience, established processes and multidisciplinary teams, which can make product development more efficient and innovative. In addition, outsourcing enables flexible scaling of resources – particularly during early- stage development or in especially complex development phases. Finally, outsourcing specific sub-areas is particularly relevant whenever a dedicated qualification or expertise is required that cannot be provided internally (e.g. clinical or biological evaluations).
Traditional manufacturing
Traditional manufacturing to the manufacturer’s own specifications is also frequently outsourced by using specialised contract manufacturers to gain scalability and cost advantages. Responsibility for the specifications remains with the manufacturer, while the operational manufacturing may be fully performed by supplier, which makes structured control approach essential.
To ensure product quality, measures such as supplier qualification, regular audits, process capability analyses and strictly regulated acceptance testing are advisable. In addition, clear quality agreements (QSV/QAA) and a risk-based supplier monitoring plan support consistent control. This helps ensure that the contract manufacturer produces in compliance and that the medical device meets all applicable regulatory requirements.
Assembly or sub-processes
Assembly – and in some cases individual sub-processes – is often outsourced because specialised manufacturing steps can be performed efficiently and with a high level of technical expertise. These include, for example, precise welding processes such as laser or ultrasonic welding, which require special machine expertise and clear process parameters.
Clean room processes are also frequently performed out externally when sensitive components must be manufactured or assembled under controlled environmental conditions. Printing and labelling processes likewise belong to typical outsourced activities, as they often rely on specialised equipment and quality assurance technologies.
For these types of processes, specific validation requirements usually apply – the manufacturer remains responsible for ensuring compliance and must implement appropriate controls such as process approvals, supplier audits and continuous monitoring of process performance.
Critical outsourced processes with enhanced requirements
Certain activities are considered particularly critical because they have a significant impact on the safety of the medical device.
Sterilisation
Outsourced sterilisation processes are among the most strictly regulated areas within medical device manufacturing as they directly affect the safety and effectiveness of the product.
Whether ethylene oxide sterilisation, gamma irradiation or steam sterilisation – manufacturers must ensure that each process is fully validated and compliant with applicable standards. This includes extensive microbiological controls that must regularly demonstrate that the required sterility is reliably achieved.
In addition, continuous requalification of the processes is necessary to appropriately address changes in materials, batches or equipment. Robust supplier management with clearly defined responsibilities and documented objective evidence is essential to ensure ongoing compliance with regulatory requirements.
Laboratory tests
Many manufacturers outsource laboratory testing to external service providers in order to use specialist expertise and capacity efficiently. Typical outsourced activities include, for example, biocompatibility testing, microbiological testing, chemical analysis and material testing.
It is essential that the selected laboratories are qualified and, ideally, accredited to ISO/IEC 17025. ISO/ IEC17025 specifies requirements for competence, quality assurance and testing procedures to ensure reliable results.
If formal accreditation is not available, appropriate evidence of technical competence should at least be provided. Careful selection and regular review of laboratories helps ensure the quality of outsourced testing and minimises risks for manufacturers and end users.
Testing & measurement
Manufacturers are increasingly outsourcing testing and measurement activities to specialised external service providers, primarily to leverage technical expertise. Particularly critical outsourced activities include EMC testing, electrical safety according to IEC 60601, software penetration testing and transport validation.
For such tests, it is essential that the laboratories or testing service providers have verifiable qualifications and comply with appropriate standards. Accreditations, standard compliance and regular evidence of competence ensure reliable results.
Possible outsourced processes throughout the entire product life cycle
Outsourcing is not limited to development and manufacturing; it can extend across the entire product lifecycle. In after-sales and service, it is common to outsource maintenance, repairs and calibration services to external providers. These service providers must also be fully integrated into the manufacturer’s quality management system.
Regulatory Affairs are also often outsourced – at least in part: External experts may assess new regulatory requirements, prepare global regulatory submission dossiers, and liaise with authorities. According to ISO 13485, such activities are likewise considered outsourced processes and are subject to corresponding control requirements.
In distribution and logistics, outsourced centers may take over storage, temperature monitoring, packaging and shipping operations. In these cases, the manufacturer must ensure traceability, complete documentation and control of transport conditions.
Supplier management
Figure1 Supplier management for outsourced processes
Supplier management is a key component in ensuring product quality, especially when processes or components are outsourced. ISO 13485 requires manufacturers to assess, qualify and monitor their suppliers on a risk basis, particularly when critical or safety-related components are involved.
Section 7.4 of ISO 13485 describes the requirements for structured and risk-based supplier management. Manufacturers must evaluate, select, monitor and periodically re-evaluate suppliers to ensure that purchased products and services meet defined requirements. In addition, the section requires clear and complete procurement information, as well as appropriate methods for verifying purchased products.
For outsourced processes, the service provider is considered a supplier and must be assessed in advance with regard to its impact on product safety and categorised as a critical or non-critical supplier. Critical suppliers require formal qualification, often including audits, process assessments, and a review of data integrity.
For safety-related components, risk management additionally requires an assessment of possible failure modes and the implementation of appropriate controls across the supply chain. Contractual agreements must clearly define quality requirements, traceability, reporting channels and obligations in the event of changes. Key performance indicators, regular reviews and continuous monitoring can ensure that even critical suppliers deliver consistently reliable results.
Conclusion: Targeted control of outsourced processes
Outsourced processes offer significant advantages – flexibility, cost efficiency and access to specialised expertise. However, regulatory responsibility always remains with the manufacturer.
The key success factors are:
- Clear specifications
- Systematic supplier qualification
- Contract management including quality agreements
- Risk assessment of outsourced activities
- Regular monitoring and audits
- Complete documentation in accordance with ISO 13485
By integrating these components into your QMS, manufacturers establish a robust system that ensures quality and compliance across the entire value chain – even when key processes are performed externally.
We would be happy to support you in implementing and maintaining effective supplier management system.
Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only.
