Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Guest
Hello,
Sadly, we cannot offer legal assistance or legal advice, because in California GDPR doesn't apply. We can help you though with guidance related to GDPR versus CCPA - please consult this article: https://advisera.com/articles/gdpr-vs-ccpa-what-are-the-main-differences/
Best regards,
Tudor
A Quality Agreement sets out the framework for a reliable, transparent, and well-controlled cooperation between the Manufacturer and the Subcontractor. Its purpose is to define responsibilities clearly, communication channels, documentation requirements, and quality expectations for all outsourced activities that may affect the medical device or any of its components. This is particularly important in the medical device field, where any outsourced part of the manufacturing process must be performed with the same level of quality, control, and regulatory compliance as if it were carried out by the original Manufacturer itself, in accordance with ISO 13485, Regulation (EU) 2017/745, and any other applicable requirements. Although certain activities may be subcontracted, the original Manufacturer remains fully responsible for the final medical device and for ensuring that it is safe, compliant, and consistently produced to the required standard, regardless of where a specific part of the process or product is performed. For this reason, the Quality Agreement plays an essential role in ensuring alignment between the parties, maintaining product quality, and building mutual trust and confidence throughout the cooperation. You can see a part of the Quality agreement on the following link: https://advisera.com/13485academy/documentation/quality-agreement-for-subcontractor/
Dear Giuseppe,
Thank you for your interest!
Unfortunately, we currently do not offer any courses or training in French. However, we have noted your interest for future updates.
If you need any further assistance or have questions about our products, feel free to schedule a meeting with our representative here: https://app.hubspot.com/meetings/marko5.
Stamping processes can definitely be aligned with ISO 13485, as long as they are clearly defined, properly controlled, and validated when needed as part of the quality management system. The main question is whether the outcome of the stamping process can be fully checked afterward. If the critical features cannot be completely confirmed through inspection or testing alone, then process validation is usually necessary.
In day-to-day practice, this means the stamping process should be supported by solid documentation. This would normally include procedures, work instructions, setup parameters, inspection criteria, training records, maintenance records, and production records. If validation is required, there should also be a validation protocol, predefined acceptance criteria, documented test results, and an approved final report.
Traceability is another important part of compliance. It should be possible to connect each batch or lot to the raw material used, the tooling, the machine, the operator, the inspection results, and the final release decision. This provides evidence that the stamped parts were produced under controlled conditions and met the required specifications.
Risk management should also be built into the process, not handled separately. Common risks in stamping include tool wear, dimensional variation, burrs, cracking, contamination, setup mistakes, and mix-ups between parts. These risks should be identified and controlled through practical measures such as defined process parameters, in-process checks, tool maintenance, segregation of nonconforming product, and proper change control.
When it comes to examples from industry, public information alone is usually not enough to confirm whether a company is truly operating in line with ISO 13485. In practice, compliance is shown through objective evidence within the quality system, not simply by the fact that stamping is being used.
In summary, if the only interaction with the supplier organisation is the provision of goods or services and the laboratory’s role is limited to verifying the supplier’s certificate or specifications, the main risk relates to the acceptance of those supplied items. In such cases, the laboratory should ensure that the review of supplier certificates, acceptance of supplied goods, and any related technical decisions are performed by competent personnel who are independent of the supplier organisation.
More broadly, the laboratory must still retain full technical independence for method selection, data interpretation, and the approval and reporting of results, and should not rely solely on the shared CTO when a supplier relationship exists.
You asked: 1. Is it acceptable under ISO/IEC 17025 for a laboratory CTO to simultaneously hold the CTO role in a critical supplier organisation?
ISO/IEC 17025 does not prohibit a person from holding senior roles in more than one related organisation. A CTO serving both the laboratory and a supplier organisation can therefore be acceptable. However, the laboratory must identify and manage the resulting risk to impartiality (section 4.1). In the scenario you describe, where the CTO is involved as the analyst reviewing the supplier’s certificate or specifications for supplied goods, accreditation bodies would expect the laboratory to ensure that the final acceptance of supplied items and related technical decisions are made independently of the supplier organisation.
You asked: 2. What risks to impartiality would an accreditation body likely expect us to identify and control in this situation?
The main risks relate to potential influence over the acceptance of supplied goods or services, including reliance on supplier certificates without independent review, preferential acceptance of the supplier’s products, or pressure to accept goods that do not fully meet requirements. There may also be perceived conflicts of interest if the same individual has responsibilities in both organisations. ISO/IEC 17025 requires laboratories to identify and control both actual and perceived risks to impartiality.
You asked: 3. What types of governance or structural controls would typically be expected to mitigate this arrangement?
Controls typically include documenting the supplier relationship as an impartiality risk; conflict of interest declarations; ensuring that the review of supplier certificates and the acceptance of supplied goods are carried out by competent personnel independent of the supplier; and maintaining laboratory authority over method selection, data interpretation, and approval and reporting of results. The supplier should also be evaluated independently through the laboratory’s normal process for control of externally provided products and services.
You asked: 4. Are there examples of acceptable structures where a laboratory shares senior technical leadership with a supplier or related organisation?
Yes. Similar arrangements occur where laboratories operate within engineering or technical organisations that also supply products or services used by the laboratory. Accreditation bodies generally accept these structures provided the laboratory demonstrates that decisions affecting the acceptance of supplied items, testing activities, and reporting of results are independent from the supplier’s commercial interests and appropriately controlled through the laboratory’s impartiality and supplier management processes.
Lastly, you asked:
Any guidance on how accreditation bodies typically view this structure would be greatly appreciated."
Accreditation bodies generally do not prohibit shared roles between related organisations, but they will expect the laboratory to clearly identify the relationship as a potential impartiality risk and demonstrate that appropriate controls are in place. Their primary concern is that the laboratory retains independent authority over technical decisions and the acceptance of supplied goods or services.
Where a shared CTO is involved, they will normally look for evidence that the review of supplier certificates, acceptance of supplied items, and the approval and reporting of laboratory results are performed by competent personnel who are independent of the supplier organisation. If these controls are clearly defined and implemented, such structures are commonly accepted during accreditation assessments.
For distributors, reporting on shipment performance is logical.
For manufacturers/suppliers, you can prepare a quality ppm report.
These two scorecards can be prepared for supplier evaluations.
If the external laboratory is already accredited for ISO 17025, there is no need for further formalization on your organization's end.
The main difference is that ISO/IEC 27701:2025 is a stand-alone standard, whereas the 2019 version was an extension of ISO/IEC 27001. This means organizations can now be certified for their Privacy Information Management System (PIMS) without requiring an existing ISO/IEC 27001 certification.