I was wondering if anyone would know how extensive risk management would be for my company. We are an electronic conctract manufacturing company without design.

To our understanding we would have to just apply risk management to our processes during the product realization stages.

We're not quite sure where to start. Some people with previous experience with the automotive industry and is suggesting to apply some of the risk management strategies they used there, which seems too extensive to us. :bonk:

Any suggestions? :confused:

-Candace

To our understanding we would have to just apply risk management to our processes during the product realization stages. I would think so, but this isn't my forte. Hopefully one of the others can help.

I have seen several contract manufacturers use the PFMEA to address risk management.

There´s some discussion on this thread: ISO 14971 Risk Management questions and comments (http://elsmar.com/Forums/showthread.php?t=33028)

Maybe I'll be smacked with some info I've missed, but I've actually read through these discussions. They're not exactly clear cut to me for contract manufacturers. This is why I've decided to make my own post specifically for my type of company.

Under the MDD, you as a contract manufacturer have no regulatory responsibility for risk management. This governs your activity for devices manufactured and sold within the EU, or sold in much of the rest of the world.

(If you have an ISO 13485 certificate and make medical devices, you should have the MDD on hand, and be familiar with it...)

Your agreement with your customer, however, may include certain contractural obligations. What you and your customer agree to is your business.

If your products are actually being made within FDA jurisdiction, or sold into the US market, the FDA might apply a slightly more rigorous standard whereby they would expect you to share in risk responsibility in regard to certain issues if you also have Manufacturer activity and therefore "should know better", or if the processes you perform have special expectations in regard to validation. Sterilization is such an FDA-highly-regulated contract manufacturing activity. So is sterile-barrier packaging.

Maybe I'll be smacked with some info I've missed, but I've actually read through these discussions. They're not exactly clear cut to me for contract manufacturers.

The main point of these discussions are....medical devices have to be safe during their entire lifecycle. This can only be accomplished using risk management. If you´re the manufacturer, you have to guarantee that all the activities related to the device are risk-safe, this incluedes suppliers, contracts of services, whatever..this might be done in a variety of ways, for example using the ifnromation from the supplier, service provider, etc as an input for risk management, or, for another example, requiring that they have a risk management system in place (this is the "system parity" trend). If you´re not the manufacturer, then you should ask the manufacturer what he requires, which might be(in the right case in my opinion) just what i said above.

I was wondering if anyone would know how extensive risk management would be for my company. We are an electronic conctract manufacturing company without design.

To our understanding we would have to just apply risk management to our processes during the product realization stages.

We're not quite sure where to start. Some people with previous experience with the automotive industry and is suggesting to apply some of the risk management strategies they used there, which seems too extensive to us. :bonk:

Any suggestions? :confused:

-Candace
We are in a similar situation and we have done quite a good job on this and continue on the lines of ISO 14971. Some of the steps that has given us directions are :
1. Share with customer the complete product realization flowchart and seek his inputs from the risk management angle.
2. Request, acquire, study and understand the product performance and all possible risks from the design owners and apply this learning to the risk management process.
3. Visit the risk management document each time an ECN is issued from customer and this activity has been documented in the risk management procedure.
4. Extend the controls identifed in the risk management to any outsourced processes if necessary.
Hope this gives you some leads ....

The "Manufacturer" that puts the product on the market is responsible for risk management which includes the manufacturing process risks. So the manaufacturer should perform the pFMEA within it design process.

That mean that as a contract manufacturer you can not change the manufacturing process, without approval of the "manufacturer" as by changing the process you may induce change the process risks. Risk assessment should be part of every change to the manufacturing process. Contract manufacturers should be very much aware of this.

The quality performance of your manufacturing process should also be fed back into the pFMEA, as during the design process the engineers can only guess what the risks and the actual frequency of non-conformances will be.

In short: manufacturers and contract manaufacturers should work closely together in managing the production process risks.

If you are certified to ISO 13485, then section 7.1 of the standard applies. "The organization shall establish documented requirements for risk management throughout product realization. Records arising from risk management shall be maintained." This means that an auditor could expect you to provide risk management records for your company's involvement in the product realization process (i.e. production risks). This is most often demonstrated thru a processFMEA. It is unlikely that your clients will be able to meet this requirement without the involvement of the contract manufacturer as they are unlikely to be famillar with the risks inherent to your company's manufacturing processes. In otherwords, if they were experts on manufacturing the product, they wouldn't need a contract manufacturer.

If you are certified to ISO 13485, then section 7.1 of the standard applies. "The organization shall establish documented requirements for risk management throughout product realization. Records arising from risk management shall be maintained." This means that an auditor could expect you to provide risk management records for your company's involvement in the product realization process (i.e. production risks). (...)

Yes, but QualitySysISOAdmin's company's risk is in regard to their product...which, at the point when they deliver it as a contract manufacturer, is not yet a medical device. It becomes a medical device when its marketer/design-owner brings it to market, per MDD Article I Section 2(f).

A contract manufacturer's risk extends only to whether the object they make meets its explicit specs. They are not responsible for the product as a medical device, in regard to its clinical interaction with the patient and the medical risks arising therefrom. They do not have the knowledge basis for that responsibility, which in any case belongs to the product's marketer/design-owner.

Sorry, I don't see it this way. ISO 13485 7.1 and ISO 14971 are quite clear on the subject. Risk management must involve the entire product realization process and product life-cycle. You are correct that the contract manufacturer will not be able to assess the clinical risks. In most cases the designer of the device will not be able to assess the production risks as they are not the ones producing the device. The risk management file does not have to be a single physical file. It can be made of several parts. Very often auditors will expect contract manufacturers to demonstrate how they have assessed the risks that their production processes will not meet specification. I would not expect them to have the complete risk management file, they should have a portion pertaining to the production risks. Of course, the legal manufacturer must be able to assemble the complete risk management file in a timely fashion. Just because the contract manufacturer does not complete the device, does not obviate them from risk management. This is why risk management appears in 7.1 of the standard, not 7.3

Interesting posts in this thread....

In a recent ISO 13485 surveillance audit, there was a finding against my company for not having implemented risk analysis throughout product realization (aka no manufacturing risk analysis was ever performed). My company is a contract manufacturer and is not "The Manufacturer" for any medical device.

"The Manufacturers" have never provided any manufacturing risk data. I doubt that they ever would because, as posted earlier, they are not totally aware of the steps needed to manufacture the product. I agree that "The Manufacturer" is ultimately responsible for risk management of the product. However, it looks like I need to implement a risk management system for the manufacturing process.

The main objective of performing risk managment in the manufacturing process is that the manufacturing process does not add additional hazardous situations/risks, and do not modify already controlled risks, to the product.

This simple phrase is a great rationale for any discussions on the subject.

Just using the last cited post as an example:

However, it looks like I need to implement a risk management system for the manufacturing process.

Yeah, you´re right :-)

I'm also having expectations that actually sitting down to determine possible risks BEFORE the product is manufactured just might eliminate some (or many?) of those last minute assembly problems that always show up. Just trying to steer the ship away from a reactive mode and towards a preventive mode.

Hey, this might actually be beneficial!! Just don't tell my mangement -- it might burst their bubble. :lol:

I'm also having expectations that actually sitting down to determine possible risks BEFORE the product is manufactured just might eliminate some (or many?) of those last minute assembly problems that always show up. Just trying to steer the ship away from a reactive mode and towards a preventive mode.

Yes, performing risk management before the production launches will surely help mitigate those risks.

But please keep in mind that the best way to minimize manufacturing problems is to make a good design transfer with a tem composed at least of the designers, manufacturing people and quality and risk managers. What usually happens is that they do not talk to each other and when you see it, you design a product that you cannot manufacture :-)

One of the weaknesses of the Euro approach to device regulation is that they do an even less coherent job than the FDA of clearly defining who's responsible for what in the private-label-distributor/marketer/Manufacturer/contract manufacturer space.

Another weakness in my opinion...some might see it favorably...is the less-commonly-brought-into-play mechanism for the regulatory overseers of RCW's customer to be made aware that their overseen company (who utilizes RCW as a contract manufacturer) isn't adequately handling their responsibilities to provide RCW with the information they need at transfer, and to supervise RCW, and therefore is marketing products that shouldn't even be marketable.

Often the FDA, upon finding poor controls at a Manufacturer, will show up at their contract manufacturer soon thereafter...or vice versa. Of course, the FDA's weakness is that they can only accomplish .0001% of the work their system should require.