Risk Management for Small Contract Manufacturers

[ckusnierek]

Hi, I have been lurking for a few years and have to say the information within this forum has been a great resource.

I made a mistake and in my initial QM. I exempted my company from Risk Management. Being a contract manufacture I thought that risk assessment and management was solely the responsibility if the customer.

Well my auditor was happy enough to point out that the standard says "SHALL" and I must perform risk management.

Well where do I start? and how do I implement it? All the information and resources I can find refer to design risk management and long term safety etc...

We are a small shop and I want to make this as simple as possible.
I suppose I could create a checklist, list all a products process and possible failure points.

What I mean is from a manufacturing side would risk be defined as any process or operation failure that could cause the product to not meet customer specifications?

If so, am I not already doing that thru monitoring and measurement of process & products?

And if I were to assign a risk level would they not all be "sever" since any missed operation would cause the product to not meet requirements?

I'm am just really struggling with how to effectively implement this requirement. If any one could point me in the right direction it would be greatly appreciated.

-Chris

[arios]

First of all, I am glad to be in touch with someone from Indiana. That's a pretty place. (I love Goshen)

It looks like you are talking about a medical device related product under ISO 13485. It would be good for you to acquire the ISO 14971 standard which explains the process in detail, but will try to make a brief summary of what you need:

1. Create a SOP for risk management
2. In your SOP make reference to what is known as risk management file. A risk management file can exist or be crated for a product family.
3. In your risk management file you can include the risk management plan (which defines criteria for acceptability), a "checklist" with the 34 or so questions that points out the ISO 14971 standard (annex C if I remember well) which is used to analize the intended use of the device and its relationship to other factors like materials used, environment with which the device is exposed, etc.
4. Your risk analysis tool which can be on the form of an FMEA. Since you are a contract manufacturer, the life cycle of the product can be limited to manufacturing and you can consider the risk that your process can leave traces of manufacturing materials (e.g. burrs, grease, etc). I would consider your customer responsible for design, final disposal and other aspects outside your scope.

Now, it is possible that your customer has already done the risk assessment for your operations or part of them. If he has, you may not need to reinvent the wheel and use what has been created already and make reference to that in your SOP.

Here is Elsmar I have seen very nice examples of the templates that form a risk management file. I hope some body can locate them for us.

Greetings from this side of the border!
Alberto

[ckusnierek]

Thanks so much Alberto!

So I can group part families? IE Taps, Drills Reamers etc...???

That would make it much easier for me considering the risk management files seems to sound lengthy.

We are a "niche" manufacture specializing in Tap, drills, reamers and K-wires.

[arios]

I would group by families if they are intended for a similar application and produced by the same process, and include notes as necessary on the file if an exception deserves further consideration or explanation, e.g. if one needs a different heat treatment from another one.

[ckusnierek]

Quote:

In Reply to Parent Post by arios

I would group by families if they are intended for a similar application, and include notes as necessary on the file if an exception deserves further consideration.

Well in our case a family consists of essentially every instrument to perform a specific surgery. From K-wire to drill to tap to screw/implant.

All totally different parts

[yodon]

Um, I'd like to maybe look at this from a different angle. As you say, you are a contract manufacturer. Thus, you build what your customer says to build. Your customer is, indeed, responsible for the risk management of the PRODUCT (medical device). Your responsibilities are in product realization. So exactly what SHALL did they cite that is your responsibility? You may not have any clue as to the harm the device could do to a patient / user / operator. Note that 14971 states very clearly:

The requirements contained in this International Standard provide manufacturers with a framework within which experience, insight and judgment are applied systematically to manage the risks associated with the use of medical devices.

So Risk Management has to address how a patient can be harmed. Does the manufacturing process have a role in risk management? Sure. Typically what we've seen / done is to have a process FMEA for the manufacturing process FOR THAT PRODUCT to determine, as others have said, how the process could contribute to a failure to meet requirements. But this then has to be tied back to how that failed requirement can harm a patient. I don't see that you would necessarily have the information to do that.

The only 'shall' in 13485 I know of for risk management is:

The organization shall establish documented requirements for risk management throughout product realization. Records arising from risk management shall be maintained (see 4.2.4)

I don't see how you, as contract manufacturer, would be responsible for this! I know you will need to participate. You're right, you can't assess the risk severity or probability. I think there's some misunderstanding / miscommunication going on.

[MIREGMGR]

Quote:

In Reply to Parent Post by yodon

The requirements contained in this International Standard provide manufacturers with a framework within which experience, insight and judgment are applied systematically to manage the risks associated with the use of medical devices.

My bold added above.

EN ISO 14971:2007 defines "manufacturer" in 2.8 as a "natural or legal person with responsibility for the design, manufacture, packaging, or labelling of a medical device, assembling a system, or adapting a medical device before it is placed on the market or put into service, regardless of whether those operations are carried out by that person or on that persons' behalf by a third party."

My bold added above.

As a contract manufacturer, you are that third party. Risk management is the fundamental responsibility of the manufacturer...your customer...and not you.

(100% agreement with Yodon.)

***

Have you discussed with your customer if they already have a comprehensive risk analysis? You might find that they've already performed an analysis that includes your operations...in which case you might be able to improve their risk file by reviewing the production-related aspects and suggesting improvements.

I certainly agree with Arios regarding the desirability of family analysis when large numbers of somewhat related products are involved.

[ckusnierek]

Our auditor was very vague in explaining this to me. I argued that as a contract manufacture we may have a knowledgeable guess as to the how the device is to be used but we cannot determine risks based on speculation.

He argued back that we could simply perform risk assessment on the corporate level meaning will we incur liabilities? Do you have the capitol/resources to meet customer requirements? I thought this was asinine but being our auditor I kept my mouth shut.