Medical Device File Risks for Contract Manufacturer

[Renea Koski QAM]

I am reviewing my MDF for our product families. For reference, we are a Contract Manufacturer for surgical instruments and we do not label these products or sell to end users. Our ISO 13485:2016 excludes Design and sterilization.
In my MDF files I have a risk analysis section with a section associated to the risks to the patient and end user. My boss feels we should not list such risks since essentially we are not the "manufacturers" and we do not hold the 510K for these products. What are your thoughts? I am just trying to cover my bases and make sure I am including all associated risks but my boss thinks it could open a can of worms.

Also on this note. . . If there is an adverse incident involving an instrument we "manufacturer" and an MDR is reported to FDA from our customer, are we also supposed to file an MDR or have any involvement in that MDR? My boss says we have no liability since we are not considered the "manufacturer" and we do not hold the 510K for that product.

Any advice would be appreciated.

 

[yodon]

In my MDF files I have a risk analysis section with a section associated to the risks to the patient and end user.

How are you ensuring your risk analysis (harms, severity, etc.) is aligned with the legal manufacturer's risk approach? From what you said, I'm inclined to at least lean toward what your boss said.

That said, I think a CM absolutely has some participation in the risk management process, in particular, risks that can occur from manufacturing (generally a PFMEA). BUT, it should be a collaborative effort, not done just on your own.

If there is an adverse incident involving an instrument we "manufacturer" and an MDR is reported to FDA from our customer, are we also supposed to file an MDR or have any involvement in that MDR?

The legal manufacturer (ostensibly your client) is responsible for reporting. If you become aware of such an event, you are obligated to communicate that to your customer. I would separate 'liability' from 'reporting' since you may be liable if there can be proof of negligence in manufacturing.

There's a clause in the standard that says "If an investigation determines activities outside the organization contributed to the complaint, relevant information shall be exchanged between the organization and the external party involved." So there is an expectation that you would support them.

 

[Orca1]

As a contract manufacturer, you have certain responsibilities in the risk management process, even if you do not hold the 510k for the products or label them.

According to ISO 14971:2019, risk management is a complex subject and each stakeholder can place a different value on the acceptability of risks in relation to the anticipated benefits. The standard also states that risks can be related to injury, not only to the patient, but also to the user and other persons. Risks can also be related to damage to property (for example objects, data, other equipment) or the environment (ISO 14971-2019, 1 Scope. (2)).

As a contract manufacturer, you are a stakeholder in the risk management process. ISO 14971:2019, 4.4 Risk management plan, states that risk management activities shall be planned and the manufacturer shall establish and document a risk management plan in accordance with the risk management process. This plan includes activities for verification of the implementation and effectiveness of risk control measures and activities related to collection and review of relevant production and post-production information.

---

According to the FDA's Medical Device Reporting (MDR) regulation (21 CFR Part 803), manufacturers, importers, and user facilities have obligations to report certain types of adverse events to the FDA.

Manufacturers and Importers: Must submit MDRs when they become aware that one of their devices may have caused or contributed to a death or serious injury. They must also report when one of their devices has malfunctioned in a way that would likely cause or contribute to a death or serious injury if the malfunction were to recur.

User Facilities: Must submit MDRs when they become aware that a device used at the facility may have caused or contributed to a patient death or serious injury.

If your company is not considered the "manufacturer" under the FDA's definition, and you do not hold the 510k for the product, your company may not have the obligation to file an MDR. However, it's important to note that the FDA expects malfunctions, injuries, and deaths associated with device functions to be reported as adverse events under 21 CFR Part 803.