Risk Assessment and Risk Management for Contract Manufacturer

T

TNHunter

I have a disagreeent in house as to whether or not risk assessment must be done on product we manufacture.

We are a contract manufactuerer, we do no design. My engineering manager insists that risk mangement does not apply to us, since we do not design the product. My standing is that 7.1 Product Realization risk management isrquired "throughout product realization". to include the manufacturing of product and not only design functions.

Your thoughts please.:thanks:
 
M

MIREGMGR

Re: Risk managment for contract manufacturer

Risk management definitely applies to both the product design phase and the manufacturing phase, and to product use and the post-marketing phase in general as well.

However, you as a contract manufacturer are not directly responsible for any of the above. That would be true even if you performed product design as an element of your contracted deliverables.

Rather, your customer is responsible for all aspects of risk management. They of course might choose to include performance by you of elements of the risk management task in the contract, and you might agree to that. The contractural creation of such responsibilities to your customer, though, does not make you regulatorily responsible. That responsibility remains with your customer, irrespective of what they hire their vendors to do for them.
 

somashekar

Leader
Admin
Re: Risk managment for contract manufacturer

I have a disagreeent in house as to whether or not risk assessment must be done on product we manufacture.

We are a contract manufactuerer, we do no design. My engineering manager insists that risk mangement does not apply to us, since we do not design the product. My standing is that 7.1 Product Realization risk management isrquired "throughout product realization". to include the manufacturing of product and not only design functions.

Your thoughts please.:thanks:
You have a requirement to meet here being the contract manufacturer and being certified to ISO 13485 on your own merit, the process based risk management should be your domine and you as a contract manufacturer and having a good QMS per the ISO 13485 must be able to acquire the design risk management file (RMF) from your customer who owns the design. Many controls within the design RMF would be directed to manufacturing methods, checks, validations and such other aspects that will have direct bearing upon your domine. Taking inputs from these and from your manufacturing expertice it is your further documenting the RMF covering the manufacturing phase and such other phase through which you have your role. It is one of the vital live controlled document within your product realization activities ...
 

Marcelo

Inactive Registered Visitor
Re: Risk managment for contract manufacturer

Medical device risk management has to be performed thru the product lifecycle so the device remains with an acceptable risk all the time. In the case of manufacturing, a manufacturing process risk management is needed to guarantee that the manufacturing process will not introduce new risks or modify estimated risks or the implemented risks controls in the device. As pointed out by MIREGMGR, the medical device risk management process is the responsibility of the "manufacturer". As a contract manufacturer, this would mean that your client would have to perform the risk management, but could also require that you perform your part, or any other arrangement that still guarantee that the risk management process is performed for the whole lifecycle.
 
M

MIREGMGR

Re: Risk managment for contract manufacturer

My assumption was that the circumstances were consistent with scenario "B" of http :// www .zlg.nrw.de/download/ab/309_0607_B16EN.pdf - OBSOLETE BROKEN 404 LINK(s) UNLINKED - PLEASE HELP - REPORT POSTS WITH BROKEN LINKS

which is a relatively good discussion of the usually accepted interpretation of MDD and 13485 requirements regarding private label manufacturing and OEM manufacturing as those terms are usually defined within the EC.

My understanding is that in scenarios "B" and "C", at least, the OEM manufacturer does not have primary regulatory responsibility to the appropriate authorities for risk management in regard to either design or realization. As noted, of course, the OEM manufacturer may have contractural responsibility to their customer for specified risk management activities and participation.

The FDA's definition of contract manufacturing differs considerably, and generally the FDA assigns even less responsibility to contract manufacturers. However, by relatively recent precedent, contract manufacturers within FDA jurisdiction may be regarded as having substantial responsibility for risk management, potentially extending to elements of design and post market activities, if the contract manufacturer should have known that the product marketer was not competent to take on the responsibilities in question. As far as I know, no legal equivalent to this adaptive FDA stance exists within EC regulation.
 
Last edited by a moderator:
O

ontheopenroad

Re: Risk managment for contract manufacturer

As a contract manufacturer and recently implementing ISO 13485, we had the same issue. We exclude design from the scope of our QMS, but of course the requirement for risk management is in product realization, not design.

Our Risk Analysis is primarily a pFMEA, and analyzing the risk associated with manufacturing processes and not meeting the customer's specified requirements, not design risk. The other thing that I did was ask our customers to provide us with copies of their risk analyses so that we could implement any controls necessary to prevent failure to their devices.

:2cents:
 
M

MIREGMGR

Re: Risk managment for contract manufacturer

Our Risk Analysis is primarily a pFMEA, and analyzing the risk associated with manufacturing processes and not meeting the customer's specified requirements, not design risk. The other thing that I did was ask our customers to provide us with copies of their risk analyses so that we could implement any controls necessary to prevent failure to their devices.

These are totally sensible actions, but (if not required by your contract with your customer) in my interpretation are business management steps, not fulfillment of a regulatory responsibility.

Risk management has lots of applications in good business management...we apply it all the time to purchasing and financial transactions, purely for internal managerial clarity. That activity on our part is firewalled from our customer relationships and regulatory responsibilities, though.
 

Marcelo

Inactive Registered Visitor
Re: Risk managment for contract manufacturer

Our Risk Analysis is primarily a pFMEA, and analyzing the risk associated with manufacturing processes and not meeting the customer's specified requirements, not design risk

This is the problem.

The risk management regulatory requirements deals with safety of end users and patients.

So, what is required is that the management of the risks relted to the manufacturing process and the their outcomes in the finished device (not on not meeting the customer's specified requirements).

This not meeting the customer's specified requirements is clearly related to the business aspect, but not to the regulatory one.
 
O

ontheopenroad

Re: Risk managment for contract manufacturer

The risk management regulatory requirements deals with safety of end users and patients.

So, what is required is that the management of the risks relted to the manufacturing process and the their outcomes in the finished device (not on not meeting the customer's specified requirements).

This not meeting the customer's specified requirements is clearly related to the business aspect, but not to the regulatory one.

A contract manufacturer cannot dictate to a customer the design aspects of a device to minimize risks associated with design and use of the device. A contract manufacturer can only meet the requirements that a customer has determined and specified (e.g., test result must meet certain criteria, instructions for use must match specified copy).

If the design owner determines that a certain aspect of the device is critical, and that the manufacturing process affects the ability to meet that criteria, then it is incumbent upon the contract manufacturer to minimize the risk of causing a defect within the manufacturing process (e.g., validation, inspection, test, etc.)

This is the stance that I took with my registrar, and they concurred. It is the same stance that I took with advisory notices, MDR reporting, and post-market surveillance. The contract manufacturer has a limited role in some aspects of 13485. They can't be ignored, disregarded, or excluded, and they are not "not-applicable", but they can only be implemented in asmuch as is within specified agreements with the customer.
 

somashekar

Leader
Admin
Re: Risk managment for contract manufacturer

A contract manufacturer cannot dictate to a customer the design aspects of a device to minimize risks associated with design and use of the device. A contract manufacturer can only meet the requirements that a customer has determined and specified (e.g., test result must meet certain criteria, instructions for use must match specified copy).

If the design owner determines that a certain aspect of the device is critical, and that the manufacturing process affects the ability to meet that criteria, then it is incumbent upon the contract manufacturer to minimize the risk of causing a defect within the manufacturing process (e.g., validation, inspection, test, etc.)

This is the stance that I took with my registrar, and they concurred. It is the same stance that I took with advisory notices, MDR reporting, and post-market surveillance. The contract manufacturer has a limited role in some aspects of 13485. They can't be ignored, disregarded, or excluded, and they are not "not-applicable", but they can only be implemented in asmuch as is within specified agreements with the customer.
It is indeed a defined limited role when it comes to RM for the contract manufacturer. However a customer comes to an ISO 13485 contract manufacturer based on the expertice and competence of him to manufacture per design and then the customer can expect to see the manufacturer apply the process risk management and ask to review the same before any commercial agreements can be signed. Manufacturer could as well ask for the design risk management files from the customer to review and understand what have been mapped and together a value added risk management is evolved, always keeping in mind the patient and user. It should be both interactive, live and form one of the basic first level shared document between customer and manufacturer.
 
Top Bottom