Risk Management in Outsourcing Company

L

Luwak

Our company provides production outsourcing services for another company. All product and process design is done by our customer and they also carry out a risk analysis. In this case, can we make a statement that for the involved products we do not carry out a risk analysis, since this is already done by the customer? If so, would it be advisable to include a statement that mentions that residual risk has been analyzed and found acceptable?

Thanks in advance!
 
somashekar

somashekar

Leader
Admin
Luwak said:
Our company provides production outsourcing services for another company. All product and process design is done by our customer and they also carry out a risk analysis. In this case, can we make a statement that for the involved products we do not carry out a risk analysis, since this is already done by the customer? If so, would it be advisable to include a statement that mentions that residual risk has been analyzed and found acceptable?

Thanks in advance!
Click to expand...
NO Sir ...
You will adopt the risk analysis and own it / review it to keep it current. As and when you are faced with changes, corrective actions, customer complaints., or a new risk is seen by you, which hitherto was not in consideration, you will update the risk analysis and communicate to the customer or communicate to the customer and get the risk analysis updated..
 
Y

yodon

Leader
Super Moderator
somashekar said:
NO Sir ...
You will adopt the risk analysis and own it / review it to keep it current.
Click to expand...

Hmm.... I will respectfully disagree with somashekar. The product owner is the owner of the risk analysis. As a contributor to the product, you have an obligation to support those efforts. I will agree with somashekar in that you should definitely communicate any new information regarding risks / hazards to your customer.

You asked "can we make a statement that for the involved products we do not carry out a risk analysis" Where would you make such a statement and to what purpose? The contract with your customer should define your responsibilities in regards to risk analysis. I guess I'm asking what the genesis of the question is.
 
Richard Regalado

Richard Regalado

Trusted Information Resource
Luwak said:
Our company provides production outsourcing services for another company. All product and process design is done by our customer and they also carry out a risk analysis. In this case, can we make a statement that for the involved products we do not carry out a risk analysis, since this is already done by the customer? If so, would it be advisable to include a statement that mentions that residual risk has been analyzed and found acceptable?

Thanks in advance!
Click to expand...

What if your customer is in say Canada and you are in say Syria. Can you honestly state that the risk assessment done by the customer is adaptable to your situation and environment?
 
somashekar

somashekar

Leader
Admin
yodon said:
Hmm.... I will respectfully disagree with somashekar. The product owner is the owner of the risk analysis. As a contributor to the product, you have an obligation to support those efforts. I will agree with somashekar in that you should definitely communicate any new information regarding risks / hazards to your customer.

You asked "can we make a statement that for the involved products we do not carry out a risk analysis" Where would you make such a statement and to what purpose? The contract with your customer should define your responsibilities in regards to risk analysis. I guess I'm asking what the genesis of the question is.
Click to expand...
Let me clarify here that by "own" I mean that the risk analysis is under your document control system, even perhaps as a document of external origin. You will not disown risk analysis, but will be a participative partner to the extent of your review and use of the same in your production services.
 
Mikishots

Mikishots

Trusted Information Resource
I'm in agreement with Yodon. Prequalification is the most common method of mitigating risk. It is understood that the owner of the product is ultimately responsible for the quality of the product. Of course, as Yodon mentioned, communication is key - the contract should clearly stipulate the conditions under which the subcontractor is to notify the product owner regarding events such as location change, main employee or organizational shift, new machines or other prcess equipment etc.
 
L

Luwak

yodon said:
You asked "can we make a statement that for the involved products we do not carry out a risk analysis" Where would you make such a statement and to what purpose? The contract with your customer should define your responsibilities in regards to risk analysis. I guess I'm asking what the genesis of the question is.
Click to expand...

Since we cannot exclude risk management from our quality system as a whole, we will need a risk management procedure. (we also make other products that we own completely and besides that I wonder if excluding risk management would be possible at all). I would say that in this procedure we describe how the risk management is carried out (FMEA etc.) and we refer to a list of products and their actual risk analyses. In this list we could make the mentioned statement for the products from our outsourcing customer.

Now for the analyses that are carried out by our customer, we can just include the simple statement as described, or we could copy and paste the risk analyses from our customer. The latter has several difficulties:
  1. Our customer is not willing to give us all the risk analyses. However, I think we can convince them if we can make a good case that we need them to be compliant.
  2. I have seen some examples of risk analysis from our customer and let's just say that they are not completely up to scratch.. I don't want to be in the position where I have to answer questions about these analyses since I am not responsible for them and I can't even make changes to them.
  3. If the risk management methodology is not exactly the same on our side and on customer's side, this can lead to confusion.
  4. As always with this kind of information, how are we going to arrange that we stay up to date with all the latest revisions..
We will inform our customer if there are changes on our side that affect the production process. We already have an agreement that obliges us to get permission for any change in the process. In such a case, customer should decide whether or not a new risk analysis has to be carried out.
 
Ronen E

Ronen E

Problem Solver
Moderator
Hi,

Sounds like your company is acting as a contract manufacturer (CM) in this instance, and at the same time it is also an independent legal manufacturer of medical devices.

I think you have 2 options wrt the CM device(s):

1. Exclude risk management altogether (unless spelled-out under the contract's scope), and, in Soma's words, "be a participative partner" in the clients RM process. Med dev CM are typically bound by regulation only via contract, flowing from their clients legal obligations. That would be the easiest route, but carries the risk of having 2 different quality levels in the organization - one for your own products and another for the CM'd ones.

2. Implement your RM procedures, to the last letter, on all your products, regardless of ownership. More work, but it'll streamline the operations and avoid the double standard and confusion / potential mistakes associated with it. Should you take such a path, the design owner's files could come very handy in your own process (the same way your manufacturing-related inputs would come handy for them).

Cheers,
Ronen.
 
L

Luwak

Thanks Ronen, taking all input together I think we will decide on your option 1. Not only is it less work, I think it will actually reduce confusion since there will be no 2 risk analyses for the same product. If we carry out risk a analysis ourselves for the CM devices, in theory we could end with a different/worse conclusion than our customers.. and then what to do? And to be honest, our customers have much more expertise when it comes to application of the product and can therefore make a better assessment of the involved risks in that area.

The only thing that rests us to do is to put a clause in our agreements with the customers that they are responsible for the risk management and to update when there is any change or any action to be taken on our side as a result from this. This discussion made me realize that the agreements with our customers should probably have a more prominent role during audits to explain certain decisions about our quality system.
 
N

Nash27

Involved In Discussions
:bigwave:
Hi Ronen, always feel good to ask you the Question:
We do contract manufacturing ideally repackaging bulk Class IIa non-sterile products in pharmacy display boxes. We have controlled environment, but not a clean room. In the TF I have risk analysis of those products received from the manufacturer.

At what level I should conduct my risk analysis?
Can I just write a plane risk management report and state possible risks and applied control?
How much importance I need to give to determine overall residual risk assessment?

Cheers

Nash
 
You must log in or register to reply here.

Similar threads

K
QA involvement with Quality Agreements for Outsourced processes
Replies
3
Views
371
William55401
William55401
K
Management of Outsourced QC?
Replies
5
Views
595
Enternationalist
Enternationalist
D
The use of actual test data or a Pass/Fail sample, that is the question. What is the right answer?
2
Replies
14
Views
730
Dan Watson
D
K
Template For Quality Agreement for Outsourced QC?
Replies
0
Views
207
KarenA01
K
B
Recertification of service company due to company relocation but with production premises
Replies
5
Views
274
Quality-Nation
Q
Top Bottom