Are risks in supply chain and development activities within scope of MDD?

silentmonkey

Starting to get Involved
#1
We are aiming for CE mark through compliance with MDD and the assessor has provided some feedback pertaining to our risk management activities. The verbatim we've been given is:

The assessor determines that the provided documentation does not provide evidence on conformity to essential requirements of Annex I of 93/42/EEC in respect to:
- Missing Identification of risks in supply chain and during development activities (e.g. HW, SW development)


I am debating internally whether or not this is a real finding as I do not see how risks in supply chain and during development activities has an impact on product safety. We have started developing a SupplyChainFMEA to address this finding and the risks identified thus far relate to operational and economic risks such as the severity and likelihood of supplier shortages. I do not think this is the correct solution as Annex I of MDD talks mainly about the safe design and construction... no where does it talk about risks in supply chain.

The only way I can make sense of this is if the assessor has just worded the finding poorly and is actually referring to downstream supply chain risks such as product reliability during transport/storage.

Is the assessor's finding legitimate?
If so, what clause or section in the MDD is it referring to?
Do you have any suggestions as to how we can address this finding?
 
Elsmar Forum Sponsor

yodon

Staff member
Super Moderator
#2
Just speculating here but, for software, there is a certain level of expectation. 62304 (software) is a harmonized standard and so if it was followed, you have a presumption of conformity. It's been my experience that just asserting compliance is insufficient; they expect an assessment from an independent test lab. So if you outsourced software development to Joe's Waffle House and Software Development, they may push back. 62304 *does* drive a software-centric risk management process.

If you identified critical components then proper purchasing (incoming) procedures would drive an elevated level of receiving requirements (eliminate the possibility of counterfeit components). That's about all I can come up with for supply chain risks. One could argue that a shortage of parts would lead to the inability to produce product and thus delay therapy. A bit of a stretch but with the COVID / ventilator story, I can see that idea being pressed.

I presume you did follow ISO 14971 for product risk management?
 

silentmonkey

Starting to get Involved
#3
Just speculating here but, for software, there is a certain level of expectation. 62304 (software) is a harmonized standard and so if it was followed, you have a presumption of conformity. It's been my experience that just asserting compliance is insufficient; they expect an assessment from an independent test lab. So if you outsourced software development to Joe's Waffle House and Software Development, they may push back. 62304 *does* drive a software-centric risk management process.

If you identified critical components then proper purchasing (incoming) procedures would drive an elevated level of receiving requirements (eliminate the possibility of counterfeit components). That's about all I can come up with for supply chain risks. One could argue that a shortage of parts would lead to the inability to produce product and thus delay therapy. A bit of a stretch but with the COVID / ventilator story, I can see that idea being pressed.

I presume you did follow ISO 14971 for product risk management?
Thanks for the input Yodon! I think we are OK on the software development side of things.

Yes we will be classifying certain suppliers as critical if their components are critical to the safe and effective function of the product and there aren't sufficient controls in place to detect a loss of quality in the critical component, so this is driven by our risk management activities.

Indeed we have been following ISO 14971 for product risk management and this is where things get even more sticky. ISO 14971 defines safety as freedom from unacceptable risk; risk is defined as a combination of likelihood of harm and severity of that harm; harm is defined as injury or damage to the health of people, or damage to property or environment. In this context, supply chain risks are not within scope except for the point you raised about inability to produce product and delayed therapy which I agree is a bit of a stretch...

I am keen to engage with the assessor to clarify the finding and request that the assessor identifies the specific clause which he claims we are not fulfilling but there's some push back on this.
 

levatorsuperioris

Involved In Discussions
#4
Before you go guns ablazing against the NB, alot of assessors are looking down a shopping list of things they are looking for.
Notified Bodies and MDSAP AOs are required to audit critical suppliers unless they can duly justify not doing it through controls and in place with the manufacturer...

Worst case here is if you don't meet the standard the NB will have to audit the critical supplier before certification, given COVID, this basically may kill your chances before the MDD leaves effect. I suspect that I am reading between the lines in what you describing not only are you in territory of a real finding but also on precarious ground where things could get really ugly.
 
Thread starter Similar threads Forum Replies Date
A IEC 62304 safety classification, External Controls and off-label use related risks IEC 62304 - Medical Device Software Life Cycle Processes 5
D ISO 14971:2019 vs MDR Annex 1, Requirement #4 - "Manufacturers shall inform users of any residual risks" ISO 14971 - Medical Device Risk Management 5
Robert Stanley I'm @ RISK of not showing my RISKS! ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 20
Richard Regalado Top 10 operational risks of 2019 for business continuity planning Business Continuity & Resiliency Planning (BCRP) 6
A Managing overseas travel risks to food handlers Food Safety - ISO 22000, HACCP (21 CFR 120) 3
T ISO 14971-2019 doubt - Evaluate if estimated risks are acceptable ISO 14971 - Medical Device Risk Management 9
M Informational US FDA – URGENT/11 Cybersecurity Vulnerabilities in a Widely-Used Third-Party Software Component May Introduce Risks During Use of Certain Medical Dev Medical Device and FDA Regulations and Standards News 0
Jacquie Collins 6 Risks and Opportunities ISO 14001:2015 ISO 14001:2015 Specific Discussions 6
D How to Identify the Risks and Opportunities required for QMS Processes? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
M Are Risks and Opportunities Required as Part of the Process Definition ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
H Addressing of Undesirable side-effects, harms, risks and side-effects in clinical evaluation report (CER) EU Medical Device Regulations 12
M Informational How To Avoid Compliance & Timeline Risks When Selecting A Medical Device Supplier Medical Device and FDA Regulations and Standards News 0
M Informational Understanding Costs And Risks For HFE Usability Studies — Part 1: Testing In-House Medical Device and FDA Regulations and Standards News 0
M FDA News Safety Alert – USFDA warns about safety risks of teething necklaces, bracelets to relieve teething pain or to provide sensory stimulation Medical Device and FDA Regulations and Standards News 0
B ISO 17025 8.5 Actions to address risks and opportunities ISO 17025 related Discussions 7
A Risks and Opportunities associated to Legal Compliance - 6.1.3 ISO 14001:2015 Specific Discussions 4
O Examples of the external and internal issues and their risks and opportunities IATF 16949 - Automotive Quality Systems Standard 2
A Risks related to Method Validation and Stability Studies Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 2
qualprod ISO 9001 Risk control method - What could be the better way to control risks? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
R Redundancy between Process risks and Process Performance indicators ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
Q Risks and opportunities that could be associated with the purchasing department ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
Q ISO 14001:2015 Clause 6.1: Actions to address Risks & Opportunities ISO 14001:2015 Specific Discussions 2
Sidney Vianna Guidance on Management of Psychosocial Risks in the Workplace Occupational Health & Safety Management Standards 5
H Depth in the organization for Interested Parties and Risks & Opportunities ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
A Compliance Obligations - Implementing 6.1.1 and 6.1.3 NOTE - Determine risks and... ISO 14001:2015 Specific Discussions 1
I Is risk acceptability really needed if all risks must be reduced as far as possible? ISO 14971 - Medical Device Risk Management 6
Q ISO 9001:2015 - Clarification in 6.1.2 Note 1 (Options to Address Risks) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
Q Practical guide to scan for Risks in all QMS systems without missing any ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 16
Q Risks Examples in Top Management ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
oldqamanager How will you handle Clause 6.1 - Risks and Opportunities for AS9100 Rev. D Auditors? Risk Management Principles and Generic Guidelines 22
Q SWOT Outputs - Risks, Opportunities and Improvements ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
Q Source of practice to Evaluate Risks? (ISO 9001:2015) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
Q Opportunities only derived from Risks? Detecting Risk & Opportunities in ISO 9001 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
A Does KPI for Processes need to be correlated with the specific Risks for Processes? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
R Actions To Address Risks and Opportunities IATF 16949 - Automotive Quality Systems Standard 1
W Chinese Authorized Representative - What are the regulatory risks? China Medical Device Regulations 3
M Informational Is Identification of Risks and Opportunities required for QMS Processes? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 96
V Deleting Risks if a particular Risk has been Eliminated ISO 14971 - Medical Device Risk Management 3
A Informational Confusion about Risks for Processes in ISO 9001:2015 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 44
R OHSAS 18001:2007 Section 3 - Controlling Work Place Risks Occupational Health & Safety Management Standards 3
D Biological and Chemical Risks to the user in the Hazard Analysis ISO 14971 - Medical Device Risk Management 1
C Risks involved in requesting Cert to ISO9001:2015 right when released ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
R Risks to Health - Patient and Clinician ISO 14971 - Medical Device Risk Management 4
Marc The Risks of Generic Drugs Coffee Break and Water Cooler Discussions 24
Ajit Basrur FDA issues Guidance Document - Benefits-Risks Factors to consider for 510(K) US Food and Drug Administration (FDA) 1
x-files [QMS] Identification and Evaluation of Aspects, Impacts and Risks... ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
S How are risks managed according to AS9100? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
L Residual risks which the PMCF study is based on ISO 14971 - Medical Device Risk Management 7
J Risks Analysis of an Active Implantable Muscle Stimulator ISO 14971 - Medical Device Risk Management 8
Q Risk Factors Checklist identifying the Risks for meeting the Customer Indent AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4

Similar threads

Top Bottom