Contract Manufacturers and MDF Responsibilities, ISO 13485:2016, Clause 4.2.3

Morlock

Involved In Discussions
#1
Good day all. I posted this as a piggyback comment in a separate thread, but figured it might get more visibility as a standalone thread, so here we go:

I work for a contract medical device component manufacturer. During a recent ISO 13485:2016 surveillance audit, we got dinged for not having an MDF for each component that we process, with the intent being an MDF would allow us to more effectively apply risk management to the finished device, within the scope of our responsibility within the product lifecycle as a whole (i.e. "different risks or processing controls for Class 1 versus Class 3 devices" was the example offered by the auditor). We claimed N/A to Clause 4.2.3 during our initial re-certification audit last year, and this was deemed acceptable by the auditor then. This time, it wasn't... I've been told that, technically, we can't "N/A" anything not within Clauses 6, 7, or 8.

Is it the interpretation of ISO 13485:2016, Clause 4.2.3 that we, as a contract component manufacturer, have to hold the entire MDF (presumably sourced from our clients) for their finished devices, or are we to create an MDF that only reflects the scope of the component we service (perhaps something along the lines of a MDF/DHR hybrid)? I requested "one or more files either containing or referencing documents including" clause 4.2.3.a-f, and am getting quite a bit of pushback from our clients, who are reluctant to send over this information, and claim that it is THEIR responsibility to maintain this, not ours. How do I mitigate this? If our clients refuse, what options do we have so that we're still in compliance?

Thanks all.
 
Elsmar Forum Sponsor

Ronen E

Problem Solver
Staff member
Moderator
#2
I've been told that, technically, we can't "N/A" anything not within Clauses 6, 7, or 8.
That is true.

or are we to create an MDF that only reflects the scope of the component we service
That's the way to go.

There's no added value (for anyone IMO) in you pulling info upstream from your clients. I mean that in the way of formal documentation and presentation under 4.2.3; there is of course value in you thoroughly understanding your "User Needs" (7.3), but that's a different story.
There's some value in you letting information downstream into THEIR files, so upon audit a more complete picture may emerge. It might be a good marketing practice, but likely needs to be balanced with commercial (proprietary) considerations.
 

Morlock

Involved In Discussions
#3
Thanks Ronen. The plan going forward is to hold the IFUs as a way to understand and document the "User Needs" (a recommendation from the auditor and a couple of colleagues). That way we can directly reference the IFU as well as the provided spec docs within our risk assessment. This should satisfy 4.2.3.a. The other sub-clauses will be addressed as they pertain to our internal processes.

Follow-up questions: How often should the IFU/MDF/risk assessment be reviewed, and who's responsibility is it to ensure the IFU we have on file is current? I would think that a significant change to any of OUR processes would trigger a review of any related risk management docs, obviously, but what about changes to the IFU from the customer's perspective? Should they send us a new doc every time their IFU is updated? Or would updating us only if their user needs change be sufficient?

Thanks all!
 

Ronen E

Problem Solver
Staff member
Moderator
#4
Your MDF should be kept up to date at all times (by way of having all contributing processes include instructions to update the MDF at the relevant spots), and I would recommend a proactive, comprehensive review at least once in every 12 months (maybe 6 months if you have a lot of changes).

Similarly, risk management files should be considered "live" and updated in real time wherever anything significant changes.

If you intend to rely on your customers' IFUs, you should definitely have the latest revisions on file at all times (within reason). If you can add a clause to the contract saying that they will share with you every new revision as it is released, that's recommended. Otherwise you'd have to proactively reach out once in a while to check whether the revision you have is still the latest. I would say at least twice in every 12 months, preferably once a quarter, unless these IFU's update quite seldom (then maybe check once a year).
 
Thread starter Similar threads Forum Replies Date
K Do Contract Manufacturers need a complaint procedure? Medical Device and FDA Regulations and Standards News 9
T Selection Of Contract Manufacturers Supplier Quality Assurance and other Supplier Issues 2
A Requirements for Contract Manufacturers Other Medical Device and Orthopedic Related Topics 3
Nikki9154 MDSAP inquiry for China Contract Manufacturers ISO 13485:2016 - Medical Device Quality Management Systems 5
JoCam FDA Registration for Sub-contract manufacturers Medical Device and FDA Regulations and Standards News 2
K ANVISA B-GMP Auditing requirements for Contract Manufacturers Other Medical Device Regulations World-Wide 1
A What if Contract Manufacturers does not have an ISO 13485 certificate? Where will the NB audit take place, at legal mfg. site or contract mfg. site? Other Medical Device Regulations World-Wide 3
B Non Applications in ISO 13485:2016 for component contract manufacturers ISO 13485:2016 - Medical Device Quality Management Systems 3
J Medical Devices sourced from Contract Manufacturers - Who is the legal manufacturer? EU Medical Device Regulations 13
H Who is the Legal / Labeled Manufacturer? (Contract Manufacturers shipping to the EU) ISO 13485:2016 - Medical Device Quality Management Systems 1
S Is FDA Establishment Registration for Bulk packaging Contract Manufacturers ? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
Q FDA Requirements for Contract Manufacturers and OTC products US Food and Drug Administration (FDA) 4
C FDA requirements for Contract Manufacturers Document Control Systems, Procedures, Forms and Templates 1
T PPAP Requirements for Contract Manufacturers APQP and PPAP 4
M New Medical Device Contract Manufacturers Excise Tax Requirements US Food and Drug Administration (FDA) 8
B DMR (Device Master Record) For Contract Manufacturers 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 8
somashekar CMDCAS ISO 13485 for Contract Manufacturers Canada Medical Device Regulations 7
A How are Contract Manufacturers different from OEM Manufacturers? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 20
M Implementing Risk Management for Contract Manufacturers - ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 12
C Risk Management for Small Contract Manufacturers ISO 14971 - Medical Device Risk Management 20
Q ISO 14971 for Contract Manufacturers - Extensive risk management ISO 14971 - Medical Device Risk Management 16
L FDA CAPA Requirement for Contract Med. Dev. Manufacturers Other US Medical Device Regulations 4
T Korean requirements for foreign medical device contract manufacturers? Japan Medical Device Regulations 2
V Records of Obsolete Medical Device(s) for Contract Manufacturers Records and Data - Quality, Legal and Other Evidence 6
M FDA Medical device reporting (Manufacturer in US; contract manufacturer OuS) US Food and Drug Administration (FDA) 0
R Looking for an efficient contract management solution Contract Review Process 1
W Staffing/Contract Labor Provider Service Industry Specific Topics 3
I Is SRN required for a contract manufacturer (CE-Marking product)? EU Medical Device Regulations 2
H Contract Manufacturer as Design Owner ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 6
MedicalDevicesCanada How to find a medical device contract manufacturer, MDSAP certified? Canada Medical Device Regulations 4
shimonv Working with a contract manufacturer ISO 13485:2016 - Medical Device Quality Management Systems 3
G How to implement H&S and Quality Control Requirements in Contract for Potential Supplier? Contract Review Process 6
S Who is technically and legally a "Contract Manufacturer"? ISO 13485:2016 - Medical Device Quality Management Systems 4
J NCR- Failure of contract review process - NADCAP audit AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 6
E Component manufacturer or contract manufacturer ? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 7
B Does FDA Registration QSR need to cover non-medical devices for contract repackager? US Food and Drug Administration (FDA) 1
J Need a contract monitoring Tool General Information Resources 0
Y Procedures on Contract Review Document Control Systems, Procedures, Forms and Templates 3
C SharePoint Contract Management Software General Information Resources 0
A Medical Device Contract Manufacturer - Does the CM need to register with FDA? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 3
M How Specific in an ISO 13485:2016 Scope for a Contract Manufacturer ISO 13485:2016 - Medical Device Quality Management Systems 9
chris1price Contract Sterilization Service Providers ISO 13485:2016 - Medical Device Quality Management Systems 5
H Obligations as a contract manufacturer during an MDSAP audit ISO 13485:2016 - Medical Device Quality Management Systems 11
H 510k with Contract Manufacturer Other US Medical Device Regulations 2
bryan willemot Contract Review and risk managment AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 2
J Can signed agreements over-ride review of every "contract" under ISO 13485:2016? ISO 13485:2016 - Medical Device Quality Management Systems 2
E Contract manufacturer FDA requirements foreign company US Food and Drug Administration (FDA) 6
M We are looking for a Contract Manufacturer US Food and Drug Administration (FDA) 2
L Sample Procedure from Contract Manufacturer Prospective ISO 14971 - Medical Device Risk Management 1
I Is the contract mfg. mentioned in legal manufacturer EC certificate? CE Marking (Conformité Européene) / CB Scheme 4

Similar threads

Top Bottom