SBS - The best value in QMS software

Contract Manufacturers and MDF Responsibilities, ISO 13485:2016, Clause 4.2.3

Morlock

Involved In Discussions
#1
Good day all. I posted this as a piggyback comment in a separate thread, but figured it might get more visibility as a standalone thread, so here we go:

I work for a contract medical device component manufacturer. During a recent ISO 13485:2016 surveillance audit, we got dinged for not having an MDF for each component that we process, with the intent being an MDF would allow us to more effectively apply risk management to the finished device, within the scope of our responsibility within the product lifecycle as a whole (i.e. "different risks or processing controls for Class 1 versus Class 3 devices" was the example offered by the auditor). We claimed N/A to Clause 4.2.3 during our initial re-certification audit last year, and this was deemed acceptable by the auditor then. This time, it wasn't... I've been told that, technically, we can't "N/A" anything not within Clauses 6, 7, or 8.

Is it the interpretation of ISO 13485:2016, Clause 4.2.3 that we, as a contract component manufacturer, have to hold the entire MDF (presumably sourced from our clients) for their finished devices, or are we to create an MDF that only reflects the scope of the component we service (perhaps something along the lines of a MDF/DHR hybrid)? I requested "one or more files either containing or referencing documents including" clause 4.2.3.a-f, and am getting quite a bit of pushback from our clients, who are reluctant to send over this information, and claim that it is THEIR responsibility to maintain this, not ours. How do I mitigate this? If our clients refuse, what options do we have so that we're still in compliance?

Thanks all.
 
Elsmar Forum Sponsor

Ronen E

Problem Solver
Staff member
Moderator
#2
I've been told that, technically, we can't "N/A" anything not within Clauses 6, 7, or 8.
That is true.

or are we to create an MDF that only reflects the scope of the component we service
That's the way to go.

There's no added value (for anyone IMO) in you pulling info upstream from your clients. I mean that in the way of formal documentation and presentation under 4.2.3; there is of course value in you thoroughly understanding your "User Needs" (7.3), but that's a different story.
There's some value in you letting information downstream into THEIR files, so upon audit a more complete picture may emerge. It might be a good marketing practice, but likely needs to be balanced with commercial (proprietary) considerations.
 

Morlock

Involved In Discussions
#3
Thanks Ronen. The plan going forward is to hold the IFUs as a way to understand and document the "User Needs" (a recommendation from the auditor and a couple of colleagues). That way we can directly reference the IFU as well as the provided spec docs within our risk assessment. This should satisfy 4.2.3.a. The other sub-clauses will be addressed as they pertain to our internal processes.

Follow-up questions: How often should the IFU/MDF/risk assessment be reviewed, and who's responsibility is it to ensure the IFU we have on file is current? I would think that a significant change to any of OUR processes would trigger a review of any related risk management docs, obviously, but what about changes to the IFU from the customer's perspective? Should they send us a new doc every time their IFU is updated? Or would updating us only if their user needs change be sufficient?

Thanks all!
 

Ronen E

Problem Solver
Staff member
Moderator
#4
Your MDF should be kept up to date at all times (by way of having all contributing processes include instructions to update the MDF at the relevant spots), and I would recommend a proactive, comprehensive review at least once in every 12 months (maybe 6 months if you have a lot of changes).

Similarly, risk management files should be considered "live" and updated in real time wherever anything significant changes.

If you intend to rely on your customers' IFUs, you should definitely have the latest revisions on file at all times (within reason). If you can add a clause to the contract saying that they will share with you every new revision as it is released, that's recommended. Otherwise you'd have to proactively reach out once in a while to check whether the revision you have is still the latest. I would say at least twice in every 12 months, preferably once a quarter, unless these IFU's update quite seldom (then maybe check once a year).
 
Thread starter Similar threads Forum Replies Date
T Selection Of Contract Manufacturers Supplier Quality Assurance and other Supplier Issues 2
A Requirements for Contract Manufacturers Other Medical Device and Orthopedic Related Topics 3
Nikki9154 MDSAP inquiry for China Contract Manufacturers ISO 13485:2016 - Medical Device Quality Management Systems 4
JoCam FDA Registration for Sub-contract manufacturers Medical Device and FDA Regulations and Standards News 2
K ANVISA B-GMP Auditing requirements for Contract Manufacturers Other Medical Device Regulations World-Wide 1
A What if Contract Manufacturers does not have an ISO 13485 certificate? Where will the NB audit take place, at legal mfg. site or contract mfg. site? Other Medical Device Regulations World-Wide 3
B Non Applications in ISO 13485:2016 for component contract manufacturers ISO 13485:2016 - Medical Device Quality Management Systems 3
J Medical Devices sourced from Contract Manufacturers - Who is the legal manufacturer? EU Medical Device Regulations 13
H Who is the Legal / Labeled Manufacturer? (Contract Manufacturers shipping to the EU) ISO 13485:2016 - Medical Device Quality Management Systems 1
S Is FDA Establishment Registration for Bulk packaging Contract Manufacturers ? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
Q FDA Requirements for Contract Manufacturers and OTC products US Food and Drug Administration (FDA) 4
C FDA requirements for Contract Manufacturers Document Control Systems, Procedures, Forms and Templates 1
T PPAP Requirements for Contract Manufacturers APQP and PPAP 4
M New Medical Device Contract Manufacturers Excise Tax Requirements US Food and Drug Administration (FDA) 8
B DMR (Device Master Record) For Contract Manufacturers 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 8
somashekar CMDCAS ISO 13485 for Contract Manufacturers Canada Medical Device Regulations 7
A How are Contract Manufacturers different from OEM Manufacturers? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 20
M Implementing Risk Management for Contract Manufacturers - ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 12
C Risk Management for Small Contract Manufacturers ISO 14971 - Medical Device Risk Management 20
Q ISO 14971 for Contract Manufacturers - Extensive risk management ISO 14971 - Medical Device Risk Management 16
L FDA CAPA Requirement for Contract Med. Dev. Manufacturers Other US Medical Device Regulations 4
T Korean requirements for foreign medical device contract manufacturers? Japan Medical Device Regulations 2
V Records of Obsolete Medical Device(s) for Contract Manufacturers Records and Data - Quality, Legal and Other Evidence 6
A Medical Device Contract Manufacturer - Does the CM need to register with FDA? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 3
M How Specific in an ISO 13485:2016 Scope for a Contract Manufacturer ISO 13485:2016 - Medical Device Quality Management Systems 9
chris1price Contract Sterilization Service Providers ISO 13485:2016 - Medical Device Quality Management Systems 5
H Obligations as a contract manufacturer during an MDSAP audit ISO 13485:2016 - Medical Device Quality Management Systems 5
H 510k with Contract Manufacturer Other US Medical Device Regulations 2
bryan willemot Contract Review and risk managment AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 2
J Can signed agreements over-ride review of every "contract" under ISO 13485:2016? ISO 13485:2016 - Medical Device Quality Management Systems 2
E Contract manufacturer FDA requirements foreign company US Food and Drug Administration (FDA) 6
M We are looking for a Contract Manufacturer US Food and Drug Administration (FDA) 2
L Sample Procedure from Contract Manufacturer Prospective ISO 14971 - Medical Device Risk Management 1
I Is the contract mfg. mentioned in legal manufacturer EC certificate? CE Marking (Conformité Européene) / CB Scheme 4
S Can a Contract Manufacturer "release" product on behalf of client to the market? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
R FCC certification (contract manufacturer) TL 9000 Telecommunications Standard and QuEST 1
C Contract Review with Multiple Line items ISO 13485:2016 - Medical Device Quality Management Systems 7
M Contract manufacturer MDR Quality Management System (QMS) Manuals 1
A Medical Device Contract Manufacturing Requirements and Information - Help wanted ISO 13485:2016 - Medical Device Quality Management Systems 5
G Is ISO 9001:2015 certification worth it for a company that does only contract manufacturing? Quality Management System (QMS) Manuals 14
K Reporting a Change of Contract Manufacturer for a 510(k) cleared device Other US Medical Device Regulations 5
Nicole Desouza Contract / Customer Order Review Checklist Needed Manufacturing and Related Processes 12
O Identifying KPI for AS9100 8.1.4 - Prevention of Counterfeit Parts - PCB assembly contract manufacturer AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 16
M Medical Device Master File - We are a contract manufacturer ISO 13485:2016 - Medical Device Quality Management Systems 7
D Software Validation - Contract manufacturer of Components (PCBA's) Qualification and Validation (including 21 CFR Part 11) 7
Ed Panek Moving from Contract Manufacturing to Production In-House ISO 13485:2016 - Medical Device Quality Management Systems 3
J Contract Sterilization - Our company is a contract manufacturer Manufacturing and Related Processes 8
R Contract Manufacturer/OEM Supplier - We are a specification developer for a kitted product 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
S Legal Manufacturer FDA Reporting Obligations for Using New Contract Sterilization Site Other Medical Device Regulations World-Wide 0
L REACH Compliance - Small, family-owned contract manufacturer REACH and RoHS Conversations 16

Similar threads

Top Bottom