Good day all. I posted this as a piggyback comment in a separate thread, but figured it might get more visibility as a standalone thread, so here we go:
I work for a contract medical device component manufacturer. During a recent ISO 13485:2016 surveillance audit, we got dinged for not having an MDF for each component that we process, with the intent being an MDF would allow us to more effectively apply risk management to the finished device, within the scope of our responsibility within the product lifecycle as a whole (i.e. "different risks or processing controls for Class 1 versus Class 3 devices" was the example offered by the auditor). We claimed N/A to Clause 4.2.3 during our initial re-certification audit last year, and this was deemed acceptable by the auditor then. This time, it wasn't... I've been told that, technically, we can't "N/A" anything not within Clauses 6, 7, or 8.
Is it the interpretation of ISO 13485:2016, Clause 4.2.3 that we, as a contract component manufacturer, have to hold the entire MDF (presumably sourced from our clients) for their finished devices, or are we to create an MDF that only reflects the scope of the component we service (perhaps something along the lines of a MDF/DHR hybrid)? I requested "one or more files either containing or referencing documents including" clause 4.2.3.a-f, and am getting quite a bit of pushback from our clients, who are reluctant to send over this information, and claim that it is THEIR responsibility to maintain this, not ours. How do I mitigate this? If our clients refuse, what options do we have so that we're still in compliance?
Thanks all.
I work for a contract medical device component manufacturer. During a recent ISO 13485:2016 surveillance audit, we got dinged for not having an MDF for each component that we process, with the intent being an MDF would allow us to more effectively apply risk management to the finished device, within the scope of our responsibility within the product lifecycle as a whole (i.e. "different risks or processing controls for Class 1 versus Class 3 devices" was the example offered by the auditor). We claimed N/A to Clause 4.2.3 during our initial re-certification audit last year, and this was deemed acceptable by the auditor then. This time, it wasn't... I've been told that, technically, we can't "N/A" anything not within Clauses 6, 7, or 8.
Is it the interpretation of ISO 13485:2016, Clause 4.2.3 that we, as a contract component manufacturer, have to hold the entire MDF (presumably sourced from our clients) for their finished devices, or are we to create an MDF that only reflects the scope of the component we service (perhaps something along the lines of a MDF/DHR hybrid)? I requested "one or more files either containing or referencing documents including" clause 4.2.3.a-f, and am getting quite a bit of pushback from our clients, who are reluctant to send over this information, and claim that it is THEIR responsibility to maintain this, not ours. How do I mitigate this? If our clients refuse, what options do we have so that we're still in compliance?
Thanks all.