Exclusion of clause 8.2.3 Reporting to regulatory authorities

[Pola]

Hello,


We are a design and manufacturing process provider for our legal manufacturer customers. Our clients are responsible for introducing a medical device to the market and have the manufacturer's status (according to MDR).

Due to the fact that our company is preparing for the certification process until 13485: 2016. I wonder if we can exclude clause 8.2.3 (Reporting to regulatory authorities) from our QMS?

From my point of view, as a supplier, we are not responsible for reporting incidents to the competent authorities, we are only responsible for helping the manufacturer to resolve the matter and implement appropriate corrective actions (which is included in the contract).

May I know your opinion on this?
Thank you in advance for your help.

 

[somashekar]

You have a very clear and valid justification for 8.2.3 to be non-applicable....

 

[Enternationalist]

Think about this practically. Are you in a position where you could be receiving complaints? If you cannot receive complaints, then this might not apply to you. However - you probably could receive complaints, even if you don't intend to.

The standard's requirement is that your organization shall document procedures for providing notification - if you want your procedure to be that you get in contact with your client and ensure you make the notification through them, that's a possibility; but that's probably more worry than it's worth.

Imagine your company receives a complaint that somebody has died due to a mistake in a product you have worked on; your client is unaware of the complaint. The authorities need to know about this within X hours, varying on the region. What are you actually going to do? Are you in a position that you can get in contact with your client immediately and coordinate a response, and be certain that it's gone through? If you rely entirely on your clients, you may not have enough information on your end to know what is urgent and what is not - is there a risk of creating an incident reporting problem for your client?

Even if you do argue that you're not the manufacturer, this situation is plausible and critical enough that I think you're ethically obliged to have something in place, regardless of if it's technically required by the wording of the standard. It doesn't have to be complicated. Know what you're going to do if this ever happens.

 

[somashekar]

Think about this practically. Are you in a position where you could be receiving complaints? If you cannot receive complaints, then this might not apply to you. However - you probably could receive complaints, even if you don't intend to.

The standard's requirement is that your organization shall document procedures for providing notification - if you want your procedure to be that you get in contact with your client and ensure you make the notification through them, that's a possibility; but that's probably more worry than it's worth.

Imagine your company receives a complaint that somebody has died due to a mistake in a product you have worked on; your client is unaware of the complaint. The authorities need to know about this within X hours, varying on the region. What are you actually going to do? Are you in a position that you can get in contact with your client immediately and coordinate a response, and be certain that it's gone through? If you rely entirely on your clients, you may not have enough information on your end to know what is urgent and what is not - is there a risk of creating an incident reporting problem for your client?

Even if you do argue that you're not the manufacturer, this situation is plausible and critical enough that I think you're ethically obliged to have something in place, regardless of if it's technically required by the wording of the standard. It doesn't have to be complicated. Know what you're going to do if this ever happens.

All these are captured in the clause 7.2.3 and this intent is within that. This is also effectively mentioned in the clause 8.3.3
As far as the clause 8.2.3 is concerned, it is a clear non-applicable based on the information in the first post here.

 

[Sidney Vianna]

Even if you do argue that you're not the manufacturer, this situation is plausible and critical enough that I think you're ethically obliged to have something in place, regardless of if it's technically required by the wording of the standard. It doesn't have to be complicated. Know what you're going to do if this ever happens.

If you are not the market-facing legal manufacturer, as a supplier, you would not even know the countries where the medical device is being sold in and the regulatory agencies in need of notification. Any supplier bypassing the legal manufacturer of a device and contacting a regulatory body directly could be in huge risk of a major legal imbroglio.

I agree about the possible non-applicability of the clause in this context.

 

[Enternationalist]

If you are not the market-facing legal manufacturer, as a supplier, you would not even know the countries where the medical device is being sold in and the regulatory agencies in need of notification. Any supplier bypassing the legal manufacturer of a device and contacting a regulatory body directly could be in huge risk of a major legal imbroglio.

I agree about the possible non-applicability of the clause in this context.

Fair enough - definitely shouldn't be bypassing the manufacturer. Gun jumped.

 

[ChrisM]

If you are the
"a design and manufacturing process provider "
how would anyone even know who you were to contact you in case of an incident? The legal manufacturer is the company whose name and details appear on the product, IFU etc.

I agree fully with somashekar that "You have a very clear and valid justification for 8.2.3 to be non-applicable.... "
You should in any event be stating which clauses of ISO13485 are non-applicable to your business/ISO registration and this clause should be on that list

 

[Billy Milly]

My 2 cents - incidents (vigilance) are not the only possible reporting obligations. For example, we need to register the "business type" in our country. Also, CA is not the only regulatory authority, there are many more.
Based on provided info, I would explicitly exclude vigilance reporting and maybe also product registration (depends on your national requirements), but not the whole clause.