Risk Management (again) for a Contract Manufacturer

T

Titan Medical

#1
Okay, i know this is the same song and dance as many other RM threats i searched out. This one has a slightly different tune tho...

So we are a contract manufacturer that produces prototype medical devices. We do not do implanables what so ever. we are a very new organization. we just started in april of 2009. so we are new to the game. had our first audit by a registrar and of course they found some nitpicky little things. The most major finding was our Risk Management procedure. It just failed outright.
Now, all we do are prototypes of medical devices as i said earlier. No implantables whatsoever. Our customer has done most of the Risk Management as they have done most the work but manufacturing the parts. So, not sure what it is i can implament the RM on. We do a LOT of one-offs. In fact, since we have started, i may have seen the same part 3 times. so i really dont have much in the way of "families" of parts to do a Risk Assessment on, which is what the auditor said we should do. Anyone have any info on how best to implement this?
As some quick background, i'm new to ISO 13485. Never done this before, so any and all help i can get would be awesome. Thanks.
 
Elsmar Forum Sponsor
M

MIREGMGR

#2
Risk management of course is primarily the responsibility of the Manufacturer under both ISO 13485 and the MDD, and the FDA QSR. Contract manufacturers may in some cases have some degree of sole or shared risk responsibility when the nature of the process being conducted entails a substantive degree of process related risk and either the contract manufacturer is expected to be the process equivalent of a Subject Matter Expert, and/or the process is separately regulated.

Assuming that your customers have full responsibility for both product and process related risks pertaining to their products, exclusion of risk management from your responsibility under 13485 does not occur automatically, merely because you do not perform activities that qualify as Manufacturing under the MDD, or end-user-related Product Realization under 13485. Manufacturing and elements of Product Realization are not excluded from the scope of your NB's overview unless you have pre-arranged to specifically exclude them from your ISO 13485 instance.

If you didn't have a discussion with your NB's sales team prior to your first audit process regarding what your company will be doing and what your quality system needs to be, in sufficient detail that the distinction between contract manufacturing and Manufacturing was mutually clear, shame on them for not being more helpful to you.
 

Peter Selvey

Staff member
Super Moderator
#3
"Risk management of course is primarily the responsibility of the Manufacturer under both ISO 13485 and the MDD, and the FDA QSR. Contract manufacturers may in some cases have some degree of sole or shared risk responsibility"

--> this is not technically correct. ISO 13485, ISO 14971 are both only applicable to the manufacturer of the medical device. Responsibility cannot be transferred. Although it is common practice that subcontractors are certified to ISO 13485, it is not actually technically correct, and there are several complications in doing so and some fudges are necessary. Risk management is a key example since many aspects such as the level of acceptable risk can only be decided by the legal manufacturer of the end medical device.

From a legal standpoint, the manufacturer of the end medical device should, usually by agreement or contract, bring you into thier quality system as an outsourced process. In doing so, they should specify which parts of ISO 13485 and ISO 14971 they would like you take care of. Blanket statements saying all of ISO 13485 should be avoided, since again there are usually things you cannot decide as a subcontractor.

So, talk to your client (the legal medical device manufacturer), get them to define what parts of ISO 13485 and ISO 14971 they want you to take care of; make sure your system actually does this, then show the agreement and practical implementation to your certification body during your next audit.

If you need to reply to a non-conformity, write up a plan to do this and submit the plan, rather than rush any implementation.

If you certification body insists that you must apply all of ISO 14971, point them to the definition of a manufacturer (2.8), and then to the scope (1) and then ask them to explain how this can apply to a subcontractor.
 
Last edited:

Marcelo

Inactive Registered Visitor
#4
This one has a slightly different tune tho...
Your original comment seems to be regarding the fact that you only make prototypes of medical devices. What kind of prototype, exactly, and for what purpose?

Prototypes in general are used to verify that requirements have been met. Regarding risk management, you can use prototypes to identify the implementation and/or effectiveness of risk control measures. So, depending on the use prototype, it will have a big impact on the final product safety.
 

Peter Selvey

Staff member
Super Moderator
#5
Let's try a practical example:

Manufacturer JJJ makes an infusion pump. They ask subcontractor BBB to design the power supply/battery system, including the alarm system for power supply/battery failure, which is critical for safety.

Does BBB need to comply with ISO 13485?
Does BBB need to comply with ISO 14971?

If yes, how does it work in practice, say for:

ISO 14971:
3.2 - management reponsibilty - who sets the policy for acceptable risk? If you say BBB, then JJJ could be in trouble; if you say JJJ then BBB fails to comply with this clause.
3.3 - qualification - does BBB need to source people with clinical experience of the medical device? If no, BBB clearly fails the clause.
3.5 - RM file - does BBB need to keep a seperate file for the power supply? If no, what should they do to comply with this clause?
4.2 - intended purpose - is this for the power supply? If no, what should they do? The clause clearly refers to the intended purpose of the medical device, but BBB is not experienced with infusion pumps.
5 - risk evaluation - can BBB make decisions for JJJ? If no, what should they do?
etc etc ...

In ISO 9001, a final product can be built from modules from different organizations, and each organization can run fully independent ISO 9001 systems by virtue interface specifications. Each organization treats it's "product" as only the module they are responsible for.

ISO 14971 does not work this way - the responsibility of the end product manufacturer is embedded into the standard at so many points, and the decisions being so heavily reliant on the end product itself that it is impractical to run ISO 14971 in this modular way.

ISO 13485 is the same, but since it is based on ISO 9001 there is only a limited amount of fudging necessary to make it work in practice.

This does not prevent the subcontractor from being heavily involved in the risk management process, even to a point where they run the whole process. But ultimately there can only be one risk management process for each medical device, and the responsibility for this process remains with the legal manufacturer.
 
M

MIREGMGR

#6
(...) the responsibility for this process remains with the legal manufacturer.
Yes, agreed. :)

Certainly true with the FDA as well.

Risk management of course is primarily the responsibility of the Manufacturer under both ISO 13485 and the MDD, and the FDA QSR. Contract manufacturers may in some cases have some degree of sole or shared risk responsibility
--> this is not technically correct.
Under FDA interpretations and applications of 14971 under QSR, I have to differ. This is easily shown to be the FDA's position by means of a review of recent Warning Letter activity, which has included a number of instances where a contract manufacturer was subjected to enforcement action after the FDA's determination that their customer was not exercising sufficient control over them, and a further determination that the process they were implementing and their prior or current other activities were such that they should know the rules.

The FDA never, to the best of my knowledge, expects a contract manufacturer to report on their analysis of risks. The FDA does, however...in some circumstances...expect a contract manufacturer to recognize and prevent or avoid risks, when their expertise should be such that those risks are recognizable by them.
 
Last edited by a moderator:
Thread starter Similar threads Forum Replies Date
B ISO 17025:2017 risk management Risk Management Principles and Generic Guidelines 0
S Risk Management Review ISO 14971 - Medical Device Risk Management 4
S Risk Management and other Files ISO 14971 - Medical Device Risk Management 8
silentmonkey Overall Benefit/Risk Analysis - Risk Management VS Clinical Evaluation ISO 14971 - Medical Device Risk Management 3
Aymaneh Medical Device Cybersecurity Risk Management IEC 27001 - Information Security Management Systems (ISMS) 2
A 21 CFR 820 - Risk Management - Looking for some guidance US Food and Drug Administration (FDA) 3
Sravan Manchikanti Software Risk Management & probability of occurrence as per IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 8
R Identify Medical Device characterstics as Annex C of ISO 14971 Risk Management ISO 14971 - Medical Device Risk Management 5
N Device Labeling - Medtronic Ventilator Files (Risk Management documents) Coffee Break and Water Cooler Discussions 2
T How do you define your Hazards? <a Risk Management discussion> ISO 14971 - Medical Device Risk Management 16
adir88 MDR requirement: Risk Management Plan for "each device" ISO 14971 - Medical Device Risk Management 5
D Risk Analysis & Technical File - What detail goes in the Risk Management Report ISO 14971 - Medical Device Risk Management 5
C AS9100 Rev D 8.1.1 & APQP - Operational risk management process AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 1
B ATP 5-19 "Risk Management" Misc. Quality Assurance and Business Systems Related Topics 2
N Risk Management besides mandated FDA requirements 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
M Identifying Hazards - Risk management process ISO 14971 - Medical Device Risk Management 6
R Risk Management in the Medical Device Industry ISO 14971 - Medical Device Risk Management 4
F Linking an ISO 31000 Risk management SOP to ISO 17025 ISO 17025 related Discussions 2
Ronen E The unbearable insensitivity of risk management language Other Medical Device and Orthopedic Related Topics 1
S ISO 14971 Risk Management - Questions for Hazard identification ISO 14971 - Medical Device Risk Management 2
M Risk/Benefit vs. benefit-risk - Revising an SOP covering Risk Management with the MDR in mind EU Medical Device Regulations 10
A Defining Expected Service Life in Risk Management File Reliability Analysis - Predictions, Testing and Standards 5
R Linking the Processes of Continual Improvement, Change Management, Risk Management, Action Planning, etc? Preventive Action and Continuous Improvement 5
D Risk management according to ISO 14971 - When to document risk controls? ISO 14971 - Medical Device Risk Management 10
J Software for Techfiles and Risk management ISO 14971 - Medical Device Risk Management 1
M Informational ISO TC 210 IEC SC 62A JWG 1 Medical device risk management – São Paulo meeting 2019 Medical Device and FDA Regulations and Standards News 6
M Medical Device News ISO TC 210 IEC SC 62A JWG 1 Medical device risk management – São Paulo meeting 2019 Medical Device and FDA Regulations and Standards News 0
D Where does FMEA fit in your ISO 14971 Risk Management process? ISO 14971 - Medical Device Risk Management 13
M Informational ISO TC 210 JWG 1 meeting in São Paulo – Revision of ISO 14971 and ISO TR 24971 – Medical Device Risk Management Medical Device and FDA Regulations and Standards News 0
T Risk Management Report as per MDR Requirements EU Medical Device Regulations 4
S Medical Device Cybersecurity Risk Management File ISO 14971 - Medical Device Risk Management 2
M Medical Device News Health Canada Notice of intent: Strengthening the post-market surveillance and risk management Canada Medical Device Regulations 1
Q Evidence of precautions (clinical evaluation report, risk management report) EU Medical Device Regulations 6
Q Risk / benefit Analysis in Risk Management Report CE Marking (Conformité Européene) / CB Scheme 12
A How to view supplier APQP timeline and do risk management APQP and PPAP 4
O Medical Device EMC Risk Management CE Marking (Conformité Européene) / CB Scheme 4
S ISO 13485:2016 - How I can integrate a risk management approach in our SOPs ISO 13485:2016 - Medical Device Quality Management Systems 1
B Time necessary for all Risk Management activities ISO 14971 - Medical Device Risk Management 2
W Virtual Manufacturer and Risk Management ISO 14971 - Medical Device Risk Management 3
O CQE Handbook - Missing Section VII - Risk Management Misc. Quality Assurance and Business Systems Related Topics 1
F Medical Device HACCP (Hazard Analysis and Critical Control Point) Risk Management ISO 14971 - Medical Device Risk Management 2
J Differences between a Risk Management Plan vs. Production Part Approval Process AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 3
M Free Risk Management Webinar - Design for Quality - May 2017 Risk Management Principles and Generic Guidelines 1
J Will this fulfill the AS9100D Risk Management Requirement AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 7
A Including all Processes in Risk Management - ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 8
F Risk Management vs. FMEA ISO 14971 - Medical Device Risk Management 11
T Using Risk Management in ISO 10993 - Medical Device Accessory 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
Q Risk Management - Additional Process in ISO 9001:2015? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
alonFAI How to define a Risk Based Approach for Supplier Management per ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 1
J What ever happened to Medical Device Risk Management, anyway? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 17

Similar threads

Top Bottom