Risk Management in Outsourcing Company

L

Luwak

#1
Our company provides production outsourcing services for another company. All product and process design is done by our customer and they also carry out a risk analysis. In this case, can we make a statement that for the involved products we do not carry out a risk analysis, since this is already done by the customer? If so, would it be advisable to include a statement that mentions that residual risk has been analyzed and found acceptable?

Thanks in advance!
 
Elsmar Forum Sponsor

somashekar

Staff member
Super Moderator
#2
Our company provides production outsourcing services for another company. All product and process design is done by our customer and they also carry out a risk analysis. In this case, can we make a statement that for the involved products we do not carry out a risk analysis, since this is already done by the customer? If so, would it be advisable to include a statement that mentions that residual risk has been analyzed and found acceptable?

Thanks in advance!
NO Sir ...
You will adopt the risk analysis and own it / review it to keep it current. As and when you are faced with changes, corrective actions, customer complaints., or a new risk is seen by you, which hitherto was not in consideration, you will update the risk analysis and communicate to the customer or communicate to the customer and get the risk analysis updated..
 

yodon

Staff member
Super Moderator
#3
NO Sir ...
You will adopt the risk analysis and own it / review it to keep it current.
Hmm.... I will respectfully disagree with somashekar. The product owner is the owner of the risk analysis. As a contributor to the product, you have an obligation to support those efforts. I will agree with somashekar in that you should definitely communicate any new information regarding risks / hazards to your customer.

You asked "can we make a statement that for the involved products we do not carry out a risk analysis" Where would you make such a statement and to what purpose? The contract with your customer should define your responsibilities in regards to risk analysis. I guess I'm asking what the genesis of the question is.
 

Richard Regalado

Trusted Information Resource
#4
Our company provides production outsourcing services for another company. All product and process design is done by our customer and they also carry out a risk analysis. In this case, can we make a statement that for the involved products we do not carry out a risk analysis, since this is already done by the customer? If so, would it be advisable to include a statement that mentions that residual risk has been analyzed and found acceptable?

Thanks in advance!
What if your customer is in say Canada and you are in say Syria. Can you honestly state that the risk assessment done by the customer is adaptable to your situation and environment?
 

somashekar

Staff member
Super Moderator
#5
Hmm.... I will respectfully disagree with somashekar. The product owner is the owner of the risk analysis. As a contributor to the product, you have an obligation to support those efforts. I will agree with somashekar in that you should definitely communicate any new information regarding risks / hazards to your customer.

You asked "can we make a statement that for the involved products we do not carry out a risk analysis" Where would you make such a statement and to what purpose? The contract with your customer should define your responsibilities in regards to risk analysis. I guess I'm asking what the genesis of the question is.
Let me clarify here that by "own" I mean that the risk analysis is under your document control system, even perhaps as a document of external origin. You will not disown risk analysis, but will be a participative partner to the extent of your review and use of the same in your production services.
 

Mikishots

Trusted Information Resource
#6
I'm in agreement with Yodon. Prequalification is the most common method of mitigating risk. It is understood that the owner of the product is ultimately responsible for the quality of the product. Of course, as Yodon mentioned, communication is key - the contract should clearly stipulate the conditions under which the subcontractor is to notify the product owner regarding events such as location change, main employee or organizational shift, new machines or other prcess equipment etc.
 
L

Luwak

#7
You asked "can we make a statement that for the involved products we do not carry out a risk analysis" Where would you make such a statement and to what purpose? The contract with your customer should define your responsibilities in regards to risk analysis. I guess I'm asking what the genesis of the question is.
Since we cannot exclude risk management from our quality system as a whole, we will need a risk management procedure. (we also make other products that we own completely and besides that I wonder if excluding risk management would be possible at all). I would say that in this procedure we describe how the risk management is carried out (FMEA etc.) and we refer to a list of products and their actual risk analyses. In this list we could make the mentioned statement for the products from our outsourcing customer.

Now for the analyses that are carried out by our customer, we can just include the simple statement as described, or we could copy and paste the risk analyses from our customer. The latter has several difficulties:
  1. Our customer is not willing to give us all the risk analyses. However, I think we can convince them if we can make a good case that we need them to be compliant.
  2. I have seen some examples of risk analysis from our customer and let's just say that they are not completely up to scratch.. I don't want to be in the position where I have to answer questions about these analyses since I am not responsible for them and I can't even make changes to them.
  3. If the risk management methodology is not exactly the same on our side and on customer's side, this can lead to confusion.
  4. As always with this kind of information, how are we going to arrange that we stay up to date with all the latest revisions..
We will inform our customer if there are changes on our side that affect the production process. We already have an agreement that obliges us to get permission for any change in the process. In such a case, customer should decide whether or not a new risk analysis has to be carried out.
 

Ronen E

Problem Solver
Staff member
Moderator
#8
Hi,

Sounds like your company is acting as a contract manufacturer (CM) in this instance, and at the same time it is also an independent legal manufacturer of medical devices.

I think you have 2 options wrt the CM device(s):

1. Exclude risk management altogether (unless spelled-out under the contract's scope), and, in Soma's words, "be a participative partner" in the clients RM process. Med dev CM are typically bound by regulation only via contract, flowing from their clients legal obligations. That would be the easiest route, but carries the risk of having 2 different quality levels in the organization - one for your own products and another for the CM'd ones.

2. Implement your RM procedures, to the last letter, on all your products, regardless of ownership. More work, but it'll streamline the operations and avoid the double standard and confusion / potential mistakes associated with it. Should you take such a path, the design owner's files could come very handy in your own process (the same way your manufacturing-related inputs would come handy for them).

Cheers,
Ronen.
 
L

Luwak

#9
Thanks Ronen, taking all input together I think we will decide on your option 1. Not only is it less work, I think it will actually reduce confusion since there will be no 2 risk analyses for the same product. If we carry out risk a analysis ourselves for the CM devices, in theory we could end with a different/worse conclusion than our customers.. and then what to do? And to be honest, our customers have much more expertise when it comes to application of the product and can therefore make a better assessment of the involved risks in that area.

The only thing that rests us to do is to put a clause in our agreements with the customers that they are responsible for the risk management and to update when there is any change or any action to be taken on our side as a result from this. This discussion made me realize that the agreements with our customers should probably have a more prominent role during audits to explain certain decisions about our quality system.
 

Nash27

Involved In Discussions
#10
:bigwave:
Hi Ronen, always feel good to ask you the Question:
We do contract manufacturing ideally repackaging bulk Class IIa non-sterile products in pharmacy display boxes. We have controlled environment, but not a clean room. In the TF I have risk analysis of those products received from the manufacturer.

At what level I should conduct my risk analysis?
Can I just write a plane risk management report and state possible risks and applied control?
How much importance I need to give to determine overall residual risk assessment?

Cheers

Nash
 
Thread starter Similar threads Forum Replies Date
B ISO 17025:2017 risk management Risk Management Principles and Generic Guidelines 0
S Risk Management Review ISO 14971 - Medical Device Risk Management 4
S Risk Management and other Files ISO 14971 - Medical Device Risk Management 8
silentmonkey Overall Benefit/Risk Analysis - Risk Management VS Clinical Evaluation ISO 14971 - Medical Device Risk Management 3
Aymaneh Medical Device Cybersecurity Risk Management IEC 27001 - Information Security Management Systems (ISMS) 2
A 21 CFR 820 - Risk Management - Looking for some guidance US Food and Drug Administration (FDA) 3
Sravan Manchikanti Software Risk Management & probability of occurrence as per IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 8
R Identify Medical Device characterstics as Annex C of ISO 14971 Risk Management ISO 14971 - Medical Device Risk Management 5
N Device Labeling - Medtronic Ventilator Files (Risk Management documents) Coffee Break and Water Cooler Discussions 2
T How do you define your Hazards? <a Risk Management discussion> ISO 14971 - Medical Device Risk Management 16
adir88 MDR requirement: Risk Management Plan for "each device" ISO 14971 - Medical Device Risk Management 5
D Risk Analysis & Technical File - What detail goes in the Risk Management Report ISO 14971 - Medical Device Risk Management 5
C AS9100 Rev D 8.1.1 & APQP - Operational risk management process AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 1
B ATP 5-19 "Risk Management" Misc. Quality Assurance and Business Systems Related Topics 2
N Risk Management besides mandated FDA requirements 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
M Identifying Hazards - Risk management process ISO 14971 - Medical Device Risk Management 6
R Risk Management in the Medical Device Industry ISO 14971 - Medical Device Risk Management 4
F Linking an ISO 31000 Risk management SOP to ISO 17025 ISO 17025 related Discussions 2
Ronen E The unbearable insensitivity of risk management language Other Medical Device and Orthopedic Related Topics 1
S ISO 14971 Risk Management - Questions for Hazard identification ISO 14971 - Medical Device Risk Management 2
M Risk/Benefit vs. benefit-risk - Revising an SOP covering Risk Management with the MDR in mind EU Medical Device Regulations 10
A Defining Expected Service Life in Risk Management File Reliability Analysis - Predictions, Testing and Standards 5
R Linking the Processes of Continual Improvement, Change Management, Risk Management, Action Planning, etc? Preventive Action and Continuous Improvement 5
D Risk management according to ISO 14971 - When to document risk controls? ISO 14971 - Medical Device Risk Management 10
J Software for Techfiles and Risk management ISO 14971 - Medical Device Risk Management 1
M Informational ISO TC 210 IEC SC 62A JWG 1 Medical device risk management – São Paulo meeting 2019 Medical Device and FDA Regulations and Standards News 6
M Medical Device News ISO TC 210 IEC SC 62A JWG 1 Medical device risk management – São Paulo meeting 2019 Medical Device and FDA Regulations and Standards News 0
D Where does FMEA fit in your ISO 14971 Risk Management process? ISO 14971 - Medical Device Risk Management 13
M Informational ISO TC 210 JWG 1 meeting in São Paulo – Revision of ISO 14971 and ISO TR 24971 – Medical Device Risk Management Medical Device and FDA Regulations and Standards News 0
T Risk Management Report as per MDR Requirements EU Medical Device Regulations 4
S Medical Device Cybersecurity Risk Management File ISO 14971 - Medical Device Risk Management 2
M Medical Device News Health Canada Notice of intent: Strengthening the post-market surveillance and risk management Canada Medical Device Regulations 1
Q Evidence of precautions (clinical evaluation report, risk management report) EU Medical Device Regulations 6
Q Risk / benefit Analysis in Risk Management Report CE Marking (Conformité Européene) / CB Scheme 12
A How to view supplier APQP timeline and do risk management APQP and PPAP 4
O Medical Device EMC Risk Management CE Marking (Conformité Européene) / CB Scheme 4
S ISO 13485:2016 - How I can integrate a risk management approach in our SOPs ISO 13485:2016 - Medical Device Quality Management Systems 1
B Time necessary for all Risk Management activities ISO 14971 - Medical Device Risk Management 2
W Virtual Manufacturer and Risk Management ISO 14971 - Medical Device Risk Management 3
O CQE Handbook - Missing Section VII - Risk Management Misc. Quality Assurance and Business Systems Related Topics 1
F Medical Device HACCP (Hazard Analysis and Critical Control Point) Risk Management ISO 14971 - Medical Device Risk Management 2
J Differences between a Risk Management Plan vs. Production Part Approval Process AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 3
M Free Risk Management Webinar - Design for Quality - May 2017 Risk Management Principles and Generic Guidelines 1
J Will this fulfill the AS9100D Risk Management Requirement AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 7
A Including all Processes in Risk Management - ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 8
F Risk Management vs. FMEA ISO 14971 - Medical Device Risk Management 11
T Using Risk Management in ISO 10993 - Medical Device Accessory 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
Q Risk Management - Additional Process in ISO 9001:2015? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
alonFAI How to define a Risk Based Approach for Supplier Management per ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 1
J What ever happened to Medical Device Risk Management, anyway? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 17

Similar threads

Top Bottom