In the real world, many contract manufacturers perform the PFMEA
only. They think the legal manufacturer is responsible for the ISO 14971.
When you bring official responsibility into the picture, you need to consider:
1. What is the applicable regulatory (geographical) domain, and what are the applicable requirements.
2. What is spelled out in any written contract.
In relation to your statement:
- ISO 14971 (more accurately EN ISO 14971) is officially relevant in the EU, less in other domains.
- Even in the EU, EN ISO 14971 application is not mandatory.
- The legal manufacturer is indeed responsible for regulatory compliance in the vast majority of cases and issues.
- In some (rather rare) instances under the USA regulation the contract manufacturer bears the primary regulatory responsibility (however, that regulation doesn't have a blanket risk-management requirement, certainly not for ISO 14971 compliance)
- Much of the above can be altered by the specific manufacturing contract, which would then be binding for both sides (however, no such contract can relieve both sides from an explicit regulatory requirement).
FMEAs (and the likes) from contract manufacturers can and should be fed into the risk management process.