No, you really cannot perform risk management as expected by ISO 14971, in which case it’s really not applicable to you.
However, we might take care with some things.
First, it might be clear that, for each medical device, regulations expect that “someone” performs risk management activities per ISO 14971. This “someone” is the organization with responsibility for fulfilling regulatory requirements for the device – this changes in each regulatory system, but can be generally seen as the “owner” (I will use this from now on) of the device idea and design and who will sell the device. Just as an example, a lot of regulations call this entity the “manufacturer” of the device. If we make a quick link to ISO 13485, this entity is also responsible for the system.
Being responsible does not mean that you yourself need to perform the expected action (the right to perform is authority, and it can be delegated – in this case you are still responsible, but someone will act on your behalf).
So, what’s the case of a contract manufacturer?
Generally, contract manufacturers perform manufacturing activities on behalf of the device owner. The owner is still responsible for the manufacturing process; however, the contract manufacturer performs this process. The owner has to control the process, for example, in his quality system, as this “external” process is really the same as a process performed at the owner's plant.
And how do we see this in terms of ISO 14971? ISO 14971 (and the risk management process it details) is to be applied by the device owner. The owner is the only one who has:
1 – responsibility for performing this process,
2 – responsibility for the device lifecycle,
3 – a full view of the device lifecycle, including its intended use, which is required by the risk management process as the focus of the risk management process is – what harm can happen during device use that will harm people/property/environment?
So, the owner is responsible for the risk management process, and, although he can delegate the authority to perform the risk management process, the ones who perform the delegated process have to have the same “level” of knowledge as the owner or use the knowledge of the owner to perform the process.
On the other hand, the manufacturing process the contract manufacturer performs has to be part of the risk management process of the full device (meaning, from an ISO 14971 perspective, it’s expected that this process does not create other hazards/hazardous situations for the device, nor modify already estimated risks). As the contract manufacturer is the expert in his process, it’s really expected that the owner requires the help of the contract manufacturer to perform his risk management process.
Another problem here, and that might be related to the original question, is related to certification.
If you are a contract manufacturer and are, for some reason, seeking certification or have been certified to ISO 13485, it might be seen that YOU have to perform risk management activities, for example, as per ISO 14971.
The main problem with this is – neither ISO 13485 nor ISO 14971 is really intended to be applied by entities other than the device owner. For certification purposes, the CBs “bend” the objective of the standards a little to make it possible that entities other than device owners apply them, which creates a lot of those problems.
Anyway, even if you as a contract manufacturer are applying ISO 13485, I would say that you can define (and should try to convince your manufacturer) that risk management as required by ISO 13485 (which is for the whole medical device) is not your responsibility, and so you cannot really perform it. As a suggestion, you might perform a risk analysis of the process you perform, to be used as an input by the device owner, if the owner wants your input to perform his device risk management process.