ISO 14971 for contract manufacturer

We are a contract manufacturer of orthopedic implants. We have had a few customers require conformance to ISO 14971 in quality agreements. I think it is exceedingly difficult for us to comply. ISO 14971 requires maintaining a risk management file for the entire product lifecycle. However, we only perform the manufacturing phase of the product lifecycle. How would I evaluate and mitigate the design risks without a DHF? We have no access to any of the instrumentation utilized with these implants. How do I evaluate use risk without an understanding of the entire system of implants and instruments. How do I evaluate the risks related to labeling. I don't have the IFU or surgical technique guide.

Also, the risk management file must be evaluated and updated as necessary based upon post-market surveillance. However, we don't distribute the devices. We just send them to the legal manufacturer. We never receive any of the complaints or adverse events.

I suppose if the legal manufacturer shared all the necessary information with us, then we could prepare the risk management file for them. I guarantee that we would charge a lot for this consulting effort. I highly doubt any customer would want to do this. These requirements seem to be written into quality agreements without any real understanding of what ISO 14971 requires. Has anyone else had this experience? Of course, we can assist them with the risks related to manufacturing phase of the product lifecycle. We have pFMEAs that we could share that could assist with this. I seem to be spending more of my time trying to teach customers why ISO 14971 can't be applied in our circumstance. Some still want to insist on compliance to ISO 14971. I think that customers need to define responsibility for the risk management file in the quality agreement, rather then try to assign it to everyone. Anyone else have experience with this?

It should be a collaborative effort. They should have the basics (process, harms / severity, acceptability criteria, etc.). Your role, as you note, would likely be limited to a Process FMEA and then providing the production data for the postmarket analysis work.

This should be ironed out early in the contract and/or quality agreement. They cannot push everything on you since they are responsible for establishing acceptability. Indeed, the more they want to push on you, the more you should charge!

Your feedback should include production data. That can be used by the OEM as another input for risk. For example, if a high failure rate is seen at point X in production and it also matches complaint data in post market surveillance that's a clue to process improvements.

Agreed, we can participate in the development of the risk management file. We can provide valuable input on the risks related to the manufacturing of the device. However, I don't think this fulfills the requirement of the quality agreement which is requiring full compliance with ISO 14971. Wouldn't that mean that I have to demonstrate compliance to all clauses of the standard? As stated before, I don't think this is feasible.

Maybe, arguably, you are in full compliance for your parts?

If there's a question or concern, why not update the Quality Agreement?

Customer won't agree to change. Customer's always right, even when there wrong.