Outsourcing risk management to service providers. Wouldn’t that be convenient?
But is that allowed? And how much sense does it make anyway? Conversely, what should you as a service provider not be burdened with under any circumstances?
This article provides the answers. It suggests how manufacturers and service providers can divide their activities and gives practical tips for both.
1. Risk management for service providers
a) Which service it is about
Many medical device manufacturers use external companies, for example, for the
- development of the entire device (OEM manufacturers could also be considered as such a developer),
- development of components,
- production of devices and components, or
- sterilization.
b) Which risk management activities are concerned
ISO 14971 determines the activities involved in risk management. These include:
- definition of the risk policy and the criteria for risk acceptance
- identification of hazards
- assessment of risks
- definition and implementation of measures
- verification of implementation and effectiveness of measures
- review of all risk management activities
c) What is the challenge?
Service providers develop, produce, or process components and devices (e.g., clean or sterilize them). If errors occur during this process, the component and, therefore, the entire device may not behave as specified. For example, it could break, radiate, or be contaminated.
This leads directly or indirectly to hazards. Hazardous situations and harms then arise with a certain probability and severity, i.e., risks for patients, users, or third parties.
Several questions arise:
- Which activities should and may the (legal) manufacturer have carried out by service providers in risk management?
- What activities should the service providers be required to perform?
- Who ultimately bears responsibility?
2. The ideal division
a) What service providers can do
A company must obviously be familiar with the component (or device) it is developing or producing on behalf of a customer. It must know
- what the specifications of this component or device are,
- what behavior is not compliant with the specification,
- what the causes of this misbehavior may be (e.g., architecture or inputs of the component), and
- the probability of this misbehavior occurring.
It is precisely these analyses that the service provider should carry out. They are part of risk management.
b) What service providers cannot do (so well)
On the other hand, the service provider (in his role) is not an expert on the further chain of causes (see red line in Fig. 1): He cannot (as well) assess
- how a defective component affects the device (if he is not the service provider for the entire device),
- what harm a defective device can cause to patients, users, and third parties,
- with what probability these harms occur and what severity they have (i.e., how big the risks are), and
- whether these risks are acceptable.
In the post-market phase, the service provider typically only has information that is specific to his component or device.
c) Recommendation for the division of activities
For example, manufacturers and their contractors can divide risk management activities as follows:
Activity | Manufacturer | Service Provider | Comment |
Define risk acceptance criteria | X | | Depends on the benefit |
Determine the device's benefits | X | | Originates from clinical evaluation |
Create a risk management plan | X | (X) | If applicable for partial activities |
Evaluate usability risks | X | (X) | Only if usability service provider |
Identify causes for non-specification-compliant behavior of the device or component | X | X | Only for the service provider’s component; for the device, its architecture must be known |
Identify hazards | X | (X) | Assumes that the service provider knows the application and medical context |
Assess risks | X | (X) | Assumes that the service provider knows the medical context |
Identify and evaluate production risks | X | (X) | Only for the part produced by the service provider |
Collect and evaluate information in the post-market phase | X | (X) | Only for the service provider component (collect rather than evaluate) |
3. Tips
a) For service providers
Tip 1: Define cooperation with the manufacturer
Service providers should define rules for
- the specification of the components (or device) to be developed or produced, and
- the requirements for documentation (which is part of the service provider’s output).
Contractors should not take on activities for which the necessary information or competence is lacking.
Tip 2: Use FMEA
For service providers, FMEA (dFMEA, pFMEA) is the most important method of “risk analysis.”
Tip 3: Expand your portfolio
Companies that act as service providers for the development or production of medical devices can expand their services portfolio and support manufacturers in risk management as service providers (consultants).
However, this is a different role. It requires different competencies and insight into the device and its use.
b) For manufacturers
Tip 1: Clearly define cooperation
Manufacturers should take care to outsource activities “consistently.” For example, the service provider developing a component should
- document the component and its development, as well as its architecture,
- identify the possible causes and effects of faults in this component, and
- estimate the probabilities of these errors.
All this information is the output of the service provider and serves as input for the manufacturer, especially for risk management.
The input for the service provider consists of
- the specification of the component to be developed,
- specifications for the development,
- documentation of the activities (i.e., specification of the output).
Quality assurance agreements usually define rules for this collaboration.
Tip 2: Remain realistic
The temptation is great to outsource everything to the contractors. However, the responsibility for the medical device remains with the manufacturer. It is therefore advisable to review the service providers as contractually agreed, e.g., as part of supplier audits.
Manufacturers are legally obliged to control their suppliers.
Tip 3: Describe the division in the risk management plan
Manufacturers must describe in the risk management plan which party carries out which activity as part of risk management.
4. Summary
Outsourcing often makes sense …
Everyone should do what they do best. That’s why it often makes sense for manufacturers to outsource activities such as the development, production or processing of components or entire devices to service providers.
Responsibility for the devices, however, remains with the manufacturer. Responsibility for risk management also remains with the manufacturer.
… if the service provider has the competence to do so
Manufacturers should, therefore, only outsource risk management activities to service providers to the extent that the providers have the necessary competence. This includes the competence to identify the causes and types of out-of-specification behavior of the components that the service provider develops, produces, or processes, as well as the probability of this out-of-specification behavior occurring.
However, this out-of-specification behavior does not correspond to harm. Consequently, service providers support risk management but do not assess risks in the sense of ISO 14971.