Outsourcing risk management to service providers. Wouldn't that be convenient?
But is that allowed? And how much sense does it make anyway? Conversely, what should you as a service provider not be burdened with under any circumstances?
This article provides the answers. It suggests how manufacturers and service providers can divide their activities and gives practical tips for both.
Many medical device manufacturers use external companies, for example, for the
ISO 14971 determines the activities involved in risk management. These include:
Service providers develop, produce, or process components and devices (e.g., clean or sterilize them). If errors occur during this process, the component and, therefore, the entire device may not behave as specified. For example, it could break, radiate, or be contaminated.
This leads directly or indirectly to hazards. Hazardous situations and harm can then occur with a certain probability and severity, i.e., risks arise for patients, users, or third parties.
Several questions arise:
A company must obviously be familiar with the component (or device) it is developing or producing on behalf of a customer. It must know,
It is precisely these analyses that the service provider should carry out. They are part of risk management.
On the other hand, the service provider (in his role) is not an expert on the further chain of causes (see red line in Fig. 1): He cannot (as well) assess
In the post-market phase, the service provider typically only has information that is specific to his component or device.
For example, manufacturers and their contractors can divide risk management activities as follows:
Activity | Manufacturer | Service Provider | Comment |
Define risk acceptance criteria | X | | Depends on the benefit |
Determine the device's benefits | X | | Originates from clinical evaluation |
Create a risk management plan | X | (X) | If applicable for partial activities |
Evaluate usability risks | X | (X) | Only if usability service provider |
Identify causes for non-specification-compliant behavior of the device or component | X | X | Only for the service provider's component; for the device, its architecture must be known |
Identify hazards | X | (X) | Assumes that the service provider knows the application and medical context |
Assess risks | X | (X) | Assumes that the service provider knows the medical context |
Identify and evaluate production risks | X | (X) | Only for the part produced by the service provider |
Collect and evaluate information in the post-market phase | X | (X) | Only for the service provider component (collect rather than evaluate) |
Tab. 1: Division of risk management activities between manufacturer and service provider
Service providers should define rules for
Contractors should not take on activities for which the necessary information or competence is lacking.
For service providers, FMEA (dFMEA, pFMEA) is the most important method of "risk analysis."
Companies that act as service providers for the development or production of medical devices can expand their services portfolio and support manufacturers in risk management as service providers (consultants).
However, this is a different role. It requires different competencies and insight into the device and its use.
Manufacturers should take care to outsource activities "consistently." For example, the service provider developing a component should
All this information is the output of the service provider and serves as input for the manufacturer, especially for risk management.
The input for the service provider consists of
Quality assurance agreements usually define rules for this collaboration.
The temptation is great to outsource everything to the contractors. However, the responsibility for the medical device remains with the manufacturer. It is therefore advisable to review the service providers as contractually agreed, e.g., as part of supplier audits.
Manufacturers are legally obliged to control their suppliers.
Manufacturers must describe in the risk management plan which party carries out which activity as part of risk management.
Outsourcing often makes sense ...
Everyone should do what they do best. That's why it often makes sense for manufacturers to outsource activities such as the development, production or processing of components or entire devices to service providers.
Responsibility for the devices, however, remains with the manufacturer. Responsibility for risk management also remains with the manufacturer.
... if the service provider has the competence to do so
Manufacturers should, therefore, only outsource risk management activities to service providers to the extent that they have the necessary competence. This includes the competence to identify the causes and types of out-of-specification behavior of the components that the service provider develops, produces, or processes, as well as the probability of this out-of-specification behavior occurring.
However, this out-of-specification behavior does not correspond to harm. Consequently, service providers support risk management but do not assess risks in the sense of ISO 14971.