Christian Rosenzweig

Let service providers take care of risk management?


Outsourcing risk management to service providers. Wouldn't that be convenient?

But is that allowed? And how much sense does it make anyway? Conversely, what should you as a service provider not be burdened with under any circumstances?

This article provides the answers. It suggests how manufacturers and service providers can divide their activities and gives practical tips for both.

1. Risk management for service providers

a) Which service it is about

Many medical device manufacturers use external companies, for example, for the

  • development of the entire device (OEM manufacturers could also be considered as such a developer),
  • development of components,
  • production of devices and components, or
  • sterilization.

b) Which risk management activities are concerned

ISO 14971 determines the activities involved in risk management. These include:

  • definition of the risk policy and the criteria for risk acceptance
  • identification of hazards
  • assessment of risks
  • definition and implementation of measures
  • verification of implementation and effectiveness of measures
  • review of all risk management activities

c) What is the challenge?

Service providers develop, produce, or process components and devices (e.g., clean or sterilize them). If errors occur during this process, the component and, therefore, the entire device may not behave as specified. For example, it could break, radiate, or be contaminated.

This leads directly or indirectly to hazards. There are hazardous situations and harms with a certain probability and severity – i.e. risks for patients, users, or third parties.

Several questions arise:

  • Which activities should and may the (legal) manufacturer have carried out by service providers in risk management?
  • What activities should the service providers be required to perform?
  • Who ultimately bears responsibility?

2. The ideal division

a) What service providers can do

A company must obviously be familiar with the component (or device) it is developing or producing on behalf of a customer. It must know,

  • what the specifications of this component or device are,
  • which behavior is not compliant with the specification,
  • what the causes of this misbehavior may be (e.g., architecture or inputs of the component), and
  • the probability of this misbehavior occurring.

It is precisely these analyses that the service provider should carry out. They are part of risk management.

b) What service providers cannot do (so well)

On the other hand, the service provider (in his role) is not an expert on the further chain of causes (see red line in Fig. 1): He cannot (as well) assess

  • how a defective component affects the device (if he is not the service provider for the entire device),
  • what harm a defective device can cause to patients, users, and third parties,
  • with what probability these harms occur and what severity they have (i.e., how big the risks are), and
  • whether these risks are acceptable.

In the post-market phase, the service provider typically only has information that is specific to his component or device.

c) Recommendation for the division of activities

For example, manufacturers and their contractors can divide risk management activities as follows:

The manufacturer remains responsible for every activity; the note after each activity states the extent to which the service provider can take it on:

  • Define risk acceptance criteria
    Service provider: depends on the benefit
  • Determine the device's benefits
    Service provider: originates from the clinical evaluation
  • Create a risk management plan
    Service provider: if applicable, for partial activities
  • Evaluate usability risks
    Service provider: only if it is the usability service provider
  • Identify causes for non-specification-compliant behavior of the device or component
    Service provider: only for the service provider's component; for the device, its architecture must be known
  • Identify hazards
    Service provider: assumes that the service provider knows the application and medical context
  • Assess risks
    Service provider: assumes that the service provider knows the medical context
  • Identify and evaluate production risks
    Service provider: only for the part produced by the service provider
  • Collect and evaluate information in the post-market phase
    Service provider: only for the service provider's component (collect rather than evaluate)

Tab. 1: Division of risk management activities between manufacturer and service provider

3. Tips

a) For service providers

Tip 1: Define cooperation with the manufacturer

Service providers should define rules for

  • Specification of the components (or device) to be developed or produced
  • Requirements for documentation (which is part of the service provider's output)

Contractors should not take on activities for which the necessary information or competence is lacking.

Tip 2: Use FMEA

For service providers, FMEA (dFMEA, pFMEA) is the most important method of "risk analysis."

Tip 3: Expand your portfolio

Companies that act as service providers for the development or production of medical devices can expand their services portfolio and support manufacturers in risk management as service providers (consultants).

However, this is a different role. It requires different competencies and insight into the device and its use.

b) For manufacturers

Tip 1: Clearly define cooperation

Manufacturers should take care to outsource activities "consistently." For example, the service provider developing a component should

  • document the component and its development, as well as its architecture
  • identify the possible causes and effects of faults in this component,
  • estimate the probabilities of these errors.

All this information is the output of the service provider and serves as input for the manufacturer, especially for risk management.

The input for the service provider consists of

  • the specification of the component to be developed,
  • specifications for the development,
  • documentation of the activities (i.e., specification of the output).

Quality assurance agreements usually define rules for this collaboration.

Tip 2: Remain realistic

The temptation is great to outsource everything to the contractors. However, the responsibility for the medical device remains with the manufacturer. It is therefore advisable to review the service providers as contractually agreed, e.g., as part of supplier audits.

Further information

Manufacturers are legally obliged to control their suppliers.

Tip 3: Describe the division in the risk management plan

Manufacturers must describe in the risk management plan which party carries out which activity as part of risk management.

4. Summary

Outsourcing often makes sense ...

Everyone should do what they do best. That's why it often makes sense for manufacturers to outsource activities such as the development, production or processing of components or entire devices to service providers.

Responsibility for the devices, however, remains with the manufacturer. Responsibility for risk management also remains with the manufacturer.

... if the service provider has the competence to do so

Manufacturers should, therefore, only outsource risk management activities to service providers to the extent that they have the necessary competence. This includes the competence to identify the causes and types of out-of-specification behavior of the components that the service provider develops, produces, or processes, as well as the probability of this out-of-specification behavior occurring.

However, this out-of-specification behavior is not the same as harm. Consequently, service providers support risk management but do not assess risks in the sense of ISO 14971.
