Original Publication: 

The Empirical Value of Risk Management

Surveys indicate that the number of vendors and suppliers that seek to obtain risk management compliance certifications is growing. The trend may mean good news for OEMs.  

Two important standards define the quality systems used in the medical device industry: ISO 13485:2003 and ISO 14971:2000 (up for revision in 2007). These standards specify the important requirements for process and software validation, as well as risk management. 

First, Do No Harm 

Hippocrates' risk management directive from Epidemics, to “first, do no harm,” forms a fundamental basis for decision making in a medical context. The benefits of a risk-based approach to quality systems are significant. These benefits are the primary reason that the concept was documented in ISO 14971 and formally introduced to medical device quality systems via ISO 13485.

     Previously, the quality system regulation and quality system standards seemed to suggest that risk-related processes were primarily encountered in the design and development departments of device companies. However, with the publication of ISO 13485:2003, risk management has become a requirement for essentially all product realization activities. Guidance on the implementation of ISO 13485 (ISO/TR 14969) indicates that risk management activities draw from, and can affect the performance of, quality management system activities that are even outside of product realization. In fact, guidance developed by the Global Harmonization Task Force (SG3/N15R8), along with statements by FDA, confirms the broader application of risk management.

     In 2003, the Regulatory Affairs Professionals Society (RAPS) published an update predicting the impending effects of ISO 13485:2003 and ISO 14971:2000 for product and service outsourcing, including: 

• Vendor risk management

• Definition of critical vendor

• Risk-based vendor audits

• Risk management for professional services

     According to the update, “There is tremendous opportunity for companies to use 13485…to improve product quality and enhance business performance.” 

     Certification to ISO 13485 among critical vendors is often referred to as quality system parity, indicating an equivalent level of quality system certification between manufacturer and supplier. Research shows that such equivalency is a key qualification to support risk management requirements and business process improvement initiatives. 

     More than one-third (36%) of the total supplier base to medical device manufacturers has ISO 13485:2003 certification. Perhaps more importantly, ISO 13485 certification among nonexempt suppliers (suppliers of components such as springs and molded parts that are not exempt from destructive and incoming inspection) is more than 50%.¹

     Figure 1 shows the current percentage of suppliers certified to ISO 13485. Figure 2 shows that additional suppliers plan to seek such certifications within the next 12–24 months. Although certification to ISO 13485 is not necessarily a guarantee of competence, the growth of quality system parity across all classes of critical suppliers indicates the value of certification for both finished-device manufacturers and their suppliers. 

Hip to Risk 

The hip implant is among the most successful medical devices ever introduced and, in many ways, this device is emblematic of the medical device industry in general. Specifically, aging populations in the United States, Europe, and Japan mean a growing market for total hip replacements (along with other devices). However, more replacements also mean more risk. For instance, the American Academy of Physical Medicine and Rehabilitation forecasts that the annual number of total hip replacements will increase by more than 60% over the next 30 years (from approximately 234,000 procedures in 2004). Although these procedures represent an opportunity for improved quality of life, they also represent potential patient harm, which heightens the public visibility of the device industry.

     Increased visibility and perception of risk can often lead regulators to take more-conservative approaches and interpretations. Evidence of this can be found in the recent up-classification of hip implants to Class III. Standards such as ISO 13485:2003 and ISO 14971:2000 have codified this risk-based approach for every facet of a device company’s operations that touch the quality system. 

The Rise of Outsourcing 

One area that provides evidence for the expanding influence of risk management is supplier qualification and control. Outsourcing in the medical device industry enjoys unprecedented growth. Although powerful economic forces are driving the move to outsourcing, companies are still faced with stringent regulatory requirements—largely as a matter of definition under ISO 13485 and ISO 14971. 

     Specifically, ISO 13485:2003 addresses the responsibility of the manufacturer when it states:  

     The processes required by this International Standard, which are applicable to the medical device(s) [and IVDs], but which are not performed by the organization, are the responsibility of the organization, and are accounted for in the organization’s quality management system. 

     In other words, outsourced processes are governed by the same standards that govern the quality system of the manufacturer, including validation, audits, and risk management. ISO 14971 (directly referenced in the 13485 standard) goes one step further when, in section 2.6, it defines the manufacturer as the “natural or legal person with responsibility for the design, manufacture, packaging, or labeling of a medical device, assembling a system, or adapting a medical device before it is placed on the market and/or put into service, regardless of whether these operations are carried out by that person himself or on his behalf by a third party.” From the standpoint of the accepted risk management standard, therefore, the device manufacturer and the contract supplier are considered one and the same. 

     Manufacturer responsibility for outsourced operations is clearly defined under ISO 13485 and ISO 14971, especially for critical services such as design, manufacture, packaging, and labeling. The appropriate execution of this responsibility is further defined by notified bodies and FDA through audit feedback and written guidance. 

Quality System Parity and Supplier Risk Management 

With the growth of outsourcing and the associated regulatory requirements, an increasing emphasis has been placed on quality system parity between manufacturer and supplier. In fact, registrars such as TÜV Rheinland actively encourage manufacturers to source from suppliers that are ISO 13485 certified. Their belief is that supplier certification to ISO 13485 should be sufficient for qualification. 

     According to Notified Body Guidance (NB-MED)/2.5/Rec1, when auditing, notified bodies are instructed to consider “whether there is sufficient evidence provided of the competence of the subcontractor to undertake supply of the part, material, or service in relation to the medical device(s) in question” and specifically, “the control exercised by the manufacturer over the subcontractor and the certification held by the subcontractor.” In addition to use for CE mark audits, these recommendations have also been adopted by Health Canada in its CMDCAS audits. 

     Also, notified bodies are instructed to take into account relative supplier risk by considering the following: 

• Whether the subcontractor has a substantial involvement with the design or production of the device.

• Whether the subcontractor is undertaking the supply of a part, material, or service that may affect the compliance of the device with the essential requirements. 

     Captured in this assessment are obvious suppliers such as contract manufacturers and sterilization suppliers, as well as less-obvious services such as language translation. For instance, according to notified body KEMA Quality B.V., because of certain compliance implications for devices and diagnostics, notified bodies should consider translation as an outsourced service subject to the same scrutiny as other suppliers. Notified bodies must subject medical translation providers to the vendor risk management considerations of ISO 13485 and ISO 14971.

     The combination of risk management requirements and enforcement pressure has produced a steady increase in certification to ISO 13485 among critical suppliers. Equally important, the growth of quality system parity among nonexempt component suppliers indicates the value of risk management across all supplier classes. Evidence of this development was recently confirmed through industry surveys. 

Assessing Empirical Value 

Results of two separate industry surveys recently conducted by Crimson Life Sciences indicate that supplier certification to ISO 13485 has reached record highs since its introduction.¹ According to the surveys (a total of 429 supplier companies participated, spanning a broad range of product and service types), certification to ISO 13485:2003 has grown to 36%. Moreover, nearly 20% of suppliers who are currently certified to ISO 9001 have plans to obtain ISO 13485 certification within the next two years.

     Underlying this overall growth are some surprising specifics. At one point industry experts, including notified bodies, typically believed that ISO 13485 certification would be found primarily with OEM contract manufacturers (who are required to certify) and other exempt suppliers. (Exempt suppliers provide services such as sterilization and welding that are exempt from destructive testing.) In these cases, quality system parity is an important means to demonstrate conformance with essential requirements. 

     However, the survey results indicate that more than half (55%) of ISO 13485 certifications are attached to nonexempt suppliers. Because their product specifications are validated as part of the manufacturer’s acceptance activities, these companies are not required to certify. However, these companies now make up a majority of ISO 13485–certified suppliers in part because of the risk management value inherent in certification. 

Quality System Parity—More than Just Risk Management 

The rapid growth of quality system parity between manufacturers and suppliers indicates its significant value to both. There are several benefits to OEMs of supplier certification to ISO 13485. These include increased supplier control, audit support, improved risk management, and more-efficient supply chains. 

     Increased Supplier Control. One obvious means to increase supplier control and decrease risk is to hold suppliers to the same standard as the manufacturer. In fact, most manufacturer supplier surveys include a specific reference to ISO 13485—a clear message to potential vendors regarding the value of certification. 

     Audit Support. The costs and risks associated with notified body inspection of suppliers can be substantially reduced if the auditor is satisfied that the supplier has been properly qualified. A certified quality system can provide important evidence in this regard. 

     Improved Risk Management. A risk-based quality systems approach (as defined by ISO 14971) at the supplier level supports effective risk management at the manufacturer level. In addition, ISO 13485 requirements for process validation and software validation mean that these important risk management issues are also addressed at the supplier level.  

     Supply-Chain Efficiency. Reduced inspection requirements and regulatory overhead provide a more-efficient supply chain. Quality system parity between manufacturer and supplier is the most direct route to achieving these benefits. 

Is Parity Sufficient? 

In many cases, quality system parity may not be enough. On one hand, manufacturers are under intense pressure to satisfy auditors, which is partially why ISO 13485 omits the requirement for continual improvement contained in the closely related ISO 9001 standard. 

     On the other hand, suppliers do not enjoy this same luxury, and manufacturers typically expect conformity combined with continual improvement. For this reason, suppliers often certify to ISO 13485 to demonstrate quality system parity and certify to ISO 9001 to demonstrate commitment to delivering ongoing value. 

Are All Certifications Equal? 

When judging the value of a supplier’s certification, manufacturers should determine who has audited and registered the supplier. Industry experts recommend asking the following questions: 

• Does the supplier’s registrar appear on the FDA list of accredited third parties, www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfthirdparty/accredit.cfm?

• Is the supplier’s registrar associated with a notified body?

     Registrars who meet these prerequisites provide the best assurance of audit quality and quality system parity.


The growing importance of risk management can be observed in standards (ISO 13485:2003 and ISO 14971:2000), enforcement policies, and industry trends (supplier certification to ISO 13485). The value of risk management is clear through the prevalence of quality system parity among suppliers—even those whose compliance is voluntary. 


1. Marc H. Miller, “Quality System Parity Research Synopsis and White Paper” (Brighton, MA: Crimson Medical Translation, 2007).

Research Available from Crimson 

The research referenced in this article (Quality System Parity, Research Summary & White Paper) is available free of charge in the Resources/Regulatory Updates section of the Crimson website (www.crimsonlanguage.com). 

About the Author 

Marc H. Miller is the President of the Crimson Life Sciences division of TransPerfect Translations. Crimson is the only translation organization in the world certified to ISO 9001:2000, ISO 13485:2003, and endorsed to ISO 14971:2000. Crimson’s translation risk management processes have received official Notified Body endorsement and are patent pending. Crimson is the world’s largest translation practice devoted exclusively to Class II and Class III medical devices and List A and List B IVDs. TransPerfect is the world’s largest privately held, diversified language services provider with 44 offices worldwide. 

More information, regulatory guidance, industry publications, and valuable resources (including Crimson’s online Labeling Symbols Library) can be found at: www.crimsonlanguage.com.


