Here’s a scenario that plays out more often than it should: a startup device company hires a contract manufacturer, hands off the build, and breathes a quiet sigh of relief. The contract manufacturer is ISO 13485 certified. They have their own QMS. Surely they’ve got this.
They do not “have this.” Or rather — they have their part of it, but the part that matters most to FDA still belongs entirely to you.
With the QMSR now in effect and ISO 13485:2016 incorporated by reference into 21 CFR Part 820, this is a good time to be precise about who is responsible for what when manufacturing is outsourced. The answer is more nuanced than “the contract manufacturer handles manufacturing compliance” — and the stakes of getting it wrong are entirely the legal manufacturer’s to bear.
First: What Do These Terms Actually Mean?
The term legal manufacturer doesn’t appear in the QMSR by that name, but the concept is well established: it’s the entity whose name appears on the device label, who holds the regulatory clearance or approval (your 510(k), PMA, or De Novo), and who is ultimately accountable to FDA for the device’s safety and effectiveness. If something goes wrong with the device, the legal manufacturer is the one receiving the 483 observations and the warning letters.
A contract manufacturer (CM) is an entity that performs specific manufacturing activities — fabrication, assembly, sterilization, packaging, or some combination — under contract from the legal manufacturer. The contract manufacturer may be ISO 13485 certified. They may have an excellent QMS. They are still, in the eyes of FDA, a supplier of a critical outsourced process.
The important distinction: both the legal manufacturer and the contract manufacturer may independently be subject to 21 CFR Part 820. If the contract manufacturer is manufacturing finished devices, they have their own QMS obligations. But the legal manufacturer’s oversight obligations don’t disappear because the contract manufacturer is also regulated. You cannot satisfy your supplier control requirements simply by pointing at your CM’s certification.
What the Legal Manufacturer Always Owns
Certain responsibilities live with the legal manufacturer regardless of how much manufacturing is outsourced. These are not transferable through a quality agreement. They are:
Regulatory submissions. The 510(k), PMA, or De Novo belongs to the legal manufacturer. The contract manufacturer’s name is not on it. If the submission needs to be updated because of a manufacturing change, that’s the legal manufacturer’s responsibility to evaluate and act on.
FDA establishment registration and device listing. The legal manufacturer must register with FDA and list their devices annually. The contract manufacturer registers their own establishment, but the legal manufacturer cannot outsource their own registration obligation.
The Design History File (DHF). Design responsibility — and the documentation that proves design controls were followed — stays with the legal manufacturer unless design activities were explicitly contracted out, and even then those activities must remain under the legal manufacturer’s QMS control. ISO 13485 Clause 7.3 is unambiguous that the organization is responsible for design and development, with outsourced design covered by Clause 4.1.5 controls.
Medical Device Reports (MDRs). Under 21 CFR Part 803, the legal manufacturer is the one required to submit MDRs to FDA for reportable adverse events. The contract manufacturer may surface information through the complaint handling process, but the legal manufacturer owns the MDR obligation. This is why your quality agreement must include provisions for the contract manufacturer to notify you promptly of any potential reportable events — including complaints they receive directly.
Complaint handling and post-market surveillance. The legal manufacturer’s complaint system is what §820.35 governs. The contract manufacturer may handle some service records, but the legal manufacturer must have a functioning complaint intake, investigation, and trending process. Complaint records — including those UDI fields we covered in the §820.35 post — belong in the legal manufacturer’s QMS.
Labeling. The device label must display the legal manufacturer’s name and address. As discussed in the §820.45 post, labeling control is one of the areas where FDA added requirements beyond ISO 13485. The legal manufacturer controls the label. The contract manufacturer executes the labeling process under documented procedures — but the legal manufacturer approves what goes on that label.
What ISO 13485 Clause 4.1.5 Requires
Under the QMSR, ISO 13485 is federal law (see §820.7), which means Clause 4.1.5 — the outsourced processes clause — carries the full weight of regulatory obligation.
Clause 4.1.5 requires that when an organization outsources any process that affects product conformity, it must ensure control over those processes. The controls must be:
- Proportionate to the risk involved — manufacturing a Class III implantable device requires more rigorous oversight than having a third party apply a barcode label
- Proportionate to the CM’s ability to meet requirements — a newly qualified supplier warrants closer monitoring than one with a decade of clean audits
- Documented in written quality agreements — not a handshake arrangement, not a purchase order with vague quality clauses
The quality agreement between a legal manufacturer and contract manufacturer should clearly define: scope of work and which QMS requirements apply to each party; who owns which records and where they are maintained; notification requirements for changes, deviations, and potential reportable events; acceptance criteria for released product; audit rights; and provisions for what happens when the CM goes out of business or is acquired. That last one gets skipped more often than you’d expect, and it tends to surface at the worst possible moment.
What the QMSR Changed — and What It Didn’t
The fundamental accountability structure — legal manufacturer bears ultimate responsibility — is unchanged from the old QSR. What the QMSR changes is the evidentiary environment around that accountability.
Under the old QSR, the §820.180(c) exemption meant that FDA generally could not inspect quality audit reports and supplier audit records. That exemption is gone. As we covered in the §820.35 post, your supplier audit reports are now available for FDA review. This means your contract manufacturer audit program — how often you audit, what you find, whether findings are addressed — is visible to investigators. A thin audit report for a critical CM, or a significant finding with no documented follow-up, is now an inspection risk.
ISO 13485 Clause 7.4 (purchasing controls) is also now legally binding through §820.7. The requirements for supplier evaluation, selection criteria, purchasing data, and verification of purchased product apply with the full force of the regulation — not as best practice, but as law.
Common Pitfalls Worth Avoiding
“They’re ISO 13485 certified, so we’re covered.” A CM’s ISO 13485 certification demonstrates that they have a functioning QMS. It does not satisfy the legal manufacturer’s Clause 4.1.5 control obligations. You still need a quality agreement, an audit program, and ongoing monitoring. The certification is useful input to your supplier evaluation; it is not a substitute for oversight.
Letting the CM own the Device Master Record. The DMR — the compilation of specifications, drawings, production procedures, acceptance criteria, and labeling required under ISO 13485 — must be accessible and controlled by the legal manufacturer. If your contract manufacturer holds the authoritative copy and your access to it depends on the contract relationship remaining intact, you have a serious continuity risk.
Insufficient design transfer documentation. The handoff from development to contract manufacturing is one of the highest-risk moments in the product lifecycle. ISO 13485 Clause 7.3.8 (design transfer) requires documented evidence that design outputs have been verified as suitable for manufacturing before transfer. This is not a one-time approval signature — it’s a documented process that captures what was transferred, how manufacturing feasibility was confirmed, and what the acceptance criteria are.
Not requiring the CM to notify you of changes. A contract manufacturer making a process change without notifying the legal manufacturer is a scenario that ends with regulatory consequences for the legal manufacturer. Your quality agreement must include unambiguous change notification requirements, including supplier-initiated changes that could affect device safety, performance, or regulatory status.
The Bottom Line
Outsourcing manufacturing is a legitimate business strategy and, done well, a perfectly compliant one. The QMSR and ISO 13485 don’t prohibit it — they establish the framework for doing it responsibly. That framework requires the legal manufacturer to maintain genuine, documented, risk-proportionate control over what the contract manufacturer does on their behalf.
Your name is on the label. Your name is on the 510(k). Your name is what FDA writes on the Form 483. The contract manufacturer is a critical partner, but they are not a regulatory firewall.
If you haven’t reviewed your quality agreements against the QMSR’s now-legally-binding ISO 13485 requirements — particularly Clauses 4.1.5 and 7.4 — that review is overdue. And if your agreements still reference the old QSR, it’s definitely time for an update.