Under MDR Article 10(9) and Annex IX, the legal manufacturer is fully responsible for devices placed on the market, even when production runs at a contract manufacturer. EN ISO 13485:2016+A11:2021 clause 4.1.5 requires you to identify, control, and monitor every outsourced process as if you were doing it yourself, and clause 7.4 binds you to documented purchasing controls and supplier agreements.
By Tibor Zechmeister and Felix Lenhard.
TL;DR
- MDR Article 10(9) makes the legal manufacturer accountable for a QMS that covers the entire device lifecycle, including work performed by contract manufacturers.
- EN ISO 13485:2016+A11:2021 clause 4.1.5 requires documented control of any outsourced process, proportionate to its effect on the device.
- Clause 7.4 requires written purchasing controls and supplier agreements that define responsibilities, specifications, change notification, and records access.
- A CMO is not a regulatory shield. Non-conformities found at a CMO during a notified body audit become your non-conformities.
- Notified bodies can, and do, audit at CMO sites when an outsourced process is critical to conformity.
- A lean startup can run a compliant CMO relationship with one quality agreement, one scorecard, and a scheduled on-site visit.
Why this matters
Most MedTech startups do not own a cleanroom. They do not own an injection moulder, a PCB assembly line, or a sterile packaging sealer. They design the device, write the software, run the clinical evaluation, and then pay a contract manufacturer to produce the physical product. That is a perfectly legitimate business model, and under MDR it is explicitly allowed.
What is not allowed is thinking the CMO absorbs your regulatory risk. The name on the Declaration of Conformity is yours. The CE mark is yours. If the CMO's sterilisation validation is wrong, the field safety corrective action is yours to run. Founders who misread this produce clean-looking technical files and then fail Stage 2 audits when the notified body asks to see the evidence that controls at the CMO actually work.
This post walks through how MDR Article 10(9) and Annex IX assign responsibility, how EN ISO 13485 clauses 4.1.5 and 7.4 operationalise it, and what a lean quality agreement plus ongoing oversight actually looks like in a ten-person startup.
What MDR actually says
MDR Article 10(9) requires manufacturers of devices, other than investigational devices, to establish, document, implement, maintain, keep up to date and continually improve a quality management system that ensures compliance in the most effective manner and in a manner proportionate to the risk class and type of device. The article lists the aspects that the QMS must address, including resource management, risk management, clinical evaluation, product realisation, and verification of UDI assignments. There is no carve-out for outsourced work. Everything in Article 10(9) applies whether the process runs in your building or at a contract manufacturer's building.
MDR Annex IX sets out conformity assessment based on a QMS and assessment of technical documentation. When a notified body audits under Annex IX, the scope of that audit includes sites where critical processes take place. If your sterilisation is outsourced, the notified body can audit the sterilisation site. If your final assembly is outsourced, they can audit the assembler. The notified body's certificate will reflect this scope.
EN ISO 13485:2016+A11:2021 clause 4.1.5 states that the organisation shall ensure control over any outsourced process that affects product conformity to requirements. The control shall be proportionate to the risk involved and the ability of the external party to meet the requirements, and shall include quality agreements where applicable.
EN ISO 13485:2016+A11:2021 clause 7.4 (purchasing) requires the organisation to establish criteria for evaluating and selecting suppliers, to evaluate and select suppliers based on their ability to supply product that meets specified requirements, to monitor and re-evaluate suppliers, and to ensure that purchased product meets specified purchase requirements. Purchasing information shall describe the product to be purchased, including product requirements, acceptance criteria, competency requirements, and QMS requirements where relevant.
Plain-language translation: if someone outside your company does something that affects whether the device is safe and performs as intended, you must (a) pick them on documented criteria, (b) write down what they owe you, (c) monitor whether they deliver it, and (d) be able to prove all of the above to a notified body.
A worked example
A seven-person cardiovascular startup in Graz has a Class IIb reusable surgical instrument. They design it. They do not manufacture it. They work with three external parties:
- A German precision machining shop that produces the stainless-steel components.
- An Austrian cleanroom assembler that puts the device together and does final cleaning.
- A Belgian ethylene oxide sterilisation provider that sterilises finished devices in validated loads.
The founder's first instinct is to treat these as "suppliers" and move on. During the readiness review before Stage 1, the notified body scope letter comes back with all three sites listed as "critical subcontractors" and flagged for potential on-site audit.
Here is what the startup does:
Machining shop. Quality agreement covers raw material certificates, dimensional tolerances traced to the design output drawings, first article inspection per lot, change notification before any process change, and access for notified body audits. The shop is evaluated annually based on defect rate and on-time delivery.
Cleanroom assembler. Quality agreement covers cleanroom environmental monitoring, a validated cleaning process (with the validation protocol jointly reviewed), operator training records, batch records retained for the required period, and a joint deviation handling process. The assembler is re-qualified every two years with an on-site visit.
ETO sterilisation provider. Quality agreement references the sterilisation validation (with protocols owned jointly), bioburden monitoring frequency, load release criteria, and parametric release conditions where applicable. A formal sterilisation dossier sits in the technical file, co-signed by both parties.
When the notified body conducts the Stage 2 audit, they spend one day at the startup's office and one day at the cleanroom assembler. They ask to see the quality agreement, the supplier scorecard, the last three deviations at the assembler and how the startup handled them, and the batch records for the last commercial lot. Because the startup treated the assembler as an extension of their own QMS rather than a black box, the audit closes with two minor findings, both on the startup side, none at the assembler.
That is the picture you are aiming for.
The Subtract to Ship playbook
You do not need a forty-page supplier quality manual. You need the minimum that actually controls risk and is defensible to a notified body. Here is the lean version.
1. Classify each external party by impact on conformity. Critical, major, minor. Critical means the work directly affects safety or performance (sterilisation, final assembly, software coding of a regulated module). Major means the work affects conformity but is covered by downstream checks (machining of a component that is 100% inspected on receipt). Minor means commodity (office supplies, generic screws). Only critical and major need quality agreements. Put this classification in one spreadsheet.
2. Write one quality agreement template and adapt it per supplier. The template covers: scope of work, applicable specifications, change control (supplier must notify you before any process, material, or location change), deviation and non-conformance handling, CAPA coordination, records retention, subcontracting rules (supplier cannot subcontract critical work without your written approval), right of audit including by your notified body and competent authorities, and confidentiality. One template, one signature loop per supplier. Done.
3. Replace re-qualification theatre with a real scorecard. Track four metrics per critical supplier: defect rate, on-time delivery, deviations opened and closed, change notifications received. Review quarterly. A 30-minute meeting with yourself and your head of quality is enough. Trigger re-qualification (on-site visit, re-approval) when metrics drift or when the supplier signals a significant change.
4. Put the CMO inside your QMS, not next to it. The CMO's batch records feed your design history and device history records. Their deviations trigger your CAPA process. Their operators are trained against your work instructions (or they demonstrate equivalence in theirs). This is what clause 4.1.5 means by "control proportionate to risk." A cleanroom assembler touches every finished device, so the control is tight. A screw vendor does not, so the control is receiving inspection and a data sheet.
5. Plan the notified body's visit to the CMO before it happens. When you prepare for your Stage 2 audit, write to each critical CMO, tell them the audit window, confirm their availability, and remind them which documents you may need to show the auditor. No CMO should be surprised by an audit landing on their reception desk. That is a founder conversation you cannot delegate.
6. Do not over-promise on paper. If the quality agreement says "weekly production reports" and you actually read them once a quarter, a notified body will find that gap in ten minutes. Write agreements you will actually execute.
This whole system can live in one shared folder: classification spreadsheet, quality agreement per critical supplier, scorecard per critical supplier, and an annual management review section that reviews supplier performance. That is clauses 4.1.5 and 7.4 done honestly, without a bureaucracy that will strangle you.
Reality Check
- Do you have a written list of every external party that performs work affecting product conformity, classified by impact?
- Does every critical supplier have a signed quality agreement that covers change control, records access, and audit rights?
- Can you produce a supplier scorecard for each critical CMO for the last four quarters?
- If your notified body asked to audit your sterilisation provider next week, would the provider be ready and contractually obliged to cooperate?
- Are deviations at your CMOs flowing into your CAPA system, or are they dying in the CMO's own QMS?
- Have you verified that no critical CMO has subcontracted work without your knowledge?
- Does your management review include supplier performance as a standing agenda item?
- Is your classification of suppliers proportionate to the risk of the device, or is it copy-pasted from a template?
Frequently Asked Questions
Does the CMO need its own ISO 13485 certificate? Not mandatorily, but it helps. If a critical CMO holds EN ISO 13485:2016+A11:2021 certification, your supplier evaluation burden is lighter because an accredited body has already assessed their QMS. If they do not, you must assess them yourself more deeply and more often. Either way, the legal responsibility under MDR Article 10(9) stays with you.
Can my notified body refuse to audit a CMO that will not cooperate? Yes. And they will typically refuse to issue or maintain your certificate if they cannot audit a critical subcontractor whose work is in scope under Annex IX. This is why right of audit must be in the quality agreement before you sign.
What happens if the CMO changes a process without telling me? That is a contractual breach and a regulatory problem. Your quality agreement should require advance notification of any process, material, equipment, or site change. If an unauthorised change is discovered, you open a non-conformance, assess impact on product already shipped, and decide whether a field action is needed.
Do I need a quality agreement with a component distributor? Usually no, if the distributor is not performing any process on the product. A purchase order with agreed specifications and change notification terms is typically enough. The threshold is clause 4.1.5's "affects product conformity."
How deep should the quality agreement be for a small CMO? Proportionate to risk, not to CMO size. A ten-page agreement with a tiny but critical sterilisation provider is more defensible than a fifty-page agreement with a commodity supplier.
Who owns the process validation at a CMO? You do, as the legal manufacturer. The CMO may execute the validation protocols, but you are responsible for reviewing, approving, and owning the results. Put this explicitly in the quality agreement.
Related reading
- MDR Supplier Control Under ISO 13485 – how supplier control fits into the wider QMS.
- Supplier Qualification Under MDR and ISO 13485 – criteria and methods for qualifying new suppliers.
- Working With CMOs as an MDR Startup – operational side of running a CMO-based production model.
Sources
- Regulation (EU) 2017/745 on medical devices, consolidated text. Article 10(9), Annex IX.
- EN ISO 13485:2016+A11:2021, Medical devices. Quality management systems. Requirements for regulatory purposes. Clauses 4.1.5, 7.4.