
Outsourcing: A Blueprint for GMP Compliance

You can customize a GMP strategy that meets FDA requirements and the specific needs of your unique outsourcing situation.

Kevin M. Randall

March 1, 2008




Outsourced medical device production offers a manufacturer the opportunity to enhance its production bandwidth, its technological capabilities, and ultimately, its profit margins. It is no surprise then that outsourcing continues to be an increasingly common business strategy used in today's U.S. medical device marketplace. In fact, it was deduced that outsourcing accounted for the production of approximately 20% of all devices sold in the United States during 2005 amid an estimated $4.4 billion contract manufacturing market [1]. Looking ahead to 2010, the market for outsourced manufacturing is estimated to grow at 15% annually [1].

Many firms are outsourcing the fabrication of devices destined for the U.S. market. Properly managing the current good manufacturing practice (GMP) requirements set forth in FDA's quality system regulation is a critical part of any successful outsourcing business endeavor. Yet pinpointing the applicable GMP obligations can be tricky. Every outsourcing scenario has unique aspects that affect stakeholder GMP responsibilities. For example, some manufacturers keep part of the process in-house and outsource the rest. Other manufacturers outsource the entire production process to a second party. Some may even outsource the design and development process.

As industry grapples with outsourcing GMP challenges, some interesting trends are developing. Overall, supplier control problems are on the rise [2]. And FDA is stepping up enforcement in response to increased product recalls, nonconforming devices, and FDA warning letters related to inadequate control of outsourcing [3].

When assessing outsourcing GMP obligations, it is important to remember that variability from one scenario to the next precludes the use of a canned approach. No two outsourcing GMP compliance plans are identical, but the thought process is always the same. This article suggests a blueprint intended to help tailor a customized GMP strategy to meet the needs of a company's own unique outsourcing situation.

Blueprint Overview


Figure 1. Managing GMP tasks during outsourcing.

When preparing to tackle the GMP puzzle associated with an outsourcing effort, it helps to keep in mind a broad overview of how to manage the process. Figure 1 shows four important logistical milestones to help address the right GMP tasks and issues at the right time.

The milestones in Figure 1 as well as the nuts and bolts of the GMP-compliance blueprint are discussed in more detail in the following sections. But one thing is worth mentioning immediately: All parties involved in the outsourcing process should strongly consider waiting to finalize the business contract between the stakeholders until it is known precisely which GMP obligations apply to each stakeholder. When outsourcing is involved, it is vital to unambiguously incorporate the respective GMP responsibilities into the contract because of the collaborative effort that is necessary to maintain safe and effective medical devices.

Define Stakeholder Roles and Assess Risk

To properly manage the many GMP implications in an outsourcing arrangement, it is critical at the outset to clearly identify all stakeholders and the exact roles each will play. This is essential because the nature, extent, and resulting risk of the roles played by each stakeholder dictate which GMP requirements apply, and to what degree. Primary stakeholders in outsourcing relationships are the OEM and the contract manufacturer (CM), each assuming the roles that most benefit its business goals.

The outsourcing effort should be managed within the context of a modern and active risk management program such as one fashioned after ISO 14971 [4]. One way to systematically estimate the risk associated with the proposed outsourcing arrangement is to do a failure mode and effects analysis (FMEA) for the device and for the outsourced process. A baseline residual risk can then be recorded in the risk management system and monitored as the product and outsourcing arrangement evolve. As discussed later in this article, residual risk is an important factor in tailoring the proper GMP solutions for each stakeholder.

Which Stakeholders Are Subject to GMP?

The GMP requirements applicable to medical devices intended for U.S. commercialization are codified in Title 21, Code of Federal Regulations (CFR) part 820—Quality System Regulation (QSR). It is important to note that QSR in this article refers to the entire regulation. It should not be confused with the QSR that is used to define quality system record in 21 CFR 820.186.

The GMP requirements found in the QSR apply to domestic and foreign manufacturers of finished medical devices unless there is an approved exemption in effect as codified in 21 CFR 862 to 892 or in 21 CFR 820.30(a). Manufacturers of components as defined by 21 CFR 820.3(c) are also exempt from the QSR pursuant to 820.1(a)(1), but are encouraged to use the QSR as a guide. It is important to consult an FDA guidance document or a competent GMP expert to help formally determine whether the stakeholders in a particular situation are in fact engaged in the manufacture of finished medical devices or whether they instead qualify for any GMP exemptions.

Many thought-provoking questions can arise when considering GMP requirements in today's diverse outsourcing marketplace. For example, what does it really mean to be a manufacturer of finished medical devices? Does this only apply to the OEM who developed the device and whose name and branding are on the label? Is an OEM still a finished device manufacturer even if it only performs initial fabrication of nonfunctional subassemblies prior to handing off to a contract manufacturer that finishes the process? And what about the contract fabricator that is merely performing fabrication on the OEM's behalf? Do finished device manufacturers include companies hired to perform device sterilization? What if a third party acquires concurrent marketing rights from the OEM by which the third party relabels and sells the device under its own brand?



To find the right answers to these questions, start by looking at some key definitions from FDA (see the sidebar, “Definitions”). In light of common contemporary outsourcing arrangements, note the additional explanations for specification developers and relabelers from FDA definitions and guidance.

Most OEMs meet the definition of specification developer. Consequently, the OEM also qualifies as the finished device manufacturer even though the company may perform no manufacturing. Obviously this distinction bears considerably on the GMP obligations of the OEM.

In many cases, the contract manufacturer to which the OEM entrusts production also meets the definition of finished device manufacturer based on the nature of the delegated operations. Consequently, such a contractor is also subject to GMP requirements along with the OEM. Indeed FDA may hold both the OEM and contractor jointly responsible for the GMP requirements applicable to the activities performed depending on the circumstances [5].

Also apparent from these FDA definitions is that a third party that private-labels or own-brands an OEM's product by replacing the OEM's name, artwork, and brand name with its own versions does not become a specification developer in the traditional sense. Such a third party is instead defined as a relabeler if it performs the rebranding operations itself, whereas if the OEM performs the rebranding operations for the third party, the third party is called a private label distributor. Per the FDA definitions, a relabeler is a finished device manufacturer that is consequently subject to GMP requirements. Distributors, however, are typically exempt from GMP requirements.

Note also that the exemption in the relabeler definition refers to a distributor that merely adds its name to existing OEM or own-brander labeling without making any other changes. This interpretation is in light of FDA guidance stating that a distributor that only adds a label bearing its name and address is exempt from the GMP requirements [5]. Care should be taken not to confuse the GMP-exempt activities of such distributors with the GMP-eligible activities of a true relabeler.


Table I. Applicability of GMP to outsourcing stakeholders.

Table I provides a list of some common outsourcing stakeholders and whether they are typically subject to GMP.

With an understanding of how to decide whether a stakeholder is subject to GMP, another question arises: What specific GMP tasks apply to each stakeholder given the fact that there may be multiple stakeholders in the outsourcing partnership who are concurrently subject to GMP?

What GMP Tasks Apply to Each Stakeholder?

The Underlying Philosophy. The QSR (section 820.1) says that if a manufacturer engages in only some operations subject to GMP requirements, and not others, the manufacturer only needs to comply with those requirements that are applicable. This provides a place to start when assessing division of responsibilities among the stakeholders; and at first glance it seems pretty straightforward. But remember that FDA will in some cases hold OEMs and their contract manufacturers jointly responsible for certain GMP requirements [5].

To realize a practical action plan for managing outsourcing GMP, combine the flexibility of the QSR with a dose of GMP common sense and a genuine interest in protecting public health. The leeway offered by the QSR allows manufacturers to determine the need for, and extent of, the GMP solutions adopted. QSR preamble comment 13 illustrates this by stating that the extent of the documentation necessary to meet the regulation requirements may vary with the complexity of the design and manufacturing operations, the size of the firm, the importance of a process, and the risk associated with the failure of the device, among other factors. At a fundamental level, this means a GMP strategy should be tailored commensurate with the risk associated with the particular processes and devices involved. For example, if the FMEA for the device or for the outsourced process indicates a moderate or high level of residual risk, the GMP solutions would need to be more extensive than if the FMEA indicates a low level of residual risk. And don't forget: As the life cycle of the device progresses, the applicable GMP solutions may need to be revised if there are changes in residual risk.

In addition, all GMP decision-making should be anchored by an awareness that the OEM or the remanufacturer is ultimately responsible for establishing and maintaining control of device quality, safety, and efficacy. This remains true whether device processing is farmed out or done totally in-house. A sobering illustration of this is the scenario when a device recall is deemed necessary because of poor device quality due to contract manufacturing GMP problems. In such a case, the manufacturer identified on the label is the one who bears ultimate responsibility for the recall and corrective action even if the contract manufacturer is at fault.

A Case Study. Consider a firm that, to date, has done all manufacturing tasks in-house for its sterile device. A change has been proposed whereby subassembly fabrication will be kept in-house, but a contract manufacturer will now do final device fabrication, packaging, labeling, and sterilization. Finished devices will then be returned for final distribution.

This case study is particularly interesting because, at project inception, the original manufacturer has already established GMP solutions corresponding to total in-house manufacturing. For example, the existing device master record (DMR), device history records (DHR), equipment qualifications, and process validations were all done on the basis of in-house production and sterilization. So this means that, in addition to the fundamental task of identifying the GMP requirements applicable to each stakeholder, the outsourcing team is also faced with the challenge of the transitional GMP requirements that accompany making significant changes to existing production and quality practices. The rest of the article demonstrates how the GMP issues were approached in the case study.

Getting Started. To ensure that all specific GMP obligations are accounted for, it helps to systematically consider all elements of the QSR and then map them to the roles played by each finished device manufacturer in the outsourcing chain. This paves the way to devising specific GMP solutions that address each area of relevance.

A review of the QSR reveals many sections that are relevant to support a conversion to outsourcing. But there are two sections in particular that form the backbone of an overall GMP compliance plan:

  • 820.30(i) Design changes.

  • 820.50 Purchasing controls.

Maintain Adequate Change Control. Inadequate change control exposes a company to product liability actions, results in product recalls, and causes internal confusion. It is also a serious violation of the QSR [5]. So how should such a major series of changes be approached and organized? The most savvy quality system pros always look at the whole picture when addressing any GMP issue.

When doing so for Class III, Class II, and some Class I devices, it becomes apparent that the design control process is where the device and its production processes were originally birthed, tested, and approved. FDA guidance confirms that design control includes the design of the device and the associated manufacturing processes [6]. Further, design control applies not just to the design of products and processes, but also to changes in existing designs and processes [5]. For many devices, this makes it apparent then that an effective way to ensure a state of control during the outsourcing transition is via QSR section 820.30(i) design changes.

This explanation may leave some wondering what role is played by QSR section 820.70(b) Production and Process Changes. FDA's Guide to Inspections of Quality Systems states that 820.30(i) design change control is in fact linked to, and is redundant with, 820.70(b) [7]. So for all Class III, Class II, and some Class I devices, it's clear that a conversion to outsourcing is in fact a design control issue. For manufacturers whose Class I devices are exempt from design controls, QSR section 820.70(b) still applies and requires careful control of the change. But by forgoing voluntary design controls, such Class I manufacturers miss out on the logistical and business benefits offered by design controls, as alluded to later in this article.

So who should champion the design change? The specification developer is ultimately responsible for the design change effort because design controls are outside the scope of the manufacturing activities performed by the contract manufacturer. Typically (as in the case study), the OEM is the specification developer. This means the OEM must sponsor, orchestrate, and ensure full documentation of the design change. All of the documentation must then be included or referenced in the design history file and must be maintained by the OEM.


Design Change Checklist

Use 820.30(i) Design Changes to Drive the GMP Plan. The design control subsystem can be a powerful tool during the outsourcing effort. The cascading effects inherent with design controls enable a systemic, organized, and fluent transition. Proper application of design controls during outsourcing provides a natural way to address many key GMP obligations applicable to the outsourcing stakeholders. See the sidebar, “Design Change Checklist,” for a demonstration of key items to address during the design change.

A review of the design change checklist reveals that many of the GMP tasks applicable to the OEM and contract manufacturer become apparent somewhat automatically in the context of an effective design control effort. For example, the design change mechanism prompted activity on more than 80% (20 out of 24) of the QSR sections applicable to the scenario in the case study discussed earlier.

GMP Obligations. A contract manufacturer that qualifies as a finished device manufacturer is independently accountable to FDA for its respective GMP obligations. But remember that the OEM, and where applicable the remanufacturer, bear ultimate responsibility to ensure overall device quality. So it is important to ensure close collaboration between the OEM and contract manufacturer throughout the duration of the outsourcing arrangement.

For instance, it's often a practical necessity for the OEM and the contract manufacturer to work closely to accomplish design output, verification, and validation even though the OEM (as the specification developer) bears primary responsibility for these tasks. It's also strongly recommended that a collaborative approach be taken to the many GMP responsibilities identified during the design change. For example, the parts of the DMR that directly pertain to the outsourced processes should be jointly developed and maintained, with the stipulation that the OEM has primary authority over all DMR changes.

What about process validation? For instance, does responsibility fall on the OEM or on the contract manufacturer to validate the sterilization process? The OEM is ultimately responsible for the validation of the process used to sterilize its devices, but it's a common and accepted practice to delegate portions of the validation study to the contract sterilizer [5]. Such delegation is handled via written agreement. The OEM may even delegate the entire validation task to the contract manufacturer if the contract manufacturer is hired for its particular fabrication expertise. But the OEM still retains primary responsibility for the adequacy of the validation and, therefore, must ensure that the contract manufacturer's validation work fully satisfies the requirements called out in QSR section 820.75.

It's hard to imagine meeting these goals without a solid relationship between the OEM and the contract manufacturer. The bottom line is that, to maintain device quality, it's imperative that the OEM rely not just on FDA enforcement to ensure that the contract manufacturer meets its respective GMP obligations. Instead, the purchasing controls mechanisms integrated into the OEM's own quality system should be the primary means of ensuring that the contract manufacturer maintains GMP conformity.

Purchasing Controls Are a Cornerstone. Stakeholder collaboration (or lack thereof) can have a considerable effect on device quality. This is ultimately why it is prudent to finalize the outsourcing contract only after knowing precisely which GMP tasks will apply to each stakeholder. All respective GMP assignments should be plainly incorporated into the contract to ensure that all parties know what is expected.

As with the design control obligations discussed earlier, it is the specification developer (i.e., the OEM) that bears primary responsibility to meet these QSR purchasing control requirements. Note also that QSR preamble comment 100 states that this remains the case even when the contract manufacturer is a “sister facility” or some other corporate or financial affiliate. The following paragraphs give guidance on purchasing controls.

Establish Requirements. Use the contract to formally establish the requirements, including quality requirements, to be met by the contract manufacturer. In the case study, a detailed purchasing requirements checklist was used to direct contract development. The checklist contained nearly 30 GMP-related elements. Some of the important topics in the list include the following:

  • CM general quality system requirements.

  • OEM and CM responsibilities regarding the GMP deliverables pinpointed via the design change effort.

  • Utilization of preexisting test/validation data.

  • Joint maintenance of documentation.

  • Change control and authority.

  • Failure investigation of defective devices or processes.

  • Closed-loop corrective action.

  • Surveillance of the CM by the OEM.

  • Other requirements to be met by the stakeholders.

Evaluate the Contract Manufacturer. Via audit or other means by qualified personnel, objectively assess the contract manufacturer's ability to meet the requirements specified in the contract [820.50(a)(1)].

Define Control. Based on assessment results and the weight of the contract manufacturer's contribution, define the type and extent of control to be exercised over the contract manufacturer in order to maintain device quality [820.50(a)(2)]. In making this determination, the residual risk associated with the particular devices and processes involved should carefully be considered.

Approve the Contract Manufacturer. Document the approval of the contract manufacturer if found to be acceptable based on the 820.50(a)(1) assessment [820.50(a)(3)].

Set Purchasing Specifications. Establish the specifications that must be met in order to authorize the purchase of services from the contract manufacturer. This is essentially the prerequisite for approving the purchase of contract manufacturing services [820.50(b)].

Monitor the Outsourcing Relationship. After identifying specific GMP assignments, finalizing the contract, and ensuring initial compliance by all stakeholders, the relationship must be carefully monitored to ensure that GMP requirements continue to be met as the relationship evolves. The evaluations called for in section 820.50(a)(1) are a primary part of such monitoring and should be sponsored by the specification developer. Given the complexities associated with outsourcing GMP issues, it is important to use an assessor who is grounded in the subject and who has the training and experience to properly evaluate stakeholder compliance.

How frequently, and to what extent, should the OEM evaluate its contractor? Comment 99 of the QSR preamble gives some insight by indicating that the degree of control to be exercised over the contract manufacturer may vary with the type and significance of the services provided and their effect on device quality. Once again it's evident that a comprehensive risk management program is vital to any contemporary quality system maintenance effort. In a scenario like the case study—the outsourcing of significant parts of sterile device production—it is recommended that the contract manufacturer be evaluated on-site at least annually.

Finally, as shown in the work flow diagram in Figure 1, the entire process starts over again when the monitoring program reveals changes in stakeholder roles or risk.


GMP compliance in the United States is dynamic by design to account for a limitless variety of devices and business configurations. No two GMP compliance plans are the same, but they are all based on the same fundamental principles and laws. The solutions suggested in this article may not address all relevant GMP requirements applicable to a situation and are not meant to be the only possible means of meeting GMP requirements during outsourcing.

On a final note, remember that in addition to GMPs, other key regulatory requirements may apply to outsourcing stakeholders. Regulatory mishaps at any point in the outsourcing chain can compromise the business objectives of all involved. The outsourcing team must have the proper insights to ensure that each stakeholder has properly met these additional regulatory hurdles.

Kevin Randall is president of GlobalReg Compliance Associates Inc. (Erie, CO), a medical device consulting firm specializing in worldwide regulatory compliance and quality systems.


1. B Dunn, Market Opportunities in Outsourcing (Boston: Covington, 2007).

2. F-D-C Reports, “The Silver Sheet,” (vol. 11, no. 5, May 2007, www.thesilversheet.com).

3. F-D-C Reports, “The Silver Sheet,” (vol. 11, no. 1, January 2007, www.thesilversheet.com).

4. International Organization for Standardization (ISO), ISO 14971:2007, Medical devices – Application of risk management to medical devices (2nd ed., 2007-03-01).

5. HHS/CDRH, Publication FDA 97-4179 – Medical Device Quality Systems Manual: A Small Entity Compliance Guide (1st ed., December 1996).

6. FDA/CDRH, Design Control Guidance for Medical Device Manufacturers (March 11, 1997).

7. FDA, Guide to Inspections of Quality Systems (August 1999).

Copyright ©2008 Medical Device & Diagnostic Industry
