Legal Manufacturer in Medical Devices: Deep-Dive Guide to Duties, Evidence, and Supplier Control
A regulator-aligned, practical guide for medical devices including SaMD. Clarifies what a legal manufacturer is (and isn’t), contrasts with contract manufacturers, and adds clinical-evidence nuance, risk traceability, economic-operator controls, and US QMSR alignment.
Legal Manufacturer — Definition & Scope
The legal manufacturer (EU “manufacturer”; US “manufacturer/labeler”) is the entity that places the device on the market under its name and holds ultimate legal responsibility for conformity throughout design, production, labeling, distribution, and post-market surveillance. QMS ownership and market-access obligations sit here.
- QMS: ISO 13485-aligned system covering design through post-market.
- Conformity: Technical documentation, risk management, clinical/performance evidence, labeling, UDI, registration.
- Accountability: Responsibility remains even when activities are outsourced.
What the Legal Manufacturer Is Not
- Not a job title: Production or “manufacturing lead” is an operational role, not the legal entity.
- Not transferred by outsourcing: Contracting design/production does not shift legal responsibility.
- Not always the physical maker: In OEM/private-label arrangements, the name on labeling/DoC is decisive.
Legal Manufacturer vs Contract Manufacturer — Summary
| Aspect | Legal Manufacturer | Contract Manufacturer (Critical Supplier) |
|---|---|---|
| Accountability | Ultimate regulatory responsibility | Executes under quality agreement; no market-placing liability |
| Identification | Name/address on labeling, DoC, registrations | Named in supplier files/agreements |
| QMS Role | Owns QMS; sets supplier controls | Operates under its QMS + customer requirements |
| Authority Interface | Leads with NB/authorities | Supports evidence on request |
| Outsourcing | May outsource; keeps liability | Performs defined processes/SOPs |
Clinical Evaluation Nuance (EU) — What Auditors Probe
Evidence Expectations
- Plan and report per current EU guidance for clinical evaluation/performance evaluation (legacy and new devices).
- Claims-to-evidence mapping: each clinical claim or indication links to specific endpoints and datasets.
- Gap handling: justify equivalence limits and post-market data where applicable; avoid over-claiming.
Practical Controls
- Single “Claim Register” referencing CER/PEP sections and study IDs.
- Review cadence aligned to PMS/PMCF and NB conditions.
- Marketing/website checks to prevent claims creep beyond evidence.
Tip: Many findings arise from weak linkage between intended purpose/indications, clinical evidence, and public claims. Keep the traceability explicit and version-controlled.
Risk Management Traceability (ISO 14971 → V&V → Labeling → PMS)
| Element | Trace To | Audit-Ready Proof | Common Pitfalls |
|---|---|---|---|
| Hazards & Harms | Design inputs; risk controls | Risk file with control rationale | Unverified controls; vague harms |
| Risk Controls | V&V protocols/reports | Objective evidence, acceptance criteria | Controls not tested as implemented |
| Residual Risk | Labeling, IFU warnings | Benefit-risk summary, user info | Warnings not aligned to residuals |
| Signals | PMS/PMCF, CAPA | Trend thresholds, closed CAPA | Poor trending; weak feedback loops |
EU MDR/IVDR — Core Duties of the Legal Manufacturer
System & Documentation
- ISO 13485-aligned QMS.
- Annex II/III technical documentation; GSPR mapping; usability; clinical/performance eval; PMS.
- Labeling control & UDI; EUDAMED preparedness.
Actors & Responsibilities
- PRRC ensures pre-release checks, up-to-date TD/DoC, PMS/vigilance execution.
- Authorized Representative (AR) (if non-EU): verification, documentation access, authority interface.
- Importers/Distributors: ensure they are aware of their obligations and that traceability is maintained.
Economic Operators — Role Clarity & Documentation Access
Access Model
- Role-based portal/DMS: controlled access to labeling masters, DoC, UDI, vigilance contacts.
- Version control and immutable logs for regulator spot checks.
- Defined turnaround SLAs for documentation requests (AR/importers).
Periodic Compliance Checks
- Annual importer/distributor attestations to obligations.
- Sample checks on labeling/UDI application in the field.
- Escalation path for non-conformities; records retention plan.
US QMSR — Alignment with ISO 13485 and Practical Nuances
What Aligns
- Risk-based QMS structure; management responsibility; purchasing controls.
- Design controls, verification/validation, complaint handling, CAPA.
- Labeler UDI responsibilities and GUDID stewardship.
Nuance & Enforcement Focus
- Human factors/usability documentation where risk warrants.
- Software risk controls and cybersecurity evidence appropriate to device risk.
- Quality of complaint trending; timely Medical Device Reporting (MDR) and field-action processes.
Supplier Qualification, Audits & Escalation
Risk-Based Qualification
- Criticality scoring: impact on safety/performance, detectability, substitution options.
- Initial audits or objective evidence packages for critical suppliers.
- Quality agreements with change-control, KPIs, and audit rights.
Periodic Audits
- Frequency by risk (e.g., 12–36 months); more frequent if issues trend up.
- Escalation triggers: repeat NCs, late responses, complaint spikes.
- Documented follow-up: CAPA, effectiveness checks, re-audit.
Records & Retention
- Supplier files: approvals, audits, scorecards, change notices, training records.
- Retention aligned to device life and regulatory expectations.
- Continuity planning (second source) for high-risk items/services.
Technical Documentation, Labeling & UDI — Operational Controls
| Area | Purpose | Audit-Ready Practices |
|---|---|---|
| Intended Purpose/Indications | Anchor class & evidence | Claim register; consistent wording across IFU, submission, website |
| Labeling & IFU | User & regulatory info | Version control; translations; residual-risk warnings aligned to risk file |
| UDI | Traceability | Device ID governance; EUDAMED/GUDID data accuracy; field verification |
| Registration | Market access | Timely updates; AR/US Agent details where required |
Software, SaMD & Cybersecurity — Practical Integration
Lifecycle Integration
- IEC 62304 scaled to safety class; architecture, risk, V&V, maintenance.
- IEC 62366-1 usability evidence where use-related risks impact safety/performance.
- Configuration/change control tied to claims and risk.
Security Operations
- IEC 81001-5-1 processes; threat modeling and secure design inputs.
- SBOM/VEX practice; coordinated disclosure; patch/update policy with PMS tie-in.
- Cloud/service suppliers assessed when safety, performance, or data integrity can be impacted.
Clause Crosswalk — Fast Audit Reference
| Topic | EU MDR/IVDR (examples) | ISO 13485 (examples) | US (examples) |
|---|---|---|---|
| Manufacturer responsibilities | Article 10; PRRC — Article 15; TD — Annex II/III | §4–8 (QMS; design; purchasing; control of records) | QMSR alignment; establishment reg/listing; UDI labeler duties |
| Clinical/performance evaluation | Annex XIV (MDR); IVDR performance eval; current MDCG guidance | §7.3 (design & development inputs/outputs/verification/validation) | 510(k)/De Novo/PMA evidence suitable to risk and claims |
| Supplier controls | Article 10(9) QMS obligations | §7.4 Purchasing controls; supplier evaluation & monitoring | Risk-based purchasing; documented evaluation; complaint linkage |
| Risk management | GSPRs (Annex I); risk reduction principles | §7.1 planning; link to ISO 14971 risk management | Design controls; risk-based approach under QMSR |
| PMS & vigilance | PMS/PMCF; PSUR/SSCP where applicable | §8 measurement, analysis, improvement; feedback/complaints/CAPA | Complaint handling; MDR reporting; field actions |
Note: Cite your exact clauses/guidance and revision dates in internal SOPs and submission cover letters. Keep a controlled “cross-reference index” for auditors.
Quick Checklists
Are you the Legal Manufacturer?
- Your name/address on labeling/IFU & Declarations.
- You own QMS and technical documentation.
- You own the NB/authority interface; AR appointed if non-EU.
- PMS/vigilance/control of economic operators in place.
Before Market Submission
- Intended purpose/indications consistent across IFU, submission, website.
- Claims ↔ evidence matrix complete; GSPR/QMSR mapping done.
- Supplier agreements/audits current; validations complete.
- UDI & registrations (EUDAMED/GUDID) ready; access model set for AR/importers.
Compliance note: This guide is informational and does not replace laws, standards, guidance, or regulator/Notified Body decisions. Always apply the current official texts and guidance applicable to your device, class, and markets.