CDMO Quality Agreement RACI for Sub-Tier Suppliers: Defining Accountability Across the Supply Chain

How to structure RACI matrices in CDMO quality agreements for sub-tier supplier control — defining who is responsible, accountable, consulted, and informed across OEM, CDMO, and sub-tier suppliers under ISO 13485, FDA QMSR, and EU MDR.

Ran Chen
Global MedTech Expert | 10× MedTech Global Access
2026-05-11 · 13 min read

The Problem Nobody Owns Until It Fails

When a medical device fails because of a sub-tier supplier's material change, the FDA does not issue a warning letter to the sub-tier. It issues the warning letter to the device manufacturer. When an EU Notified Body finds a gap in sub-tier control, the non-conformity is written against the legal manufacturer's QMS, not the CDMO's and not the sub-tier's. The regulatory chain of accountability is linear: the legal manufacturer is responsible to the regulator, the CDMO is responsible to the legal manufacturer, and the sub-tier is responsible to the CDMO. But the quality agreements that govern these relationships are often ambiguous about who does what, who approves what, and who gets notified when something changes. That ambiguity is where failures begin.

This guide addresses a specific structural gap in medical device supply chains: how to use RACI (Responsible, Accountable, Consulted, Informed) matrices in CDMO quality agreements to define clear accountability for sub-tier supplier management. It covers what RACI means in this context, which activities need RACI definition, how to handle the most contentious areas (audit rights, change control, deviation management), and what regulators expect to see when they inspect your agreements.

Why Sub-Tier Supplier Control Is a Regulatory Priority in 2026

Three converging forces make sub-tier supplier control more important now than at any point in the last decade:

FDA QMSR enforcement. Effective February 2, 2026, the FDA's Quality Management System Regulation incorporates ISO 13485:2016 by reference. ISO 13485 Clause 7.4 requires control over purchased products and services, and this control extends through the supply chain. The FDA's inspection program (Compliance Program 7382.850) evaluates whether manufacturers have adequate purchasing controls, including control of sub-tier suppliers. Early 2026 data shows that purchasing controls remain among the top five areas cited in FDA warning letters.

EU MDR Notified Body scrutiny. EU MDR Article 23 and Annex I GSPR 14.2 require manufacturers to demonstrate control over the entire supply chain contributing to device safety. Notified Bodies are conducting deeper supply chain audits, requesting evidence that manufacturers know who their sub-tier suppliers are, what they supply, and how they are controlled.

Supply chain disruptions and geopolitical risk. The US BIOSECURE Act, post-COVID supply chain disruptions, and raw material shortages have forced many CDMOs to change sub-tier suppliers. Each change creates a potential quality impact that must be evaluated and controlled. Without clear RACI definitions, these changes happen without the OEM's knowledge.

What RACI Means in a CDMO Quality Agreement

RACI is a responsibility assignment matrix that defines, for each activity, four roles:

  • Responsible (R): The party that performs the activity. They do the work.
  • Accountable (A): The party that has final approval authority and bears accountability for the activity being done correctly. There should be exactly one Accountable party per activity.
  • Consulted (C): Parties whose input is sought before the activity is completed. Two-way communication.
  • Informed (I): Parties who are notified after the activity is completed. One-way communication.

In the context of CDMO quality agreements with sub-tier suppliers, the typical parties involved are:

  • OEM (the legal manufacturer, your company)
  • CDMO (the contract manufacturer)
  • Sub-tier supplier (a supplier to the CDMO, providing materials or services that end up in your device)
  • Quality Unit (OEM) (your quality team, which may have separate RACI assignments from your operations team)
  • Quality Unit (CDMO) (the CDMO's quality team)

The ISPE discussion paper on implementing lifecycle validation practices at CMOs explicitly recommends RACI diagrams for defining roles and responsibilities between Marketing Authorization Holders (the equivalent of OEMs) and CMOs, including for process validation, technology transfer, and ongoing manufacturing activities.

The Regulatory Basis for Sub-Tier Control

Before building the RACI matrix, understand what the regulations actually require:

ISO 13485:2016 Clause 7.4

Clause 7.4.1 requires the organization to establish documented criteria for the evaluation, selection, monitoring, and re-evaluation of suppliers, based on the effect of the purchased product on the quality of the medical device. The organization must plan controls based on the results of this evaluation.

Clause 7.4.2 requires purchasing information to include, as appropriate, requirements for approval of product, requirements for supplier QMS, and requirements for notification of changes.

Clause 7.4.3 requires verification of purchased product.

The standard does not explicitly say "sub-tier suppliers," but GHTF SG3/N17 guidance (which is the interpretive framework for ISO 13485 purchasing controls) states: "The controls may extend further if a supplier subcontracts work." This is the regulatory basis for requiring your CDMO to control its sub-tier suppliers and for requiring transparency into those controls.

FDA QMSR

Under QMSR, the FDA evaluates compliance with ISO 13485 requirements as incorporated into 21 CFR Part 820. FDA has historically cited inadequate supplier controls as a top finding, and the agency's position is clear: the legal manufacturer cannot delegate regulatory responsibility through a contract. You can outsource the work, but you cannot outsource the accountability.

EU MDR

The EU MDR requires manufacturers to exercise control over their supply chain as part of their quality management system. Notified Bodies will review how you control your CDMO's suppliers and whether you have adequate visibility into sub-tier changes.

GHTF/IMDRF SG3/N17

This guidance document, "Guidance on the Control of Products and Services Obtained from Suppliers," is the foundational document for supply chain control in medical devices. It states that the manufacturer "cannot relinquish (contractually or otherwise) its obligation and responsibility over any or all functions within the quality management system." This means that even though the CDMO manages the sub-tier supplier, the OEM must have defined mechanisms to ensure adequate control.

Building the RACI Matrix: Activity by Activity

The following sections define the key activities that need RACI assignment in a CDMO quality agreement covering sub-tier suppliers. For each activity, the recommended RACI is provided along with the rationale.

Sub-Tier Supplier Selection and Qualification

Activity: Identifying and qualifying sub-tier suppliers for critical materials or services.

Activity OEM CDMO Sub-tier
Sub-tier identification and qualification C R
Approval of sub-tier for critical materials A R
Sub-tier quality system assessment I R/A C

Rationale: The CDMO performs the work of finding and qualifying sub-tier suppliers (R). The OEM must approve (A) the use of sub-tier suppliers for critical materials — this is non-negotiable for risk management. The OEM should be consulted (C) during qualification for non-critical materials and informed (I) of the results.

The CCI Supplier Quality Agreement template explicitly states: "Supplier shall implement and maintain sub-tier supplier control. Control measures shall be sufficient to ensure that sub-tier suppliers' manufacture, package, label, test and release of Products are consistent with this Quality Agreement."

Contentious point: CDMOs often resist giving the OEM approval authority over sub-tier suppliers, arguing that this gives the OEM too much control over the CDMO's operations. A practical compromise: the OEM approves sub-tier suppliers for critical materials (those directly affecting device safety), and is merely informed about sub-tier suppliers for non-critical materials. The line between critical and non-critical should be defined in the quality agreement based on the risk management file.

Change Control at the Sub-Tier Level

Activity: Changes at the sub-tier supplier that could affect material quality.

Activity OEM CDMO Sub-tier
Change notification (sub-tier to CDMO) I R
Change impact assessment (CDMO) I R/A
Change impact assessment (critical) A R
Approval to implement change A R

Rationale: This is the most critical RACI in the entire agreement. The sub-tier notifies the CDMO of a change (R). The CDMO assesses impact (R/A for non-critical, R for critical). For any change affecting critical material specifications, the OEM must assess impact (A) and approve implementation (A).

The Helmer Scientific supplier quality agreement template states: "Prior to implementing changes, including changes requested by sub-tier Suppliers, Suppliers must notify [OEM] according to section 7.14.5 of this agreement."

Contentious point: The key disagreement is about what constitutes a "reportable change." The quality agreement must enumerate specific change types at the sub-tier level that trigger notification: raw material source changes, manufacturing site changes, process parameter changes, specification changes, and sub-sub-tier supplier changes. Do not accept vague language like "significant changes."

Audit Rights

Activity: Auditing sub-tier suppliers.

Activity OEM CDMO Sub-tier
CDMO audit of sub-tier I R/A C
OEM direct audit of sub-tier (critical) R/A C C
OEM review of CDMO audit reports R/A R

Rationale: The CDMO audits its own sub-tier suppliers as part of its QMS (R/A). The OEM has the right to review CDMO audit reports for sub-tier suppliers (R/A). For critical sub-tier suppliers, the OEM should have the right to conduct direct audits (R/A), with the CDMO consulted (C) to facilitate access.

The Helmer Scientific template explicitly states: "Helmer Scientific shall be permitted to conduct an audit of the sub-supplier facility."

Contentious point: CDMOs may resist OEM direct access to sub-tier suppliers, citing commercial confidentiality. The quality agreement should address this by requiring the CDMO to include audit-right clauses in their own sub-tier agreements and by defining the scope and frequency of OEM sub-tier audits.

Deviation and Non-Conformance Management

Activity: Handling deviations and non-conformances originating at the sub-tier.

Activity OEM CDMO Sub-tier
Sub-tier deviation identification I R
CDMO investigation of sub-tier deviation C R/A C
OEM notification of critical deviation I R
OEM approval of deviation disposition A R
CAPA (if required) A R R

Rationale: The sub-tier identifies and reports deviations to the CDMO (R). The CDMO investigates (R/A) and consults the sub-tier as needed (C). For critical deviations — those that could affect device safety or specifications — the OEM must be notified (I) and must approve the disposition (A). The OEM has final CAPA approval (A) for any CAPA that could affect device quality.

Material Release and Certification

Activity: Releasing materials from sub-tier suppliers.

Activity OEM CDMO Sub-tier
Sub-tier lot release and CoC I R/A
CDMO incoming inspection of sub-tier material I R/A
CDMO release of material to production C R/A
OEM verification (if applicable) A R

Rationale: The sub-tier releases lots with a certificate of conformance (R/A). The CDMO performs incoming inspection (R/A) and releases material for production. The OEM may verify incoming material for critical components (A), either through testing or certificate review.

Process Validation at the Sub-Tier

Activity: Process validation performed by sub-tier suppliers.

Activity OEM CDMO Sub-tier
Validation planning C R/A C
Validation protocol approval A R
Validation execution I C R
Validation report approval A R

Rationale: The CDMO is responsible for ensuring its sub-tier suppliers have validated processes (R/A). The OEM must approve validation protocols and reports for processes that are critical to device quality (A). This is consistent with FDA's position that "regardless of who actually performs the process validation, it is the manufacturer's responsibility to ensure that the validation is performed."

Structuring the Quality Agreement

The RACI matrix should be embedded in the quality agreement as an appendix or within the relevant sections. The FDA's guidance on quality agreements for contract manufacturing arrangements states that quality agreements may use "charts, matrices, narratives, or a combination of these" to document responsibilities, and that they should "clearly document which party is responsible for specific activities."

  1. Purpose and Scope. Define that this agreement covers sub-tier supplier management for specific materials and services. List the sub-tier suppliers or the criteria for what constitutes a sub-tier supplier requiring coverage under this agreement.

  2. Definitions. Define "sub-tier supplier," "critical sub-tier supplier," "reportable change," "critical deviation," and other terms used in the RACI matrix.

  3. Sub-tier Supplier Management. This is where the RACI matrix lives. Cover selection, qualification, ongoing monitoring, audit rights, and re-evaluation.

  4. Change Control. Define what changes at the sub-tier level must be reported, to whom, and with what lead time. Include the RACI for change assessment and approval.

  5. Deviation and CAPA. Define notification timelines, investigation responsibilities, and disposition authority. Include the RACI.

  6. Material Release and Traceability. Define lot release, certification, and traceability requirements. Specify how far traceability must extend through the sub-tier chain.

  7. Audit Rights. Define the OEM's right to audit the CDMO's sub-tier suppliers directly, and the CDMO's obligation to ensure audit-right clauses in its sub-tier agreements.

  8. Business Continuity. Address what happens if a sub-tier supplier is lost — notification, qualification of alternatives, and supply continuity planning.

  9. RACI Matrix Appendix. The complete matrix covering all activities.

Practical Tips for Negotiation

Start with risk. Define which sub-tier suppliers and which materials are critical before negotiating RACI assignments. A risk-based argument for OEM approval authority is harder to resist than a blanket demand for control over all sub-tier activity.

Accept shared responsibility for non-critical items. For non-critical sub-tier suppliers, the CDMO can hold accountability (A) with the OEM informed (I). Reserve OEM accountability (A) for items where device safety is directly affected.

Define timelines. Every notification requirement should have a timeline. "Prompt notification" is not acceptable. Use specific timeframes: 24 hours for critical deviations, 5 business days for change notifications, 30 days for planned changes.

Make the RACI visible. Do not bury accountability in narrative paragraphs. Use a table or matrix that can be reviewed at a glance. Auditors and inspectors will look for this.

Include sub-tier acknowledgment. Where possible, require the CDMO to flow down relevant quality agreement requirements to the sub-tier supplier through its own purchasing agreements. The sub-tier does not need to sign the OEM-CDMO quality agreement, but the CDMO's agreement with the sub-tier should reflect the same controls.

Inspection Readiness

When the FDA or a Notified Body inspects your quality agreement, they will look for:

  • Evidence that you know your sub-tier chain. Who supplies critical materials to your CDMO? Where are they located? What is their quality system status?
  • Evidence of control. Not just awareness. Documented evaluations, approvals, monitoring data, and audit records.
  • Evidence of change notification. Have changes at the sub-tier level been identified, assessed, and controlled? Can you demonstrate that the RACI has been followed?
  • Consistency between the quality agreement and practice. The RACI matrix is meaningless if the OEM is marked as Accountable for sub-tier change approval but no sub-tier changes have ever been presented for approval.

The FDA's position, drawn from GHTF SG3/N17, is that the legal manufacturer "cannot relinquish (contractually or otherwise) its obligation and responsibility over any or all functions within the quality management system." The RACI matrix is your tool for demonstrating that you have not relinquished this obligation — you have structured it, documented it, and are actively managing it.
