MedDeviceGuideMedDeviceGuide
Back
ManufacturingQuality SystemsISO 13485USEUGlobal

Process Validation Ownership at a CMO/CDMO: Who Writes, Who Runs, Who Approves

How to assign process validation ownership between OEM and CMO/CDMO for medical device manufacturing — protocol authorship, IQ/OQ/PQ execution responsibility, approval authority, and regulatory accountability under ISO 13485, FDA QMSR, and GHTF guidance.

Ran Chen
Ran Chen
Global MedTech Expert | 10× MedTech Global Access
2026-05-1113 min read

The Question That Derails Tech Transfers

During a technology transfer meeting between an OEM and a CDMO, the conversation eventually arrives at a seemingly simple question: "Who owns process validation?" The OEM assumes the CDMO will handle it because the processes run at the CDMO's facility on the CDMO's equipment. The CDMO assumes the OEM will handle it because the OEM designed the product and defined the process parameters. Both are partially right and partially wrong, and the ambiguity costs months of delay.

This guide addresses the specific question of process validation ownership when manufacturing is outsourced to a CMO or CDMO. It covers what the regulations actually require (versus what people assume), how to divide responsibility for IQ, OQ, and PQ activities, how to structure the quality agreement to make ownership explicit, and what happens when things go wrong.

The Regulatory Non-Negotiable: Accountability Stays with the OEM

Before getting into the practical division of labor, establish the regulatory foundation:

The legal manufacturer cannot delegate regulatory accountability for process validation. This principle is stated explicitly in GHTF SG3/N17: the manufacturer "cannot relinquish (contractually or otherwise) its obligation and responsibility over any or all functions within the quality management system." It is reinforced in GHTF SG3/N99-10 (the Process Validation Guidance): "Regardless of who actually performs the process validation, it is the manufacturer's responsibility to ensure that the validation is performed."

Under FDA QMSR (effective February 2, 2026, incorporating ISO 13485:2016), the legal manufacturer — the entity whose name is on the device label and the 510(k) or PMA — is accountable to the FDA for process validation. If a validated process fails at the CDMO and produces nonconforming devices that reach the market, the FDA issues the warning letter to the legal manufacturer, not the CDMO.

Under EU MDR, the same principle applies. The Notified Body assesses the manufacturer's quality system, including process validation. If validation is inadequate at a CDMO, the non-conformity is written against the manufacturer.

This does not mean the OEM must perform all validation activities. It means the OEM must ensure they are performed correctly and must approve the results. The distinction between performing and ensuring is the core of the ownership question.

The Three Stages and Who Typically Does What

Process validation follows the IQ/OQ/PQ structure defined in GHTF SG3/N99-10 and widely adopted across the medical device industry:

Installation Qualification (IQ)

IQ verifies that equipment is installed correctly, calibrated, and connected to utilities as specified.

Who writes the protocol: The CDMO typically writes the IQ protocol because they are most familiar with the equipment installation at their facility. The OEM should review and approve the protocol to ensure it covers the requirements relevant to the device's critical process parameters.

Who executes: The CDMO executes IQ. The equipment is at their facility, operated by their personnel, connected to their utilities.

Who approves the report: The CDMO's quality unit approves the report internally. The OEM's quality unit should also approve it for processes critical to the device. For standard equipment (e.g., a cleanroom HVAC system), OEM approval may not be necessary. For equipment specific to the device's critical processes (e.g., a custom heat sealer for sterile barrier packaging), OEM approval is essential.

Key point: IQ is the stage most often completed without OEM involvement, and this is often appropriate. But the OEM should at minimum review the IQ report to confirm that the equipment installed matches what was assumed in the process design.

Operational Qualification (OQ)

OQ demonstrates that the equipment operates within defined parameter ranges, including worst-case conditions, and identifies the operational limits of the process.

Who writes the protocol: This is where ownership becomes contested. The OEM designed the product and defined the process parameters. The CDMO operates the equipment and knows its capabilities. In practice, the best approach is collaborative:

  • The OEM defines the critical process parameters, their target values, and their acceptable ranges based on design outputs and risk analysis.
  • The CDMO defines the equipment operating parameters, the range of conditions that can be tested, and the test methods.
  • The protocol is a joint document, or one party writes it and the other reviews and approves.

Who executes: The CDMO executes OQ at their facility using their trained operators. The OEM should witness critical OQ activities — particularly worst-case testing and challenge conditions — to ensure the protocol is being followed as intended.

Who approves the report: Both parties. The CDMO's quality unit confirms the protocol was executed as written. The OEM's quality unit confirms the results meet the acceptance criteria defined for the device.

Performance Qualification (PQ)

PQ demonstrates that the process consistently produces product meeting all predetermined specifications under normal operating conditions over multiple runs.

Who writes the protocol: Similar to OQ, this should be collaborative. The OEM defines the acceptance criteria based on device specifications. The CDMO defines the sampling plan, run conditions, and monitoring approach.

Who executes: The CDMO. But the OEM should be actively involved in reviewing interim results, particularly for the first PQ runs, to catch issues early.

Who approves the report: Both. PQ approval is a joint decision because it establishes the validated state of the process. Neither party should unilaterally declare a process validated.

Recommended Reading
Contract Cleanroom Assembly Qualification for Medical Devices: Audit, Approval, and Ongoing Control
Manufacturing Quality Systems2026-05-11 · 35 min read

The Quality Agreement: Making Ownership Explicit

The quality agreement between the OEM and CDMO must address process validation ownership in specific terms. The ISPE discussion paper on implementing lifecycle validation practices at CMOs recommends defining responsibilities in the quality agreement, with more granular details (protocol-specific responsibilities) addressed in the individual plans and protocols.

What the Quality Agreement Should Cover

Validation master plan. Who develops it? Typically the CDMO develops a site validation master plan covering all equipment and processes at their facility. The OEM should review this to understand the CDMO's validation approach. For device-specific processes, the OEM may develop a product-specific validation plan that references the CDMO's site plan.

Protocol authorship and approval. For each validation stage (IQ, OQ, PQ), specify:

  • Who prepares the protocol
  • Who reviews the protocol
  • Who approves the protocol before execution
  • Who must approve the report after execution

Use a matrix format. A typical structure:

Activity CDMO Role OEM Role
IQ Protocol — Prepare R C
IQ Protocol — Approve A I
IQ Execution R I
IQ Report — Approve A C
OQ Protocol — Prepare R C
OQ Protocol — Approve A A
OQ Execution R C
OQ Report — Approve A A
PQ Protocol — Prepare R C
PQ Protocol — Approve A A
PQ Execution R C
PQ Report — Approve A A

R = Responsible (does the work), A = Accountable (has final approval), C = Consulted, I = Informed.

Revalidation triggers. Define what triggers revalidation and who is responsible for initiating it. Triggers may include equipment changes, process parameter changes, material changes, regulatory findings, or periodic revalidation intervals.

Ongoing process monitoring. After validation is complete, who monitors process performance? The CDMO collects data and performs statistical process control. The OEM reviews periodic summary reports. Define the frequency and content of these reports in the quality agreement.

Deviation handling during validation. If a validation run produces nonconforming results, who investigates? The CDMO performs the investigation. The OEM reviews the root cause and approves the disposition. Define this in the agreement.

Change control after validation. Who approves changes to a validated process? The CDMO evaluates the change. The OEM approves changes that affect critical process parameters or product specifications.

Process Validation in Technology Transfer

Process validation ownership is most complex during technology transfer, when a process moves from the OEM's development site to the CDMO's manufacturing site, or from one CDMO to another.

OEM-to-CDMO Transfer

In this scenario, the OEM developed the process and has data from development and pilot runs. The CDMO will manufacture at commercial scale.

Process knowledge transfer. The OEM must transfer not just documents but process knowledge: why parameters were chosen, what was tried and failed, what the critical-to-quality attributes are, and how they link to risk control measures. This is not optional — it is the foundation for the CDMO to execute validation correctly.

Protocol development. The OEM typically leads protocol development for OQ and PQ during a technology transfer because they own the process knowledge. The CDMO contributes equipment-specific details. IQ is typically CDMO-led.

Execution witnessing. The OEM should witness at least the first OQ and PQ runs at the CDMO. This is not about distrust — it is about catching misunderstandings early. A parameter that seems clear in a protocol document may be interpreted differently by an operator at a different facility.

CDMO-to-CDMO Transfer

When transferring between CDMOs, process knowledge may be split between the original OEM and the first CDMO. This is where ownership gaps are most dangerous. The OEM must ensure that all process knowledge is consolidated before the transfer begins, including any tacit knowledge held by the first CDMO's operators.

The Arrotek technology transfer guide emphasizes: "OEMs retain regulatory responsibility during and after the transfer, i.e., regulatory ownership or liability does not transfer to your new CDMO partner."

Common Ownership Conflicts and How to Resolve Them

"The CDMO Says Their Standard Protocols Are Sufficient"

CDMOs often have standard IQ/OQ/PQ protocols developed for their facility and equipment. They may resist writing custom protocols for each customer. Evaluate the standard protocols against your device's specific requirements. If the standard protocols cover all critical process parameters and acceptance criteria, they may be adequate. If not, supplement with device-specific addenda rather than demanding entirely new protocols.

"The OEM Wants to Approve Everything"

Some OEMs insist on approving every validation document, including internal CDMO work instructions. This creates bottlenecks and strains the relationship. Focus OEM approval on protocols, reports, and changes that affect product quality. Let the CDMO manage their internal execution documents.

"Nobody Wants to Own Revalidation"

Revalidation is often neglected because it is not clearly assigned. The quality agreement should specify: the CDMO is responsible for initiating revalidation when a trigger occurs, the CDMO prepares the revalidation protocol, and the OEM approves the protocol and the report.

"The CDMO Changed Equipment Without Telling Us"

This is the most common validation-related failure mode. The CDMO replaces a validated piece of equipment with a newer model, or moves equipment to a different location, without treating it as a change requiring revalidation. The quality agreement must explicitly state that equipment changes affecting validated processes require OEM notification and revalidation assessment.

Recommended Reading
Biological Specimen Raw Material Sourcing for IVD Development: Human Serum, Plasma, and Matrix Materials
Manufacturing IVD & Diagnostics2026-05-11 · 21 min read

FDA and ISO 13485 Inspection Expectations

When an FDA investigator or ISO 13485 auditor evaluates process validation at a CDMO, they will ask:

Where is the validation protocol and report? The OEM should have copies or access to all validation records for processes used to manufacture their devices. Do not assume the CDMO will always have these readily available during an inspection at your facility.

Who approved the validation? The auditor wants to see that the OEM's quality unit approved validation for critical processes. If only the CDMO's quality unit signed off, this is a finding.

What were the acceptance criteria? These must trace back to the device's design outputs and risk analysis. Acceptance criteria that appear arbitrary or disconnected from device requirements will be questioned.

Was the validation executed as planned? Deviations from the protocol must be documented and justified. Unplanned deviations during validation runs are a red flag.

How are validated processes monitored? Ongoing monitoring data (control charts, capability indices, trend analysis) must demonstrate continued process control.

What happens when something changes? The change control process for validated processes must be documented and followed. Changes without revalidation assessment are a common finding.

Building a Validation Ownership Matrix for Your Organization

To implement the principles in this guide, create a validation ownership matrix for each outsourced process. The matrix should cover:

  1. Process name and location (CDMO site, equipment ID)
  2. Risk classification (critical, major, minor)
  3. Who prepares each protocol (IQ, OQ, PQ)
  4. Who approves each protocol
  5. Who executes each validation stage
  6. Who approves each report
  7. Revalidation triggers and who initiates
  8. Ongoing monitoring responsibilities
  9. Change control responsibilities
  10. Document storage and access

Review this matrix with your CDMO during quality agreement negotiation. Update it when processes change. Make it available to auditors.

The Validation Master Plan as a Coordination Tool

A validation master plan (VMP) is not explicitly required by any regulation, but it is strongly recommended by GHTF SG3/N99-10 and is considered best practice. In a CDMO relationship, the VMP serves as the coordinating document that maps all validation activities and assigns ownership.

The VMP should list all processes requiring validation, whether they are performed in-house or at the CDMO, and should reference the quality agreement sections that define ownership. It should include a schedule, responsibility assignments, and the current status of each validation activity.

The SIFo Medical process validation guide notes that a VMP "provides a framework for scheduling, responsibility assignment, and documentation control" and that it should cover processes "regardless of whether the process is performed in-house or outsourced."

Recommended Reading
Contract Packaging Vendor Qualification for Medical Devices: ISO 11607 Compliance, Audit Approach, and Quality Agreement
Manufacturing Quality Systems2026-05-11 · 37 min read

Practical Lessons from Failed Validations

A CDMO completed IQ and OQ on a heat sealer for sterile barrier packaging but never completed PQ. The OEM assumed the CDMO would finish PQ before production started. The CDMO assumed the OEM would authorize production based on OQ results. Result: six months of sterile barrier seal failures before the gap was discovered during an FDA inspection.

An OEM transferred a molding process to a CDMO and provided process parameters from their development press. The CDMO ran PQ using those parameters on their production press, which had different screw geometry and cooling. Result: dimensional failures on the first three production lots, followed by an investigation that revealed the parameters were equipment-specific, not process-specific.

A CDMO replaced a validated ultrasonic welder with a newer model from the same manufacturer. The CDMO's change control system classified this as a "like-for-like" replacement and did not trigger revalidation. The new welder had a different amplitude control algorithm that produced inconsistent welds on the device's housing. Result: a field recall after complaints of housing separation.

These failures share a common root cause: ambiguous ownership. In each case, both parties assumed the other was responsible for a critical validation activity. The quality agreement either did not address the specific scenario or used vague language that allowed both parties to interpret it differently.

The solution is not more documentation. It is more specific documentation. Define exactly who does what, for which processes, with what approval authority, and what happens when conditions change. Put it in the quality agreement. Review it annually. And when the FDA inspector asks "who owns validation?" the answer should be immediate, documented, and supported by evidence.

Related Articles

ManufacturingQuality Systems

Adhesive Bonding Process Validation for Medical Devices: From Variables to IQ/OQ/PQ

How to validate adhesive bonding processes for medical devices — covering ISO 13485 Clause 7.5.6 and FDA QMSR requirements, UV curing and epoxy bonding process variables, IQ/OQ/PQ protocols, critical process parameters, surface preparation controls, adhesive chemistry selection (cyanoacrylate, UV-curable, epoxy, silicone), destructive testing strategy, revalidation triggers, and ongoing monitoring under FDA and EU MDR.

2026-05-11·16 min read
IVD & DiagnosticsManufacturing

Antibody Clone Lock and Lot-to-Lot Bridging for Immunoassay IVD Kits

How to lock down antibody clones, manage lot-to-lot bridging studies, and maintain immunoassay performance across manufacturing campaigns — covering recombinant vs hybridoma strategies, critical quality attribute monitoring, bridging study design, and regulatory expectations under FDA QMSR, ISO 13485, and EU IVDR.

2026-05-11·21 min read
Supply ChainManufacturing

Battery and Cell Sourcing for Portable Medical Devices: Supplier Qualification, Chemistry Selection, and Regulatory Compliance

How to qualify battery cell suppliers and design battery packs for portable medical devices — covering lithium-ion chemistry selection (NMC, LFP, LCO, LTO), IEC 62133-2 and UN 38.3 compliance, Battery Management System requirements, FDA QMSR traceability, EU Battery Regulation due diligence, conflict minerals sourcing, lot-to-lot cell matching, incoming inspection, quality agreement structure, and dual-sourcing strategies for infusion pumps, ventilators, wearable monitors, and other Class II/III portable medical devices.

2026-05-11·14 min read