Convenience Kit Recalls Land on the OEM. Here's Why.
Every OEM I talk to about convenience kits starts from the same blind spot. They picture the kit as a box of parts they bought from other people: a syringe from one supplier, a prep pad from another, saline from a third. FDA does not see it that way. FDA sees one finished device that the OEM manufactures. Those two views collide exactly once, usually during a recall, and the recall has the OEM's name on it.
I have sat across the table from a lot of medical device companies who learned this the hard way. They outsourced the assembly, outsourced the components, outsourced the sterilization, and assumed they had also outsourced the liability. They had not. So let me walk through why the recall lands where it lands, and what actually moves the odds.
The OEM is the manufacturer, even when the defect isn't theirs
FDA's foundational position here is not subtle. Under the agency's convenience-kit policy, the company that assembles or markets a convenience kit is itself a manufacturer, subject to premarket and quality-system obligations. Enforcement discretion exists only when narrow intended-use, component, and processing limits are met (FDA Convenience Kits Interim Regulatory Guidance).
That status flows straight through to labeling and traceability. A convenience kit is itself a device under 21 CFR 801.3, and the UDI on the kit's immediate container covers the individual devices packaged inside it (FDA / Federal Register, UDI: Convenience Kits). In plain terms: the kit carries the OEM's identity. When FDA has to find affected product in the field, they find it by the kit, not by the third party who made the part that failed.
So when a director of quality asks me whether the component supplier absorbs the recall, the honest answer is no. The supplier may own the defect. The OEM owns the field action.
The recalls that prove the point
I am not arguing a theoretical risk. The public record is full of kit owners absorbing recalls for upstream failures they did not cause.
Medline Industries issued a Class I recall, FDA's most serious category, on kits, trays, and packs after a third-party supplier's saline and sterile water products lost sterility assurance. Medline had to manage over-labeling and component removal across the field even though the underlying defect was not theirs (FDA Medical Device Recall, Medline kits and trays).
Alcon recalled customer-designed sterile ophthalmic Custom Pak procedure packs, also in FDA's most-serious recall class, because affected lots may have contained pouches with incomplete seals. A compromised sterile barrier on an ophthalmic pack raises the risk of ocular infection (FDA Medical Device Recall, Alcon Custom Pak). That one is worth sitting with, because it was not a glamorous failure mode. It was a seal.
And FDA issued an Early Alert on convenience kits recalled because they contained contaminated third-party alcohol prep pads, with potential Paenibacillus phoenicis. The contract kit assembler had to issue correction notices and over-labels even though the contamination originated upstream (FDA Early Alert, convenience kit issue).
Three different kits, three different upstream failures, one consistent pattern: the field action lands on whoever owns the finished kit. None of these are a statistical base rate. They are a recurring shape, and I have watched enough kit programs to recognize the shape.
The re-sterilization trap most OEMs don't see coming
There is a quieter failure mode that fragmented supply chains create on their own. When you build a kit from components that were already finished and sterilized, then terminally sterilize the whole kit, you may be sterilizing some of those components a second time. CDRH has flagged exactly this: finished device components assembled into convenience kits and then sterilized can be adversely affected, and kit manufacturers are directed to confirm that the kit sterilization process does not compromise the finished components (FDA Sterilized Convenience Kits for Clinical and Surgical Use).
This is the kind of problem that hides in the seams between vendors. The component maker validated their part for one sterilization cycle. The kit assembler runs a second one. Nobody owns the interaction, because the interaction only exists once both processes sit in the same kit. In my experience, the seams between vendors are where these programs break.
Why consolidating under one QMS changes the odds
Here is the part that matters for an OEM deciding how to structure a kit program. You cannot make the recall liability disappear. FDA put it on you, and it stays on you. What you can change is how many independent failure points sit upstream of your finished kit, and how fast you can contain a problem when one shows up.
That is the real case for putting component control, assembly, sterile-barrier sealing, and terminal sterilization under a single quality management system. Under the QMSR, FDA's current quality framework incorporates ISO 13485:2016 by reference, so the levers are the ISO clauses themselves.
Supplier and component control. ISO 13485:2016 Clause 7.4 requires that purchased product, including kit components, conform to specified purchasing requirements through documented supplier evaluation, selection, monitoring, and re-evaluation, proportionate to the risk the component poses to the finished device. Every one of the recalls above traced back to a component that entered the kit. The discipline that catches those problems is incoming-component control, and it works best when one QMS owns the whole chain instead of stitching together each supplier's separate promises.
Validated sterile-barrier and sterilization processes. ISO 13485:2016 Clause 7.5.6 requires validating any production process whose output cannot be verified by later inspection, which explicitly includes sterilization and sterile-barrier sealing. Layered on top, ISO 11607-1:2019 governs the sterile barrier system and seal integrity, and ISO 11607-2:2019 governs validation of the forming, sealing, and assembly processes for that barrier. The Alcon seal failure is what a gap here looks like in the field. When sealing validation and the sterilization cycle live in the same cleanroom QMS, the re-sterilization compatibility question that CDRH warns about gets answered once, deliberately, before routine release, rather than falling through the gap between two vendors.
Traceability that narrows the recall. ISO 13485:2016 Clause 7.5.9 requires records that provide product traceability, with the extent defined and documented. This is the difference between a recall that pulls a defined set of lots and a recall that pulls everything because nobody can prove which kits contained the suspect component lot. When assembly and sterilization records sit in one system, you can show FDA exactly which kits are affected. When they are scattered across three vendors' systems, you tend to pull wide, because pulling wide is the only defensible move you have left.
One controlled environment. ISO 13485:2016 Clause 6.4 covers work environment and contamination control. A kit is only as clean as the room it was assembled in. Consolidating assembly and kitting into a single validated cleanroom environment removes a set of handoffs where contamination and mix-ups get introduced.
None of this is a guarantee. I am not going to tell an OEM that a single-QMS partner means you will never see a field action, because that is not true and you would not believe me anyway. What I will tell you, after watching kit programs succeed and fail, is that the OEMs who own the recall do best when they own as little of the fragmentation as possible. Fewer seams, fewer independent failure points, faster containment when something moves out of spec.
The recall is going to have your name on it either way. The question is whether you have the records, the validated processes, and the contamination control to make it a narrow, defensible action instead of a wide one.