Life Science Outsourcing
spoke

Portfolio-Wide Warning Letter? Consolidate to One QMS

A

Andrew_G

I've sat across the table from a lot of OEMs after a bad inspection. The ones who scare me least are the ones with a single product cited for a single defect. That is a contained problem with a contained fix. The ones who scare me most walk in with a warning letter that reads like it was written about the company, not the product. Same observation, restated five times, against five different devices made in three different places.

When the same root cause shows up across an entire portfolio, you are not looking at five product problems. You are looking at one quality-system problem wearing five costumes. And in my experience, the OEMs who remediate that well stop trying to patch each device individually and start asking a different question: how many quality systems are we actually running, and why is it more than one?

A portfolio-wide letter is a QMS finding, not a product finding

Here is the pattern I see. An OEM grows by acquisition or by adding contract manufacturers one program at a time. Each site or each partner brings its own procedures, its own document-control habits, its own CAPA backlog. For a while it works, because nobody is looking at all of it at once. Then an FDA investigator does exactly that, and the observations cluster around the same handful of systemic controls every time.

The peer-reviewed analysis of FDA enforcement bears this out: CAPA-related failures drive the majority of device warning letters, non-routine quality events cost the industry billions of dollars annually, and one manufacturer estimated spending more than $5 million to make corrections across all 40 of its sites (Anderson & Tan, Journal of Industrial Engineering and Management, 2023). That last number is the one I'd circle. Forty sites. The cost was not in the defect. The cost was in the multiplication.

Under the new framework, this is even harder to fudge. The FDA Quality Management System Regulation took effect February 2, 2026, amending 21 CFR Part 820 to incorporate ISO 13485:2016 by reference (FDA, Quality Management System Regulation). CAPA now flows through ISO 13485:2016 Clauses 8.5.2 and 8.5.3 (corrective action and preventive action). Corrective action is no longer something you do per device. The standard expects a system that finds, fixes, and prevents recurrence across everything you make. A portfolio-wide letter is FDA telling you the system is what failed.

Why running parallel quality systems is the real exposure

When I ask a newly-cited OEM how many distinct QMS environments they're operating across their manufacturing base, the honest answer is usually "more than we'd like to admit." Every one of those is a separate document-control scheme, a separate training record set, a separate set of work instructions, and a separate place for an investigator to find the same gap again.

The problem with parallel systems is not that any single one is broken. It's that variance hides between them. A CAPA closed correctly at one site does nothing for the identical issue living at another. Process controls validated for one product line don't carry over. You can remediate three of the five devices in the letter and still get a follow-up inspection that reopens the whole thing, because the systemic root cause was never systemic to begin with. It was just repeated.

This is also where supplier oversight gets you. Under ISO 13485:2016 Clause 7.4, your purchasing controls and supplier oversight are your responsibility, and you have to evaluate and control suppliers based on their effect on product quality. If your finished-device assembly is spread across multiple contract manufacturers, you don't just own one outsourced QMS. You own the seam between all of them, and you have to demonstrate control over each one to an investigator who has already decided your systems are suspect.

Consolidating assembly under one unified QMS

This is the move I watch the well-run remediations make. They stop treating each program as its own island and consolidate finished-device assembly and kitting under a single FDA-registered, ISO 13485:2016-compliant contract manufacturer operating one quality system across the work.

The logic is not complicated. One QMS means one document-control system, one CAPA process, one training program, one set of validated processes, one audit trail. When FDA comes back to verify your remediation, they are looking at one system applied consistently, not five systems you have to defend one at a time. The variance that hid between your parallel systems has nowhere left to hide.

It also changes the supplier-oversight math from Clause 7.4. Instead of qualifying and monitoring several assembly partners, each with its own quality posture, you are overseeing one. The MDSAP framework reinforces why this matters: FDA determined ISO 13485:2016 is substantially similar to the prior Quality System Regulation and built the Medical Device Single Audit Program on it (AAMI, QMSR: What You Need to Know about Global Harmonization). A single partner running a single audited QMS is a smaller, cleaner thing to govern than a fragmented base, and it's a smaller thing for a regulator to inspect.

Worth being precise here, because the QMSR keeps FDA-specific requirements layered on top of ISO 13485. Unique Device Identification, labeling, and combination-product provisions under 21 CFR Part 4 still apply (FDA, QMSR Frequently Asked Questions). A unified QMS doesn't make those go away. It makes them manageable, because you're applying them once, consistently, instead of reconciling how three different partners each interpreted them.

The single-source objection, and where it's actually right

Whenever I make this case, a sharp supply-chain person pushes back, and they're not wrong to. Single-sourcing is a real risk. Medtech OEMs lean on single suppliers for specialized components all the time, which creates concentration fragility, and significant supply shocks recur on the order of every few years (Octopart, Overcoming Single Source Risks). I'm not going to tell a director of supply chain that concentration risk is imaginary. I've watched it bite people.

But here's the distinction that resolves the tension, and it's the one most of these arguments miss. Diversifying your component sourcing and consolidating your finished-device assembly are two different decisions. You can, and probably should, keep multiple qualified sources for critical components so a single shock doesn't stop your line. That is supply continuity, and it lives upstream. Consolidating assembly and kitting under one unified QMS is a quality-governance decision, and it lives downstream. The two don't conflict. You can hold component diversity and assembly consolidation at the same time.

The OEMs who confuse these two end up keeping their assembly fragmented to "avoid single-source risk" and then wonder why the same observation keeps reappearing across their portfolio. They solved a supply problem they had and ignored a quality problem they also had.

What this looks like as a remediation move

If I'm being straight with you, consolidating mid-warning-letter is not a small lift. You are transferring multiple product lines into one QMS while a regulator is watching, on a clock. The OEMs who handle it well treat it as a structured tech transfer with quality leading, not procurement, and they sequence the moves so the highest-risk, most-cited products land in the unified system first. They don't try to migrate everything in one quarter.

The ones who handle it badly try to copy their old fragmented process into a new building and call it consolidation. It isn't. Consolidation is the QMS becoming one thing, not the parts moving to one address.

What I'll say from the commercial side is this: a portfolio-wide letter is the moment the consolidation conversation finally gets easy, because the cost of staying fragmented just became visible to the board. Before the letter, single QMS is an efficiency argument nobody prioritizes. After the letter, it's the operating model that gets you out from under enforcement. You should verify the exact scope and language of any specific letter against FDA's public warning-letter database before you scope the remediation, because the cited systems determine what has to move first (FDA, Warning Letters).

The customers who come out of these situations strongest are the ones who stop asking how to fix five products and start asking how to run one quality system. That second question is the only one that actually closes the letter.

If you're scoping a portfolio-wide remediation and weighing whether to consolidate finished-device assembly under one QMS, our team can walk through your cited systems and product lines in a 30-minute technical review and map what a single-QMS transfer would actually require.

Request a Quote

Ship faster with fewer vendors

LSO consolidates assembly, packaging, validation, and sterilization under one roof — FDA-registered, ISO 13485-certified, across three facilities. Tell us about your device and we'll map the fastest path to production.

Or call us directly: (714) 672-1090