Does FDA apply to a non-medical 13485 certified custom manufacturing company?

[cgaro62]

To Whom it may concern:

My company recently had an ISO 13485 audit in one of its facilities. We are a custom manufacturing company that does not design or make its own product. We manufacture cables, wiring and harnesses. My question is, can an ISO 13485 auditor cite FDA 820 nonconformances when my company is not FDA registered and we do not make any medical devices?

Regards,
C-Ana

 

[ScottK]

To Whom it may concern:

My company recently had an ISO 13485 audit in one of its facilities. We are a custom manufacturing company that does not design or make its own product. We manufacture cables, wiring and harnesses. My question is, can an ISO 13485 auditor cite FDA 820 nonconformances when my company is not FDA registered and we do not make any medical devices?

Regards,
C-Ana

They can cite whatever they like, but you can push back.

However, they should have made clear in the audit agenda or opening meeting that they would be auditing to FDA criteria.
I've run into this a few times over the years when dealing with drug and device customers.

Are you ISO 13485 registered? Is their finding something that you would consider a non-conformance anyway?
You can always contest a finding and say "our system doesn't require us to comply with that clause you're citing, but if you want us to comply with that particular criteria it's going to add cost to each piece."

 

[John C. Abnet]

To Whom it may concern:

My company recently had an ISO 13485 audit in one of its facilities. We are a custom manufacturing company that does not design or make its own product. We manufacture cables, wiring and harnesses. My question is, can an ISO 13485 auditor cite FDA 820 nonconformances when my company is not FDA registered and we do not make any medical devices?

Regards,
C-Ana

The short answer is "no". ISO standards are registered to on a volunteer basis (although in reality, market share/customers may make it necessary).
ISO standards are NOT a compliance standards.
However, within 13485 there is a requirement to ..

7.2.1
The organization shall determine:
c) applicable regulatory requirements related to the product;

This reference to "APPLICABLE regulatory requirements" is ubiquitous throughout the standard. IF FDA 820 is "applicable" to your organization, then your organization shall "determine" (identify) /communicate as such, and...

4.1.1 The organization shall document a quality management system and maintain its effectiveness in
accordance with the requirements of this International Standard and applicable regulatory requirements.

4.1.3
e) establish and maintain records needed to demonstrate conformance to this International Standard
and compliance with applicable regulatory requirements

So, as you can see, it is up to your organization to determine / identify which (if any) regulatory requirements apply and then if any DO apply, to provide systems for compliance and evidence of same.


NOTE: You state regarding your organization .."we do not make any medical devices". May I inquire as to what is the scope/basis of your organization's ISO 13485 audit/certification?

Hope this helps.
Be well.

 

[ChrisM]

You had an "ISO 13485 audit"...... performed by whom and why? Is your organization registered to ISO13485 and the audit was by one of the Certification Body's auditors, or was it performed by a customer who is certified to ISO 13485?

 

[mihzago]

The audit plan should identify the audit scope, which should be shared with you before the audit starts. If it includes FDA regulations, such as 21 CFR 820, then you should request the scope to be modified to exclude any requirements not applicable to your company.

Additionally, as John alluded, your Quality Manual, or similar document should identify the scope of laws, regulations, or standards your company complies with.

 

[ScottK]

The short answer is "no". ISO standards are registered to on a volunteer basis (although in reality, market share/customers may make it necessary).
ISO standards are NOT a compliance standards.
However, within 13485 there is a requirement to ..

7.2.1
The organization shall determine:
c) applicable regulatory requirements related to the product;

This reference to "APPLICABLE regulatory requirements" is ubiquitous throughout the standard. IF FDA 820 is "applicable" to your organization, then your organization shall "determine" (identify) /communicate as such, and...

4.1.1 The organization shall document a quality management system and maintain its effectiveness in
accordance with the requirements of this International Standard and applicable regulatory requirements.

4.1.3
e) establish and maintain records needed to demonstrate conformance to this International Standard
and compliance with applicable regulatory requirements

So, as you can see, it is up to your organization to determine / identify which (if any) regulatory requirements apply and then if any DO apply, to provide systems for compliance and evidence of same.


NOTE: You state regarding your organization .."we do not make any medical devices". May I inquire as to what is the scope/basis of your organization's ISO 13485 audit/certification?

Hope this helps.
Be well.

I'm not the OP but I did work at an ISO13485 registered label printer that served the medical device world. We got the registration by stating we made components of medical devices. The registrar we used agreed with us so we got it. Not so sure that would fly today... this was about 12 years ago and some customer auditor questioned how we got 13485.

Just sharing my experience on how this could come to be.

 

[John C. Abnet]

I'm not the OP but I did work at an ISO13485 registered label printer that served the medical device world. We got the registration by stating we made components of medical devices. The registrar we used agreed with us so we got it. Not so sure that would fly today... this was about 12 years ago and some customer auditor questioned how we got 13485.

Just sharing my experience on how this could come to be.

Good insight @ScottK ...thanks for sharing. As you can see from the embedded information below, the scope for eligibility for ISO 13485 is nearly endless, so...open to a large variety of organizations even if simply "related services" or "associated activities".


Be well.

 

[cgaro62]

They can cite whatever they like, but you can push back.

However, they should have made clear in the audit agenda or opening meeting that they would be auditing to FDA criteria.
I've run into this a few times over the years when dealing with drug and device customers.

Are you ISO 13485 registered? Is their finding something that you would consider a non-conformance anyway?
You can always contest a finding and say "our system doesn't require us to comply with that clause you're citing, but if you want us to comply with that particular criteria it's going to add cost to each piece."

Hi Scott,
Thank you for your response. We are ISO 13485 registered.

The short answer is "no". ISO standards are registered to on a volunteer basis (although in reality, market share/customers may make it necessary).
ISO standards are NOT a compliance standards.
However, within 13485 there is a requirement to ..

7.2.1
The organization shall determine:
c) applicable regulatory requirements related to the product;

This reference to "APPLICABLE regulatory requirements" is ubiquitous throughout the standard. IF FDA 820 is "applicable" to your organization, then your organization shall "determine" (identify) /communicate as such, and...

4.1.1 The organization shall document a quality management system and maintain its effectiveness in
accordance with the requirements of this International Standard and applicable regulatory requirements.

4.1.3
e) establish and maintain records needed to demonstrate conformance to this International Standard
and compliance with applicable regulatory requirements

So, as you can see, it is up to your organization to determine / identify which (if any) regulatory requirements apply and then if any DO apply, to provide systems for compliance and evidence of same.


NOTE: You state regarding your organization .."we do not make any medical devices". May I inquire as to what is the scope/basis of your organization's ISO 13485 audit/certification?

Hope this helps.
Be well.

Hi John,

We are a custom manufacturing company, we build cables, harnesses and wiring assemblies per our customer's control documents and specifications.

 

[Sidney Vianna]

My question is, can an ISO 13485 auditor cite FDA 820 nonconformances when my company is not FDA registered and we do not make any medical devices?

In principle, the auditor was incorrect. Let's have a look at the Scope of coverage for the FDA 820 QSR's:

​

The regulation clearly states that applies to Manufacturers of FINISHED Medical Devices. But, it also states: "...This regulation does not apply to manufacturers of components or parts of finished devices, but such manufacturers are encouraged to use appropriate provisions of this regulation as guidance. ..."

Having said that, pretty much all of QSR is also covered in ISO 13485. Do you care to elaborate on what exactly the auditor cited that could not have been referenced back to the ISO Standard?

 

[cgaro62]

This is awesome! Thank you!

In principle, the auditor was incorrect. Let's have a look at the Scope of coverage for the FDA 820 QSR's:

View attachment 28779
​

The regulation clearly states that applies to Manufacturers of FINISHED Medical Devices. But, it also states: "...This regulation does not apply to manufacturers of components or parts of finished devices, but such manufacturers are encouraged to use appropriate provisions of this regulation as guidance. ..."

Having said that, pretty much all of QSR is also covered in ISO 13485. Do you care to elaborate on what exactly the auditor cited that could not have been referenced back to the ISO Standard?