Does the FDA Require Companies to Re-conduct ISO Level Audits (non Registrars or Auditors)

[kellijeff]

Hello all,
I have a customer with a certified device through FDA (non sterile, non implantable, non life support) on which we are building their PCBAs, cables and final assembly of the unit through calibration and burn-in. We are ISO9001/AS9100 registered through a Registrar and working to implement ISO13485. We were not required to be ISO registered OR compliant for this contract. This company is not yet ISO13485. They are attempting to conduct their 'supplier evaluation' which is well known to us and expected, in terms of QMS standards. However, their approach mimics an ISO type of audit all the way to the agenda (opening/closing meeting) and audit checklist. They are attempting to audit our compliance to standards vs. reviewing our performance as their supplier. When I push back on what seems to be a redundant and misapplied approach, they state the FDA 'requires' this type of audit. For all of our internal audits, I use a 2nd party certified auditor as well - in short, we are audited frequently to the standards. Their approach seems illogical and is not how we conduct our supplier evaluations nor what the language speaks to in the various standards. Where would I be able to dispute or verify what the FDA would actually require from us as the downstream supplier? Thank you for ANY help out there.

 

[Nichole F]

FDA is in the process of incorporating ISO 13485:2016 by reference to 21 CFR §820. This rule was finalized last year and will be effective February 2, 2026. That being said, current FDA regulations require your customer, as the legal manufacturer, to evaluate and select suppliers on the basis of their ability to meet specified requirements, including quality requirements. The type and extent of control is left up to the manufacturer but is generally related to the criticality to the finished device and the class of the finished device. ISO 13485 requires pretty much the same thing except they spell it out bit clearer. ISO 13485 can be viewed online (for free!) so if you want to read the exact wording, you can.

There isn't any (to my knowledge) any sort of ombudsman where you can dispute what they are asking or their approach to supplier evaluation. I'm not sure if the term "certified device" can from your end or the customer's, but FDA does not "certify" devices. Devices are registered, 510(k) cleared, or receive a PMA. There is de novo, HDE, IDE, but I suspect those do not apply in this case. I might be reading too much into the situation, but it sounds like perhaps there is either a gap in communication between what your customer needs versus what you are understanding, or your customer does not have a good grasp on proper supplier management. This honestly sounds like a desk audit. In either case, you will need to sort this with your customer. You can always ask them for the clause they are citing for FDA requiring them to conduct such an audit.

 

[yodon]

Agree with @Nichole F , but I'd like to look at it from another angle. You say:

audit our compliance to standards

The "old" 21 CFR 820 and ISO 13485 were both pretty close in terms of expectations and I don't really see any issue with the audit approach described, necessarily. Are they flagging you for clauses that are not in your scope or not covered in 820 (e.g., postmarket)?

Maybe more details on specific concerns they are raising would help.

As noted, this is not an "FDA thing," it's between you and your customer. Did they execute a Quality Agreement with you? Are they stepping outside of that?

 

[FRA 2 FDA]

My spidey senses tell me that this is a new company (or company new to meeting regulations/standards) and that they simply have no idea what a supplier audit actually is supposed to accomplish and how to do it.

 

[Sidney Vianna]

Very likely the person doing the audit is familiar with 3rd party auditing protocols and is mimicking the approach. Chances are s/he has no experience doing supplier assessment and development and are doing what feels comfortable.