Is this even required?

Are audits even required? The short answer is, yes. The long answer is, mostly yes.

1st Party Audits

This type of audit is required as part of monitoring and measuring your Quality Management System for conformance, effectiveness, and continual improvement. You must conduct them in accordance with a procedure as part of your audit program. You can find references to this requirement within 21 CFR 820.22 Quality Audit as well as ISO 13485:2016 Subclause 8.2.4 Internal Audit.

Since the QSR is conveniently publicly available, I can provide it as an example.

[Screenshot: 21 CFR 820.22]

If you manufacture medical devices for market under the U.S. FDA’s jurisdiction, you must conduct quality audits. Alternatively, if you have an ISO 13485:2016 compliant QMS, you will conduct internal audits per Clause 8.2.4. as part of the monitoring and measuring of your system’s effectiveness. Many quality management systems combine the two and conduct 1st party audits to both criteria.

2nd Party Audits

Supplier audits are part of initial supplier qualification or of maintaining qualification, and they fall under Purchasing. A supplier audit, or 2nd party audit, is a way of qualifying a supplier of goods or services that could affect the quality of your product. Many regulations allow this to be a risk-based activity. This means that an audit could be part of qualification but not that it always will be. Because 2nd party audits may or may not be part of your purchasing controls at any given time, the long answer is ‘mostly yes’ instead of ‘definitely yes.’ Again, the QSR provides an example.

[Screenshot: purchasing controls]

Section (a) and Section (a)(1) are the important pieces to focus on. It is the ‘evaluation’ that may or may not include auditing. A supplier audit is ‘a’ way to help qualify a supplier, but it is not the only way.

The key phrases are ‘meet specified requirements, including quality requirements’ and ‘The evaluation shall be documented’. That sure sounds like something an audit would do. In quality system terms, a supplier audit would produce an audit report as a process output. That report would be a record that objectively documents findings, both of conformity and nonconformity (… potentially. Nonconformities don’t get fabricated where none are found). Since conformity is merely the fulfillment of a requirement, this means that a supplier audit conveniently meets most of the purchasing control requirements.

ISO 13485:2016 addresses Purchasing in Clause 7.4. It also requires the evaluation of suppliers.

3rd Party Audits

3rd party audits are required, but don’t worry, you will have very little say in them. Sure, you can usually have a discussion about scheduling a certification or re-certification audit. However, don’t expect to tell the FDA to come back later when they show up unannounced for a ‘for cause’ inspection.

3rd party audits are either required by law or to achieve/maintain certification. You can always not have a re-certification audit but it won’t change the expiration date on your certificate.

[Screenshot: FDA article for what should I expect during an FDA Inspection]

For more information, below is a link to the FDA website that the screenshot was taken from.

https://www.fda.gov/industry/fda-basics-industry/what-should-i-expect-during-inspection

Certification Bodies


Certification bodies operating in accordance with ISO/IEC 17021-1:2015, Conformity Assessment – Requirements For Bodies Providing Audit And Certification Of Management Systems – Part 1: Requirements, will audit your Quality Management System.

This will generally happen in 3 steps.

  • Step 1. The Body will conduct a Stage 1 audit to assess the readiness of your system for certification.
  • Step 2. The Body will conduct a Stage 2 audit for certification.
  • Step 3. After successful certification, the Body will conduct regular audits to maintain certification.

Partial list of Certification Bodies (really, like not even close, there are a lot of them)

Make sure that the organization performing certification/accreditation is recognized by the authority having jurisdiction to provide certification/accreditation.

For more information on this, ISO directly recommends contacting the national accreditation body of your country, or the International Accreditation Forum.

https://www.iso.org/certification.html
https://www.iaf.nu/