Medical Device 3PL Audit: Questions to Ask Before You Sign

Written By Dana Madlem

Picking the wrong fulfillment partner for consumer goods costs you a few angry reviews and a refund or two. Picking the wrong one for medical devices can cost you a recall, an FDA Form 483, or a patient who never received a working device. The stakes are simply not in the same universe, which is why a medical device 3PL audit deserves more scrutiny than almost any other vendor decision you will make.

Most brands rush this step. They get a tour of a clean warehouse, see a slide with a 99.9% accuracy number on it, and sign. Then six months later a temperature log is missing for a shipment of diagnostic kits, or a lot recall takes four days instead of four hours, and the gaps that were invisible during the sales process become very visible during an inspection. The point of an audit is to surface those gaps while you still have leverage before the contract, not after the problem.

This guide walks through the questions that actually matter when you are evaluating a medical device 3PL partner, grouped by what you are really trying to verify: regulatory standing, traceability, storage controls, quality systems, recall readiness, performance, technology, and the contract itself. Ask all of them. The answers, and how readily a provider gives them, tell you almost everything.

Why a medical device 3PL audit is different from a standard fulfillment review

When you vet a 3PL for apparel or supplements, you are mostly checking speed, cost, and accuracy. Those things still matter here. But medical device logistics adds a layer that generic ecommerce fulfillment providers were never built to handle: regulatory compliance, chain of custody, lot and expiry control, sterility, and zero-tolerance accuracy. A mis-picked order or a broken cold chain doesn't just disappoint a customer, it can compromise patient safety and trigger a costly recall.

There is also a responsibility question that catches a lot of device companies off guard. As the device owner, you remain accountable for your product's quality and distribution even after it leaves your hands. The FDA does not accept "our 3PL handled it" as a defense. That means your fulfillment partner is effectively an extension of your own quality system, and you are obligated to qualify them, monitor them, and be able to prove you did both. An audit is how you discharge that obligation and how you decide whether this is a partner or a liability. If you want the broader vetting framework first, our guide on how to choose the right 3PL provider is a useful companion to what follows.

Regulatory and compliance questions

Start here, because everything else is downstream of it. If a provider stumbles on the basics of medical device regulation, the warehouse tour is irrelevant.

Are you ISO 13485 certified and can I see the current certificate?

ISO 13485:2016 is the international quality management standard built specifically for medical devices, and a 3PL that takes the category seriously will hold it (or operate to it under your quality system). Ask for the actual certificate, check the scope statement, and confirm it is current; not expired, not "in progress." Note that as of February 2, 2026, the FDA's new Quality Management System Regulation (QMSR) replaced the old Quality System Regulation and now incorporates ISO 13485:2016 by reference into 21 CFR Part 820, which makes alignment with that standard more central to U.S. compliance than ever. A partner who can talk fluently about that shift, rather than reacting blankly to the acronym, is a partner who has been paying attention.

Are your operations aligned with FDA distribution and cGMP expectations?

Certification is a snapshot; daily practice is the reality. Ask how their receiving, storage, picking, packing, and shipping standard operating procedures map to current good manufacturing and good distribution practice. The right answer is specific and document-backed, not a vague reassurance. This is exactly the bar our own medical device fulfillment operation is built to, FDA-aligned SOPs and cGMP-compliant practices designed in from the start rather than bolted on after a client asked.

Will you sign a quality agreement?

This is one of the fastest filters you have. A quality agreement defines, in writing, who is responsible for what; receiving inspection, storage conditions, complaint handling, deviation reporting, recall execution, record retention. A serious medical device 3PL expects to sign one and may even hand you a template. A provider who hesitates, or who has never heard of one, is telling you they treat your devices like any other parcel. Worth knowing too: the QMSR transition means existing quality agreements often need updating to reflect the new regulation, so ask whether theirs has been revised.

What is your FDA registration status, and do you act as an initial importer?

Depending on the activities they perform, repackaging, relabeling, importing, a 3PL may carry its own FDA obligations, including establishment registration or initial importer duties for devices coming in from overseas. If your supply chain crosses borders, this matters a great deal; pair the conversation with their international 3PL and DDP fulfillment capabilities so customs, duties, and regulatory classification don't become your problem at the dock.

Traceability and documentation questions

If you cannot trace a device, you cannot recall it and you cannot prove compliance. Traceability is the spine of medical device logistics.

Do you capture lot, batch, and serial numbers at receiving?

Traceability that starts at the pick line is already too late. Confirm that every unit is logged into the warehouse management system with lot numbers, batch numbers, serial numbers, and expiry dates captured the moment it arrives and is matched against your purchase order. Ask to watch it happen during your visit rather than taking it on faith.

Is your system UDI-ready?

Unique Device Identification tracking should be native to the platform, not a manual spreadsheet someone maintains on the side. UDI-ready serialization is what makes a fast, accurate recall possible, and it is increasingly a baseline expectation rather than a premium feature. The depth of a provider's 3PL software tends to reveal itself in this answer, strong platforms make serialization and lot-level reporting routine, weaker ones treat it as a special project.

How fast can you produce records if I or an auditor asks for them?

This is the question that separates audit-ready from audit-anxious. You should be able to ask for the complete inbound and outbound history of a given lot, including chain-of-custody logs and quality hold records, and receive it quickly and cleanly. "Give us a few days to dig that up" is a failing grade. During an FDA inspection or your own internal audit, documentation that lives in someone's memory or a tangle of emails is the same as no documentation at all. For a deeper look at how good record-keeping ties back to stock control, our piece on 3PL inventory management is worth a read.

Storage and handling questions

A clean floor is necessary but nowhere near sufficient. Medical devices need conditions, and conditions need to be monitored and proven.

How do you monitor and log temperature and humidity?

For cold chain and environmentally sensitive devices, ask how the facility maintains temperature-controlled zones, how often conditions are logged, what happens when a reading drifts out of range, and whether they work with temperature-compliant carriers for the final mile. Then ask to see a real excursion record. How a provider handled a past deviation tells you more than any policy document about how they will handle yours.

How do you segregate devices by class and risk?

Class I consumer health products and Class II regulated diagnostics should not share a shelf with no controls between them. Look for designated, climate-appropriate zones, sterile separation, magnetic shielding for imaging and diagnostic equipment sensitive to electromagnetic interference, and dedicated handling for fragile or oversized durable medical equipment. Segregated storage is one of the line items every auditor checks, and it is hard to fake on a walk-through.

Do you pick on FEFO logic with active expiry management?

First-Expired-First-Out, not just First-In-First-Out, is the standard for anything with a shelf life, because the oldest stock by date should always ship first. Confirm the system enforces it automatically rather than relying on a picker to read a label correctly under time pressure. Near-expiry and expired stock should be flagged and quarantined, never quietly shipped.

Quality system and SOP questions

Procedures are only worth what their execution proves. Probe how the quality system actually runs, day to day.

How do you handle deviations, nonconformances, and CAPA?

Things go wrong in every warehouse. The difference between a good 3PL and a dangerous one is what happens next. Ask how a deviation gets documented, investigated, and closed, and how corrective and preventive action (CAPA) is tracked. A mature partner has a paper trail showing problems caught, root causes identified, and fixes verified. Notably, the QMSR places real weight on demonstrating risk-based decisions across the whole quality system, so "we noticed it and fixed it" should come with evidence of why and how.

What does personnel training look like, and can you prove it?

The people picking and packing your devices need documented, role-specific training and SOP sign-offs, and those records need to exist on demand. Staff turnover is normal; undocumented training is not. Training and SOP sign-off records are a standard inspection item for a reason.

How often do you run internal audits and mock recalls?

A provider that audits itself before you do is the one you want. Ask for the cadence of internal audits and, critically, whether they run mock recalls and what the measured turnaround was. A mock recall is the single most revealing test of a medical device 3PL, it exercises traceability, documentation, communication, and speed all at once. If they have never run one, you are about to be their first live test.

Recall and reverse logistics questions

Recalls are the moment the entire system is judged. Plan for them before you sign, not during the crisis.

What is your recall turnaround, from notice to isolated stock?

You want a number, backed by a process. With lot-level traceability in place, a provider should be able to identify, locate, and isolate every affected unit fast, hours, not days. Ask them to walk you through the exact sequence: who is notified, how affected lots are pulled and quarantined, and what documentation you receive at the end.

How do you handle returns, refurbishment, and quarantine?

Every returned device should be received, inspected, logged, and then quarantined, restocked, or routed for repair according to your protocols, with full documentation either way. This is where reverse logistics done properly pays off, and where it done poorly creates compliance exposure. The returned data also tends to surface product patterns worth catching early. We have seen a single recurring return comment reveal a sizing or instructions problem a brand had no other way of spotting.

Accuracy, throughput, and SLA questions

Now the operational metrics, but read them in the context of everything above, because speed without control is a liability in this category.

What are your real accuracy and on-time numbers, and how are they measured?

Ask for pick-pack accuracy, inventory accuracy, and on-time shipment rates, then ask how each is calculated and audited. Numbers without methodology are marketing. For reference, the bar we hold ourselves to across our order fulfillment solutions is 99.99% shipment accuracy, 99.9% inventory accuracy, and 99.9% on-time fulfillment, with barcode verification at multiple checkpoints so the accuracy is built into the process rather than hoped for.

What is in the SLA, and what happens when you miss it?

A service level agreement that only describes the happy path isn't an SLA, it's a brochure. Look for committed processing windows and same-day cutoffs (ours is a 12pm cutoff for same-day shipping), defined delivery targets, and, this is the part most brands forget to negotiate, the remedies when a target is missed. What credits, escalation, or corrective steps are triggered? Get it in writing.

Can you scale through a demand spike without breaking?

Medical device demand is rarely smooth. A new clearance, a flu season, a pandemic, volume can jump overnight. Ask how the provider has absorbed a real surge in the past and what the operational ceiling looks like. Scaling without disruption is one of the clearest signals you are dealing with a capable 3PL company rather than one that will buckle the first time you succeed.

Technology and integration questions

The platform underneath the operation determines how much visibility and control you actually get.

Do I get real-time inventory and lot-level reporting?

You should be able to see exactly what is in stock, down to the unit and the lot, at any hour, without emailing your account manager. Real-time inventory visibility, automated reorder alerts, and lot-level reporting through a client portal are the difference between running your business and guessing at it. The strength of a provider's warehouse management system is what makes all of that possible, so dig into it. If you want to understand what good reporting unlocks, our overview of 3PL analytics covers the metrics that should be at your fingertips.

Will you integrate with my sales channels and my buyers' systems?

For direct-to-patient brands, confirm clean connections to Shopify, WooCommerce, Amazon, and your ERP. For institutional sales, EDI capability is non-negotiable; hospitals, surgical centers, and group purchasing organizations have strict, unforgiving requirements for packing lists, labeling, and delivery windows. Check the breadth of available integration partners and make sure your specific stack is supported before you sign, not after. Many device companies run both motions at once, which makes B2B 3PLand D2C fulfillment under one roof a meaningful advantage.

Who owns the data, and can I export it?

Your inventory, order, and traceability data is yours. Confirm you can export it in full at any time, and clarify what happens to it if the relationship ends. This is partly a compliance question and partly an exit-strategy question, and the answer should never be "you'd have to ask us."

Contract and commercial questions before you sign

This is the section the title promises, and the one where leverage quietly evaporates the moment you commit. Read every clause as if you will one day need to rely on it, because you might.

Is the pricing genuinely transparent?

Medical device fulfillment quotes hide a lot of detail. Ask for a full breakdown, receiving, storage, pick and pack, kitting, special handling, returns, account management, and any minimums or peak surcharges. Then ask what is not included. Our breakdown of how much a 3PL costs is a good reference for spotting the fees that tend to live in the fine print.

How are liability, indemnification, and insurance handled?

Confirm the provider carries appropriate cargo and product liability coverage, and read how liability is allocated if a device is damaged, lost, or shipped in error. Pay special attention to who bears the cost of a recall caused by a fulfillment error, this single clause can be worth more than the entire annual contract value. Don't accept hand-waving; get the limits and the allocation in the document. Our deeper guide to 3PL contracts and the clauses worth negotiating is essential reading before you put a signature on anything.

What are the term, renewal, and exit conditions?

Look hard at contract length, auto-renewal triggers, notice periods, and; most important, offboarding. If you ever need to leave, how do you get your inventory and your data out, how long does it take, and what does it cost? A partner confident in their service makes leaving straightforward. One that locks you in with painful exit terms is hedging against their own performance. Thinking through the relationship as a long-term arrangement, the way we frame it in understanding 3PL partnerships, helps you negotiate terms you can live with for years.

Does the contract cover business continuity?

Ask what happens if a facility goes offline; fire, flood, system outage, regional disruption. Multi-location 3PL distribution and a documented disaster recovery plan keep devices moving when one node fails. For products that patients depend on, continuity is not a nice-to-have.

References, value-added services, and the on-site audit itself

Two things no slide deck can substitute for: talking to people who already trust this provider, and seeing the operation with your own eyes.

Can I speak to current medical device clients?

Ask for references from companies with regulatory profiles similar to yours, and ask them the uncomfortable questions: How did the 3PL handle a deviation? A returns spike? An audit? A near-miss? Tenure matters too, a provider with decades in fulfillment and a roster of device and health brands has absorbed problems a newer entrant hasn't met yet.

Do they handle the value-added work my product needs?

Procedure pack assembly, sterile packaging configuration, tamper-evident sealing, custom kit building, many devices ship as assembled or configured products, not loose units. Confirm the provider offers the kitting services and value-added assembly your product requires, with documented SOPs that keep every kit consistent whether you ship fifty or fifty thousand.

Will they let you run a real on-site audit and a mock recall?

The final test is willingness. A medical device 3PL with nothing to hide will welcome an on-site audit, walk you through their documentation, and let you initiate a mock recall on the spot. Reluctance at this stage is the loudest answer you will get in the entire process. Sign with the partner who invites the scrutiny, not the one who manages around it.

A pre-signing audit checklist

Bring this with you. If a provider can't satisfy most of it, and explain the rest, keep looking.

  • Current ISO 13485:2016 certificate, with scope reviewed, plus a clear position on QMSR / 21 CFR Part 820 alignment

  • FDA-aligned SOPs across receiving, storage, picking, packing, and shipping, and confirmed cGMP / good distribution practices

  • A signed quality agreement defining responsibilities, with FDA registration and initial importer status clarified

  • Lot, batch, and serial capture at receiving, with UDI-ready serialization and FEFO expiry management

  • Audit-ready documentation produced on demand: chain-of-custody, receiving inspection, and quality hold records

  • Temperature and humidity monitoring logs, device-class segregation, sterile and magnetically safe zones

  • Documented deviation, nonconformance, and CAPA processes, plus personnel training records

  • A real internal audit cadence and a measured mock recall turnaround

  • Defined accuracy, inventory, and on-time SLAs with stated remedies for misses

  • Real-time inventory and lot-level reporting, the integrations your stack needs, and full data export rights

  • Transparent pricing, clear liability and recall-cost allocation, and fair term, renewal, and exit conditions

  • Medical device client references, relevant value-added capabilities, and a standing invitation to audit on-site

None of this is bureaucracy for its own sake. Every line traces back to the same thing, a device that reaches the right patient, in the right condition, with a record proving exactly how it got there. If you are weighing whether you even need this level of partner yet, our take on when to use a 3PL and the difference between 3PL and 4PL models can help you frame the decision. And if your operation has outgrown spreadsheets and a shared warehouse, the foundation worth building on is purpose-built 3PL fulfillment rather than generic shipping.

Dana Madlem
Next

UPS vs USPS vs FedEx: 2026 Cost Comparison & Performance Data