Trusting ISO 13485 Certification of a Supplier... A Sad Story

M

MIREGMGR

This post pertains to the subject-company of [DEAD LINK REMOVED] who have been (but no longer will be, starting yesterday) one of our suppliers.

It's about the worst medical-device-company Warning Letter I've ever seen...even exceeding the Triad situation in a number of respects, especially finding #10.

The subject-company is a maker of ultrasound probe coupling gel, among other products. Such coupling gel is commonly provided to end users in various forms, including pre-sterilized, single-use 20ml foil packettes for ultrasound imaging in medical contexts where materials contacting the patient must be sterile.

As reported in the Warning Letter, an end-user hospital had multiple babies in a neonatal intensive care unit develop infections with pseudomonas aeruginosa. Pseudomonas infection can be lethal, especially to immuno-weak persons such as already-sick/premature infants. An investigation by the hospital revealed that their supplies of subject-company-made ultrasound probe gel in two different package sizes were contaminated with pseudomonas. The hospital filed a mandatory Medical Device Report with FDA, which apparently led to a for-cause inspection of the subject-company.

As the Warning Letter notes, apparently the subject-company hasn't been calibrating or maintaining its in-house sterilizers, hasn't been using validated processes, hasn't been doing sterilization verification-testing (!), hasn't been maintaining a DMR/DHF, hasn't been maintaining a DHR with sterilization batch information, and openly destroyed legally required production records rather than let them be FDA-reviewed.

So, what's my point?

It turns out upon our initial internal review that our Quality and Purchasing folks hadn't physically visited this company to audit them. Instead we trusted their ISO13485 certification, and continued a prior relationship with them that was established by another company we bought some time ago.

In theory, we should be able to do that, right? What does ISO13485 certification mean, if the certificate doesn't indicate that the subject company actually operates according to the standard, and the company has been certified for a number of years so that many audits have (supposedly) taken place?

Bad mistake on our part.

At this point, I'm perfectly willing to change our internal procedures to completely disregard ISO13485 certification as a supplier qualification. If we can't trust any certificate without more knowledge of the issuer's and the individual auditors' track records than anyone will provide to us, it's meaningless.

We need a meaningful, rigorous certification system for medical device companies. ISO13485 doesn't cut it.
 
Last edited by a moderator:

sagai

Quite Involved in Discussions
Re: Trust of ISO13485 Certification...A Sad Story

very thank you for sharing these information, it is really valuable.
I would reflect regarding the ISO13485 certification ...
1.,
I can not recall any earlier ISO13485 audit, when the auditor had more knowledge than we had in the subject of our audit and they always leaving with more knowledge than they arrived. Once I would be grateful to learn something from them in such occasions.
2.,
We should acknowledge, third party ISO audit is business driven.

Regards
Szabolcs
 

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Trust of ISO13485 Certification...A Sad Story

This post pertains to the subject-company of this US FDA Warning Letter, who have been (but no longer will be, starting yesterday) one of our suppliers. <snip>
What about keeping the CB responsible for the supplier ISO 13485 certificate accountable? I went to the supplier website and see they have an RvA accredited ISO 13485 certificate. If you were willing to use the certificate as a means of confidence in the supplier and now you feel that the certificate can not be trusted anymore, are you going to let the CB off the hook that easily? By the way, this is the same CB that was "disqualified" from the Canadian CMDCAS program 6 years ago.

It is disheartening when people make broad-brush generalizations about confidence in management system certificates. A few of us, CB's, want to be accountable to the users of our certificates. But if the users don't keep the CB's and AB's accountable to the need to provide confidence via accredited certification, they are just rewarding the certificate-mills, less than serious CB's.

Casting shadows over the whole industry without exercising the process does not add to the solution.

As my Cove signature says, sustainable conformity assessment adds value to all stakeholders. If a stakeholder feels "cheated" (like you, in this case), you need to voice your concern, as pointless as it might seem to you now. Otherwise, where is the hope that the CB's will be pressed into only certifying deserving systems?

Let's think, for a second, what will happen if you decide to stop recognizing management system certificates from your suppliers. What will be the business impact to you? Apparently, based on what you stated, you would have to send representatives to audit your suppliers. Can you afford to do that? Do you have competent QMS auditors to assess your supplier base? How often are you going to repeat the process?

It is time for people to realize that not all ISO management system certificates carry the the same credibility. That's exactly why I created the Should customers influence a supplier's registrar selection? thread.
 
M

MIREGMGR

Re: Trust of ISO13485 Certification...A Sad Story

What about keeping the CB responsible for the supplier ISO 13485 certificate accountable? I went to the supplier website and see they have an RvA accredited ISO 13485 certificate. If you were willing to use the certificate as a means of confidence in the supplier and now you feel that the certificate can not be trusted anymore, are you going to let the CB off the hook that easily? By the way, this is the same CB that was "disqualified" from the Canadian CMDCAS program 6 years ago.

Well, we already have a policy of not accepting certificates from certain bodies, and this particular CB obviously will go on that list. But there are a lot of other CBs. Do we have to be burned by each bad one in order to find out that we can't trust them? How do we know that we can trust even the ones with supposedly good reputations? How do we quantify and evidentiate a reputation?

It is disheartening when people make broad-brush generalizations about confidence in management system certificates.

My point isn't that there aren't good CBs. It's that ISO13485 as presently constituted doesn't require enough rigor from either certified companies or certifiers and their auditors for third parties like us to be objectively certain that the certified company always does what the standard requires.

We make medical devices. We absolutely require always.

Casting shadows over the whole industry without exercising the process does not add to the solution.

The direction you're advocating is a CB-discipline process. I don't think throwing out a CB will fix the problem. I think what's needed is something well beyond ISO13485, and then more rigorous CB qualification and responsibility.

Let's think, for a second, what will happen if you decide to stop recognizing management system certificates from your suppliers. What will be the business impact to you? Apparently, based on what you stated, you would have to send representatives to audit your suppliers. Can you afford to do that?

Yes. The cost to us of having even one supplier like this will be, in the current instance, much greater than auditing them every six months would have been.

Do you have competent QMS auditors to assess your supplier base?

Noting that the focus would be Critical Suppliers as defined in our QMS, I think so, but if not we'd get more. And our audit teams include a process validation engineer, because we audit to our qualitative standards.

How often are you going to repeat the process?

As often as necessary for us to avoid this happening again.
 
Last edited by a moderator:

Doug Tropf

Quite Involved in Discussions
Re: Trust of ISO13485 Certification... A Sad Story

It would be interesting to know if there were any similar findings during previous FDA inspections.
 
M

MIREGMGR

Re: Trust of ISO13485 Certification... A Sad Story

It would be interesting to know if there were any similar findings during previous FDA inspections.

I've been reviewing the weekly Warning Letter list for the past three years or so. If there was a prior Warning Letter, either I missed it or for some reason it wasn't included in the published list.

Finding #5 does mention that a DHR discrepancy was "documented during a previous inspection". My guess is that a Warning Letter wasn't issued that time.

Perhaps the prior inspection was a normal low-intensity QSIT-1 review, whereas the April-May inspection was a For-Cause and therefore more thorough.
 

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Trust of ISO13485 Certification...A Sad Story

My point isn't that there aren't good CBs. It's that ISO13485 as presently constituted doesn't require enough rigor from either certified companies or certifiers and their auditors for third parties like us to be objectively certain that the certified company always does what the standard requires. ...SNIP.... I think what's needed is something well beyond ISO13485, and then more rigorous CB qualification and responsibility.
Going over the 10 items in the FDA warning letter, I don't see anything there that is not covered under ISO 13485. So, if there is a problem, it lies with the CONFORMITY ASSESSMENT (also known as certification) process.

This process will only work well if all stakeholders keep the parties accountable. For example, in this case, it is very possible that the CB themselves and RvA are unaware of this warning letter. Until someone brings this issue up to them and ask:
What are you going to do about this?
we will have no idea how serious they are.
You, as a customer of the certified supplier and DIRECT user of the certificate (until the day before yesterday) are in a very good position to ask this question to the CB and the AB.
 

Doug Tropf

Quite Involved in Discussions
Re: Trust of ISO13485 Certification... A Sad Story

They apparently are not all published as I recently had to apply for a copy of an FDA warning letter through the Freedom of Information Act.
 
Top Bottom