Re: Trusting ISO 13485 Certification of a Supplier... A Sad Story
Thank you for this detailed history Sidney; I was questioned somewhat severely by someone at an IAF meeting in Rio, after some organization had a problem with a medical device, and the company was ISO 13485 certified. As you point out, and as we all know, Quality Managements Systems are an important part of product quality, but they cannot be fully relied on, alone, to address all aspects of medical device safety and effectiveness.
I was talking with a former FDA official last week about the FDA "Certificate to Foreign Government" (CTFG)and how they state:
"The manufacturing plan(s) in which the product(s) s produced is subject to periodic inspections. The last such inspection showed that the plant(s), at that time, appeared to be in substantial compliance with current good manufacturing practice requirements for the product(s) listed above".
I explained that the (CTFGs) have been viewed as FDA Quality System Certificates, because the GMP referred to infers that the FDA Quality System was operating "substantially in compliance" at the time of the inspection.
The CABs, like FDA, really cannot be there every day, and anything can happen after they leave, which could throw a wrench in the system, but a good QMS will catch problems that will inevitably arise and resolve them through a good feedback and CAPA system. I usually tell people, at the very least, I like to know a company has a QMS, so I can talk about CAPA with them, if something goes bad, and we can dig down to the root cause. Quality Managers know CAPA well. Production managers, sales and even engineers, do not always go far enough.
It has been my experience with FDA, they are very focused on the "attitude" of the Quality Department and Management toward the common goal of providing safe products, and reporting problems quickly. "Attitude" energizes reactions when problems occurs, and so bad attitudes will certainly present a serious concern to FDA. Genuinely good attitudes realize we are on the same team.
So feel it is wrong to characterize the CABs and Accreditation system as a failure, because it cannot succeed 100% of the time from eliminating problems occurring in the market. FDA doesn't claim their own inspections should be trusted so much. What we do know, is that proper vigilance from within and from outside CABs, and up the entire accreditation chain, is ideal.
I have mentioned in this or other posts, how shocked I was to hear so many reports from the field, after the IAF program went into effect Fall 2012, of the other regulatory audits from CABs and Canadian CMDCAS being improved. We had no intention on affecting these other regulatory audits. It happened because CE and CMDCAS auditors were required to meet the IAF requirements during the very same combined audits.
Before the IAF program went into effect, the softer (vague competency “requirements” for CE and CMDCAS CABs) created a wider range of variability in the competency of the audit teams. I learned that some CMDCAS and CE audits had to be entirely re-planned after fall 2012, since the audit teams for CMDCAS and CE didn’t have competent enough auditors to meet the newer, and more specific requirements of IAF MD9.
The requirements were not meant to be more difficult, but they eliminated use of auditors that lacked sufficient ISO 13485 auditor competency and experience, which most would have expected to exist under ISO 13485 CMDCAS and CE (Annex II and Annex V) type audits. This was not necessarily a widespread problem, but it did happen.
It happened this way; Since the Accreditation Assessors were going to be checking on these new IAF competency requirements, ANNUALLY, the CABs, wanting to maintain their international accreditation, had to adapt to the IAF requirements quickly for their upcoming combined audits, or risk losing their international accreditation for ISO 13485.
The new IAF Accreditation requirements were designed to be effective conformity assessment tools, with improved clarity of the specified requirements. The more loosely stated competency requirements that had been enforced by Notifying Authorities couldn't be used to excuse CABs from such variability as existed in their competency requirements, which I noted in their "designated authority handbook"; You cannot assess things that are not specific enough to assess. You cannot have "soft" requirements, and then expect to issue nonconformities. I have seen these things appearing now in MDSAP requirements for competency of Regulator assessors, and this creates inconsistency among those that use "soft requirements". It is also what has been identified as creating the variability among regulators performing notification activities in Europe. In fact the German regulators in 2008 propose the regulators consider using IAF created standard ISO 17021, to help align the "Notification" activities. But what about the ISO 17011 requirements for the Notifying Authorities themselves???
So we merely interpreted the intents, based on standard practices of 4 major notified bodies, who also provided ISO and CMDCAS audits. I would compare this to tightening a tolerance by providing a tolerance level. Yes, tolerance does provide variability, but we understand that risks of devices are afforded tolerances as well, even in the regulated QMS (e.g. Design Controls are exempt for lower risk devices for FDA, Health Canada and EU Directives).
What we have now, are more specific requirements for ABs and CABs, that are being enforced through IAF assessments of ABs and their regional group members, improved AB assessments of CABs, which are inculcated into the entire chain ANNUAL assessments and additional assessments when changes to a new Main Technical Area Scope (per IAF MD9 Annex A), so that our ISO 13485 audits are more consistent, across the globe.
As these improved assessments are also frequent (6 to 27 times as frequent as the FDA inspections performed overseas if you belief the 2008 GAO report data is still relevant) this certainly increases the number of audits that show “substantial compliance to the ISO 13485 QMS standard. Is it perfect? Is anything?
Would we dare say we can eliminate crime by having enough police officers? Would we argue that when a murder, rape, or theft occurs, law enforcement has failed us? Keep in mind, the US FDA is indeed a law enforcement agency, and they conduct many “for cause” inspections when things go bad. Had they been in the factory every other year, as mandated by Congress; would we have a whole lot less “for cause” FDA inspections? Are we willing to pay for 5X more FDA investigators and their international travel, hiring of local interpreters, etc? Do we need to suddenly move toward that opposite extreme? Most medical devices really couldn’t cause a safety risk (serious injury or death). Many are safer than the tools you buy at home depot, but certainly provide for billions of meaningful treatments.
Last edited by gramaley; 9th March 2015 at 01:22 PM.