Trusting ISO 13485 Certification of a Supplier... A Sad Story

  • Thread starter: MIREGMGR
Re: Trust of ISO13485 Certification...A Sad Story

What about keeping the CB responsible for the supplier ISO 13485 certificate accountable?

Exactly. The FDA should also be investigating all certifying bodies for this organization. The WHOLE point of this proliferation of "TLA-XXXX whatever" standards over the last two+ decades was to get Customers out of the business of auditing their suppliers as it is a colossal expense for both parties.

I'm not saying throw the baby out with the bath water - I'm saying let's make all of our third party auditors accountable, professional and valuable.
 
Re: Trust of ISO13485 Certification... A Sad Story

FDA Warning letters are available @ https://www.fda.gov/ICECI/EnforcementActions/WarningLetters/default.htm You can even subscribe to receive updates via this link.

I subscribe to receive the warning letter updates; however, the particular letter I was interested in was not listed or available at the site. I contacted the FDA and was given instructions on how to request a copy of the letter via the Freedom of Information Act (which I did).
 
Re: Trust of ISO13485 Certification... A Sad Story

I subscribe to receive the warning letter updates; however, the particular letter I was interested in was not listed or available at the site. I contacted the FDA and was given instructions on how to request a copy of the letter via the Freedom of Information Act (which I did).

That's kind of scary. I thought 483 were publicly posted. I wonder why they did not have this one available.
 
Re: Trust of ISO13485 Certification... A Sad Story

This thing kind of scares me. How could a company be making direct product-contact material, with essentially no sterility checks of any kind?

To me, that just borders on criminal negligence. :(
 
Re: Trust of ISO13485 Certification... A Sad Story

That's kind of scary. I thought 483 were publicly posted. I wonder why they did not have this one available.

I wound up exchanging emails with the FDA inspector who wrote the 483 and he advised I would have to go thru the FOIA - no explanation as to why was given.
 
Re: Trust of ISO13485 Certification... A Sad Story

I have two questions. In the warning letters the FDA sends out with the findings, does the Company not have a responsibility to correct those findings in a reasonable time, just like we in automotive with CA's. Why does it say no date given? And why are there still companies operating, that have received findings last year or the year before? Does the finding determine the date? :confused:

My other question is, seeing that the particular company's ISO cert is expiring October 2011, I am wondering if they had their re-cert audit already with the same CB and were re-certified even under the current circumstances. Anyone know?
 
Re: Trust of ISO13485 Certification... A Sad Story

This thing kind of scares me. How could a company be making direct product-contact material, with essentially no sterility checks of any kind?

In fairness, the text of the Warning Letter doesn't preclude that the subject company was having some sterility checking done...just not every batch, and without comprehensive record keeping. The batch the FDA cited was one for which no test was done and/or no records were created, but it's possible that they weren't all handled that way.

As to the contaminated product in the field, it's conceivable that a bacterial colonization of their production system occurred immediately prior to the FDA inspection, rather than being a long-standing condition.

Of course, neither of these interpretations would be a cautious construction of the possible scenarios that might explain what the FDA determined.
 
Re: Trusting ISO13485 Certification of a supplier... A Sad Story

Just so everyone is aware of what is available from FDA...establishment inspection reports (EIRs) are available under FOIA regulations, but you have to follow specific procedures to get the reports. Even if a 483 (notice of adverse finding) is written against the company, you have to go through FOIA procedures to receive the EIR. Warning letters, however, are letters based on very serious findings OR the failure to adequately address 483 findings. These warning letters are published on the FDA website.

So, just because someone had some 483 findings from an inspection, if they take it seriously and address the issue in a timely and effective manner, they will not have a warning letter posted for all to see.
 
Re: Trust of ISO13485 Certification... A Sad Story

I've emailed Orion. After their response or a suitable time, I'll inquire similarly of the AB if necessary.

Responses will be shared here.
Be aware of a new IAF Mandatory Document:
IAF MD 9 :2011 Application of ISO/IEC 17021 in Medical Device Quality Management Systems (ISO 13485)
(Issue 1 Version 2, issued on 15 July 2011)
Sets out the general requirements for bodies operating audit and certification of organizations' Quality Management Systems in accordance with ISO 13485.

This document is not in force yet; application is mandatory from July 15, 2012, forward. However, a couple of aspects that are relevant to your concern expressed in this thread:
4.4 Responsibility
MD.4.4.1
ISO 13485 requires the organization to comply with the statutory and regulatory requirements applicable to the safety and performance of the medical devices.
The maintenance and evaluation of legal compliance is the responsibility of the client organization. The CAB is responsible for verifying that the client organization has evaluated statutory and regulatory compliance and can show that appropriate action has been taken in cases of non-compliance with relevant legislation and regulations, including the notification to the Regulatory Authority of any incidences that require reporting.
9.3.2 Surveillance audit
MD 9.3.2.1
In addition to requirements of Clause 9.3.2.1, the surveillance programme shall include a review of actions taken for notification of adverse events, advisory notices, and recalls.
9.5.2 Short-notice audits
MD 9.5.2
Short notice audits may be required when:
a) external factors apply such as:
i) available post-market surveillance data known to the CAB on the subject devices indicate a possible significant deficiency in the quality management system
ii) significant safety related information becoming known to the CAB

An unannounced or short-notice audit may also be necessary if the CAB has justifiable concerns about implementation of corrective actions or compliance with standard and regulatory requirements.
Besides that, the supplier in case is also ISO 9001 certified. ANAB mandates that all CB's educate their workforce, including assessors, in the Expected Outcomes of Accredited ISO 9001 Certification document.
 

What about keeping the CB responsible for the supplier ISO 13485 certificate accountable? I went to the supplier website and see they have an RvA accredited ISO 13485 certificate. If you were willing to use the certificate as a means of confidence in the supplier and now you feel that the certificate can not be trusted anymore, are you going to let the CB off the hook that easily? By the way, this is the same CB that was "disqualified" from the Canadian CMDCAS program 6 years ago.

It is disheartening when people make broad-brush generalizations about confidence in management system certificates. A few of us, CB's, want to be accountable to the users of our certificates. But if the users don't keep the CB's and AB's accountable to the need to provide confidence via accredited certification, they are just rewarding the certificate-mills, less than serious CB's.

Casting shadows over the whole industry without exercising the process does not add to the solution.

As my Cove signature says, sustainable conformity assessment adds value to all stakeholders. If a stakeholder feels "cheated" (like you, in this case), you need to voice your concern, as pointless as it might seem to you now. Otherwise, where is the hope that the CB's will be pressed into only certifying deserving systems?

Let's think, for a second, what will happen if you decide to stop recognizing management system certificates from your suppliers. What will be the business impact to you? Apparently, based on what you stated, you would have to send representatives to audit your suppliers. Can you afford to do that? Do you have competent QMS auditors to assess your supplier base? How often are you going to repeat the process?

It is time for people to realize that not all ISO management system certificates carry the same credibility. That's exactly why I created the "Should customers influence a supplier's registrar selection?" thread.
I understand and sympathize with Sidney's frustration. It certainly isn't fair to have an ostensible competitor take shortcuts which take potential business, but even worse that the repercussions of those shortcuts result in a taint of your industry so that even the straight arrows who do everything by the book are forced to admit there are bad apples and their stench can start a rot in the entire registrar industry.

Going over the 10 items in the FDA warning letter, I don't see anything there that is not covered under ISO 13485. So, if there is a problem, it lies with the CONFORMITY ASSESSMENT (also known as certification) process.

This process will only work well if all stakeholders keep the parties accountable. For example, in this case, it is very possible that the CB themselves and RvA are unaware of this warning letter. Until someone brings this issue up to them and asks, we will have no idea how serious they are.
You, as a customer of the certified supplier and DIRECT user of the certificate (until the day before yesterday) are in a very good position to ask this question to the CB and the AB.
Yep. It's all very well and good to say we folks who rely on certificates of registration to relieve our organizations of the cost of individual supplier assessments "should" follow through on the report and complaint process, but pragmatism reigns and the money men at the top of the organization are hard put to justify the delay and cost when no immediate amelioration of the problem is forthcoming. How does the aggrieved organization deal while the report and investigation drag on? What if the result comes back, "This was not a systemic problem with the certifying body, but merely an individual 'slip' beyond the scope of the CB's audit."?

The situation described in the OP of this thread is one of the major factors FDA has thus far refused to sign on to the "harmonization" of ISO 13485; it also makes sense that much more attention needs to be paid to contract clauses with suppliers, requiring copies of audit reports (with details of N/C, if any) from CBs and regulators in a due and timely manner.
This process will only work well if all stakeholders keep the parties accountable. For example, in this case, it is very possible that the CB themselves and RvA are unaware of this warning letter.
Similarly, CBs and ABs probably need more reporting rigor when such events occur. It is absolutely unacceptable for any CB to be unaware of an adverse report from FDA or any regulatory body. Organizations holding certificates cannot be allowed to sweep adverse reports under the rug and hide them from both registrar and customer. Do the CB's subscribe to the FDA reports? Do they require their certificate holders to notify them when even the reports that can only be retrieved via an FOIA are issued by a regulatory body?

Similarly, customers dealing with suppliers of products which can contain hidden factors [not capable of being detected in ordinary incoming inspection, but only through destructive testing] which would affect life, health, or safety of users may need to implement programs of segregating samples from random shipments and subjecting them to destructive testing. It seems to me that many of the instances I read about where products are contaminated with disease-causing organisms involve companies which previously had pristine safety records. However, in the weeks or months leading up to the discovery of the contamination, those suppliers exhibited signals (shoddy paperwork, slow or non-existent response to queries or complaints, late shipments, etc.) that all was not right with the supplier. Some customers, once burned by a bad supplier, become much more alert to those signals, triggering deeper investigation, escalated to a higher level than some assistant purchasing agent, into the root cause behind the changes.

(In my own experience, I was burned by a supplier who had a big turnover in employees so that we seemed to be dealing with a new person whenever we talked or exchanged correspondence. The big surprise came when we learned the owner had died, but his widow kept the knowledge secret from customers as she frantically tried to milk money out of the company. Employees who had been loyal to the owner were mistreated and left the company, but were threatened with unspecified harm if they told the "secret." We ended up having to trash $20,000 in parts which had been damaged in contaminated plating solutions. The company was bankrupt so we never recovered the loss. In hindsight, the signals were all there that we should have made an on-site investigation in the two months leading up to our loss.)

I've emailed Orion. After their response or a suitable time, I'll inquire similarly of the AB if necessary.

Responses will be shared here.
Thanks for caring enough!

Exactly. The FDA should also be investigating all certifying bodies for this organization. The WHOLE point of this proliferation of "TLA-XXXX whatever" standards over the last two+ decades was to get Customers out of the business of auditing their suppliers as it is a colossal expense for both parties.

I'm not saying throw the baby out with the bath water - I'm saying let's make all of our third party auditors accountable, professional and valuable.
OK, but exactly WHAT would the regulatory body investigate? What signals would trigger action by the regulatory body?

Just so everyone is aware of what is available from FDA...establishment inspection reports (EIRs) are available under FOIA regulations, but you have to follow specific procedures to get the reports. Even if a 483 (notice of adverse finding) is written against the company, you have to go through FOIA procedures to receive the EIR. Warning letters, however, are letters based on very serious findings OR the failure to adequately address 483 findings. These warning letters are published on the FDA website.

So, just because someone had some 483 findings from an inspection, if they take it seriously and address the issue in a timely and effective manner, they will not have a warning letter posted for all to see.
Yes. In general, I agree with the premise that one or two minor complaints should not lead to public reports which could trigger a panicked exodus by customers, plunging the regulated company into bankruptcy. The question arises about the level of nonconformance which should trigger such a public report. Should it be triggered by implementing a very short response deadline, which, when passed without resolution, means public exposure? Are customers willing to agree to the net cost of regulatory bodies hiring more competent investigators to implement the heightened regulatory activity? (The net cost comes from higher fees paid by regulated companies passed on to customers.)
 