Trusting ISO 13485 Certification of a Supplier... A Sad Story

Ronen E

Problem Solver
Moderator
And what is it about the system that permits incompetent/corrupt/irrelevant CBs to stay in business?

As poetically put by Wes:

the fact in many cases neither audited company nor its customer really gives a rat's patootie for anything more than a piece of paper to fulfill a punch list.
 
Julie O

Yeah, well, you know....companies are just legal constructs, so they can't give a rat's patootie about anything.

If you mean the execs, board, shareholders, then the question is why should they care? Seems like plenty of companies are churning along, getting their ROI, with things as they are. They often don't care too much about anything else, so if anyone is going to care about anything at a functional level within the company, it usually has to be the people responsible for and involved in that function.

I've never known execs or board members or shareholders to get involved in vendor selection. So who is it within the company who is approving vendors based on certification alone? Do they not give a rat's patootie either?
 

Wes Bucey

Prophet of Profit
Yeah, well, you know....companies are just legal constructs, so they can't give a rat's patootie about anything.

If you mean the execs, board, shareholders, then the question is why should they care? Seems like plenty of companies are churning along, getting their ROI, with things as they are. They often don't care too much about anything else, so if anyone is going to care about anything at a functional level within the company, it usually has to be the people responsible for and involved in that function.

I've never known execs or board members or shareholders to get involved in vendor selection. So who is it within the company who is approving vendors based on certification alone? Do they not give a rat's patootie either?
Some companies have executives who are involved and engage in long-range thinking and planning. Some have executives who are not stockholders and worry only about the short-range bonus and leave resolving messes to their successors (if the organization stays in business long enough to hire successors.)

I was a C-level executive for most of my career. The truth is as Julie says: "the primary concern of EVERYONE in the executive suite is $$$!" Most of my career was in investment banking. I had a long period in the 1990s when I was a 50% stockholder and principal officer in a high tech contract machining business. From the late 1960s to my most recent retirement, I created, rescued, re-engineered and made profitable dozens of companies as either the investment banking exec or primary investor.

In every organization, we paid attention to anything and everything that could affect

  1. gross sales
  2. net sales
  3. gross profit
  4. net profit
BUT we had laser focus on "image" and reputation. We certainly would never have used a supplier whose bad reputation could rub off on us. We shopped for and got value for our money. We paid our suppliers in full and usually early, reasoning a supplier pays better attention to a good and prompt paying customer than to one that finds excuses to be late or pay short. We paid our employees good wages and ensured excellent working conditions, facilities, tools. We empowered our employees and as I wrote years ago (2005) about the contract machining business,
"Bottom line:
We treated our operators as true partners. We made sure our suppliers and customers understood the power and authority we gave them. In ten years, they never disappointed us. I hope we never disappointed them."
 
MIREGMGR

The context of this thread is medical device companies. Many of those, I think, are managed by executives who very much want to avoid having to explain to their board, OEM customers and/or end-user customers why a regulator has whacked them for not following the rules, or they've had a major recall, or their products hurt someone that now is suing them.

Maybe I'm atypical, but I've never worked for a medical device company that hasn't had executives above my level that very much understood the ramifications of the above issues and the details of how we could end up there, and were actively eager to avoid them.
 

Wes Bucey

Prophet of Profit
The context of this thread is medical device companies. Many of those, I think, are managed by executives who very much want to avoid having to explain to their board, OEM customers and/or end-user customers why a regulator has whacked them for not following the rules, or they've had a major recall, or their products hurt someone that now is suing them.

Maybe I'm atypical, but I've never worked for a medical device company that hasn't had executives above my level that very much understood the ramifications of the above issues and the details of how we could end up there, and were actively eager to avoid them.
Actually, I think the context of the thread is NOT whether the companies make good products and adhere to regulatory practices as much as it is about whether the executives care whether the third party certificate writer is good, bad, or indifferent, as long as they have the certificate from a valid registrar.

No registrar has ever made a good company bad, regardless of how slipshod the registrar and its employees may be. Executives of most companies DO CARE about the quality of their products (except for some rare frauds in EVERY industry - see my comments below.) Executives DO CARE about following Good Manufacturing Practices because they make sense and help make a company efficient, effective, and profitable. Executives DO CARE about maintaining optimal working conditions for employees because the work product is more efficient and effective.

Comments:
Every industry has a few companies which have frauds, charlatans, and crooks who managed to get in positions of power and look only to enrich themselves. Some are "accidental," driven to bad practices by desperation when something unforeseen puts their operation in jeopardy. Most, though, are sociopaths and psychopaths who consciously set out to enrich themselves without care or regard for downstream consequences. These are the guys who pollute, use shoddy material, exploit workers and suppliers. The problem is, as I wrote years ago in the thread "Ethics - Moral law vs. Criminal law":
What should you do if you find yourself between a rock and a hard place on a question having to do with ethics or criminality?

Some courses of action:
  1. Confirm your suspicion that you witnessed wrongdoing on purpose versus from ignorance. A guy who realizes he transposed his digits the first time he wrote an inspection dimension and erases the error is not a criminal - just a fool. A manager who creates a forged SPC chart to meet a 1.33 Cpk requirement is both a fool and a criminal.
  2. If the wrongdoing is from ignorance, your primary responsibility is to inform someone in authority within the organization so they can investigate and take some sort of corrective or preventive action.
  3. If the wrongdoing is from criminal intent, you ought to determine if it is limited to one individual or is systemic.
  4. If individual, see item (2), unless it is the very top officer; if systemic, or the top officer, see a qualified employment lawyer first, before gathering documents or secret recordings. The primary purpose of the lawyer is to protect you and your family, then to expose the criminal activity to proper authorities, perhaps even to cooperate or collaborate with authorities. Under no circumstances should you attempt to do any cooperation or collaboration with authorities without advice and agreement from your attorney every step of the way.
Summary:
  1. Above all, remember that following a formal legal course of action will result in a more permanent resolution to the problem than a suicidal rush to expose the evildoers.
  2. Not every instance of wrongdoing is criminal or even purposeful, some are just the result of ignorance or stupidity.
  3. If there is any lingering question whether the activities you witness or are being asked to perform are criminal, the input from the lawyer will help resolve that question.
  4. Under no circumstances should you try to steal or copy confidential documents to bolster your case. (Google Mark Whitacre ;)) If, after your conversation with the attorney, referral to legal authorities takes place, they can issue search warrants and go in and seize ALL necessary documents and assure they will be admitted as evidence.
  5. Prepare for the LONG wait. It may be years, if ever, before you can get compensation for wrongful termination.
  6. Disregard tales of anyone who says, When it happened to me, I just told them . . . stop it, or else . . . and they straightened right out. That's pure fantasy. Reread stories about Rich Taus, Karen Silkwood, Ed Bricker, and others for a dose of reality.
  7. Regardless of the fact there is a government route for whistle blowing on a corporation, do NOT take that route without the advice of a lawyer who will protect YOUR interests.
  8. Above all, choose your battles. Consider yourself. Consider your own REAL motive for doing this.
    Are you afraid life, health, safety of people are affected by the wrongdoing? Do it!
    Are you just hoping to get a reward (10% of moneys recovered from wrongdoing corporations?) Maybe do it
    Are you just getting even with the SOB who promoted his brother-in-law instead of you? Think twice.
    Did the guy humiliate you in public and now you are going to get even? Don't waste your time.
 
gramaley

I don't think I have ever read through so many Elsmar Cove posts on any one subject that I am so much involved with.

I just want to start with this one point. Whatever you may think about the company in question, the FDA has cleared all of their products and allows them to be legally marketed.

For my part, I led the development of the new IAF program of accreditation for ISO 13485. It was based on the combined input of four highly respected notified bodies, input from the IAF member Accreditation Bodies, and we included regulators, including a top expert in Quality Systems from the US FDA, Switzerland and a visit from another in Germany. The IAF Accreditation structure was intended to take the existing handbook used for Notified Bodies, the International Accreditation framework of IAF (ISO 17011 and ISO 17021 and several IAF MDs) and look at what Health Canada required of SCC accreditation assessors, witness assessments, etc., and finally, aligned the system into 5 main areas, based on a modified use of an NBOG coding structure. All of this was just intended to capture the current state of regulatory audits worldwide, but enhance the criteria so that we could reduce the vagaries that the regulators had left in place that we knew created disparities in performance among the auditors.

The IAF initiative for ISO 13485 began getting integrated when it went into effect July 2012. I received numerous reports that CMDCAS and CE notified body audits were suddenly being challenged, since the IAF requirements were NOT vague on competency and impartiality, and some of the regulatory auditors had to be replaced. This was a welcome side-effect. We were making regulatory audits better that we had no legal responsibility for.

To be honest, the requirements have challenged the entire chain of accreditation, and since it is now a worldwide program (wherever ISO 13485 certificates are issued, under an IAF member accreditation body), the ABs and CABs have been playing catch-up.

With regard to MDSAP, which intends to use Regulatory Authorities in place of Accreditation Bodies, this is a very difficult challenge for the regulators. In fact, Health Canada has never done an accreditation assessment. Those have always been performed by SCC, and in accordance with ISO 17021. Accreditation Assessors are of course well versed in operating under ISO 17011 and performing assessments against ISO 17021. Now they are having to add MD8 and MD9. Competencies related to medical devices, risk management, etc. are required and audit durations properly reflect the longstanding state of the regulatory audits that have existed (we did not lengthen or shorten the audit durations that medical device manufacturers normally endure).

I want to leave this post regarding the IAF program, and put on my own hat, as a Regulatory Q/RA professional, and partake in some of those other highly relevant discussions.
 

Mark Meer

Trusted Information Resource
Re: Trust of ISO13485 Certification...A Sad Story

We should acknowledge, third party ISO audit is business driven.

I think this is key in discussing the value of ISO certification.

The bottom line is that CBs are vying for your business. If their auditors are overly zealous, you are likely to take your certification elsewhere.

It seems because of the "business driven" element, that CBs may actually have incentive to NOT thoroughly audit the companies they certify.
 
Mrochholz

While this is a challenging situation and a sad story, we should all live by the adage "trust but verify".
 
jaijinedra

Are you talking about the ultrasound warning letter in company Pharmaceutical Innovations?
 
gramaley

From the business angle, a CAB that doesn't operate as it should, cuts audit days too much, uses untrained auditors for the task, these CABs risk losing their accreditation, and with it the value of their certifications.

So go ahead, cut corners if you dare, but THAT is why CABs don't risk cutting corners, "where IAF leaves no corners left to cut".

On the other extreme, if an auditor is enforcing something that is not required, they are taking another risk, of losing a client. We are looking to create equilibrium, not extremes.

CABs are going to be assessed every year by the ABs, to make sure they conform to the IAF requirements for competency, impartiality and audit durations, among many other things. This global network of enforcers is the only way to create equivalency worldwide.

I also want to insert something I learned from a Trade and Standards Specialist that works in Brussels that explained "WTO defines "International" as meaning open to all countries to participate". I have observed organizations that use that term in their name, but are not "International" and alienate other countries so they can shape things quickly, and to serve the narrowest interests of a few countries. Then I have seen organizations like the Asian Harmonization Working Party, which is truly "International" as they are open to all, and indeed, Latin American, Middle Eastern and African nations are welcomed to join.

All of these countries need solutions that work for them, and we all need international solutions to help them gain some level of confidence in our certs, as much as we deserve to have confidence in theirs. This is why we need ISO, IAF, IEC and ILAC working with organizations that are truly concerned with protecting workers and patients among the global community we all belong to.

When bad things happen (and bad things will always happen) 1/7000 will die from a car accident in the US. Do we suddenly give up on cars? When an airplane crashes do we stop flying? When a company accidentally, or even deliberately, neglects issues that put others in danger, do we then tear down the entire roadway to international trade and healthcare protection?