ISO Certified? So What?

A Canadian medical device company, with an ISO 13485 certification, has been selling its diagnostic product in Canada and was in the process of expanding its market into the United States.  As a measure of reassurance that the company was ready for an on-site FDA visit, it retained The Practical Solutions Group, LLC to perform a mock FDA inspection.  On the surface, the company had the requisite operations, processes and controls that were necessary to qualify it for the ISO 13485 certification. 

Given all that, for the purposes of the mock FDA inspection, we focused on the company's records and data that supported of the clinical studies conducted in the United States and, to our surprise, we identified numerous inadequacies in the company's Quality System.  The following represents a sample of the inadequacies identified:

1. Several unexplainable accountability issues regarding labeling and packaging of the clinical supplies were noted in the packaging and labeling records.
2. Numerous controls regarding process validation, product handling, and equipment adjustment/calibration/maintenance were either missing or inadequate.
3. Independent audits performed by the company were ineffective in that numerous non-conformances (83-pages worth of them) were not identified by the company's QA.
4. The company failed to implement effective and timely follow-up corrective actions, including re-audits of the vendors who were listed as the root cause of some of the regulatory deficiency issues.
5. There was no evidence that the process and environment are controlled and monitored to the expected degree.
6. Numerous activities, records and approvals required by the Quality System Regulation have not been provided for in the Quality System, and other requirements that were included in the Quality System have not been complied with.

So given the status of the company's lack of readiness to host an FDA inspection for its PMA submission, we suggested that the client do the following:

1. Hire a full-time, seasoned QA professional, experienced with both ISO and FDA requirements, to remedy the quality-related issues.  This would be more beneficial than employing external consultants because such a move would allow the company to retain the institutional knowledge of the details of the policies and procedures adopted.
2. Immediately resolve all of the issues relating to numerous questions regarding validity of the information in the packaging and labeling records, which were used in support of the US clinical supplies and which were generated by the third-party vendor.  Without an ability to rely on available packaging and labeling information, an alternative route should be considered.
3. Review all of the additional supporting documentation deficiencies (e.g., equipment/instrumentation, refrigerator, freezer, thermometer, T/H device) in light of their potential impact on integrity of the clinical supplies that were used in support of the US PMA submission.  Justify or negate any negative impact by referencing other existing procedural controls (e.g., QC, historical data).  If other procedural controls are not sufficient, consider justifying or negating the applicable issues through additional testing, stability studies, etc.
4. Adopt a realistic timeline, given available resources, to address all of the identified issues.  Specifically, management indicated that five (5) months would be sufficient to remedy the existing issues, but no resources were available to do the work.

The take away for medical device companies: you are not "bullet-proof" just because you are ISO-certified.  The FDA inspector will focus on your quality system at a level that the ISO auditor will not, and you should be prepared to defend your submission information at that level of detail.