In September, the US Food and Drug Administration (FDA) cited the Canadian firm Cardiomed Supplies Inc. with multiple regulatory violations, including serious basic deficiencies of the company’s quality management system (QMS). Despite this, Cardiomed continues to hold ISO 13485 certification issued by BSI and accredited by the IAF member SCC (Standards Council of Canada).
The FDA Warning Letter cites Cardiomed for having released adulterated medical devices, specifically phlebotomy bags and dialysis equipment. It then details multiple QMS violations which should not be possible under an ISO 13485 certification, since the BSI certificate alleges it audited those areas of the company and then certified that Cardiomed was fully compliant. The FDA reported that Cardiomed’s procedure for corrective and preventive action (CAPA) failed to address basic requirements:
Your “Corrective Action and Preventive Action” procedure (Rev 00 dated 09/05/2017) is inadequate in that:
i) It does not address how identified quality data sources will be evaluated to identify the need to take corrective or preventive action(s).
ii) It does not specify that verification/validation activities conducted for effectiveness and analysis of adverse impact on the device will be performed prior to implementation of corrective and preventive actions.
Both of those requirements should have been assessed by BSI during a Stage 1 audit of ISO 13485 and any subsequent surveillance audit, as they match requirements found in ISO 13485 as well as the FDA’s rules under 21 CFR 820.100(a).
The BSI certificate shown on the Cardiomed site, and verified as current using BSI’s online verification tool, nevertheless shows the company was originally certified in 2011 and is still current on its certification, with an expiration date of December 2018. The BSI certificate is signed by COO Carlos Pitanga; Mr. Pitanga was contacted for comment on how a company awarded a certificate with his signature could later have been found to have basic QMS deficiencies by the FDA. Mr. Pitanga has not yet replied.
BSI is under scrutiny for its role in issuing a CE Mark certification to a company now found to have released defective spinal implants, which are dissolving inside patients and forcing additional spinal surgeries. It is still be investigated whether BSI issued ISO 13485 certification to that company as well.
BSI’s competitor in the field, TUV Rheinland, was recently found criminally culpable for its role in the PIP breast implant scandal, for having granted CE Mark certification to a French firm later found to have released defective products to the market. The spinal implant story is being watched closely to see if BSI faces a similar outcome.
Another BSI client, Collagen Matrix, was also cited for QMS violations by FDA, even as BSI boasts about the client, having published a “Case History” about Collagen Matrix on its website.
The IAF, which oversees the world’s ISO certification activities, has refused to investigate claims such as these, and has ignored all requests for clarification on how certificates can be issued to companies who are later found by regulators or law enforcement to be engaged in violations that should have been caught by auditors within the scheme. The IAF is currently largely managed by a single Canadian consultant, Elva Nilsen, who previously worked for SCC, the body that accredited BSI for the issuance of ISO 13485 certifications. Because each party in the certification chain pays the body above it, the scheme has been criticized as having conflicts of interest baked in, ensuring that certificates are issued to any company regardless of whether their QMS is compliant, and regardless of whether they release deadly products on the market.