I'm trying to sort out how our QMS should be corrected to reflect how this currently works as a matter of rule. In particular, I'm trying to sort out whether the upstream aspects of ISO 13485 amount to a viable Corrective and Preventative Action mechanism under FDA rules.
Under the current standards and guidances:
Is a CB mandated to be aware (as soon as reasonably possible) of a regulatory action by a third party, such as an inspection-finding 483 or a Warning Letter issued by US FDA?
Is a CB, having learned of US FDA findings in a Warning Letter, mandated (after verifying the substance of the findings) to take action in regard to any corresponding non-conformances to ISO 13485?
Do I correctly understand per the above explanation of ISO 17011 that an AB is not mandated to take substantial action in the event that a CB does not take substantial action regarding an FDA Warning Letter, etc.?
If all of this is non-mandatory, I don't think it's acceptable under 21CFR 820.100.
If it's not acceptable under 21CFR 820.100, then my company's practice of relying partially or completely (depending on material/service criticality) on third party audits (i.e. ISO 13485 certificates) to implement supplier and material/service qualification under 21CFR 820 is out the window.
Looking back at this old thread, I don't think I'm any more comfortable with the problem I posed above:
If all of this (i.e. followup actions by CBs and ABs) is non-mandatory (and cost and business convenience are allowed considerations), I don't think it's acceptable under 21CFR 820.100.
This is relevant because of FDA's progress toward MDSAP, building on their experience with their current VARSP program which only allows selected CBs to participate. Apparently that participation determination is based on unpublished criteria for rigorousness and reputation, and apparently includes affirmative FDA knowledge of a good correlation between claimed rigor and client regulatory track record.
MDSAP is rumored to be the future of medical device maker inspection in the US. In that regulatory future, FDA inspectors no longer will do QSIT 1/2 inspections; instead all device makers will be required to participate in MDSAP, and FDA inspectors will perform only For Cause, emergency and special-case inspections.
It appears to be the plan that CB participation in MDSAP will work like with VARSP, i.e. FDA decides based on their own criteria, and nothing else is relevant.
If this comes to pass, it will directly address the core complaint I had at the beginning of this thread, which was that some CBs either weren't very good at their job or were looking the other way, and some ABs were not policing those CBs. If the MDSAP program works as I've surmised to date, there'll be no profit in the US/Canada/Brazil/Australia (so far) medical device sector for bad-actor CBs because (presumably) they won't be accepted into MDSAP, and I'm guessing no place for ABs in the medical device sector in those countries because FDA will have taken over that role.
Maybe this not-too-subtle indictment of the core validity of the CB/AB concept is why the EU so far is not participating in the MDSAP program.
