Featured Product
This Week in Quality Digest Live
FDA Compliance Features
Del Williams
Options to address the risk of combustible dust explosions for NFPA 61 compliance
Doug Folsom
Unpatched vulnerabilities will become increasingly susceptible to cyberattacks
Del Williams
Mitigate risk, prevent safety issues by utilizing closed conveyor systems designed with sanitation in mind
Dirk Dusharme @ Quality Digest
Companies say they plan to pull some or all of their devices
Dirk Dusharme @ Quality Digest
First step, migrate your QMS to a cloud-based electronic quality management system

More Features

FDA Compliance News
Company’s first funding round will be used to accelerate product development for its QMS and MES SaaS offerings
Showcasing tech, solutions, and services at Gulfood Manufacturing 2022
Easy, reliable leak testing with methylene blue
Now is not the time to skip critical factory audits and supply chain assessments
Google Docs collaboration, more efficient management of quality deviations
Delivers time, cost, and efficiency savings while streamlining compliance activity
First trial module of learning tool focuses on ISO 9001 and is available now
Free education source for global medical device community
Good quality is adding an average of 11 percent to organizations’ revenue growth

More News

Grant Ramaley

FDA Compliance

The Beginning of the End for Fake ISO 13485 Certificates

IAF announces the largest technical trade agreement ever prepared for the medical device standard

Published: Tuesday, October 29, 2013 - 09:02

Many of us have heard horror stories about ISO certificates that were fakes, or of medical-device quality system audits being performed by persons who were not competent. A recent report published by the European Commission found that two out of 11 notified bodies were performing so inadequately, they were ordered to stop issuing CE certificates.

Interpol is regularly involved in tracking down fake certificates, while regulators have been losing faith in the entire chain of certification. The International Accreditation Forum (IAF) began to work on a solution to this problem for medical devices in 2007. The last work item to secure the credibility of ISO 13485 certificates worldwide has just been completed.

On Oct. 24, 2013, the IAF announced it is now able to accept applications from accreditation bodies (AB) to join in its multilateral recognition arrangement (MLA) for its new ISO 13485 medical device accreditation. This is the largest technical trade agreement ever prepared for the standard ISO 13485—“Medical devices—Quality management systems—Requirements for regulatory purposes.”

Why is this important? IAF “signatory members” agree to allow special IAF assessment teams to regularly assess them. In turn, the accreditation bodies will be permitted to use the highly coveted IAF MLA mark, which provides worldwide acceptance of the ISO 13485 certificates by other members. Most accreditation bodies are from government ministries, or have a memorandum of understanding with their governments.

In similar fashion, conformity assessment bodies (CAB) that wish to be accredited to provide ISO 13485 certificates must agree to annual assessments by the accreditation body. In turn, they can also apply the IAF MLA mark to any ISO 13485 certificates they issue to manufacturers.

Not only is a robust surveillance system established and maintained by the IAF and its accreditation body members, but the IAF MLA mark also guarantees that the other 70 members of the IAF must recognize these certificates. The incentive for the medical device industry and regulators is not only in gaining an ISO 13485 certificate that will be recognized internationally, but also in knowing these certifications are founded on a robust system that will be routinely managed, year after year, using international standards for accreditation and certification.

This IAF MLA arrangement for ISO 13485 caps off the “trust, but verify” approach the IAF has been using in other industry sectors for 20 years, including aerospace. The IAF is the foremost expert on accreditation and cooperates with regulators and Interpol to identify and take action against fake certificates. It takes complaints from industry and CABs as well, and works closely with ISO to support harmonization of all activities related to accredited certification.

Australia’s Therapeutic Goods Administration has already posted on its website that it will now accept ISO 13485 certificates that have been issued under the IAF MLA. The IAF also provides an advisor to the Asian Harmonization Working Party.

New ISO database of accredited certificates

While attending the IAF meeting in Korea, the liaison from ISO announced that ISO is performing trial runs on a new accredited certificate database. Only IAF-based accredited certificates will be included in the new database. It is expected to begin running for users worldwide around the end of 2014. It will include ISO 13485 and ISO 9001 certificates, as well as other management system certificates that are supported by IAF-based accreditation. The new database will allow manufacturers to more quickly determine if they are holding fake certificates. If the certificate is not listed, it may have been issued by an organization that is not properly accredited, or worse.

How to detect fake certificates

You don’t have to be Sherlock Holmes to detect an unaccredited or fake certificate. It’s pretty straight forward. The hierarchy is: IAF assesses the accreditation body, who in turns accredits the conformity assessment body, who in turn audits a company and issues them a certificate for conformance to a standard, a code of practice, or regulatory requirement. So we just investigate that in reverse. Refer to the graphic below.

Verifying a certificate (click for larger image)

First, look at the ISO 13485 (or ISO 9001) certificate for the company in question. I have included my company, Aseptico, here. The certificate will show both who the CAB is, BSI in this case, and the accreditation body, Standards Council of Canada. So now you go to the CAB’s website and make sure the certified company is listed. Here you see that Aseptico appears in BSI’s database. (You could also do this over the phone with the CAB if their registrations aren’t online.) 

Second, let’s make sure that BSI is indeed covered by the accreditation body shown on the cert. Every AB must make available a list of the CABs it has accredited. This allows anyone with access to the Internet to determine if the CAB was duly accredited. In this case, we go to Standards Council of Canada and we see that, indeed, SCC has accredited BSI.

Finally, in case the AB is one we don’t recognize, we can go to the IAF web site and make sure that it has assessed Standards Council of Canada, which it has. The IAF webpage includes a link to each accreditation body’s webpage.

If you have done all the above, you can be pretty certain that a certificate is not counterfeit and that all the parties involved (company, CAB, AB) all adhere to performance standards.

Medical device regulators have received assistance from the IAF members to detect fake certificates. You may not need to ask the IAF for help, but they care about the users of accredited certification and are most willing to help.

“Certified once, accepted everywhere” is the vision statement of the IAF. It is what drives everything it does. The IAF understands that only a trustworthy certificate is deserving of such broad acceptance. That is why the largest technical trade agreement for medical devices had to involve the IAF. Only accreditation bodies are able to visit every CAB in every country, every year. It’s good to know that a certificate is worth more than the paper it’s printed on, and even better to know the true value of the certificates you already possess.

Discuss

About The Author

Grant Ramaley’s picture

Grant Ramaley

Grant Ramaley is the director of regulatory affairs for Aseptico Inc., a manufacturer and marketer of dental support equipment in the United States and Canada since 1975.  Ramaley also is co-chairman of the Regulatory Affairs and Standards Committee for the Dental Trade Alliance, Convener for the ISO 13485 Medical Device Working Group at the International Accreditation Forum, and Technical Committee Advisor to the Global Harmonization Working Party.

Comments

No restriction in use of fake ISO certificate.

ISO Central Secretariat has shrugged off its burden about taking an action about fake ISO certificate, saying that its not in their administrative jurisdiction. IAF is silent and National Accreditation board of India; NABCB has nothing to do as it has informed the party that the certificate awarded are invalid. The Joint Accreditation System of Australia and New Zealand; JAS-ANZ though assured that they will issue a notice to the party for withdrawal of the fake certificates from their website etc, but, do not keep its promise. JAS-ANZ further stated that in case the party doesn't pay any heed to their notice then they will initiate legal escalation of this issue for cancellation or withdrawal of the fake certificates. Ultimately JAS-ANZ keep silence.

Geological Survey of India, GSI are issued ISO 9001:2015 Certificates [Two certificates] on 12-August-2016. These certificates are declared fake by JAS-ANZ. These certificates are still in use by GSI. Lax regulation about fake ISO certificate give full freedom to certification and accreditation bodies to make ISO Certificate a piece of paper only, which can be obtained by paying a price only for it. Adaptation of standardisation of ISO's level is no compulsion. Rampant misuse, abuse of ISO certification and no concern will soon make ISO a nonentity.  

Rats !

D. Gentile opened a Pandora's vase: it's years we field auditors lament poor control by registrars and accreditation bodies over certificates. It's all about money, money is everything: an Redskin legend asks whether Man could thrive on gold only, when there would be nothing else on Earth. We daily hear of agreements, negotiates, more or less multilateral; but, as it was in the past centuries, Honesty only exists in dictionaries. 

Your claims

I'm all for improvement, but some of what you say is unclear:

"... ISO certificates that were fakes" - what makes a certificate "fake"?

"... audits being performed by persons who were not competent. A recent report published by the European Commission found that two out of 11 notified bodies were performing so inadequately, they were ordered to stop issuing CE certificates. - what is the competency standard? how were the "notified bodies" - registrars? - failing?

"... Interpol is regularly involved in tracking down fake certificates" - in what way is this a legal issue?

"... while regulators have been losing faith in the entire chain of certification" - for what reason?

"The International Accreditation Forum began to work on a solution to this problem for medical devices in 2007. The last work item to secure the credibility of ISO 13485 certificates worldwide has just been completed." - how is this different than what has gone before, and how will it correct the deficiencies which, hopefully, you will identify for this community?

Is it appropriate to expect that QD, as a journal, would apply standards to this "article", or is this a blog or op-ed?

I'm all for regulation if it adds value. IMHO the entire accredition / registration ecosystem has some noble intentions but is compromised by hack registrars giving certificates to hack clients. The problem is some of these hacks are "properly" accredited and registered. I think a system of "labelling" various entities can give someone the warm fuzzies - like purchasing Government Inspected meats at a market - but all too often the Emperor has no clothes. I propose that instead of being labelled as "meeting a standard", the registrars instead should provide an objective assessment of how well, or the extent to which, a client performed certain activities - the kind of assessment that would truly relieve a customer of the need to perform an independent audit. A good/better/best model might air out some of the rot.

Illegality of fake certs

I would add to what Grant said below

In the EU, the CE Mark is legally required for certain classes of products, medical devices for instance. If you sell certain types of medical devices without a CE Mark you are breaking the law. Ditto for claiming to have a CE Mark when you don't (via a fake cert for instance).

For Clarity

Dave, I guess we can divide this into two segments. a) Fake certs, and B) certs that are not fake, but not issued under a structure of credibility (per ISO and IAF accreditation standards).

We all know what a fake certificate is. A fake certificate bears registered marks belonging to an AB or CAB that are not earned. Quality Digest has another article that I believe explains this quite well, and the problems it creates for regulators in the field of product safety, as well as the role Interpol is playing to prosecute this kind of fraud. http://www.qualitydigest.com/inside/twitter-ed/t-v-s-d-intensifies-effor...

The question of competency is certainly the core issue, and there has been, and remains, wide ranging differences of opinion. Our working group at the IAF for ISO 13485 took documents from the Global Harmonization Task Force (GHTF) and other guidance from the Notified Body Operations Group, Designating Authorities Handbook and Canada's GD210, and then collaborated with top experts from AB, CAB, NBs and even regulatory representatives from US FDA, who led GHTF SG-4. We then took all of this, and shook it down to what is now captured in IAF “Mandatory Documents” MD8 and MD9. These became a stake in the ground that would establish competency requirements for ABs and CABs operating in the field of medical device QMS ISO 13485.

So indeed, the competency issue is probably the most important issue of all, but is quite pointless, unless there is a mechanism to assure that these requirements are being met, regularly and globally.

Do regulations add value, well; I'm not going to step into arguing one way or another, because the matter is already settled. If the regulation exists, then it is the law, and I would not risk breaking it. The business risks of not complying with the law are very severe indeed.

The Accreditation Body marks are not something someone can buy. Ask any CAB that has undergone an ISO 17021 and MD9 Accreditation Assessment, and they will tell you, they pay with more than money to carry their accreditation certificate. Competency and management system compliance with IAF/ISO accreditation standards is a full time effort. Some ABs are not willing to apply to the IAF for the new subscope of ISO 13485 for this very reason.

To be honest, this program went into effect July last year, but without the IAF MLA having yet been adjusted to add ISO 13485. Some CABs that had been performing regulatory audits suddenly felt concern to adjust their audit teams, to make sure they had the proper competency to meet IAF MD9. I learned ISO 9001 auditors were leading ISO 13485 audits and even CE audits. Since however the ABs now had IAF MD9 to leverage, the CABs could no longer get away with the lack of specified requirements that had plagued these other regulatory audits. Immediately after July 2012, the IAF program for ISO 13485 began to have a side effect of cleaning up other regulatory audits! Why? Because Accreditation Bodies, could revoke their Accreditation Certificates from the CAB, many who were also Notified Bodies under the Medical Device Directives.

You see, it is not merely the toughest competency requirements that make ABs and CABs perform better, but a regular system of enforcement from IAF assessors of ABs, to AB assessors of CABs, to CAB assessors to manufacturers. The marks are not merely registered trademarks; they are indicators that point to a link in the chain of credible certification.

Thank you

Grant, I appreciate the clarification. When you mentioned "fakes" I thought you meant unaccredited, not falsely advertised - I hadn't imagined any person or organization would fraudulently represent itself the way you described in "broad daylight".