April 14, 2017 — The U.S. Food and Drug Administration (FDA) sent a warning letter to Abbott/St. Jude Medical (SJM) this week blasting the company for failure to address several issues with its implantable electrophysiology (EP) devices. This included failure to take corrective action for flawed batteries in these devices, shipping recalled products to customers, and failure to adequately protect patients with implanted EP devices from cyber attacks.
The warning letter was issued April 12 in response to an FDA inspection that revealed major problems with the Fortify, Unify and Assura (including Quadra) implantable cardioverter defibrillators (ICD) and cardiac resynchronization therapy defibrillator (CRT-D) devices, and the Merlin@home monitoring system used in combination with these devices. “These devices are adulterated within the meaning of section 501(h) of the Act, 21 U.S.C. § 351(h), in that the methods used in, or the facilities or controls used for, their manufacture, packing, storage or installation are not in conformity with the current good manufacturing practice requirements,” wrote U.S. Public Health Service Capt. Sean M. Boyd, MPH, deputy director for regulatory affairs, Office of Compliance, Center for Devices and Radiological Health, at the FDA, in a letter to Abbott’s Mike Rousseau, president of cardiovascular and neuromodulation division.
“The specific violations noted in this letter and in the inspectional observations issued at the close of the inspection may be symptomatic of serious problems in your firm’s manufacturing and quality management systems,” Boyd wrote in the warning letter. “Your firm should investigate and determine the causes of the violations and take prompt actions to correct the violations and bring the products into compliance.”
The FDA gave Abbott / SJM 15 days to respond to the warning letter with how the company plans to address the issues raised by the FDA. Boyd wrote a stern warning: “You should take prompt action to correct the violations addressed in this letter. Failure to promptly correct these violations may result in regulatory action being initiated by the FDA without further notice. These actions include, but are not limited to, seizure, injunction and civil money penalties. Also, federal agencies may be advised of the issuance of warning letters about devices so that they may take this information into account when considering the award of contracts. Additionally, premarket approval applications for Class III devices to which the Quality System regulation deviations are reasonably related will not be approved until the violations have been corrected.”
Abbott acquired St. Jude Medical in January 2017. Abbott issued the following statement, "At Abbott, patient safety comes first. We have a strong history and commitment to product safety and quality, as demonstrated by our operations across the company. The FDA inspection of the Sylmar facility, formerly run by St. Jude Medical, began on Feb. 7, and we responded to the 483 observations on March 13, describing the corrective actions we are implementing. We take these matters seriously, continue to make progress on our corrective actions, will closely review FDA's warning letter and are committed to fully addressing FDA's concerns."
FDA investigators inspected Abbott’s facilities in Sylmar, Calif., Feb. 7-17, 2017, and found the devices did not meet federal standards. Boyd itemized the violations, starting with failure to establish and maintain procedures for implementing corrective and preventive actions to fix the device battery issues.
Abbott’s Failure to Address ICD Battery Depletion
The FDA said it reviewed company product analysis reports from between 2011 and 2014, which showed instances when the battery manufacturer provided evidence that lithium cluster bridging in the batteries was causing premature draining of the battery. However, Boyd said the vendor repeatedly concluded in its own reports that the cause of premature depletion of Greatbatch QHR2850 batteries “could not be determined.” He said Abbott/St. Jude later categorized these as “unconfirmed” lithium bridges.
“By basing your firm’s risk evaluation on ‘confirmed’ cases and not considering the potential for ‘unconfirmed’ cases to have been shorts, your firm underestimated the occurrence of the hazardous situation,” Boyd wrote in the warning letter. “This delayed initiation [of corrective action] until Dec. 18, 2013, and your firm continued to distribute devices containing this battery until October 2016.” He said preventive action is supposed to be commensurate with the significance and risk of the nonconformance, based on severity, probability and detectability.
Read the article "St. Jude Medical Recalls ICDs and CRT-D Due to Premature Battery Depletion."
“The adequacy of your firm’s response cannot be determined at this time,” Boyd wrote. “Your firm provided a summary of, and implementation dates for, several corrections, corrective actions, and systemic corrective actions. However, in your firm’s response, you failed to provide evidence of implementation for your firm’s corrections, corrective actions, and systemic corrective actions.” He explained the company failed to follow the proper Corrective Action and Preventive Action (CAPA) Procedure to properly document its corrective actions.
The FDA also contends that those performing management review and medical advisory boards did not receive relevant and complete information concerning the premature battery depletion issue. The letter says information was only presented on confirmed battery depletions, and left out reports of other battery issues. “The presentation did not include information on the potential for ‘unconfirmed’ cases to be shorts, despite possessing evidence provided by your supplier regarding premature battery depletion caused by lithium bridges,” Boyd stated. “This resulted in significant underestimations of the probability of occurrence of the hazardous situation. Additionally, both presentations stated there were no serious injuries or deaths directly related to lithium cluster formations.”
Boyd said this was completely misleading, since there was already one death reported from the battery depletion issue, and the company had completed its review of the death in an Aug. 27, 2014 report. “The analysis concluded the cause of premature battery depletion ‘could not be determined’ despite evidence of lithium bridges, provided by your supplier,” Boyd wrote. “This death was not disclosed in these presentations for management or medical advisory board review.”
“We have reviewed your response and conclude that it is not adequate,” Boyd told Abbott in the letter. “In your firm’s response, you failed to consider systemic corrective actions and the necessary information to include evidence of implementation for your firm’s corrections, corrective actions, and systemic corrective actions.”
Failure to Address Cybersecurity Vulnerabilities
Boyd said after the company evaluated a third-party report, dated Aug. 25, 2016, which showed cybersecurity issues related to the Merlin@home wireless EP device monitoring system, the vendor did not follow federal guidelines to take corrective action. Instead, Boyd said the company conducted a risk assessment and a corrective action outside of the CAPA procedures. “Your firm did not confirm all required corrective and preventive actions were completed, including a full root cause investigation and the identification of actions to correct and prevent recurrence of potential cybersecurity vulnerabilities, as required by your CAPA procedures,” Boyd wrote. “Additionally, your firm did not confirm that verification or validation activities for the corrective actions had been completed, to ensure the corrective actions were effective and did not adversely affect the finished device.”
The company did revise and update its risk assessment and its corresponding corrective action for the Merlin@home system starting Dec. 7, 2016. However, Boyd wrote, “We have reviewed your response and conclude that it is not adequate. Your firm provided a summary of and implementation dates for several corrections, and corrective actions. However, in your firm’s response, you failed to consider systemic corrective actions and the necessary information to include evidence of implementation for your firm’s corrections, corrective actions, and systemic corrective actions.”
Read the article “Market Report Calls Into Question St. Jude Medical EP Device Safety, Cybersecurity.”
Recalled Devices Shipped and Implanted in Patients
The FDA also stated Abbott/St. Jude failed to maintain procedures to control its recalled products. The example cited was an Oct. 11, 2016, recall for the Fortify, Unify and Assura ICDs and CRT-Ds due to premature battery depletion. However, the FDA said 10 of these ICDs were shipped from the firm’s distribution centers to St. Jude U.S. field representatives. Between Oct. 14-26, 2016, an additional seven ICDs, also subject to this recall and in the control of St. Jude U.S. field reps, were implanted into patients, the FDA stated in the letter.
Failure to Fully Test Design Output Requirements
Another item the FDA cited the company for was failure to ensure that design verification for its Merlin@home system design output meets the design input requirements. The FDA contends the system is only supposed to open network ports to authorized interfaces according to its design documents submitted to the agency. However, Boyd said this design output was not fully verified during the design verification activities. According to St. Jude’s testing procedures, the requirement was only partially verified by testing that the network ports opened with an authorized interface. “Your testing procedures did not require full verification to ensure the network ports would not open with an unauthorized interface,” Boyd wrote.
Failure to Ensure Risk Analysis
Boyd also cited Abbott/St. Jude for failing to accurately incorporate the findings of a third-party updated cybersecurity risk assessment the vendor commissioned on April 2, 2014. Specifically, Boyd said the company failed to accurately incorporate the third-party report’s findings into its security risk ratings, causing post-mitigation risk estimations to be acceptable, when, according to the report, several risks were not adequately controlled.
The FDA said the same report identified the hardcoded universal unlock code as an exploitable hazard for St. Jude Medical ICD devices. The company’s own global risk management procedure requires the firm to assess if new hazards are introduced, or previously identified hazardous situations are affected, by risk control measures.
“Your firm identified the hardcoded universal unlock code as a risk control measure for emergent communication,” Boyd wrote. “However, you failed to identify this risk control also as a hazard. Therefore, you failed to properly estimate and evaluate the risk associated with the hardcoded universal lock code in the design of your high voltage devices.”
The risk management procedure is supposed to be integrated into all product lifecycle stages to assure early identification and timely mitigation of risks that could impact patient safety. However, the FDA contends the cause of premature battery depletion due to lithium ion cluster formation was not identified as a hazardous situation and a potential cause of premature battery depletion through this risk management process.
Read the article "FDA Confirms Cybersecurity Vulnerabilities of St. Jude’s Implantable Cardiac Devices, Merlin Transmitter."
St. Jude Medical issued a statement in January explaining it was working to fix its EP device cybersecurity issues.
“There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said cyber security expert Ann Barron DiCamillo, former director of U.S. CERT and advisor to St. Jude Medical’s Cyber Security Medical Advisory Board. “[This] is another demonstration that St. Jude Medical takes cyber security seriously and is continuously reassessing and updating its devices and systems, as appropriate.”
“We’ve partnered with agencies such as the U.S. Food and Drug Administration (FDA) and the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) unit and are continuously reassessing and updating our devices and systems, as appropriate,” said Phil Ebeling, vice president and chief technology officer at St. Jude Medical, in the January statement.
Read the FDA letter at www.fda.gov/ICECI/EnforcementActions/WarningLetters/2017/ucm552687.htm