An April 12 FDA Warning Letter issued to the head of Abbott’s cardiovascular and neuromodulation division alleges quality system (QS) regulation violations involving St. Jude Medical defibrillators and a wireless home monitor device. Sent after battery supply and cybersecurity concerns associated with the products, the letter is a reminder of the depth with which the agency can scrutinize a device manufacturer’s QS operations, particularly in the wake of high-profile product problems.

The letter from the FDA Center for Devices and Radiological Health Office of Compliance to Abbott details the company’s alleged failure to adhere to its own corrective and preventive action (CAPA) procedures, to fully consider warnings provided by a product component supplier and to control the distribution of products subject to a company recall, among other agency concerns.

In the letter the FDA raised allegations related to an internal analysis that allegedly failed to disclose a patient death to management or a company medical advisory board (MAB), as well as the alleged shipping and implantation of defibrillators that had been subject to a manufacturer-initiated recall.

Background

The Warning Letter focused on several models of implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators manufactured by St. Jude Medical Inc., as well as a St. Jude monitor used to transmit and receive radiofrequency signals containing data stored on the devices. Abbott completed its acquisition of St. Jude Medical in January 2017.

The defibrillators were the subject of an October 2016 Class I recall and an FDA safety communication following reports of premature battery depletion in the devices. In addition, the products were the subject of a January 2017 FDA safety communication alerting patients, caregivers and health care providers to cybersecurity vulnerabilities in the monitor, which the agency said could allow unauthorized users to remotely access the devices.

The letter’s allegations of QS regulation violations resulted from a February 2017 inspection of a company facility in Sylmar, Calif. The letter included the FDA’s concerns about a company response to the Form FDA 483 list of inspectional observations issued by agency investigators following the inspection.

CAPA Issues

In the letter, the FDA detailed the results of its review of internal company product analysis reports produced between 2011 and 2014. The reports showed that, after a supplier analysis showed that lithium cluster bridging in the devices — short-circuiting caused by lithium deposits — had prematurely drained their batteries, the company “repeatedly concluded that the cause of the premature depletion of [the] batteries ‘could not be determined.’” In addition, the FDA found, the company “later categorized these as ‘unconfirmed’ lithium bridges.”

The agency concluded that the company “underestimated the occurrence of the hazardous situation,” thereby failing to follow a CAPA procedure mandating that “the level of corrective action and preventive action shall be commensurate with the significance and risk of the nonconformance.”

The company mistakenly based its risk evaluation on “confirmed” cases and did not consider “the potential for ‘unconfirmed’ cases to be shorts” — thereby allegedly delaying initiation of another CAPA until December 2013, according to the agency. Distribution of the devices containing the faulty batteries continued until the October 2016 recall, the FDA said.

The company’s actions constituted a violation of its regulatory responsibility to establish and maintain procedures for implementing CAPAs, the letter alleged. The FDA said that it could not fully analyze the company’s response to the issues but noted that the response failed to document implementation of corrective actions.

The company also allegedly failed to follow its CAPA procedures in its response to an August 2016 third-party report regarding the monitor’s cybersecurity vulnerabilities.

“Your firm did not confirm all required corrective and preventive actions were completed, including a full root cause investigation and the identification of actions to correct and prevent recurrence of potential cybersecurity vulnerabilities, as required by your CAPA procedures,” the FDA said. “Additionally, your firm did not confirm that verification or validation activities for the corrective actions had been completed, to ensure the corrective actions were effective and did not adversely affect the finished device.”

A third CAPA violation centered on the alleged failure of the company’s management review and medical advisory boards to receive “relevant and complete information” about the premature battery depletion problem, the FDA said. Two November 2014 presentations to the boards “did not include information on the potential for ‘unconfirmed’ cases to be shorts,” the agency alleged, “despite possessing evidence provided by [the company’s] supplier .... This resulted in significant underestimations of the probability of occurrence of the hazardous situation.”

The FDA also alleged that both presentations “stated there [was] no serious injury or death directly related to lithium cluster formations” — despite an analysis of a returned device related to a patient death. The analysis, completed approximately 10 weeks before the presentations were made, “concluded the cause of premature battery depletion ‘could not be determined’ despite evidence of lithium bridges, provided by your supplier,” the agency said. “This death was not disclosed in these presentations for management or MAB review.”

Controlling Nonconforming Product

The agency also alleged that, in its handling of the October 2016 recall, the company violated its regulatory obligation to control product that does not conform to required specifications.

After the recall was announced, the FDA said, 10 ICDs subject to the recall were shipped from distribution centers to field sales representatives. In addition, the agency alleged, shortly after the recall was initiated, seven more ICDs subject to the recall and in the control of sales representatives were implanted into patients.

Design Output Verification

In the letter, the FDA also said that the company failed to fully verify a design output requiring that the monitoring device “shall only open network ports to authorized interfaces,” as specified in the product’s software system requirements.

According to the agency, the firm’s testing procedures showed that “the requirement was only partially verified by testing that the network ports opened with an authorized interface.” The company’s testing procedures, the FDA said, “did not require full verification to ensure the network ports would not open with an unauthorized interface.”

Risk Analysis

The Warning Letter also alleged that the company failed to ensure that its devices’ design validation included appropriate risk analyses, as required by the QS regulation. The FDA said that the company “failed to accurately incorporate” the findings of an April 2014 company-commissioned third-party assessment of the company’s cybersecurity risk analyses for its high-voltage and peripheral devices.

Specifically, the agency said, the company “failed to accurately incorporate the third-party report’s findings into its security risk ratings, causing [its] post-mitigation risk estimations to be acceptable, when, according to the report, several risks were not adequately controlled.”

The third-party report also identified the devices’ hardcoded universal unlock code as an exploitable cybersecurity hazard, the FDA said. Despite a company standard operating procedure, it alleged, the company “failed to properly estimate and evaluate the risk” associated with the code in the devices’ design.

In addition, the agency alleged, the company “failed to identify lithium clusters as a hazardous situation and a potential cause for premature battery depletion through its risk management process” — despite a September 2011 returned product analysis for a device explanted the previous July that reported evidence of lithium ion cluster formation on the product.

The letter called for Abbott to tell the FDA within 15 business days the steps it would take to correct the alleged violations and to prevent their recurrence.

In an emailed statement, Abbott said, "At Abbott, patient safety comes first. We have a strong history and commitment to product safety and quality, as demonstrated by our operations across the company. Abbott acquired St. Jude Medical in January 2017; the FDA inspection of the Sylmar facility, formerly run by St. Jude Medical, began on February 7; and we responded to the 483 observations on March 13, describing the corrective actions we are implementing. We take these matters seriously, continue to make progress on our corrective actions, will closely review FDA's Warning Letter, and are committed to fully addressing FDA's concerns."