Steris Isomedix Services

STERIS Corporation
Product:facility sterilizes medical devices

1. Failure to establish and maintain adequate procedures for implementing corrective and preventive action, as required by 21 CFR 820.100.
Your CAPA procedure, PROC-00007, Revision 19, is deficient in that it does not adequately describe how to identify, correct and prevent the recurrence of nonconforming product and other quality problems, including any actions necessary to mitigate such risk. For example, the investigation, NC-05731, opened on July 29, 2013 to investigate data manipulation/falsification at the inspected facility where product was overdosed but was subsequently made to appear within specification, did not include a review of all potentially affected products. Specifically, NC-05731 excluded:
all runs that were not suspected overdosed runs. This would include all dosimeters that are read following the possible manipulation of the spectrophotometer to improperly zero the instrument which is not stored in the instrument?s audit trail. If the spectrophotometer is not properly zeroed,

8. Failure to adequately validate software used as part of production and the quality system for its intended use according to an established protocol, as required by 21 CFR 820.70(i). Specifically, actions were not taken to ensure that computer errors would not result in the loss of dosimetry and run dose data from the Dosimetry Measurement Application (DMA) module of (b)(4). For example,

a. The inspection found that 2,900 records were missing from the main table of the DMA module of (b)(4) between the time that it was installed at the Libertyville North facility on November 4, 2011 and November 6, 2013. Each missing record represents an attempt at creating a dosimeter record.

b. Of the 2,900 missing records, 1,623 records/dosimeters (representing (b)(4) irradiation runs) contained dosimetry data and were intentionally deleted from the DMA module. These records contained a calculated dose when they were deleted, and 192 of the dosimeters (representing (b)(4) unique runs) were out-of-specification low (under-dosed).

c. The (b)(4) and DMA systems are set up to automatically discard any dosimeter absorbance readings outside the set operating range of (b)(4) to (b)(4) absorbance units.

We have reviewed your responses to sub-points (a) through (c) and have determined that the adequacy of the responses cannot be determined at this time because your firm?s corrective actions are either on-going or documentation was not provided to allow for FDA review. For example, your responses indicated that the (b)(4) software and system documentation will be remediated, and a full revalidation of the (b)(4) system will be performed; however, this is not complete. In addition, your responses indicated a number of corrective actions to address the specific issues listed above; however, no documentation was included with the responses to verify these actions.

FDA District Office:Chicago District

About the author

Amy enjoys researching and writing about developments in medical technology and how that intersects with US law. She received her J.D. from the University of Florida Levin College of Law in 2020 and now works as a Regulatory Associate for SoftwareCPR®, a general-purpose regulatory consulting firm that is recognized globally for their expertise with standards and national regulations pertaining to medical device, mobile medical app, and HealthIT software.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:




Being Agile & Yet Compliant (Public or Private)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom

Registration Link:

Register Now



Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN, TX) and Canada.