How Did September 11th Affect Security?

Two decades ago, the United States was involved in a horrendous tragedy on September 11th, 2001. On September 11th (9/11) four planes flying over the eastern US were seized simultaneously by small teams of hijackers. They were used as giant missiles to crash into well-known landmark buildings in New York and Washington, DC. This attack changed America forever.

The next terror attack may not come via airplanes but via cyber-attacks. The Department of Homeland Security has shifted its focus towards cyber threats and domestic terrorism. A recent Presidential Executive Order has asked all agencies to focus on securing the cyber networks of our nation. Although the United States is more secure than it was twenty years ago, it is important that we keep track of our cybersecurity. The majority of security risks today are viewed as targeting the networks and hardware that planes and airlines rely on.

The most common cyber threats that we have encountered are phishing, ransomware, and supply chain attacks. It is important to make sure that your organization has a strong cyber security system. Taking ISO 27001 lead auditor training will provide many benefits to an individual who is seeking to keep information assets secure. This standard is the only auditable international standard that defines the requirements of an information security management system. ISO 27001 contains a set of policies, procedures, and systems that manage information risks such as cyber-attacks, hacks, data leaks, or theft. This specific lead auditor training can help improve your organization’s cybersecurity strategy. Big companies, as well as small and medium firms, should be interested in the ISO 27001 standard.

At QMII, we offer an ISO 27001 (information security) lead auditor training course. Information security is important to any business. It helps protect companies’ data, which is secured in the system, from malicious purposes. The goal of information security management is to ensure businesses have balanced protection of the confidentiality, integrity, and availability of data. It is important to identify all potential risks to information security in your ISO 27001 risk assessment. Terrorist attacks are one of these threats. By enrolling in an information security course with QMII, students will be given an understanding of the requirements of ISO 27001 as well as how to relate those requirements to an information security system. Lead auditor training gives students an understanding of the requirements of this standard and how to relate it to an information security management system. Organizations need an effective information security management system in order to effectively manage challenges. To learn more about ISO 27001 lead auditor training, visit our website and join us in our next course.

Quality Without Question

As I was driving home from work, I noticed the following on the back of a vehicle: “Quality without question”. This got me thinking about the message that was being conveyed. Did the organization mean to convey that their quality was great and should not be questioned? That a customer should take their word just because they say so? For many of us that is exactly what we do when we purchase goods off a grocery shelf. We trust the certified organic and non-GMO ratings that we observe on the packaging. But should one question these, and how should an organization decide when to?

To check or not to check

ISO 9001 is an internationally accepted standard that sets out the requirements for companies looking to implement a quality management system. While ISO 9001 allows an organization to self-declare, many organizations choose to go ahead and pursue certification. This is because it demonstrates to the customer an external, independent validation by a subject matter expert of the organization’s ability to manage risks and enhance customer satisfaction.

In many cases though, these companies are often audited by customers, especially in highly critical industries where the margin for error is very small. ISO 9001 does not require companies to audit their suppliers but asks organizations to determine the type and extent of control they intend to apply. In determining the type and extent of control, consideration should be given to the perceived effectiveness of the supplier’s controls. Essentially, can the system controls be trusted to effectively manage risks and deliver? This becomes the basis for the decision to check or not.

But we don’t have the resources to audit

This is often the case for many small businesses and perhaps even for some governmental organizations that are limited to one or a few suppliers. In these cases, the organization is still obligated to control the externally supplied process, product, or service. Companies can do this by monitoring metrics such as on-time delivery, sampling incoming items for conformity, and in some cases accepting the external organization’s certification. No matter the approach used, it never absolves the company of ensuring control of the outsourced process, product, or service.

In the case of critical items or a single supplier, the organization may choose to sample 100% of all incoming items and decide over time, based on the results, whether to continue with a large sample size or reduce to a smaller one. Here also the aspect of resources plays a part. In cases where the resources cannot be made available, the leadership must acknowledge and accept the risk.

In conclusion

Quality must always be questioned, first internally by the organization itself and checked through its processes. It must also be questioned by the customers on a case-by-case basis. Quality and systems that are left unchecked and unmonitored will deteriorate over time and perhaps result in a major incident or accident. To learn more about the requirements of ISO 9001, join QMII’s next lead auditor training.

Is your organization ready for MDSAP?

Quality is important in all industries but perhaps more so in the medical industry and for those organizations producing medical devices. Apart from ISO 13485, which defines the requirements for medical device quality management systems, medical device manufacturers also have to comply with the regulations of the country their devices are going to be used within. In an effort to streamline the program for manufacturers, the Medical Device Single Audit Program (MDSAP) was devised. The MDSAP program is an audit of the company against the regulations of five participating countries. It is thus much longer than a regular ISO audit, as it has to assess the system against multiple regulatory requirements.

As your company prepares for this new audit scheme, perhaps the easiest thing to do is a self-assessment. Use the MDSAP audit model guide to assess whether the company processes meet all the requirements. Conduct a gap assessment and then work to fill in the gaps, including keeping records as needed by MDSAP. Just because an organization undergoes MDSAP does not mean that it will not have an ISO 13485 audit, as these are two separate schemes. In conducting the assessment, ensure that the person conducting it is competent to do so. This will avoid any last-minute surprises. Note that the MDSAP model grades non-conformities differently, so use the same scoring scheme to know which priorities need to be addressed immediately.

Is the leadership prepared? Often, in preparing, an organization focuses on the lower echelons and on the processes involved in design and manufacturing. Ensure the leadership is briefed on the model guide and understands the expectations of them. As a part of each audit, the auditing organization (AO) focuses on the management and assesses their commitment to the system. The leadership, once committed, will drive the rest of the organization to follow suit. This will make it easier for those implementing the system and assessing it internally.

Make sure personnel are trained and understand well the expectations of them. QMII offers a variety of MDSAP offerings that are tailored to meet the requirements of the organization, with training for each level of the organization. In addition, QMII also offers ISO 13485 lead auditor training. Organizations must recognize that participating in MDSAP will not exclude them from regulatory audits by other organizations. While the audit program may seem cumbersome at first, there are benefits from participating in it that include reduced costs and a streamlined audit process.

Why pursue AS9100 certification

What is AS9100?

In the aerospace industry, a small error in the supply chain can have catastrophic consequences. AS9100 was developed to manage the extensive global supply chain of aerospace manufacturers and to ensure that each is implementing an effective quality management system. AS9100 is based on the framework of ISO 9001 and follows the same high-level structure. A company conforming to the requirements of AS9100 also meets the requirements of ISO 9001.

AS9100 certification provides third-party validation of the processes an organization has put in place to manage the quality of the product or service it delivers. It can also provide confidence to customers that the organization adheres to the highest standards of quality and safety.

Is AS9100 certification mandatory?

AS9100 and ISO 9001 allow organizations to self-declare conformance. However, if you are looking to do business in the aerospace industry, AS9100 certification is practically mandatory. For a company to be listed on the OASIS supplier database, it will need to have AS9100 certification. Companies not registered with the OASIS supplier database will have trouble doing any business in the aerospace sector.

Is it worth it?

AS9100 certification comes at a cost, of course. There are recurring costs, as recertification occurs every 3 years and annual surveillance audits are conducted in the intermediate years. Developing and maintaining the system will require resources, including training time and time spent on improving processes.

In addition to being listed with OASIS, meeting the requirements of ISO 9001 and AS9100 provides other benefits. One of these is the creation of feedback loops for communicating and implementing opportunities for improvement. Another is that it ensures non-conformities are addressed and that effective corrective action is taken. In addition, it ensures that management remains more involved in the system and that quality is integral to the management system.

What about audits?

While AS9100 certification may reduce the possibility or frequency of a supplier audit, it does not imply that an organization will not get audited. Supplier audits look at an organization’s compliance with supplier requirements as well as the AS9100 standard. Certification to AS9100 also does not reduce the internal checks required by the company. AS9100 certification audits will not go to the same depths that internal audits can, which is why internal audits are vital to the success of the system.

An organization looking to do business in the aerospace industry will need to consider AS9100 certification when implementing a system. Care must be taken in the system implementation not to use a one-size-fits-all template and to make the effort to build a strong management system that will deliver benefits beyond just the certificate on the wall.

TSMS Templates: Are they worth it?

Subchapter M ushered in a new era for the inland water companies within the US towing industry. The need for the regulation was driven by the many accidents that occurred on the inland waters of the US owing to the substandard vessels and incompetent personnel in use. As companies struggle to meet the requirements of the new regulation, those opting for the TSMS option seek documentation templates that will ease the implementation effort. At first glance these seem the ideal solution and a quick band-aid to heal a new wound. However, in the long run companies will find that these templates slowly start failing, and the damage they cause can be quite long lasting.

Subchapter M seeks, through regulation, to usher in greater safety standards for vessels to enable safer operations as well as protection of the marine environment. As with any change, there was tremendous push back against the regulation, to the extent that it took 10 years to come into force. Companies, however, are working to a tighter deadline to implement these regulations. As such, it is in their best interests to minimize the change needed so as to enable greater buy-in. Templates will not enable this and will be analogous to fitting a square peg in a round hole.

For a TSMS compliant with Subchapter M to work, the company should begin by identifying what is already documented. This documentation should be reviewed to ensure that it accurately captures the as-is state of the operations as they are done on board or in the office. Once the system as it exists today is identified, it is now time to compare it against the Subchapter M regulations and note the gaps. These gaps can then be filled in with new processes. Whenever new processes are being developed, the organization should determine the feasibility of implementing them, including the provision of resources. Subchapter M requires a lot of training to be done, but training alone will not enable buy-in from the personnel.

In order for the system to succeed and for all personnel to embrace it, there is a need to keep them involved in the development of the system from the outset. As processes are captured, gain their input on the challenges they currently face or may potentially face. Based on available resources, identify automation options or engineering controls to reduce the chance of human error.

A TSMS developed in this way, based on what is actually done, makes it easier for personnel to implement. It results in smaller changes and a well-accepted, and thus well-implemented, system. Subchapter M regulations do not guarantee safe operations. They do, however, increase the likelihood of safe operations, and a willing workforce increases that likelihood further.

Managing Risks related to ISO 13485

ISO 13485 sets the requirements for a quality management system for organizations in the medical device industry. While there are many mandatory regulatory requirements issued by each country related to medical devices, ISO 13485 remains a voluntary standard. The need for certification to the standard stems either from a customer requirement or from a need to demonstrate to customers that the organization uses a systematic, risk-based approach to managing quality and continual improvement.

The standard was recently revised in 2016 and includes a greater emphasis on risk than the 2003 revision. Risk-based thinking has been emphasized across all ISO requirement standards and is core to implementing a system that is proactive in nature. Risk in its new avatar encourages organizations to look beyond just product safety risk. Organizations complying with ISO 13485 now also have to consider organizational risk and the risk of not meeting compliance obligations. The lifecycle of the product needs to be considered in assessing risks.

Risk, however, can be a subjective topic, and to ensure that an organizational appetite for risk is developed, risk criteria must be determined by the leadership that will then be the basis for all risk assessments. Risk assessment for medical devices uses the same basis of likelihood of occurrence and severity in calculating the overall risk. Organizations may consider a third factor prescribed by FMEA that takes into account the probability of detection, either before the risk occurs or as soon as it occurs, so that the consequence can be minimized.

ISO 13485 clause 4.1.2(b) requires: “The organization shall apply a risk-based approach to the control of appropriate processes needed for the quality management system.” ISO 14971 is another standard that provides guidelines on the risk management framework. In addition to the requirements prescribed by this standard, organizations need to account for performance and compliance risks. In order to address risks posed by software validation and verification, organizations may refer to Good Automated Manufacturing Practice (GAMP). Other risks to consider are the risks from outsourced processes and supplier risks.

Competence of personnel per clause 6.2 of ISO 13485 also poses a potential risk, and organizations must ensure they have the competent personnel needed for the work to be done. Human error owing to incompetent personnel is a common cause of risk within an organization. Mistake-proofing identified risk areas is an effective way of addressing risks within the system. High risks should be addressed to reduce them to an acceptable level. Risks may at times be addressed by accepting them, avoiding them, or even sharing them with another entity. The risk must be addressed using a planned approach and monitored for effectiveness. QMII’s ISO 13485 training provides students with the knowledge of how to identify, analyze, evaluate, and address risks within the system.

ISO training – how much is enough?

We live in a world of super specialization. There seems to be a degree for every field, and then subspecialties and further sub-sub specializations. It is not enough to be a banker anymore; there is a need for specialization in wealth management or mortgages or loans and so on. As the need for specializations and the associated training increases, how does one determine the extent of ISO training needed? This can often be confusing given the plethora of training available.

Before we answer this question, let us consider another. Do we even need training? I am sure that most of you would agree that some form of training is needed. It may be in a classroom environment, done at a school or college, perhaps in-house as on-the-job training, or computer based. Why is ISO training needed? Sometimes it is needed as a means of gaining competence or perhaps to reinforce a lesson lest it be forgotten. The frequency may vary based on the competence of the personnel to start with, as well as the criticality of the issue, such as whether it is a control to mitigate a risk.

In the ISO world the most basic form of ISO training is an investment in the system. It is the building block where an organization gets to explain to the workforce why they need to be involved, engaged, and embrace the system. Essentially, it answers the “what’s in it for me” question. An indirect benefit is that investing in your workforce signals to them that you want them to succeed, and thus improves workforce retention. As a part of this most basic training, personnel need to understand how they contribute to meeting the policy and vision of the organization. They learn the implications of not conforming and how it can impact a customer. An organization should easily be able to do this in-house and should not need an external consultant for this.

The next ISO training to be considered is for management, so they understand their role in the system and how the lack of evidence of management support can kill the system. This too can be provided in-house by the system manager. In our experience, though, management listens more carefully when the information is conveyed by an independent third party. There only remains one more ISO training to consider, and that is auditor training. Auditor training should be provided to at least 5% of the workforce to ensure a good pool of auditors to conduct internal audits. Personnel should be selected for the desired qualities and from across the organization. QMII’s certified lead auditor ISO training and other training options prepare your workforce to enable continual and sustained improvement of your organization.

How to get ISM certified

The ISM Code is the International Management Code for the Safe Operation of Ships and for Pollution Prevention, more popularly known as the International Safety Management Code. The most recent revision of the code was released in 2018 and provides updates to the Resolutions included as amendments to the code. The ISM Code specifies the methods to attain ISM certification.

The regulations were drafted by IMO in an effort to improve maritime safety, and while the code has been hailed as a major contributor, it has also led to increased bureaucracy as well as an increased burden of documentation. As part of the ISM certification scheme there are two certificates needed. One is for the company, called the Document of Compliance or DoC. This allows the company to operate vessels under the ISM Code. The DoC is issued by the Flag State, that is, the country where the company and its ships are registered. The DoC is issued for each type of vessel that the company operates. This means that it cannot operate a bulk carrier if it only possesses a DoC for a container ship.

The next certificate issued under the auspices of the code is the Safety Management Certificate (SMC). This is issued to each ship of the company; in order to get the certificate an audit of the vessel is conducted, and certain criteria need to be met prior to issue of the certificate. The SMC is issued for a period not exceeding five years, and where only one intermediate verification is done, it should be done between the 2nd and 3rd anniversary of the certification.

ISM certification provides validation that both company and ship are operating using a process-based system approach to manage risks and achieve continual improvement. The ISM Code is meant to be a preventive tool and asks companies to assess all risks and then take measures to safeguard against them. Responsibilities and authorities are set out for the various entities involved in the ISM process.

Gaining ISM certification does not guarantee that the ship will be safe or that environmental pollution will not occur. It does, however, provide stakeholders the confidence that non-conformities will be addressed systematically and that, where an emergency does occur, the company and ship will be prepared to deal with it in the best way possible to mitigate consequences. To be successful it needs active involvement by the leadership and needs them to walk the talk. The system must be built around the users and for the users to enable them to succeed.

To learn more about the ISM Code and ISM certification, enroll for QMII’s ISM auditor training.

How is ISO 13485 different from ISO 9001?

ISO 13485 released an updated version of the standard in 2016, but it broke ranks with ISO 9001. In the past the two standards were aligned, with ISO 13485 capturing the additional requirements for the medical device industry. An ISO 13485 overview would reveal that it has retained a lot of the documentation requirements and has not left the standard as subjective as the revised ISO 9001:2015.

ISO 13485 provides the requirements for quality management systems for use by the medical device industry. While it still remains broadly based on the framework set by ISO 9001, compliance with the standard will not inherently mean compliance with ISO 9001. The standard is published by ISO, an international organization. It is assessed by certification bodies across the globe accredited by IAF.

An ISO 13485 overview of the standard will show much more in-depth requirements for risk management. This essentially aligns with the US CGMP regulations as well as regulations by international bodies. The standard for further assessing risk is ISO 14971, which specifically deals with risk within the medical device industry. In due course the US CFRs will be aligned with ISO 13485, and plans are underway for the update.

As a part of risk management of the system, companies will now have to assess and address the risks from outsourced processes, lack of competent personnel, lack of an adequate number of personnel, loss of traceability, failure in testing of the products at relevant stages, failure to address non-conformities in a timely manner, and the documentation of risk itself. Management needs to keep an ISO 13485 overview of their system through the planned management reviews and periodic internal audits. To ensure audits add value, these must be conducted by trained and competent personnel.

QMII’s ISO 13485 lead auditor training prepares your personnel to not only effectively audit the system but also implement it as needed. An ISO 13485 overview version of the course is also available for senior management, so they understand their roles and responsibilities with respect to the standard. Having discussed this, the question often arises whether ISO 13485 is mandatory. As with all other ISO standards, it is not mandatory to implement ISO 13485, though it is mandatory to meet regulatory requirements such as the CFRs and EU MDR. However, implementing ISO 13485 provides confidence to customers that the organization uses a process-based approach to continual improvement.

An ISO 13485 overview of the standard demonstrates that product quality cannot be guaranteed just by implementing the standard; it must be vigorously used. The standard can also be applied to organizations of all sizes.