Is your organization ready for MDSAP?

Quality is important in all industries but perhaps more so in the medical industry and for those organizations producing medical devices. Apart from ISO 13485 that defines the requirement for medical device quality management systems, medical device manufacturers have to also comply with the regulations of the country their devices are going to be used within. In an effort to streamline the program for manufacturers the Medical Device Single Audit Program (MDSAP) was devised. The MDSAP program is an audit done of the company to the regulations of five participating countries. It is thus much longer than a regular ISO audit as it has to assess the system against multiple regulatory requirements.  

As your company prepares for this new audit scheme perhaps the easiest thing to do is a self-assessment. Use the MDSAP audit model guide to assess whether the company processes meet all the requirements. Conduct a gap assessment and then work to fill in the gaps including keeping records as needed by MDSAP. Just because an organization undergoes MDSAP does not mean that it will not have an ISO 13485 audit as these are two separate schemes. In the conduct of the assessment ensure that the person conducting it is competent to do so. This will avoid any last-minute surprises. Make note that the MDSAP model grades non-conformities differently and so use the same scoring scheme to know what are the priorities that need to be addressed immediately.  

Is the leadership prepared? Often in preparing an organization focuses on the lower echelons as also on the processes involved in the design and manufacturing processes. Ensure the leadership is briefed on the model guide and understands the expectations from them. As a part of each audit, the AO focuses on the management and assesses their commitment to the system. The leadership once committed will drive the rest of the organization to follow suit. This will make it easier for those implementing the system and assessing it internally.  

Make sure personnel are trained and understand well the expectations. QMII offers a variety of MDSAP offerings that are tailored to meet the requirements of the organization with training for each level of the organization. In addition, QMII also offers ISO 13485 lead auditor training. Organizations must recognize that participating in MDSAP will not exclude them from regulatory audits from other organizations. While the audit program may seem cumbersome at first there are benefits from participating in it that include reduced costs and a streamlined audit process.  

How to get ISM certified

The ISM Code is the International Code for the safe Operation of Ships and Prevention of Pollution, more popularly knows as the International Safety Management Code. The most recent revision of the code was released in 2018 that provides updates to the Resolutions included as amendments to the code. The ISM Code specifies the methods to attain ISM certification.
The regulations were drafted by IMO in an effort to improve maritime safety and while it has been hailed as a major contributor, it has also led to increased bureaucracy as also increased burden of documentation. As part of the ISM certification scheme there are two certificates needed. One for the company called the Document of Compliance or DoC. This allows the companies to operate vessels under the ISM Code. The DoC is issued by the Flag State, that is the country where the company and its ships are registered. The DoC is issued for each type of vessel that the company operates. This means that it cannot operate a bulk carrier if it only possesses a DoC for a container.
The next certificate under the auspices of the code that is issued is a safety management certificate. This is issued to each ship of the company and in order to get the certificate an audit of the vessel is conducted, and certain criteria needs to be met prior issue of the certificate. The SMC ISM Certification is issued for a period not exceeding five years and where only one intermediate verification is done it should be done within the 2nd and 3rd anniversary of the certification.
The ISM Certification provides validation that both company and ship are operating using a process-based system approach to manage risks and achieve continual improvement. The ISM code is meant to be a preventive tool and asks companies to assess all risks and then take measured to safeguard against them. Responsibilities and authorities are set out for the various entities includes in the ISM process.
Gaining ISM Certification does not guarantee that the ship will be safe or environmental pollution will not occur. It does however provide stakeholder the confidence that non-conformities will be addresses systemically and where an emergency does occur, the company and ship will be prepared to deal with them in the best way possible to mitigate consequences. To be successful it needs active involvement by the leadership and needs them to walk the talk. The system must be built around the users and for the users to enable them to succeed.
To learn more about the ISM Code and ISM certification enroll for QMII’s ISM auditor training.

ISO 9001:2015 – Exclusions

Exclusions to what an organization does were integral to the ISO 9001 standard prior to the 2015 version update. After all an organization cannot do all the work. Clause 7.1.1 lays the foundation on this thought by accepting that an organization must determine and provide resources. In doing so it determines the constraints and capabilities of the existing resources and what needs to be obtained from external providers. As such in previous standards, the organization, when seeking certification, requested exclusion on those processes that it did not perform.

The drawback of this was a major flaw. Over the period of time, some of these organizations, sheltered under the exclusion provision even lost the ability to pick the correct outsourced party! For example, if the organization builds highways, but outsources bridges and tunnels, then it must have the ability to be able to pick the correct vendor/ contractor who will not let the customer down. The revised 2015 version of the standard therefore in the wisdom of TC-176, removed this exclusion provision. It does not imply now the organization cannot outsource what it does not do. All that it means that the organization can review the applicability of the requirements based on its size, complexity and decide on the activities it needs to outsource.

With the exclusion provision removed, the organization would need to do due diligence in appreciating the range of its activities and the risks and opportunities it encounters as also the effect if any of the outsourced vendors not performing to accepted requirements. The organization then remains accountable for the outcome of the outsourced processes and products and services externally obtained. To ensure their consistency and levels of acceptance, it would need to take measures as required by clauses 8.4.1, 8.4.2, and 8.4.3 of the ISO 9001 in enforcing monitoring and measuring to protect its customer and clients.

This assurance that an organization can not and will not outsource those activities which by its decision will not result in failure to achieve conformity of products and services. Clause 4.3 of ISO9001 in determining the scope of the quality management system clearly requires that conformity to the ISO 9001 can only be claimed if the requirements determined as not being applicable do not have an adverse impact on the promises made by the organization. The products it provides, based on externally obtained subproducts or services must not affect customer satisfaction.

In terms of auditing, it is incumbent upon auditors that they carefully seek conformity to this requirement when auditing. Internal audits to ISO 9001 must provide the objective inputs to top management to make better decisions and appreciate the risks of outsourcing to nonperforming and or underperforming outside organizations, remembering they remain accountable and answerable for the final product or service. Ensuring the organization’s accountability for the conforming products and services whether outsourced or not is the responsibility of the organization.

QMII’s ISO 9001 EG (Exemplar Global) certified lead auditor training designed carefully to meet the objectives as envisaged in the standard.

The role of internal audits in MDSAP audits

As MDSAP deadlines draw near companies are asking how to prepare for the MDSAP audit. The most basic step for the success of any management system is to say what you do and do what you say. When the system as documented is captured to reflect the “As-Is” of how it is done then implanting the system leads to conformity at all levels.
Auditing Organizations (AOs) that will come to assess the conformity of the system will be using a process-based approach to the audit as also prescribed by ISO 13485 and ISO 19011. As such internal audit teams too should be trained to conduct process-based audits. This will ensure that the organization will be ready and familiar with the way the AO audit will be conducted. Process-based audits also allow a better look at how the system is working to meet objectives. In the aerospace industry PEAR diagrams are used to identify the inputs, resources and controls for each process to better understand the interrelation of them within the process, whether they are sufficient and how they interact with other processes.
In the process audits for MDSAP the AO will first start with an audit of the leadership (top management) to appreciate their commitment to the system as also their awareness of the risks impacting their system and the actions, they are taking to address them. At each level the auditors will be seeking evidence of competence, documentation and data control and monitoring and measurement being done.
Internal audit teams should use a grading system familiar to those used by MDSAP auditors and as prescribed by HTF/SG3/N19:2012. The grading system follows a scale of 1 to 5 with 5 being the most severe. This will enable a realistic look at the state of the system. Auditors will also focus on the design and development and production controls from a risk perspective. They will assess how well the outsourced providers are controlled and what risks were determined in assessing the type and extent of control to be applied.
As with all systems auditors will want to assess that a system exists to identify and deal with non-conformities including implementation of corrective action within the defined time frame. Internal audit personnel can gain a better understanding of MDSAP audits and how to prepare by enrolling in QMII’s suite of course offerings tailored to various levels of the organization. Keep in mind that MDSAP audits are longer in duration as the audit time is based on tasks and not the number of employees.

Effectiveness of the ISM Code

The ISM (International Safety Management) Code, in itself, is not a magic wand, that will bring safety or prevent pollution. It depends on the organization on how it implements the Code. Safe operation of ships and the prevention of pollution should have been any organization’s objective. Yet all over the world owners to save money compromise these objectives. Did not the Titanic on April 15, 1912, sink, trying to create a record of crossing the Atlantic, by going North to cut distance, run into the iceberg?

The sinking of the Titanic, with a loss of nearly 1500 passengers and the crew was an eye-opener. It led to the SOLAS (Safety of Life at Sea) convention. Did the negligence and continued operation of ships compromising safety stop with SOLAS? Sadly not. The investigation by Justice Sheen into the sinking of the Herald of Free Enterprise, on March 6, 1987, looked at why SOLAS had not helped prevent the tragedy. It brought out the necessity for a process-based management system, and the SOLAS Chapter IX was updated to authorize the ISM Code. It provides the guidelines for the implementation of a system to ensure the safety of vessels at sea.

The Flag State Administrations whose flag the ships sail under, legitimize the use of the code making it mandatory for internationally trading vessels. If any company is bent upon not implementing it in the spirit of it, then of course the objectives of the code as also the functional requirements will not be met. Owners and Operators of the vessels often look to short term gains wherein they compromise the standards and bypass the rules. They have to understand that behind every casualty at sea are many detentions and behind them indicators like Major NCs (non-conformities) and near misses.

The Flag States who do not strictly inspect and audit vessels to the ISM Code and issue SMC (safety management certificates), are actually, to retain the business of ship owners, jeopardizing the same ships! Even some responsible Flag States, due to shortage of manpower outsource their duties to ROs (recognized organizations), often represented by class societies. This results in diluted control, as an outsourced process needs strict monitoring of the process to ensure the performance is not affected. Not managing an outsourced process is as good as not taking responsibility. Authority can be delegated, bot the responsibility.

NCs (non-conformities) drive correction and CA (corrective action), and as such should be welcome as inputs to ensure continual improvement of the system based on the ISM Code. Yet, there are every day common examples of Masters of ships negotiating to somehow get the auditors to not give NCs. This is because the management ashore is not mature to realize, that keeping the master’s pressurized and performance being judged by NCs reported is creating an environment of fear and hiding of NCs. A good SMS (safety management system) based on the ISM Code, if correctly implemented should welcome NCs. The DP (designated person) should know that the “only bad NC, is the one which the organization does not know about.”

For domestic vessels, and for that matter towing and small vessels, and perhaps in due course of time for domestic passenger vessels, one would think a new standard would be required? Sub Chapter M for the towing industry in the USA, is nothing else but the ISM Code domesticated. The ISM Code is a useful well thought of document which provides strong fundamentals based on hundreds of years of sea experience, loss of life, cargoes, ships, and fortunes. The process-based management system it propagates would systematize operations. However, for an effective management system, the implementers have to be motivated and committed. The Flag States have to be strict and vigilant in their issue of certificates. When they outsource the certification to Ros, they must not wash their hands of their responsibility. The strict monitoring of the ROs by ensuring good clear concise MOUs (memorandums of understanding) with clear provisions to audit the ROs must be put in place. The owners and operators through their organization should put in place a robust internal auditing program that gives the objective inputs on the implementation of the ISM Code.

– by Dr. IJ Arora

Eight steps for a successful internal audit program

Internal audit programs play an important role in ensuring the success of the system. ISO standards such as ISO 9001, ISO 14001,  ISO 45001 provide the framework for management systems to function using a process-based approach, to achieve customer and other stakeholder’s requirements. Organizations certified to ISO standards, strive to be compliant, efficient and remain certified. Successful systems have Top Management (TM) / Leadership that are committed to and engaged with the system. They ensure regular internal audits and conduct management reviews (MR) to assess the continuing suitability, adequacy and effectiveness of the system. They further ensure that their decision-making process uses the inputs from the MR to ensure objective resourcing and support for efficiency.

External third-party audits too add value to this system, provided the auditors remain objective throughout the audit. Over the years QMII has come across instances where Non-Conformities (NC) were issued without the requirement being clearly stated or the evidence did not substantiate the requirement not met. However, these NCs are rarely challenged by organizations for “fear” of upsetting the auditors. Changes are further implemented to the system as a part of corrective action based on these findings. At times when the management is disconnected from the working system they often are surprised by the NCs presented at the closing meeting.

Is there, as a result, a case for preparing the organization for both internal audits and external audits? In well-functioning systems the organization should never have to prepare for an internal audit. The systems are designed to drive success and not for auditors or to get through audits without any NCs. NCs are, after all, an opportunity for continual improvement of the system and should be embraced, provided they are objective and not subjective to an auditor’s experience or opinion. An organization can and must respect a good NC and use it to drive correction and corrective action (CA). After all CA is NC driven. The organization/ auditee should be happy to receive a NC for risk(s) not appreciated.

I do however think that there are steps organization can take to build employee confidence in the  system, including the confidence to challenge the auditor when a NC is not clear or incorrectly given. Here are eight steps an organization can do to have its employees get that confidence for internal audit and subsequently for external audits:

  1. Conduct orientation on the process-based management system (PBMS) approach in general, and introduction to the highlights of the specific standard (e.g. ISO 9001:2015). This ensures that the basics of system approach and the internal management system are clear to all personnel.
  2. All TM must do a short training to be aware of the ISO standard, the main clauses and the benefits of the management system. This awareness leaders workshop (ALW) brings the confidence in the system, its implementation and continual improvement. This leadership awareness further encourages engagement of all personnel to use the system and increases buy-in.
  3. On regular basis, in day to day work and meetings refer to the management system. Ensure Quality, environment, safety, security, social responsibility, compliance are topics of discussion at periodic intervals. Even the middle and lower management e.g. supervisors should be encouraged to use the  system and engage others to do so. Management may have to support others in their roles of leadership at relevant levels.
  4. More than just following processes, all personnel must feel free and confident to challenge the process, make suggestions, raise NCs and submit innovative ideas. A participatory approach to system implementation is very cost effective. Let employees voice their concerns. Once they confident of their process and their system (with the fundamentals of the ISO Standard/other requirements built-in) the fear of audits will reduce.
  5. Put in place an aggressive internal audit program. When an outside (third party) auditor raises a NC, the organization does RCA (Root Cause Analysis) of the NC, but rarely does it challenge its Internal system and ask how the internal audit program missed the NC raised by the third party? Internal audits must be objective and strict and must raise all NCs.
  6. NCs must be tracked diligently and addressed within the time frame the organization has set for itself. TMs must stay involved by asking on the progress to the CA process. Overdue NCs must be investigated and TM must ask during the MR why the concerned department did not address it in time. Encourage PSW (Problem Solving Workshops) so teams can look at complex, inter-departmental NCs. Encourage use of tools as Causal Analysis and FMEA (Failure Mode Effect and Analysis).
  7. Creating a lesson learned data base has many advantages. It acts as a historic record for new joiners to learn of past occurrences. Additionally, it has great participatory value connecting each future task as a driver of improvement based on the past. The collective intelligence of the organization is available to the organization and does not vanish when individuals leave the organization.
  8. Some additional points for ISO 9001/ ISO 45001/AS9100 audit preparation:
  • Answer audit questions to the point. Do not volunteer information not sought.
  • Do not be reluctant to ask for your manager/ supervisor to support you if you are not clear on the question.
  • Have the confidence in your professionalism to ask the auditor for the requirement based on which the auditor is planning to raise a NC.
  • Be aware of risks associated with their process and actions taken to address them.
  • Explain the risks in the context of the organization and the context of what the employee does to them.

ISO 9001 certification decline – Does quality still matter?

ISO 9001 certification have seen a decline in the past two years per data from ISO. Some say that the standard has gotten too complicated with the introduction of organizational context, risk-based thinking and the removal of mandatory documented procedures. Even a few of QMII’s clients had considered letting their certification lapse as conformity to the new standard was perceived as too complex.

To certify or not

Let us begin by looking at the purpose of ISO 9001. ISO 9001 provides a framework for organizations looking to put in place a system that will enable them to consistently deliver products/services to customers that meet their requirements and enhance customer satisfaction. ISO 9001 certification is external validation that the system meets the requirements of ISO 9001. However, ISO 9001 allows organizations to use the standard and self-declare conformity without incurring the cost of certification. Many argue that there is no value in doing this. This is probably correct if you are implementing a system to meet a contractual or customer requirement. In these cases, certification is a requirement.

Waning trust in the system

Organizations that implement ISO 9001 for the benefits it will deliver in improved productivity, reduction in process waste and management of risks have seen the bottom line improve with time [1]. If implementing the standard enables consistent quality, why then the reluctance? Perhaps the trust in the ISO 9001 certification process has declined over time. Often have we heard from quality managers of the challenges faced when they raise non-conformities in internal audits. These are often viewed as “finger pointing” exercises since the certification body has already audited and “cleared” (certified) the system.

We have also heard from clients of certification bodies and auditors wanting to view documented evidence of organizational context, stakeholder needs and risks. The standard however does not require these to be documented and leaves it up to the organization to determine the risk of not doing so. Some auditors, however, struggle with auditing undocumented systems and auditing to the new standard [2]. As a result, organizations start documenting their system for the auditors and certification bodies resulting in a system tailored for auditors and  forced down on the organization by auditors. The auditors were to provide inputs to TM (top management) to make better decisions, instead now the auditors and audits have become the product. The system must be designed for the employees not for the auditors. The intent of the standard to act as a preventive tool gets lost in this compliance process.

Supplier audits

Over the past two decades there have been several mergers and acquisitions leading to larger multi-site organizations and perhaps as a result a reduction in certifications. As these organizations have grown, and maybe in part owing to the declining trust in the certification system, they have decided to conduct their own supplier audits. As such suppliers have chosen to let their certification lapse since they are nevertheless being audited by the customer and that is the audit that really counts for them.

Supplier audits are more focused on the customer contractual requirements. Organizations who perceive ISO 9001 as a documentation burden will then only document the parts of the system to meet contractual requirements rather than document the system to meet the organization’s requirements based on ISO 9001. They fail to see that ISO 9001 leaves the extent of system documentation up to the organization and often perceive it as everything needs to be documented.

Conclusion

While quality does matter and customers are still looking to receive a quality product, oft incorrect interpretation of the standard leads many to choose against ISO 9001 certification. At times other certification requirements like CE marking may be more desired and certification to two standards be burdensome. Also methodologies like Six Sigma and Lean have gained prominence. So, ISO 9001 certification gets the boot.

Those looking to gain the benefits of a quality management system need not re-invent the wheel. ISO 9001 provides the framework that essentially reflects business 101. If you do not need ISO 9001 certification then you can self-declare and let the doubters come and assess for themselves. In the meantime, you will still gain from a well implemented management system. Remember, you already have a system that has brought you thus far, align ISO 9001 to your system and not your system to ISO 9001.

[1] Guasch, Luis J.; Racine, Jean-Louis; Sanchez, Isabel; Diop, Makhtar. 2007. Quality systems and standards for a competitive edge (English)

[2]Quality Progress October 2017, Article: The results are in…

What is ISO 14001 Lifecycle Perspective?

ISO 14001 Lead Auditor training introduces students to the ISO 14001 standard and its interpretation as well as the skills needed to assess the effectiveness of the environmental management system. ISO 14001 in its 2015 revision introduces the lifecycle perspective. In essence, the standard asks organizations to use a lifecycle perspective when designing/manufacturing their products/services. This means that instead of a cradle to grave concept organizations need to think of a cradle to cradle concept.

Cradle to Grave

ISO 9001 ‘Requirements for Quality Management Systems’ ushered in a new era of process-based management systems that could be used to improve the quality of products/services being delivered to customers as well as when well implemented to increase efficiency and productivity. However, as productivity, efficiency and quality were being improved; the by-products of the system were not addressed. During the 1980s there were some regional efforts to address the impact of organizations on the environment and ISO 14001 was ISO’s effort to lay down the requirements for a management system that addressed the aspects and their associated impacts. Organizations were expected to take action on these impacts to reduce them. Auditors undergoing ISO 14001 Lead Auditor training were now ready to assess the effectiveness of these systems.

In its initial publication and subsequent revision in 2004 ISO 14001 asks organizations to take a ‘cradle to grave’ approach to managing their impacts on the environment. This meant reducing the immediate impact on the environment. However, with time we learned that this does not address the growing landfill issues being faced by countries globally. To address this issue as well as to align with international efforts to address climate change, rapid depletion of the planet resources and encourage sustainable operations the ISO 14001 standard introduced the concept of ‘cradle to cradle’ in its 2015 revision.

Cradle to Cradle

ISO 14001 defined lifecycle as “consecutive and interlinked stages of a product (or service) system, from the raw material acquisition or generation from natural resources to final disposal.” Life cycle stages can include the acquisition of raw materials, design, production, transportation/delivery, use, end-of-life treatment, and final disposal. A great example of a lifecycle perspective in manufacturing is the recycling of Lead-Acid Car Batteries. Nearly 99% of these batteries are recycled/reused. Major battery manufacturers have programs in place to encourage the recycling of car batteries.

While ISO 14001 does not call for a formal life cycle assessment ISO 14044 provides the guidelines for a life cycle assessment should an organization wish to do so. In determining the end of life disposal organizations may choose products that are recyclable, sustainable and even perhaps biodegradable. ISO 14001 lead auditor training provided by QMII, highlights the concepts of a lifecycle perspective and how to incorporate it into your environmental management system.

Conclusion

ISO 14001 Lead Auditor training enables participants to go back and implement environmental management systems that will benefit their organization, the environment, and stakeholders. It also enables participants to conduct value-adding audits of their systems. The intent of the audit is to identify opportunities for improvement. With the skills, ISO 14001 Lead Auditor training by QMII and the knowledge of a life cycle perspective participants are ready to hit the ground running in implementing and auditing environmental management systems.

 

Obtaining Top Management Commitment

Who cares about the system? 

Management systems need top management commitment to work well, and yet many systems lack the necessary commitmentYou may recognize some symptomsPolicy – ignoredObjectives  are barely alive. Corrective actions remain open. Managers seem not to appreciate the value of the requirementsEmployees are unsure about the system’s requirementsProactive identification and addressing of risks/opportunities is rareRoot causes of failure remain in the system. Consequently, the system is not improved. Employees are unaware of what the system should do for themManagement reviews are embarrassingLeaders either do not show or do not contribute. Top Management Commitment is lacking. Audits may temporarily energize the playersManagement representatives ask, Am I the only person who really cares?” 

Who trained the leaders? 

Many leaders do not explain their management systemsThey may know the importance of certification, but they rarely explain why their system is vital for survival and growthWhy is this? Examine your internal audit program; is it driven by top management’s objectives?  Audit your training recordsDo they show that leaders are competent and confident to show their top management commitment? Who trained the leaders in their organizational management systemCompetent leaders take responsibility for their systemThey explain how their system works and why its requirements are so important to themUnaware leaders blame employees for mistakes caused by their system. 

Your system, is it perceived as worthy? 

Even if your system is certified, do not expect leaders to support it Every organization is a systemDoes the documented part of this system describe how it converts stakeholder needs into cash (or continued funding)?  Is this the management system that was certified or was it some new ISO system built on templates?  

Is your system irresistible to the leaders?  If notshow how your system converts needs into cash so top managers would not want to lead without itTry our methodology to appreciate how others have developed systems and gained top management commitment beyond certification. Everyone should fulfill their objectives and earn their bonuses by using and improving  the system.  

Awareness Leaders Workshop 

Engage us to design and facilitate your one-day Awareness Leaders Workshop™Select attendees who are leaders by job title and those who are leaders by personalityInclude the skeptics! 

We listen to your objectives and design your workshop to fulfill your required outcomesThis may need  system analysis to result in a diagram that explains how the system converts needs into cash. This  workshop is facilitated by our senior management system consultant and auditor, who for over 20 years  has helped many willing and reluctant managers to understand and commit to their systems. 

Prepare for action 

Remove the root causes of what ails many management systemsYou want your top management commitment  to the requirements of their management systemClear the backlog of stale CARs  and pending actions on identified risks to prepare for the surge of improvements flowing from the renewed leadership of your system 

When you are ready, please email IJ Arora or call 888.357.9001 with your requirements.