ISO 13485: QMS Requirements of Medical Devices for Regulatory Purposes

by Dr. IJ Arora

ISO 13485:2016 is a standard that addresses quality management system requirements for those within the medical device industry. It is based on the systems-based approach found in ISO 9001:2015, but because it emphasizes requirements for regulatory purposes, it does not align with ISO’s harmonized structure (HS). In many ways, ISO 13485 does align with the HS, particularly in the structure and foundational principles of quality management.

The introduction of ISO 13485 explicitly states that the standard is aligned with ISO 9001, and this connection is important for understanding how the two standards relate to each other. I am a bit surprised as to why ISO 13485 isn’t fully harmonized with the HS as defined in Annex SL, which is the specific document within ISO standards that outlines the HS. I believe that if this standard were aligned to the HS, it would make implementation much less laborious for all involved.

The ISO 9001 foundation

The 2015 version of ISO 9001, which is presently under revision, provides a good basis for all standards. As mentioned, ISO 13485 has its roots in ISO 9001, which is why the key QMS principles (e.g., customer focus, leadership, process approach, continual improvement, and evidence-based decision making) central to ISO 9001 are also embedded in ISO 13485.

ISO 13485 includes several core concepts and clauses from ISO 9001. Clause 4 on quality management systems (e.g., structure, documentation requirements, and the scope of the QMS); cause 5 on management responsibility (e.g., top management involvement, resource allocation, and internal audits); and clause 8 relating to measurement, analysis, and improvement (e.g., monitoring, corrective actions, and continual improvement), are just some of these examples.

As I study, teach, consult, and audit using ISO 13485, I wonder why the standard Is not fully harmonized with similar standards as laid out in Annex SL. In consulting, I feel the pain of organizations that must meet regulatory requirements and so tend to overlook the process-based management system (PBMS) approach as the fundamental to the plan-do-check-act (PDCA) cycle. This regulatory focus is one reason why, although ISO 13485 shares many similarities with ISO 9001, it is not fully aligned with the HS. ISO 13485 places a strong emphasis on compliance with regulatory requirements specific to the medical device industry. The standard’s clauses addressing design and development, post-market surveillance, risk management, and traceability requirements are all far more extensive than those found in ISO 9001. Annex SL focuses more on general management practices and less on industry-specific regulatory controls. The detail and specificity required for medical device safety and compliance often necessitates a structure that goes beyond the framework of the HS.

Overcoming differences

Different scopes and audiences are also a consideration in that, while ISO 9001 is a general quality management standard applicable across industries, ISO 13485 is designed specifically for organizations that manufacture medical devices. These organizations must meet stringent regulatory requirements that go beyond what ISO 9001 addresses. Because of this, ISO 13485 requires more detailed processes related to product lifecycle management, post-market activities, risk management, and regulatory controls, which aren’t adequately covered under the more generalized HS. ISO 13485 includes a much stronger emphasis on managing the product’s entire lifecycle, from design and development to post-market activities (e.g., complaint handling and vigilance). Although ISO 9001 mentions product realization, ISO 13485 goes into much greater depth, including extensive requirements for design control and risk management. These elements reflect the higher level of scrutiny needed in the medical device industry, where safety and compliance are paramount.

With that said, I believe that these differences don’t prevent ISO 13485 from being organized according to the HS format. The standard would not only help medical device manufacturers’ management systems conform with specific regulatory requirements but also meet the obligations for continual improvement. After all, registered organizations in the aerospace and automobile industries already do just that via sector-specific management system standards that are harmonized with ISO 9001.

The structural differences in the clauses found in ISO 13485 and the standards adopting the HS are not too far apart. Although ISO 13485 is aligned with ISO 9001, it diverges when it comes to specifics that are unique to the medical device sector and regulatory requirements.

ISO 13485’s clause 7, “Product Realization” includes additional elements, such as design controls and regulatory compliance requirements, that are critical in the medical device industry. Post-market surveillance and complaint handling are central to ISO 13485, but the HS doesn’t go to the level of detail necessary for medical device manufacturers.

ISO 13485 emphasizes the need for continuous monitoring of device performance, even after they are on the market, ensuring any issues are identified and addressed in a timely manner. I believe ISO 9001’s subclause 9.1.2, “Customer Feedback,” can be updated to incorporate this requirement.

Risk management is a vital consideration. ISO 13485 integrates risk management into the standard in a way that is far more structured and pervasive than what is found in ISO 9001. ISO 13485 has a more detailed approach to identifying, assessing, and mitigating risks throughout the lifecycle of medical devices. However, these added requirements could be added to subclause 6.1.1 (““Actions to Address Risks and Opportunities”) or subclause 8.1.1 (“Operation Planning and Control”) found in the HS.

ISO 13485 includes specific requirements for design and development processes, which are critical in medical devices due to their complexity and potential risk to patient safety. The HS doesn’t provide this level of detail for other types of products or industries.

Identifying similarities

Notwithstanding the differences between ISO 13485 and the standards that align with the HS, there are also some key similarities. As with ISO 9001, ISO 13485 is built around seven quality management principles: customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making, and relationship management. Continual Improvement of the quality management system is part of both standards, emphasizing the need for a strong focus on monitoring, auditing, corrective actions, and reviews. Document control is another similarity. Both ISO 13485 and ISO 9001 stress the importance of clear and accurate documentation to ensure that quality management processes are defined, monitored, and maintained effectively.

In keeping itself separate from the HS, ISO 13485’s clause structure, despite being based on ISO 9001, serves to meet the unique needs of the medical device industry. The decision not to fully harmonize the standard with the structure seen in Annex SL likely stems from the need to ensure a tailored regulatory focus. ISO 13485 is aligned with a variety of regulatory frameworks across different countries and regions (e.g., FDA, EU MDR, TGA, etc.). These regulations require specific processes that go beyond the generic, high-level harmonized framework provided by Annex SL to facilitate combined/ integrated management systems. The structure of ISO 13485 allows for a more detailed, industry-specific approach to product safety, efficacy, risk management, and compliance. Product lifecycle control is an essential part of the medical device industry, and it has a complex lifecycle that includes design controls, manufacturing processes, and post-market activities that require more attention than the HS would provide.

Looking at a few additional clauses reveals that ISO 13485 follows a specific structure that allows it to emphasize the unique aspects of medical device quality management while maintaining consistency with other ISO standards.

For example, Clause 1, “Scope,” is relatively straightforward and outlines the scope of the standard, which is specific to organizations that design, manufacture, and maintain medical devices. The clause also highlights exclusions (for example, aspects not applicable to the organization), which is quite typical in a quality management standard.

Clause 2, “Normative References,” lists the documents referenced within ISO 13485, which is typical for any ISO management system standard. The important point here is that ISO 13485 requires compliance with relevant regulations and standards, particularly those in the medical device sector.

Clause 3, “Terms and Definitions,” is crucial because the terminology in the medical device industry can be very specifically. Definitions clarify terms that might have different meanings in other industries (e.g., what qualifies as a “medical device,” “design verification,” or “post-market surveillance”). This ensures uniformity and understanding across the industry.

Clause 4, “Quality Management System (QMS),” describes the basic requirements for establishing and maintaining a QMS, which is a fundamental aspect of ISO 13485. This clause outlines the need for a quality policy, the establishment of objectives, and the requirement to continually improve the QMS. These are common in all ISO standards but are tailored here to fit the needs of the medical device industry.

Clause 5, “Management Responsibility,” covers executive involvement as a key theme. In ISO 13485, it emphasizes top management’s responsibility for ensuring that quality objectives are met. This clause also requires that management provide resources for quality activities and review the performance of the QMS regularly, ensuring alignment with regulatory requirements and customer needs.

Clause 6, “Resource Management,” could have been aligned to clause 7, “Support,” found in the HS. This clause in ISO 13485 requires the organization to manage resources effectively, which includes personnel training and competence (a critical area in the medical device industry). This ensures that employees have the skills needed to produce safe and effective devices. It also covers infrastructure and the control of the work environment, ensuring that conditions are suitable for maintaining product quality.

Clause 7, “Product Realization,” diverges further from the HS. Product realization in the medical device sector involves the entire lifecycle of the device—from planning, design, development, and manufacturing to service and post-market activities. This clause is extensive and includes requirements for design controls, risk management, validation, and traceability, all of which are critical in the medical device industry. The detailed focus on design and development, verification and validation, and product monitoring ensures that all aspects of a medical device’s journey, from conception to post-market surveillance, are covered.

Clause 8, “Measurement, Analysis, and Improvement,” requires organizations to evaluate the effectiveness of their QMS through regular monitoring, measurement, and audits. It also focuses on corrective and preventive actions (CAPA) to improve quality. Preventive action in the HS has not been thrown out like the proverbial baby with the bath water. It has instead been replaced by requirement to appreciate risk. For medical devices, complaints and nonconformance reporting are key to ensuring ongoing safety and compliance. ISO 13485 could also have gone from preventive action to risk.

Post-market surveillance and vigilance is a requirement of the medical device standard. Unlike many other ISO standards, ISO 13485 places significant emphasis on post-market surveillance, which is the process of monitoring the performance of medical devices once they are in use. This is a major distinguishing factor from other ISO standards. Manufacturers are required to establish processes for post-market feedback, complaint handling, and field safety corrective actions (FSCA), which are essential for identifying and managing risks after the product is on the market.

In conclusion, I would opine and agree that although ISO 13485 is indeed based on ISO 9001, it diverges from the HS identified in Annex SL because the unique needs of the medical device industry—such as regulatory compliance, product lifecycle management, and patient safety—require a more detailed and specialized approach than the HS can provide. The clause structure of ISO 13485 reflects these specific requirements, making it a robust and industry-specific standard that ensures the safety and quality of medical devices while maintaining alignment with the foundational principles of quality management in ISO 9001.

This balance of maintaining core quality principles while addressing the needs of the medical device industry is why ISO 13485 has not fully adopted the HS but instead continues to incorporate elements of ISO 9001 alongside medical-device-specific regulatory needs. That it could still at the least attempt to align the primary clauses as risk to the HS would help all parties involved.

Note – The above article was recently featured in Exemplar Global’s publication called “The Auditor”. Click here to read it.

Are Provider Audits Mandated through ISO 9001?

by- Dr. IJ Arora

In relation to outsourced processes, the query (to paraphrase William Shakespeare) is, “To audit or to not audit?”

Take, as an example, the necessities from the principle process-based control machine usual, ISO 9001:2015. One would possibly imagine the machine way as equipped in clauses 4.4.1a thru 4.4.1h and conclude that tracking and regulate are had to recognize the dangers of the inputs and make sure persistent growth. The usual is supposed to be interpreted, and so not anything prescriptive is predicted. But, the query stays as to how organizations would possibly regulate the processes and ensure they’re assembly goals. Clause 5.2, “Coverage,” resulting in clause 6.2, “Goals,” supplies a touch that proof will have to be amassed of measurable goals being met. But, how can we get the inputs to attract a conclusion? The inputs are essential, and due to this fact there’s a want to decide the to be had accumulate and regulate knowledge.

In all probability the solution may also be discovered within the auditing serve as. By means of enforcing a strong provider analysis activity, together with audits as wanted, organizations can beef up the standard control machine and construct sturdy, dependable relationships with providers. Notice that requirements similar to ISO 9001:2015 don’t particularly mandate audits, but the intent of registration to a typical is to regulate the group’s processes. if now not auditing, then what different mechanisms can organizations use to regulate an outsourced activity and decrease dangers to their finish consumers?

Exerting regulate

Clause 8.4.2 of ISO 9001:2015 offers with the sort and extent of controls that a company should practice to externally equipped processes, merchandise, and products and services. The important thing sides on this dialogue come with making sure conformity, the kinds of controls wanted, and the level of those controls. Conformity has at its core the main to make sure that those exterior provisions don’t negatively have an effect on the group’s skill to constantly ship conforming services to its consumers. This implies the group should have mechanisms in position to make sure that the standard of the exterior inputs meet the group’s necessities and in the end fulfill buyer necessities.

Kinds of controls might be interpreted as acting a point of regulate, in all probability through auditing, even supposing auditing isn’t a selected requirement. The choice and analysis of the controls can be according to organising standards for deciding on and comparing exterior suppliers (e.g., a strong high quality control machine of their very own, previous efficiency, registration, and many others.) and/or undertaking thorough checks of doable providers (e.g., audits, questionnaires, web site visits, and many others.). As well as, you will need to installed position sturdy contractual agreements with exterior providers that come with transparent and measurable necessities, explicit key efficiency signs (KPIs), and acceptance standards for the needs of tracking and size. This may come with monitoring provider efficiency towards agreed-upon KPIs, examining knowledge to spot tendencies and spaces for growth, undertaking common efficiency critiques and comments classes, acting root purpose research and corrective and preventive movements when problems are known, and appreciating dangers through being proactive and the use of preventive measures.

The level of this regulate would rely at the criticality of the externally equipped activity, product, or provider to the group’s general high quality. For top-risk pieces, extra stringent controls (e.g., extra common audits or extra rigorous inspections) could be essential as, as an example, within the aerospace trade. In essence, clause 8.4.2 emphasizes the significance of proactive measures to make sure that exterior inputs don’t compromise the group’s skill to ship high quality services to its consumers.

Auditing supplies most of these inputs if the audit is appropriately deliberate and done. For instance, with approval, this stage of regulate might be completed through far flung cameras or the presence of the group’s inspectors on the provider’s amenities. The purpose is to care for the client focal point (clause 5.1.2) and include a risk-based way. The level of regulate will have to be proportionate to the related dangers. Power growth includes that the group will have to often evaluation and reinforce its processes for exterior controls.

Subsequently, even if clause 8.4 (particularly subclauses 8.4.1, 8.4.2, and eight.4.3) does now not explicitly mandate provider audits, it strongly implies their significance. Subsequently, a robust focal point on regulate should be interpreted. Clause 8.4 emphasizes the want to regulate externally equipped processes, merchandise, and products and services. Auditing is a a very powerful instrument for comparing a provider’s skill to fulfill high quality necessities and care for regulate over their processes.

Mitigating menace

To verify ok menace control, one should imagine if the provider’s efficiency at once impacts the group’s skill to ship high quality merchandise or products and services. Audits assist establish and mitigate doable dangers related to the use of exterior suppliers. Power growth is the most important consequence of auditing and offers precious comments on provider efficiency. This allows the group to spot spaces for growth of their processes and their practices round provider variety and provider control. Subsequently, even if now not strictly mandated, provider audits are extremely really useful for organizations in the hunt for to successfully put into effect ISO 9001 and make sure the standard in their services. The important thing issues can be:

  • Chance-based way. Auditing efforts will have to be desirous about providers that pose the easiest menace to the group’s high quality goals.
  • Number of analysis strategies. Audits are only one manner of provider analysis. Different strategies come with efficiency tracking, comments research, and web site visits.
  • Documentation. Care for transparent documentation of all provider analysis actions, together with audit findings, corrective movements, and growth plans.

When taking into consideration the outsourcing of a activity, the group should assess and decide the factors through which providers are decided on. Via systematic analysis, a company can put into effect a rigorous provider variety activity that comes with:

  • Detailed questionnaires to collect knowledge at the provider’s high quality control machine, processes, and features
  • Reference exams made through contacting earlier consumers to evaluate the provider’s efficiency and reliability
  • On-site visits to watch the provider’s operations and assess their amenities, apparatus, and body of workers
  • A risk-based way matrix to prioritize providers according to the possible impact at the group’s high quality goals

In making plans bids, growing contractual agreements, or different processes involving outsourcing, the next will have to be regarded as:

  • Transparent specs. Outline transparent and measurable necessities for the outsourced services or products.
  • Efficiency metrics. Determine KPIs to trace provider efficiency, similar to on-time supply, defect charges, and buyer delight.
  • Contractual consequences. Come with clauses for non-compliance with contractual tasks, similar to past due deliveries or subpar high quality.

The procedures for tracking and measuring outsourced processes should be nicely idea out and will have to be carried out when tendering a freelance. Consider, including necessities due to this fact is continuously tricky. Imagine the next:

  • Common efficiency evaluation. Behavior common efficiency critiques with providers to trace their efficiency towards agreed-upon KPIs.
  • Knowledge research. Analyze knowledge on provider efficiency, similar to defect charges, supply instances, and buyer proceedings to spot tendencies and spaces for growth.
  • Comments mechanisms. Determine a machine for gathering and examining comments from interior and exterior consumers relating to provider efficiency.

Whether or not a company prefers to audit or use different way of controlling the outsourced activity, a well-thought-out collaboration and verbal exchange plan will have to be made, taking into consideration:

  • Open verbal exchange channels. Care for open and common verbal exchange channels with providers to deal with issues, percentage knowledge, and collaborate on growth tasks.
  • Joint drawback fixing. Paintings collaboratively with providers to spot and unravel problems associated with high quality, supply, or different efficiency issues.

Power growth is integral to any excellent control machine. As a abstract I’d recommend the next:

  • Common critiques and updates. Often evaluation and replace your provider control processes to verify they continue to be efficient and aligned with converting industry wishes.
  • Provider construction. Enforce methods to assist providers reinforce their high quality control programs and function.

By means of enforcing a mixture of those mechanisms, organizations can successfully regulate outsourced processes, decrease dangers, and make sure that they obtain fine quality services from their providers.

Clause 9.2.1 of ISO 9001 does certainly recommend that auditing outsourced processes is excellent follow. This clause states that organizations will have to habits interior audits to guage the effectiveness of the standard control machine. The scope of interior audits generally comprises all related processes and actions inside the group. How this pertains to outsourced processes is the place the requirement turns into open to interpretation. Despite the fact that it does now not explicitly state “provider audits,” the clause means that comparing the effectiveness of processes which might be outsourced is a part of assessing the total effectiveness of the QMS. If the outsourced processes considerably have an effect on the group’s skill to fulfill buyer necessities, then the ones processes will have to be integrated within the scope of interior audits.

Dr. IJ Arora’s article was published in the Exemplar Global Publication “The Auditor”. Click here to read the featured article.

The Baltimore Bridge Collapse : Another Case of a Failed Management System ISO 55001:2024

By – Dr. IJ Arora

Can good management systems make organizations immune to disasters? The Baltimore bridge or simply the Bay Bridge or more precisely the Francis Scott Key Bridge that collapsed in 2023 because of the allision with the container vessel MV Dali is a tragedy, perhaps caused by the failure of several management systems, the ship, the port, the state and whoever else was involved.   

The National Transportation Safety Board (NTSB) investigation is ongoing, and will no doubt look at the part played by the MV Dali, its crew and operator. However, my thought is the MV Dali or other ships plying the waters by simple statistical probability were considered as a risk by the authorities. I mean there is the water channel, ships sailing in and out, and a bridge, there was likely to be an allision someday. Perhaps not a matter of if but when! Thus should the bridge have been safer and better designed, based on known and appreciated risks? After all, not all accidents can be completely avoided. However, each tragedy has lessons learnt as responsive action. The lessons become the data that drive risk identification and trends and, thus making the system proactive.  I am sure  the NTSB is considering all this. In the meantime, without going into the ongoing investigation, are there some basics which are common indications of failures of the system. Be it the Titan submersible, or the Boeing management system,  as an SME in  process-based process-based management systems I see a common cause; the failure of the system to  deliver conforming products and services. 

In this short article I want to discuss this bridge collapse in the context of the management system, considering ISO 9001:2015 generically and ISO 55001:2024 Asset Management System requirements specifically. Could simply designing a good system based on the standard have enabled the organization to better assess the associated risks? Perhaps they were assessed and justified as a low probability of occurrence. If that were the case, the discussion would be on prioritization of risks. ISO 55001 was first published in 2014. It was developed as a standalone standard for asset management, building upon the principles of ISO 9001 (quality management) and other relevant standards. 

I am aware that as of September 2024, the investigation into the Baltimore bridge collapse is still ongoing.  Therefore, while the exact cause of the collapse remains under investigation, we can consider several factors that could have contributed to the incident. MV Dali, experienced a series of electrical blackouts before the allision.  The vessel SMS (safety management system based on the ISM Code) implementation could be a factor. Bridge stability, its age and condition are I am sure are being investigated as a potential contributing factor. Then there is always human element.  There may have been errors on the part of the ship’s crew or bridge operators. Was the system designed to support them in such a scenario? What factors may have caused operators at all levels to perhaps not follow requirements, to justify the risks. The NTSB’s investigation will highlight a detailed analysis of the ship’s navigation systems, the bridge’s structural integrity, and the actions of the individuals involved in the reasons for this tragedy. Their final report will provide a comprehensive understanding of the incident and may include recommendations to prevent similar occurrences in the future. 

However, even at this stage we can agree that bridges in general are national assets. They are valuable infrastructure that provides essential services to communities. While it is not publicly known whether the State of Maryland specifically implemented ISO 55001 for its bridges, the principles and practices outlined in this standard could have been beneficial in managing the risks associated with the Baltimore bridge. The implementation of this standard and or even if the generic standard ISO 9001 were implemented the authorities could have performed: 

  • Risk Assessments: ISO 55001 requires organizations to conduct regular risk assessments to identify potential threats and vulnerabilities. A thorough assessment of the bridge’s condition, age, and traffic load could have helped identify potential risks and inform maintenance and repair decisions, as also change in procedures, protection of navigation channels and so on. 
  • Life Cycle Management: The standard emphasizes the importance of managing assets throughout their entire lifecycle, from planning and acquisition to maintenance and disposal. By following ISO 55001, the state could have developed a comprehensive plan for the bridge’s maintenance, upgrades, and eventual replacement. 
  • Performance Measurements: ISO 55001 requires organizations to establish measurable Objectives or Key Performance Indicators (KPIs) to measure the effectiveness of their asset management activities. This could have helped the state monitor the bridge’s condition and identify any signs of deterioration. 
  • Continual Improvement: The standard promotes a culture of continual improvement, encouraging organizations to learn from past experiences and make necessary adjustments to their asset management practices. 

I agree, it is impossible to say definitively whether ISO 55001 would have prevented the Baltimore bridge collapse. However, the principles and practices outlined in the standard could have helped to reduce the risk of such incidents. By adopting a systematic and proactive approach to asset management, organizations can improve the reliability and safety of their infrastructure. A systematic study must go beyond what the MV Dali contributed to the Baltimore bridge collapse, it is also important to consider the broader context and the potential contributions of other factors: 

  • Bridge Design and Maintenance: The age and condition of the bridge are likely to be factors in the investigation. Older infrastructure may be more susceptible to damage or failure, especially if it has not been adequately maintained or upgraded. 
  • Vessel Traffic: The frequency and intensity of vessel traffic in the area can also influence the risk of collisions. The bridge is in a busy shipping channel; therefore, the likelihood of incidents was higher. 
  • Safety Measures: The presence or absence of safety measures, such as buoys, warning systems, or restricted areas, can also impact the risk of collisions/allisions. This needs to be studied and are factors the authorities would know. 
  • Human Element and Factors: Errors on the part of both the ship’s crew and bridge operators can contribute to accidents. Factors such as fatigue, inexperience, or inadequate training may play a role. What led to these?  Error proofing, mistake proofing and FMEA (Failure Mode Effect & Analysis) are tools that could be part of the effective management system. 

Let us therefore consider ISO 55001 and the relevant clauses of the standard which could apply to the collapse of the Baltimore Bridge. 

Clause 4: Context of the Organization 

  • Clause 4.1: Understanding the external context, such as the age of the bridge, traffic volume, and environmental factors, is crucial for risk assessment. 
  • Clause 4.2: Identifying the needs and expectations of relevant interested parties, including the public, commuters, and regulatory bodies, is essential for effective asset management. 

Clause 6: Planning 

  • Clause 6.2.1: The bridge’s asset management plan should have included clear objectives for its maintenance, repair, and replacement. 
  • Clause 6.2.2: Specific objectives related to safety, reliability, and cost-effectiveness should have been established. 
  • Clause 6.2.3: Detailed planning for maintenance, inspections, and upgrades would have been necessary to ensure the bridge’s structural integrity. 

Clause 7: Support 

  • Clause 7.1: Adequate resources, including funding, personnel, and expertise, should have been allocated for bridge maintenance and inspection. 
  • Clause 7.2: Ensuring that personnel involved in bridge management have the necessary competence and training is essential. 
  • Clause 7.3: Raising awareness among all relevant stakeholders about the importance of bridge maintenance and safety is crucial. 

Clause 8: Operation and Maintenance 

  • Clause 8.1: Regular inspections and monitoring of the bridge’s condition would have helped identify potential problems early on. 
  • Clause 8.2: A well-defined maintenance schedule, including preventive and corrective maintenance, would have been necessary to address issues before they escalated. 

Clause 9: Performance Evaluation 

  • Clause 9.1: Establishing key performance indicators (KPIs) to measure the bridge’s performance, such as safety records, traffic flow, and maintenance costs, would have provided valuable insights. 
  • Clause 9.2: Regular monitoring and evaluation of these KPIs would have helped identify areas for improvement. 

Clause 10: Improvement 

  • Clause 10.2: The bridge’s management should have implemented a system for monitoring and measurement, including data collection and analysis. 
  • Clause 10.3: Predictive maintenance techniques could have been used to identify potential failures before they occurred. 

My objective of writing this article is to awaken this basic thought in organizations that by applying the principles of a standard, be it generic ISO 9001 or an industry specific standard or as in this case the asset management system standard ISO 55001, the organization (State of Maryland) could have strengthened its asset management practices and potentially mitigated the risks associated with the Baltimore bridge collapse. 

The above article was recently published in the Exemplar Global publication – ‘The Auditor’.

Looking Ahead at ISO 9001

ISO 9001 has proactively kept up with various industry expectations, over the years, to allow

application by a broad spectrum of industry including the defense forces. The 2015 revision was

a thoughtfully planned giant step. It defined risk (ISO 9001 Clause 6.1) in the context of the

organization (ISO 9001 Clause 4.1 & 4.2) and removed exclusions provision from certification by

redefining what an organization does not do or outsources in the scope (ISO 9001 Clause 4.3). It

also removed preventive action, a reactive concept, and introduced proactive risk appreciation

(Clause 6.1 of ISO 9001 & Clause 8.1 in industry specific standards as AS9100).

This took preventive action from the delayed “Act” stage of the PDCA (Plan-Do-Check-Act) stage

to the more logical sensible “Plan” stage. After all, “look before you leap”, as the historical

fundamental, could not be left as a preventive action decision. It had to be at the look – plan

stage! Risk also needed not just mitigation, but also acted as an input, to be used to bring in

innovation in terms of OFI (opportunity for improvement).

These were all positive steps in keeping with technical advancements and computerization and

AI (artificial intelligence) tools. The HLS (high level structure), later updated to HS (harmonized

structure), recognized the need to enable ease of implementation of integrated management

systems. This in turn leading to efficiency, ROI (return on investment) and where applicable

environmental protection, security of the global supply chain, business continuity, cyber

security and health and safety.

The differentiating of knowledge (ISO 9001 Clause 7.6) from competence (ISO 9001 Clause 7.2)

was also a clever needed change. Organizations needed to define their corporate knowledge

aspects and differentiate it from the individual knowledge of personnel. Knowledge and

competence needed merging and a healthy marriage but needed recognition that they were

different. Removal of the reference to Quality Manager (QM) and Quality Manual from the

standard, took away the narrowness of thinking in quality, and brought the clarity to leadership

to remain accountable and to differentiate authority delegation from retaining the

accountability.

I am a member of the TAG-176 group, and yet have not really contributed much to the next

expected changes to ISO 9001. I am sure the TC-176 is working on this. Nevertheless, it is time

to debate and consider updating the standard.

Since the 2015 version was a major fundamental change, I doubt there would be a significant

departure from this 2015 version in the next major update. Unlikely that the next version may

have revolutionary updates. The emphasis, I think would be to clarify and strengthen the

present thoughts in the 2015 version. I would consider the following:

1. Two Standard Concept: I have over the years thought about the two prongs:

manufacturing and service, approach. Both the service and the manufacturing industry

have been using the standard. Some may consider the need for a separate

manufacturing and a service standard as the next step. However, over the years I have

feared too much bureaucracy which the two standards approach brings. I think the two

standard approaches may actually cause more issues than to resolve them. Might I

opine that Clauses under 8.3 for D&D can, if needed, be strengthened, clarified or more

useful notes as applicable to service version incorporated to assist implementers,

consultants and auditors?

2. Risk be better defined and OFI be clarified, to avoid auditors using it as a tool to sneak in

recommendations. OFI is the outcome of considering risk as an input for innovation. It is

not a recommendation.

3. The knowledge clause needs meat to strengthen it, and to better make it inclusive to

systematizing the requirements for organizations to systematize lessons learnt.

4. An annex added to bring clarity and ease to designing and implementing a combined

management system for an organization.

5. Clause 4.3 Scope, in defining scope requires consideration of the context of the

organization, which is based on Clauses 4.1 and 4.2. However, while the scope has to be

available as documented, 4.1 and 4.2 do not require documentation. I would suggest

both clauses 4.1 & 4.2 to have context as a documented requirement.

In conclusion, I think, updating the standard ground up is not a wise idea at this stage. Perhaps

slight tweaking to include some minor changes would give stability in implementation of an

already robust standard.

How to Alleviate Common Management System Pain Points

Implementing ISO standards is not mandatory, however a management system conforming to a standard can have numerous benefits. Some benefits include increased efficiencies, proactive risk management, better interaction among departments and alignment with the needs of interested parties. However, once you are actually in the process of implementation, you may experience the following pain points: 

  1. Lack of top management commitment 
  1. Limited resources to effectively implement the program 
  1. Lack of buy-in from the workforce  
  1. Over documented systems  
  1. Lack of measurable objectives driving improvement  
  1. Teams lack adequate interaction and alignment  
  1. Company is focused on keeping certification at all costs  

Quality Management International, Inc (QMII), having over 37 years of providing sustainable solutions for our clients, recognized how these hurdles can impact an effective management system. QMII has developed and provided solutions to address and alleviate these pain points that continue to benefit our clientele. 

A management system consulting project cannot start without top management present to map the process of what they do (core process) and to identify the core objectives for the system. Policies, objectives, and motivation must be demonstrated from the top-down and evidenced by all the team players. To further reinforce commitment, we get top managers to develop a presentation to launch the system and that will then be used for awareness training as the system progresses. This is done using our Awareness Leaders Workshop. Without authority, responsibility, and resources, middle management and individual contributors cannot improve the business management system.  

We understand that companies have financial restrictions. With a mission to get organizations to appreciate the benefits of a process-based management system, we provide multiple options to work around this challenge. 

(1) We provide free information on our website so you can carry out ISO implementation at your organization.  

(2) Attending a lead auditor training course is a relatively minimal cost. You and your team will gain a comprehensive understanding of the desired ISO standard and gain the skills necessary to implement requirements and conduct audits to determine conformity.  

(3) If you need a little more guidance, we provide scalable consulting services. Our consultants are here to assist you with exactly what you need. You will not have to pay for the full package.  

(4) Our alumni have free email and phone support, for life, to get over average hurdles.  

As far as reluctance among employees, it’s human nature to be reluctant towards change. Keeping this in mind, QMII consultants get key process owners to evidence top management’s commitment and ensure that they are involved in QMS (Quality Management System) development. We analyze with them to capture the system AS-IS and what-should-be. It is essential to get the team buy-in during this process and get their input on the process’s actualities. Teams must also interact and be aligned. We provide team-building workshops where we align objectives to the vision and processes to meet objectives. 

ISO implementation is not an overnight process, it may even seem daunting. QMII’s Action Plan Checklist is readily available, and it focuses on the big picture to simplify the process. If you need more assistance, our consultants would be happy to work with you through the checklist. We appreciate the system you already have; we are simply helping you enhance it to meet requirements and set objectives. Documentation is a significant part of ISO implementation. To remove complexities, we incorporate existing documentation and use a format that works best for you. 

At the end of the day, ISO certification is primarily a marketing decision. QMII strives to help you develop a resilient, integrated management system so that you receive actual benefits. Once set up, your system will work independently and continue to improve while managing risk proactively.  

P-D-C-A with a Christmas Tree

As a QMII employee, I can sit and observe classes whenever I want, more so since they are virtual instructor led these days. It allows me to get a refresher on the clauses, even though it is so hard to get them. It gets me every time. When the time comes to interview auditees, I smile like a Cheshire cat; not a confident grin but one that hopefully does not betray my nervousness.  Often, I am nervous as a long-tailed cat in a room full of rocking chairs. However, my QMII ISO lead auditor training has prepared me well. I am nervous as the auditee too, even though I know audits are not about pass or fail.  While I call myself a writer and researcher my greatest struggle perhaps lies with Audit Report writing. Oh, man! QMII lead auditor training, however, well prepared me to gather all notes during an audit to present a valuable report to the auditee. Smile.

The aspect of Lead Auditor training I like is the P-D-C-A cycle because I can use that analogy anywhere in my life. I have the responsibility of putting up the tree, however, currently, my application of the P-D-C-A is not going so well. Perhaps a re-plan is needed?

So from the Lead Auditor classes that I have attended, P-D-C-A stands for the following and the task next to it is what I have to do:-

P – Planning: We have to put the tree. Also, the objective of my mission. Considerations include where are the decorations kept, do we have enough, do we need a ladder, what should be the first step, then the next (like testing the lights before we put them on the tree), and more. Most important plan the time to do it in my busy schedule!

D – Do: Now to put my plan into action! Locate the boxes, get them out, unpack, and, get my team to help me even if they don’t want to (just to cheer me on perhaps). Yay! Thanks guys, for your help! Thumbs up for that. Basically, everything else that needs to be completed before the tree is finally up and lit up and everyone is happy. The DO stage can be extremely exhausting. How about that drink to cool me down?

Note – From my Lead Auditor training and also when I am auditing my clients, I know that the ‘DO’ section of the process is where a lot of the “action” happens. Just because “you gotta do it, man, get on with it!” I feel the pain of the “Do’s” as it is easy sometimes to plan but more taxing to put the plan into action. Now getting back to my tree.

C – Check: Once the tree is up and you think the job is over, it is not. You have to wait for the others to “check” the tree out and give their opinions. Pass comments, critique your effort while you are bickering away that they didn’t do anything, but they get to analyze it. What was that? Oh yes, I agree it is just an opportunity for improvement and we love our non-conformities.

A – Act: The verdict is out. The tree looks great. Beautiful decorations. However, the lights seem to flicker at some places, we need better lights for next time. Get more decorations. Good job!

VERDICT

Plan it better next time. Stop bickering when you are doing the job. Be patient and stop being

grumpy when they are “checking” and analyzing your work. Continually Improve this process till you get your Act together – words of a wise Yoda who is enjoying the view of the Christmas tree and listening to the Christmas songs.

Can I get that drink now? Long Island, please. Merry Christmas!

Quality Without Question

 

As I was driving home from work, I noticed the following on the back of a vehicle, “Quality without question”. This got me thinking about the message that was being conveyed. Did the organization mean to convey that their quality was great and should not be questioned? That a customer should take their word just because they say so. For many of us that is exactly what we do when we purchase goods off a grocery shelf. We trust the certified organic and non-GMO ratings that we observe on the packaging. But should one question these and how should an organization decide when to?

To check or not to check

ISO 9001 is an internally accepted standard that sets out the requirements for companies looking to implement a quality management system. While ISO 9001 allows an organization to self-declare many organizations choose to go ahead and pursue certification. This is because it demonstrates to the customer an external independent validation by a subject matter expert of the organization’s ability to manage risks and enhance customer satisfaction.

In many cases though, these companies are often audited by customers especially in highly critical industries where the margin for error is very small. ISO 9001 does not require companies to audit their suppliers but asks organizations to determine the type and extent of control they intend to apply. In determining the type and extent of control, consideration should be given to the perceived effectiveness of controls by the supplier. Essentially can the system controls be trusted to effectively manage risks and deliver? This becomes the basis for the need to check or not.

But we don’t have the resources to audit

This is often the case for many small businesses and perhaps even for some governmental organizations that are limited to one or a few suppliers. In these cases, the organization is still obligated to control the externally supplied process, product, or service. Companies can do this by monitoring metrics such as on-time delivery, sampling incoming items for conformity, and in some cases accepting the external organization certification. No matter the approach used, it does not ever absolve the company of ensuring control of the outsourced process/product/service.

In the case of critical items or a single supplier, they may choose to sample 100% of all items coming in and decide over time based on the results if to continue with a large sample size or to reduce to a smaller one. Here also the aspect of resources plays a part. In cases where the resources cannot be made available, the leadership must acknowledge and accept the risk.

In conclusion

Quality must always be questioned, first internally by the organization itself and checked through its processes. It must also be questioned by the customers on a case-by-case basis. Quality and systems that are left unchecked and unmonitored will over time deteriorate and perhaps result in a major incident/accident. To learn more about the requirements of ISO 9001 join QMII’s next lead auditor training.

ISO 9001:2015 – Exclusions

Exclusions to what an organization does were integral to the ISO 9001 standard prior to the 2015 version update. After all an organization cannot do all the work. Clause 7.1.1 lays the foundation on this thought by accepting that an organization must determine and provide resources. In doing so it determines the constraints and capabilities of the existing resources and what needs to be obtained from external providers. As such in previous standards, the organization, when seeking certification, requested exclusion on those processes that it did not perform.

The drawback of this was a major flaw. Over the period of time, some of these organizations, sheltered under the exclusion provision even lost the ability to pick the correct outsourced party! For example, if the organization builds highways, but outsources bridges and tunnels, then it must have the ability to be able to pick the correct vendor/ contractor who will not let the customer down. The revised 2015 version of the standard therefore in the wisdom of TC-176, removed this exclusion provision. It does not imply now the organization cannot outsource what it does not do. All that it means that the organization can review the applicability of the requirements based on its size, complexity and decide on the activities it needs to outsource.

With the exclusion provision removed, the organization would need to do due diligence in appreciating the range of its activities and the risks and opportunities it encounters as also the effect if any of the outsourced vendors not performing to accepted requirements. The organization then remains accountable for the outcome of the outsourced processes and products and services externally obtained. To ensure their consistency and levels of acceptance, it would need to take measures as required by clauses 8.4.1, 8.4.2, and 8.4.3 of the ISO 9001 in enforcing monitoring and measuring to protect its customer and clients.

This assurance that an organization can not and will not outsource those activities which by its decision will not result in failure to achieve conformity of products and services. Clause 4.3 of ISO9001 in determining the scope of the quality management system clearly requires that conformity to the ISO 9001 can only be claimed if the requirements determined as not being applicable do not have an adverse impact on the promises made by the organization. The products it provides, based on externally obtained subproducts or services must not affect customer satisfaction.

In terms of auditing, it is incumbent upon auditors that they carefully seek conformity to this requirement when auditing. Internal audits to ISO 9001 must provide the objective inputs to top management to make better decisions and appreciate the risks of outsourcing to nonperforming and or underperforming outside organizations, remembering they remain accountable and answerable for the final product or service. Ensuring the organization’s accountability for the conforming products and services whether outsourced or not is the responsibility of the organization.

QMII’s ISO 9001 EG (Exemplar Global) certified lead auditor training designed carefully to meet the objectives as envisaged in the standard.

ISO 14001 Management System Certification – Cost versus Value

The most popular type of management systems used today often depends on the type of organization, and how they run their operations.  ISO 9001:2015 Quality Management Systems is the most popular for companies selling products to the military, along with AS9000:2016 Rev D for aviation, space, and defense organizations.  Food processors lean toward ISO 14001:2015 Environmental Management Systems (EMS) and ISO 45001:2018 Occupational Health and Safety (OH&S).  The size of the organization can have a significant bearing on whether they get certified or claim to conform.  It cost less to state you conform than to conduct the number of audits needed to become, and stay, certified.

Agricultural oriented small and medium enterprises (SMEs) will often opt for EMS.  Vineyards, vegetable farms, and livestock farms like ISO 14001.  Therefore, it depends a lot on the percentage of SMEs that are in those businesses.  In many cases, the percentage of organizations conforming to ISO 14001 depends on the amount of local or government pressure to conform.  In Europe and China, ISO 14001 is much higher than in the USA, in part due to government and environmentalist pressure.

Agricultural businesses and those that are getting pressure from socially responsible groups are the types of organizations that become ISO 14001 certified.  Meat packaging companies like Smithfield Ham in Virginia (now owned by a Chinese company), is ISO 14001 certified.  Only four major Ports in the USA are ISO 14001 certified (Port of Virginia is one) but many countries require the certification.  Partly due to all of the food coming into the Ports, but also due to the amount of pollution generated by boats, trains, and trucks that service the Ports. Ports are also now looking at ISO 50001 Energy Management Systems in conjunction with ISO 14001 certification.

One of the key drivers is the desire to meet ISO 14001 Standard requirements in the markets that they want to operate in or sell to.  It is difficult to open facilities in most of Europe, the Middle East, and China without having an ISO 14001 certification.  Environmental impact, energy efficiency, pollution reduction, and sustainability are considered by government permitting organizations.  This is more important for large organizations, but many SMEs also want to sell internationally.

Like other ISO Standards, it takes about a year of internal audits to be ready to claim conformity or get certified to ISO 14001.  SMEs, due to their smaller size, could take less time.  Medium-size businesses, with multiple locations, may elect to just have their headquarters certified, and state conformity for branches and suppliers.  An organization may elect to get its headquarters operation certified and use second-party audits to confirm that its other facilities and suppliers conform to the Standard.

The major cost of becoming certified involves training and multiple audits to get ready for certification.  Once ready, a third-party audit is required.  Most SMEs could be ready within a year.  The actual cost would vary depending on the number of employees trained, and the number of audits conducted before certification.

With good training and responsible staff, most SMEs can become certified.  All processes need to be in line with the goal of using environmental best practices.  In some cases, the cost of changing current processes can become a barrier.  Organizations can consider out-sourcing some processes in order to become more environmentally friendly.  Internal and second party audits can help an organization determine what, if any, processes need to be modified or out-sourced.

There are many reasons why organizations decide to become certified, but over time, reasons have changed for both small and large organizations.  With the new high-level-structure (HLS), EMS is now more similar to other standards.  Organizations that use to be ISO 18001 are now considering ISO 45001, which has OSHA embedded in it.  SMEs, like larger organizations, appreciate the value of being certified to popular standards and promote their conformity in their promotional material.  Many companies that are certified to ISO 9001 have to get the certification to sell to government agencies.  Many of the companies that get ISO 14001 certification, feel their end-users appreciate the company for having it.

To be sustainable, an organization needs to consider many factors.  These factors typically fall into one of the three pillars of Sustainability – Social, environmental and economic categories.  All organizations want to be socially responsible and do minimal damage to the environment, but they have to address the economics of operation.  The key is to strike a balance and establish a management system with processes that can be defended in the light of internal and external audits.

– by Peter Burke