The short answer is NO. MDSAP is not going to replace ISO 13485 and it is not time to give up your ISO 13485 certification. ISO 13485 and MDSAP are two different programs with similar requirements, but they do not duplicate each other. MDSAP has the more stringent requirements of the two, and companies that are already certified to ISO 13485 will see an increase in the number of audit days once they seek certification to MDSAP.
What is MDSAP? It stands for Medical Device Single Audit Program, and currently the following countries are part of the program: USA, Canada, Japan, Brazil and Australia. This means that an accredited body that certifies an organization will assess it against the regulatory requirements of all the aforementioned countries. While the audit may be long, it does mean that one audit will qualify the product for all the different markets without having to go through other audits.
What is ISO 13485? The standard is developed by ISO and is based on the process-based approach for management systems. Until recently it aligned with ISO 9001 and was built upon the same framework, with the clauses aligning. However, when ISO 9001 was revised in 2015, it changed to align to the new high-level structure. ISO 13485 did not follow suit and chose to retain its old structure as well as some of the requirements that ISO 9001 did away with. ISO 13485 has more prescriptive requirements than ISO 9001 and now, in its new 2016 avatar, has given more importance to risks. Companies getting certified to ISO 13485 may use ISO 14971 to address the risk requirements within the medical device industry.
ISO 13485 and MDSAP look to ensure that medical devices are manufactured to strict quality requirements. These are important given that the devices are used in the healthcare industry and pharma industry, with the end users being humans. MDSAP will still require organizations to implement ISO 13485 as the underlying quality management system. We must note that MDSAP is only an audit approach and not a system in itself. However, to gain the benefits of ISO 13485 and MDSAP, companies will need to get audited to both requirements and receive a certificate of conformity to both ISO 13485 and the regulatory requirements under the MDSAP program.
Organizations need to keep in mind that should they seek to do business in Europe it will require certification to EU requirements as MDSAP does not yet cover the EU requirements such as MDR. Those organizations looking to prepare for ISO 13485 or for an MDSAP audit may consider QMII’s service offerings that are tailored to meet the varying needs of the organization.
AIAG-VDA FMEA vs Traditional FMEA – The Differences
FMEA or Failure Mode Effects Analysis has been in use since the 1940s. It was primarily used in the aerospace industry to start with and then slowly made its way into the automotive sector where it gained popularity. In 2019 a change was made to the FMEA methodology used and AIAG (The US Automotive Group) and VDA (the German counterpart) issued a new FMEA handbook that changed the methodology of how this process was carried out. For companies this does not mean that an immediate changeover is required. The need for use of the new methodology will be driven by the customer as part of their requirements.
What is FMEA? FMEA is a tool used to assess risk. There are two types of FMEA: process FMEA and design FMEA. Using the tool, organizations can identify potential threats within their process and design and take actions to address them before they develop into a non-conformity. In essence, therefore, it is a preventive tool. While there are differences between the traditional and new methodologies, they both use the same process to identify and mitigate risks.
They both still require three axes for calculation of the risk to the organization. The first is the probability or likelihood of detection, the next is the severity or consequences, and the last factor taken into consideration is the ease of detection before the error or risk occurs. If the risk is less likely to be detected, the risk is greater; if it is easy to detect, the overall risk is considered to be less. FMEAs must be done by teams, and the overall risk is based on criteria set by the organization and not by one individual. Therefore, it is also always better to use teams to conduct an FMEA, as opposed to one individual doing it.
FMEAs are not static documents that, once created, do not require a change. They are living documents that are updated and reviewed at periodic intervals to ensure that no changes have altered the overall risk. In the traditional FMEA, an RPN or Risk Priority Number was calculated. A number of people over the years have critiqued the RPN approach, as the threshold at which a risk is considered not acceptable is often arbitrary. In the AIAG-VDA approach they have changed this to an Action Number, and the handbook provides a table for guidance on what each Action Number means. The new methodology is also broken down into seven steps.
To learn more about FMEA and how to conduct either a Design FMEA or a process FMEA join QMII’s training offered in both an onsite and virtual instructor led format.
The role of internal audits in MDSAP audits
As MDSAP deadlines draw near, companies are asking how to prepare for the MDSAP audit. The most basic step for the success of any management system is to say what you do and do what you say. When the system as documented is captured to reflect the “As-Is” of how it is done, then implementing the system leads to conformity at all levels.
Auditing Organizations (AOs) that will come to assess the conformity of the system will be using a process-based approach to the audit as also prescribed by ISO 13485 and ISO 19011. As such internal audit teams too should be trained to conduct process-based audits. This will ensure that the organization will be ready and familiar with the way the AO audit will be conducted. Process-based audits also allow a better look at how the system is working to meet objectives. In the aerospace industry PEAR diagrams are used to identify the inputs, resources and controls for each process to better understand the interrelation of them within the process, whether they are sufficient and how they interact with other processes.
In the process audits for MDSAP, the AO will first start with an audit of the leadership (top management) to appreciate their commitment to the system as well as their awareness of the risks impacting their system and the actions they are taking to address them. At each level the auditors will be seeking evidence of competence, documentation and data control, and monitoring and measurement being done.
Internal audit teams should use a grading system similar to that used by MDSAP auditors and as prescribed by GHTF/SG3/N19:2012. The grading system follows a scale of 1 to 5, with 5 being the most severe. This will enable a realistic look at the state of the system. Auditors will also focus on the design and development and production controls from a risk perspective. They will assess how well the outsourced providers are controlled and what risks were determined in assessing the type and extent of control to be applied.
As with all systems auditors will want to assess that a system exists to identify and deal with non-conformities including implementation of corrective action within the defined time frame. Internal audit personnel can gain a better understanding of MDSAP audits and how to prepare by enrolling in QMII’s suite of course offerings tailored to various levels of the organization. Keep in mind that MDSAP audits are longer in duration as the audit time is based on tasks and not the number of employees.
Should you start using the system only after it is fully documented?
The word quality means different things to different people. To companies it often means delivering a conforming product/service to a customer, aka meeting their requirements. To achieve this conformity consistently, successful companies implement quality management systems. Rather than re-invent the wheel, ISO 9001 is often selected as the standard to use to set up a quality management system (QMS). In addition, ISO 9001 training is provided to individuals at all levels within the company.
As companies start to implement the system, ISO 9001 training can prove useful. Leadership is trained so they are aware of their role in the system and how they can positively contribute to its success. The personnel are trained so they are aware of their need to contribute and the implications if they don’t. The project managers who own the project for implementing a QMS get training on the process for implementing the requirements of the standard as well as their correct interpretation. Auditors are trained in an ISO 9001 training course designed to also teach the auditing requirements per ISO 19011.
So should personnel then start using the documentation as soon as it is complete, or wait for the entire system to be documented and for the official launch date? If the system has been implemented correctly, then the documented processes should reflect the way work is currently done and not a fictional process. It should not increase the burden for the users. As users start to use their newly documented processes, they can begin to provide feedback on their accuracy as well as the need for change. Personnel therefore should not have to wait until the entire system is documented. Yes, organizations could however set an official launch date from which point forth records will be maintained. As such, all data prior to the launch date is not then auditable, nor is there a requirement to maintain it.
It should also be kept in mind that not every process needs to be documented as also that the organization can determine the extent to which to document the system. The extent to which to document depends on a number of factors including competency. ISO 9001 training is one way of increasing awareness of the requirements of ISO 9001 as also the system. Training may not always result in competency however.
At QMII a number of ISO 9001 training options are available and our training can be customized to meet the clients’ needs. The training is also available in an instructor-led virtual interactive format.
What are the functional requirements of the ISM code?
The ISM Code was ratified and brought into effect to improve the safety of shipping. With this, a new era was ushered in for the maritime industry. The ISM code was launched with the intent of getting companies to self-regulate and proactively manage risks. Companies that have embraced the ISM Code and not solely viewed it as a paperwork burden have reaped the benefits of the ISM code. Companies with ISM certification that have a well implemented system are able to proactively manage risks and are thus able to save the costs of dealing with non-conformities.
To gain ISM certification an organization must demonstrate that they have met the intent of the code and inherent in this is meeting the following functional requirements of the ISM code:
• A Safety and Environmental Protection Policy – To attain ISM Certification in the form of a Document of Compliance or Safety Management Certificate for the vessel the company must demonstrate that a policy is in place that shows how the company will meet the safety objectives of the code. It must be implemented at both shore and vessel.
• Instructions and procedures to ensure safe operation of ships and protection of the environment in compliance with relevant international and flag State legislation – These are essentially addressed by implemented SMS documentation meeting the requirements of clause 7 of the ISM code.
• Defined levels of authority and lines of communication between, and amongst, shore and shipboard personnel – The key words of between and amongst in this clause should not be missed. For the system to go beyond ISM certification the processes must work interactively to achieve the goals of the company and personnel must be clear on the expectations of them.
• Procedures for reporting accidents and non-conformities with the provisions of this Code – Identifying and addressing non-conformities plays a crucial role in the success of the system. With effective corrective action companies are able to ensure that the non-conformity does not occur again. This requirement is further amplified in clause 9 of the code.
• Procedures to prepare for and respond to emergency situations – ISM certification includes being able to demonstrate that a company can respond to emergencies at any time. To ensure this a designated person ashore is appointed who is available 24 x 7.
• Procedures for internal audits and management reviews – Internal audits and reviews to assess the effectiveness of the system must be conducted. Apart from the internal audits done by the company, the Flag Administration conducts ISM certification audits prior to issue of the interim SMC/DOC as well as prior to the first full term certificate. Thereafter verifications are conducted at periodic intervals.
To learn more about how to implement and assess the effectiveness of implementation through audit enroll for QMII’s ISM Auditor class.
Can training solve the issue of human error at sea?
Those who have been employed in the maritime industry for even a few months will have heard that 80% of the accidents and incidents at sea can be attributed to human error. The solution for this is often quality maritime training for the personnel involved. However, training is perhaps the most easily reversible corrective action. System experts will even go so far as to say that when something goes wrong, do not blame the individual but blame the system. Can it always only be the system's fault? Surely human error does play some part.
With the onset of STCW, new rules were ushered in to ensure quality maritime training for all personnel at sea. Similar rules have been extended to those in the inland water towboat industry with the onset of Subchapter M. STCW required maritime training centers to have quality standards systems in place and for flags to provide oversight of the training institutions to ensure quality maritime training was indeed being delivered. So, with such well trained personnel why then do errors still take place?
Safety management systems are truly only successful when a just culture for safety exists aboard the vessels. This means there is no fear of repercussion or reprimand for stopping someone performing an unsafe act or for reporting an unsafe condition. When human error does creep in, it can often be attributed to the dirty dozen of unsafe acts and conditions. When a non-conformity occurs, or a potential non-conformity is identified, the corrective action identified must address the root cause(s) of the problem. Poor root cause analysis will lead to quick fixes but no long-term improvement. Identifying the root cause leads to systemic corrective action, with solutions perhaps being newly identified competence, mistake proofing of the system, revised procedures and in some cases training. However, this time the training is made systemic and so repeated at periodic intervals.
Quality maritime training is only the first step towards ensuring qualified mariners as required by the ISM code, but these competent, qualified mariners need to have the support of the system. When human error, operator error, user error and the like are identified over time as root causes, it may be possible that it is indeed such, but it may also signify a deeper root cause: perhaps a poorly managed hiring process, or induction process, or onboard training program. Training may have some role to play in the success of a safety management system and the reduction of human error as a cause of incidents/accidents. Quality maritime training may be a leading preventive tool; however, only when the issues are treated systemically will long term improvements be gained, and safer operations as a result.
ISO 14001 Management System Certification – Cost versus Value
The most popular type of management system used today often depends on the type of organization and how it runs its operations. ISO 9001:2015 Quality Management Systems is the most popular for companies selling products to the military, along with AS9000:2016 Rev D for aviation, space, and defense organizations. Food processors lean toward ISO 14001:2015 Environmental Management Systems (EMS) and ISO 45001:2018 Occupational Health and Safety (OH&S). The size of the organization can have a significant bearing on whether they get certified or claim to conform. It costs less to state you conform than to conduct the number of audits needed to become, and stay, certified.
Agricultural oriented small and medium enterprises (SMEs) will often opt for EMS. Vineyards, vegetable farms, and livestock farms like ISO 14001. Therefore, it depends a lot on the percentage of SMEs that are in those businesses. In many cases, the percentage of organizations conforming to ISO 14001 depends on the amount of local or government pressure to conform. In Europe and China, ISO 14001 is much higher than in the USA, in part due to government and environmentalist pressure.
Agricultural businesses and those that are getting pressure from socially responsible groups are the types of organizations that become ISO 14001 certified. Meat packaging companies like Smithfield Ham in Virginia (now owned by a Chinese company) are ISO 14001 certified. Only four major Ports in the USA are ISO 14001 certified (Port of Virginia is one), but many countries require the certification, partly due to all of the food coming into the Ports, but also due to the amount of pollution generated by boats, trains, and trucks that service the Ports. Ports are also now looking at ISO 50001 Energy Management Systems in conjunction with ISO 14001 certification.
One of the key drivers is the desire to meet ISO 14001 Standard requirements in the markets that they want to operate in or sell to. It is difficult to open facilities in most of Europe, the Middle East, and China without having an ISO 14001 certification. Environmental impact, energy efficiency, pollution reduction, and sustainability are considered by government permitting organizations. This is more important for large organizations, but many SMEs also want to sell internationally.
Like other ISO Standards, it takes about a year of internal audits to be ready to claim conformity or get certified to ISO 14001. SMEs, due to their smaller size, could take less time. Medium-size businesses, with multiple locations, may elect to just have their headquarters certified, and state conformity for branches and suppliers. An organization may elect to get its headquarters operation certified and use second-party audits to confirm that its other facilities and suppliers conform to the Standard.
The major cost of becoming certified involves training and multiple audits to get ready for certification. Once ready, a third-party audit is required. Most SMEs could be ready within a year. The actual cost would vary depending on the number of employees trained, and the number of audits conducted before certification.
With good training and responsible staff, most SMEs can become certified. All processes need to be in line with the goal of using environmental best practices. In some cases, the cost of changing current processes can become a barrier. Organizations can consider out-sourcing some processes in order to become more environmentally friendly. Internal and second party audits can help an organization determine what, if any, processes need to be modified or out-sourced.
There are many reasons why organizations decide to become certified, but over time, reasons have changed for both small and large organizations. With the new high-level-structure (HLS), EMS is now more similar to other standards. Organizations that used to be ISO 18001 are now considering ISO 45001, which has OSHA embedded in it. SMEs, like larger organizations, appreciate the value of being certified to popular standards and promote their conformity in their promotional material. Many companies that are certified to ISO 9001 have to get the certification to sell to government agencies. Many of the companies that get ISO 14001 certification feel their end-users appreciate the company for having it.
To be sustainable, an organization needs to consider many factors. These factors typically fall into one of the three pillars of Sustainability – Social, environmental and economic categories. All organizations want to be socially responsible and do minimal damage to the environment, but they have to address the economics of operation. The key is to strike a balance and establish a management system with processes that can be defended in the light of internal and external audits.
– by Peter Burke
AS9100-Risk-Based Thinking in the Airline industry – It’s about time.
The airline industry statistically has one of the best safety records. AS9100 defines the framework for a quality management system for aerospace parts manufacturers across the globe. Over the past decade, however, there have been several airline accidents that have brought the safety of airlines to the forefront. In a most recent case, that of the Boeing 737 MAX, a software glitch was identified as the cause. As investigations proceed, the general consensus is that this glitch should have been previously identified.
Risk generally is associated with ‘uncertainty’ or ‘negativity’. This changed with ISO 9001:2015 and the onset of risk-based thinking that now asks companies to consider the opportunities for improvement that may arise out of taking a ‘calculated’ risk. Further in AS9100, that is built on ISO 9001, there are requirements for consideration of strategic risks and operational risks and the need to take action to address each. The impact of coronavirus or a similar pandemic is a great example of a strategic risk that can affect business continuity.
Risk-based thinking in the AS9100 standard promotes customer focus within an organization. While risk-based thinking has been inherent in previous versions of the standard with preventive action, the new standards address risk at each stage of the PDCA cycle, thus enabling the entire AS9100 management system to act at each stage as a preventive tool.
The aerospace and automotive industries are leaders in the implementation of Failure Mode and Effects Analysis (FMEA) and the Plan-Do-Check-Act Cycle (PDCA) of process management. Originally adopted by the military in the 1950s, FMEA was later embraced by the auto and aerospace industries. The FMEA process identifies risks that can then be addressed using mistake proofing and problem solving with a team approach. FMEA can be used for either product or process. When used properly it can be very effective at addressing risks. FMEA is a great core tool that can be applied to address the AS9100 clause 8.1.1 operational risk requirements.
AS9100 asks top management to take accountability for the quality of products and services produced by their organization, keeping a customer focus at the core of all they do. The influence of end users, customers and the company's marketing department on the product’s design needs to be constantly reviewed. At each of the requirements gathering, design & development and manufacturing stages of the AS9100 system there are potential risks. As such, doing a single FMEA may not be sufficient; the FMEA may require review at periodic intervals, as a change in inputs to the process/product may change the associated risks or identify new ones.
Management wants to encourage continuous improvement and innovative recommendations by all stakeholders, but changes must be reviewed. Whenever a change is made to an AS9100 certified product or service, that change should follow the PDCA Cycle approach, the same way it was done when the product was first introduced. This will reduce the number of recalls and the risk of injuries to end users of the products.
A single non-conforming product that goes out of the organization into the market results in an intangible loss, for no value can be put on the loss of reputation. It only takes a single incident! Starting with risk appreciation at the Plan stage of the PDCA cycle and then throughout the rest of the cycle, with a focus on customer satisfaction, will help the aerospace industry improve by preventing non-conformities before they occur as well as, hopefully, improve their AS9100 certified products.
ISO 14001-Benefits for Maritime Companies
Environmental accidents in the maritime industry get quick media attention. ISO 14001 does not guarantee that maritime accidents will not happen. It does, however, get organizations to consider their operations from a life cycle perspective of minimizing the impact of their operations on the environment.
The maritime industry has for a while now been governed by the requirements of MARPOL. MARPOL has 6 annexes and as of date all six annexes are in force. The six annexes cover the requirements for prevention of pollution of the marine environment by oil, noxious liquid substances, harmful substances in packaged form, sewage, garbage and air. However, MARPOL does not address the lifecycle operations of the shipping business. From an ISO 14001 perspective this would need to encompass the need for recycling of ships once they are done with their life.
The French aircraft carrier Clemenceau is a good example of a vessel that faced major issues with being scrapped. Having sailed all the way to Alang, India, it was denied entry and had to transit back to French waters. It was denied access to Alang owing to the asbestos used on the vessel and the potential harm it would have on the scrap workers at Alang. MARPOL also does not address the operations as managed from ashore and the environmental impact of the operations of supporting the ships.
ISO 14001 encompasses the entire operations of the company if within scope and encourages organizations to look at all their operations from a lifecycle perspective. This essentially means that when designing office spaces and building ships, companies need to start thinking about how they will dispose of waste from the processes in a manner responsible to the environment. Environmental sustainability is a new buzzword, and companies can demonstrate commitment to the environment, to stakeholders, through implementation of the internationally recognized standard ISO 14001.
ISO 14001 need not run independent of the existing management system that most maritime companies have conforming to the ISM Code. The requirements of ISO 14001 as with the MARPOL requirements get incorporated into the one management system on which the company operates. ISO 14001 as with other ISO standards is a voluntary standard. As such companies must choose to implement an environmental management system conforming to ISO 14001. Many leading maritime companies have already done so. QMII’s ISO 14001 training is delivered in multiple formats such as executive overviews, internal auditor and lead auditor. The training is also provided in an instructor-led online format and QMII’s instructors, having a maritime background, bring a unique skill set to the class in connecting the requirements of the standard through real life experiences.
Eight steps for a successful internal audit program
Internal audit programs play an important role in ensuring the success of the system. ISO standards such as ISO 9001, ISO 14001 and ISO 45001 provide the framework for management systems to function using a process-based approach, to achieve customer and other stakeholders' requirements. Organizations certified to ISO standards strive to be compliant, efficient and remain certified. Successful systems have Top Management (TM) / Leadership that are committed to and engaged with the system. They ensure regular internal audits and conduct management reviews (MR) to assess the continuing suitability, adequacy and effectiveness of the system. They further ensure that their decision-making process uses the inputs from the MR to ensure objective resourcing and support for efficiency.
External third-party audits too add value to this system, provided the auditors remain objective throughout the audit. Over the years QMII has come across instances where Non-Conformities (NC) were issued without the requirement being clearly stated or the evidence did not substantiate the requirement not met. However, these NCs are rarely challenged by organizations for “fear” of upsetting the auditors. Changes are further implemented to the system as a part of corrective action based on these findings. At times when the management is disconnected from the working system they often are surprised by the NCs presented at the closing meeting.
Is there, as a result, a case for preparing the organization for both internal audits and external audits? In well-functioning systems the organization should never have to prepare for an internal audit. The systems are designed to drive success and not for auditors or to get through audits without any NCs. NCs are, after all, an opportunity for continual improvement of the system and should be embraced, provided they are objective and not subjective to an auditor’s experience or opinion. An organization can and must respect a good NC and use it to drive correction and corrective action (CA). After all CA is NC driven. The organization/ auditee should be happy to receive a NC for risk(s) not appreciated.
I do however think that there are steps an organization can take to build employee confidence in the system, including the confidence to challenge the auditor when a NC is not clear or incorrectly given. Here are eight steps an organization can take to give its employees that confidence for internal audits and subsequently for external audits:
- Conduct orientation on the process-based management system (PBMS) approach in general, and introduction to the highlights of the specific standard (e.g. ISO 9001:2015). This ensures that the basics of system approach and the internal management system are clear to all personnel.
- All TM must do a short training to be aware of the ISO standard, the main clauses and the benefits of the management system. This awareness leaders workshop (ALW) brings the confidence in the system, its implementation and continual improvement. This leadership awareness further encourages engagement of all personnel to use the system and increases buy-in.
- On a regular basis, in day to day work and meetings, refer to the management system. Ensure quality, environment, safety, security, social responsibility and compliance are topics of discussion at periodic intervals. Even the middle and lower management, e.g. supervisors, should be encouraged to use the system and engage others to do so. Management may have to support others in their roles of leadership at relevant levels.
- More than just following processes, all personnel must feel free and confident to challenge the process, make suggestions, raise NCs and submit innovative ideas. A participatory approach to system implementation is very cost effective. Let employees voice their concerns. Once they are confident of their process and their system (with the fundamentals of the ISO Standard/other requirements built-in), the fear of audits will reduce.
- Put in place an aggressive internal audit program. When an outside (third party) auditor raises a NC, the organization does RCA (Root Cause Analysis) of the NC, but rarely does it challenge its internal system and ask how the internal audit program missed the NC raised by the third party. Internal audits must be objective and strict and must raise all NCs.
- NCs must be tracked diligently and addressed within the time frame the organization has set for itself. TM must stay involved by asking about the progress of the CA process. Overdue NCs must be investigated, and TM must ask during the MR why the concerned department did not address them in time. Encourage PSW (Problem Solving Workshops) so teams can look at complex, inter-departmental NCs. Encourage the use of tools such as Causal Analysis and FMEA (Failure Mode Effect and Analysis).
- Creating a lesson learned data base has many advantages. It acts as a historic record for new joiners to learn of past occurrences. Additionally, it has great participatory value connecting each future task as a driver of improvement based on the past. The collective intelligence of the organization is available to the organization and does not vanish when individuals leave the organization.
- Some additional points for ISO 9001/ISO 45001/AS9100 audit preparation:
  - Answer audit questions to the point. Do not volunteer information not sought.
  - Do not be reluctant to ask for your manager/supervisor to support you if you are not clear on the question.
  - Have the confidence in your professionalism to ask the auditor for the requirement based on which the auditor is planning to raise a NC.
  - Be aware of risks associated with their process and actions taken to address them.
  - Explain the risks in the context of the organization and the context of what the employee does to them.