Mapping the sequence and interaction of processes

ISO 9001 training is a great starting point for those that do not have a good understanding of the ISO 9001 standard and are looking to implement it within their organization. The standard provides the framework for implementing a quality management system and defines requirements around the plan-do-check-act framework. ISO 9001 is also the basis for many other ISO standards such as ISO 13485 and IATF 16949.

ISO 9001 places responsibility on the leadership to take accountability for the effectiveness of the system. In order to start the system implementation, the standard asks organizations to define the context of the organization. What is context? It is the business environment within which an organization operates and consists of various aspects that may impact the continuity of operations of an organization. ISO 9001 training will provide inputs into how a SWOT analysis or a PESTLE analysis may be used to define the context. The analysis accounts for economic, technological, legal and other aspects that may impact business if not accounted for and acted against. The context also accounts for internal aspects that may pose a risk such as the non-availability of competent personnel or loss of knowledge.

Once the context and needs of the stakeholders are defined, the organization needs to clearly state the purpose of its business and how it achieves it. This includes documenting the sequence and interaction of its processes. This is a great exercise for an organization to bring leadership on board and also for leadership to gain clarity on how the business runs. At QMII, this is referred to as the core process. In order to capture this core process, the leadership and executive team must be present. The top management provides the objective of the process or their vision for the business. ISO 9001 training is a great method to introduce leadership to their role in the system and what is expected of them per the standard.

The remaining executive team helps the leadership map out the remaining processes of the system that enable the organization to meet the vision of the leadership. The team must clearly be able to see where interactions take place between the different departments for each key process to achieve its goal and be successful. Once all the key processes are identified they can be mapped in further detail with the help of the process owners. QMII’s ISO 9001 training includes a lecture on developing a process-based management system that covers how to map the core process of your organization.
Once the different departments can see how they contribute as a team to the goals and vision of the organization the quality management system will be better implemented as working in silos has not helped any organization.

Managing Risks related to ISO 13485

ISO 13485 sets the requirements for a quality management system for those organizations in the medical device industry. While there are many mandatory regulatory requirements issued by each country related to medical devices, ISO 13485 remains a voluntary standard. The need for certification to the standards stems either from a customer requirement or from a need to market to customers that the organization used a system and risk-based approach to managing quality and continual improvement.
The standard was recently revised in 2016 and includes a greater emphasis on risk than that of the 2003 revision. Risk-based thinking has been emphasized across all ISO requirement standards and is core to implementing a system that is proactive in nature. Risk in its new avatar encourages organizations to look beyond just product safety risk. Organizations complying with ISO 13485 now have to also consider organizational risk and the risk of not meeting compliance obligations. The lifecycle of the product needs to be considered in assessing risks.
Risk, however, can be a subjective topic, and to ensure that an organizational appetite for risk is developed, a risk criterion must be determined by the leadership that will then be the basis for all risk assessments. Risk assessment for medical devices uses the same basis of likelihood of occurrence and severity in calculating the overall risk. Organizations may consider a third factor prescribed by FMEA that takes into account the probability of detection, either before the risk occurs or as soon as it occurs, so that the consequence can be minimized.
ISO 13485 clause 4.1.2(b) requires “The organization shall apply a risk-based approach to the control of appropriate processes needed for the quality management system.” ISO 14971 is another standard that provides guidelines on the risk management framework. In addition to the requirements prescribed per this standard, organizations need to account for performance and compliance risks. In order to address risks posed by software validation and verification, organizations may refer to Good Automated Manufacturing Practices (GAMP). Other risks to consider are the risks from outsourced processes and supplier risks.
Competence of personnel per clause 6.2 of ISO 13485 also poses the potential for risk, and organizations must ensure they have the competent personnel needed for the work to be done. Human error owing to incompetent personnel is a common cause of risk within an organization. Mistake proofing identified risk areas is an effective way of addressing risks within the system. High risks should be addressed to reduce them to an acceptable level. Risks may at times be addressed by accepting them, avoiding them and even sharing the risks with another entity. The risk must be addressed using a planned approach and monitored for effectiveness. QMII’s ISO 13485 training provides students with the knowledge of how to identify, analyze, evaluate and address risks within the system.

ISO training – how much is enough?

We live in a world of super specialization. There seems to be a degree for every field and then subspecialty and further sub-sub specializations. It is not enough to be a banker anymore but there is a need for specialization in wealth management or mortgages or loans and so on. As the need for specializations and the associated training increases, how does one determine the extent of ISO training needed? This can often be confusing given the plethora of training available.
Before we answer this question let us however consider another. Do we even need training? I am sure that most of you would agree that some form of training is needed. It may be either in a classroom environment, done at a school or college, perhaps in-house as on the job training or computer based. Why is ISO training needed? Sometimes it is needed as a means of gaining competence or perhaps to reinforce a lesson lest it be forgotten. The frequency may vary based on the competence of the personnel to start with as also the criticality of the issue such as if it is a control to mitigate a risk.
In the ISO world the most basic form of ISO training is an investment in the system. It is the building block where an organization gets to explain to the workforce why they need to be involved, engaged and embrace the system. Essentially, it answers the “what’s in it for me” question. An indirect benefit is that investing in your workforce signals to them that you want them to succeed and thus improves workforce retention. As a part of this most basic training personnel need to understand how they contribute to meeting the policy and vision of the organization. They learn the implications of not conforming and how it can impact a customer. An organization should easily be able to do this in-house and should not need an external consultant for this.
The next ISO training to be considered is for management so they understand their role in the system and how the lack of evidence of management support can kill the system. This too can be provided in-house by the system manager. In our experience though management listens more carefully when the information is conveyed by an independent third party. There only remains one more ISO training to consider and that is auditor training. Auditor training should be provided to at least 5% of the workforce to ensure a good pool of auditors to conduct internal audits. Personnel should be selected for the desired qualities and from across the organization. QMII’s certified lead auditor ISO training and other training options prepare your workforce to enable continual and sustained improvement of your organization.

Is your organization ready for MDSAP

Quality is important in all industries but perhaps more so in the medical industry and for those organizations producing medical devices. Apart from ISO 13485 that defines the requirement for medical device quality management systems, medical device manufacturers have to also comply with the regulations of the country their devices are going to be used within. In an effort to streamline the program for manufacturers the Medical Device Single Audit Program (MDSAP) was devised. The MDSAP program is an audit done of the company to the regulations of five participating countries. It is thus much longer than a regular ISO audit as it has to assess the system against multiple regulatory requirements.

As your company prepares for this new audit scheme perhaps the easiest thing to do is a self-assessment. Use the MDSAP audit model guide to assess whether the company processes meet all the requirements. Conduct a gap assessment and then work to fill in the gaps including keeping records as needed by MDSAP. Just because an organization undergoes MDSAP does not mean that it will not have an ISO 13485 audit as these are two separate schemes. In conducting the assessment, ensure that the person conducting it is competent to do so. This will avoid any last-minute surprises. Make note that the MDSAP model grades non-conformities differently, so use the same scoring scheme to know which priorities need to be addressed immediately.

Is the leadership prepared? Often, in preparing, an organization focuses on the lower echelons and on the processes involved in design and manufacturing. Ensure the leadership is briefed on the model guide and understands the expectations from them. As a part of each audit the AO focuses on the management and assesses their commitment to the system. The leadership once committed will drive the rest of the organization to follow suit. This will make it easier for those implementing the system and assessing it internally.

Make sure personnel are trained and understand well the expectations of them. QMII offers a variety of MDSAP offerings that are tailored to meet the requirements of the organization with training for each level of the organization. In addition, QMII also offers ISO 13485 lead auditor training. Organizations must recognize that participating in MDSAP will not exclude them from regulatory audits from other organizations. While the audit program may seem cumbersome at first there are benefits from participating in it that include reduced costs and a streamlined audit process.

How to get ISM certified

The ISM Code is the International Code for the Safe Operation of Ships and Prevention of Pollution, more popularly known as the International Safety Management Code. The most recent revision of the code was released in 2018 and provides updates to the Resolutions included as amendments to the code. The ISM Code specifies the methods to attain ISM certification.
The regulations were drafted by IMO in an effort to improve maritime safety and while it has been hailed as a major contributor, it has also led to increased bureaucracy as also increased burden of documentation. As part of the ISM certification scheme there are two certificates needed. One for the company called the Document of Compliance or DoC. This allows the companies to operate vessels under the ISM Code. The DoC is issued by the Flag State, that is the country where the company and its ships are registered. The DoC is issued for each type of vessel that the company operates. This means that it cannot operate a bulk carrier if it only possesses a DoC for a container.
The next certificate issued under the auspices of the code is a safety management certificate. This is issued to each ship of the company and in order to get the certificate an audit of the vessel is conducted, and certain criteria need to be met prior to issue of the certificate. The SMC ISM Certification is issued for a period not exceeding five years and where only one intermediate verification is done it should be done between the 2nd and 3rd anniversary of the certification.
The ISM Certification provides validation that both company and ship are operating using a process-based system approach to manage risks and achieve continual improvement. The ISM code is meant to be a preventive tool and asks companies to assess all risks and then take measures to safeguard against them. Responsibilities and authorities are set out for the various entities included in the ISM process.
Gaining ISM Certification does not guarantee that the ship will be safe or environmental pollution will not occur. It does however provide stakeholders the confidence that non-conformities will be addressed systemically and where an emergency does occur, the company and ship will be prepared to deal with it in the best way possible to mitigate consequences. To be successful it needs active involvement by the leadership and needs them to walk the talk. The system must be built around the users and for the users to enable them to succeed.
To learn more about the ISM Code and ISM certification enroll for QMII’s ISM auditor training.

How is ISO 13485 different from ISO 9001

ISO 13485 released an updated version of the standard in 2016 but it broke ranks with ISO 9001. In the past the two standards were aligned with the ISO 13485 capturing the additional requirements for the medical device industry. An ISO 13485 overview would reveal that it has retained a lot of the documentation requirements and not left the standard as subjective as the revised ISO 9001:2015.
ISO 13485 provides the requirements for quality management systems for use by the medical device industry. While it still remains broadly based on the framework set by ISO 9001, compliance with the standard will not inherently mean compliance with ISO 9001. The standard is published by ISO, an international organization. It is assessed by certification bodies across the globe accredited by IAF.
An ISO 13485 overview of the standard will show much more in-depth requirements for risk management. This essentially aligns with the US CGMP regulations as also regulations by international bodies. The standard for further assessing risk is ISO 14971 which specifically deals with risk within the medical device industry. In due course the US CFRs will get aligned with ISO 13485 and plans are underway for the update.
As a part of risk management of the systems, companies will now have to assess and address the risks from outsourced processes, lack of competent personnel, lack of adequate number of personnel, loss of traceability, failure in testing of the products at relevant stages, failure to timely address non-conformities, and the documentation of risk itself. Management needs to keep an ISO 13485 overview of their system through the planned management reviews and periodic internal audits. To ensure audits add value these must be conducted by trained and competent personnel.
QMII’s ISO 13485 lead auditor training prepares your personnel to not only effectively audit the system but also implement it as needed. An ISO 13485 overview version of the course is also available for senior management, so they understand their roles and responsibilities with respect to the standard. Having discussed this, the question often arises whether ISO 13485 is mandatory. As with all other ISO standards it is not mandatory to implement ISO 13485 though it is mandatory to meet regulatory requirements such as CFRs and EU MDR. However, implementing ISO 13485 provides confidence to customers that the organization uses a process-based approach to continual improvement.
ISO 13485 overview of the standard demonstrates that product quality cannot be guaranteed just from implementing the standard but that it must be vigorously used. The standard can also be applied to all sizes of organizations.

How AS9100 prevents airline accidents

It is said that air travel is statistically one of the safest modes of transportation. The flights that do not land well or go missing make the news more than the thousands of those that complete a safe flight. Checklists used in the aviation industry are well known for how well they help pilots deal with disasters. However, a lot is to be said for the plane itself, which is built to stringent quality requirements, down to the last rivet. Many aerospace parts manufacturers are certified for AS9100. So, what is AS9100?
It is an internationally accepted standard that defines the requirements for a quality management system for companies. It is built on the foundation of ISO 9001, another globally recognized quality standard. It builds the framework for organizations to identify risks at all stages of the production or service realization process. The standard sets the baseline for quality and once implemented within an organization is assessed and certified by independent accreditation bodies. So, a part produced by an AS9100 certified organization in India, Brazil or elsewhere will meet the basic quality requirements.
What does AS9100 prescribe that companies do to achieve this? AS9100 is not prescriptive in its requirements. It defines the framework, and each company must then interpret the requirements as they best apply to what they do. The leadership of the organization must remain involved and is accountable for the effectiveness of the system. The systems are influenced by regulatory requirements, customer requirements and other business requirements from various stakeholders. What are the AS9100 requirements with respect to control of outsourced processes?
Organizations must control outsourced processes and remain responsible for the output of the process. Based on the performance of the vendor or the criticality of the parts etc., the type and extent of control may vary. AS9100 also requires organizations to determine the competence of personnel needed and then to take steps to achieve this competence. AS9100 quality requirements must be flowed down to all suppliers in the supply chain and supply chain risks are to be considered and mitigated as appropriate.
What are the AS9100 requirements for audits? External certification audits are conducted on a three-year cycle with annual surveillance audits in the intermediate years. Internal audit frequency is determined based on the organization's needs, and the auditors used to conduct the audits must be competent. To achieve this competence, they should complete a certified AS9100 lead auditor training. QMII offers a PROBITAS Authentication lead auditor training in both virtual and on-site format. These stringent quality requirements in the supply chain as advocated by AS9100 help ensure planes meet the highest safety and quality requirements, thus helping to reduce accidents.

Does MDSAP replace ISO 13485

The short answer is NO. MDSAP is not going to replace ISO 13485 and it is not time to give up your ISO 13485 certification. ISO 13485 and MDSAP are two different programs with similar requirements but they do not duplicate each other. MDSAP has the more stringent requirements of the two and companies that are already certified to ISO 13485 will see an increase in the number of audit days once they seek certification to MDSAP.
What is MDSAP? It stands for Medical Device Single Audit Program and currently the following countries are part of the program: USA, Canada, Japan, Brazil and Australia. This means that an accredited body that certifies an organization will assess them against the regulatory requirements of all the different countries aforementioned. While the audit may be long it does mean that doing one audit will qualify the product for all the different markets without having to go through other audits.
What is ISO 13485? The standard is developed by ISO and is based on the process-based approach for management systems. Until recently it aligned with ISO 9001 and was built upon the same framework with clauses aligning. However, when ISO 9001 was revised in 2015, it changed to align to the new high-level structure. ISO 13485 did not follow suit and chose to retain its old structure as also some of the requirements that ISO 9001 did away with. ISO 13485 has more prescriptive requirements than ISO 9001 and now in its new 2016 avatar has given more importance to risks. Companies getting certified to ISO 13485 may use ISO 14971 to address the risk requirements within the medical device industry.
ISO 13485 and MDSAP both look to ensure that medical devices are manufactured to strict quality requirements. These are important given that the devices are used in the healthcare industry and pharma industry with the end users being humans. MDSAP will still require organizations to implement ISO 13485 as the underlying quality management system. We must note that MDSAP is only an audit approach and not a system in itself. However, to gain the benefits of ISO 13485 and MDSAP, companies will need to get audited to both requirements and receive a certificate of conformity to both the ISO 13485 and regulatory requirements under the MDSAP program.
Organizations need to keep in mind that should they seek to do business in Europe it will require certification to EU requirements as MDSAP does not yet cover the EU requirements such as MDR. Those organizations looking to prepare for ISO 13485 or for an MDSAP audit may consider QMII’s service offerings that are tailored to meet the varying needs of the organization.

AIAG-VDA FMEA vs Traditional FMEA – The Differences

FMEA or Failure Mode Effects Analysis has been in use since the 1940s. It was primarily used in the aerospace industry to start with and then slowly made its way into the automotive sector where it gained popularity. In 2019 a change was made to the FMEA methodology used and AIAG (The US Automotive Group) and VDA (the German counterpart) issued a new FMEA handbook that changed the methodology of how this process was carried out. For companies this does not mean that an immediate changeover is required. The need for use of the new methodology will be driven by the customer as part of their requirements.
What is FMEA? FMEA is a tool used to assess risk. There are two types of FMEA: process FMEA and design FMEA. Using the tool, organizations can identify potential threats within their process and design and take actions to address them before they develop into a non-conformity. In essence therefore it is a preventive tool. While there are differences between the traditional and new methodologies, they both use the same process to identify and mitigate risks.
They both still require three axes for calculation of the risk to the organization. The first is the probability or likelihood of detection, the next is the severity or consequences and the last factor taken into consideration is the ease of detection before the error or risk occurs. If the risk is less likely to be detected, it is greater, and if it is easy to detect, the overall risk is considered to be less. FMEAs must be done by teams and the overall risk is based on criteria set by the organization and not by one individual. Therefore, it is also always better to use teams to conduct an FMEA as opposed to one individual doing it.
FMEAs are not static documents that once created do not require a change. They are living documents that are updated and reviewed at periodic intervals to ensure there are no changes that may alter the overall risk. In the traditional FMEA an RPN or Risk Priority Number was calculated. A number of people over the years have critiqued the RPN approach as the threshold at which a risk is considered not acceptable is often arbitrary. In the AIAG-VDA approach they have changed this to an Action Number and the handbook provides a table for guidance with what each Action Number means. The new methodology is also broken down into seven steps.
To learn more about FMEA and how to conduct either a Design FMEA or a process FMEA join QMII’s training offered in both an onsite and virtual instructor led format.

ISO 9001:2015 – Exclusions

Exclusions to what an organization does were integral to the ISO 9001 standard prior to the 2015 version update. After all an organization cannot do all the work. Clause 7.1.1 lays the foundation on this thought by accepting that an organization must determine and provide resources. In doing so it determines the constraints and capabilities of the existing resources and what needs to be obtained from external providers. As such in previous standards, the organization, when seeking certification, requested exclusion on those processes that it did not perform.

The drawback of this was a major flaw. Over a period of time, some of these organizations, sheltered under the exclusion provision, even lost the ability to pick the correct outsourced party! For example, if the organization builds highways, but outsources bridges and tunnels, then it must have the ability to pick the correct vendor/contractor who will not let the customer down. The revised 2015 version of the standard therefore, in the wisdom of TC-176, removed this exclusion provision. This does not imply that the organization now cannot outsource what it does not do. All it means is that the organization can review the applicability of the requirements based on its size and complexity and decide on the activities it needs to outsource.

With the exclusion provision removed, the organization would need to do due diligence in appreciating the range of its activities and the risks and opportunities it encounters as also the effect if any of the outsourced vendors not performing to accepted requirements. The organization then remains accountable for the outcome of the outsourced processes and products and services externally obtained. To ensure their consistency and levels of acceptance, it would need to take measures as required by clauses 8.4.1, 8.4.2, and 8.4.3 of the ISO 9001 in enforcing monitoring and measuring to protect its customer and clients.

This is the assurance that an organization cannot and will not outsource those activities which by its decision will not result in failure to achieve conformity of products and services. Clause 4.3 of ISO 9001, in determining the scope of the quality management system, clearly requires that conformity to ISO 9001 can only be claimed if the requirements determined as not being applicable do not have an adverse impact on the promises made by the organization. The products it provides, based on externally obtained subproducts or services, must not affect customer satisfaction.

In terms of auditing, it is incumbent upon auditors that they carefully seek conformity to this requirement when auditing. Internal audits to ISO 9001 must provide the objective inputs to top management to make better decisions and appreciate the risks of outsourcing to nonperforming and/or underperforming outside organizations, remembering they remain accountable and answerable for the final product or service. Ensuring the organization’s accountability for the conforming products and services, whether outsourced or not, is the responsibility of the organization.

QMII’s ISO 9001 EG (Exemplar Global) certified lead auditor training is designed carefully to meet the objectives as envisaged in the standard.