The role of internal audits in MDSAP audits

As MDSAP deadlines draw near companies are asking how to prepare for the MDSAP audit. The most basic step for the success of any management system is to say what you do and do what you say. When the system as documented is captured to reflect the “As-Is” of how it is done then implanting the system leads to conformity at all levels.
Auditing Organizations (AOs) that will come to assess the conformity of the system will be using a process-based approach to the audit as also prescribed by ISO 13485 and ISO 19011. As such internal audit teams too should be trained to conduct process-based audits. This will ensure that the organization will be ready and familiar with the way the AO audit will be conducted. Process-based audits also allow a better look at how the system is working to meet objectives. In the aerospace industry PEAR diagrams are used to identify the inputs, resources and controls for each process to better understand the interrelation of them within the process, whether they are sufficient and how they interact with other processes.
In the process audits for MDSAP the AO will first start with an audit of the leadership (top management) to appreciate their commitment to the system as also their awareness of the risks impacting their system and the actions, they are taking to address them. At each level the auditors will be seeking evidence of competence, documentation and data control and monitoring and measurement being done.
Internal audit teams should use a grading system familiar to those used by MDSAP auditors and as prescribed by HTF/SG3/N19:2012. The grading system follows a scale of 1 to 5 with 5 being the most severe. This will enable a realistic look at the state of the system. Auditors will also focus on the design and development and production controls from a risk perspective. They will assess how well the outsourced providers are controlled and what risks were determined in assessing the type and extent of control to be applied.
As with all systems auditors will want to assess that a system exists to identify and deal with non-conformities including implementation of corrective action within the defined time frame. Internal audit personnel can gain a better understanding of MDSAP audits and how to prepare by enrolling in QMII’s suite of course offerings tailored to various levels of the organization. Keep in mind that MDSAP audits are longer in duration as the audit time is based on tasks and not the number of employees.

Defining Measurable Objectives/ Metrics to Drive Continual Improvement

Measurable objectives are an essential input for all levels of the management and come from the top management (TM). These objectives guide personnel at the work level to help ensure the success of a management system. The need for a set of value-based metrics is met by looking carefully at the company policy (based on the strategic direction) and then drawing the measurable objectives from it.

My thought is for any organization giving more than the desired value is a challenge! Values in today’s business world are often related solely to the ROI (Return on Investment). Providing value to the customer is a goal. The question is at what cost? Due to budgetary concerns, no organization wants to do more than what is required. Availability of funds is input to the design of the final product and or service. Consequentially, the values that an organization sets for itself must be based on trying to meet the objectives and expectations of the customers, or the statutory bodies (if relevant) within the constraints of the resources. Where a statutory body is involved, it is the vital responsibility of that body to precisely define expectations and what metrics they will accept.

My opinion is that the statutory bodies such as the FAA, FDA, EPA, and USCG, would have concerns about continual improvement by the external service providers. It is therefore critical to conduct an analysis and conduct management reviews internally to achieve the intended purpose of Clause 10.3 of ISO 9001:2015. However, it all starts with defining, providing and monitoring these clear expectations. This means that the statutory body should provide guidelines for stated requirements, as the IMO does in the ISM Code, within Resolution A.1118(30) & MSC-MEPC.7/Cir8. In a similar manner, the USCG could provide clear guidelines for TPO (Third Party Organization) and for the towing companies for the Subchapter M.

Statutory bodies, understandably, may struggle with defining their policy in the initial stages and clearly converting it to a set of measurable objectives (Value based metrics) for external providers. The need for the Leadership (TM) is to spend time and resources well at the plan stage of the PDCA cycle (Plan-Do-Check-Act) by understanding the context of the organization (Clauses 4.1 and 4.2 of the ISO 9001) and appreciate the various risks (Clause 6.1 of ISO 9001) keeping the customer focus in mind. The Standard here provides useful clauses to make the decision. An objective audit of the internal procedures of the statutory body (Clause 9.2 of ISO 9001) would provide the inputs for the Management Review (Clause 9.3) and ensure a robust decision-making process. This then should be followed by regular audits of the organization to which the processes have been outsourced (meeting the requirements of Clause 8.4.1 and 8.4.2 of ISO 9001). The organization which provides the outsourced service or product needs the information in terms of clause 8.4.3 to perform to the total satisfaction of the statutory body. As such providing clear requirements is a vital role of the statutory body.

Once requirements are clear, then the organization providing a product or service will use these inputs to design their Policy (Clause 5.2 of ISO 9001) 5.2.1d. This policy would then ensure that the feedback loop will help to drive continuous improvement efforts of the QMS. This policy would then provide the framework for the “value-based metrics” which in Quality terms would be the measurable objectives in terms of clause 6.2. Both 6.2.1 and 6.2.2 would put the organization on the correct path to success. The statutory body would vigorously and regularly audit the correct implementation itself or by using an independent professional service provider.

In effect, what this means is that just being certified to e.g. ISO 9001:2015 is not enough for any organization. What is required is a functioning PBMS (process-based management system) based on the chosen standard and other criteria implemented by committed leadership and motivated manpower.

(The author Dr. IJ Arora, is the President and CEO of QMII)