Are Medical Audits Improving Systems Or Only Driving Fixes?
Is there a potential downside to medical audits wherein the audits are focused on finding and fixing problems? A recent discussion with a medical professional piqued my interest in the value of Medical Audits given that QMII, a subject matter expert in auditing, has ventured into the medical auditing field. This led to a conversation with a few additional healthcare professionals to understand a little more about medical audits, their findings and how organizations address them. My additional reading outlined a lack of effective systemic corrective action. In this article, I discuss some aspects of the medical audit process and what organizations can do to improve the process of audits and of implementing corrective action.
There are various types of medical audits including clinical audits, billing/coding audits, financial audits, operational audits and compliance audits. While there are regulations, protocols and standards against which these audits are conducted, in many cases, industry-best practices are also used as audit criteria. This brings subjectivity into the audit as ‘best practices’ knowledge may vary from auditor to auditor based on their experience. Auditing to an auditor’s experience has a major drawback not just in the medical industry but in all industries. It takes the auditors away from requirements which then results in biased inputs to the leadership that may be inaccurate. This also leaves the auditee (the organization being audited) on the receiving end of findings for which there are no certain requirements. That is, they may make changes to their system based on the finding of one auditor only to find that another auditor objects to the very actions they implemented based on the previous auditor.
Medical Audits and Recommendations
In medical audits, it is common practice for auditors to provide recommendations to address findings. These recommendations are based on experience and industry-best practices. In ISO audits this is not allowed. In most industries, including the healthcare industry, there is no obligation to act upon any of the recommendations of an auditor. However, if auditors are perceived to be in a position of authority, then there is an underlying implication that the audit recommendation must be implemented. This is for fear of the nonconformity occurring again only for someone to say, “the auditor told you what to do and no action was taken”. This then also implies that audits do not delve deeply enough to identify systemic weaknesses within the processes or the workflow.
In speaking with the medical professionals within my professional circle of friends, it was surprising to hear that in many cases the personnel being asked to address the audit findings are unaware of any root cause analysis methodologies nor have they been given any formal training in the subject. Further, they are not clear about what a CAPA is but do know that they need to provide some action to close out the finding. In such cases, is it then fair to expect effective corrective action? Perhaps, the lack of effective corrective actions perpetuated the need for auditor recommendations!
Without proper training, it is but natural for personnel responding to audit findings to default to the recommendations of the auditor and implement those actions prescribed by the auditor as the corrective action in and of itself. Sadly, in such cases the root cause of the issue goes unaddressed. Sometimes such causes may lie in inadequate resources, technology or even lack of guidance/policy from leaders. While the aim of the audits is to identify where the process may require additional controls, all for providing better healthcare for the patient, the outcome may only be a band-aid.
What can be done to change this?
While change may not come overnight, there are a few key steps that can be taken to improve the audit process overall right up until corrective action and meet the end goal of providing better healthcare.
Auditor training – Auditors must be trained to remain objective through the audit process, to focus on the requirements (criteria) of their audit, to focus on factual evidence and objectively assess it (yes, no experience!). Further they must understand the implications of providing recommendations and thus not provide any recommendations. The auditors are but to focus on assessing the effectiveness of the corrective action plan submitted and verifying the effectiveness of actions taken.
Root Cause Analysis Training – Healthcare organizations must invest in providing their personnel with training in the different root cause analysis methodologies and how to apply them to identify the root cause(s) of a problem.
Reinforcing that Recommendations need not be accepted/addressed – Organizations must be professional to build the courage to stand up to auditors and not accept recommendations. Auditors do not know all facets of the process from the short sample of the organization they witness. If their “advice” in the recommendations is wrong/ineffective, who then pays the price?
Auditor Selection – ISO 19011 provides guidance on the behaviors and skills that an auditor should exhibit, and these are applicable to an auditor selected to conduct any type of audit. Auditors must be evaluated periodically to ensure they are remaining objective through an audit and working to identify the effectiveness of controls and adequacy of resources in assessing if the overall objectives have been met.
–Julius DeSilva, Senior Vice-President
Can Boeing Deliver a Long-Term Solution to their 737 MAX Problems?
Dr. IJ Arora
Boeing is in the spotlight again with its 737 MAX planes, which have already had a deeply troubled history. Customer focus (which is clause 5.1.2 of ISO 9001 and AS9100) seems to have been lost somewhere.
I have read several recent articles on these incidents as well as Peter Robison’s book Flying Blind: The 737 MAX Tragedy and the Fall of Boeing, all of which point to a worsening situation for Boeing. The public perception of this great American company, which has always been committed to top-class engineering and trusted products, is changing from one of respect to one of caution. Travelers are wondering, “Should I fly in a 737 MAX?”
Boeing and the aerospace industry in general have high standards for quality and product safety. In this article, I examine whether a company’s quality management system can guarantee that nothing goes wrong for customers. Can it ensure perfection? If not, what are the alternatives, and why have one at all?
What happened and who is responsible?
For those not familiar with the 737 MAX incident: in January, shortly after an Alaska Airlines flight departed from Portland, Oregon, a cabin door panel blew off. As investigations are still ongoing, the causes have not yet been fully determined. Boeing also had a software issue on the 737 MAX, resulting in the crash of a Lion Air flight in 2018 and an Ethiopian Airlines flight in 2019.
Here in the United States, the Federal Aviation Administration (FAA) plays a critical role in providing regulations to ensure flight safety, and also provides oversight of aircraft manufacturers, airports, and maintenance providers. In the case of the Alaska Airlines flight, it seems that the FAA failed to uphold its trusted role. The FAA’s numerous checks and balances, most of which are intended to focus on customer safety, were like aligning holes in slices of Swiss cheese. It will be interesting to see what changes this incident brings about at the FAA. Then again, can regulatory oversight guarantee safety of flight?
The AS9100 standard, which is specific to the aerospace industry, isn’t the brainchild of a single entity, but rather a collaborative effort driven by two key players:
- The International Aerospace Quality Group (IAQG). This international organization brings together representatives from aviation, space, and defense companies across the Americas, Asia/Pacific, and Europe. They actively participate in developing, maintaining, and updating the AS9100 standard.
- Standardization organizations. These bodies, such as the Society of Automotive Engineers (SAE) in the Americas and the European Association of Aerospace Industries (now the AeroSpace and Defence Industries Association of Europe), officially publish and distribute the standard.
It is important to note that AS9100 builds upon the foundation of the more general ISO 9001 quality management system standard. While ISO 9001 lays the basic framework, the IAQG adds industry-specific requirements crucial for ensuring safety and quality in the aerospace domain.
In addition to the manufacturer and the FAA, the owner/lessor of the aircraft also plays a role in ensuring the plane is properly maintained. This includes selecting a competent maintenance provider, hiring competent engineers, and having robust processes in place. With so many different stakeholders, can blame be attributed to just one when accidents happen? Furthermore, should blame be the name of the game? Perhaps not! It is important to note that the system is implemented to support each user and that all stakeholders in the value chain play their part as well.
Audits, inspections, and management systems: Are these the solution?
Behind every tragedy, casualty, and mishap is a chain of related events. The immediate suspects when these types of critical failures occur are poor inspection protocols, perhaps even the dreaded “human error.” However, this may be the low-hanging fruit and a deeper dive may identify other causal factors, such as asking if the quality audit failed.
What is the difference between an audit and an inspection? Can they replace each other or are inspections alone enough? The simple answer is no! Both are needed due to fundamental differences in approach. Audits look at the processes to ensure the management system produces conforming products and services. An efficient management system must include the following, to name a few:
- It must be well-defined, starting with the “as-is” state of the system.
- Risks must be identified (clause 6.1) based on the context of the organization (clauses 4.1 and 4.2).
- A clear definition of the product must be identified.
- Effective audits and periodic review must be undertaken by management.
- Outsourced processes must be controlled.
Inspections play an important role by identifying defects prior to release, thus protecting not only the client/customer/user/warfighter, etc., but also the reputation of the organization itself. With that said, inspections don’t contribute to continual improvement because they focus on fixes as opposed to long-term solutions. In effect, they do not really add value since the organization has already incurred the cost of producing the defective part or product. The creators of the Toyota Production System (i.e., lean) came up with the Andon process to catch a defect as early in the process as possible so as to fix it before the problem went too far down the line.
Management systems are not just a collection of documents. To function properly, they require commitment at all levels of the organization, including top management providing the needed resources. It takes time to build a culture of quality in which shortcuts are avoided and there is no fear of speaking up. Customer focus must not be compromised. For example, release of conforming product should go through the process specifically called out by clause 8.6; any interference by top management to truncate this process would imply the loss of customer focus. Is this a possibility? Perhaps, but the investigation must reveal the truth. In the case of the Alaska Air incident, both the Boeing customers and Boeing as a company have suffered. It is my hope that investigators will identify all failed parts of the system from each responsible party. These may include not only failed inspections, but also suboptimal processes. This could end up taking us back to an inadequate quality management system.
Quality management systems: Can they deliver?
Given the above, can a properly designed and well-audited management system (supported by good inspection techniques to help ensure conforming product) guarantee that nothing goes wrong with an organization’s output? My opinion is that no one can guarantee this completely. However, risk can certainly be greatly reduced when everything is implemented well. This includes the training of personnel, which correlates strongly to competence; unfortunately, this is often the first budget to get cut when resources are scarce.
When high-visibility incidents like these occur, it may be forgotten that airplanes remain the statistically safest mode of travel on earth. This is primarily due to robust quality management systems, well-adopted regulatory frameworks, and regular oversight. Humans play an important role in the success of the management system, from the commitment at the top to the buy-in by the workforce (clause 5 to clauses 7.1.3, 7.1.4, and 10.3). Taken together, this helps create an environment where quality can flourish within the organization.
Boeing may be doing a lot correctly, and yet the results could be unacceptable depending on the performance of outsourced processes (clauses 8.4.1/8.4.2/8.4.3). After all, the fuselages for the 737 MAX are made by Spirit AeroSystems Holdings Inc. Spirit AeroSystems is located in Wichita, Kansas; once these fuselages are manufactured, they are shipped by rail to Boeing’s facility in Renton, Washington. Therefore, not only is a major component of the 737 MAX outsourced, but the shipping and preservation of product (clause 8.5.4) also could contribute to the product’s nonconformity. Overall, Boeing remains responsible for the entire supply chain (clause 4.3), with their obligation to “ensure conformity of its products and services and the enhancement of customer satisfaction.”
Even with a solid quality management system in place, this or similar failures can occur. There is no way to assure the public of 100-percent performing (i.e., perfect) output. The fear in the minds of air travelers is valid and will remain so until an exhaustive root cause analysis of this issue is performed and those root causes are resolved. The current events beg the question: Did Boeing improve their management system after the Ethiopian Airlines 737 MAX crash? If they had bent to the oars and gone deep into their review to uncover and permanently fix the holes in their management system, this event may never have occurred. Surface corrections, or what some organizations call “fix-it” solutions, only remove the symptoms. The root causes must be addressed and resolved (clause 10.2.1). There are no shortcuts to quality.
In conclusion
It has taken years for air travelers to feel safe and unconcerned about air safety. I travel a lot internationally, and often pick an airline based on their service and comfort, but now I (as well as the broader public, I would imagine) need to consider which aircraft will transport us. It is a new fear about product safety that has its genesis in Boeing not operating its management system efficiently and losing customer focus. The worst is the erosion of public confidence in federal oversight and its intent to keep the customer safe.
I have spent my life studying similar complex problems and leading teams in helping organizations find long-term sustainable solutions. This requires bold and dynamic leadership (clauses 5.3 and 5.1) for leaders to plan and implement change. Appreciating and accepting risks (i.e., keeping the customer in focus) and moving forward is integral to true leadership. Ethics is still not a clause of ISO 9001 and AS9100, but ethical leadership is about doing the correct thing for all stakeholders.
In seminars at which I present, I often ask senior managers: “If you have a choice between following the procedure and/or doing the correct thing, what would you do as a leader?” The answer—I hope—is to do the correct thing at all times. But then, hope is not a plan. Air safety cannot be based on hope and faith. Boeing needs the leadership to redesign their system if they are to bring the public trust back for this great American company.
Link to the feature article in the Exemplar International e-newsletter, “The Auditor”
Controlling Sub-Sea Infrastructure
The recent implosion of the Titan, a sub-sea submersible used for taking elite, high-paying tourists to see the wreck of the Titanic, brought the safety protocols of both vessels into focus. There were no statutory requirements for regulating the Titan and neither were there any when the Titanic sank in 1912! As a reactive measure, the maritime community came up with the Safety of Life at Sea (SOLAS) Convention soon after the sinking of the Titanic. Ironically, after the Titan submersible imploded, we have come to realize there are no requirements covering this vessel. Perhaps with time, the involved countries will react.
The question is, why was nothing done proactively? Tourists go up in hot air balloons all the time. Is there any statutory requirement that these tourist companies must meet? Is there even a requirement to have a management system in place so that these companies work systematically, appreciate the risks in the context of the organization, and plan their operations keeping risks in mind? It is true that entrepreneurs do not like regulations and consider requirements a hindrance in a free business environment. And yet the Titanic, which was declared to be “unsinkable,” did, in fact, sink! In the United States, the domestic towing vessel industry functioned without statutory requirements until recently. The industry avoided regulation, but tragedies occurred, and now the industry is regulated under the U.S. regulatory framework. A process-based management system is the best systematic structure to produce conforming products and services, ensure continual improvement, and implement the statutory requirements if available.
The intent of this article is to proactively start a discussion on the need for regulating sub-sea infrastructure to reduce its effect on the marine transportation system. The phrase “sub-sea infrastructure” refers to equipment and technology placed on or anchored to the ocean floor. This infrastructure may include, but is not limited to, cables for telecommunication, cables for power transmission, pipelines for transmission of fluids, and other stationary equipment for scientific research.
The growth of sub-sea infrastructure is a global phenomenon. As an example, it is in the interest of all nations, and particularly here in the United States, to promote wind farms, which are a source of renewable energy. When these wind farms are placed in selected geographical locations along the continental shelf, they need sub-sea cables. But are there any laws controlling the systematic development of the industry to enable an effective marine transportation system and its protection of maritime community interests and environmental interests? Is there a central agency responsible for this coordination to allow for a balanced approach to risks? The amount of cabling piling up needs management and oversight.
Sub-sea infrastructure, the definition of the problem
Numerous industries have a stake in sub-sea infrastructure. Examples include oil and gas, telecommunications, fishing, scientific research, and perhaps military/defense applications such as sonar and other arrays and obstacles. This infrastructure is a requirement, but it also faces various challenges including those that can lead to accidents, environmental damage, and possible breaches in national security. All these bring out very significant concerns related to sub-sea infrastructure and the lack of comprehensive and globally accepted standards, requirements, obligations, and assurance mechanisms. It is not that organizations such as the United States Coast Guard, the National Oceanic and Atmospheric Administration, the Bureau of Safety and Environmental Enforcement, the U.S. Army Corps of Engineers, the Environmental Protection Agency, and other federal and state agencies do not look at these issues.
Nevertheless, it remains a concern that there is no single agency or overarching requirement to provide a framework to the industry on harmonized implementation of requirements. This lack of harmonization can mean inconsistencies in design, installation, and maintenance practices which may not address risks uniformly. This can generate consequential risks, leading to increased accidents, mechanical failures, and costs to the industry and the nation.
Recent tragedies and accidents
Recent tragedies and accidents involving sub-sea infrastructure have been limited, and yet must not lead to complacency by the agencies involved. The few that have occurred indicate the challenges and trends pointing to the need for proactive requirements. The recent tragedies include:
- Deepwater Horizon. The potential consequences and challenges inherent in deep-water oil drilling were brought out by the Deepwater Horizon tragedy in 2010. The oil rig explosion in the Gulf of Mexico caused a massive oil spill and resulted in the loss of 11 lives. Although not technically a sub-sea incident, it highlighted a series of failures in design, maintenance, and company oversight—all factors pointing to the importance of robust safety standards and requirements, and the implementation thereof. The Deepwater Horizon incident was not directly related to sub-sea infrastructure; however, it heightened the risks associated with offshore oil and gas production and the potential for catastrophic environmental damage.
- Nord Stream 1 and Nord Stream 2. Occurring in September 2022, the damage to these gas pipelines in the Baltic Sea highlighted concerns around sub-sea infrastructure. These pipelines transport natural gas from Russia to Europe; in this incident, they sustained multiple leaks. The exact cause of the damage is unclear, though deliberate sabotage was suspected and is still under investigation. Regardless of the ultimate findings, this incident exposed the vulnerabilities of sub-sea infrastructure to sabotage, and the potential for significant environmental and economic consequences is real. Intentional attacks on the sub-sea infrastructure have the potential for widespread disruption of energy supplies. Apart from the Nord Stream, there have been other sub-sea incidents affecting the gas and oil industry. In 2021 a fire broke out on a sub-sea production control umbilical off the coast of Brazil, causing significant damage to the underwater equipment and resulting in a major oil spill.
- English Channel Internet Disruption. In 2021, a ship dragging its anchor on the seabed in the English Channel cut the three main internet cables to the Channel Islands. Although this only resulted in slower broadband speeds in this instance, there remains the possibility that it could have resulted in a complete outage.
Looking ahead
These incidents represent leading indicators of a tragedy in the making should proactive action not be taken. The critical importance of safety for sub-sea infrastructure underscores the need for a more comprehensive and rigorous approach to standards and assurance. Industry stakeholders together with regulatory bodies within the United States and global organizations such as the International Maritime Organization must work together to establish a harmonized set of safety standards, implement robust assurance mechanisms, and foster a culture of safety throughout the sub-sea industry.
The increasing reliance on sub-sea infrastructure for various industries (including wind farms) necessitates a proactive approach to safety and risk management. There is definitely a need to invest in research and development to enhance the resilience and monitoring capability of sub-sea infrastructure. The various companies in the sub-sea industry are holding their proprietary information close to the vest. This is understandable. However, these organizations are in competition with totalitarian governments, in which control of business practices is the exclusive dominion of the state. It is necessary to enhance transparency and information-sharing among industry stakeholders to facilitate better risk assessment and incident prevention.
Conclusion
Promoting a culture of safety that prioritizes risk identification, risk mitigation, and continual improvement is essential. There is no common ISO standard for sub-sea management systems. Of course, ISO 9001 is interpretable and can be used as the basis for now. Environmental protection is a challenge for a developing industry, and as such, even greater urgency is needed for statutory requirements encompassing all aspects of stakeholder interests, the marine industry in general, and the protection of the environment for generations to come.
Marine transportation remains the most important way for goods to be shipped across the world, as approximately 80 percent of the world’s goods are transported by ships. Vessels need a place to anchor in normal operating conditions as well as in emergencies. A crowded seabed in harbors makes this a challenge for the entire maritime industry.
Without adequate and effective regulatory oversight, it may be too late to take action once cables and other sub-sea equipment have already been laid. Further, multiple agencies regulating the same aspects of the industry can potentially lead to bureaucratic delays. There is therefore an urgent need to create a single statutory body to regulate the sub-sea infrastructure industry, which will greatly benefit all parties invested in the maritime transportation system.