A Case Study Demonstrates

The Value of ISO 9000 Derivatives

Case study shows different needs exist when safety is at stake
by Dale K. Gordon
Those of us who are in the standards writing business need to keep reminding ourselves why we put
those supposedly noble words on paper to begin with.
I recently had the opportunity to review the operations of a supplier in the aerospace business
that I will call "Bigalow, Irwin & Gutman Parts Inc.," or BIG Parts for short.
The occasion for my visit to BIG Parts resulted from an escalation of customer complaints about
some quality problems that were discovered during a review of its quality processes. A customer
had performed a routine product acceptance audit during the parts delivery process and uncovered
some disturbing items.
It seems BIG Parts has an excellent reputation in the design, development and fabrication of some
pretty sophisticated hardware used in the flight systems of military aircraft. Its products perform
very well and are recognized as being on the cutting edge of technology.
BIG Parts recently finished development of some very technically difficult products that will go
into the next generation of aircraft for the U.S. military and will also be used by the air forces of
our allies.
The United States Department of Defense (DoD) decided some time back to adopt commercial
practices whenever it was feasible to reduce procurement costs and prevent overspecification of
weapons systems and other DoD purchases. This decision was widely viewed as a correct course of
action and heartily endorsed by the defense industrial base.
This means, of course, that auditors and other quality professionals must take the generic words
of the ISO 9000 standards and their derivatives and make sure that we apply them with the
degree of rigor and knowledge fitting the products and components to be produced.
Well, our friends at BIG Parts seemed to believe that the ISO 9001 requirements were a "no
brainer" and went about their business of designing and manufacturing sophisticated hardware upon
which the lives of men and women in the armed forces would depend. They had all the necessary
requirements for the 20 elements of ISO 9001 well-documented. They performed internal audits,
and BIG Parts' senior management even got together occasionally to perform a management review
of the operations.

Here is a blow-by-blow account of what was uncovered during a quality system review of BIG Parts.
Management responsibility
All the right words were in the procedures, and the company does have a quality policy practically
tattooed on each employee. The quality manager hung charts on the wall with care.
But the quality personnel worked for the functional organizations, and no one was clearly
responsible for solving quality problems involving either the systems or the products. A certified
operator program was in effect, but there was no way for the operators to initiate corrective
action or have the organizational freedom to prevent nonconformities.
This resulted in processes that were not capable and in repeated nonconformances. No actions
were taken to correct the problems; instead, there were continual material review board actions.
Quality system
Procedures were written around ISO 9001 requirements, but personnel did not know what the
procedures said and were never trained on how the procedures should be applied.
Manufacturing engineers, who were never trained on such things as gage accuracy, gage
repeatability and reproducibility, or inspection methods, were used to perform the quality planning.
This resulted in operators using gages that were not suited for the required accuracy or, in many
cases, using unproven (although calibrated) gages for the features being inspected.
Contract review
Contract review was handled by the program management part of the organization. When the
program transitioned from the development phase to production, there was no review of the
production contract by the quality or production organizations.
Consequently, BIG Parts missed all the customer flowdown supplier control issues and production
inspection requirements such as sampling plans and gage verifications prior to production. In several
cases state-of-the-art inspection methods were being used, but the risks associated with their use
were not evaluated with respect to product acceptance.
Design control
The customer supplied computer models regarding what the design parameters should be. These
models were translated into numerical control (NC) and coordinate measuring machine (CMM)
programs.
When it came time to verify whether the parts and details met the engineering requirements,
there was no definitive agreement between the customer and BIG Parts on how the items should be

measured. (In other words, there were no complete drawing definitions or complete dimensions to
use to verify if the parts met the design intent.)
Document and data control
While there was adequate document and data control, the procedures were all maintained online,
and only certain personnel had access to the computers.
Most personnel were not trained or even knowledgeable about how to access the procedures or
locate the ones applicable to their jobs. This resulted in most tasks being performed by using the
"tribal legend" method--or worse, by using any method that made sense at the time.
Purchasing
While the selection and approval of suppliers were adequate, customer specifications and essential
technical information were not required to be flowed down to subtier suppliers, and the subtier
suppliers were not controlled in any fashion.
Also there was no system to indicate what happened when supplier performance began to fall and
at what frequency the reviews should be performed before there was a need to obtain corrective
action or replace the supplier. This resulted in suppliers that missed technical requirements and
receipt of a large amount of noncompliant product.
Customer supplied product
The customer had directed the use of certain raw material suppliers by BIG Parts because these
suppliers were known to have proper controls in the critical manufacturing processes.
This led BIG Parts to believe that no oversight of these suppliers was necessary. While test
reports from these suppliers showed that the material was within specification, BIG Parts
performed no independent verification or evaluation of the material. This resulted in failed product
and arguments with the customer over responsibility.
Product identification and traceability
While there were procedures and processes in place to trace critical parts and assure proper
identification, individual items were not traceable to specific processes or inspections. This
precluded assurance that the product met all of its requirements. Likewise, the product could not
be traced to processes that were later determined to be noncompliant.
Process control
BIG Parts had an effective process documentation system, including shop travelers, appropriate
operator sign-off and inspection verifications. However, when changes were made to the process or
workarounds were required, there was no control of these alternative methods or verification that

the process changes achieved the same level of quality that the original process possessed. Also NC
machines and CMM programs were not controlled or proven to meet design intent.
Inspection and testing
Inspection plans were in place, and proper inspection points were available. However, sampling
inspection was only utilized upon initiation of part manufacture. There was no evidence that the
process was capable or that critical characteristics were adequately controlled before statistical
sampling began.
Control of inspection, measuring and test equipment
While a robust calibration and recall system was in place, there was no verification of the
measurement software used in some of the advanced measurement equipment.
Inspection and test status
BIG Parts' employees were all assigned stamps, and there was effective stamp control. However,
there was no evidence that the stamps were used to preclude product that had not been stamped
appropriately.
Control of nonconforming product
While nonconforming product discovered internally was segregated and reviewed, there was no
control over suspect product returned from the customer. There was also no mechanism for
reporting to the customer those nonconformances that might have already left the quality system.
Corrective action
BIG Parts prided itself on the thoroughness of the corrective action process it employed. One
small problem was that this same process was not carried through the supply chain to assure
supplier corrective and preventive action.
Handling, storage and delivery
The procedures for handling the parts and shipping them were adequate, but there were no
controls to assure that the parts were properly cleaned, that foreign objects were removed to
prevent blocked oil passages, or that the documentation that accompanied the shipment was not
lost or destroyed.
Control of quality records
No problems were found in this area.
Internal quality audits

The BIG Parts internal audit process was to list all of its procedures and have managers audit the
areas not under their control.
While corrective actions were sometimes written, the audit process contributed little to the
overall improvement of the quality system. Such items as customer complaints, scrap rates and
nonconformance trends were not used to determine where audits should be directed. Checksheets
against requirements, formal audits and protocols were not used.
There were comprehensive records of training requirements for all employees in the facility, but
nowhere did BIG Parts require or document the training of employees on the quality management
system (QMS) procedures or changes to existing procedures.
Servicing
BIG Parts created service manuals and instructions for support of its products, but there was no
mechanism for collecting and analyzing product usage data to put back into the design requirements
or to correct product problems in service.
Statistical techniques
Sampling plans employed were based on Mil-Std-105D, and BIG Parts used a sampling number in
which known defectives could exist in a manufacturing lot. The sampling plan was valid, but it did not
use a zero acceptance number, thereby allowing for the possibility that defectives could exist in
the lot.
ISO 9001 is not always enough
BIG Parts has an ISO 9001 certification from an accredited certification body, but it can be
argued that the deficiencies noted above are not directly covered in the standard. But the
deficiencies are implied. How should a company determine exactly what quality requirements are
needed?
I think we all recognize that the design, application and implementation of the QMS should fit the
product and processes used by the individual company. But the fact that the ISO 9001 criteria are
considered the minimum requirements for a QMS means that in instances where the product or
service is critical, more definition is required.
AS9100, the ISO 9000 derivative for aerospace, begins to articulate those requirements in an
industry where people's lives are at stake.1 Even the interpretation of standards such as AS9100,
QS-9000, TL 9000 or others needs to be carefully considered in light of the product, process and
services being provided.

The more we try to make requirements generic, the more we need to make sure that the
interpretations of the requirements fit the application.
REFERENCE
1.

AS9100 Quality Systems--Aerospace--Model for Quality Assurance in Design, Development,

Production, Installation and Servicing (Warren-dale, PA: Society of Automotive Engineers
Inc., 1999)

ISO 14001 And Regulatory Compliance

Three major requirements must be addressed

by Marilyn R. Block

Many companies with environmental management systems (EMS) also have registered quality
management systems (QMS). Frequently, the quality system representative is designated as the
EMS representative because he or she is knowledgeable about systems.

This dual role is almost always true when the QMS and EMS have been integrated; and it is more
typical than not even when the two systems are established as separate, parallel efforts.

Quality assurance managers attempting to understand the requirements of ISO 14001 often are
confused about the references to regulatory compliance. Limited or no previous exposure to
environmental regulatory requirements leads to questions concerning the role ISO 14001 plays in
assuring regulatory compliance.

Three related requirements

ISO 14001 imposes three related requirements:

1. An organization must identify all of its environmental legal obligations and be familiar with all
applicable environmental laws and regulations. Additionally, the organization must have some
mechanism for ensuring that new legal obligations are identified in a timely fashion.

2. The environmental policy must contain a commitment to understand and comply with all applicable
environmental laws and regulations. Words on paper aren't sufficient; an organization must make
every effort to fulfill its commitment to do what it says it is going to do.

3. Compliance with identified legal requirements must be evaluated on some self-defined periodic
basis. Whether an organization engages in a comprehensive compliance audit or employs a variety of
monitoring activities, it must know whether all identified legal requirements are being met. In the
event a regulatory noncompliance is identified, the organization must take action to correct the
noncompliance and prevent it from recurring.

These requirements do not impose specific performance standards on organizations. The

international scope of ISO 14001, coupled with differing national laws and enforcement policies,
makes it impossible to establish acceptable parameters for air emissions, water discharges and
other similar environmental impacts. Instead, individual organizations must approach these
requirements within the context imposed by national, state or provincial, and local laws.

U.S. regulatory agencies and registrars have somewhat different expectations about the ways in
which a company addresses these three requirements.

The regulatory view

Not surprisingly, many in the regulatory community and nongovernmental environmental
organizations question whether ISO 14001 contains sufficient emphasis on regulatory compliance.
In order to determine whether ISO 14001 registration results in improved regulatory compliance,
several efforts were launched shortly after publication of the standard in September 1996.

The most visible of these efforts is the Multi-State Working Group (MSWG), an organization of
state environmental agencies formed in 1996 in response to growing state interest in ISO 14001
and the potential for environmental enforcement flexibility and other state initiatives.

By 1998, the MSWG had evolved from an informal working meeting to a formal networking
organization with elected officers. One of the group's objectives is to enhance ISO 14001
regarding the relationship of the EMS to regulatory compliance and performance regarding all
significant environmental aspects.

There does not appear to be a clear consensus among MSWG members as to the value of ISO
14001. In a 1998 interview, Robert Stephens, MSWG chair, stated that MSWG "is firmly
committed to the voluntary nature of the ISO 14001 standard and that this voluntary nature is not
in conflict with the public policy goals [the MSWG] is pursuing."1 That same month, a MSWG
member suggested that the language in ISO 14001 is so loose that it undermines the credibility of
the standard.2

To assist in resolving questions related to implementation of ISO 14001 and regulatory compliance,
the MSWG launched a research project that same year. Information on the effect that an EMS has
on regulatory compliance was to be collected from pilot projects in a number of states and
organized into a database.

At the end of 2000, researchers concluded that the national database could not provide any
insight into whether companies with an EMS have higher levels of regulatory compliance. It should
be noted that this project is ongoing and may provide such information at some future date.

The registrars' perspective

Even though MSWG thinks the jury is still out, ISO 14001 registrars believe they have attained a
verdict. Based on data collected during registration audits, many ISO 14001 EMS lead auditors are
convinced that an EMS does, in fact, improve regulatory compliance.

In their efforts to address the requirement to identify legal requirements, many organizations
learn about regulations with which they were previously unfamiliar and with which they should have
been complying. This increased level of awareness causes such organizations to become compliant in
areas previously ignored.

Moreover, periodic evaluation of compliance creates an operating climate in which responding to

regulatory lapses is considered standard operating practice.

MSWG has suggested that registrars do not pay sufficient attention to the regulatory compliance
status of the companies they ultimately register. This view is supported by examples in which
registration is approved and the organization is later found to be out of compliance with a particular
regulatory requirement. At its spring 2000 quarterly meeting, MSWG authorized a review of U.S.
third-party registrars.

It is important to understand that ISO 14001 registrars evaluate the environmental management
system. These registrars do not seek to determine whether an organization is out of compliance
with legal requirements; rather, they attempt to verify whether the organization has determined
its compliance status.

According to Greg Hansa, vice president-technical development, SGS International Certification

Services Inc., an accredited ISO 14001 registrar, SGS "first assesses the ability of the EMS to
adequately identify appropriate environmental legislation and regulations. Once the EMS has been
determined to be effective in identifying regulatory requirements, the system's monitoring and
evaluation of compliance is audited. The ability of the EMS to implement corrective and preventive
action also is audited."

What happens if an audit team finds evidence of a regulatory noncompliance? The existence of a
noncompliance, in and of itself, should not suggest that the EMS is deficient. If an SGS audit
discovers a regulatory noncompliance, it would determine whether the organization had identified
the same noncompliance.

"If it has been identified," states Hansa, "we would assess the implementation of corrective and
preventive action. If the noncompliance has been adequately addressed, the EMS is in conformance
with the applicable elements of ISO 14001."

What if the EMS fails to identify a regulatory noncompliance or, subsequent to identification, fails
to respond appropriately? In the first case, SGS would write a nonconformance against clause 4.3.2,
which requires identification of legal requirements. In the latter case, the nonconformance would

be linked to clause 4.2, which requires inclusion in the environmental policy of a commitment to
compliance.

When asked to distinguish between systemic failure and isolated problems, Hansa offered the
following: "If the EMS fails to identify or respond appropriately to an isolated noncompliance, the
system nonconformance probably would be considered 'minor.' However, if the EMS consistently
fails to identify or adequately address regulatory noncompliances, a total breakdown of the
appropriate element of the management system would be cited and would likely be categorized as a
'major' nonconformance."

How often are such nonconformances written? "Seldom," says Hansa. "We find that our client
organizations are indeed committed to protecting the environment and regulatory compliance. The
structure and voluntary nature of their ISO 14001 programs allow them to proactively become
familiar with their legal obligations and address any issues without much of the fear and pain
historically associated with these issues."

Conclusion
During the drafting of ISO 14001 from 1993 to 1996, reference to regulatory compliance was the
focus of much debate among members of the U.S. technical advisory group (TAG) charged with
establishing the official U.S. position on the environmental management system standard.

The ISO mandated five-year review process has provided an opportunity to again consider whether
ISO 14001 adequately addresses this issue. However, the decision by ISO Technical Committee
207 not to include any new requirements in the ISO 14001 revision, scheduled for publication in late
2001, rendered this debate moot.
It is fair to state that the TAG remains somewhat split on whether ISO 14001 requires additional
language on this point. Those TAG members representing federal and state regulatory agencies and
nongovernmental environmental organizations tend to favor more stringent language and, therefore,
more prescriptive requirements about regulatory compliance by those who seek ISO 14001
registration. TAG participants from various industry sectors tend to support current language
pertaining to regulatory compliance and resist more stringent requirements.
Additional language would appear to be superfluous. Any organization in the United States is
obligated to identify, understand and comply with applicable environmental laws and regulations. The

decision to implement ISO 14001 does not change that obligation; in fact, it tends to improve an
organization's environmental performance.

The Challenges TL 9000 Requirements

New interpretations, lack of objective evidence can cause difficulties

by Sandford Liebesman

TL 9000, the telecommunications quality management system standard, presents several auditing
challenges. A derivative of ISO 9000, TL 9000 is defined in two handbooks: a requirements
handbook called Book 11 and a metrics handbook called Book 2.2

Book 1 contains ISO 9001 plus TL 9000's 83 added requirements (called adders). Book 2 contains
11 families of measurements (metrics).

TL 9000 presents auditing challenges because many of the added requirements demand
interpretations that are new to ISO 9000 auditors, and the auditing of metrics is a completely new
experience for them. In addition, it is difficult to find objective evidence for some of the
requirements.

Key supplements to ISO 9001:1994

The Quality Excellence for Suppliers of Telecommunications (QuEST) Forum, which manages TL
9000, expanded on the current ISO 90013 requirements by taking the following steps:
Placing more emphasis on top management responsibilities.
Increasing the focus on proper/robust planning, including quality planning, project planning,
configuration management planning, product planning, life cycle planning and test planning.
Adding requirements for customer-supplier communication.

Adding requirements emphasizing quality improvement and customer satisfaction.

Adding requirements covering specialized servicing functions.
Adding requirements related to metrics, including defining targets, tracking data, reporting data
to a central database and using data to foster continual quality improvement.
Using the word "should" to indicate the preferred approach. Suppliers choosing other approaches
must be able to demonstrate that their approach meets the intent of TL 9000. These adders are
referred to as "should adders."

Auditing challenges
The major challenges faced by auditors have to do with the items identified as key supplements to
ISO 9001:1994.

For the first supplement, more emphasis on top management responsibilities, adder 4.21.1.C.3
requires more management visibility in communicating supplier performance feedback to the
company work force. This requirement has caused management to be concerned with revealing
proprietary information and airing dirty laundry to associates. In some organizations, leaders
communicate through monthly or quarterly meetings and newsletters summarizing customer
satisfaction data, thus providing some objective evidence.

Another adder in this category, management commitment (4.21.2.C.1), requires executive

involvement in establishing and maintaining customer relations. This adder may be difficult to audit
because executives often do not document their customer interactions.

For the second key supplement, an increased focus on proper/robust planning, six adders require
prescriptive planning processes:

1. Project planning (4.4.2.C.1).

2. Test planning (4.4.2.C.2).

3. End of life planning (4.4.2.C.3).

4. Migration planning (4.4.2.S.4).

5. Integration planning (4.4.2.S.3).

6. Long- and short-term planning (4.2.3.C.2).

A seventh adder, 4.2.2.C.1, requires a life cycle model that covers the development, operation,
maintenance and disposal of the supplier's products. These seven adders are difficult to audit
because they are should adders, which allow the organization to deviate from the requirements as
long as the intent is met.

The third key supplement is a requirement for customer-supplier communication in adder

4.21.2.C.2, which notes that a supplier with a large number of customers does not have to use the
same level of communication with every customer.

This adder links to two other elements: 4.2.3.C.1 (customer involvement) and 4.2.3.C.3
(subcontractor input). Experience shows that it is difficult to find objective evidence that
demonstrates compliance. Examples of evidence are meetings of suppliers with customers, including
the contents of discussions, stated product quality goals and objectives, supporting documentation
from key subcontractor meetings and follow-up action items from these meetings.

The fourth key supplement is the emphasis on quality improvement and customer satisfaction in
adder element 4.21. The standard links quality improvement to setting objectives for metrics in
4.1.1.C.1, quality objectives.

Since the metrics measure parameters that directly affect products and services, meeting the
objectives should improve customer satisfaction. However, some objectives are based on field
performance data (4.21.3.H.1), which may be difficult to gather because many customers use third-

party repair houses. Data relating to findings of no trouble are often not recorded, and finally,
collecting and analyzing customer satisfaction data (4.21.3.C.1) may be difficult.

The fifth key supplement is the set of added customer servicing requirements included in element
4.19. Many of these adders are linked to other elements, making them difficult to audit:
Element 4.19.C.2 (service resources) is linked to 4.18 (training).
Element 4.19.C.3 (notification about problems), 4.19.C.4 (problem severity), 4.19.C.5 (problem
escalation) and 4.19.H.1 (supplier's recall process) all link to 4.14.2 (corrective action).
Element 4.19.HS.2 (problem resolution configuration management) links to 4.8 (problem
identification and traceability).

The final key supplement focuses on metrics and their related requirements. Auditors may have
issues with metrics objectives (4.1.1.C.1) because it is difficult to set objectives for some metrics,
such as the number of problem reports. Others such as fix response time and on-time delivery are
easier.

It is also difficult to audit the 11 metrics being reported to the University of Texas at Dallas, the
repository for TL 9000 measurement data, because metrics are a new concept to most auditors.

Approved metrics
Eleven metrics in four categories were approved by the QuEST Forum as follows:4
Those common to hardware, software and services including the number of problem reports,
problem report fix response time, overdue fix responsiveness, system outage measurement and ontime delivery.
Return rates, which are related only to hardware.
Corrective patch quality, feature patch quality, software update quality and release application
aborts, which are related only to software.
Service quality for categories such as installation, maintenance, repair, and call center or support
services.

Using metrics to improve quality

TL 9000 is unique in its use of metrics to determine the quality level of products and services and
to encourage continual quality improvement.

This extension of ISO 9000 into metrics is expected to result in an industry drive to improve
overall quality. Certainly, when suppliers know where their products stand relative to the
competition and customers know the quality level of best in industry, there will be a drive by all
suppliers to improve.

Auditors will need to establish that the metrics being used are those that are required for the
products covered by the scope of the quality management system. They will need to assure that the
data collection methods satisfy Book 2 requirements, establish the reasonableness of the data, look
for records of submittal as objective evidence and look for evidence that the metrics were used in
quality improvement.

One final note: Because the new TL 9000 requirements are much more detailed than those of ISO
9001, auditing the telecommunication standard takes much more time than auditors usually
estimate.

ACKNOWLEDGMENTS

The following auditors assisted with this article by providing information on their TL 9000
experiences: Mike Harder of LRQA, Desmond O'Loughlin of NSAI and Pete Ortolani of Telcordia.

REFERENCES

1. TL 9000 Quality System Requirements, Book 1, Release 2.5 (Milwaukee: ASQ Quality Press,
1999).
2. TL 9000 Quality System Metrics, Book 2, Release 2.5 (Milwaukee: ASQ Quality Press, 1999).

3. Quality Systems--Model for Quality Assurance in Design/Development, Production, Installation

and Servicing, ISO 9001:1994, second edition (Geneva, Switzerland: International Organization for
Standardization, 1994).
4. TL 9000 Quality System Requirements (see reference 1).

ISO 9001 and Regulatory Compliance In the Medical Device Industry

Lack of attention to quality systems can result in hefty fines, indirect costs

by Joe Tsiakals

Hundreds of millions of dollars in fines and actions have recently been levied against two U.S.
medical device manufacturers. The faults included the failure of top management to establish
appropriate quality systems to help ensure that products were safe and operations could
consistently meet applicable requirements and specifications.

These examples of ongoing enforcement actions by the U.S. Food and Drug Administration do not
indicate new or surprising initiatives for those of us familiar with the FDA.

In one example involving Abbott Laboratories, defective product was not identified. Instead,
Abbott's practices for corrective and preventive action (CAPA) and for process validation were
called into question, and other quality system deficiencies were cited--to the tune of over $300
million in losses to the bottom line.

In a consent degree of permanent injunction the U.S. District Court for the Northern District of
Illinois issued against Abbott on November 2, 1999, Abbott agreed to pay $100 million in fines while
admitting no guilt.1

The decree provided the FDA invasive supervisory rights, with FDA expenses to be paid by Abbott,
for a minimum of five years. The action also required Abbott to incur, conservatively estimated, an
additional $200 million in costs associated with product recalls and corrective actions, excluding
the long-term impact of lost sales and product withdrawals.

On December 15, 2000, the U.S. Attorney for the Northern District of California, the U.S.
Department of Justice and the FDA announced that Lifescan, a California subsidiary of Johnson &
Johnson (J&J), pleaded guilty in federal court to criminal charges and was ordered to pay criminal
and civil fines totaling $60 million.2

The criminal charges stemmed from defects in a blood glucose monitoring device, the SureStep
system, which the company knew about but failed to disclose to customers, patients and the FDA.
Among the remedies agreed to, Lifescan will operate under the supervision of the U.S Probation
Office for three years. During the criminal investigation, J&J recalled the SureStep system from
the market at a cost of $40 million.

Recently, J&J also recalled about 850,000 units of a new generation of glucose monitors for
erroneous displays. According to newspaper reports, Lifescan's senior management has been
replaced and J&J may face a number of liability suits. The total cost to J&J may well be in excess
of $200 million.

The importance of ISO 9000

The entire scope of ISO 9001:2000 covers the necessity for top management to set up and see
that quality management systems are followed to ensure safe product and compliance with
requirements and specifications. The standard reads:

This International Standard specifies requirements for a quality management system where an
organization

a) needs to demonstrate its ability to consistently provide product that meets customer and
applicable regulatory requirements, and

b) aims to enhance customer satisfaction through the effective application of the system, including
processes for continual improvement of the system and the assurance of conformity to customer
and applicable regulatory requirements.3

The FDA regulatory requirements for medical device quality systems are found in the Quality
System Regulation, also known as the QSR.4 The QSR was the first revision of the FDA's medical
devices original good manufacturing practice (GMP) regulation issued in December 1978.

The revision achieved the the primary purpose of incorporating many of the new quality system
concepts of ISO 9001:1994 into the GMPs. Even though design control was the recognized major
addition, new requirements in the QSR included those for management review and CAPA.

Japan's approach to regulating the design and manufacturing of medical devices is similar to that
of the FDA. ISO 9000 requirements are embedded within their country's regulations.

Contrasting with this are the regulatory requirements for designers and manufacturers of medical
devices for the European market. They must follow the medical device directive issued by the
European Commission. It directly references the use of ISO 9001:1994 and ISO 9002:1994 as do
the corresponding regulations for Canada and Australia. Most of the rest of the world uses either
the FDA approach or the European approach.

The influence of the sector

All firms that design, manufacture, process, pack, label and ship medical devices are required to
comply with governmental regulations based either directly or indirectly on the ISO 9000 series. It
should not surprise anyone that the medical device sector, although small, is extremely interested
in the development and the progression of refining requirements for ISO 9000.

It's also not surprising that this sector is the only one with its own International Organization for
Standardization, known as ISO, technical committee on quality management, ISO/TC 210. This
committee is focused primarily, but not exclusively, on the ISO 9000 series developed by another
ISO technical committee, ISO/TC 176.

Nor is it surprising that ISO/TC 210 had a disproportionate level of influence in the development
of ISO 9001:2000 by ISO/TC 176. ISO/TC members participating in ISO/TC 176 task groups
developing the ISO 9000:2000 series included representatives from the United States, United
Kingdom, Japan, Switzerland, the Netherlands, Denmark and Canada,

Officially, three liaison members represented ISO/TC 210, each working on one of the three
writing teams for ISO 9001. Included among these three were the chairman of ISO/TC 210 and
the convenor (working group chairman) of the ISO/TC 210 quality systems working group. In
addition, a key member of the ISO/TC 176 subcommittee for definitions has been a member of
ISO/TC 210. Four other long-term, influential members of ISO/TC 176 are from the medical
device sector.

Aiding regulated industries

The needs of regulated industries were among the major considerations identified in the planning
phase for the new revision, ISO 9001:2000. There are seven references to regulatory requirements
in the new standard. Regulatory considerations are identified under the ISO 9001:2000 clauses for
scope and management commitment and are included as requirements for the design and
development inputs of products and processes.

The traditional approach used by companies for achieving regulatory compliance focuses on
individual requirements and their corresponding procedures.

This often results in the establishment of extensive bureaucracies of paper and those managing
the paper. Everything has to be described in documented procedures, and all work has to be
recorded. This tends to be neither effective nor efficient in assuring that requirements are met.
Simply focusing on requirements and compliance to these requirements results in an ever increasing
array of more requirements and paper.

The trouble with complex document bureaucracies has been lack of clarity for top management as
to the key issues affecting quality. What is the actual performance of the product? Of the
process? How do we correct the problems we have now? How do we anticipate potential problems
and take action to avoid them?

Process approach and continual improvement

Integrated throughout ISO 9001:2000 are quality system elements that lead to minimizing
complexity and achieving an effective quality system. Two concepts intertwined throughout the
standard are the process approach and continual improvement.

New is the fact that the standard is structured now around four main processes:

1. Management responsibility.
2. Resource management.
3.Product realization.
4. Measurement, analysis and improvement.

A process model and the process approach are described in the introduction. The approach
emphasizes identification and management of numerous linked activities.

This approach highlights the importance of understanding and meeting requirements, considering
processes in terms of added value, obtaining results of process performance and effectiveness, and
continual improvement of processes based on objective measurement.

The solution to many of the problems faced by regulated industry involves addressing how
organizations identify real and potential deficiencies to improve. Organizations are now required to
"plan and manage the processes necessary for the continual improvement of the quality management
system." Continual improvement is also mentioned under the standard's quality objectives and
quality planning clauses.

The last clause of ISO 9001:2000, clause 8.6, is titled "continual improvement." There are specific
requirements for corrective action for eliminating the causes of known nonconformities.

The requirements for preventive action require determining potential nonconformities and their
causes and taking appropriate action to prevent their occurrence. Of great importance is the clause
8.6 lead sentence that describes a quality improvement loop.

The clause states that continual improvement will be facilitated through "use of the quality policy,
objectives, audit results, analysis of data, corrective and preventive action, and management
review."
These are seven important clauses of the standard that, when linked as an effective set of
processes, provide the necessary visibility and involvement of top management for making sure
requirements are met. Six of the clauses specifically feed into the management review.
Management review is the periodic gathering of an organization's top management to discuss the
current state of quality and compliance and to determine appropriate action. With real and
meaningful management reviews it is inconceivable that the regulatory actions mentioned at the
beginning of this paper could occur. This last clause of the standard becomes the most important
part for tying everything together.
Avoiding bureaucratic pitfalls
ISO 9001:2000 has been developed so organizations can avoid the pitfalls and inefficiencies
associated with the traditional bureaucratic and piecemeal approach to meeting requirements. This
new standard is offered as a key for achieving an overarching objective of the top management of
the medical device industry: to obtain a highly effective quality system that meets all customer and
regulatory requirements.

Implementing ISO 9001:2000

Early feedback indicates six areas of challenge

by John E. "Jack" West

ISO 9001:2000 (ANSI/ISO/ASQ Q9001-2000) has now been available for several months. This
new edition of ISO 9001, which is based on the eight quality management principles, represents a
significant departure from the 1987 and 1994 versions. The principles were reviewed in detail in an
earlier standards column.1

During roundtable discussions at seminars I conducted this year using the new standard (and in
2000 using the last two drafts), I received feedback from several hundred organizations.

In general the participants in these discussions were very satisfied with the new standard. In fact,
most have been enthusiastic about its additional focus on the role of top management and on
customers, its simplified documentation requirements and the specific inclusion of the concept of
continual improvement.

I asked each of these roundtable groups to identify challenges and solutions related to
implementing the new ISO 9001. It is not surprising that some of the things people really like about
the new standard also turn out to be challenging. The issues that appear important from an
implementation point of view can be summarized in six categories.

1. New structure of the standard

The new standard is structured differently from the 20-element model of earlier versions. In fact,
the new model is better connected with the way organizations are normally managed, so new users
find it much easier to work with. But organizations transitioning from the 1994 version often
initially mention the new structure as a major challenge.

After some discussion, however, most users are able to see how to demonstrate compliance with
the new standard by using a matrix or by revising only their top level quality manuals. Even then, the
new structure remains challenging for organizations that did not use the process approach in initial
system development.

2. Process approach

ISO 9001:2000 requires identification of the processes of the quality management system, along
with their sequence and interactions. In effect, this means the quality management system must
reflect the actual way in which the organization operates. This is normally accomplished by using
techniques such as process mapping.

A majority of the organizations reported they used this approach in establishing their current
quality management system. On the other hand, a minority said they had developed their
documented system using the earlier standard--but without real consideration of the processes in
the business.

For this latter group, adoption of the process approach represents a significant challenge. In some
cases, these organizations reported they had created "shadow" quality systems in which the actual
quality management processes are quite different from those described in the documented manual
and procedures.

Organizations finding themselves in this situation must think hard about their approach to the new
standard. Most of this minority agreed, however, the use of the new approach will help them align
their written processes with actual practice to create a more effective system.

An implementation module that provides insight into the use of the process approach is available.2

3. Simplified documentation requirements

One of the key objectives of the revision process was to make the new ISO 9001 user friendly for
small organizations. While the quality management system must still be described fully in the
documentation needed to ensure its effectiveness, the number of system level documented
procedures specifically called out has been reduced--from 18 in the 1994 version to six in 2000.

The notes in clause 4.2 provide good guidance on the extent to which an organization should go to
document its system. Unfortunately, some organizations think auditors will continue to demand
documented procedures where they have no value. And some auditors say they are unable or
unwilling to audit without documentation.

Where documentation of a process has no value and the criteria of the notes in clause 4.2 have
been met, organizations should stand their ground and resist creating useless paperwork.

In such cases, auditors need to learn to assure process effectiveness by talking to multiple
individuals--from top managers or supervisors to workers who carry out the process. In that way,
auditors can determine whether the process is actually carried out as intended by the leadership.
On the other hand, auditors should seriously question processes where there is a lack of such
alignment.
4. Focus on the role of top management
The new ISO 9001 has a greater emphasis on the role of top management than earlier versions. In
fact, top managers are assigned specific new responsibilities.
In the quality policy, leadership must include a commitment to meeting requirements and to
continual improvement of quality management system effectiveness. Top managers must also ensure
requirements are determined and met.
There are major robust requirements for management review, including its use to identify
improvement opportunities. Most roundtable participants see this emphasis as a positive shift in
focus and an opportunity to improve the involvement of senior leaders in the quality management
system. But others are concerned they will not be able to gain the required level of commitment.
Certainly, the transition to the new standard is a good time for quality professionals to
demonstrate the benefits of senior management involvement.
5. Measurement of customer satisfaction
The new ISO 9001:2000 requires organizations to monitor information relating to customer
perception on whether the organization has met customer requirements. This information is to be
used as a measurement of the performance of the quality management system.
About half the organizations at the roundtable discussions indicated they now comply with the
requirement. The other half is divided into two groups. Some have no system to measure
satisfaction at all. Others report they have a corporate system (in some cases very sophisticated)

for measuring customer satisfaction, but the data are not provided in a form that can be used
within the quality management system.
In either case, these organizations will need to address this gap during the transition period.
6. Inclusion of design and development
There is a challenge for the 5% or so of roundtable participants whose organizations were
previously certified to ISO 9002. While their organizations perform design and development
activities, compliance with ISO 9001:2000 cannot be claimed if an organization performs these
activities but excludes them from the scope of the quality management system.
The groups described a wide variety of circumstances, which are discussed in the implementation
module on application.3 Organizations in this situation should get the module, study it and review
their situation with their certification body. It is also clear that the certification bodies will need
to exercise care in crafting the scope of certificates.
Auditing the quality management system
Some of these six topics are very important to auditors as well as system implementers. Issues
important from an audit perspective will be discussed in future "Standards Outlook" columns.

From Deming to ISO 9000:2000

Lip service isn't enough; management must understand and carry out its obligations to achieve
sustainability and growth

by R. Dan Reid

"In the last 40 years, many things have changed, but the basic body of knowledge that impacts the
quality of a product or process (hardware or software, manufacturing or service...) has not changed
all that much. ... Everything I needed to know about quality was published by 1931."1

This comment was made during the Society for Automotive Engineers (SAE) World Congress this
March in Detroit. The speaker went on to list a number of quality programs, such as companywide
quality control, kaizen and total quality control, that have come and gone since that time.

When you look at these programs, you find many indeed share common elements that have been
identified, quantified and explained from many different angles. As the speaker said, the basic
concepts have been around for some time. They are still not widely deployed, however. American
industry apparently loves to innovate, but struggles to implement the fundamentals of quality
management.

For quality programs to be successful, management must take an active role in their
implementation. Plenty of guidelines are available in the work of quality leaders such as W. Edwards
Deming and in more recently developed standards and programs such as ISO 9000:2000. An
organization can now combine elements from several sources to tailor a quality management system
that meets its specific needs. The key to success in any program, however, is for management to
follow through.

And Deming said

In his book Out of the Crisis, Deming reflected on the information he shared with the Japanese in
1950 and showed how quality improvement results in a chain reaction:

Improve quality >> costs decrease (less rework, fewer delays) >> productivity improves >> capture
the market with better quality and lower price >> stay in business >> provide jobs and more jobs.2

Figure 1 summarizes the next point Deming made in 1950, that production should be viewed as a
system. This simple concept helped the Japanese capture new markets in just over 20 years.
Deming said it would take American industry decades to catch up, if it ever did, and he emphasized
that quality improvement should ultimately impact a society's quality of life, including jobs.

It's all about customer satisfaction

As the figure shows, Deming emphasized the importance of consumer research, which should lead
to the design or redesign of the product or service to improve customer satisfaction.

Deming said reduction of variation could be provided through the single sourcing of suppliers. He
advocated long-term relationships based on trust and promoted the continual improvement of
testing capability for products, services, processes, machines, methods, inspection and distribution.
He stressed the consumer is the most important consideration throughout the product realization
process.3

ISO 9001:2000, clause 5.2, now requires top management to ensure customer requirements are
determined and fulfilled.4 The new standard also commits top management to communicating to the
organization the importance of meeting customer requirements.5

In lean manufacturing, we see an emphasis on value, which is defined by the customer and created
by the producer.6 In the Malcolm Baldrige National Award criteria, we find a significant emphasis
on customer/market focus. Whatever the model, there is a need to understand current and future
customer needs and continually work to satisfy them.

Plans and methods

Deming then said an organization needs to integrate an overall plan. He asked, "Where do you want
to be in five years?" and "How may you reach this goal ... by what method?"

According to Deming, goals or objectives are hopes, and hopes without a method to achieve them
remain hopes. He recommended his 14 Points for Management and his Deadly Diseases and
Obstacles as methods for management to use to achieve goals and objectives.7

QS-9000, ISO TS 16949 and the new ASQ/Automotive Industry Action Group and ISO Industry
Technical Agreement health care document cite the need for strategic business planning by an
organization. This planning is needed for areas such as costs, growth projections, facilities,
employee development, research and development, customer satisfaction, health, safety and
environmental issues.

Deming added quality must be built in at the design stage.8 ISO 9001:2000 now places more
emphasis on up-front quality planning because an organization can have the most influence on
product quality during the planning stage.

QS-9000 requires use of the industry Advanced Product Quality Planning (APQP) and Control Plan
manual, which provides the template and checklists for product realization.

It is important that certain activities be conducted earlier in the product realization cycle than
others and that all the right things be done. The APQP is a good model for hardware and has
applications for other sectors.

During design and development, a record should define the product, process or service
characteristics and their requirements. These should be based on consumer research and the
organization's product knowledge, and they should take into account the expected life of the
product, durability, reliability and maintainability.

Efforts to error proof the product and processes should be made from the beginning of planning
and continue through corrective and preventive action. This is to prevent problems--which was
Deming's point when he said to cease dependence on inspection.

Particularly where error proofing is not incorporated into product or service design, the quality
characteristics should be evaluated for risk of failure (for example, failure mode effects analysis
exercises). Then the quality or control plan should address how conformity will be achieved and
measured later in the realization phase.

Where the product design does not prevent nonconformances at the characteristic level, work
instructions should tell operators how to mitigate the effects of potential problems--what to do
when things go wrong and how to operate processes correctly.

Process capability or performance needs to be matched with the product and process requirements
and consumer expectations. The process capability should be determined and monitored statistically

over time. Management should be trained to understand which measures are appropriate and how to
interpret what the data are telling them about process variation.

The most important numbers

Deming said the central challenge of management is to better understand the meaning of variation
and the processes being managed.9 His contention was that where management is incompetent, it
manages the outcome by numbers. For example, to compensate for a lack of knowledge of
processes, management may mandate some yearly percentage of improvement in a specified
characteristic. Quality, however, is about effective process management.

To Deming, the most important numbers were what he called "unknown" and "unknowable."10 An
example of this would be the unknown costs incurred when a customer is lost due to a poor quality
experience. An understanding of this idea should motivate management to continually improve the
product and process independent of quality mandates.

Process management involves the use of metrics. Implementing effective metrics starts with
identification of the key product or service characteristics to measure. It is not practical to
measure all characteristics.

One psychology of measurement maintains that what gets measured improves. In the automotive
industry, part approval is obtained when the selected characteristics meet requirements. How to
determine whether they meet the requirements is the challenge of the measurement system. It
includes testing.

The journey should not stop with initial approval, however. Management should work to continually
improve the processes to reduce variation, increase customer satisfaction and lower costs.

ISO 9001:2000 now incorporates the measuring and monitoring of the product, process and quality
system. This is a significant improvement over the previous version of the standard. These
requirements can drive the use of appropriate quality measures throughout the organization.

Constancy of purpose

In his 14 Points, Deming says management must create constancy of purpose toward improvement
of product and service. He shows how job mobility inhibits constancy. The results are failure to
establish the long-term relationships necessary to encourage suppliers to invest in innovation and
the creation of fear and mistrust in the work force, which leads to a lack of pride in workmanship
and, in turn, to poor quality and more turnover.11

In the U.S. automotive industry, work on what became QS-9000 started about 15 years ago.
Leadership of this effort was by eight different men occupying the positions of vice president for
purchasing or procurement and supply at three different automakers: Chrysler, Ford and GM.

Never before in the industry had there been a quality manual with three company logos on the
front. Never before had the industry utilized a third-party independent auditing function to qualify
suppliers.

While the development of QS-9000 started with modest efforts, a documented long-term vision
of success was crafted with input from some forward thinking suppliers. There were regular
reviews with the vice presidents to report progress and update the plan.

Despite leadership mobility, a constancy of purpose for this effort remained. Without it, QS-9000
would never have happened, and automotive suppliers would still be faced with numerous quality
requirements, inconsistent use of terminology and multiple customer quality system audits on an
annual basis.

Other sector documents such as TL 9000, the telecommunications quality management standard,
have also been developed using the QS-9000 model as input.

Institute leadership

Deming called for true leadership to substitute for a number of management practices. One of his
central tenets was that leadership should help employees do a better job. To Deming the majority
of problems in an organization were under the direct control of management, not the workers.

This concept has shown up in lean manufacturing as "support for the employee." It has shown up as
"simplifying" and "standardizing" in the 5 S's (a Japanese program that also includes sorting,
sweeping and sustaining). It involves structuring the job so the employee can spend a higher
percentage of time on value added work.

The vast majority of the time a raw material spends being transformed into finished goods involves
nonvalue added activities such as waiting, moving and storage.

In Deming's 14 Points, leadership was also to be the substitute for quotas and management by
numbers (numerical goals). Management was to work on the system to make it better for the
employees. Although this would take time away from other urgencies, it was to be a priority.

A significant section of a recent book about Jack Welch, CEO of GE, was devoted to leadership. In
the chapter "Stop Managing and Start Leading," Welch refutes the conventional wisdom about
management's role (monitoring, supervising and controlling) and argues that "managers muddle"
while "leaders inspire."12

One primary way they can inspire the work force is to make continual improvements in the systems
to make the employees' jobs easier and more productive.

Training and competence

Deming advocated on-the-job training.13 One of his 14 Points was to institute a vigorous program
of education and self-improvement.

The new ISO 9000 requires competence, and training is listed as one of several ways to achieve it.
In the automotive standard ISO TS 16949, training on the job is a specific requirement.

The effectiveness of training should be periodically reviewed. High work force turnover demands
repetition of basic training initiatives. For example, a company may provide initial training sessions
in statistical process control, variation and tools to measure quality (such as control charts and run
charts). However, as the trained employees move on to other jobs, companies need to teach such
concepts to their successors.

Employees in the same assignments could also benefit from further training in more advanced
concepts, particularly when data indicate they fall outside of the common cause variation as taught
by Deming.

Training in the fundamentals of quality management should be institutionalized. Recognizing this,

TL 9000, the telecommunication standard, requires all employees, including top managers who have a
direct impact on product quality, be trained in fundamental concepts of continual improvement,
problem solving and customer satisfaction.14

Many organizations are using new employee orientation manuals to provide basic training.
Information from such manuals can now be loaded onto company Web sites to provide easy access
and better change management. For this reason, many organizations now use electronic media for
their quality manuals and procedures.

Continual improvement

Deming stressed the need for continual improvement of the system of production and service in his
14 Points. He linked it to cost reductions, which lead to productivity improvements and the chain
reaction caused by quality.
Deming promotes Walter Shewhart's plan-do-check-act cycle, often known as the "Deming cycle,"
for continual improvement of each element of the product realization process15 shown in Figure 1
(p. 67). QS-9000 and ISO TS 16949 detail the need for continual improvement that must extend to
product characteristics.

Organizations are either growing or dying daily. To grow, organizations must be managed well and
committed to improving faster than the competition.
Using the management system
For sustainability and growth, an organization should design and implement a management system
based on the fundamentals of quality. To start, ISO 9001:2000 can provide a template that should
be enhanced with other elements to drive efficiency and effectiveness.
With appropriate metrics, status can be known and improvements achieved, continually increasing
customer satisfaction. As we have seen, the concepts and methods have been documented for
decades. It is past the time for implementation. But as Deming stated, support of top management
is not enough. Management must know what it must do, and these obligations cannot be delegated.16

Auditing ISO 9001:2000

Challenges arise because some of the requirements aren't specific or traceable

by J.P. Russell

Because many of its clauses are nonprescriptive--they don't contain specific or traceable
requirements--some quality professionals are expressing concern about the auditability of ISO
9001:2000, the new quality management standard.

"Auditability" refers to the capability of applying audit techniques for positive verification of
requirements. If conformance to requirements is not verifiable and traceable, the credibility of the
audit function (audit program, registrar or regulatory oversight) could be questioned.

First, however, it is important to point out that most of the ISO 9001:2000 clauses contain very
specific and traceable requirements. For example, the internal audit clause ISO 9001:2000: 8.2.2
requirements include the following:

1. A documented procedure.
2. Auditing at planned intervals.
3. Audit planning based on status and importance.
4. Reporting of results.
5. Maintaining of records.
6. Taking action on detected nonconformities.
7. Verifying of actions.
8. Reporting of verification results.

Auditors can use various techniques to verify specific audit program requirements have been
addressed in the quality management system. They can evaluate documents and verify records;
interview document users to verify the process described by the document has been established,
implemented and maintained; and trace the process forward or backward to verify activities are
being performed. Verification of specified requirements is fast, efficient, reliable and traceable.

The technique for verifying specified requirements can be stated as, "Show me the document,
record, procedure, plan, schedule, material or activity."

Less prescriptive or nonprescriptive clauses

Most can agree audit evidence should be verifiable and traceable for both conformance and
nonconformance to requirements. But the less prescriptive clauses may have no requirement for a
procedure, schedule or record. Without prescriptive requirements, the traceability between the
standard and the users of the quality management system is less obvious and may be suspect.

One clear example of a nonprescriptive clause in ISO 9001:2000 is element 7.5.5--preservation of

product. The organization is required to "preserve the conformity of the product during internal

processing to final destination." There is no requirement for a procedure, schedule, inspection, plan,
method or record.

This requirement is so general it is possible for an organization being audited to believe it can
simply declare conformance to the requirement and challenge the auditor to prove otherwise.
Because that can be like looking for a needle in a haystack, it is important for the auditor to take
the opposite approach by challenging the auditee to show why there is no needle in the haystack.

To audit the less prescriptive clauses, the auditor must verify the organization conforms to the
intent of the requirements of the standard by determining whether an approach has been
established, implemented, maintained and improved.

This technique lends itself to several of the clauses of ISO 9001:2000. For some clauses the
auditor must seek to determine the existence of a process, how it was planned and implemented, its
outcomes and whether management determines ongoing effectiveness.

What to ask

An auditor might ask the following questions for the less prescriptive clauses:
Is there a plan or method for conforming to the requirements? What is it? Has it been
established? Audit evidence may include an outline, flowchart, markings in a work area, procedure,
work instructions, specifications or criteria. Clause 7.1 contains requirements to be considered for
planning the realization processes.

Has it been implemented (deployed)? Audit evidence may include the existence of records,
corroboration by multiple interviews or observations.
Have planned results been achieved? Audit evidence may include trend diagrams, records, bar
charts, matrices or comparisons. Data collected to meet clause 8.4 requirements may be helpful
(for example, data summaries, analyses, metrics and performance indicators).
Is there improvement? Has the system/process been changed? Audit evidence may be changes to
documents, designs or the ways business is conducted.

The auditor should keep a record or log of the audit evidence to show conformance and
nonconformance for traceability and to provide consistency from audit to audit. Examples of audit
evidence and perhaps log entries may be included as part of the audit report.

The answers

To start, the organization being audited might describe how the requirements are addressed in the
quality manual--as an overview, executive briefing or in procedures. Based on the description and
the requirement in the standard, the auditor can interview personnel to collect audit evidence, using
either open-ended or closed-ended interview question techniques.

A closed-ended question will result in specific yes, no or item by item answers. Normally openended questions give us more information, but it is up to the auditor to sort and determine the
relevance of the information.

The same is true for nonprescriptive requirements. They are open-ended, and it is up to the
auditor to match the information with the requirement and determine relevance. In some interview
situations, an auditor may be surrounded by people ready to provide information needed to verify
conformance to the requirement. As one person leaves to find a memo or checklist, another is ready
to seek out the next piece of evidence (record, procedure or chart) the auditor needs to verify
conformance to requirements.

In each situation the auditor must determine the appropriate data collection plan to ensure the
information is free from bias. A worksheet is an ideal tool for listing the clause or requirement on
the left and recording the evidence provided in a space to the right.

The technique for verification of a nonprescriptive requirement is, "Show me how you conform to
this requirement with the existence of a plan (approach), its implementation, achievement of
planned results and continual improvement."

The key is to follow the plan by:

Examining the plan addressing the requirement.
Examining the implementation of the plan.
Examining the achievement (outcomes) of the plan.
Examining the improvement of the plan.

Determining conformance or nonconformance

Once the organization being audited has had an opportunity to provide evidence and the auditor has
made his or her observations, it is time to determine conformance or nonconformance.

Good audit practice also requires the auditor to indicate the importance of the nonconformities
detected. Some nonconformities represent high risk to the organization, while others represent low
risk. One of the simplest methods to gauge importance is to classify nonconformities as major or
minor. Each organization should establish its own classification system.

The auditor must make a judgment based on the data presented and audit program guidelines to
determine if there is conformance, a minor nonconformance or major nonconformance. The
credibility of the audit function will be questioned unless there is consistency in judgment between
the auditor and organization being audited.

The measurement system should be fair, unbiased, consistent and standardized. One method is to
assess first the planning and implementation and then the results (outcomes) of the process. For
example, an auditor's guideline for assessing the planning and implementation may state:
Major nonconformance: No process is evident from the information presented, or there is partial
implementation but significant gaps still exist.
Minor nonconformance: There are sound methods but some minor gaps in deployment.
Conformance: Sound methods are fully implemented.

For assessing the results and outcomes, the guidelines may state:

Major nonconformance: There are no data, limited data or data that can't be assessed against
criteria.

Minor nonconformance: There are some trend data, and they can be evaluated against objectives
and criteria. But the data are not comprehensive or being maintained.

Conformance: Comprehensive and current trend data can be evaluated against ISO 9001 criteria to
determine conformance.

Preparing for the audit

To audit to ISO 9001:2000 and other nonprescriptive standards, auditors will need to use new
audit techniques to verify conformance and provide traceability. In preparing for the audit,
auditors may request the completion of a survey that spells out how requirements are addressed.
Auditors may also evaluate quality management plans and objectives. At the opening meeting, the
methods and techniques that will be used during the audit should be shared with the organization
being audited.
During the performance of the audit, open-ended techniques should be used to verify the intent of
the requirement has been addressed. Observations should be recorded on checklists, in log books or
by completing worksheets to ensure traceability of conformance as well as nonconformance. The
degree or importance of what was found must be determined and reported to the client and area or
organization audited.

Caveat Emptor

Standards and audits will have value only if organizations being audited--and their customers-demand it

by Dale K. Gordon

What does it take to have a competent third-party audit of your quality management system?

Surely, if you were doing it yourself, you would know exactly where to look to find the weakest
links in the system. An internal audit should give you a good idea of what is right and what needs
improvement. Why, then, is so much being made of having a third party perform an audit just so you
can have a piece of paper or plaque to hang on the wall and show to your customers?

It's the practical way

Ever since the world agreed on standards for quality management systems (the ISO 9000 series),
we have come to believe if we show evidence our operations meet these standards, we can provide
some level of confidence to our customers.

They can be confident because they know there are systems, processes and controls in place to
assure product conformance and continuous improvement in operations. An in-depth audit of a
quality system is the accepted method of demonstrating this conformance.

To have audits performed by all our customers in this global economy is neither a practical nor a
cost effective use of resources--especially as we look at the depth and breadth of the supply chain,
from raw material or concept to product and service.

We have therefore devised a process by which we hire supposedly impartial third parties (often
called registrars or certification bodies) to audit quality management systems. If we are compliant
with the necessary or appropriate standard, they provide us with certification (called registration
outside the United States).

For customers to have confidence in the registrars hired by our organizations, we require they be
accredited by an official accreditation body, which may or may not be tied to a government
controlled process of approval.

Finally, in order for these accreditation bodies to agree the process of accreditation is equivalent
from one location (country) to the next, the accreditation bodies have gotten together to sign
agreements and audit each other's processes.

It sounds reliable

To further ensure confidence in the system, the ISO 10011 series of auditing standards attempts
to describe auditing requirements as follows:
Auditors need to know something about the standard they are measuring organizations against.
They should know something about the types of processes being audited, the organization being
audited and its customers.
They should have the knowledge, the temperament and experience in auditing to be credible.

It sounds pretty complicated, doesn't it? At the same time, the various levels of control and the
auditing requirements make it sound pretty reliable, and that's what customers are paying for.

The problems

This certification process has been in place for more than 10 years. How is it doing? Is it as
reliable as it sounds? Is it as reliable as it ought to be?

The actual results of this auditing system are mixed. Many fine registration companies are now
doing business, but some are not delivering what they advertise--unless the objective is a

meaningless piece of paper. Certification/registration has become a big deal involving lots of money.
As more competitors have entered the field, more variability has entered the process.

It's amazing to me the number of times I have heard companies going to great lengths to prepare
for audits by developing elaborate plans to assure auditors are kept busy and the real work of the
organization is not exposed.

Similarly, I have heard countless tales of auditors who had little knowledge of the organizations
they were auditing, poor auditing skills or even incomplete or incorrect knowledge of the standard.

In an extreme case, I saw an auditor proceed to tell a client how it should be complying with the
standard. Even worse are auditors who tell their clients how to perform a given process or what
should be changed in the system to satisfy an audit finding.

Auditors aren't supposed to do any of these things. The purpose of an audit is simply to establish
the standard is being met and assist the client in identifying weaknesses in its systems. The
outcome of this process should be some assurance to the client and its customers the system is
working and accomplishing its objectives.

Who's in charge?

The client of the audit should be in charge. The client should demand capable, honest and
meaningful examinations in exchange for the money being paid. The organization's internal audits
should lead to continuous improvements; the third-party process should only be a validation that the
company's existing quality system works as designed.

But if elaborate measures are taken to deceive or placate a third-party auditor or if the auditor or
audit process is flawed, that purpose will be lost.

A big concern is that neither the audit client nor those who rely on the certificates have direct
input into the oversight and review of the third-party process. While the accreditation bodies are
doing what they can within their purview, as with the audit itself, they are just sampling the
process.

What some sectors have done

Sectors such as aerospace, automotive and telecommunications have supplemented ISO 9001
requirements, recognizing the value is not only in the standard, but also in its consistency of
application. To control variables, many of the sector specific standards they developed mandate
auditor knowledge, training and the process by which the audit is performed.

Some sectors have gone as far as to put strict controls on auditor training; others regulate
qualifications and experience. In each case it is the sectors that know their processes, systems and
customers. They make the determination of how an audit can determine compliance.
It's up to the customers of the auditors
The clients of the audit are in the same position as these sectors and should exercise similar
rights with the registration companies. It's up to the customers to demand their money's worth, in
both the process and the results. They should demand appropriate behavior and a high level of
knowledge and competency from the auditor so the end result will be a thorough, accurate and
complete audit.
It's not out of line to request the proof of qualifications, knowledge and experience of an auditor
prior to letting him or her in the door--in fact, this information should be required. If an auditor is
not satisfactory, he or she should be refused and a suitable person found. If the auditor's behavior
becomes unacceptable during an audit, the registration company should be asked to discontinue the
audit until a replacement can be sent.
If the audit itself is not thorough enough to test the system, a complaint should be lodged and a
request made to have a more complete examination.
Sound crazy? Why? Of what purpose and value is the certification process if it has no integrity?

ISO 14000 Revisions Likely To Be Minor

Recommendations make additional documentation, regulatory compliance and external

communication unlikely

by Marilyn R. Block

The ISO 14001 environmental management standard reaches its fifth anniversary this September.
The International Organization for Standardization, known as ISO, requires a review of its
standards every five years to determine whether they should be retained, revised or rescinded.

At the June 2000 annual meeting of ISO Technical Committee (TC) 207, delegates determined
ISO 14001, Environmental management systems--Specification with guidance for use, should be
revised. This effort was guided by three precepts:
Revisions should clarify the intent of existing language.
Language should be modified to improve compatibility with ISO 9001:2000.
Revisions should not be substantive.

One year later, a drafting group has prepared its recommendations, which are scheduled for
discussion as this column goes to press. Representatives from around the world will thrash out
concerns until consensus is reached on the changes to be incorporated into a draft document for
consideration by national standards bodies.

It is anticipated the draft document will be reviewed by the U.S. Technical Advisory Group to ISO
TC 207 at its meeting this September.

Of the 29 changes proposed, 16 are classified solely as clarification and five as improving
compatibility. Eight are classified as both. This article will discuss only the most significant
changes.

Annex A unchanged

Interestingly, no changes have been offered for Annex A, the guidance for implementing an
environmental management system (EMS). This is the case even though the original (current)
version notes, "Text may be included in a future revision" in the sections on operational control,
emergency preparedness, and monitoring and measurement.

So while many users of ISO 14001 were under the impression that these sections would be
addressed in a revision effort, there have been no recommendations yet. But ISO 14004, the
guideline on principles and techniques to support implementation of an EMS, is undergoing a
comprehensive revision.

Definition changes

Six definitions in ISO 14001 have been recommended for modification to enhance user
understanding. For example, definition 3.8, environmental performance, would be changed to
"results of an organization's management of its environmental aspects."

Similarly, definition 3.9, environmental policy, would be modified as "overall intention and direction
of an organization related to the environment as formally expressed by top management."

Finally, definition 3.13, prevention of pollution, would be rewritten as "use of processes, practices,
materials, products or energy to avoid, minimize or control (separately or in combination) the
creation or emission of pollutants and waste, in order to reduce overall adverse environmental
impacts."

Discussion of general requirements (ISO 14001, clause 4.1) would be expanded. Unlike the current
version, which states an EMS must be "established and maintained," the proposed revision requires
an EMS must be "established, documented, implemented, maintained and continually improved." This
section's proposed revision goes on to require that organizations define the scope of their EMSs.

Environmental aspects

In an effort to clarify clause 4.3.1, environmental aspects, the first paragraph would be broken
into sections. The proposed first paragraph now requires procedures to:
"Identify the environmental aspects of its activities, products or services (including potential or
new developments, and new or modified activities) that it can control and over which it can be
expected to have an influence."
"Determine those aspects that have or can have significant impacts on the environment."

The addition of "potential" developments appears to constitute a substantive change because it

adds a new requirement. This is likely to generate discussion and, therefore, may be rewritten for
future drafts.

The drafting group also recommended the final sentence in the first paragraph of clause 4.3.1 be
moved to create a new second paragraph. The language moves away from a narrow focus on the role
of significant aspects in establishing environmental objectives to a broader focus on the
relationship of significant aspects and implementation of the EMS.

Although no recommendation has been made at this time to change the title of clause 4.3.4
(environmental management program), it was expected to be discussed this summer. As written, the
requirements in this section are directed at achievement of articulated objectives and targets.
This is not conveyed by the title and causes confusion among those attempting to understand and
implement ISO 14001 requirements.

Three changes have been suggested for clause 4.4.2 on training, awareness and competence:
First, the last paragraph would be repositioned to become the first paragraph. This would change
the emphasis from providing training to ensuring employees are competent, and it would
acknowledge competence may be achieved through means other than training, such as education and
experience.

Second, the term "personnel" would be replaced by "any person." This would broaden the group of
individuals who must be competent from employees to anyone who can create a significant
environmental impact, such as contractors or temporary workers.
Finally, a note would be added at the end of the clause to explain the term "member," which
appears in the paragraph concerning awareness training. "Member" would include volunteer, partner,
board member or any other type of nonemployee.

Communication

The final paragraph in clause 4.4.3, communication, has been addressed. New language would
require an organization to "decide whether to communicate externally on its significant
environmental aspects." This is an effort to eliminate confusion that has surrounded the
requirement to consider processes for external communication.

Clause 4.4.5, document control, would be revised. The changes of greatest interest appear in the
first sentence, which would shift focus from documents required by ISO 14001 to documents
required by the EMS, and in the two notes at the end of this clause, which differentiate between
"procedures" and "documented procedures."

Proposed note one states documented procedures must be documented (that is, written in paper,
electronic or other medium), and note two says procedures must require a specified way to carry
out an activity but do not have to be documented.

The current language in clause 4.5.1, monitoring and measurement, contains three distinct
requirements: monitoring and measuring operations associated with significant environmental
impacts, calibrating the equipment used in monitoring and measuring efforts, and evaluating
compliance with regulatory requirements.

Proposed changes to clause 4.5.1 would retain only the first two requirements. Evaluation of
regulatory compliance would be placed in a new clause 4.5.2 entitled "Evaluation of legal compliance."
Remaining clauses would be renumbered, so corrective/preventive action would become clause 4.5.3,
records would become 4.5.4, and EMS audit would become 4.5.5.

The second paragraph of clause 4.6, management review, would be rewritten to specify inputs to
the management review and required outputs. Inputs include results of EMS audits, changing
circumstances and follow-up actions from previous management reviews. Outputs include possible
changes to policy, objectives and other elements of the system to fulfill the commitment to
continual improvement.

Recommendations for compatibility

The title of the standard would be changed to Environmental management systems--requirements

with guidance for use. This reflects the title ISO 9001:2000, "Quality management systems-Requirements.

Clause 4.4.1, structure and responsibility, would be renamed "Resources, roles, responsibility and
authority." It is somewhat unclear why this change is categorized as achieving greater compatibility
with ISO 9001:2000, because the quality standard devotes one clause (5.5) to responsibility,
authority and communication and another (6) to resource management. However, it would clarify the
requirements imposed.
Clause 4.4.4, EMS documentation, would undergo significant modification to reflect the general
documentation requirements (clause 4.2.1) in ISO 9001:2000. The proposed revised clause says the
environmental management system documentation should include:
Documents required by this international standard.
Documents needed by the organization to ensure the effective planning, operation and control of
processes that relate to its environmental management activities.
Records required by this international standard (see 4.5.4).
Reference to related documents.
Unlike ISO 9001:2000, this clause would not require an EMS manual; and unlike the current version
of ISO 14001, it would not require a description of EMS core elements.
Clause 4.5.3, records, would be modified in two ways. First, the records procedure would have to be
documented. Second, in order to achieve compatibility with ISO 9001:2000, the procedure would be

expanded beyond identification, maintenance and disposition of environmental records. Maintenance

would be replaced by "storage, protection and retrieval of records."
It is important to note the changes presented here are far from conclusive. Readers familiar with
the ISO standards-writing process know every word will be examined in excruciating detail.
Equally important, however, is the message conveyed by this first set of recommendations: There
is unlikely to be any substantive change to ISO 14001, either in terms of content or formatting
(numbering).
Individuals who were worried the new version of ISO 14001 would bear little resemblance to the
old are likely to be pleased with this initial effort at improvement. Organizations in the process of
designing or that have already implemented an environmental management system based on ISO
14001:1996 will find they have to make relatively few modifications to demonstrate conformance to
the revised version.
Those who hoped the revision effort would impose additional documentation requirements or
require greater attention to regulatory compliance and external communication are likely to be
disappointed.

ISO 9000:2000 Product Support Initiative

Effort to provide value to users grows out of standards validation work

by Sandford Liebesman and Jim Mroz

When the International Organization for Standardization, known as ISO, Technical Committee (TC)
176 began the process of drafting revised editions of the ISO 9000 series in 1996, a significant
goal was to verify and validate the drafts to ensure they fulfilled TC 176's objectives and provided
added value for their users.

Verification consisted of checking the drafts against the specifications describing the
committee's understanding of user needs. Validation consisted of obtaining feedback from users on
the ability of the draft standards to meet their needs.

Verification and validation of the ISO 9000:2000 family of standards were conducted as special
projects from 1998 to 2000. Feedback from participating organizations resulted in improvements
to the drafts.

The successful validation effort made the U.S. Technical Advisory Group (TAG) to ISO/TC 176
recognize the value of the validation process. The TAG agreed to conduct the ISO 9001:2000
product support initiative (PSI) as a mechanism for providing information that will improve the
ability of organizations to understand and apply ISO 9001:2000 in their quality management
systems (QMSs).

The vision of the U.S. TAG is to provide product support and to continue validation activities
resulting in useful inputs for future revisions of the ISO 9000 family. The PSI will be a resource
that enhances the value of the ISO 9000:2000 family, helps organizations conform to ISO
9001:2000 and provides inputs on implementation experience to the U.S. TAG and ISO/TC 176.

Who are the PSI customers?

The following are considered the customers of the PSI:

Organizations in the process of achieving QMS conformance to ISO 9001:2000.
Organizations considering ISO 9001 implementation efforts.
Registrars and accreditation bodies.
Trainers and consultants.
The U.S. TAG to ISO/TC 176.

Several strategies will be used to fulfill the vision of the PSI:

Develop the IDEAS (information, discussion, examples, analysis and sources) program to provide
help to organizations during implementation. This help will be in the form of information in response
to questions, discussion generated through a listserv Web site and other sources, analysis of issues
and references to sources of information. However, some questions that could result in

interpretations may be sent to the U.S. TAG interpretations coordinator for ISO TC 176, Morgan
Hall of the University of Maryland. His committee will review these questions and determine
whether to provide them to TC 176.
Maintain a PSI survey as a mechanism for summarizing issues, problem areas, successes, costs and
the added value of conformance across a broad spectrum of organizations.
Develop case studies to provide in-depth information about the conformance process across a
specified spectrum of organizational sizes (small with fewer than 50 employees, medium with 50250, large with more than 250), product categories (manufacturing, software, services, processed
materials) and industries (automotive, aerospace, healthcare, telecommunications). The case study
questionnaire format will build on the PSI survey.

ISO 9001:2000 survey

The ISO 9001:2000 PSI survey contains 53 questions in the following eight categories:
General information (organization demographics).
Assessment of QMS status (gap analysis and improvements).
The QMS documentation, development and implementation processes.
Training and other implementation aids.
Value and use of internal audits and preassessments.
The registration process (quality of registrar services).
Estimate of resources used for conformance.
Estimate of value added by ISO standards conformance.

The survey is posted on a PSI survey Web site at www.asq.org/mr/psisurvey.html, where it can be
filled out online by organizations that have achieved ISO 9001:2000 conformance.

Most questions are multiple choice, some use scroll down features and a few require brief answers.
The intent is for the survey to be easy to use and quick to complete and for it to provide valuable
data for two purposes:

To provide quantifiable measurements of the experiences of organizations implementing and using

ISO 9001:2000. These measurements can be used to alter and enhance U.S. and ISO introductory
support efforts and may be submitted as feedback for future revisions of the standards.
To publicize and promote the use of ISO 9001:2000 through reports of the survey results and
case studies demonstrating real-world implementation. It is expected positive feedback from ISO
9001:2000 conforming organizations will help other organizations in their quest for compliance.

Results from the PSI will be disseminated through various media: Web sites, ASQ publications,
publications covering ISO 9000 (for example, the Informed Outlook, Quality Systems Update and
Quality Digest) and business publications. Feedback will be provided to the U.S. TAG and ISO/TC
176 for the next revision of the standards.

Expected deliverables

The following are the deliverables envisioned by the U.S. TAG:

Posting of implementation information gathered by IDEAS on the Web site. The information will be
organized by the major processes of ISO 9001:2000 and linked to the eight quality management
principles that framed the ISO 9000 revisions.
Periodic analysis and posting of results from the survey of ISO 9001:2000 conforming
organizations.
Development of case studies aligned with the PSI survey.
Development of a PSI Web site managed by ASQ to provide continual results of the IDEAS
program, continuing surveys of ISO 9001:2000 conforming organizations; a summary of survey
results; and individual case studies and a summarization of successfully conforming organizations by
size, product categories and industry.
Publication of at least one article in Quality Progress each year summarizing survey results.
Contribution of at least one article on case studies in Quality Progress.
Development of several case studies as articles in the Informed Outlook each year.
Issuance of a report to the U.S. TAG summarizing information about ISO 9001:2000
implementation by the first quarter of 2004.

Completion of a plan to study the use of ISO 9004:2000 for QMS performance improvement by
Jan. 1, 2002.
Five subteams
This support initiative for the introduction of the ISO 9000 revisions is being led by Sandy
Liebesman and supported by the U.S. TAG and ASQ. The following five subteams were created to
accomplish the goals of the PSI:
Subteam one, led by Nancy Jennejohn of the University of Wisconsin-Stout, is responsible for the
IDEAS program. This subteam will analyze information on a periodic basis, publish results on the
PSI Web site and publish articles on results from the IDEAS program.
Subteam two, led by Ron Berglund of MRI International, is responsible for the PSI survey. This
subteam will analyze information from the survey and publish that information and analysis.
Subteam three, led by Joe Green of KVF Quad Corp., is responsible for conducting case studies
and analyzing the results.
Subteam four, led by consultant Herb Monnich, is responsible for direct support of the
participating organizations. The subteam consists of regional coordinators who will help promote the
initiative in their regions, identify participating organizations, help them locate resources and
support them during their efforts. The regional coordinators are: John Broomfield, Quality
Management International (Mid-Atlantic Region); Si Daily, California Manufacturing Technology
Center (Far West Region); Nancy Jennejohn, University of Wisconsin-Stout (Midwest Region);
Dennis Kelly, Georgia Tech University (Southeast Region); Herb Monnich, consultant (Southwest
Region); Richard Vinton, Raytheon (Northeast Region); Ken Sowder, Bechtel BWXT Idaho LLC
(Pacific Northwest Region).
Subteam five will be made up of staff from ASQ and the Informed Outlook, who will have a
number of support responsibilities such as communications, publications, references, marketing,
database and Web site.
Schedule
The PSI was kicked off on Aug. 31, 2001, with the first dissemination of IDEAS results. The
kickoff marked the initiation of the survey and the case study effort. It is expected that the
initiative will last at least three years.
We anticipate providing information for organizations that will help them effectively use and
conform to ISO 9001:2000. In addition, we expect to provide inputs to ISO/TC 176 that will be
used in the next revision of the ISO 9000 family.

Corrective and Preventive Action In Medical Device Manufacturing

ISO 9000 made more rigorous to ensure a robust system

by Les Schnoll

Representatives of the U.S. Food and Drug Administration (FDA) have been very active on several
ISO 9000 technical committees, including TC 176 and TC 210. The regulatory requirements for
medical devices, previously known as the good manufacturing practices, were revised in 1995 to
more closely emulate ISO 9001:1994. These revisions to 21 CFR (Code of Federal Regulations) 820
were renamed the Quality System Regulation (QSR).

With the advent of the QSR, the inspection methodology used by the FDA was also changed. The
agency adopted the quality system inspection technique (QSIT) for most of its routine regulatory
inspections. Again, the philosophy behind this change was based on a review of the system rather
than on an investigation of compliance to the letter of the regulation.

The ISO 9001 international quality management standard was not adopted verbatim for a variety
of reasons, the most critical being the FDA believed--and rightly so--several of the elements in the
standard were not quite rigorous enough for the purpose of ensuring a robust system for the
products the agency regulates.

One crucial element that was strengthened was the need for a system (or subsystem) to monitor
the effectiveness of actions implemented to resolve past or potential nonconforming conditions.
This subsystem, known as corrective and preventive action (CAPA), has become of ever increasing
importance and value. The requirements for this subsystem are identified in 21 CFR 820.100.

Within its documented quality (and regulatory compliance) system, a medical device manufacturer
should have a high-level procedure that describes its CAPA program. The basic sections of this
procedure are described in this article.

Purpose and scope of CAPA

The purpose of a CAPA subsystem is to collect and analyze information, identify and investigate
product and quality problems, and take appropriate and effective corrective and preventive action
to prevent their recurrence.

Figure 1 depicts the scope of activities generally encompassed within the corrective and preventive
action subsystem under the QSIT.

CAPA should be viewed as an umbrella system that allows a company to assess its entire program.
The scope of any corrective and preventive action system must include the verification or validation
of corrective and preventive actions.

Additional elements include communicating corrective and preventive action activities to those
responsible, providing relevant information for management review and documenting those
activities. These activities are essential in dealing effectively with product and quality problems,
preventing their recurrence and preventing or minimizing device failures.

Under the CAPA umbrella, the organization should include all activities and processes taken to
eliminate the causes of potential nonconforming products, processes and conditions within its
documented quality system. For most manufacturers of medical devices, these activities include
their methods for:
Complaint handing (21 CFR 820.198).
Medical device reporting (21 CFR 803).
Reports of corrections and removals (21 CFR 806).
Product recalls (21 CFR 810).

Postmarket surveillance (for companies assessed under the Medical Device Directive 93/42/EEC
from the European Economic Community).
Quality audits (21 CFR 820.22).
Nonconforming products, processes and conditions (21 CFR 820.90 for nonconforming products).
Device tracking, as appropriate (21 CFR 821).

Responsibilities and authorities

Assignment of responsibilities and authorities for the corrective and preventive action system (see
the sidebar, "Key Definitions") will vary among companies, primarily as a result of organizational
structure. In a hypothetical organization, let's make the following assignments to department
management, quality department personnel and everyone else in the company.

Department management is responsible for:

Maintaining overall responsibility for management of corrective and preventive action activities in
areas of responsibility.
Responding to identified nonconforming conditions within defined time periods and with complete
information to describe the planned (and actual) corrective actions taken.
Assigning appropriate personnel and other resources to develop and implement corrective and
preventive action plans.
Ensuring implemented corrective and preventive actions are completed, effective and documented.
Notifying quality department personnel of the corrective and preventive action resolutions.

Quality department personnel are responsible for:

Maintaining a listing or database of nonconformance reports and the identified corrective actions.
Maintaining a listing or database of identified preventive actions.
Performing periodic statistical analyses (for example, trend analyses) of identified nonconforming
conditions.

Reviewing corrective and preventive action documentation for timeliness.

Coordinating verification of corrective and preventive actions by the assigned personnel.

Company personnel are responsible for reviewing and implementing corrective and preventive action
procedures and changes that impact their positions.

CAPA inspection objectives

When the corrective and preventive action system is assessed during a QSIT inspection,
investigators focus on the following 10 key activities:

1. Verify the CAPA system procedures that address the requirements of the quality system
regulation have been defined and documented.

2. Learn whether appropriate sources of product and quality issues have been identified and
confirm data from those sources are analyzed to identify existing product and quality issues that
may require corrective action.

3. Determine whether sources of product and quality information that may show unfavorable
trends have been identified and confirm data from those sources are analyzed to identify potential
product and quality issues that may require preventive action.

4. Challenge the quality data information system and verify the data received by the CAPA system
are complete, accurate and timely.

5. Verify appropriate statistical methods are employed where necessary to detect recurring quality
issues and determine whether results of analyses are compared across different data sources to
identify and develop the extent of product and quality problems.

6. Using sampling tables, determine if failure investigation procedures are followed and that the
degree to which a quality issue or nonconforming product is investigated is commensurate with the
significance and risk of the nonconformity. Investigators will also determine if failure
investigations are conducted to determine root cause, where possible, and verify there is control
for preventing distribution of nonconforming product.

7. Using sampling tables, determine whether appropriate actions have been taken for significant
product and quality issues identified from data sources.

8. Determine whether corrective and preventive actions were effective and verified or validated
prior to implementation and confirm corrective and preventive actions do not adversely affect the
finished device.

9. Using sampling tables, verify that corrective and preventive actions for product and quality
issues were implemented and documented.

10. Determine whether information concerning nonconforming product, quality issues and corrective
and preventive actions has been properly disseminated (this includes distribution for management
review).

General requirements

The CAPA system should be designed to include actions needed to correct nonconforming product
and other quality problems (correction), prevent recurrence of nonconforming product and other
quality problems (corrective action), and eliminate the cause of potential nonconforming product and
other quality problems (preventive action).

In most cases, a process approach can be followed to ensure the system captures the required
information using appropriate sources of data and is effective. The concepts utilized in this
approach are:
The CAPA system procedures address the regulatory requirements and quality system standards.

Management has provided definitions and interpretation of words or terms.

Existing and potential problems are identified (quality data sources are identified and data from
those sources are analyzed). Data are complete, accurate and analyzed in a timely manner.
Statistical and nonstatistical techniques are used to detect recurring quality problems. Results of
analyses are compared across different data sources and used to identify and develop the extent
of problems.
Failure investigation is adequate (procedures are followed and the investigation is commensurate
with the significance and risk of the nonconformity). Where possible, the root cause has been
identified.
Product is controlled to prevent distribution of nonconforming product.
After root causes are identified, appropriate corrective and preventive actions are taken. Actions
are verified and validated, are effective and do not adversely affect the finished device.
Corrective and preventive actions are documented.
CAPA information is disseminated to individuals directly responsible for assuring product quality
and preventing quality problems.

Sources of data

Data to be included in a CAPA system come from a variety of sources, both internal and external.
Some sources of internal data include:
In-process and final inspection and test data.
Scrap and yield data.
Process control data.
Incoming component testing and inspection test data.
Equipment data (preventive maintenance, calibration).
Internal audits.
Device history records.
Training records.

Change control records.

Rework and reprocessing.
Nonconforming materials reports.
Some sources of external data include:
Complaints--customers, employees, MedWatch (the FDA's medical products reporting program),
field service reports, journal articles, information from the FDA and other regulatory bodies.
Warranty reports.
Legal claims.
Study reports.
Third-party audits.

Corrective action procedures

Documentation of the identified nonconforming product, process or condition should be performed

according to the organization's documented procedures. After being informed of the identified
nonconformance, responsible personnel then assign appropriate personnel to investigate the
nonconformance and identify its root causes. Representatives from other functions may be used.

Once the investigation is completed, appropriate meetings, discussions and training sessions are
held with department personnel and other groups whose activities may be impacted by the
investigation and corrective action implementation.

The identification of the root causes (established, in part, by failure analysis, when appropriate) is
indicated on the company's appropriate documents. The documents are completed, returned to the
individuals who identified the nonconformance and then reviewed according to the process
described in documented procedures.

Once the corrective action has been verified as implemented, the documents are forwarded to
quality department personnel, who enter the corrective action information into the database for
future statistical analysis.
Preventive action procedures
As a result of identified nonconformances (for example, identified through trending) and effective
corrective actions, an individual may decide to implement a similar action to prevent the occurrence
of a nonconforming condition.
If department management identifies and approves a preventive action plan, it should also initiate
documentation. The preventive action plan and associated documentation are described on the
report form. Once the preventive action plan is accepted, the initiator verifies implementation and
effectiveness.
Documentation of preventive action is forwarded to quality department personnel for entry into
the database and possible subsequent statistical analysis.
Finally, records of corrective and preventive actions are maintained in accordance with the
company's defined process for control of quality records.