ISO 9001:2008 Impact on ISO 13485:2003

ISO 13485, medical devices, medical device manufacturing

Q: Why does Annex B of ISO 13485:2003: Medical devices — Quality management systems — Requirements for regulatory purposes address ISO 9001:2000?

Shouldn’t it be ISO 9001:2008 Quality management systems–Requirements?

A: ISO 9001 is “controlled” by Technical Committee (TC) 176 while ISO 13485 is “controlled” by TC 210. They are two separate, independent technical committees that write and revise standards.

ISO 13485:2003 is founded on ISO 9001:2000, with additional requirements added for the medical device industry. In other words, ISO 13485:2003 is ISO 9001:2000 (but with the requirement for “continual improvement” removed) and additional requirements for the medical device industry

When TC 176 revised ISO 9001 in 2008,  TC 210 decided not to make a change to ISO 13485 because ISO 9001 requirements didn’t change substantially.   It is important to note that many governments such as Health Canada have adopted ISO 13485:2003 as their law or have their medical device law based on 13485:2003. Many medical device companies today get ISO 13485:2003 registered and have dropped ISO 9001:2008 altogether as not being necessary.

By the way, TC 210 issued a technical corrigendum to ISO 13485:2003 in August of 2009 correcting its reference to “ISO 9001” to “ISO 9001:2000” to make this clear.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

ISO 9001 Quality Manual

ISO documentation practices, requirements

Q: My small company is forcing me in the direction of using flowcharts to specify ISO standards. With their many branch statements, they are convoluted and confusing. I prefer plain, simple English. But my question is: is it ok to use flowcharts to specify ISO 9001 standards?

A: Actually, as long as you do not intend to become registered (also called certified), you can – and probably should – implement the ISO 9001:2008 Quality management systems–Requirements standard any way you want! I happen to like flowcharts, as long as they are limited to one page and fewer than a dozen boxes.

But if you intend to become registered, the registrar you choose will always require you to explain how you are implementing the concepts contained in ISO 9001.  Most firms choose to call this explanation document a quality manual. You do not repeat the words in the ISO 9001, rather you say how you intend to implement the concepts locally. A manual should be site-specific and about 50-60 pages. Some have written them in 20 pages.

Once you have the framework (manual) in place for the system, then you need to write procedures for the processes. Remember, procedures are job performance aids for an already-trained and qualified person. They should be about five to six pages, since the individual already knows how to perform the tasks.

The powers that be in your company want these procedures to be in the form of flowcharts. That’s OK, as long as you have explained this in your manual. The registration company accepts your manual before they ever send an auditor to your site. If they have accepted your description of flowcharts instead of procedures, then the auditor must accept that approach.

The whole point is to provide information to the person doing the job in a way that is useful. Written standard operating procedures (SOPs), or flowcharts, or pictures. It is the implementation that matters.

Dennis Arter
ASQ Fellow
The Audit Guy
Columbia Audit Resources
Kennewick, WA
http://auditguy.net

Example Quality Manual

Need to write a quality manual that conforms to ISO 9001:2008? Download an example quality manual from the ASQ Knowledge Center and read about how to create one!

ISO 9001 Procedure Vs. Process

Mr. Pareto Head and procedures

Q: I‘m seeking clarity and advice on a recent incident  I was informed about.

An organization I am very familiar with and is fully certified to ISO 9001:2008 Quality management systems–Requirements (with no exemptions) recently had a new external auditor come in to conduct a certification audit.

While continued certification was recommended, a number of small areas of concern were noted.

I understand that most of the recommendations will improve the system, but one recommendation has caused me some concern.

A bit of history of the QMS of this organization:

This company originally gained certification under ISO 9001:2000 and has transitioned to ISO 9001:2008.  They have a very robust quality management system (QMS), have clearly identified their processes, and have mapped their procedures to these various processes.  They have implemented a rigorous internal audit program which has targeted these procedures and their interrelationship with the various processes.

My problem is that the report for this recent certification audit stated that under 8.2.2 of the standard, in order to ‘gain’ full certification to ISO 9001:2008, they have to conduct process audits rather than procedural audits, or their certification could be at risk.  This has caused some angst with senior management, as their previous certification body was happy with their implementation of the standard.

8.2.2 b: Internal audit

“An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited…”

I can see no mandatory requirement in 8.2.2 to support the statement that process audits have precedent over procedural audits as long as the status and importance of the processes are taken into consideration.

My understanding would be that the requirements of 8.2.2 would be met if the organization’s processes are clearly identified and its procedures and their interrelationships are mapped to the processes and it can be clearly identified during the audit that process requirements are being addressed with the procedures.

Obviously if it can be shown that the processes are not adequately covered, then that must be addressed. But I do not believe this is the case here.

Your advice would be greatly appreciated.

A: I hope to answer your questions about process vs. procedure  in ISO 9001:2008. I will offer several different definitions.  This is not to confuse you, but to help you see how different people deliver the same message while using different words.

We will begin by trying to recognize just what a procedure is. You can have any number of procedures within a process.  That means, a process requires one or more procedures. You take actions to get results.  The actions you take are your procedures.

I once read it this way on the internet: procedures / actions / activities / work instructions all describe the lowest level of decomposition, i.e.: the procedure cannot be broken down further.

A process is “something going on.” It is a continuing natural or biological activity or function.

A process is a series of actions or operations conducing to an end. It is a continuous operation or treatment, especially in manufacturing.

A procedure is a particular way of accomplishing something. This is also defined as a series of steps in a regular definite order; a traditional or established way of doing things.

While the two could sound similar, they are clearly not the same thing.  A process refers to a series of actions, but does not place a particular order on those actions.

Procedures however, are focused on steps, order and instruction. As the author Mark McGregor once wrote, “We can see that while a process may contain order, it does not require order to be a process. If we take away the order from procedure, then we don’t have a procedure, but we may still have a process.”

You are not alone in your questioning of this. It is like the ongoing controversy over continual vs. continuous in the quality arena.  However, the distinction between a process and a procedure should be more clear to you after reading above.

Now, let’s consider why. Why is 8.2.2 worded the way it is?  I think the most simple way to put it is this: in the past, it was not uncommon for internal audit teams to concentrate on element auditing. That is, they audited the verbiage of the documented procedures to see if they complied with that of the standard.

Each individual company has their own processes.  It is through those processes, those actions, that you would comply with the intent of the standard.  The value of controlling and improving on those processes is reflected in your audits.

Input -> Process -> Output

So, it does not matter how you word things. The product audit (or service audit) determines if tangible characteristics and attributes of a thing are being met. A process audit determines whether process requirements are being met. During the process audit, the auditor will examine an activity or sequence of activities to verify that inputs, actions, and outputs are in accordance with an established procedure, plan or method.

By now, you have seen a pattern to all the words above.  My intention was not to muddy the waters further, but to help you recognize why so much light has been shined on process activities. To  “do what you say you do” requires having documented procedures and following what they say.  Doing all of this in an efficient and a profitable manner requires process control.

Finally, if you haven’t already done so, I strongly suggest that you acquire a copy of The Process Auditing & Techniques Guide by J.P. Russell.  This is a good guide you can order through ASQ and it can help with setting aside some of your concerns and answer questions.

I hope this has been helpful.

Bud Salsbury
ASQ Senior Member, CQT,CQI

Ask A Librarian

What’s the Difference Between ISO 9001 and ISO 19011?

Reporting, best practices, non-compliance reporting

Q: What is the difference between the ISO 9001:2008 and ISO 19011:2011 literature on your web site? Please provide a detailed explanation and their use.

A: I can see where the confusion might arise, as the numbers are very similar! But the contents are quite different.

ISO 9001 Quality management systems–Requirements is the mother of all quality management systems. It lays out the minimal requirements for an acceptable way of managing your business for quality. In the beginning, it was developed as a requirements document to lay on your suppliers. Then it became the foundation for registration (other countries might call this certification) of your own management approach to quality. About a decade ago, various business sectors – aerospace, automotive, medical devices, laboratories, etc., all used the ISO 9001 document as the base for their specific approaches. They didn’t take anything away, but added additional requirements. By far, the greatest use today is for registration/certification. This is somewhat sad, in that the standard itself is a beautiful way of managing the resources within the enterprise. Registration can get quite bureaucratic and not worth the expense.

ISO 19011:2011 Guidelines for the auditing management systems is the international auditing standard (my specialty). It was first developed as a means to get all the various registration agencies around the world to do their audits in a consistent manner. It also had support from the multinational companies that had factories – and thus registrations – all around the world and often with different cultures. Norms in Canada are not the same as China! Unfortunately, this registration emphasis in the standard made it somewhat hard for internal auditors and supplier auditors to use it. Plus, there is no requirement to use the standard, other than within the registration industry.

For these reasons, the U.S. wrote a supplement for the 2002 version of this standard, giving guidance on how to use the principles for internal audits and small organizations [note: development is underway to offer similar supplements for the ISO 19011:2011 version  — anticipated end of 2012/early 2013.]. ASQ is the only place to get this version, which  includes the supplement, along with the base document. As this auditing standard was revised, it picked up environmental auditing and safety auditing in the scope.

Dennis Arter
ASQ Fellow
The Audit Guy
Columbia Audit Resources
Kennewick, WA
http://auditguy.net

Is ISO 9004:2009 an Implementation Guide?

ISO documentation practices, requirements

Q: I am looking to purchase the latest ISO 9001:2008 Quality management systems–Requirements. However, in the past, ISO 9004:2000 Managing for the sustained success of an organization — A quality management approach,  included the ‘requirements’ of ISO 9001 in boxes as a reference in ISO 9004 (used for implementation assistance). Is that still the case? I would much rather buy the revision, ISO 9004:2009 if the ISO 9001 requirements were in the standard…it’d be one less standard to have around.

A: We have consistently promoted the concept that ISO 9004 is NOT an implementation guide to ISO 9001. It is designed to provide guidance to organizations that desire to go beyond meeting minimum requirements towards achieving higher levels of performance.

There is much that is required of organizations today to sustain themselves and the next edition did try to focus on addressing issues that were essential to sustainability, perhaps at the expense of revisiting the old ground of content related to 9001 compliance which, by now, have become well understood by many organizations.

So, ISO 9004 is about going beyond ISO 9001. ISO 9004 is still consistent with ISO 9001, but it places more intensity on going beyond and less on hard line-by-line congruence.

Charlie Cianfrani
Consulting Engineer
Green Lane Quality Management Services
Green Lane, PA
ASQ Fellow; ASQ CQE, CRE, CQA, RABQSA Certified QMS-Auditor (Q3558)
ASQ Quality Press Author

Merging With a Non-ISO 9001 Certified Organization

Reporting, best practices, non-compliance reporting

Q: My federal agency is comprised of many different internal organizations. We have a scenario where a recently certified organization to the ISO 9001:2008 Quality management systems–Requirements is planned to be merged with a non-certified organization that has no type of management system. The certified organization’s certification runs for three years but it will be more closely integrated with the non-certified organizations. Will the merger affect the certified organization’s certification? Do you have any insights on how these types of occurrences typically affect the management system itself when an organization that is certified for 100% of its operations now becomes 50% of a larger organization? It’s quite likely that the certified organization’s name will change at least in part.

A: With regard to your question, if company “A” is already ISO 9001:2008 certified and is now being merged with a non-certified company here’s what should be considered.  First, the current ISO certification is only applicable to company “A” as defined in the scope of the quality manual as well as on the ISO 9001 certification issued by the ISO registrar.

Your ISO registrar needs to be immediately informed of changes effecting the company name, top management and/or processes.  The registrar may very likely require the newly merged companies to be reevaluated for ISO certification and listed under one ISO certification.

Most ISO registrars will not issue ISO certification for just a portion of a company.  All processes that comprise the quality system must be identified and included as a part of the QMS unless specific exclusion is stated in the quality manual as permitted by ISO 9001.  The management representative will need to ensure that top management is aware of how this merge may affect the current QMS so effective actions can be taken to bring company “B” in line with the established QMS procedures and other ISO requirements.  I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

AS9100 Rev. C Document References

Airplane, aerospace, AS9100

Q: My organization is getting ready for our registration audit to AS9100 Rev. C  — Requirements for Aviation, Space and Defense Organizations.  There is a debate regarding procedures and the document references with those procedures.  If the procedure does not mentioned a document within the body of the document we normally do not include it in the reference section of the procedure.  Our internal auditor says that we should reference all documents that show linkage in the process approach.

For example, the auditing procedure references corrective action, preventive action, etc., but does not have any of the document mentioned in the body of the procedure.

Can you settle this matter? Our auditor says that we will get a finding if this is not done.

A: The process approach is more than including references to documents, especially with AS9100 revision C requirements to identify your product realization processes.  I would encourage you to examine some guidance materials available on the ISO website:
Introduction and support package: Guidance on the concept and use of the process approach for management systems action procedures, but the narrative of the procedure does not include how these procedures tie into the auditing practice?  It would seem that the auditing procedures body should support the referenced procedures and explain how they are applicable within the auditing process.  If I was your auditor, I would issue an observation or opportunity for improvement for that condition.

Your first paragraph seems to indicate the reverse scenario.  If a document is not referenced within the body of the document, then it is not a referenced procedure.  Yes, that appears reasonable.

It is a good practice to show the interrelationship of documents to include parent-child relationships and referenced documents when appropriate.

Buddy Cressionnie
International Aerospace Quality Group Americas AS9100 Lead
Voting member of the U.S. TAG to ISO/TC 176
Southlake, TX

Resources about Quality Culture

ASQ Global State of Quality 2016

Q: I am a senior member of ASQ.  I plan on giving a two to three hour workshop on quality culture at my company.  Do you have any audiovisual materials and/or examples from other successful companies that I could use for my slide presentation?  I would really appreciate it if you could provide me with more informaton on creating a quality culture.

A: According to The Quality Improvement Glossary by Donald L. Siebels, quality culture “consists of employee opinions, beliefs, traditions, and practices concerning quality within an organization”.

ASQ has over 200 books and articles on the topic of quality culture.  I have included links to a number of different resources, including webcasts and case studies, that contain content that I believe pertains most to your question regarding quality culture.

Case Studies:

“Quality Culture in Small Business: Four Case Studies”: http://asq.org/data/subscriptions/qp/2001/0101/41watson_jan2001.html

“Building a Culture of Quality”: http://rube.asq.org/2010/08/certification/culture-of-quality.pdf

“Quality Engrained in Culture at Iowa Hospital”:
http://asq.org/2009/05/continuous-improvement/quality-engrained-in-culture-at-iowa-hospital.html

“R. L. Polk & Co.: Making Every Issue the Only Issue”: http://asq.org/2009/02/customer-satisfaction-and-value/polk-making-every-issue-the-only-issue.html

“Celsius Australia: BEST PRACTICES, Reach for the STARS”: http://asq.org/quality-progress/2007/05/leadership/reach-for-the-stars.html

Articles/Conference Papers:

“A Framework for Organizational Quality Culture”: http://asq.org/data/subscriptions/qmj_open/1999/october/qmjv6i4cameron.html

“A Nontraditional Approach to Creating a Quality Culture”:
http://asq.org/world-conference/2011/six-sigma/creating-quality-culture.html

“Creating a Quality Driven Culture…Breaking Through the Culture Wall”:
http://asq.org/data/subscriptions/jqp_open/1994/march/jqpv17i2sirota.html

“Creating a Culture of Success Is a Team Effort”: http://asq.org/members/news/aqc/54_2000/14107.html

“The Modern Noah’s Ark”: http://asq.org/world-conference/2011/quality-management/culture-of-quality-cruise-ship.html

Webcasts:

“Creating a Quality Culture Webcast”: http://asq.org/2011/10/creating-a-quality-culture-webcast.html

“Juran’s Quality Handbook: The Complete Guide to Performance Excellence Webcast”: http://asq.org/2011/09/basic-quality/jurans-quality-handbook-webcast.html

“Executive Insight Webcast Interview with Mark Laney of Heartland Health”: http://asq.org/2011/04/baldrige-national-quality-program/executive-insight-webcast-interview-with-mark-laney-of-heartland-health.html

(discusses how they built a culture of high performance in their organization)

These videos are from ASQ’s blog, “A View from the Q”.  The videos are located at the end of the blog posts:

“Coca-Cola’s Quality Culture”: http://asq.org/blog/2011/11/coca-colas-quality-culture/

“Four Questions: Creating a Culture of Quality with Dr. J.J. Irani”: http://asq.org/blog/2011/07/four-questions-creating-a-culture-of-quality-with-dr-j-j-irani/

“The Ps and Qs of the new General Motors”: http://asq.org/blog/2011/09/the-ps-and-qs-of-the-new-general-motors/

“Four Questions: Talking Quality with Ford Motor Company”: http://asq.org/blog/2011/06/four-questions-talking-quality-with-ford-motor-company/

2011 ASQ World Conference on Quality and Improvement On-Demand Recordings (Available for purchase): http://wcqi.asq.org/2011/virtual/index.html

Includes the topics “Building a Quality Culture” and “Organizational Excellence”

E-Books:

“Quality Makes Money: How to Involve Every Person on the Payroll in a Complete Quality Process (CQP)”:
http://asq.org/quality-press/display-item/index.html?item=E1241&xvl=76081302

“The Progressive Audit: A Toolkit for Improving Your Organizational Quality Culture”:
http://asq.org/quality-press/display-item/index.html?item=E1268&xvl=76081291

I hope that this information helps.  If you are interested in doing some more searching on your own, you can search for articles and books in the ASQ Knowledge Center: http://asq.org/knowledge-center/index.html.

If you are interested in using any of these resources in your presentation, please contact ASQ’s Quality Information Center for more information on using and reprinting ASQ resources or see the following link on ASQ’s copyright permission policies: http://asq.org/copyright/.

Best regards,

ASQ Research Librarian
Milwaukee, WI

ISO 9001 Management Representative

About ASQ's Ask the Standards Expert program and blog

Q: ISO 9001:2008 Quality management systems — Requirements defines the responsibilities of the management representative (MR). To carry out these responsibilities, the MR needs certain defined authorities. What principle authorities should a MR posses to meet the responsibilities defined? I am a quality manager and I report to the project director, who reports to the CEO. While auditing other directors in the organization, my boss (the project director), requested from me to discuss with him the audit results of other director’s’ audit findings since I am reporting to him. I pointed out that the MR Role is independent and it is not a part of the function of Quality Manager where I report to him.

How can I make it clearer that I need independent authorities to perform the role of the MR?
 
A: Section 5.5.2 Management Representative: defines the appointment and responsibilities of the management representative. He/she is appointed by top management. The implication is that top management can ask for reports on the MR’s responsibilities. A summary of these are:

  • Ensure QMS process are established, implemented and maintained
  • Reporting to top management on performance of QMS and need for improvement
  • Ensure promotion of customer Requirements in the Org.

It is true that management representative responsibilities are not those of the quality manager. But, ISO 9001 does not define responsibilities of the quality manager.

My suggestion is to go to the person who appointed you management representative and ask him if you should provide the information requested.

Sandford Liebesman, Ph.D.
Voting member of the U.S. TAG to ISO/TC 176
ASQ Fellow
Morristown, NJ

ANSI/ASQC C1-1996 Supplier Testing

Schedule, calendar, timeline

Q: I need clarification on the following, please:

ANSI/ASQC C1-1996 — Specification of General Requirements for a Quality Program — has been included in the required specifications from a prospective customer. Section 3.3.4 states (in the last sentence) “Furthermore, the validity of certifications shall be periodically verified by the buyer through independent testing.”

What criteria (time-frame, suppliers, mills, etc.) should be used to comply with “periodically?”

What testing is to be performed for the required independent testing? Is it to be only a chemical analysis, or are mechanical tests to be performed as well?

Does this standard require independent testing of materials in purchased components such as gaskets, glass, bolts and fittings, or is “raw materials” only meant to be the base materials such as plate and sheet steel that we purchase?

A: To begin with, most establishments, including your customer, already know that materials most often come with material test certificates.  For example, when you order a sheet of steel from EMJ Metals or another supplier, they will supply a test certificate along with it.

The certificates include that data which would be most important to your customer such as chemical analysis, mechanical properties, ASTM specifications, etc. You are probably already aware of all this.

As for “periodic” and “independent” testing, here is my opinion:

If you have, in writing, a document stating that all purchased materials will be subject to receiving inspection and such inspections will verify that customer requirements have been met, that will be step 1.

For step 2, if you go to the web site of almost any materials supplier, they will have documentation (quality manual, ISO certification, etc.) which you can use as evidence they are a qualified supplier.

You can then contact that supplier and ask if they will verify, in writing, that they also test the material they are sending.  Steel suppliers, like most material suppliers, sell what they receive from the original mills.  The material certs they provide to you are made of tests the mills run.  A company such as EMJ, which I mentioned earlier, uses what is called a Niton tester to verify chemical make up of the product which they buy and in turn sell to their customers.

Finally, step 3: as with any quality management system, you must “do what you say you do.”  So, if you say that part of your receiving inspection includes hardness testing, be ready to provide evidence of that (incoming inspection reports).

In closing, I feel confident that if you prepare the steps noted above, or something similar and communicate this to your potential customer, they will be doubly satisfied with your company. Doubly because all of this would display evidence of an organization with a mature QMS.

Bud Salsbury,
ASQ Senior Member, CQT,CQI