Kerri Williams of Platinum Registration was recently asked to make a presentation about upgrading an existing ISO 9001 management System to ISO 13485.

She kindly allows us to display her presentation.  With her agreement we have modified the content to remove background and benefit information about Platinum Registration. The presentation covers many of the differences between ISO 13485 and ISO 9001  but read below for more information about some of the issues which have to be considered.  You can see the presentation here: Upgrading to ISO 13485.

Organizations who are already registered to ISO 9001 are often interested in migrating to industry specific versions of the standard.  These include TS16949 (for the Automotive Industry), AS9100 (for the Aerospace Industry) and ISO 13485 (for the Medical Device Manufacturing Industry).  In some instances, customers are insisting on conformance and in others, organizations want the marketing advantage to break into or extend their involvement in the industry.

These versions enhance the requirements of ISO 9001 by adding additional requirements that must be built into the management system and implemented – with evidence, to demonstrate conformance to an auditor.

This presentation looks at the differences that exist between ISO 9001 and ISO 13485 but the principle is the same with the other standards.

With ISO 13485 the scope of the management system is very important.  ISO 13485 is used by the medical device regulatory agencies in Europe, Canada, Australia and Japan (among others) and has been accepted by a global harmonization task force which is supported by the US.  At this time, the FDA does not use ISO 13485 and thus steps must be taken to address their requirements (CFR 21 Pt 820) if it is also applicable.  For many higher risk devices, agencies require that this standard is implemented before they will allow the marketing of the medical device.

But these rules typically only apply to the device manufacturer.  Many contractors seeking ISO 13485 do not manufacture the actual device.  And even if they did manufacture a complete device, they would only have a secondary responsibility for meeting the regulatory requirements (including ISO 13485) unless it was their name on the label as the owner of the device.  More frequently a contractor is producing parts for the medical device company who might finally assemble and sell the device.  It is they who are subject to the regulatory requirements and they want an easy life justifying how some of their parts are made to their regulators.  Thus they are keen on the contractor registering to ISO 13485.

ISO 13485 contains a number of requirements that are applicable only to the device manufacturer.  For instance, the collection of post-market intelligence.  Being registered to ISO 13485 implies that you have the ability to collect post market intelligence about the medical device.  However, a contractor might not even know what device their part is used in.  In some situations the contractor cannot exclude these requirements (like for instance they might be able to exclude the requirement for the control of sterilization) and must be able to demonstrate an ability to do something that they will never have any use to do.

The contractor needs to think carefully about what they want their management system to cover (i.e. the scope) and make this clear to the chosen registrar and their auditor so that no surprises occur.  These things are not always spelled out in the standards and highlight the reason why experienced help is essential in order to achieve success.

Other differences and additions to the standard are much clearer and simply require updating or new documented procedures and the implementation of simple processes or training.  So long as the interpretation is understood (and it is not always clear) then this is a straight forward process that just takes time and resources.

All management systems require internal auditing.  Done well internal audits bring benefits by protecting against issues before they are found by the registrar, highlighting opportunities (and waste) and giving confidence in the effectiveness of the management system.  When upgrading to a new standard an internal audit needs to be conducted.  This will ensure you haven’t missed anything and show conformance to the new standard has been achieved.  Technically it is possible to audit only the changes but if this not done well, a registrar should reject the audit as ineffective.  Bearing in mind that an internal audit would be necessary anyway, a slightly enhanced audit for the new standard is just a little more effort than normal.

Cavendish Scott, Inc. has been consulting, training and auditing on the implementation of ISO 9001 and industry specific standards for 25 years.  Upgrading an existing ISO system to meet an additional standard is something we are frequently asked to assist with.  Typically we review documentation, make adjustments to existing documents and write new procedures, support with the training, understanding and implementation of new processes and changes.  We then conduct internal audits (which usually have to be completed anyway) at a slightly enhanced level to prove conformance with the additional standard – and guarantee successful registration.  For more information tell us a little about what you want to achieve by clicking here.

Click here for the presentation:
http://www.cavendishscott.com/articles-info/articles/wp-content/uploads/2010/06/ISO-13485-v-ISO-9001-060310.pdf

Free e-Book: Upgrading to ISO 13485 From ISO 9001

Want to know why you should upgrade your ISO? Get our free e-book on making the transition from ISO 9001 to ISO 13485.

Colin Gray gave the attached presentation to the Northern Colorado ASQ in September of 2009.

Northern Colorado ASQ Presentation Fix your QMS to ISO 9001:2008

The content included:

• A review of the changes to the standard (no real changes)
• A review of the corrigulum fixing errors with the new standard (no real errors – only in appendices)
• The implementation timescale – no ISO 9001:2000 certificates to be issued after November 15, 2009.  No ISO 9001:2000 certificates in existence after November 15, 2010.
• Example of a poor nonconformance issued against the changes (withdrawn by the auditor after a complaint – but beware)
• Key implementation activities

People have been making mistakes for tens of thousands of years. Since the industrial revolution, the impact of certain mistakes has grown immensely. Before the industrial revolution, a dull tool used in machining a part would likely only impact one part—since parts were made one at a time. With the advent of mass production, a dull tool used in machining could impact hundreds of parts.

ISO 9000 is written by quality professionals all over the world, professionals who have had a lot of experience with industrial mistakes and problems caused by poor control over processing. So, ISO 9000 can be viewed as a collection of situations that need to be controlled in order to avoid well-known sources of quality problems. In fact, each and every requirement of ISO 9001 is intended to promote adequate control over organizations’ operations and improvement of organizations’ processes.

Taking the requirements of ISO 9001 in order and treating them very generally, let’s incorporate each of the requirements into the phrase: “If you don’t x, you can expect quality problems.” (For comedic relief, you might imagine the following list as being akin to Jeff Foxworthy’s, “If you x, you might be a redneck.”)

• If you don’t have a system to manage quality, you can expect quality problems. In other words, if you have no systems in place to ensure quality in processing, processes will become idiosyncratic and dysfunctional. This will cause quality problems.
• If you don’t have any documented methods of operations, you can expect quality problems. Word of mouth might work for a while but as time passes, so do memories of what was agreed to be the right way to do it; as product requirements become more plentiful and complicated, processes used to realize such products need to be clearly defined and process documentation (e.g., drawings) is necessary—or else you will have quality problems. Can you imagine a (legal) organization that uses no documentation whatsoever?
• If you don’t control your process documentation and records, you can expect quality problems. If you have no controls over your documentation—which almost hard to imagine—people will make mistakes. Imagine no dates or revision levels on drawings or specifications; imagine random part numbers or order numbers; imagine people finding their work instructions blowing around in the parking lot. No control over records would mean that you could not retrieve any evidence of contractual agreements, no evidence of work completed, no evidence of inspection or test results, etc. Without adequate control over documents and records, you are going to have quality problems.
• If you don’t have top managements’ interest in quality, you can expect quality problems. If top management doesn’t drive it, don’t expect autopilot to take over. If management does not provide some mechanism for communicating the importance of quality, the importance of quality will not be communicated; if management does not plan quality assurance, management is effectively planning for quality problems; if management does not periodically review performance and establish goals for improvement, performance will not improve. Without management commitment, you are going to have quality problems.
• If you don’t determine and provide resources necessary to assure quality, you can expect quality problems. If incompetent human resources are involved, you will have problems. If the provided work spaces and equipment are inadequate or unreliable, you will have problems. If the work environment is such that it hinders processing or degrades product somehow, you will have problems.
• If you don’t plan product realization, you can expect quality problems. Without some idea of what to make, how to make it, how to check it, and how much to produce, you can expect problems.
• If you don’t understand what your customers want, you can expect quality problems. Failure to understand customer requirements will not fix itself internally during subsequent order processing. If you make promises to customers that you do not have the ability to fulfill, you will have problems—not just quality problems, but business problems.
• If you don’t control the process for designing products, you can expect quality problems. If inputs to the process are ill-defined and criteria for success are equally ill-defined, you will have design problems. If the outputs of design are not reviewed to determine their acceptability, i.e, they are not verified or validated to meet customer needs, you can expect quality problems. If you have no controls over design changes, you will have problems.
• If you don’t exert some control over suppliers or supplied product, you can expect quality problems. If you use unreliable suppliers and/or you don’t properly qualify and quantify product to be purchased and/or you do nothing to verify supplied product, you will have quality problems.
• If you don’t plan how each order will be processed, you can expect quality problems. If you don’t provide information describing the product or instructions to make the product, you will have problems. If suitable equipment is not provided to process work, you will have problems. If you don’t have inspection devices and you need them to determine conformity, you are going to have problems.
• If you don’t control processes resulting in product that cannot be verified to conform to requirements, you can expect quality problems. If you are building bombs or packing parachutes for a living, and you let just anyone off the street process work using whatever equipment they might be carrying, you are going to have problems. If you have no specified method for processing, you are going to have problems.
• If you don’t or can’t identify product you are working with, you can expect quality problems. If traceability is required and you cannot maintain it, you are going to have problems.
• If you don’t notify the customer that you smashed, lost, or otherwise ruined product they supplied to you, you can expect quality problems—at the very least dissatisfied customers.
• If you don’t make efforts to preserve product during processing, storage, and transport, you can expect quality problems. If you ruin product while working with it, allow it to spoil during storage, or fail to package it properly for shipment, you are going to have problems.
• If you don’t establish a par for processing performance, you can expect quality problems. Without measures revealing how well you are performing, you will not know how well you are performing. If you don’t know how satisfied your customers are, you don’t know how well you are performing; if you don’t know the degree to which working practice complies with established methods, you don’t know how well you are performing; if you don’t establish a par for processing and analyze actual performance against par, you don’t know how well you are performing; if you don’t measure or monitor your product to determine if it meets requirements, you don’t know how well you are performing. In this latter case, you don’t know if your product conforms to requirements, which will cause quality problems every time.
• If you don’t control nonconforming product, you can expect quality problems. If you continue to add value to product that doesn’t conform to requirement in the first place, or if you ship nonconforming product to customers, you can expect big problems.
• If you don’t analyze the measurement data you are collecting, you can expect quality problems. Unanalyzed data is not worth collecting.
• If you don’t improve upon what you do, you can expect quality problems. As tolerances become tighter and competition grows stiffer, improvement must be a permanent objective of any process—or else you will have problems.
• If you don’t take actions to eliminate the root causes of your problems, you can expect quality problems. If you simply correct errors and go on, you can expect the same errors to repeat themselves—resulting in the same old problems.
• If you don’t take actions to address potential problems, you can expect quality problems. If you don’t avoid them, you will experience them.

FREE E-BOOK:
Five Easy Pieces: The Basic Steps to ISO 9000

Need to begin implementing ISO 9000 but feeling overwhelmed and unsure where to start? Come get our free guide on the basic steps to ISO 9000:

Download Now

Such a broad question might best be answered, “It depends upon the circumstances.” It’s a bit like asking, “What does the law require?” The answer depends upon the situation in which it is being applied.

Let’s take part of ISO 9001:2008, 7.2.2 as an example:

“The organization shall review the requirements related to the product. This review shall be conducted prior to the organization”s commitment to supply a product to the customer (e.g. submission of tenders, acceptance of contracts or orders, acceptance of changes to contracts or orders) and shall ensure that:

a) product requirements are defined,

b) contract or order requirements differing from those previously expressed are resolved, and

c) the organization has the ability to meet the defined requirements.

Records of the results of the review and actions arising from the review shall be maintained (see 4.2.4).”

One organization might generate sales orders as evidence of successful review and acceptance of customer purchase orders. In this case, the above ISO 9001 requirements apply directly to that organization’s sales orders and to their respective customer purchase orders. Review activities resulting in accepted sales orders are also subject to these requirements. Since order review and acceptance is evidenced by the generation of sales orders, sales orders are regarded as quality records and must be maintained accordingly. In this case, the above ISO 9001 requirements may be construed as follows:

Before sales orders are generated, customer purchase orders must be reviewed to ensure that product requirements are defined, that any requirements differing from those previously expressed are resolved, and that the organization has the ability to meet those requirements. Records of sales orders must be maintained according to the requirements of ISO 9001:2008, 4.2.4.

Meanwhile in another organization, the evidence of successful review and acceptance of a customer’s purchase order might be order entry in “the PO Log.” In this case, ISO 9001 applies to the log and to the activities resulting in each log entry. So, in this case, the standard’s requirements might be construed as:

Before orders are recorded in the PO Log, customer purchase orders must be reviewed to ensure that product requirements are defined, that any requirements differing from those previously expressed are resolved, and that the organization has the ability to meet those requirements. The PO Log must be maintained according to the requirements of ISO 9001:2008, 4.2.4.

Free e-Book: How to Avoid Famous Mistakes With ISO 9001

Want to avoid some of the most common auditing mistakes for ISO 9001? Get our free e-book on common ISO mistakes and how to avoid them.

Par is a recognized standard for golf performance. It is applied at the end of every hole and at the end of every round. It is used to measure performance in terms of strokes. Golfers compare their performance against a standard to determine how well they golf relative to the established standard. Because other golfers use the same standard, golfers’ scores allow them to assess their performance not only relative to a standard, but also relative to other golfers.

A ruler represents a standard for linear measurement. This standard is applied to any linear object to discern its length in terms of defined (standard) units. In America, these standard units are inches.

A standard exists for each type of purebred dog breed, e.g., a standard poodle. Such standards describe established criteria pertaining to height, weight, color, coat, stop, etc. Using this standard, any purebred dog can be compared to its standard. One can conclude that her dog is heavier than standard or taller than standard, etc.

So a standard is an established set of criteria or a frame of reference against which individual cases can be assessed or measured.

ISO 9001 is an international standard for quality assurance. If par as a standard measures golf performance, and a ruler as a standard measures length, what does ISO 9001 as a standard measure? Answer: quality management systems. The standard is applied to organizations’ quality management systems to determine the degree to which these systems satisfy a given set of established criteria.

Any organization staying in business has some kind of system to keep afloat. The question here is whether or not the system is consistently applied and whether or not the system is robust enough to meet the established requirements of ISO 9001.

ISO 9001 requires that a system be in place to promote consistent control over processing, a system that continually improves process performance. Because it is a standard for quality assurance, its criteria pertain to processes affecting the quality of products or services offered to customers. An organization pursuing certification to ISO 9001 needs to demonstrate that its processes affecting quality are systemically managed. It requires a system of assuring quality, meaning that the processes involved are defined and operation of these processes is controlled to an appropriate degree to assure quality.

If an organization re-invents itself and its processes with the acceptance of each customer order, this inconstancy in processing will result in inconsistent performance, inconsistent product or service quality, and inconsistent customer satisfaction. Organizations operating such systems do not receive ISO 9001 certification.

ISO 9001 requires a system of processes to be defined, through with each customer order consistently flows, thus promoting consistency of processing, thereby promoting consistency in resulting product or service offerings. This results in consistently satisfied customers—which of course is good for business.

If a person told you that he was a better golfer than Tiger Woods, you would expect the person to prove it. If this person’s proof consisted of, “Because I say so,” you might not find this evidence compelling. Before believing this person, you would most likely want to know the person’s handicap—which is ultimately derived from the standard we know as par. Absent such objective evidence, how would we be able to tell how good Tiger is in the first place?

If a person told you that their organization would be an excellent supplier to your organization, you might want more than “Because I say so” as evidence. You might want to know if they are a fly-by-the-seat-of-their-pants type of organization, or if they actually have systems in place to assure quality. If a potential supplier can prove a system is in place, and that this system has been assessed and registered to ISO 9001, now you have some evidence of systemic quality management. This imparts confidence that your orders will be processed in a manner known to produce successful results.