Diana Lough gave this presentation to Pikes Peak ASQ in September 2009.

Pikes Peak ASQ Presentation. Regulatory and Statutory Compliance: Its Everybody”s Business

09 Sep 2009 ASQ Presentation by Diana Lough

TITLE: Regulatory and Statutory Compliance:It’s Everybody’s Business

Regulatory and statutory compliance has long played a part in business. Traditionally the emphasis has focused on the safety and efficacy for raw materials, components, sub-assemblies and finished products sold. It often included third-party testing resulting in a listing or mark on the product and for finished products and/or it may have required a registration or license with a government agency. Where there are regulatory and statutory requirements, compliance is mandatory and enforceable. Failure to comply can result in product confiscation, lost future sales, fines, and in severe cases, plant closures and legal prosecution. No matter the scale, failure to comply requires time and resources (and therefore money) to resolve the issue along with interruption to the business and failure to meet customer needs.

In today’s global marketplace, more governments are increasing “protection” for their citizens. More countries are following in the footsteps of Europe, Japan and Australia by requiring product registrations and in-country representation. Medical device exports have more stringent requirements.In some countries, medical and consumer product labeling and/or instructions for use must be translated in their official language.

And with the changing emphasis on the environment, the impact has broadened and more statutory requirements are coming into play. Local laws and ordinances may govern your organization’s waste stream, nuisance control and other negative impacts on the environment. Depending on the destination market for your product (national or international), there may be statutory laws regarding the product’s packaging (content and disposal) and the end of product life disposal. Legislation for banned chemicals is more commonplace, particularly in Europe and Canada. And transportation of goods even has country-specific restrictions.

So what business processes are impacted? New product development and design changes are still a primary focus. But regulatory and statutory requirements also impact marketing, sales, manufacturing, shipping and transportation, disposition of nonconforming material, facilities management, complaint handling, documentation, record keeping, and management. A brief overview of process controls for each of these will be covered.

The sky isn’t falling by any means. By ensuring your business processes are defined and implemented with adequate controls, your organization will maintain compliance and keep up with our changing world.

by Keri Luka

Warning – Not All Calibration Certificates are Created Equal!

Does your company think that it has adequate evidence of calibration because it has official-looking calibration certificates neatly placed in calibration files? How closely have you looked at the external calibration records provided by manufacturers and contract calibration laboratories?

Buyer Beware!

Some equipment manufacturers are apparently selecting and calibrating a sample of equipment in a manufactured batch. If the sample equipment is within calibration, then the entire batch of manufactured equipment is issued calibration certificates. Unfortunately, Cavendish Scott Consultants frequently find companies that are unwittingly purchasing such equipment because they see the words certificate, conformity, or calibration in the catalogue narrative without first ensuring that the equipment has been individually calibrated to national or international standards.

Upon reviewing the manufacturer certificates, it”s easy to see how they can be confusing because many of them look official and often have titles like “Certificate of Conformity” and “Certificate of Calibration.” Often these certificates even include vague statements regarding the process of calibration by referencing Z540, ISO Guide 25 or even ISO 9000. However, if you look closely at these certificates, it is obvious that they are not valid calibration certificates since they do not include the references necessary to trace the calibration to national or international standards as required by ISO 9000 and data is not generally provided.

What can you do if you have such certificates stored in your files in support of your calibration system? Start by calling the distributor or manufacturer. Ask for copies of the calibration data, evidence of traceability to the national or international standard (this is a number) and the actual procedures used to perform the calibration. If such information can be provided, then you will have enough evidence to believe that the equipment was individually calibrated. If the information cannot be provided, then ask if you can return the equipment and purchase equipment with traceable calibration certificates. In the worst case scenario, you may need to segregate the equipment from use and send it to a contracted calibration company for re-calibration.

Review Outside Calibration Certificates!

Upon receipt of calibration services, companies should review the equipment to ensure that it was identified properly and matches the information provided on the calibration certificates. The certificates should be reviewed to ensure that the required information has been included on the documents as specified in their Purchasing Agreements.

All too often, companies completely rely on the certificates provided by contracted calibration companies without looking at the certificates with a critical eye. Don’t forget to verify the records that you receive from contracted calibration laboratories – it serves as your receiving inspection for the services rendered!

As you perform this record review, ask yourself some questions:

• Has the company provided a reference that allows you to trace the calibration to a national or international standard?
• Was the equipment received out of calibration?
• Did the calibration company provide you with the data to demonstrate the severity of the nonconformity?
• If not, how will you make valid decisions regarding the use of the equipment prior to submitting it for calibration?

Does the information provided by the calibration company make sense to you? Compare the certificate to the previous certificate or to other certificates for different equipment for continuity. Do you have enough details to make you feel comfortable that the calibration was indeed performed as contracted? Most reputable calibration companies will welcome your questions and will gladly explain their processes and certificates to you.

Ensure that Calibration Certificates are Available for Review!

Some companies are electing to allow contracted calibration companies to maintain their records of calibration for them. If your company utilizes this service and has minimal records on-site for your calibrated equipment, you should ensure that the calibration company can locate and provide all of the necessary calibration records at your request. Don”t forget that some registrars will review calibration in the afternoon on the last day of the assessment. In such cases, your company may need access to their records in minutes. It would be a little more than disappointing to fail an assessment because the calibration records were not made available for review!

To ensure that the calibration company understands your expectations, ensure that your requirements are clearly stated on your purchasing agreements.

Don’t forget to verify that the calibration company is able to provide you with the necessary records during internal quality audits by selecting a sample of the calibrated equipment, calling the calibration house, and asking for the corresponding records.

QS 9000 Calibration Companies and ISO Guide 25 – A New Requirement

While ringing in the New Year, QS 9000-certified companies are scratching their heads regarding their ability to locate ISO Guide 25-certified calibration companies so that they can remain in compliance with the standard.

If your company is trying to comply with QS 9000 you should be aware that the 3rd edition of the standard requires that external calibration companies be certified to ISO Guide 25 or a national equivalent. If you cannot locate a Guide 25-certified calibration company, then you need to try to locate a company that can provide evidence that they have been audited by an OEM customer or an OEM-approved second party and that they were found to meet the intent of ISO Guide 25.

Registrars have agreed that locating such calibration companies with the right credentials has been a problem but they are required to assess companies for compliance in spite of the difficulties.

An AIAG representative recently told Cavendish Scott that they have had a lot of complaints about the requirement because of the difficulty of locating such laboratories and the cost of sending inspection, measuring, and test equipment to laboratories in other states. The AIAG said that they are planning on publishing an official position on the requirement in the near future so keep an eye on their publication. That position has now been published as the official sanctioned interpretations of QS 9000. The new position is that the registrar need not enforce this requirement so long as the supplier has a plan in place, detailing how compliance can be achieved by Jan 1, 2001. That gives everyone a little more time to push those calibration sub-contractors to seek accreditation.

Diana Lough and Emily Myers

The Value of ISO and Meaningful Audits

The attached presentation was made to a Packaging Industry group.  The emphasis was to the finishing departments in the packaging industry environment although the sentiment is widely applicable.  The presentation has two main areas:

1. How ISO can be valuable and how to realize that value.
2. How to maximize the benefits of ISO audits.

One of the most difficult things that potential clients have to cope with is how to choose a good consultant.  Unfortunately it is almost immpossible to be certain because they all tell you that they are the best and who is to know what information is important if you have never heard it before.

A few weeks ago this question was posed of Cavendish Scott by a potential client – now a client in progress.  And what a good question!  Why? Because the question asks you to choose between two important factors but you have to be good at both.  In fact this is often the reason why many consultants don’t do a good job.

Here is our response:

This is a technical standard.  If you half-heartedly address half of one of the requirements (even if you are applying it in spirit) then you will get a nonconformance and you might fail your audit.  You have to be technical on every requirement on every occasion or it may cost you.  We have tools that we use to ensure we cross our T’s and dot our I’s.  We don’t make mistakes like this.  We guarantee it (in writing).

Over the years, our immersion in the standard and demands of many customers keep our focus on the true purpose of the standard – improvement in quality performance.  You cannot improve if the system is overly burdensome, has too much bureaucracy or is difficult to maintain.  The standard requires none of these but actually encourages unique solutions based on each individual company.  We tailor your existing system, matching the requirements of ISO to what you do at the moment not asking you to change.  Where there are new things that the standard requires for you to do, we ensure an appropriate level of discipline and control that is very practical for your type of organization.  For instance it is not necessary for you or any people in your organization to be experts in ISO.  That just doesn’t work.  There is no ISO requirement and trying to remember all the requirements is expensive.  Our solutions prove you have addressed ISO in a practical way and provide you with the technical tools to demonstrate it.

Bottom line is that we are very practical.  We don’t blatantly demand improvement (formalization and discipline is often improvement enough).  We support positive practical solutions that make sense for your organization and (almost) co-incidentally, but very technically and precisely meet the requirements of ISO.

All too often internal audits are looked on as a necessary part of doing ISO.  However, if you have to do it, why not get the most out of it you can?

Any management system audit focuses on three objectives:

1. Conformance – which shouldn’t be ignored because it will protect you from the registrar’s findings but also ensures your own processes are being followed.
2. Effectiveness – auditors should determine if processes are effective at performing what they are supposed to.  Ideally there would be documented objectives and measurements to demonstrate the effectiveness of each process, although this is not always practical or desirable.  However, effectiveness is still relevant and this is one of the most important conclusions an auditor can make.
3. Improvement – ISO requires improvement.  Management also generally finds this a good thing.  Auditors should be questioning and challenging for improvements in all processes.  If there are stated objectives the question relates to how those objectives are being improved upon.

Here are some tips to boost your internal audit:

• An audit is performed for senior management.  Ask for their involvement.  Be clear about what they want out of the audit.  So long as the audit is conducted in a meaningful and thorough manner, problems uncovered are beneficial.  Even if the audit verifies that the process is reliably and consistently followed, that confirmation is valuable information too.
• Internal auditors are trainers and mentors too.  Train, empower and encourage them to provide answers, help with solutions and add value whenever possible.  They should also help employees prepare for the external audit.
• Ensure internal auditors are your process experts.  As they audit, ask them to verify for ISO issues and explain the standard to other employees.  While this is difficult with volunteer auditors, give them more time to prepare and execute the audit.  Get them to look for and encourage best practices.
• An internal audit should be a learning experience for employees.  It should help the organization prepare for the external auditor.  Employees should be able to practice answering questions and as a result of the audit, employees should be more aware of their own process, what controls are important to make it successful and what measures exist.  This points them towards improvement.
• Ensure your ISO audit covers all of the requirements of the standard each year.  While not a requirement of the standard itself, registrars, not unreasonably, impose this requirement.  Cross reference your management system to the standard and keep records of the comparison each year.  Management should be keen about this issue as a thorough review of the organization against the requirements of the standard helps ensure no stone goes unturned.
• Mix up the schedule.  Ensure some audits are conducted by ISO clauses, some by procedures, some by department.  Ensure different people look at different processes from different perspectives.  Spend more time on those areas that are more important to you or that have caused more issues.  Ensure your internal audit team includes people from every department and every level.  Yes that means top management too and the delivery driver.  They see issues differently.
• Allow the audit team some “team time” to remind themselves how to conduct the audits, review and discuss procedures and introduce areas for focus.  Involve top management to show commitment.   Similarly at the end of the audit allow a separate review meeting to discuss improvements and opportunities.
• Ensure good practices are identified and communicated throughout the organization.  Get management involved in specifying where discovered best practices need to be adopted elsewhere in the organization.