FAQs

November 3rd, 2011

What’s the best for ISO: Flowcharts or procedures?

Procedures!

There is a lot of debate about the use of flowcharts and the degree of documentation necessary for an ISO project.

Common misconceptions are that ISO requires only a minimum amount of documentation, and thus that you should try to have as little documentation as possible, and that flowcharts provide an adequate way of describing a process and thus meet ISO requirements. These myths have been propagated by poor auditors who accept inadequate procedures in whatever form they are documented, though typically as flowcharts. There has also been an upsurge in Lean and Six Sigma training, which frequently tends to denigrate the benefits of ISO (in some cases justifiably, but not in principle and not generally) and strongly favors the use of flowcharts to define and describe processes.

Flowcharts have their place. Their goal in a Lean or Six Sigma project is to provide enough information to allow an understanding of the process, perhaps in order to look for waste or opportunity. Sometimes these flowcharts have considerable detail, including timing information, production rates and other information. For that purpose they are great.

ISO requires that processes are defined and that those processes meet certain requirements. A flowchart tends to be general in nature, so to be able to prove that the ISO requirements have been met, additional information has to be added to a general flowchart of the process in question. Sometimes this means adding extra boxes to describe the detail of the requirement. Then, all of a sudden, a nice general flowchart with boxes of similar detail has a couple of boxes that are out of context because they provide substantial detail. For instance, three boxes might be “plan the activity”, “issue instructions” and “review results”. The ISO box might require “record details and person authorizing the release of the job”.

By the time you have added extra boxes for all of the ISO requirements the flow is broken.

Another approach is to add notes to the side of the flowchart and associate them with the relevant box. So now the note about “record details….” would be a note at the side, related to the “review” box. This works, and the flowchart can remain general, or at least consistent in level of detail. The truth is that this is also potentially confusing. The box and its notes are often not next to each other, and the referencing and cross-referencing make it difficult for the understanding to flow with the simplicity of the flowchart. Moreover, if the notes are going to be in sufficient detail to actually describe what the activity is (in order to meet the ISO requirement), then it might as well have been written in full as a procedure anyway.

Flowcharts provide a few key benefits. They provide a simple overview of processes. But they need to be consistent in level of detail, decision boxes can't be contrived (just to make the flowchart worthwhile) and they should ideally fit on one page – or you lose that special benefit of being able to see the whole process.

Obviously all of these issues must be taken with a “pinch of salt” but the bottom line is that if you are trying to create a comprehensive management system, documented procedures are the best way to do it.

Cavendish Scott has been consulting, auditing and training in ISO management system processes and systems since 1985 and has limitless experience of documenting systems, processes and activities. We can also provide training on documenting and implementing ISO management systems.

November 3rd, 2011

What is the best way to approach an ISO 27001 project?

Great question! Too many organizations get this wrong. With the wrong approach you will set back your ISO registration by a year or more, misunderstand the whole point and cause substantial amounts of extra work.

Unfortunately there are many consultants out there who don’t understand this either and they are providing the misdirection.

ISO 27001 is a management system standard. Its goal is to enhance information security, but the way it does it is to build a management system that ensures success. It is NOT about information security controls and protecting information. Well, obviously it is about these things, but only in outcome terms – not in terms of process.

Too many organizations pass the ISO 27001 project to the information security or IT organizations. Or a consultant is sought with expertise in information security. Typically these sources will focus on the technical and security aspects of information security and spend a lot of time and money reviewing your security status, conducting tests and designing solutions. While this is definitely part of the program, it is NOT what ISO 27001 is about and it won't get you registered. Further, this is the most expensive part of information security and takes the most time. Delays and cost are a turn-off to top management.

The whole philosophy behind ISO 27001 is that you establish processes within your organization so that you understand your information security situation and what that means in risk terms, communicate it clearly to those ultimately responsible, and take only the actions that you want to. That is it. It is not about physical security, network scanners or patching processes. If any of these are good ideas in your organization, the management system will identify them, quantify what that means and allow those responsible to work out the risk/return decision.

Addressing the controls can often take years, and you don’t need to have done that to get ISO 27001 registered. If you start from the management system direction you can be ISO registered in a few months and have ever-improving information security from then on.

The consultants who can do this best are those with more ISO experience than security experience. If your consultant is pressing for too much security, then you probably have a long wait and a lot more effort to go before you get ISO registered.

Cavendish Scott has been consulting, auditing and training in ISO management system standards since 1985. Our expertise is in processes and management systems and in the careful and precise interpretation of standards and regulatory requirements into organizational processes and management systems. We guarantee successful ISO registration when we take on projects.

November 3rd, 2011

I have 13485 — Do I need “harmonized standards”?

The term “harmonized standards” is officially used in European law. To meet European product laws such as the Medical Device Directive (or Active Implantable MDD or In-vitro MDD), an organization must meet the requirements laid down in the directive itself. In order to make that easier (legislation is written in legalese and not technical language), the European Union officially recognizes international and national standards that specifically meet legislative requirements. These standards are then termed “harmonized”. The most common example is ISO 13485 itself. There is no requirement in the MDD to actually meet 13485, but if an organization can demonstrate that it does meet 13485 then it is considered to fully meet some of the requirements of the MDD.

The principle goes further. Europe recognizes that certain standards, if adopted and met, will address other requirements. Many of these standards are detailed technical standards and address a “few” requirements within the legislation. A complete technical standard might cover testing and validation of toxicity and address a single line in the legislation that says “ensure the product is not toxic”. As time goes on, more and more technical standards are recognized as meeting requirements and more and more become harmonized.

Although there is no downside, in some instances the harmonized standards may be overkill.

For instance, IEC 62304 (Medical device software – Software life cycle processes) is a standard for how software should be developed for medical devices. If your device is simple, and perhaps you are the only developer, then a formal life cycle process is not necessarily appropriate, although the principles are still valid.

It is important to note that, technically, harmonized standards are not mandatory. If you have a simple way to prove that your product is “not toxic” or that “software is developed under controlled conditions”, then you don’t need to address a full standard.

It is also worth noting that notified bodies are keen to encourage the use of harmonized standards, and it is likely that all relevant standards will be identified for your device and you will be quizzed about their applicability. Adherence to standards shows a comprehensiveness of approach, and the notified body doesn’t need to challenge itself and think about adequacy – because the standard is defined as adequate. Given this, it is important that you look for harmonized standards, review them and are at least able to comment on their applicability.

Finally, it’s worth noting that the concept of harmonized standards is actually adopted more widely, including in Canada and the US.

Here is a link to the harmonized standards recognized by the EU: (Oct 2011)

http://ec.europa.eu/enterprise/policies/european-standards/documents/harmonised-standards-legislation/list-references/medical-devices/index_en.htm

Here is the link for Health Canada (it’s easiest to then click on the link for “List of Recognized Standards” and then click on the PDF view): (Oct 2011)

http://www.hc-sc.gc.ca/dhp-mps/md-im/standards-normes/index-eng.php

And here is the US FDA’s link: (Oct 2011)

http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/Standards/default.htm

They expect you will extract from their list all that are applicable to your device.

Cavendish Scott helps organizations implement ISO 13485 management systems and assists with the preparation of device technical files including formats to address legislative requirements including through harmonized standards.

 


August 4th, 2011

I am going to be involved in getting ISO. What is the best training course for me?

There are obviously many training classes out there, but they commonly fall into three or four types.

Firstly there are the auditing classes: internal auditor and lead auditor.  Then there are implementation classes and awareness classes.

The awareness classes tend to be introductory and very general in nature.  Someone would understand what ISO is but wouldn’t be able to audit or manage an ISO project, for instance.  It might be useful for management or generally for all personnel.

Implementation classes do exist but they are rare.  Many people who embark on ISO have consultants or do it themselves from previous experience.  Thus these courses run only infrequently.  Although trainers publicize them, they don’t always run.  It is also important to remember that this is a substantial and complex subject and frankly a few days’ training is not really adequate to cover it well.  It might be a good introduction but it is unlikely to be all that is needed.

Auditing courses are more common.  This is because all ISO organizations need to do auditing and so there is quite a need to train auditors.

Lead auditing is a professional audit course that is “needed” by all certification body auditors.  It is popular with ISO project managers and implementation teams because it gives them an understanding of ISO from the point of view of their auditor.  Theoretically it trains them to understand the standard just as well.  The course is 5 days, detailed and intensive.  There is lots of content and it provides the best possible situation for providing in-house expertise.  In our lead auditor training course we constantly present the issues from the perspective of implementing ISO as well as auditing it — they are different perspectives.

Accredited ISO lead auditor classes (e.g. IRCA) are recognized worldwide and are a meaningful qualification to organizations (so it looks good on the resume).

Because the lead auditor class is so beneficial and “desirable” it is more likely to be available and is generally more popular.  Without hesitation it is the class that is most useful to the broadest number of people.

 


July 27th, 2011

If we subcontract special processes, is it acceptable to ONLY have a certificate of conformance/compliance from the vendor to meet the requirements of 7.5.2?

It depends.

If the subcontractor is able to measure their process output, then it is not special to them (only to us because we can’t).  Therefore, a cert is acceptable and we prefer that it includes data as evidence of actual measurement.

If they are registered to 9001, AS or NADCAP, then we only require their ISO/AS/NADCAP cert because their QMS should meet the requirements of 7.5.2 if they cannot measure their process outputs on the product.

If they are not registered to 9001, AS or NADCAP and they cannot measure the products, then we need to audit them or review objective evidence of their system that they provide to us that might include work instructions, training evidence, process validation, etc.

So to answer the question, through supplier evaluation and approval, we will know which situation exists and therefore, we will know if a certificate is acceptable as all that’s required.

 
