Piecing together quality and compliance
5 Jan 2012 by Evoluted New Media
Julian Rutherford explains that quality assurance and compliance need not be two separate entities
All too often, issues of quality assurance and compliance are viewed as a paperwork exercise to demonstrate that the individual – be it person, laboratory or company – is acting in the best interests of all stakeholders with respect to both legal and specification requirements. Quality assurance can be defined as the systems, protocols, checks and balances that are required to assure the eventual customer that the product or service is as described and, therefore, fit for purpose. Compliance can also be defined in terms of the requirements imposed on all suppliers of a particular product or service by a regulatory agency, again to ensure that the product or service is delivered as described and therefore fit for purpose. The upshot of this is frequently two top heavy administrative systems, one for quality assurance, the other for compliance, each with their own priorities and champions. This can act as a barrier to free thinking, development and progress whilst entrenching the negative aspects associated with posterior covering that often motivates many corporate bodies, both large and small.
This need not necessarily be the case; the protocols associated with both quality assurance and compliance have many features in common and could benefit greatly from a sympathetic merging of the two systems. I believe that an effective quality assurance system can greatly facilitate and support a parallel compliance system whilst reducing the administrative overhead to an acceptable level without compromising on the requirements of either discipline. A particular health & safety discipline, that of risk assessment, can act as a glue that binds all three activities – quality, compliance and risk assessment – together into a single cohesive business tool that can identify areas of weakness in compliance terms whilst at the same time identifying areas for improvement in quality, as well as the information necessary to prioritise those improvements. Finally, I will introduce a financial element into the discussion. In essence, once there has been a prioritisation in terms of need, be it quality or compliance, there can be a further ranking in order of budgetary availability.
Considering ISO9001:2008, the general quality assurance standard, and ISO13485:2003, the medical device quality assurance standard, it is immediately apparent that these two are very similar documents with very similar requirements. If we then look at the requirements of one of the best known compliance bodies, the FDA (Food and Drug Administration) of America, then we can again see a significant amount of convergence. Just as the two quality assurance standards have sections requiring that there are corrective and preventive actions (generally addressed by section 8.5 of both standards), there is a requirement for there to be corrective and preventive actions and that these should be assessed during both abbreviated and comprehensive inspections by the regulatory authority acting under the FDA protocols.
In the early days of quality assurance, when the standard of choice was BS5750, parts 1, 2 or 3, there was a significant compartmentalisation of functions. This meant that when ‘problems’ arose, they were dealt with differently, with their own documentation. For example, there was the customer complaint form, the supplier performance record, and the internal fault report. This latter could broaden out into separate forms for manufacturing, warehousing, design, sales and marketing, administration; indeed the list was endless. Each individual function or department had their own priorities and turf to patrol and all too often defend. This resulted in the situation where there were many different methods of reporting against many different criteria. In addition, the methods of reporting were parochial and often not relevant to the global business. The resulting mountain of paperwork initially got the quality assurance standards a bad reputation as a top-heavy administrative burden.
Let us now examine the requirements of the FDA with respect to the inspection of medical device manufacturers (program 7382.845) and the operational parameters against which inspection is carried out. Looking at the inspection strategy for operations we see a number of areas that identify non-conformity and require appropriate responses to that non-conformity, should it have occurred. Furthermore, there are requirements for adequate design and production controls as well as the facility for, what is essentially, re-assessment following compliance failure.
Looking at the level of FDA inspections, they acknowledge that different devices and different stages in the manufacturer’s development require different levels of inspection. This parallels with the quality assurance standards where there are different assessment requirements for design, manufacture and strategic review assessments as well as re-assessment following major non-conformity. For example, for an engineer, it is comparatively easy to appreciate a deviation of 1% from specification. In some circumstances 1% is hardly noticeable, in others it can result in catastrophic failure. Likewise, for a sales manager it is again comparatively easy for them to understand that to be a day late in fulfilling an order could have an equivalent spectrum of importance, from a minor inconvenience to the loss of a valuable customer. The problem is getting the two sides in these examples to understand the importance of each other’s failure to meet requirements, be they engineering, customer or compliance.
At this stage in the discussion I am indicating the parallels in the administration of the two sets of standards, the quality assurance (ISO) and compliance (FDA) requirements for medical devices. Not only that, but in operational terms, it would appear that the requirements of the two types of standard are almost identical. This does not, in any way, disregard the differences in criticality of measurement and rigour of inspection between the manufacture of a medical device such as a pacemaker and a less critical electrical device such as an MP3 player. It simply states that the methodologies of inspection and control of design, process and non-conformity are of a similar nature.
In the UK, the HSE (Health & Safety Executive) facilitate the implementation of risk assessments throughout business by indicating that to be effective they do not necessarily have to be complex. The NHS have for a number of years adopted the consequence linked with likelihood model (Table 1).
The system of scoring provides a common understanding across multiple disciplines, including clinical, managerial, and financial, within the NHS that a scenario with a score of twenty-five needs immediate action; if the score is twelve it needs addressing sooner rather than later; and when we get down to 1, 2 or 3 we are at the dotting the i’s and crossing the t’s level.
Although somewhat simplistic, in this example, the use of numbers as scores of severity indicates the potential for any given scenario to impact the business involved. The advantage of the above method is that it is accessible and highlights where there are areas of risk that need addressing. The problem with this method is that the scores, being (usually) subjective and therefore not capable of calibration, lead to a degree of uncertainty in the overall value of the result.
Table 1: Risk scoring = consequence x likelihood (C x L)
Failure Mode Effect Analysis (FMEA) has been used to further advance the communication of action required and is a tool historically used in engineering. In FMEA there is another parameter, that of ease of detection, as well as a more detailed examination of potential problems. There are still, essentially, the likelihood and severity criteria, but added in is the probability of detection. Also, in identifying the various failure modes it is possible to give a more accurate score to the criteria in question. In addition, in FMEA there is a requirement to both identify the failure modes and identify what to do about them to reduce the severity and likelihood of the effects themselves. In essence, what FMEA can be used for is to take a risk assessment tool and use it as a continual improvement tool. The implications of this are far reaching when adopted as a global strategy throughout an organisation, be it large or small. The main drawback with FMEA, when compared to the 5x5 risk matrix, is that it is much more complex, both to do and to be understood by different disciplines. The overwhelming advantage is that it gives a numerical result for any given scenario that can be readily appreciated by any function within an organisation. The simple fact that scenario A has an FMEA score of 212 means that it is inherently more risky than scenario B which has an FMEA score of 28. This simplistic judgement call is one that can be appreciated across the whole spectrum of any business in any country in any sector and thus readily identify areas of vulnerability. In effect the FMEA is re-focused to be a Vulnerability Assessment Tool (VAT).
All quality assurance systems set up under ISO9001 and/or ISO13485 (section 8.5 Improvement in both standards) must have within them a methodology for identifying non-conformity and also of identifying corrective and preventive action(s) and using that to drive the continual improvement process. With a well-managed quality assurance system there should be built into it requirements for such activities as internal audits and regular calibration of equipment. It is not unreasonable to extend these planned events to include the reviews necessary to ensure continued compliance status with the relevant regulatory body.
Joining these two threads, that of risk assessment through FMEA together it is possible for the relevant internal authorities within each business sector to produce their own VATs. This would mean that even without the knowledge and understanding required to produce them, VATs will demonstrate areas of vulnerability and the appreciation across the board of the reasoning behind the assignment of specific resources to address these. This information could then be supplied to management in the form of an Ishikawa (fishbone) diagram which, in these circumstances, is not a cause and effect diagram as such but shows where there are areas that present a significant, potentially cumulative risk to business. This therefore demonstrates where there is an increase in the overall vulnerability of an operation or organisation.
Furthermore, considering the fundamental requirements of compliance, that of the review and documentation of change, the VATs should, automatically, generate the necessary actions on behalf of the requisite personnel to ensure that compliance criteria are actively maintained.
There are also economic benefits to the use of VATs. The necessity of having an individual with an intimate knowledge and understanding of all the processes involved in an operation is greatly reduced. Usually this is not possible in the larger organisations and so there is an entire compliance department, which will consist of a multidisciplinary team that is able to understand and assess all the processes for compliance. Very often there will also be a quality assurance department carrying out, what are in the final analysis very similar functions but being more customer focused.
Where VATs are created in an objective manner and coordinated accordingly, it would be possible to merge the compliance and quality assurance activities into a single entity where the benefits to the business are greater than the sums of the two individual functions. This would represent a true synergy with positive benefits to the company concerned.
Essentially this is a development of the principles of quality assurance from conformity to specification to continual improvement. I spent a number of years as a quality assurance consultant assisting SMEs with the introduction of BS5750. This quality assurance standard required that, at management review the company addressed a single question; “Do we do what we say we do?” This was a requirement of the standard that, at regular and appropriate intervals, the appropriate people got together to ask and answer this question. Knowing how difficult it was for SMEs to plan and deliver formal meetings there was the need to make the management review more meaningful so I suggested asking a second question; “Can we do it better?” My clients saw this as a move away from just compliance and towards positive business improvement.
I would suggest now that the construction of VATs by the individuals who have the knowledge to do so and their supplying these to the systems people, be they quality assurance or compliance professionals, will greatly facilitate the continuance of successful compliance assessments as well as ongoing quality assurance surveillance assessments. This has, in effect, the same incremental increase in benefit to the organisation as the asking of the second quality assurance question as indicated above.
There is an increasing emphasis on business continuity planning with the advent of BS25999 and the anticipated publication of ISO22301 towards the end of 2011, beginning of 2012, that would indicate that the principles of risk assessments should be applied throughout a business. The VAT will do just that and as well as making it apparent to the operational sectors of a business where there is the need to take action, it will also identify to administration their vulnerabilities. These two, often separate business entities, can then be compared allowing management to identify and prioritise actions, based on objective measurements not perceptions of need.
In short, it would be reasonable to conclude that the synergy between the requirements of quality assurance and compliance protocols, when combined with an aspect of risk assessment and failure mode effect analysis, produces a business tool that has a universal applicability and a measurable effect on the ability of the business to perform in a consistent and robust manner.
Author: Julian Rutherford, Quality and Safety Manager for D&L Medical Ltd, a leading provider of medical gas pipeline services