ISO Certification: Standing Out by Outsourcing

Originally Published MDDI March 2004

Guide to Outsourcing

The use of consultants can help your organization obtain, enhance, and defend ISO 9000 certification.

Darryl Duayne Baird

America's medical industry is unparalleled in its size and scope. Medical practices, pharmaceuticals, hospitals, and medical insurance are all huge industries embedded in the American economic landscape. Even the medical supply and equipment manufacturing segment, although smaller than others, is made up of nearly 12,000 companies generating nearly $70 billion in sales.1 In an industry of this size, companies need recognition to distinguish themselves from their numerous competitors. Leading companies in the industry have chosen ISO 9000 certification as one way to be recognized as elite.

Successfully obtaining and maintaining certification warrants some degree of reliance on outside consultants. Company personnel who have extensive familiarity with ISO 9000 are not easy to find, and medical suppliers and manufacturers often cannot hire enough in-house personnel to comply with all aspects of ISO 9000. Understanding the role of consultants brings a competitive elevation over others in the industry. A good consultant can learn a company's internal quality system and understand what is involved in maintaining and reinstating certifications. 

Why ISO?

At the end of 2002, the global population of ISO 9000 certificates totaled approximately 562,000, with 50,000 certified companies in the United States.2 Among American companies, the medical supply and equipment industry has nearly 1200 ISO-certified companies, with many others aspiring to become certified. Suppliers to these companies, medical distributors, and support services account for almost 600 more ISO-certified companies. Combined with the pharmaceutical industry, the medical industry has more ISO-certified companies in the United States than any other industry except automobiles and electronics. 

Obtaining and Maintaining Certification

ISO-certified companies often use certification to ISO 9000 as a consideration for supplier approval, if not as an outright prerequisite. As a result, some certified companies are vulnerable to the loss of customers if it loses its certification. Many companies do not have the internal know-how or resources to maintain certification, much less to reinstate their certification once it's lost. Even if the certified company does have the resources to perform certain compliance activities, the use of consultants may be advisable.

Certified companies operate differently from other companies. They engage in compliance activity to verify fitness for certification; participant companies receive examinations on, at the least, an annual basis. Examinations are conducted by certification auditors, employed by or contracting with registrar companies, who verify a certified company's compliance with the ISO 9001:2000 standard. Certification auditors, by the ethics of their profession, cannot serve as consultants. Therefore, certified companies often engage consultants from other registrar companies, or from firms that provide related services. 

Any company that is engaged for consulting services should have verifiable training or experience for its personnel in quality system assessment and auditing. While companies can receive ISO 9000 certification, individuals may also receive ISO certification for various levels of training in quality system assessment and auditing. Most companies choose to take on the bulk of ISO compliance activities internally; however, companies should seriously consider outside consultants for the four following areas. 

Conducting Internal Audits. All companies certified under the ISO 9001:2000 standard are required to conduct internal quality audits (IQAs).3 Depending upon the type and scale of a certified business, certain processes may receive more frequent attention than others. However, IQAs must examine every aspect of a company's quality system under ISO 9000 on a cyclical basis. As a practical matter, most certified manufacturing companies are encouraged by their registrars to have at least four internal audits annually; service businesses generally receive a bit more leniency on this point.

Two important requirements come into play here. First, the selection of auditors and the conduct of the IQA must ensure objectivity and impartiality. Second, the internal auditors cannot audit their own work. Internal independence creates a vital need for consultants to do internal audits. Outside auditors, unlike employees, cannot audit their own work, nor do they significantly succumb to company politics. Outsiders minimize the threat of internal audit results being used to retaliate against coworkers, because consultants already have an inherent objectivity and impartiality from dealing with clients. Outside auditors also permit a company's personnel to be deployed to operational tasks that client management considers most important, rather than engaging in mere compliance activities. Additionally, companies can enlist the help of auditors who have experience examining the processes, records, and quality management systems of multiple companies.

Training Internal Auditors. If a certified company does not require assistance to conduct an internal audit, it may require services to conduct training sessions for its own internal auditors. Internal auditor training is a more comprehensive undertaking. The ISO standard requires that personnel from certified companies have evidence of competence, awareness, and training for all activity that affects product quality. Internal audits have an undeniable impact on product quality; thus, certified companies may rely on consultants to provide training. 

As a practical matter, most certified companies have minimum levels of training required for their employees, usually based upon hours per year or sessions per year. Material for training sessions should be specific to the company; canned materials should be used sparingly, if at all. 

Cecilia G. Loose, CIA, CPA, of Croft, Drozd & Co. (Exton, PA) has provided ISO-related training sessions to two of the company's clients. “We design the PowerPoint presentation for our training sessions,” says Loose, whose practice has been ISO 9000-certified since 1999. In addition to providing internal auditor training, Loose has also coined a phrase, awareness training, to describe training that is designed to familiarize all personnel at a certified company with the requirements of the standard. 

Once a training presentation or materials are designed, they should be used multiple times until a major change in the company's quality system occurs. The trainer should be prepared to sign and distribute certificates to internal auditor trainees upon session completion to provide a record of training for each employee, as required by the standard.

Quality Manual Drafting and Conversion. Certified companies are required to have a quality manual. In addition, certified companies are required to have written procedures for the following six functions: 

• Control of documents.
• Control of records.
• Internal audits.
• Control of nonconforming product.
• Corrective action.
• Preventive action.

As opposed to having an employee or a member of management write a quality manual and its related procedures (which typically consist of several dozen pages at a minimum), consultants can write quality manuals and their related procedures for their clients.

Manual drafting does not require writers to have any specific credentials. However, writers or reviewers should have as much intimate knowledge as possible of a company's quality management system. Much of this knowledge can be obtained in the process of drafting a manual and its procedures. “We helped two clients through the registration process by drafting some of their internal documents,” says Loose. “We have been asked to draft policies and procedures [even for companies that] don't want to go through the registration process.” 

The manual's writer or reviewer should also be familiar with the interpretation and application of each section of the standard, and should send interim copies to the company's personnel at regular intervals for comment. Although manual drafting can be a tedious chore and few consultants provide these services, no other service can make consultants more familiar with a certified company's operations, records, and processes.

A manual-drafting project generally takes place with a company that aspires to have ISO 9001:2000 certification. However, the standard is subject to international revision every five to seven years, and certified companies are required to register to and respond to changes to new standards in their quality manuals. These changes require upgrading existing quality manuals to the next standard. At Hales, Bradford & Allen LLP (Brownsville, TX), the upgrade process is known as quality manual conversion. Certified companies are generally provided with an overlap period to upgrade from one standard to another. For example, the ISO 9001:2000 standard was implemented in the fall of 2000; however, registrations that were certified under the previous standard did not expire until December 15, 2003, leaving a three-year window for upgrade activities.

Other Miscellaneous Matters. A consultant who has performed a variety of internal audits has intensified expertise on quality system design, records, and processes. Internal personnel do not have the opportunity to observe any quality system but their own. Registrars that provide certification audits, by their own ethical standards, cannot provide consulting services to the same company. Unlike certification auditors, consultants that serve merely as internal auditors can provide services without conflicts of interest.

Internal Benefits

The internal benefits of ISO 9000 certification cannot be discounted among companies in the industry. ISO 9001 requires that all certified companies clarify contractual relationships, establish record retention policies, maintain internal communication, and undertake management review of the entire quality system at defined intervals. A certified company's method for dealing with corrective and preventive action can bring accountability to a company's production employees. New staff can see all the processes of the company, which streamlines training and recruitment. Finally, ISO 9001 certification ensures preferential treatment from potential customers in the medical equipment industry.

Other Considerations

The degree to which medical companies embrace the ISO standard should not depend heavily upon the number of certified medical companies in the community, because the medical industry has a relatively uniform distribution across the American landscape. No U.S. city has more than 17 certified companies serving the medical supply industry. However, if many companies are serving other industries in a given geographic area, the consultants will likely make themselves available to other types of local companies. Although certification auditors and ISO consultants travel widely, certified companies tend to prefer local consultants when they are available.

High concentrations of certified companies depend more upon the structure of the community's commerce. In this respect, population is not necessarily an indicator of the number of ISO-certified companies in the community. For example, Grand Rapids, MI, has three times as many certified companies as New York City. 

Cities with high levels of plastic and metal product manufacturing or access to oceangoing or waterway traffic have a greater tendency to attract and cultivate ISO-certified companies than most others. Consequently, Houston has the most ISO certified companies of any U.S. city, with more than 600. 

Conclusion

In some quarters, the prospect of the continued growth of ISO 9000 certification has been questioned. However, despite trends toward consolidation of multiple registrations, fewer customers requiring certification, and economic decline, the total number of ISO certificates in force increased by approximately 10% globally during 2002.4 ISO 9000 certification will have a presence among device companies for the foreseeable future.

References

1.Bizstats.com, “Size of U.S. Markets by Industry;” available from Internet: www.bizstats.com/marketsizes.htm. 
2.Ashok M Thakkar, “The Rise and Fall of ISO 9001?” Quality Digest, September 2003; available from Internet: www.qualitydigest.com/sept03/articles/03_article.shtml.  
3.American National Standard (ANSI/ISO/ASQ Q9000-2000), American Society for Quality, 2001.
4.Robert H King Jr, “View From the Summit,” Quality Digest, November 2003; available from Internet: www.qualitydigest.com/nov03/articles/04_article.shtml. 

Darryl Duayne Baird, CPA, is the ISO 9000 management representative for Hales, Bradford & Allen LLP, headquartered in Brownsville, TX.

Copyright ©2004 Medical Device & Diagnostic Industry