"ISO 9001:2000 requires an organization to identify and control the statutory and regulatory requirements applicable to its products (including services). It is up to the organization how to do this within its quality management system. The organization should demonstrate that the legal requirements applicable to its products / services have been properly identified, are available, and easily retrievable. "

How do we ensure that an internal audit covers the above reqs. What type of docs or questions should be asked to the design function in order to verify compliance to the above.?

How do we ensure that an internal audit covers the above reqs.First and foremost, the auditor should understand what is the process established during contract review, design and development, etc. to ensure that product related legal requirements are being identified and complied with. Then, and only then, the auditor should determine if the process is deployed and effective.

Typical failure modes for this type of issue:

regulatory requirements not being identified by the customer and/or the supplier.
regulatory documents not available to the organization.
people reviewing legal requirements not having the knowledge to perform an effective assessment.
validation reports not clearly demonstrating compliance to regulatory requirements.

Thanks for the info Sydney. Shall the auditor before auditing our design and development process request to see the statutory and regulatory requirements pertinent to our product? we fabricate pneumatic tools for the application of fasteners. Electromechanical tools for applying industrial staples, nails, hog rings. What type of statutory and regulatory reqs could apply to our designs.

Sidney has give you good guidance in his replay but he, or most other Covers cannot tell you “What type of statutory and regulatory reqs could apply to our designs”. Its time to seek guidance from a layer in this matter as you more than likely will need to comply with a number of federal or international regulatory issues.

Two that come to mind is product safety and OSHA.

Thanks for the info Sydney. Shall the auditor before auditing our design and development process request to see the statutory and regulatory requirements pertinent to our product? we fabricate pneumatic tools for the application of fasteners. Electromechanical tools for applying industrial staples, nails, hog rings. What type of statutory and regulatory reqs could apply to our designs.

As an auditor I would be not simply be asking for the regulations, per se. I'd want to know how the engineering management make certain (aka assure) that the engineers have considered those regs in their design. One aspect is doing some research to find out if any exist. Do you have an occupational saefty person? They might know, for starters.

Then it becomes a matter of ensuring the design process considered those applicable regs/specs and that the product was tested, including any certification/type approval testing (like by a UL type of organization).

BTW - if you are auditing a design process and you don't know some of these things (lucky for me I've been in design quality) you might consider getting some help to do the audit.

FWIW - It always pays to do lots of research before doing an audit, since it's not just a case of asking "what's the right question" for an auditor, because you have to know the right answers too............

"ISO 9001:2000 requires an organization to identify and control the statutory and regulatory requirements applicable to its products (including services). It is up to the organization how to do this within its quality management system. The organization should demonstrate that the legal requirements applicable to its products / services have been properly identified, are available, and easily retrievable. "

How do we ensure that an internal audit covers the above reqs. What type of docs or questions should be asked to the design function in order to verify compliance to the above.?

The company should be designing its products to comply with the legal requirements for the markets that your company sells into. Earlier posters have given you a good set of starters. My :2cents: you should be asking the people with responsibility for the New Product Introduction (NPI) process how they have access to legal requirements, relevant standards etc. (for all markets the products will be sold into) and how they feed into the design activity.

They form part of design input (7.3.2) and should be used in the review (7.3.4) , verification (7.3.5) and validation (7.3.6) activities within the process.

To give you some idea when working at a previous certification body I produced guidance for auditors on the European Machinery Directive (MD) giving guidance to our (3rd party) auditors on what to look for in the various areas of an organization's QMS. To meet the MD organizations had to design around European (and International) standards and testing was carried out against these standards in the design process and later in production.

Paul,
Do you have to ID the legal and statutory requirements in which your product MAY be used? I've just audited a software supplier that my org purchased from and now uses software in a pharmaceutical environment. I know the drug manufacturer is responsible for demonstrating that the software complies with regulations, but where does this leave the supplier?

Paul,
Do you have to ID the legal and statutory requirements in which your product MAY be used?Yes, in relation to the product.

But if your product is going to be designed into someone else's then they take responsibility for the final product - although they may require additional information / controls from you.
I've just audited a software supplier that my org purchased from and now uses software in a pharmaceutical environment. I know the drug manufacturer is responsible for demonstrating that the software complies with regulations, but where does this leave the supplier? I presume this is embedded software?

Again the customer takes the overall responsibility but they should be providing application information to the software developer so they can design the necessary level of robustness / fail safe into the software. I mean you wouldn't want the same level of quality / reliability as Bill provides, would you? :lmao:

"ISO 9001:2000 requires an organization to identify and control the statutory and regulatory requirements applicable to its products (including services). It is up to the organization how to do this within its quality management system. The organization should demonstrate that the legal requirements applicable to its products / services have been properly identified, are available, and easily retrievable. "

How do we ensure that an internal audit covers the above reqs. What type of docs or questions should be asked to the design function in order to verify compliance to the above.?

If you have a clear process for how to determine and identify these regs, and,

If you have some method of listing or summarizing them, and

If your engineers and technical folks can access and explain them...

Then, your auditors should be able to audit whether they are met.

The gap usually is, when asked, no one can point to them, or even a clear system for it.