When NOT to control a process in your QMS


ISOBlue
24th July 2008, 10:02 PM
Hello everyone! I'm new to this forum although I've reviewed some interesting threads on it in the past. I thought I would throw a question out there to see what others thought of this. My company is in the medical device industry, and we have developed a QMS that has passed quite a few inspections now.

We have a few areas of our business that I have not included in our QMS documentation. Specifically, I have chosen to eliminate some of our accounting and human resources work from our existing document controls because many of these processes are unrelated to our products or services and would not have an impact on them. So far so good; our auditors have agreed with this decision and I have not had any issues.

Recently, our HR department (which is very small) has created quite a few uncontrolled forms and documents for their own internal processes. These processes are NOT related to our training or anything like that, so they really don't qualify as part of our QMS. I hesitate to let them remain uncontrolled though because I keep thinking that if our HR person leaves, whoever replaces them is going to face a nightmare to figure out exactly what documents were once necessary and what documents were created at the fancy of our existing department for needs that might not be applicable anymore.

Has anyone else considered applying controls to areas of the company where it might not be necessary? Specifically, has anyone else put a lot of controls on HR type processes such as medical benefit management, disability leave, and whatnot? I would love to hear from some other professionals since I'm somewhat green at this! :D

Coury Ferguson
24th July 2008, 10:19 PM
Hello everyone! I'm new to this forum although I've reviewed some interesting threads on it in the past. I thought I would throw a question out there to see what others thought of this. My company is in the medical device industry, and we have developed a QMS that has passed quite a few inspections now.

We have a few areas of our business that I have not included in our QMS documentation. Specifically, I have chosen to eliminate some of our accounting and human resources work from our existing document controls because many of these processes are unrelated to our products or services and would not have an impact on them. So far so good; our auditors have agreed with this decision and I have not had any issues.

Recently, our HR department (which is very small) has created quite a few uncontrolled forms and documents for their own internal processes. These processes are NOT related to our training or anything like that, so they really don't qualify as part of our QMS. I hesitate to let them remain uncontrolled though because I keep thinking that if our HR person leaves, whoever replaces them is going to face a nightmare to figure out exactly what documents were once necessary and what documents were created at the fancy of our existing department for needs that might not be applicable anymore.

Has anyone else considered applying controls to areas of the company where it might not be necessary? Specifically, has anyone else put a lot of controls on HR type processes such as medical benefit management, disability leave, and whatnot? I would love to hear from some other professionals since I'm somewhat green at this! :D

Good first post ISOBlue.

Are any of these forms related to the QMS? I believe you said no.

First, and probably the one important thing that I see, what are these forms and what are they used to document? Meaning, does the information contained in the forms have any bearing on the way the Organization functions?

I am not a Subject Matter expert in Medical, so I may be leading you down the wrong path. I am basing this on personal experience and knowledge with other Quality Management Systems.

howste
25th July 2008, 02:46 AM
I look at it this way: If you don't care what results you get, then don't control the process.

When you say "might not be necessary" I think you're referring to the requirements of standards or regulations making them necessary. Don't forget that your business has needs, and that some controls may be necessary for your business - not just to pass an audit.

If the forms remain uncontrolled, what will happen? Will there be problems if someone has the wrong version of a form?

atitheya
25th July 2008, 04:27 AM
Hi ISOBlue,

Agreeing with Coury Ferguson and Howste, I would suggest you ask yourself - 'Why are these forms/records there if their existence is not important to your business operations?' There must be some purpose.

In my opinion these must be controlled at least to be identified, retrievable and show the order or sequence of the activities recorded. The control may remain only with the process owner or as suitable to your organisation and so defined.

Use ISO9001 and incorporate the standard in your system for effective results. ISO9001 compliance / certification should not be the end result, but a means for moving ahead.

JaneB
25th July 2008, 05:23 AM
Has anyone else considered applying controls to areas of the company where it might not be necessary?

Depends on how you define 'necessary'. Instead of focussing narrowly on 'is this in or out of ISO', I'd turn the question on its head, and ask myself:

Q: WHY do Standards such as ISO 9001 (and others) require us to control documents?

A: Because it's good practice.

In other words, I'd readily apply or encourage ISO disciplines to be applied elsewhere in the organisation because it's good practice and leads to all those good things.

You appear to be really only asking about controlling docs, whereas the thread title asks about controlling processes - I firmly contend that ANY process in an organisation requires some form of control. I doubt anyone is simply allowed to go on leave or paid without some form of control over the process! (If they are, it's definitely bad practice)

It's handy to know which the latest version of any document is, for example. But I'd not stomp around with a big stick beating people over the head, either. You can often accept a lesser type of control on less important docs (eg, a leave form is generally a leave form, and the world probably won't end if it isn't well controlled) than the design drawings for manufacturing, for example.

But you're right - if someone leaves (and they do!) how will anyone else know what docs exist, what state they're in, who signed 'em off (if anyone did), where they are, etc etc.

To me, these are some of the reasons why ISO requires such things to be managed & controlled.

But you seem really to be just asking about controlling documents, whereas your thread title asks about controlling processes. Any process needs some kind of control! After all, even in HR, surely you don't just have people going off on leave or being recruited without any kind of controls, do you?

Kevin Mader
25th July 2008, 08:54 AM
ISOBlue,

My advice is to keep business system requirements separate from quality management system requirements. Bundling these together can lead to unwarranted observations and findings during a QMS audit.

This being said, where to control documentation of a business nature becomes the question. More and more I believe that organizations, especially those required to follow Sarbanes-Oxley will have to develop parallel systems to control policy, procedures and forms. In an unregulated business, it might make sense to couple the business documentation program with the quality program documentation, but as you are working in the medical device industry, again my advice is to keep things separate.

Our peers here are giving good advice: business excellence cannot be achieved by mere compliance with QMS standards and requirements. Businesses must look beyond the narrower interpretation and utilization of requirements and tools and apply what works more broadly. The thing of it is, in regulated industry, you need to simplify QMS approaches to remain in the highest state of compliance. Here, I believe QA and RA managers need to determine the appropriate strategy that balances compliance risk with an organization's documented QMS program.

Keep in mind that compliance can take different forms: financial, regulatory and ISO for instance. Beyond the QA and RA managers, the business folks need to offer their suggestions as well.

Regards,

Kevin

Kevin Mader
25th July 2008, 08:58 AM
P.S. Welcome to the Cove!! I hope that now that you have entered into discussions here that you find it to be personally and professionally rewarding. Enjoy the learning!!!!:bigwave:

ISOBlue
25th July 2008, 02:23 PM
First I'd like to thank everyone for providing so much information in your posts. It has all been very helpful. The documents that my HR department are creating are things like FMLA (family medical leave act) signoffs, medical leave notification documents, change of status (full-time to part-time/night shift) and things like that.

I believe after reading all of your posts that you are all leaning towards having at least some moderate control over these documents, so I will give some thought as to the least burdensome way to handle such a project. Since our HR department has only a single employee, right now it's easy enough for him to know what documents he's handling, but passing the torch is going to be an issue one day!

I think maybe I will implement a more relaxed type of control where I at least catalog what documents HR is using and what their purpose is, but maybe not rigidly control their specific format so that they can be changed more easily as labor laws shift.

I would not be as concerned about this issue if there was more organization in the department. Our accounting department for instance has little in the way of written procedures and forms, but I'm confident that they can pass on their methods and policies to new workers because they have more organization and more employees to share the knowledge. HR is very small though, and to a degree it can be a black hole of knowledge about the procedures.

Once again, thanks to everyone for being so helpful. You have given me much to think about and plan! :)

Martijn
29th July 2008, 11:26 AM
My advice is to keep business system requirements separate from quality management system requirements. Bundling these together can lead to unwarranted observations and findings during a QMS audit.

I've run into this argument a lot of times trying to help get some sort of structure into our management system in the US. If topics like these are discussed in Europe it seems everybody is cool and feels we should explain to the external auditor and that's it. IMHO in the US the external auditor seems to be regarded as the bogey man every now and then.

I agree you should have your external auditor on board, explain things to him, etc. But creating parallel systems just because it might confuse him with some discussion as a result seems just plain wrong. I say go for 1 system and do it properly so that everyone's on board.

It is your system, you are in charge, not your certification auditor!

Sidney Vianna
29th July 2008, 03:36 PM
My advice is to keep business system requirements separate from quality management system requirements. Bundling these together can lead to unwarranted observations and findings during a QMS audit.

Kevin, I will respectfully, but vehemently oppose such suggestion. No organization should try to dissociate quality management from business processes. Simply because quality management IS part of operating a business.

Exactly because many organizations fail to understand that the only path for sustainable and effective quality management is to truly integrate it with the rest of business, we have so many dysfunctional "quality" systems out there. Systems which have no buy-in nor ownership by the workforce. Systems that are artificially created, maintained, audited and certified.

Only when quality management is effectively integrated with the business, we will succeed, as quality professionals.

The solution for external auditors not delving into issues outside of the system they should be assessing isn't to not document the processes. The solution is for auditors and auditees to understand the scope of the assignment and ensure that auditors don't go out of bounds.

JaneB
29th July 2008, 09:28 PM
ISOBlue, sounds like a good path of action you're planning.

HR is very small though, and to a degree it can be a black hole of knowledge about the procedures.

This is very often the case - has been in almost every organisation I've consulted to.

I've run into this argument a lot of times trying to help get some sort of structure into our management system in the US. If topics like these are discussed in Europe it seems everybody is cool and feels we should explain to the external auditor and that's it. IMHO in the US the external auditor seems to be regarded as the bogey man every now and then.

Interesting - I've noticed a similar tendency also.

I could not agree more with you and Sidney. Sorry Kevin, but I disagree with your advice completely. 'Parallel systems' fly in the face of good practice and contradict the increasing move toward integrating management systems. What on earth is the point of having lots of isolated, parallel systems??? :bonk:

I say go for 1 system and do it properly so that everyone's on board.

Me too.
It is your system, you are in charge, not your certification auditor!
Absolutely.

And the point that Sidney takes up is an essential one: quality management is not a thing apart from business management. It IS integral to business management!

No organization should try to dissociate quality management from business processes. Simply because quality management IS part of operating a business.

Exactly because many organizations fail to understand that the only path for sustainable and effective quality management is to truly integrate it with the rest of business, we have so many dysfunctional "quality" systems out there. Systems which have no buy-in nor ownership by the workforce. Systems that are artificially created, maintained, audited and certified.

Only when quality management is effectively integrated with the business, we will succeed, as quality professionals.

Hear, hear.:applause:

The solution for external auditors not delving into issues outside of the system they should be assessing isn't to not document the processes. The solution is for auditors and auditees to understand the scope of the assignment and ensure that auditors don't go out of bounds.

Exactly so. :applause:

Good competent auditors will understand this, and audit accordingly. Don't make them into bogeymen or fall into the trap of doing things 'because the auditor might not like it/won't understand it/can't get it', etc.

If your auditor or CB doesn't or fails to understand, do find one that does. They do exist and they can be obtained.

After all - look at some of the excellent examples of the above who write in the Cove!:yes:

Mustang
5th August 2008, 03:09 PM
Our solution (to answer the original question) was to control the basic form (we have it in our "forms" directory) for HR, but we don't control the contents necessarily. i.e.: The format for Job Descriptions is a form, but HR controls what each job description contains. Mostly, because HR doesn't write them (the applicable departments do), but it's important that the structure be consistent. This is for forms that are HR-directed, but used by others in the company.

As far as other HR-specific stuff, we require that they keep all of the forms, procedures, etc. they use in a specific place (directory on the network) that they control. That way, if someone in HR leaves, their successor will at least know where to look. This also keeps it out of an external ISO-type auditor's fingers. (Same thing for Accounting, btw). They are part of the overall system, but not directly IN it. And we don't have to have the discussions about SOX, privacy issues, etc.

Kevin Mader
12th August 2008, 12:04 AM
Martijn, Sidney and Jane,

It might be appropriate for me to start with some history http://elsmar.com/Forums/showthread.php?t=3089&highlight=business+safety+quality&page=3. Check out the last post I entered. I think we aren’t too far apart on the issue in most instances ( This pleases me.:D )

To this day, I have a Venn Diagram drawn on a whiteboard in my office that depicts these same three systems (business, safety, and quality) all overlapping equally. I’ve not given up the notion that for total business optimization and excellence, one must integrate these systems and I still teach this viewpoint. I also like Sidney’s response a lot because it is consistent with my own core beliefs. However, my core beliefs were put into check by comments made by two FDA investigators. Without getting into the details, business requirements became subjects in two different audits. As Dr. Deming used to say, it takes only one example to disprove a theory. Now I have two.

In one situation, a premier regulatory consulting firm was hired to help ‘clean-up’. The effort was to remove the business requirements from the design control procedures and the design model. It was clearly their experience that these systems should remain independent and they make millions each year doing this very kind of work. Co-mingling was to be avoided. Now to a great extent, this is hard for me, a Systems Thinker, to accept. But the facts are what they are.

I’m not sure if you are speaking from the perspective of the Medical Device industry (and maybe more specifically the US FDA), but here my advice is still to keep program requirements separate for the government agents. These ‘bogeymen’ have badges and like to make folks sweat. Things are not ‘out of bounds’ if they are noted in your procedures. I don’t disagree that some items will draw less/no attention by an investigator, but other not-so-obvious linkages might exist and could be damning. Also, you can't count on being able to successfully reason with an investigator as you might an ISO Auditor and you don't have the option of requesting a different auditor for an investigation. For this reason, I like the approach to train the brain to keep things in the appropriate context…and program. You won't have time to change your mind when FDA is at your door.

If you asked me four years ago, I’d have given a similar answer as I did 7+ years ago: intertwine the systems. But now, my conservative position from what I’ve experienced and learned from national experts, keeping separate system program documentation for medical device manufacturers (such as ISOBlue’s organization) is preferable.

Back to the group…

Kevin

JaneB
13th August 2008, 01:10 AM
Good points, Kevin.

Kevin Mader
13th August 2008, 08:46 PM
Thanks Jane. I’m grateful for the challenges (and the reminder) from my peers and I appreciate knowing that there are many out there that share in the ‘larger’ system philosophy. I’ve not engaged in this type of discussion here for years, I think, so I’ll take it when I can get it!

Regards,

Kevin

Sidney Vianna
13th August 2008, 09:22 PM
Kevin. I truly appreciate you taking the time and explaining the context of your advice. If I were in your shoes, I would probably behave in a similar fashion. We are all "prisoners" of our experiences. And, sometimes we have to accept non-optimal solutions to deal with dysfunctional stakeholders.

Fortunately, having to deal with abusive, regulatory auditors who have the power to shut your operation down, is not the norm. Many organizations do not have to put up with external audit incompetence and arrogance. To them, I would still advise to integrate their quality processes with business practices.

The one thing that was not clear from your post, and I will understand if you can not divulge information, even when you have business requirements intertwined in your quality system documentation, if the FDA auditors delve into business issues during their factory inspections (http://www.fda.gov/cdrh/qsr/18inspn.html), and the business processes are following the established criteria, is that a problem? My question is: if the auditors find the processes compliant, what harm does that pose to you? Have you ever considered contacting their ombudsman (http://www.fda.gov/cdrh/ombudsman/about.html)?

JaneB
13th August 2008, 09:23 PM
Thanks Jane. I’m grateful for the challenges (and the reminder) from my peers and I appreciate knowing that there are many out there that share in the ‘larger’ system philosophy. I’ve not engaged in this type of discussion here for years, I think, so I’ll take it when I can get it!

Regards,

Kevin

Yes Kevin, I like the thinking challenges too! And I would also always support the viewpoint that the person in the 'hot seat' is almost always in the best position to know what will work. I'm not familiar with FDA requirements at all (natch) though I do understand that total integration while the best thing to aim for, IMO, may at times be compromised by particular regulatory requirements.

For example, organisations in a particular branch of financial planning/broking/dealing over here (Australia) have to have a certain manual with a particular name and a particular set of contents. Woe and betide any org that doesn't do it that way, because it either won't get or keep its licence and thus won't be able to operate in the field!!

But I would nevertheless contend (possibly idealistically!) that integration whenever and wherever possible is the ideal, and continue to advocate it. For clients in the last situation, for example, we wove some of the requirements of 9001 into that manual and had a clear explanation of the structure, so that the auditor could accept this as the 'quality manual', albeit by a pretty different title to most.

MIREGMGR
13th August 2008, 11:41 PM
An FDA inspection is unlikely to get to HR operations.

The FDA is very much internally rules-driven, and the prioritization for inspections is well defined. Per published internal rules, a firm making only exempt FDA Class Is and with a clean record and no external cause for action is normally not surveillance-inspected at all. If an inspector arrives on a first visit and then finds out that only exempt Class Is are made, the inspection covers only the CAPA system, unless problems are found there.

A firm making at least some non-exempt Class IIs, but no Class IIIs, with at least one prior inspection, with a clean prior record and no external cause for action, is normally surveillance-inspected every few years at QSIT (Quality Systems Inspection Technique) Class 1. A Class 1 QSIT inspection consists of CAPA, then either Design Controls or Production and Process Controls depending on the inspector's judgement of where problems are more likely based on the CAPA records. The inspector may also choose the one that wasn't chosen at the last inspection.

If a Class II device maker has a minor adverse finding in one surveillance inspection, but the circumstances don't rise to a requirement for a follow-up inspection, the next surveillance inspection may be Level 2. A Level 2 QSIT inspection covers Management Controls, CAPA, Design Controls and Production and Process Controls, possibly including sterilization if applicable.

The questions for a Level 1/2 QSIT audit are published in the QSIT manual in flowchart form. There is no inspection of issues like HR operations, other than the requirement in an inspection of Production and Process Controls for appropriate training.

Follow-up and For Cause audits can be at QSIT Level 3 and can delve more intensively into the four subject areas of a Level 2 audit. Audits of an FDA Class III device maker, particularly when serious problems are known or suspected, or a Class II device maker with known serious problems are not constrained by the QSIT procedure and can go as deep as the inspectors think is needed...but even so, the Inspection rules never discuss (to the best of my knowledge) any issues that would be normally considered to be HR-managed except for training.

MIREGMGR
13th August 2008, 11:47 PM
Actually, the above is a good thing for us, because our HR department operates almost entirely using ABRA, an HR-specific software system.

Business (non-production-process) software-systems validation, or more to the point the lack thereof, is one of our weaknesses.