Should Regulatory Agencies require Accredited Certification in their Respective Areas of Oversight

Should regulators require management system certification as a component of oversight

  • Yes, that is a good idea.

    Votes: 2 16.7%
  • No, that is a bad idea.

    Votes: 4 33.3%
  • Only if the CB's were forced to clean up their act.

    Votes: 6 50.0%

  • Total voters
    12

Sidney Vianna

Post Responsibly
Leader
Admin
Time and again we hear of organizations operating in highly regulated sectors, such as Food & Drugs, Aviation, Medical Devices, etc. to have major quality system breakdowns, creating hazards and risks to the population.

Contaminated food, airlines operating with disregard to maintenance mandates, unsafe drugs in the market place, unreliable automotive components leading to injuries and deaths, etc... Examples abound. While the population expects the regulatory agencies to keep them safe, these organizations are, many times, operating at substandard level with resources lacking.

While regulatory control of certain aspects of our society will always exist, since "self policing" has been demonstrated to have it's shortcomings, one could make a case that regulatory agencies could mandate organizations operating under their scrutiny to implement and attain credible certification to relevant standards.

For example, organizations operating in the food supply chain could be required to implement and attain certification to ISO 22000, Aerospace repair stations could be required to do the same against AS/EN 9110; Medical Device manufactures would go for ISO 13485 and so on.

The idea is to promote another layer of control, in addition to the regulators, already stretched thin in their resources. If the certifiers were to be kept really accountable to the stakeholders and the certificates were only granted to those organizations that really deserved, the regulators would have more confidence on the systems of the organizations they are expected to police.

Health Canada has a requirement such as this for medical device manufacturers selling in Canada, to be certified to ISO 13485 by specifically approved CB's. At least one CB has already been removed from the system.

My article on the potential deployment of AS/EN 9110 in the Aviation MR&O sector tries to make a similar point.

So, I am interested in your opinions and votes to this idea.
 
Last edited:

BradM

Leader
Admin
Re: Should Regulatory Agencies require accredited certification in their respective a

An interesting notion. Below I use FDA to represent all the major regulatory agencies.

I was under the impression that at least the FDA was beginning to move towards this proposal anyway. I guess you are proposing something similar to the Moses plan? In the desert, Moses was trying to administer to all the people, and was spreading himself too thin. Thus, his father-in-law proposed implementing levels of authority, reporting up to him. The FDA would "observe" the CB's auditing the regulated industries.

Health Canada has a requirement such as this for medical device manufacturers selling in Canada, to be certified to ISO 13485 by specifically approved CB's. At least one CB has already been removed from the system.

Now, personally, it would concern me having the FDA scrutinize and removing any CB. Yes, there are rotten agencies out there. But if industry has had a difficult time weeding them out through supply/demand, I'm not sure if a government body could do it any more efficient. NOTE: That is a personal opinion, and valid opinions could fall on either side.

However, I do see an option: A CB could be "blessed" per se, by the FDA. This would show the CB went the extra mile, and for that, they would receive more business from the regulated organizations. The bodies that wanted the extra business would go the extra mile for the extra profit. Those that didn't would probably continue as they are. Those organizations subject to regulatory scrutiny would then do well to pick the "blessed" CB.

One thing that came to mind, though, is for this to work, a CB would have to have specialty knowledge in each of the regulated areas, or CB's would need to be specialized. I realize anything has a price, but would the average auditor want to take on reading CFR's and the like?
 

Randy

Super Moderator
Re: Should Regulatory Agencies require accredited certification in their respective a

The EPA has demanded registered EMS's for years of many organizations as part of a Supplemental Program (Check out some of the cruise ship lines...I understand those EMS's weren't voluntary in a couple of cases), but I have been wrong before.
 

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Should Regulatory Agencies require accredited certification in their respective a

The EPA has demanded registered EMS's for years of many organizations as part of a Supplemental Program (Check out some of the cruise ship lines...I understand those EMS's weren't voluntary in a couple of cases), but I have been wrong before.
Thanks for the reply, Randy. But the EPA Supplemental Projects have to do with settling legal cases. Concerning some of the cruise lines having to have their EMS certified, as part of a court settlement, you are correct.

But I was thinking along the lines of having such mandates as the normal process, not in special, litigation-driven cases.

For example, one of the most dangerous occupations in the USA is working in mines. Couldn't the Mine Safety and Health Administration (MSHA) require operators to implement and attain certification to the ANSI Z-10 or OHSAS 18001? If mine operators did that and the certification program had some teeth to it, maybe the incidents and accidents would decrease.
 

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Should Regulatory Agencies require accredited certification in their respective a

One thing that came to mind, though, is for this to work, a CB would have to have specialty knowledge in each of the regulated areas, or CB's would need to be specialized. I realize anything has a price, but would the average auditor want to take on reading CFR's and the like?
Good point, Brad. Let's remember that management system audits are not regulatory compliance audits. In my proposal, I suggest no reduction of regulatory oversight, unless, historical performance shows an organization to be of a lesser risk.

My proposal is that compliance to an applicable standard would be an additional component for risk mitigation in regulated sectors. Audit teams obviously need to be competent to assess the organization's ability to satisfy the applicable legal requirements they are subjected to. From that perspective, it is not much different from the current process.
 

Randy

Super Moderator
Re: Should Regulatory Agencies require accredited certification in their respective a

Thanks for the reply, Randy. But the EPA Supplemental Projects have to do with settling legal cases. Concerning some of the cruise lines having to have their EMS certified, as part of a court settlement, you are correct.

But I was thinking along the lines of having such mandates as the normal process, not in special, litigation-driven cases.

For example, one of the most dangerous occupations in the USA is working in mines. Couldn't the Mine Safety and Health Administration (MSHA) require operators to implement and attain certification to the ANSI Z-10 or OHSAS 18001? If mine operators did that and the certification program had some teeth to it, maybe the incidents and accidents would decrease.

The Mine Lobby is stronger than the one for cruise ships and besides what's a few miners compared to the beauty of the Carribean and the Alaskan Coast?
 
R

Roland Cooke

Re: Should Regulatory Agencies require Accredited Certification in their Respective A

In relation to the medical device industry:


While I do have some issues with the Canadian set-up, I personally think it is the most pragmatic of all the global regulatory approaches.

1. Anyone wanting to sell medium/high risk devices into Canada must have an ISO13485 certificate.
2. The company will require to be audited by the registrar at least annually
3. That certificate is only valid if issued from a Health Canada-approved registrar.
4. The requirements for the registrar to get that approval initially are stringent. The registrar must demonstrate it has 'corporate' capability; in addition, each auditor must take training (only given by HC), and pass a meaningful exam (i.e. on an individual basis).
5. The registrar is accredited by Standards Council of Canada, who essentially are controlled by Health Canada. Thus there is a sensible cascade of audits.
6. SCC audits the registrar stringently; both office activity and onsite witnessed audits. (Manufacturers are not allowed to refuse to host such an audit).
7. The audits on the registrar have real teeth, with one registrar being de-accredited, and several auditors being de-approved. Thus the registrars take this appropriately seriously.
8. Canada permits registrars to employ contractors to perform audits. (Japan has followed the FDA model in not allowing that; I don't understand Japan's rationale there, whereas I do understand the FDA's).


Where I think the Canadian system scores is that all relevant establishments worldwide are being audited frequently (where FDA falls down), and the audits are of a fairly high and consistent standard (which is where, arguably, the European approach falls down, with different levels of competence across the different authorities). The system is also fairly straightforward for foreign manufacturers (the same cannot be said to be true for the new JPAL).


The HC model's flaws include having a few wierd things in the regulations themselves (HC is no different in that!), but mainly revolve around having a bar that is possibly set too high for the size of market*.

Some manufacturers are choosing not to sell to Canada because it is too much hassle, similarly some registrars have not applied because of the set-up costs.
Going forward, there are always complaints about how hard it is to get more auditors qualified, with training held infrequently and then only rarely outside Canada.


*But if you are going to have a flaw, that's the one to have! :D


Again, all the above is my personal opinion only.
 
Last edited by a moderator:

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Should Regulatory Agencies require Accredited Certification in their Respective A

I plan on populating this thread with examples of how certification could add a layer of oversight in regulated sectors, when it is publicly knowledge the need for enhancements on regulatory oversight.

Check for example the attached DOT and FAA document.
Abstract
Title:Assessment of FAA's Risk-Based System for Overseeing Aircraft Manufacturers' Suppliers
Date:February 26, 2008
Type:Audit
Project ID:AV-2008-026

Summary:On February 26, 2008, we issued our assessment of the Federal Aviation Administration's (FAA) oversight of aircraft manufacturers' quality assurance systems for domestic and foreign aircraft part suppliers. Because aircraft and engine manufacturers are increasingly taking an international partnership approach to business, aircraft parts and component suppliers now produce significant parts of U.S.- and foreign- manufactured aircraft. Although aviation manufacturers are ultimately responsible for the quality of their products, FAA's Aircraft Certification Service personnel oversee manufacturers' processes for ensuring that the products meet approved design specifications and are in a condition for safe operation.
We found that FAA's risk-based oversight system for suppliers needs improvement as it does not consider the degree to which manufacturers now use suppliers to make aviation products. Specifically,
(1) FAA has not ensured that manufacturers are providing oversight of their suppliers,
(2) FAA does not require inspectors to perform enough audits of suppliers to determine how well manufacturers' quality assurance systems are working, and
(3) the systemic deficiencies we identified at 21 supplier facilities indicate that both manufacturers and FAA need to strengthen their oversight of these facilities.

Our recommendations to FAA focus on: requiring manufacturers to establish criteria for conducting on-site (initial and periodic) supplier audits, assessing risks at suppliers that produce flight-critical parts, ensuring objectivity and consistency in inspectors' risk assessments of manufacturers, correlating the number of inspector audits with the number of suppliers a manufacturer uses, and enhancing inspector training.
 

Attachments

  • WEB_FILE_Final_Supplier_report.pdf
    431.5 KB · Views: 319

Jim Wynne

Leader
Admin
Re: Should Regulatory Agencies require accredited certification in their respective a

I think the big "if" in all of this is if the CBs look out for the interests of "stakeholders"...
I have always thought that having a system where the auditee pays the auditor creates a clear conflict of interest, and completely negates the idea of CB auditors being independent. I've seen too many companies registered to ISO standards that shouldn't be to think otherwise. The other side of the coin is that government regulation and oversight is fraught with political finagling, no matter how many government inspectors there are.

I think this is one instance where perhaps we should let the market decide. If consumers don't trust the sources, the sources will sustain significant hits on the bottom line, where it hurts the most.
 

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Should Regulatory Agencies require accredited certification in their respective a

I think the big "if" in all of this is if the CBs look out for the interests of "stakeholders"...
I have always thought that having a system where the auditee pays the auditor creates a clear conflict of interest, and completely negates the idea of CB auditors being independent.
That is the heart of the certification sector dilemma. Some CB's realize that if their brand is deemed untrustworthy, their certificates might be relegated as irrelevant, IF the actual users of the certificates were vigilant and demanding of accountability. Thus, they realize that, as important as satisfying their direct customers, they must be cognizant and aware of other stakeholders expectations.

Other, less-than-reputable CB's not only survive, but prosper and thrive primarily due to appealing to the registrant's misguided goals of easy audits and guaranteed certification. As long as certificates are misperceived as an attribute and stakeholders don't question the pedigree of the certificate, as well as fail to associate the performance of the certified system with the issuer of the certificate, the market will allow for substandard CB's to operate and grow.

If, as part of the (my proposed) regulatory mandate for system certification, the regulators, who would become a very critical and interested stakeholder, were to police the CB's and demonstrate, from the beginning, zero tolerance for less than serious and competent CB performance, things might change.

After all, even unscrupulous CB's fear having their names being dragged through the mud, or having one of their top managers being sento jail*.

I still believe, as I have been saying now for over a decade, that the only thing that will fix the problems of the certification sector is the enforcement of accountability. At all levels. From the organizations that use the certificates, to the organizations that hire CB services, to AB's, CB', individual auditors, standard development bodies, etc....
Until accountability is demanded and enforced, the competitive nature of the certification sector will promote the path-of-less-resistance registrars, who historically focus solely on the immediate bill-paying client, and fail to heed to the remaining stakeholders expectations.

*what has happened in a large North American CB, for embezzlement, a few years ago.
 
Top Bottom