Cashing in on ISO 9000?
By Susan English-Seaton
Geneva — The International Organization for Standardization (ISO), which sets quality standards for businesses around the world — embodying the philosophy, “Do it right. Do it right the first time, and do it right every time” — is trying to defend itself against the fraudulent use of its good name by companies trying to cash in on the advertising value of ISO registration or certification of its products or processes.
Rightly or wrongly, use of the ISO logo or “ISO 9000 registered” label on a product implies that the product or service has been manufactured under a set of high quality system guidelines, and that the company has submitted to a compliance audit verifiable at least yearly by an independent third-party organization. But the company may only have incorporated some ISO 9000 procedures in some of its processes, performed a self-audit or had a two-party audit — one conducted by a vendor or supplier. Is the company entitled to the perceived market edge over its competitors of actual ISO 9000 registration? Dick Matthews, president of Filtration Technology (Greensboro, NC) and a member of ISO`s American Technical Committee 209, says: “ISO 9000 is basically a paper trail — a paper-driven, manual, document-based procedure. You don`t have to be registered to have an ISO 9000-type procedure in your facility. Registration requires a third-party audit.”
To counter any further misuse of terms, ISO has just published new guidelines on “Publicizing your ISO 9000 or ISO 14000 certification” to help businesses and other organizations who have achieved ISO 9000 or ISO 14000 (environmental management systems) certification avoid making false or misleading claims in advertisements and other communications media. Misleading practices ISO wants to put a stop to are: (1) The use of the ISO logo, which is a registered trademark. Promotional material should carry the logo of the organization that actually performed the audit and issued the certificate. (2) The use of terms such as “ISO certification” or “ISO 9000 registered,” which give the impression that ISO itself has awarded certification. (Certificates are actually bestowed by independent testing laboratories or other quality system certification organizations), and (3) The use of the term “ISO 9000” as a product quality label. Only the processes or systems that went into manufacturing a product can be certified — not the product itself.
What is ISO 9000?
More than just a disagreement over terminology or trademarks, this most recent directive from ISO`s headquarters gives some indication of the increasing importance and widespread use of ISO 9000 standards as a worldwide benchmark for quality. A series of quality system standards which have evolved over the years, they incorporate the best elements of many other quality standards from around the world. In the cleanrooms industry, the label “ISO 900(1)(2) or (3) registered” is being seen more and more in connection with everything from air handling systems to design/build and construction. A type of total quality management, the ISO certification (or registration) process itself consists of the assessment of a company`s quality system against the requirements of one of the applicable ISO 9000 standards. A certificate is then issued by an independent certifying organization to confirm that the process is in conformance with the standard`s requirements.
ISO certification or registration are terms largely used interchangeably, reflecting differing national practices or business-culture preferences. “Accreditation,” sometimes used wrongly as a synonym for these terms, relates to the work of national accreditation bodies, which have been set up in a number of countries to provide some measure of control over the activities of quality system certification bodies. An accreditation body will accredit (approve) a certification body as competent to carry out ISO 9000 certification of quality management systems. Audits may either be “first party” — an organization auditing itself; “second party” — a customer audits its vendor or supplier; or “third party” — an independent assessment by an outside organization consisting of registrars accredited and audited in this country by the Registrar Accreditation Board Inc. (RAB) in Milwaukee, WI.
ISO is still in more widespread use in Europe than in the U.S. However, that appears to be changing rapidly. ISO`s member body in the United States is the American National Standards Institute (ANSI). Says an ANSI spokesperson: “We see ISO 9000 as being a ticket to the global market place. You are seeing more and more around the world that if you don`t have a registration or certification process, you as a company may be disadvantaged with respect to those companies who are not competing and have the registration.” Though not mandatory, many countries have already incorporated its standards into their national laws, as well as cGMPs. In this country, facing increasing market pressure and the choice of being included on the “approved supplier” lists of companies like the Big 3 — Ford, Chrysler and General Motors — the U.S. is playing a fast game of “catch up.” Filtration Technology`s Matthews says: “There`s basically a lack of education in America — Europeans are much further along. The British have 50,000 manufacturers that are ISO 9000 qualified — in the U.S., we probably have 10,000, so there`s a huge difference in the base.”
Which ISO 9000 standard should I choose?
There are five separate documents in the ISO 9000 Series of Standards: ISO 9000, 9001, 9002, 9003 and 9004. The latest version of the standard defines four basic product categories addressed by ISO 9000: hardware, software, processed materials and services. A common misconception is that ISO 9001 is “better than” ISO 9002, which is better than ISO 9003, etc. This is incorrect, since they simply apply to different sets of activities. ISO 9000 is a guidance document that assists companies in determining which of the standards is applicable and appropriate to their business. ISO 9001 is the most comprehensive of the standards and covers 20 separate elements, including design, process control, purchasing, etc. The other two standards ISO 9002 and 9003 — are subsets of ISO 9001 and contain fewer elements. ISO 9001 is applicable to companies that have design/development, production, installation and service of a product or service. ISO 9002 has 19 elements and is applicable to companies who do not have a design function but who do perform production and installation. ISO 9003 is for companies that only provide final inspection and test services. ISO 9004 is also a guidance document that provides guidelines on how to apply ISO 9001, 2 and 3.
ISO 9000 and FDA cGMPs
The pharmaceutical industry has readily adopted GMPs because of its extensive multinational trade. Many of its vendors and suppliers, as well as manufacturers, already operate at standards even more stringent than ISO 9000. Industry experts say that with many pharmaceutical manufacturers now utilizing contractors in the production and release of their products, third-party audits such as those included in the ISO 9000 process, may provide an efficient means of evaluating contractor performance. FDA management has reported that often the lack of validation of bulk drug substance manufacturing is the reason for non-approval of pending drug applications. Using GMP, products are designed from the outset with quality “built-in” to all processes, from raw material specifications, through production, to packing and transport. This building-in of quality from the earliest stages — also known as “total quality approach” — is embodied in ISO 9000-registered companies. It runs directly counter to the principle of inspection — finding defects in the product or service at the end of the process chain.
According to a recent article by William Schwemer in Pharmaceutical Engineering, (March/April 1997), government and private organizations in over 70 countries of the European Community (EC) have now adopted the ISO 9000 series of standards as a voluntary standard, European Norm (EN) 29000. As they become effective, specific EC directives (laws) for certain products, such as medical devices, will incorporate EN 29000 into the EC`s regulatory scheme. In the pharmaceutical industry, ISO 9000 tends to form a supportive, though unofficial, framework for the FDA`s commodity-specific cGMPs, which are actually quality standards in disguise, says Schwemer. In 1993, the FDA published proposed new medical device cGMP regulations that are harmonized with ISO 9001. This June, the newest regulations go into effect. For instance, the regulations applicable to Human and Veterinary Drugs, Low Acid Canned Foods and Infant Formula are comparable to the ISO 9002 Standard, while the umbrella food cGMPs are less comprehensive. In general, says Schwemer, FDA-regulated companies that conform to ISO 9000 are likely to improve their compliance with cGMP, HACCP, and other rules as a result of the reviews necessary to assure well-documented quality systems. Also, increasing numbers of preferential purchasing policies by governments and businesses are stimulating greater interest in ISO 9000.
Registrars and the accreditation process
Why should a company adopt ISO registration? Bill Sullivan of ABS Quality Evaluations, Inc. (Houston, TX) suggests three reasons: (1) The intrinsic value of operating to a quality standard; (2) An edge over the competition; (3) Key customers and prospects may soon be demand it. A small but increasing number of companies are making certification a prerequisite to being on their approved supplier list. Also, a growing number of private businesses are reportedly accepting registration certificates rather than conducting vendor audits.
Sullivan says, “The counsel we give customers is that if you do this evaluation — whether it be for the value of improving your process, sales and marketing or because of your customers, — once you`ve established the need for a compliance system, put a plan in place that allows you to do it at your speed and not somebody else`s. You don`t want to get yourself in a position where your largest customer gives you an `or else` backstop of, say, six months!”
Selecting a registrar
Over the last five years, ISO 9000 has become big business. There has been an enormous growth in the number of companies offering certification services — some less than credible, says ABS`s Sullivan. The growth in the number of consultants has been even greater. “The world of ISO 9000 is, by and large, a totally unregulated market. In the ISO 9000 arena, anyone can call themselves an ISO 9000 registrar, take some money from you, perform an audit and issue you an ISO 9000 certificate.” Sullivan advises calling some registrars, getting copies of their certified companies` directors, and picking out those companies who are either in the same business or whose judgment you trust.
Ask about their experience in the ISO 9000 certification process. Ask them about the costs of implementing the quality system, and specifically, ask if they have tangible and measurable metrics to determine the value of the certification. How do you know that the company that performed the audit was competent to do it? The answer, says Sullivan, is accreditation. “When you ask a registrar if they are accredited, if you get answers that begin: `We are accredited through an arrangement with …` or `We are accredited through an MOU (memorandum of understanding) with …`, this probably means the registrar is not directly accredited, but has access to another registrar`s accreditation. This should then certainly prompt the question, `why doesn`t this registrar have direct accreditation?`”
Accreditation
Accreditors provide oversight, regulation and review of just about every aspect of a registrar`s activities which relate to their certification services. Certificates bearing the accreditor`s mark on them signify that the registrar complies with certain requirements. These requirements are very similar to ISO 9000, namely, the registrar is required to have a documented quality system. Accrediting bodies will conduct audits of the registrar`s facilities usually every six months. The registrar is required to define how they will determine auditor competency for specific industries. An accreditation body requirement is that at least one member of the audit team demonstrate competency for that particular industry. The registrar is further required to demonstrate industry competency, usually by having an audit observed or witnessed by the accreditation body before a given industry sector can be added to their accredited scope.
An assessment of a company should be and is just more than a document, says Gus Schaefer, a registrar with Underwriters` Laboratories Inc. (Northbrook, IL). Schaefer warns, ISO 9000 registration is only a beginning, not a guarantee. There are two elements to an audit: (1) an assessment of the documented system to determine what kind of procedures and controls are in place to assure there`s some type of repeatability and training of staff, etc., and (2) an on-site audit to assure that the documented system is in fact what`s being followed. “And that shouldn`t be done locked in a room just looking at a bunch of papers,” he says. “It should be done by going out on the production line or meeting with staff and discussing with them how they understand their job, what training procedures are in place — basically, how they can do things in a consistent manner.”
Once the initial audit is done, it doesn`t stop there: under the UL program (requirements vary from registrar to registrar), there will be two visits per year to monitor the system and the same process in an abbreviated form will be repeated. Also, he adds, the RAB will visit registrars, monitoring their performance and assessing how well the work is being carried out. “Again, it`s a two-step process: they`ll audit our office operation and then go out into factories with us to make sure we`re performing in accordance with the accreditation criteria. It`s a fairly closed-loop system with a good number of checks and balances in place,” he says.
Costs
Accreditation is a measure of a company`s commitment to quality in real dollar terms, since the process can cost as much as $50,000 and take up to a year to attain. Registrar costs can vary by as much as 25 percent, says ABS`s Sullivan. “There are almost as many ways of pricing certification as there are registrars — application fees, administration fees, listing fees, up-front payments, etc.” He says that auditor day rates are not a good way to compare registrar costs. “Insist that the registrar present you with a quotation, which will allow you to determine the three-year cost of ownership, irrespective of how it is packaged. In this way, you will be able to make an `apples-to-apples` cost comparison between registrars.”
There are some very “user unfriendly” contracts out there which require either a paid visit to your facility or mandatory pre-assessment, says Sullivan. These visits should be at your option, he says, not the registrar`s. Also, be aware of possible cancellation fees — “some can be pretty hefty.” Be sure to negotiate, he advises. If the registrar is not prepared to make a visit to your facility without cost to you, you might want to question their commitment to a partnership approach to the certification journey.
Editor`s Note: Richard Matthews, founder and president of Filtration Technology, Inc. (Greensboro, NC) is also president of Micron Video International, Inc., a company which markets training videos for the cleanrooms industry. The company has produced a video tutorial on the ISO process entitled “Understanding ISO 9000.” Micron Video International can be reached at: (847) 272-8800.