Best Practices in Quality Management

Best Practices in Quality & Compliance Management

Foreword
With a dramatic increase in the number of regulations over the last decade, Risk Management and Regulatory Compliance have taken on increased visibility and focus. Key metrics that measure risk and compliance are now being tracked and monitored at the corporate level. However, organizations are finding that their plant-level deployments of compliance solutions create information silos and prevent senior management from getting an aggregated view of regulatory risk/cost. Hence these organizations are gradually replacing them with a single enterprise-wide software solution. In addition to improving visibility, organizations wrestling with upgrading legacy systems to comply with new regulations sometimes find the cost to be higher than the cost of deploying a brand new solution. This is also leading to accelerated adoption of a single enterprise-wide compliance solution.

As a leading vendor of quality and compliance software, we are helping many leading companies make this transition today. In the process, we have learned a lot about emerging best practices, new performance metrics and key success factors. We have documented some of this learning in this collection of papers.

I hope you enjoy reading these papers. Please feel free to forward this collection to your peers.

Regards,
Shellye Archambeau
CEO, MetricStream

Copyright © 2005 by Shellye Archambeau. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

Contents
A Framework for Systems Validation for the FDA environment
Overview of Impact of 21CFR Part 11 on Information Systems
Best Practices in Internal Audit
Here comes TS 16949
Impact of Regulatory Compliance on Quality and Profits
Incorporating Audits in your Operational framework
Incorporating quality into management style
Managing Quality at Outsourced Manufacturing Operations
Roadmap for compliance with 21 CFR Part 11
Supplier Charge-backs
What is Your Company's Cost of Poor Quality - Tools for calculating and reducing it
Workplace Safety Compliance: The New Approach
Corrective Action (CAPA) Systems at Innovative Companies
Ensuring Regulatory Compliance through Training and Certification
IT Systems Validation for Regulatory Compliance
Implementing a well designed audit program
How to build a Business Case for a Quality Management System
Using a Compliance Platform to build Custom Quality and Compliance Applications
Raising your Audit Score through effective Document Control
Reducing New Product Introduction (NPI) time using a packaged software solution
New User Access Requirements for 100% Compliance
Smart Investment Strategies for a Compliance Platform: A Ten Step Guide
How to give a Quality Score to your Supplier
Can't get budget approval for your Quality Management System?
Paper-based quality system is more costly than you think
Role of a Quality Management System in Six Sigma Deployments

A Framework for Systems Validation for the FDA environment


21CFR Part 11 requires that all systems that govern any cGxP process, including Good Manufacturing Practices (GMPs), Good Laboratory Practices (GLPs), and Good Clinical Practices (GCPs), be validated. FDA issued a very comprehensive guidance on systems validation in a document released in January 2002. This white paper uses that FDA guidance as an input to define an easy-to-implement framework for systems validation. Finally, the paper identifies a best practice which calls for IT organizations and software vendors to proactively audit their software development and implementation processes on an ongoing basis to identify and correct any systemic issues to lower the cost of compliance.

Why System Validation?

Current Good Manufacturing Practices (cGMP) are mandated by the FDA to ensure that the products manufactured by industries such as pharmaceutical, biotech and medical devices meet specific requirements for identity, strength, quality, and purity. In order to comply with cGMP, companies are required to record, track, manage, store and easily access various production documents and their detailed change history, including Standard Operating Procedures (SOPs), Master Production Batch Record (MPBR), Production Batch Record (PBR), equipment log books etc. Historically, all such documents have been maintained on paper by companies in order to comply with FDA's cGMP. Even as companies automated their production and quality processes, they were still being forced to maintain and track paper records for FDA acceptance. The Code of Federal Regulations (CFR) Part 11 was implemented in 1997 to let the FDA accept electronic records and signatures in place of paper records and handwritten signatures for compliance. The regulation outlines controls for ensuring that electronic records and signatures are trustworthy, reliable, and compatible with FDA procedures, and as verifiable and traceable as their paper counterparts.

Figure 1: Scope of 21CFR Part 11 Requirements (Source: CGE&Y)

Hence 21 CFR Part 11 also specifies a number of requirements for software systems to enable trustworthy and reliable electronic records and signatures (see Figure 1). These software requirements must be met for the resulting electronic records to comply with FDA's cGMP. If an organization does employ electronic records and signatures, but fails to comply with these system requirements, the FDA will cite the firm for violating the underlying regulation. For example, if a drug company maintains its written complaint records, required by 21 CFR 211.198(b), in electronic form, but the agency finds that these records are unacceptable substitutes for paper records, the FDA would charge the firm with violating 211.198(b). The potential impact might include FDA requested recall, FDA mandated recall, Warning Letter, seizure, injunction, prosecution, civil penalties, and detention.

System Validation is a key 21CFR Part 11 requirement - its primary benefit is to assure quality and performance of the systems deployed to manage any cGxP process. It is the establishment of documented evidence that provides a high degree of assurance that a specific process, managed by the system, will consistently yield a product meeting its predetermined specifications and quality attributes. The ultimate goal of any system validation project is to realize and sustain compliance, while ensuring the peak performance and functionality of those systems.

What is System Validation?

Validation is the process of compiling written verification of all system functions and the performance of those functions to system specifications, as well as data integrity and system maintenance. That written documentation must be in alignment with the industry standards and regulatory laws that guide the FDA in their evaluation and enforcement of regulatory compliance. To successfully manage compliance, each regulated system must be proven to operate in accordance with its intended use and design, and all documentation supporting that evidence must culminate in FDA-acceptable documentation.

The FDA's General Principles of Software Validation; Final Guidance for Industry and FDA Staff, published jointly by CDRH and CBER, was originally written with the medical device industry as its intended audience. This guidance describes how certain provisions of the medical device Quality System regulation apply to software, and the FDA's current approach to evaluating a software validation system. Any software used to automate any part of the device production process or any part of the quality system must be validated for its intended use, as required by 21 CFR 820.70(i). Hence, this requirement applies to any software used to automate device design, testing, component acceptance, manufacturing, labeling, packaging, distribution, complaint handling, or to automate any other aspect of the quality system. In addition, computer systems used to create, modify, and maintain electronic records and to manage electronic signatures are also subject to the validation requirements. Systems that maintain certain employee training records may even be subject to validation. Such computer systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

This guidance is now being held up to the rest of the FDA-regulated world as an example of best practices in computer system validation. It is now used to validate systems that are governed by any of the GxP regulations, including Good Manufacturing Practices (GMPs), Good Laboratory Practices (GLPs), and Good Clinical Practices (GCPs).

Framework for System Validation

While various consulting companies have created their own methodologies for systems validation, our experience shows the following framework to be comprehensive and applicable to both off-the-shelf and home-grown software. This framework ensures that the software being deployed is most likely to be compliant with FDA requirements and will continue to sustain the compliance over time. Key elements of that framework include:

Compliance with core 21CFR Part 11 requirements: This element ensures that the software is compliant with key requirements of the regulation, including:

- Any change to any record is captured in the audit trail and these entries are time stamped with additional information including operator name and why the record was changed.
- System provides adequate security to prevent unauthorized modification by ensuring role-based access and preventing users from directly updating the database.
- Software employs electronic signatures for any transaction into the system.
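One way to implement the audit-trail and access-control requirements above, as an added example that is not code from this paper or from any vendor's product. The role names, record IDs and the SHA-256 hash chain (used here to make altered entries discernible) are assumptions of this example; the paper itself does not prescribe a mechanism.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role model: which roles may read or modify records.
ROLE_PERMISSIONS = {
    "qa_manager": {"read", "write"},
    "operator": {"read", "write"},
    "auditor": {"read"},
}
GENESIS_HASH = "0" * 64  # prev_hash of the first audit entry


def _entry_hash(body):
    """SHA-256 over a canonical JSON encoding of an audit entry body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditedRecordStore:
    """Record store in which update() is the only supported write path."""

    def __init__(self):
        self._records = {}
        self._trail = []

    def update(self, operator, role, record_id, new_value, reason, when=None):
        # Role-based access: only roles holding "write" may change a record.
        if "write" not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionError(f"role {role!r} may not modify records")
        # The audit trail must say why the record was changed.
        if not reason or not reason.strip():
            raise ValueError("a reason for the change is required")
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self._trail),
            "timestamp": when.isoformat(),
            "operator": operator,
            "role": role,
            "record_id": record_id,
            "old_value": self._records.get(record_id),
            "new_value": new_value,
            "reason": reason.strip(),
            # Chaining each entry to the previous one makes edits detectable.
            "prev_hash": self._trail[-1]["hash"] if self._trail else GENESIS_HASH,
        }
        entry = dict(body, hash=_entry_hash(body))
        self._trail.append(entry)
        self._records[record_id] = new_value
        return entry

    def trail(self):
        return [dict(e) for e in self._trail]  # copies, not live entries

    def snapshot(self):
        return dict(self._records)


def verify_trail(entries):
    """Return the index of the first inconsistent entry, or None if intact."""
    prev = GENESIS_HASH
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (body.get("seq") != i or body.get("prev_hash") != prev
                or _entry_hash(body) != entry.get("hash")):
            return i
        prev = entry["hash"]
    return None


def find_unlogged_changes(records, entries):
    """Record IDs whose stored value differs from the last logged value,
    i.e. evidence of a direct database update that bypassed update()."""
    expected = {}
    for e in entries:
        expected[e["record_id"]] = e["new_value"]
    ids = set(records) | set(expected)
    return sorted(r for r in ids if records.get(r) != expected.get(r))


def demo():
    # Constructed sample data: operators, record ID and values are invented.
    store = AuditedRecordStore()
    t0 = datetime(2005, 1, 10, 9, 0, tzinfo=timezone.utc)
    store.update("jdoe", "operator", "SOP-001", "rev A", "initial release", t0)
    store.update("asmith", "qa_manager", "SOP-001", "rev B", "corrected step 4", t0)
    clean = verify_trail(store.trail())
    tampered = store.trail()
    tampered[0]["reason"] = "routine"          # after-the-fact edit of an entry
    altered_at = verify_trail(tampered)
    store._records["SOP-001"] = "rev C"        # simulated direct database update
    unlogged = find_unlogged_changes(store.snapshot(), store.trail())
    return clean, altered_at, unlogged


if __name__ == "__main__":
    print(demo())
```

A hash chain only detects edits by someone who cannot rewrite the whole trail, so the latest entry hash should also be kept somewhere the application account cannot modify.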

Software Development Lifecycle: This element ensures that the software vendor (or an IT organization that develops its own software) follows a clearly defined and documented software development lifecycle to ensure quality and prevent software defects. The components of the lifecycle include:

- All system requirements must be clearly defined and approved before any design or coding effort starts. All system functions must be identified at this stage.
- System design specification must be clearly documented, and design reviews must be done to evaluate the capability of the design to meet system requirements and to identify any problems.
- Test plans, test procedures and test cases should be developed as early in the development lifecycle as possible.
- Coding standards should be well documented, and code reviews must be done to ensure that these standards are followed.
- Multi-level testing methodology including unit test, functional test, integration test and system test must be followed. In addition, stress testing and disaster recovery testing must be performed to ensure that system performance requirements are met.

Closed-loop change control: This element ensures that proper change control documentation, approval and testing procedures are followed for any changes, including correcting software defects, adding new capabilities for a new version of the software, or making changes to software configuration. Change control procedures must be written and well understood through training, to ensure compliance. Unauthorized changes to a validated system, even during the implementation process, can have a detrimental effect on the system integrity.

Facility: This element ensures that the vendor facilities (or an IT organization's software development lab) employ adequate security controls to prevent unauthorized access to software, computer rooms and backup media storage rooms.

Figure 2: Change Control Process

Organization: This element ensures that the software developers, designers, QA engineers and project managers are trained to perform the technical aspects of their jobs, and that the company has training policies to ensure they continue to have the right skills on an ongoing basis to do their job.

Validation for intended use: This element ensures that the requirement specifications are developed for the intended use of the system. The system documentation is compared to the intended use specification to identify any gaps. Then the system is tested against the intended use specification to identify any additional gaps. Any major gaps are fixed using the closed-loop change control method described above and retested before the system is validated as ready for intended use.

Organizations that implement this framework find it easier to keep their system FDA validated on an ongoing basis.

Using a QMS system for Proactive System Validation

In a world where technology and business practices are dynamic rather than static, reactive compliance audit methodologies provide questionable value. Best practices call for IT organizations and software vendors to use the above framework to proactively audit their software development and implementation processes on an ongoing basis to identify and correct any systemic issues. Industry leaders are deploying Quality Management Systems (QMS) within their IT/development organizations to streamline and automate the entire internal audit and corrective action process.

The QMS system serves as a system-of-record for the systems validation project. All documents including SOPs, specifications and test plans are stored in its repository. The QMS audit capabilities are used to create and track an audit checklist and its results. Once issues have been identified through the internal audit process, the first step is to initiate an investigation and to properly identify the root cause of the problem. After the root cause has been identified, Corrective Action (CAPA) items are created. When corrective actions are approved, appropriate changes are implemented in the environment through a change-control process and then the CAPA is closed out. These changes may include amendments to a documented procedure/SOP, creating a new documented procedure/SOP when one is lacking, placing controls to ensure that the documented process is followed, or upgrading the skill set of an employee through a training and certification process. The QMS dashboard provides IT and regulatory management with an ongoing view into the process metrics. By using a QMS, companies ensure that the ongoing and proactive audit and corrective action process is systematized and provides the basis for lowering the cost of compliance.

In summary, system validation is not a one-time project; it is an ongoing process. Through a combination of a good implementation of system development lifecycle and proactive internal auditing of the software development and implementation process, companies can easily comply with the system validation requirements of 21CFR Part 11 at a lower cost of compliance.

Overview of Impact of 21CFR Part 11 on Information Systems


Pharmaceutical, medical device, biotechnology and services companies are challenged to ensure regulatory compliance through all their operations. A critical success factor is their ability to have a common enterprise-wide solution for capturing out-of-spec/non-conformance, tracking and managing the corrective action process, ensuring that the recommendations are implemented successfully and providing visibility into the process and performance metrics at various operational and management levels.

In August 1997 the Food and Drug Administration (FDA) passed Part 11 of Title 21 of the Code of Federal Regulations and established standards for the use of electronic records and signatures as an equivalent and/or substitute for paper records and handwritten signatures executed on paper. Part 11 applies to all areas governed by the FDA and includes the pharmaceutical, medical devices, and biotechnology sectors, and extends to all records in electronic form. It is applicable to records identified in predicate rules, that is, previously published regulations such as Good Clinical Practices (GCP), Good Laboratory Practices (GLP), and Good Manufacturing Practices (GMP).

As illustrated in figure 1, the rule was designed to ensure that information is accurate, trustworthy, and traceable across the multiple systems and entities that fall within the FDA program areas. Most importantly, the legislation was not intended to be just another exercise in regulatory compliance. Instead, it was designed to enable both the FDA and the Life Science industry to take advantage of new technologies to improve efficiency and speed in both operations and regulatory process, and to incorporate electronic document control and change management technology into their current business processes. By establishing tight user-authentication and security, enabling audit trails, and enforcing records retention, pharmaceutical companies could realize the full benefits of electronic records and signatures while remaining fully compliant.

(Source - CGEY, 2002)

As illustrated in figure 2, Part 11 affects the entire value chain and is more pervasive on some applications in key segments of the value chain than in others. For some applications such as Clinical Data Management, Quality Management or Manufacturing Execution Systems, Part 11 influences every element of the application. For other applications such as ERP, CRM, or Training Management Systems, Part 11 impacts only selected workflows and data elements. In addition, the use of good data management techniques and well constructed standard operating procedures (SOPs) can ensure that many applications which should not contain data of record for regulatory purposes do not inadvertently become subject to the requirements of 21 CFR Part 11. Non-compliance in some applications is more likely to trigger an enforcement action than in others. Which applications are more important, within a specific organization, depends on how the data is used, prior regulatory history, and recent enforcement trends.

(Source - CGEY, 2002)


MetricStream's best-of-breed Enterprise Quality and FDA Compliance solutions help life sciences companies implement quality management, non-conformance tracking, corrective action and change control throughout the enterprise.


Best Practices in Internal Audit


Internal auditing is a mechanism by which an organization examines a business process to evaluate its ability to comply with internal and external requirements. It is also a very effective tool to implement a discipline of continuous improvement. Internal audits enable management to:

- Discover what's really going on within the organization, which enables objective decision making and enables managers to direct the resources towards the right issues
- Learn about potential problems before they become burning issues
- Identify failure points within a process, so relevant stakeholders can implement corrective actions in a timely manner
- Determine the effectiveness of controls within a process

Attributes of a successful internal audit program

To be effective, the internal audit and the corrective and preventive action (CAPA) processes must be fully integrated in a closed-loop manner. Internal audit of a process/organization takes a snapshot of the current environment, maps it to defined requirements or specifications and then identifies nonconformities or opportunities for improvement. These nonconformities are then fed into a corrective action process, which recommends specific actions and solutions. The lead auditor should then verify that the corrective action has been implemented and the root cause of the original nonconformity has been eliminated.

An internal-audit program within an organization is less likely to be successful when it does not have the right management support and commitment. In organizations where the audit program consistently delivers good results, the closed loop audit/corrective action process is likely to be institutionalized as a result of the management support. A key attribute of such an organization is any process-owner's ability to answer the following questions very clearly:

- Are the processes and metrics clearly defined, so internal audit process can discover unambiguous non-conformance?
- How does the audit process incorporate the results of previous audits to track progress against previously discovered nonconformities?
- What is the process to identify potential root causes in a timely manner for the non-conformities that are discovered by the audit process?
- Are corrective actions always taken to eliminate such root causes or potential root causes?
- How is the data on corrective and preventive actions reported and analyzed?
- How do employees receive feedback on their respective non-conformities?

Five key activities in an internal audit

An internal audit is almost always successful when an internal auditor is able to carry out the following five linked activities:

- Audit schedule: The purpose of the audit schedule is to communicate when the organization can expect to be audited, who will lead the effort, which high level processes will be included in the audit and what type of resources may be needed from the process owner. Audits scheduled far in advance always produce better results.
- Audit plan: An audit plan should detail a single audit's scope, objectives and agenda. The plan provides a chronology of the audit from start to finish: which specific processes and sub-processes will be audited, exactly when they'll be audited, who will do it and which requirements will be audited in each segment.
- Audit management: The lead auditor manages the overall process, including managing and communicating any changes to the audit plan, communicating the audit progress to the stakeholders, ensuring that the audit process stays on track, reviewing all nonconformities to ensure that they're logical, valid and clear, resolving all conflicts constructively and ensuring that the entire audit is conducted professionally and positively.
- Audit reporting: Stakeholders are presented with the written audit observations and a list of nonconformities, and these form the basis for discussion of the audit results.
- Audit verification: The manager of the process being audited is usually asked to respond to audit nonconformities by an agreed-upon date. The response should include investigation into the root cause, proposed corrective action and a date when the action should be completed. The lead auditor reviews the responses to determine whether the investigation and proposed corrective actions are adequate. If a response doesn't identify a plausible root cause or propose a corrective action related to it, the lead auditor can reject the response and explain to the manager of the process why it's inadequate. The second stage of verification occurs when the manager of the process notifies the lead auditor that corrective action has been implemented. At this stage, the lead auditor or a team member will verify that the corrective action has been fully implemented and the root cause of the original nonconformity has been eliminated.

System Requirements for a Successful Internal Audit Program

A specific audit is likely to be more successful if the detailed steps listed above are automated using software to make them repeatable. Leading industry analysts have identified the following core requirements of a software solution for a closed-loop internal audit program: an end-to-end process from audit management through corrective actions to change control.

- Audit Management: The software should allow definition and management of various elements of the audit process, including creation of different checklists by audit type, tracking audit schedule details, managing role differentiation between lead auditors, approvers and managers for all audit components and enabling workload distribution by sharing components of the audit. The software should also allow auditors to track progress, attach various documents as supporting evidence of the non-conformities, review non-conformities identified by audit team members, ensure all exit criteria in the checklist have been met before the step is completed and report audit results (pass/fail).
- Non-conformance tracking and management: The software should track and manage all non-conformances arising out of the audit process and provide an ability to either close out the non-conformance (based on severity level and authorization) or trigger a corrective action process. In some regulated industries such as medical devices, closing out certain non-conformities may not be an option and a corrective action is automatically triggered.
- Corrective Action: The software should provide a collaborative mechanism for automatically routing a corrective action request to a hierarchy of users with built-in notification and escalation procedures, enabling them to review all relevant non-conformance records to analyze the root cause and document corrective actions to correct or prevent the recurrence of the problem. The system should support configurable industry-specific report formats such as 8-D, 5-Phase and PIAR.
- Change Control: The software should support multiple change control mechanisms identified in corrective action, such as document change (change to a standard operating procedure or process instructions etc.), employee training or equipment recalibration.
- The system should be developed from the ground up using web architecture, so it can be easily accessed by any user within the company or by key suppliers or customers outside the organization and it can easily integrate with other systems or corporate portals.
- The system should allow enterprise-wide reporting on any non-conformance and corrective action at a department/plant/division/company hierarchy and provide an Executive Dashboard to report on key process indicators.

A successful internal audit program is critical to implementing an organizational discipline of continuous improvement. By ensuring that the best practices are implemented and by using software to automate the closed-loop process, an organization will be well on its way towards realizing impressive results from its internal audit program.


Here comes TS 16949


The International Automotive Task Force (IATF) took on the challenge of developing a standard to harmonize three European catalogs, VDA 6.1 (Germany), AVSQ (Italy) and EAQF (France), and the North American QS-9000 standard. The result was the ISO/TS 16949:2002 standard.

The Big Three automakers have put their support behind ISO/TS 16949:2002. QS-9000 is no longer in the long-term picture. According to an executive from one of the Big Three, the ISO/TS 16949 contains 90 percent of QS-9000 already, and it's an improved standard. DaimlerChrysler released a letter dated July 2002, which stated that effective July 1, 2004, all product and service part suppliers to DaimlerChrysler are required to be registered to ISO/TS 16949. In early August 2002, DaimlerChrysler, Ford and GM released a joint letter announcing that the third edition of QS-9000 will expire on Dec. 14, 2006, after which ISO/TS 16949:2002 will replace QS-9000.

(Source - Quality Digest, October 2002)

A supplier's certification to ISO/TS 16949:2002 will satisfy vehicle manufacturers' current quality system requirements for compliance or certification.


Impact of Regulatory Compliance on Quality and Profits


Regulatory compliance by enterprises could result in a positive impact on the quality of the products and services that they generate. This could imply that the results of compliance can be quantified into direct economic value for the complying enterprises. Although this is not a tested hypothesis, no one would dispute the fact that a significant body of regulations today attempts to raise the quality of products to benefit (or protect) the consumers. One may ask if it is possible to quantify the gains so achieved. While the issue of cost of compliance to consumers and tax-paying citizens is a well-researched fact, the cost of non-compliance is still an uncharted area, measured mostly by fines and penalties paid by corporations.

Those opposing the pressure of compliance often argue that regulations only expand the bureaucracy, adding burden to its subjects or on the industries it regulates. The popular press is full of articles these days arguing that the recent Sarbanes-Oxley regulation is overburdening corporations. While there may be some truth to this matter, one should not forget the cost of non-compliance, which was borne by the shareholders of the numerous corporations who broke the inherent trust of the financial markets. In my judgment, Sarbanes-Oxley gives CEOs an internal mandate to institutionalize what most CEOs have always wanted and in many cases failed to achieve: real-time documentation and controls on key financial and operational processes. The correct operating perspectives allow business executives to turn the focus away from the debates of the cost of Sarbanes-Oxley, and achieve greater competitive advantage through tighter process controls and metrics. These efforts will not only result in higher quality of financial controls and disclosures, they can further enhance the financial results through superior process automation and controls.

Taking an example from the food industry, a single cow with a dreadful disease could push businesses to the brink of bankruptcy, disrupt markets and spread paranoia worldwide. It is common knowledge that interested lobbies fought hard to stop cattle inspections and the industry did not heed FDA's sound advice to avoid mixing meat from downers into the cattle feed. The food industry abounds with such examples, where massive amounts of processed food have been recalled from the shelves because of lapses in the production process. Embracing the USDA recommendations with appropriate automation and tools can give CxOs a way to define, automate and raise the quality of their food processing activities, delivering differentiated food products in the market, which the consumers can feel safe to consume. Although USDA regulations may seem expensive to organizations on the surface, complying with these stringent regulations provides for greater food safety and enhanced customer satisfaction, eventually leading to enhanced financial results for the company.

Besides food and drugs, occupational health and environmental protection are replete with regulations as well. Strong lobbies are fighting regulatory controls tooth and nail to delay, if not to limit, many of these regulations. One should not forget that regulations around global safety, including OSHA regulations, are becoming more critical for regulators as we inherently live in a "riskier" world post September 11th 2001. As we raise the quality of our safety processes, create better frameworks for corrective and preventive actions, and build an infrastructure of emergency preparedness and disciplined audits, not only are we being more compliant, we are also raising the safety of our employees and facilities worldwide, eventually resulting in better managed safety and environmental risks for corporations. These risk reduction initiatives fundamentally translate to more predictable and sustainable shareholder returns.

One could argue that self-regulation is the best form of regulated control, as it imposes the minimum amount of cost on corporations and regulators. The proponents of self-regulation denounce the surge of regulatory controls and cite historical examples where industry regulations have failed to work. The shift that these advocates of self-regulation fail to acknowledge is that we now have a globally working communication infrastructure, the Internet, which provides a collaborative platform for regulators and corporations to work together across geographies and organizational boundaries. Using appropriate regulatory tools and processes, forward-looking corporations enjoy the benefits of increased effectiveness of regulations as well as a decreased cost of compliance. Maybe we all need to rethink how we can leverage technology more effectively as we incorporate regulators and regulations in the fabric of our extended enterprise!

Incorporating Audits in your Operational framework


While many books and articles have been written about how to drive greater management and organizational output, only recently have managers been asked to think about how to incorporate "audits" as a management tool within their organizations. First of all, contrary to common belief, audit is not a responsibility of the internal or external auditors. It is the responsibility of the business heads and managers who run the operations of the company on a day-to-day basis. How does one incorporate audit best practices within a management framework?

Here are some simple examples of audits, which many large and small companies are using to enhance their compliance with internal and external regulations and mandates.

A global retailer sets up a global field audit capability to enhance its store operations.
A mid-size pharmaceutical company focuses on documenting its key policies and procedures.
A large food service company enables a web infrastructure for audits of its suppliers and franchisees.
A sporting goods manufacturer begins to manage its business through real-time KPIs (Key Performance Indicators).

All these companies are incorporating audits in their management and operational framework. They are creating an environment for continuous improvement through a well thought out strategy of audits. These audit frameworks are not merely designed to serve the requirements of the internal or external auditors, but also provide continuous operational benefits to the business units.

So, how should one think about building an audit strategy within the management framework of an organization? Here is a simple framework to think about how to incorporate audit controls in your business.

Segregation of Duties: Segregation of Duties ensures that no one person is solely responsible for the entire process end-to-end without effective checks and balances. For example, key authorization processes should have appropriate checks and balances. The person who documents the transaction should not be the same person who conducts the transaction. These simple checks and balances ensure effective controls and reduce organizational error rates.

Best Practices:

Design your organization with "checks and balances" in mind.
Ensure that the organizational processes and policies have a "quality control" oversight at all times.
Ensure that the quality functions report independently of the operational units.

Policies and Procedures: Written policies and procedures codify management's criteria for executing an organization's operations. They document business processes, personnel responsibilities and departmental operations, and promote uniformity in executing and recording transactions. Thorough policies and procedures serve as effective training tools for employees. Having a documented repository of your standard operating procedures at the operational, financial and manufacturing unit levels ensures consistency of processes and reduces audit failures.

Best Practices:

Document key business processes and policies.

Make the policies and procedures available to all personnel. Ensure they are accurate, complete, and current at all times.

Revise policies and procedures for changes in business processes and policies. This is particularly important when new systems are developed and implemented or other organizational changes occur.

Communicate significant changes to all affected personnel immediately to ensure they are aware of any revisions to their daily duties and responsibilities.

In the event that there are changes in personnel (i.e. new employees are hired, promotions granted, etc.), documented policies and procedures will facilitate training and provide guidelines for the respective positions.

An integrated document management system with integrated training management ensures that all employees, suppliers, vendors and partners are current with your documented policies and procedures.

Reviews and Approvals: When a process is performed within a department, there should always be another level of review and approval performed by a knowledgeable individual independent of the process. The approval should be documented to verify that a review was done. Review and approval are controls that help management gauge whether operational and personnel goals and objectives are being met. In this day and age of emails and web technologies, it is easier to document your approvals if you refrain from verbal approvals and use electronic methods to approve key policies and processes.

Best Practices:

Approve electronically to enable rapid documentation of approvals.
Ensure that approval alerts and escalations are embedded in the workflow of your organization.
Document all the approvals in a repository to ensure compliance with internal and external audits.
Numerous approval management and archival solutions exist to facilitate both enforcement and documentation of approvals within an organization.

Process Efficiency and Effectiveness: Organizational processes must be efficient and effective. Efficiency implies the most productive way to perform a task or function. Effectiveness implies that the given process has the intended outcome. Organizational process flows have to be designed with both efficiency and effectiveness in mind.

Best Practices:

Effective processes are easier to audit, as the cause and effect of the processes are well understood. Ill-designed processes are often harder to audit and may have unforeseen consequences. Incorporate key audit controls (key process indicators, metrics etc.) in your workflow to ease the audit of the processes.

Efficient processes are often easier to audit, as there are fewer intermediate steps and approval loops. So all your effort to design greater process efficiency pays off not just on an operational basis but also from an audit standpoint. Efficient processes are simply easier to audit.

Talk to your internal and organizational audit organization sooner in the process and incorporate their needs as you design your key processes and policies.

Reporting: Management reporting takes on a more strategic priority as you design your organization for greater auditability. The reporting infrastructure of your company is not just a way to create visibility into the status of key processes and activities; it also gives management and the auditors a way to get possibly real-time visibility into the key indicators of your organization. Reporting of key Corrective Actions and Preventive Actions, process KPIs, employee training status on key processes, supplier and partner scorecards, and quality maintenance reports on critical equipment and plants are simple examples of a well-designed management reporting system.

Best Practices:

Implement an organization-wide reporting process and infrastructure, ensuring that all your business units are reliably and consistently reporting the required process status and data.

A well-designed organization implies that reporting is not a separate task which you perform manually once a month or week. Instead, reports are generated "in-band" as you go through the key processes within your day-to-day activities. This ensures that reports reflect the processes themselves and are not a "post-fact" historical analysis of outcomes. These historical reports tend to be prone to manipulation and human errors.

Reporting is not just what your direct reports and business units share with the management. In well-designed management reporting environments, the management must share key reports back to the business units and direct reports. For example, many companies are beginning to implement "real-time" scorecards, which show comparative performance across different business units, suppliers or franchisees. These scorecards give business units or suppliers an actionable framework to improve their performance in real time. Post-fact scorecards (in hindsight) may have some value, but they lack the ability to drive real-time performance improvements and actionability.

Well-run organizations provide "drill-down" reporting capabilities, ensuring that employees, managers and suppliers can see the performance of their processes at the right level of abstraction. "Drill-down" enables organizations to get to the root cause of key issues, enables insights and learnings, and creates an environment of continuous process improvement.

Incorporating quality into management style


Quality and compliance are not necessarily afterthoughts that are achieved through systems and software; rather, they are part of the management style of managers and leaders. In progressive companies, managers are not merely focused on enhancing organizational output and productivity, but are also aware of achieving a greater degree of quality and compliance with the regulatory frameworks of their industries, economies and communities. So, what does it mean to be a more compliant or "quality-aware" manager? Embracing Six-Sigma, TQM...? No, not necessarily. Good managers understand how to create processes and organizations that minimize variance, produce repeatable productive outcomes and have built-in feedback flows from their internal and external customers. Case in point: one of our large Hi-Technology customers is attempting to become more "customer focused" and deliver greater quality and satisfaction. Principles of Corrective Action and Preventive Action are being incorporated not just in business workflows, but in how managers are being trained in this organization to handle customer issues and drive down defects and thereby enhance customer satisfaction.

In another example from a noted Automotive manufacturer, the entire senior management has shown commitment to quality and compliance by focusing on reducing cycle times to internal, supplier and customer issues. These commitments are being incorporated in how the lines of business are being organized, how "quality and compliance" is everybody's job, and how suppliers and managers are being rewarded for their contributions to quality and customer satisfaction.

Managing Quality at Outsourced Manufacturing Operations


The need for enterprise quality management is amplified for companies in the technology industry. These companies have increasingly shifted manufacturing and assembly operations offshore to low cost countries or have outsourced these functions to a contract manufacturer. As a result, a large number of their deliveries to US based customers have become cross-border transactions and sometimes take weeks to be delivered to distribution sites within the United States, resulting in long supply chains. The long supply chain has created a new set of system requirements for quality processes within the extended enterprise.

It is very important for such organizations to gain visibility into quality issues within their offshore manufacturing sites, including those of the contract manufacturer, so that they can prevent any products of unacceptable quality from entering the inbound supply chain. If such products enter the supply chain, the rejection process can delay shipment by weeks. Rejecting a shipment at the point of destination, weeks after it was shipped from the manufacturing site, may cause shortages and disrupt fulfillment of customer orders, a very high opportunity cost. Carrying high inventory at distribution centers to buffer against a poor quality shipment is an expensive alternative, especially in an industry with short product life-cycles. The additional transportation and handling incurred due to poor quality products being rejected at the point of destination, instead of the point of manufacture, also leads to increased cost of inventory write-offs.

As a result, many technology organizations are seeking to minimize quality issues at outsourced and/or contract manufacturers' plants and are aggressively implementing enterprise class quality management systems to audit finished goods at offshore sites, collect that data, and then aggregate, analyze and report that information to key business process owners to give them visibility into potential quality problems. Using this information, the business process owners not only can prevent a poor quality shipment from entering the supply chain in a timely manner, they can also use that information to create appropriate corrective actions and systematically prevent such problems from occurring again. Industry data shows that companies can reduce the costs of inventory write-offs by 5-10% and increase revenues by 2-5% by reducing the risk of missed market opportunities from poor quality shipments within a long supply chain.

Many organizations find that their contract manufacturer may be using the same plant to manufacture products for multiple customers and hence cannot be forced to install different systems for different customers at the same plant to support their respective quality needs. As a result, the organization has to rely on process and product quality information from the contract manufacturer's quality system. That information usually does not integrate well with the organization's own systems and is frequently not available in a timely manner.

Hence, a new breed of quality management systems is needed to support long supply chains. These systems must be web-based, so an organization can extend its internal quality system to its contract manufacturer, who can enter the required quality information for its customers' products. As a result, the organization gets instant access to quality information without requiring the contract manufacturer to install a dedicated system at its plant. These systems must also support an extraprise data and security model, so a contract manufacturer cannot see the quality issues that the organization faces at a competing outsourcer or at its internal plants. The organization should also be able to configure the system easily to simultaneously deploy different quality processes at different outsourced or offshore sites, to accommodate varying process maturity levels at each of those sites. The system must also support integrated inspection/audit, non-conformance tracking, corrective action, change control, document management, and user certification capabilities, so an organization can implement an end-to-end closed loop quality process for an outsourced supplier. A traditional point solution does not meet these requirements and increases a company's risk of high reject costs and disruption of supply of finished goods for its customer orders.

Roadmap for compliance with 21 CFR Part 11


According to some analysts, the cost of 21 CFR Part 11 compliance could vary from $5 million to $400 million, depending on a company's size and current state of systems. Companies with lots of computer systems that are not compliant with 21 CFR Part 11 must prioritize which systems to upgrade first. They are now beginning to use a risk-based methodology to create a roadmap for compliance. This paper explains the 21 CFR Part 11 system requirements, discusses a risk-based methodology to create a compliance roadmap and identifies popular first steps in the roadmap for most companies.

cGMP: the basis for 21 CFR Part 11

Current Good Manufacturing Practices (cGMP) are mandated by the FDA to ensure that the products manufactured by industries such as pharmaceutical, biotech and medical devices meet specific requirements for identity, strength, quality, and purity. cGMP regulations are specified in 21 CFR Part 210 (Current Good Manufacturing Practice in Manufacturing, Processing, Packing, Or Holding Of Drugs; General Part) and 21 CFR Part 211 (Current Good Manufacturing Practice for Finished Pharmaceuticals). In order to comply with cGMP, companies are required to record, track, manage, store and easily access various production documents and their detailed change history, including:

Standard Operating Procedures (SOP): SOPs are documents that describe how to perform various routine procedures in a cGMP facility. SOPs relate to both tools and equipment. SOPs contain step-by-step instructions that technicians in production, QC, maintenance and material handling must consult daily in order to complete their tasks reliably and consistently. They make it clear how the task will be performed (procedure), who will perform the task (responsibility), why it will be performed (purpose), and what limits of use apply (scope).

Master Production Batch Record (MPBR) or Production Batch Record (PBR): A master production batch record (MPBR) is a detailed, step-by-step description of the entire production process for a specific drug. The MPBR explains exactly how the product is produced, indicating specific types and quantities of components and raw materials, processing parameters, in-process quality controls, environmental controls, etc. A Production Batch Record (PBR) documents the production events, quality charts, environmental monitoring records and inspection reports for the entire production process for a specific batch.

Equipment Log Books: Log books are kept for all major equipment in a cGMP facility so that a chronological record of all equipment-related activities can be maintained. Minimum log book entries include date, time, the name of the technician and the event, but could also include a list of tasks that permits the technician to check off, sign, and date each event in the list of tasks as s/he performs them.

Why 21 CFR Part 11?

Historically, all the quality documents including SOPs, MPBRs, PBRs and log books have been maintained on paper by companies in order to comply with FDA's cGMP. Even as companies automated their production and quality processes, they were still being forced to maintain and track paper records. The Code of Federal Regulations (CFR) Part 11 was implemented in 1997 to let the FDA accept electronic records and signatures in place of paper records and handwritten signatures for compliance. The regulation outlines controls for ensuring that electronic records and signatures are trustworthy, reliable, and compatible with FDA procedures and as verifiable and traceable as their paper counterparts. Hence 21 CFR Part 11 also specifies a number of requirements for software systems to enable trustworthy and reliable electronic records and signatures. These software requirements must be met for the resulting electronic records to comply with FDA's cGMP. If an organization does employ electronic records and signatures but fails to comply with these system requirements, the FDA will cite the firm for violating the underlying regulation. For example, if a drug company maintains its written complaint records, required by 21 CFR 211.198(b), in electronic form, but the agency finds for some reason that these records are unacceptable substitutes for paper records, then the FDA would charge the firm with violating 211.198(b). "Master production records are generated from a computer as electronic records without any apparent controls to assure authenticity and integrity [21 CFR 211.186(a)]."

Software Requirements of 21 CFR Part 11

The following are the specific software requirements specified in Section 11.10:

Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
The ability to generate accurate and complete copies of records in both human readable and electronic form.
Protection of records to enable their accurate and ready retrieval throughout the records retention period.
Limiting system access to authorized individuals.
Use of secure, computer-generated, time-stamped audit trails.
Use of operational system checks to enforce permitted sequencing of steps and events.
Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
Use of device checks to determine the validity of the source of data input or operational instruction.
Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned task.
The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures.
Use of appropriate controls over systems documentation.

[Figure: Scope of 21CFR Part 11 Requirements. Source: CGE&Y]
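
Several of the Section 11.10 controls listed above (time-stamped audit trails, sequencing checks, authority checks, and the ability to discern altered records) can be shown working together. The Python below is an added example, not code from the original paper or from any vendor; the roles, workflow states, record ID, demo key and the HMAC chain used for tamper evidence are assumptions made for illustration, since Part 11 does not prescribe a mechanism.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed role model and SOP approval workflow, constructed for this example.
PERMISSIONS = {"author": {"draft", "submit"}, "qa_reviewer": {"approve", "reject"}}
WORKFLOW = {
    "NEW": {"draft": "DRAFT"},
    "DRAFT": {"draft": "DRAFT", "submit": "IN_REVIEW"},
    "IN_REVIEW": {"approve": "EFFECTIVE", "reject": "DRAFT"},
    "EFFECTIVE": {},
}
GENESIS = "0" * 64


class ControlError(Exception):
    """An authority, sequencing or independence check refused the action."""


def _mac(key, body):
    # Canonical JSON so the same entry always produces the same MAC.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


class RecordTrail:
    def __init__(self, record_id, user_roles, key, clock=None):
        self.record_id = record_id
        self.user_roles = user_roles      # user name -> set of roles
        self.key = key                    # assumed to be held outside the record store
        self.clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.state = "NEW"
        self.entries = []

    def perform(self, user, action, content=""):
        # Authority check: the user must hold a role that allows the action.
        allowed = set()
        for role in self.user_roles.get(user, ()):
            allowed |= PERMISSIONS.get(role, set())
        if action not in allowed:
            raise ControlError(f"{user} is not authorized to {action}")
        # Operational check: the action must be a permitted next step.
        next_state = WORKFLOW[self.state].get(action)
        if next_state is None:
            raise ControlError(f"{action} is not permitted in state {self.state}")
        # Independence: whoever drafted or submitted the record cannot review it.
        writers = {e["user"] for e in self.entries if e["action"] in ("draft", "submit")}
        if action in ("approve", "reject") and user in writers:
            raise ControlError(f"{user} cannot review a record they authored")
        body = {
            "seq": len(self.entries),
            "record": self.record_id,
            "time": self.clock(),         # generated by the system, never by the caller
            "user": user,
            "action": action,
            "content_sha256": hashlib.sha256(content.encode("utf-8")).hexdigest(),
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        entry = dict(body, mac=_mac(self.key, body))
        self.entries.append(entry)
        self.state = next_state
        return entry


def first_broken_entry(entries, key):
    """Return the index of the first entry that fails verification, or -1."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i                      # reordered, or an earlier entry removed
        if not hmac.compare_digest(_mac(key, body), entry.get("mac", "")):
            return i                      # a field was altered after the fact
        prev = entry["mac"]
    return -1


def demo():
    key = b"constructed-demo-key"         # constructed; a real key belongs in a KMS or HSM
    roles = {"alice": {"author"}, "bob": {"qa_reviewer"},
             "carol": {"author", "qa_reviewer"}}
    trail = RecordTrail("SOP-0001", roles, key)
    refused = []
    steps = [("bob", "approve"), ("carol", "draft"), ("alice", "approve"),
             ("carol", "submit"), ("carol", "approve"), ("bob", "approve")]
    for user, action in steps:
        try:
            trail.perform(user, action, content="SOP text v1")
        except ControlError as err:
            refused.append(str(err))
    intact = first_broken_entry(trail.entries, key)
    tampered = [dict(e) for e in trail.entries]
    tampered[1]["user"] = "mallory"       # simulate an after-the-fact edit
    return trail.state, refused, intact, first_broken_entry(tampered, key)


if __name__ == "__main__":
    print(demo())
```

A chain like this does not reveal removal of the newest entries, so the latest MAC should also be recorded somewhere the application cannot rewrite.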

Building a Roadmap for compliance with 21 CFR Part 11

According to some analysts who track FDA regulations, the cost of Part 11 compliance could vary from $5 million to $400 million, depending on a company's size and requirements. The Pharmaceutical Research and Manufacturers of America (PhRMA) projects the industry-wide cost of compliance to reach $2 billion by 2006. Companies with low budgets and lots of computer systems that aren't compliant with 21 CFR Part 11 must prioritize which systems to fix first. They are now beginning to use risk-based methodology to create a compliance plan for their systems.

Risk-based compliance methodology begins with an inventory of all the existing systems and carefully identifies all systems that are either paper-based or non-compliant. The approach then carefully analyzes each system to assess its risk, as well as the cost of either converting a paper-based system or upgrading/replacing a non-compliant system to comply with the regulations.

[Figure omitted. Source: Clarkston Consulting]

A key aspect of determining risk is assessing the computer system's potential impact on consumer safety. Incorporated in this assessment must be the role that the system plays in the product life cycle, as well as the potential capability of the company's products to injure the consumer as a result of the use of that system. Another aspect of determining risk relates to the system's potential to fail due to issues such as software code complexity, lack of good vendor support or lack of change control procedures. Finally, the company must consider the risk of intervention by FDA during an inspection, leading to a large fine, a delay in drug approval or a consent decree. While calculating the cost of upgrading, one should determine whether the total cost of upgrading and validating a legacy system is higher than the cost of replacing it. This information is then plotted on an X-Y matrix that measures, from low to high, the risk to security of the data (X-axis) and the cost of upgrading (Y-axis). Then the company may prioritize its systems and processes needing conversion or replacement based on where they fall in the matrix. Computer systems that fall in the high data security risk, low conversion cost area of the matrix, for example, could be targeted first for compliance validation.

Low Hanging Fruits in the Roadmap for Compliance with 21 CFR Part 11

Based on research by various analysts and consulting firms, one of the low hanging fruits is upgrading quality management systems to become compliant with 21 CFR Part 11. Such systems provide a core infrastructure for electronic records for SOPs and training/certification, implement strict change control and enable auditable corrective action processes. Hence these systems are considered quick hits because of their high-risk (high risk of FDA intervention due to direct correlation with cGMP) and lower-cost (relatively lower cost of replacement than a manufacturing system) profile. Quality Management systems should support multi-plant and multi-organization architecture, including any outsourced operations such as clinical trials, R&D or production. Multi-organization architecture enables companies to ensure consistency of practices and processes across the entire internal supply chain, leading to a reduction of the overall risk to customer safety. Since existing implementations of quality management systems do not have the architecture to support global operations, enhancing existing legacy systems is more expensive than implementing a new solution with a global architecture. Capabilities addressed by Quality Management systems include:

Document Management and Control (for SOPs)
Audit Management
Out-of-Specifications/Non-Compliance Tracking
Corrective and Preventive Action (CAPA)
Change Control
Training
Equipment Calibrations

AMR, an industry analyst firm based in Boston, in a recent report on the risk from the current systems to support FDA compliance, stated that Information Technology (IT) applications have not been integrated to support end-to-end compliance business processes. This issue will come under increasing regulatory pressure as the FDA targets a top-down, risk-based approach to consumer product safety. Product integrity and consumer safety are still disconnected across product supply and customer-facing processes because IT environments today support prioritized quality applications at local sites. These applications include CAPA, quality monitoring and Laboratory Information Management System (LIMS) applications, complaint management, and adverse event management. No enterprise-wide straw man exists for managing quality and compliance across global operations.

Leading pharmaceutical, drug discovery and development companies are aggressively investing in quality management systems through initiatives that:

Establish and Monitor Company Wide Quality Programs
Assure Compliance with Company and Regulatory Procedures and Guidelines
Provide Release and Approval of all cGMP Documentation, including Standard Operating Procedures (SOPs) and Batch Records
Enable Auditing of:
  Chemical Development, Medicinal Chemistry, and Analytical Departments
  Manufacturing and Packaging facilities
  Analytical chemistry laboratories
  Drug formulation facilities
  Raw material supplier audits
  Contract testing organization

Risk-based methodology enables companies to create a prioritized roadmap for compliance with 21 CFR Part 11 while staying within their budgets. This roadmap allows the IT organization to start selecting and implementing new systems, such as an enterprise-wide Quality Management System, and upgrading existing production systems that create batch records.

Supplier Charge-backs
Most manufacturers have implemented a Supplier charge-back program, where a supplier is charged for the additional cost incurred by a manufacturer due to non-conforming components, materials and late deliveries from suppliers. A charge-back system is an effective way to introduce business discipline and accountability into the supply chain.

However, most manufacturers only end up recovering the material costs of non-conforming components from their supplier. This is primarily attributed to the inability of their information systems to capture non-material costs associated with the non-conforming component. These non-material costs normally exceed the costs of non-conforming material and can end up costing manufacturers millions of dollars a year on an accumulated basis due to poor supplier quality.

The supplier manual of a major consumer electronics manufacturer suggests that, as a result of non-conformance, the following activities will be charged back to the supplier at per-hour wage costs.

1. Operator/Foreman handling
2. Eventual disassembly of the part
3. Administration to take the part out of stock
4. Quality department handling
5. Handling by the planner to get a new part
6. Transportation back to the receiving area
7. Communications with the supplier - what shall be done with the part?
8. New instructions
9. Attention from engineers
10. Packing and arranging transport back to the supplier
11. Invoice Handling

Our research shows that current ERP systems or departmental quality management systems do not support this process well. Hence most companies end up using manual systems such as spreadsheets to calculate charge-backs. As a result, the actual COPQ (Cost of Poor Quality) costs are always higher than what is charged back. Before investing in "add-on" software applications, we recommend that you design a quality management process that spans the entire organization and includes relevant suppliers. This step should incorporate key quality processes including audit, non-conformance tracking, corrective action, change control and charge-backs. Once a sound non-conformance process workflow is outlined, you should then evaluate and select software applications that provide a standardized platform for automating dispute discovery and capture. The system should enable charge-backs to be more easily itemized, categorized, routed and escalated. In contrast to manually tracking data on spreadsheets, which allows only a periodic, after-the-fact review of charge-backs, a new system should provide an integrated, real-time solution that enables deductions to be managed and addressed at any level of detail and resolved in a timely manner. Such a system also exposes the actual cost of poor quality and provides a backdrop for the manufacturer to work closely with the supplier in identifying the root cause of the problem and implementing Corrective Actions.

What is Your Company's Cost of Poor Quality - Tools for calculating and reducing it
"Quality is never an accident, it is always the result of an intelligent effort" - John Ruskin (1819-1900)

A manufacturing company had annual sales of $250 million. Its quality department calculated the total cost of repair, rework, scrap, service calls, warranty claims and write-offs from obsolete finished goods. This aggregated cost, called Cost of Poor Quality (COPQ), amounted to 20% of their annual sales. A 20% COPQ implied that during one day of each five-day workweek, the entire company spent its time and effort making scrap, which represented a loss of approximately $100,000 per day.

Experts have estimated that COPQ typically amounts to 5-30% of gross sales for manufacturing and service companies. Independent studies reveal that COPQ is costing companies millions of dollars each year and its reduction can transform marginally successful companies into profitable ones. Yet most executives believe that their company's COPQ is less than 5%, or just do not know what it is. All levels of executives recognize that quality is an absolute necessity to survive and succeed in today's business environment. The diagram below provides a framework for calculating COPQ as a percentage of sales.

In a recently published book, "Success through Quality", the author estimates that COPQ for an average company is about 20% of sales, with a range as wide as under 1% for companies who have achieved "six sigma", about 15%-25% for companies who are at the "four sigma" level and about 25% to 40% of revenue for companies who are at "three sigma" levels. A large Fortune 500 communications company calculated its COPQ at 8.6% of sales in 2002 and has set a goal of 5.4% for 2005, which will result in a savings of a little less than $1 billion per year!

COPQ in a Supply Chain

The COPQ of individual suppliers participating within a supply chain has a cumulative effect on the COPQ of the OEM shipping the end product - see figure below. As a result, companies are working very proactively with their suppliers to reduce their COPQ. Many OEMs are also implementing supplier charge-backs (also called cost recovery), where a supplier is charged for the additional cost incurred by the OEM due to nonconforming components and materials and late deliveries from suppliers. A charge-back system is an effective way to introduce business discipline and accountability into the supply chain. OEMs use it as a "stick" for their suppliers to drive them to collaboratively identify the root cause of quality problems and to implement corrective actions.

Reducing COPQ

Systematic reductions in the Cost of Poor Quality can be attained by implementing a Quality Management System (QMS) that provides an integrated and closed loop corrective action process. In a manufacturing organization, when deviations, nonconformance, out of specifications, quality incidents or customer complaints occur, corrective and preventive actions need to be initiated to remedy the problems.

Once a quality problem has been identified, the first step is to initiate an investigation and to properly identify the root cause of the problem. After the root cause has been identified, Corrective Action (CAPA) items are created and routed for approval. When approved, appropriate changes are implemented in the environment and then the CAPA is closed out. These changes may include amendments to a documented procedure, upgrading the skill set of an employee through a training and certification process, or recalibrating the manufacturing equipment. In addition, the system may capture COPQ associated with that non-conformance and use that information to initiate and complete a cost recovery process with a supplier. It is critical to deploy a closed-loop, integrated quality management system, rather than a set of loosely connected modules from one or more vendors. Integration ensures that the information flows through the corrective action process with a high degree of accuracy and velocity without falling through the cracks. It also ensures that the entire change control process is auditable from end-to-end - a critical requirement to support FDA 21CFR part 11 and the Sarbanes-Oxley Section 404 audit criteria.

The QMS system should also be web-based, so that the suppliers can easily participate in the quality management process. The suppliers often use the same plant to manufacture products for multiple OEMs. As a result, they cannot be forced to install different systems for different OEMs at the same plant to support their respective quality needs. Hence the OEM has to rely on process and product quality information from the supplier's quality system. That information usually does not integrate well with the OEM's own systems and is frequently not available in a timely manner. A Web-based QMS allows the OEM to make the application available to the supplier without requiring the supplier to implement the system at their site. As a result, the supplier can provide relevant quality information about the shipment to the OEM even before it ships from the supplier's dock. If there are quality issues with any supplier component, manufacturers can take appropriate preventive action even before it arrives or take it out of the supply chain to reduce their own COPQ. QMS systems that do not support web architecture make it difficult for an OEM, participating in a supply chain, to reduce its effective COPQ.

MetricStream

MetricStream, a market leader in Quality and Compliance Management Systems, allows its customers to dramatically reduce COPQ through its integrated and comprehensive quality management solution. Market leaders in industries as diverse as Automotive, High Technology, Consumer Goods, Manufacturing, Pharmaceutical, Food Services and Government use the company's solution. Developed from the ground up using web architecture, MetricStream provides an integrated set of the following modules to drive closed loop corrective actions and reduce COPQ:

- Audit Management
- Inspection Management
- Non-Conformance Management
- CAPA
- Change Control
- Document Management
- Training Management
- Equipment Management
- Cost Recovery

Workplace Safety Compliance: The New Approach


Workplace Safety is emerging as one of the key risk management and regulatory compliance focus areas among many global companies. As a result of this trend, traditional workplace safety compliance systems, which were designed to be point solutions at a plant-level, are giving way to enterprise-wide safety management systems. Such systems need to comply with the OSHA 29CFR regulations and support the OHSAS 18001 framework, while providing enterprise-wide visibility into incidents and trends, corrective actions and process metrics. This paper highlights the requirements of next generation systems for workplace safety compliance.

Occupational Safety and Health Administration (OSHA) Regulations

OSHA's mission is to assure the safety and health of America's workers by setting and enforcing standards; providing training, outreach, and education; establishing partnerships; and encouraging continual improvement in workplace safety and health. OSHA and its state partners have approximately 2100 inspectors, plus complaint discrimination investigators, engineers, physicians, educators, standards writers, and other technical and support personnel spread over more than 200 offices throughout the country. This staff establishes protective standards, enforces those standards, and reaches out to employers and employees through technical assistance and consultation programs. The passage of the Williams-Steiger Occupational Safety and Health Act of 1970 clearly defined the regulations governed by OSHA.

The Occupational Safety and Health Act of 1970 was passed to assure safe and healthful working conditions for working men and women; by authorizing enforcement of the standards developed under the Act; by assisting and encouraging the States in their efforts to assure safe and healthful working conditions; by providing research, information, education, and training in the field of occupational safety and health; and for other purposes. The regulations under the act are covered in 29 CFR.

29CFR Part 1903 states that:

- Every employer covered under the Williams-Steiger Occupational Safety and Health Act of 1970 furnish to his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees.
- Employers comply with occupational safety and health standards promulgated under the Act, and that employees comply with standards, rules, regulations and orders issued under the Act which are applicable to their own actions and conduct.
- The Department of Labor be authorized to conduct inspections, and to issue citations and proposed penalties for alleged violations.

29CFR Part 1904 requires employers to record and report work-related fatalities, injuries and illnesses. Under the act, companies are required to use OSHA 300, 300-A, and 301 forms, or equivalent forms, for recording work-related injuries and illnesses.

First Generation Safety Compliance Software

With the 29CFR safety regulations came a rash of companies dedicated to helping manufacturers comply with the regulation. Most of these companies were small to midsize consulting and training firms that helped manufacturers set up automated systems to manage their compliance - primarily record keeping and reporting. They sometimes added auditing services to measure levels of compliance pre- and post-project. These first generation applications were almost always developed as point systems to address specific requirements such as OSHA incident recording and reporting or Material Safety Data Sheets (MSDS) and Hazardous Material Inventory management. The following diagram lists various point solutions in the market along the health and safety continuum.

Global Organizations Begin To Look for Next Generation Safety Solutions

Most first generation applications in use today have been purchased by the plant personnel - the environmental safety department or the plant HR organization. In some cases, they developed simple applications in-house. As a result, many large corporations have ended up with different systems in different plants, making it difficult for the plants to share EH&S (Environmental Health & Safety) information with their corporate headquarters or other factories. The setup is not only inefficient, but it obstructs companies from sharing and implementing common EH&S management practices across the entire enterprise, the foundation for standards such as OHSAS 18001.

OHSAS 18001 (Occupational Health and Safety Assessment Series) is a consensus standard developed in 1999 by an independent group of national standards bodies and certification bodies (registrars). OHSAS 18001 was specifically developed to be compatible with ISO 9001 and ISO 14001 (the environmental management system standard) to allow companies to develop and register integrated quality, environmental and occupational safety and health management systems. OHSAS 18001 covers:

- Developing an OHS Policy
- Hazard Identification & Risk Assessment
- Training Employees
- Implementing OHS Control Measures
- Emergency Planning
- Document and Record Control
- Internal Audit Programs
- Corrective and Preventative Action
- Management Involvement and Management Review

In addition, many progressive manufacturers see EH&S as beyond just a compliance issue. Rather, they see it as a risk-management issue. As a result, EH&S has gained more visibility at corporate headquarters and corporate I.T. is being asked to implement systems that transcend plant boundaries.

The combination of a need to support the OHSAS 18001 framework and the need for a corporate-wide safety solution has created a trend that is analogous to the ERP story, where large corporations ripped out local-level point systems in favor of global ERP systems.

The industry analysts have identified the following core requirements of an enterprise-wide safety system:

- The system should provide an integrated set of modules that enable OHSAS 18001 to drive a closed loop process for reducing the potential risk of safety incidents:
  - Audit/inspection Management
  - Incident Management
  - Corrective Action
  - Change Control
  - Document Management
  - Training Management
- The system should enable users to capture and report incidents and provide information on hazardous material.
- The system should be developed from the ground up using web architecture, so it can be easily accessed by any user within the company and can easily integrate with other systems or corporate portals.
- Enterprise-wide reporting on an incident/plant/division/company hierarchy and an Executive Dashboard to report on key process indicators.

A system that implements such capabilities will meet both objectives for Workplace Safety - risk management and regulatory compliance at the enterprise level, as well as, at the plant level.

About MetricStream

MetricStream, a market leader in Quality and Compliance Management Systems, was designed to allow its customers to comply with various industry regulations governed by FDA, EPA, NHTSA, OSHA etc. as well as industry initiatives such as ISO 9000, QS 9000 and Six-sigma. Market leaders in industries as diverse as Automotive, High Technology, Consumer Goods, Manufacturing, Pharmaceutical, Food Services and Government use the company's solution. Developed from the ground up using web architecture, MetricStream provides an integrated set of the following modules to drive closed loop corrective actions and increase compliance:

- Audit Management
- Inspection Management
- Incident Management
- Corrective Action (CAPA)
- Change Control
- Document Management
- Training Management
- Equipment Management
- Process Dashboards

Corrective Action (CAPA) Systems at Innovative Companies


Increased regulatory pressures, the latest customer mandates and internal quality initiatives are requiring companies to take a proactive and automated approach to their corrective action process. Regulatory compliance requires organizations to capture all corrective action issues and track their corrective action process to completion. About 30% to 50% of all 483 citations in FDA regulated industries are related to problems with Corrective Action & Preventive Action (CAPA) processes. The corrective action process also forms the core of various quality management disciplines such as Six Sigma DMAIC (Define, Measure, Analyze, Improve and Control) or TOPS-8D (see the table below) or ISO 9000.

In a manufacturing organization, when Deviations, Nonconformance, Out of Specifications, Incidents or Complaints occur, Corrective and Preventive Actions need to be initiated to remedy the problem. Once a CAPA has been initiated, it follows its assigned workflow process. For instance, the first step may be to initiate an investigation and to properly identify the root cause of the nonconformance. Once the root cause has been identified, CAPA items can be created and routed for approval. Once the corrective actions have been approved, appropriate changes are implemented in the environment and then the CAPA is closed out.

A software solution can be very helpful in managing and tracking a CAPA process. According to AMR Research, a leading industry analyst firm, the core functionalities resident in a CAPA system should include the following:

- Web-based change management, audit trails, and tracking
- Visualization, reporting, and quality performance analytics
- Configurable workflows and standard template-based best practice workflows
- Roles-based information view
- Trigger and event management and integration to back-end systems
- A modular product, capable of being incrementally deployed

The adoption of CAPA systems will become widespread because of their enabling role in mitigating significant business risks and driving quality as an integrated part of the manufacturing process. As a result, companies are no longer buying a stand-alone CAPA system; they want their CAPA solution to be an integrated part of a quality and compliance solution.

Team-Oriented Problem Solving, 8 Disciplines (TOPS-8D)

Step 1: Form an appropriate cross-functional team. The team should include a champion who has the resources and authority to implement the team's solution.
Step 2: Define the problem.
Step 3: Contain the problem. Protect the customer from the problem. This step can be omitted when 8D is used for a proactive improvement because there is no "problem" (like defective parts).
Step 4: Identify the root cause.
Step 5: Select a permanent correction.
Step 6: Implement the corrective action and verify its effectiveness.
Step 7: Make the change permanent (standardization). Also share the solution with similar operations. This is best practice deployment.
Step 8: Recognize the team's achievement.

Ensuring Regulatory Compliance through Training and Certification


Role of Training and Certification in Regulatory Compliance

In recent years, there has been a dramatic growth in compliance and regulatory requirements across all industries. There are over 130,000 pages of rules in the Code of Federal Regulations. In addition, over 60 Federal Agencies issue about 4,000 new regulations every year. These federal regulations are the law-of-the-land and organizations covered under such regulations need to actively implement them. Non-compliance can cost organizations millions in fines, litigation, opportunity costs and production delays. Organizations need to ensure that they are fully compliant with all of the regulations and reporting requirements of their industry in order to avoid being fined and cited by the respective regulatory bodies. Hence employees and management in these organizations should be able to interpret and internalize relevant regulations and then apply them to their daily business processes. Often, it is lack of proper employee training that leads to actions causing non-compliance, resulting in stiff penalties. Hence, a critical success factor for regulatory compliance is keeping the workforce well trained.

Enterprise Requirements

The following are the three core aspects of employee training and certification within a regulated organization:

Understanding the Regulations: In order to ensure compliance with all relevant regulations, it is first necessary for the employees to understand the core requirements of a regulation and its impact on their daily work.

Job Training: A core aspect of regulatory compliance is ensuring that the workforce is trained in all parts of their job. In fact, 21CFR part 11 requirements state that persons who develop, maintain, or use electronic record or electronic signature systems must have the education, training, and experience to perform their assigned task. Hence, regulatory compliance requires that people be trained in various aspects such as:

- Operating equipment safely under OSHA compliance;
- Following standard recipes for manufacturing to ensure quality and consistency for FDA compliance;
- Ensuring that the contracts are done right to SOP-97 for SOX compliance.

Change Control: One of the key training objectives is to ensure that a proper change control procedure is followed throughout the company. The two most frequent problems in maintaining compliance are keeping the Standard Operating Procedures (SOPs) updated and giving employees adequate training on any SOP changes. Any modifications to the system or process need to be communicated to the workforce. It is imperative that these changes are understood and implemented through information dissemination, training and certification.

Specific Regulatory Requirements

Different regulatory bodies have defined specific requirements for employee training. Examples of the impact of specific regulations on training include:

FDA - 21 CFR: Ensuring electronic data security and integrity is vital from a regulatory, as well as from a business standpoint. It is important that employees of FDA regulated enterprises be trained in following the current regulatory requirements for electronic records and electronic signatures. In addition, compliance training should teach employees to:

- Interpret the FDA's most recent guidelines and inspectors' expectations
- Develop and utilize 21 CFR Part 11 compliance tools such as audit checklists and
- Perform risk assessment on computer system validation.

SEC (Sarbanes-Oxley): In August 2002, the SEC implemented the Sarbanes-Oxley Act, wherein the CEOs and CFOs of all publicly traded companies in the U.S. must represent that their financial filings are fair and correctly stated. In order for the senior management of a company to comply with these requirements, companies need strong policies, processes, and programs to ensure a high level of internal controls as well as financial disclosure controls. This in turn requires that all appropriate employees be trained in areas such as defining and validating internal controls, COSO framework, and risk assessment. In addition, employees should be trained on the specific clauses of sections 302 and 404 of the Sarbanes-Oxley Act.

OSHA: Many standards promulgated by the Occupational Safety and Health Administration (OSHA) explicitly require the employer to train their employees in the environmental health and safety aspects of their jobs. Other OSHA standards make it the employer's responsibility to limit certain job assignments to employees who are certified, competent or qualified. These requirements reflect OSHA's belief that training is an essential part of every employee's safety and health and it protects workers from injuries and illnesses.

Harassment: In today's business environment, it is now very important that employers take affirmative measures to prevent unlawful harassment in the workplace. At a minimum, employers should provide training to employees and supervisors on anti-harassment issues, and document that training. According to recent court decisions, proof of effective training may help to establish a defense against harassment claims that do arise, or help to reduce or avoid an award of punitive damages.

Solutions for training in regulated industries

According to AMR Research, companies need to tightly link their employee training module to their execution systems to close the loop on compliance. In addition, change control is a carefully managed process in regulated environments, but it often requires retraining or re-certification. As a result, compliance with regulations such as Sarbanes-Oxley, HIPAA, OSHA, The Patriot Act or internal initiatives such as ISO 9000, requires that training be an integral part of the compliance management systems.

According to leading industry analysts, the core capabilities of any software for regulatory compliance should be a closed-loop solution set that contains audit management, corrective action, change control, training and document management. As a result, when an audit uncovers serious process non-conformance, the CAPA process is triggered which leads to a preventive action plan that may incorporate a Standard Operating Procedure (SOP) change, requiring retraining of some group of employees on the new SOP. A re-audit will then ensure that the problem was corrected.

In summary, training has become an integral part of compliance with Federal regulations (FDA, OSHA, Sarbanes-Oxley etc.) or internal mandates (ISO9000, six-sigma etc.). Hence, training software needs to become core to any quality and compliance management system.

IT Systems Validation for Regulatory Compliance


Importance of Information Systems Audit and Validation

Information technology has become a core enabler of business processes within the organizations today. As a result, companies are required to audit and validate their relevant IT systems to ensure that their business processes and underlying records comply with regulations such as the Sarbanes-Oxley Act of 2002 or Healthcare Insurance Portability and Accountability Act (HIPAA) or 21 CFR Part 11 (FDA). This paper defines an easy-to-implement framework for auditing and validating IT systems for regulatory compliance. It also identifies a best practice which calls for IT organizations and software vendors to proactively audit their software development and implementation processes on an ongoing basis to identify and correct any systemic issues to lower the cost of compliance.

Figure 1: Sarbanes-Oxley: Internal Control Components (Source: IT Control Objectives for Sarbanes Oxley, ISACA)

The Sarbanes-Oxley Act, signed into law on July 30, 2002, takes corporate governance, disclosure and financial accounting to new heights. The crux of the legislation, aimed squarely at public companies, centers on ensuring the accuracy, consistency, transparency, and timeliness of financial results and disclosures. Establishing and maintaining an adequate internal control structure and procedures for financial reporting is at the core of compliance with section 404 of the Sarbanes-Oxley Act. However, there is a strong linkage between the enhanced internal controls that the act demands and the information systems that manage data, implement workflows, and automate business processes. In fact, the accuracy and timeliness of financial reporting is heavily dependent on a well-controlled IT environment. PCAOB Auditing Standard No. 2 discusses the importance of IT in the context of internal control. In particular, it states: "The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting." Many companies are using the COSO framework for internal controls where the importance of IT controls is embedded in the framework. These companies are then applying the COBIT model of IT Governance to ensure that the right level of IT controls are implemented (see figure 1). Compliance with the Sarbanes-Oxley Act requires that financial systems used in the preparation of required financial statements be controlled and validated to prove the accuracy and timeliness of certain financial data.

HIPAA (Healthcare Insurance Portability and Accountability Act, passed in 1996) presents the health care
industry with extensive regulations that significantly impact the technical and operational aspects of health care information systems and embedded health care systems. It includes standards for electronic exchange of administrative and financial healthcare transactions between health care providers and insurance providers and includes privacy rules to protect the confidentiality and security of health data being transmitted. Companies have rushed to make appropriate changes to their software to comply with the regulation. However, the challenge now is to ensure that the systems infrastructure continues to be validated on an ongoing basis to stay compliant with the HIPAA requirements.

21CFR Part 11 was implemented in 1997 to let the FDA accept electronic records and signatures in place of paper records and handwritten signatures for compliance. The regulation outlines controls for ensuring that electronic records and signatures are trustworthy, reliable, and compatible with FDA procedures and as verifiable and traceable as their paper counterparts. Hence 21 CFR Part 11 also specifies a number of requirements for software systems to enable trustworthy and reliable electronic records and signatures (see Figure 2). These software requirements must be met for the resulting electronic records to comply with FDA mandated Current Good Manufacturing Practices (cGMP). If an organization employs electronic records and signatures, but fails to comply with these system requirements, the FDA will cite the firm for violating the underlying regulation. The potential impact might include FDA requested recall, FDA mandated recall, warning letter, seizure, injunction, prosecution, civil penalties, and detention.

Figure 2: Scope of 21CFR Part 11 Requirements (Source: CGE&Y)

IT System Validation is a key 21CFR Part 11 requirement - its primary benefit is to assure quality and performance of the systems deployed to manage any cGMP process.
Empirical evidence states that if a specific process is managed by a validated IT system, it will consistently yield a product that meets its predetermined specifications and quality requirements.

What is IT System Validation?

IT system validation is the process of verifying all the system functions in writing and ensuring that the performance of those functions meets system specifications and data integrity. To successfully manage compliance, each regulated system must be proven to operate in accordance with its intended use and design, and in certain organizations such as those regulated by FDA, all documentation supporting that evidence must be in a form acceptable to the regulatory body upon audit. The scope of the systems that needs to be validated is based on the regulatory body. For example, in an FDA environment, any software used to automate device design, testing, component acceptance, manufacturing, labeling, packaging, distribution, complaint handling, or to automate any other aspect of the quality system is in scope of validation requirements. In addition, computer systems used to create, modify, and maintain electronic records or systems that maintain certain employee training records are also subject to the FDA validation requirements. Such computer systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. Similarly, compliance with Section 404 of the Sarbanes-Oxley Act requires that financial systems used in the preparation of required financial disclosures and statements be controlled and validated to prove the accuracy and timeliness of certain financial data.

Framework for System Validation

While various consulting companies have created their own methodologies for systems validation, our experience shows the following framework to be comprehensive and applicable to both off-the-shelf and home grown software solutions.
This framework ensures that the software being deployed meets the regulatory requirements and will continue to be compliant over time. Key elements of that framework include:

Compliance with core regulatory requirements: This element requires that the software is audited to be compliant with the key requirements of the regulation. For example in FDA regulated industries, the software should comply with the following 21CFR Part 11 requirements:

- Any change to any record is captured in the audit trail and these entries are time stamped with additional information including operator name and why the record was changed.
- System provides adequate security to prevent unauthorized modification by ensuring role-based access and preventing users from directly updating the database.
- Software employs electronic signatures for any transaction into the system.

Similarly, HIPAA requires that the information systems that maintain electronic Protected Health Information allow access only to those persons or software programs that have been granted access rights as specified.
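The audit-trail and access requirements listed above can be made concrete in code. The following Python example is added here for illustration and is not code from the paper or from any vendor's product: each change attempt is recorded with a time stamp, operator name and reason, writes are limited by role, and two checks detect an altered audit entry or a record changed directly in the store. The role table, record names and the SHA-256 hash chain used for tamper evidence are assumptions of this example; electronic signatures are not modelled.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role table (assumption): only some roles may change records.
ROLE_PERMISSIONS = {"qa_manager": {"read", "write"}, "operator": {"read"}}
GENESIS = "0" * 64  # prev_hash value for the first audit entry


class AccessDenied(Exception):
    """Raised when a role without write permission attempts a change."""


def _digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditedStore:
    """Record store in which every change attempt lands in a hash-chained trail."""

    def __init__(self):
        self.records = {}  # record_id -> {field: value}
        self.trail = []    # append-only list of audit entries

    def _append(self, action, user, role, record_id, field, old, new, reason, now):
        entry = {
            "seq": len(self.trail),
            "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
            "action": action,
            "operator": user,
            "role": role,
            "record_id": record_id,
            "field": field,
            "old_value": old,
            "new_value": new,
            "reason": reason,
            "prev_hash": self.trail[-1]["entry_hash"] if self.trail else GENESIS,
        }
        entry["entry_hash"] = _digest(entry)
        self.trail.append(entry)
        return entry

    def update(self, user, role, record_id, field, new_value, reason, now=None):
        """Apply a change only for an authorized role and only with a stated reason."""
        reason = (reason or "").strip()
        old = self.records.get(record_id, {}).get(field)
        if "write" not in ROLE_PERMISSIONS.get(role, set()):
            # Denied attempts are written to the trail as well, then rejected.
            self._append("denied", user, role, record_id, field, old, new_value, reason, now)
            raise AccessDenied(f"role {role!r} may not modify records")
        if not reason:
            raise ValueError("a reason for the change is required")
        entry = self._append("update", user, role, record_id, field, old, new_value, reason, now)
        self.records.setdefault(record_id, {})[field] = new_value
        return entry

    def verify_trail(self):
        """Return the seq of the first altered or misplaced entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.trail):
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or entry["entry_hash"] != _digest(entry)):
                return i
            prev = entry["entry_hash"]
        return None

    def out_of_band_changes(self):
        """List (record_id, field) pairs whose stored value differs from a replay
        of the trail, i.e. values written directly, bypassing update()."""
        replayed = {}
        for e in self.trail:
            if e["action"] == "update":
                replayed.setdefault(e["record_id"], {})[e["field"]] = e["new_value"]
        diffs = []
        for rid in sorted(set(replayed) | set(self.records)):
            want, have = replayed.get(rid, {}), self.records.get(rid, {})
            for f in sorted(set(want) | set(have)):
                if want.get(f) != have.get(f):
                    diffs.append((rid, f))
        return diffs


def demo():
    """Run the checks on constructed sample data (one batch record, two users)."""
    store = AuditedStore()
    store.update("alice", "qa_manager", "BATCH-001", "status", "released",
                 "QC results within specification")
    try:
        store.update("bob", "operator", "BATCH-001", "status", "rejected", "typo")
    except AccessDenied:
        pass
    intact = store.verify_trail()
    store.records["BATCH-001"]["status"] = "rejected"  # direct write, no audit entry
    bypassed = store.out_of_band_changes()
    store.trail[0]["operator"] = "mallory"  # someone edits an existing audit entry
    altered_at = store.verify_trail()
    return intact, bypassed, altered_at, [e["action"] for e in store.trail]
```

An unkeyed hash chain only exposes edits by someone who cannot also recompute every later hash, so the latest entry_hash would need to be anchored somewhere the database administrators cannot write.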

Audit and Validation for intended use: This element requires that the requirement specifications are developed for the intended use of the system. First, the system documentation is audited against the intended use specification to identify any issues. Then the IT system itself is audited using the intended use specification to identify any issues. Major issues need to be corrected using the closed-loop change control method (see lifecycle methodology below) and the system needs to be retested before it can be certified to be validated as ready for intended use.

Lifecycle Methodology: This element ensures that the software vendor (or IT development organization) that develops the software and the IT organization that implements the software follow a clearly defined and documented software lifecycle methodology to ensure good quality and prevent any software defects that cause non-compliance. The components of the lifecycle include:

- All system requirements must be clearly defined before any design or coding effort starts. All system functions must be identified at this stage.
- System design specification must be clearly documented and design reviews must be done to evaluate the capability of the design to meet system requirements and to identify any problems.
- Test plans, test procedures and test cases should be developed as early in the development lifecycle as possible.
- Coding standards should be well documented and code reviews must be done to ensure that these standards are followed.
- Multi-level testing methodology including unit test, functional test, integration test and system test must be followed. In addition, stress testing and disaster recovery testing must be performed to ensure that system performance requirements are met.

Closed-loop change control: This element ensures that proper change control documentation, approval and testing procedures are followed for any changes, including correcting software defects, adding new capabilities for a new version of the software or making changes to software configuration. Change control procedures must be written and well understood by the developers through adequate training, to ensure compliance. Unauthorized changes to a validated system, even during the implementation process, can have a detrimental effect on the system integrity.


Figure 3: Mapping of COSO and COBIT for the system lifecycle Source: IT Control Objectives for Sarbanes Oxley, ISACA


Facility: This element requires that the vendor facilities, as well as the IT organization, be audited to ensure that they employ adequate security controls to prevent unauthorized access to software, computer rooms and backup media storage rooms.

Organization: This element ensures that the software developers, designers, QA engineers and project managers are trained to perform the technical aspects of their jobs and that the company has training policies to ensure they continue to have the right skills on an ongoing basis to do their job. This requirement is specified in the FDA regulations and in the COSO framework.

Organizations that implement this framework find it easier to keep their system validated on an ongoing basis.

Using a QMS system to streamline IT audit and validation process

In a world where technology and business practices are dynamic rather than static, reactive validation methodologies provide questionable value. Best practices call for IT organizations and software vendors to proactively audit their software development and implementation processes on an ongoing basis using the framework defined above and to identify and correct any systemic issues arising from the audit. In order to streamline and automate the entire IT audit and corrective action process, industry leaders are deploying Quality Management Systems (QMS) within their IT/development organizations.

The QMS system serves as a system-of-record for the IT systems validation project. All documents including functional requirements, system specifications and test plans are stored in its repository. The QMS audit capabilities are used to create and track an audit checklist and its results. Once issues have been identified through the internal audit process, the first step is to initiate an investigation and to properly identify the root cause of the problem. After the root cause has been identified, Corrective Action (CAPA) items are created. When corrective actions are approved, appropriate changes are implemented in the environment through a change-control process and then the CAPA is closed out. These changes may include amendments to a documented procedure/SOP, creating a new documented procedure/SOP when one is lacking, placing controls to ensure that the documented process is followed, or upgrading the skill set of an employee through a training and certification process. The QMS dashboard provides IT and regulatory compliance executives with an ongoing view into the status of the validation process.

By using QMS, companies ensure that the ongoing and proactive audit and corrective action process is systematized and provides the basis for lowering the cost of compliance.

In summary, system validation is not a one-time project; it is an ongoing process. Through a combination of a good implementation of system development lifecycle, proactive auditing of the software development and implementation process and automation of the audit and corrective action process, companies can easily comply with the system validation requirements of regulations such as 21CFR part 11, Sarbanes-Oxley or HIPAA etc. at a lower cost of compliance.


Implementing a well designed audit program


In our July 2004 issue, we discussed best practices for incorporating audits into your operational framework. In this issue, let us take the discussion further and ask how to most effectively implement audits in a global organization. To put the problem in context, let us look at a specific use case scenario at a large retail chain.

A large and diverse retail organization selling convenience and fast food products has set up a global organization for field audit management. The fully staffed field audit team, comprising internal staff and contracted auditors, is chartered to work closely with the store management, retail staff, company auditors and regional sales managers. Retail field audits are conducted to evaluate and reduce quality issues at shipping and receiving, reduce on-site safety incidents, achieve inventory loss prevention, and provide closed-loop feedback for continuous improvement at the retail stores. The current process for managing field audits is manual and error-prone. Audits are conducted manually using photocopied questionnaires and checklists. Audit scores are manually assigned to test compliance with the corporate quality standards, safety guidelines and inventory loss prevention procedures and controls. The field auditors use a multi-sheet Excel spreadsheet to conduct their scheduled and spot field audits, and upload the information to the corporate audit support team, who then summarize the information and distribute the findings and compliance reports to management. While this manual approach provides the basic audit data, it does not enable deep-dive analysis of the root causes of audit scores. Audit metrics are hard to create, change and monitor, and therefore the organization lacks the ability to actually improve the audit scores, share best practices and improve quality and customer satisfaction.

Does this use case scenario sound familiar? This fast growing retail chain has incorporated audits into their operational framework, but are they most effectively implementing the audit process for maximum benefits to the organization? Here are some tips which we have seen work in many customer scenarios.

Requirements for a well-designed Field Audit program

In talking to our customers and industry analysts, we believe that a well-designed audit program must achieve the following at a minimum.

Provide immediate access to all of the field audit data at any level, across the extended enterprise (corporate, stores, franchisees, suppliers etc.)
Establish an audit database and warehouse across all the field locations to enable real-time and historical analytics, trend-analysis, and root cause analysis on inventory losses, safety and quality incidents.
Automate and streamline the data entry process of the audit data to minimize errors.
Enable auditors to distribute audit results to the store managers, distribution managers and executives.
Enable auditors to review audit scores interactively with the store personnel and raise the audit scores through training and continuous improvement programs.

Top 5 Recommendations for implementing a well-designed Field Audit program

1. Look for a solution that automates the entire audit process. A well-designed audit solution must meet all of the requirements discussed earlier. While one may start small with one aspect of audit management, it would pay to understand how your audit program would scale to deliver
   a. Automated reporting and analytics
   b. Online and offline audit data capture
   c. Integrated corrective action and incident tracking
   d. Integrated document and training management for Standard Operating Procedures (SOPs) and closed-loop training to improve audit scores.

2. Look for a mobile solution that is practical and usable for the field auditors. Many audit programs fail because the auditors find it hard to use the system while they are in the field conducting the audits. Forward thinking organizations are insisting on offline and mobile auditing solutions so that auditors can conduct the audit in the field and not have to re-enter their data when they come back to their office. Re-entry of audit data is the single most common point of error, and we recommend avoiding it. Simple questions to ask and consider:
   a. Can the auditors email the audit forms? Can those emailed audit forms be automatically synced up with the centralized audit database?
   b. Can hand-held devices like PDAs be used to conduct audits?
   c. Are there built-in real-time rules to check for data integrity at the point where auditors are capturing the audit data in the field?

3. Look for a real-time audit solution. Remember that the real goal of an audit program is not just to monitor the audit scores across your extended enterprise, but to raise the audit scores through real-time actions and processes. Simple questions to ask and consider:
   a. Can audit results be tightly integrated with corrective action and preventive action plans?
   b. Can audit scorecards trigger a well-integrated training program to raise the performance of the under-performing units?
   c. Can the Standard Operating Procedures and controls be modified effectively based on audit findings?
   d. Can the management drill down into specific audit failures and understand the root cause and trends?

4. Look for an audit solution that is auditable. A well-designed audit solution must be auditable in itself. You should be able to audit the auditors to ensure that the program is running as you expect it to run. Simple questions to ask and consider:
   a. Can you set up audits for the auditors?
   b. Can you train and manage your auditors to conform to your standard operating procedures?
   c. Do your field auditors believe that management and reviewers have full visibility into their data and results?

5. Look for an audit solution that can change with your business and processes. No matter which business or process you are trying to audit, changes are inevitable. New stores, new processes, future mergers and acquisitions will dictate that your audit methodology will evolve with time. Simple questions to ask and consider:
   a. Can you change the audit data or methodology?
   b. Can the audit scoring methodology be refined as you get more insights into your process or business?
   c. Can you enable and build new audit applications over time with the help of your IT staff or consultants?


How to build a Business Case for a Quality Management System

Most enterprise software projects require their champion to build a business case to justify the capital spend. In building a business case, the champion needs to capture all tangible benefits that the company would obtain from implementing the software and then place a defensible monetary value on these benefits in terms of annual savings to the organization. The goal of the business case is to ensure that the project delivers value greater than the corporate hurdle rate for capital investments. This paper provides a proven step-by-step process for developing a business case for a Quality Management System (QMS) within an enterprise.

A business case for a Quality Management System can be developed very rapidly by following the seven step process mentioned below:

Step 1: Identify Key levers
Step 2: Capture as-is Scenario and Collect Baseline Metrics
Step 3: Identify Root Causes of as-is Scenario
Step 4: Develop a to-be Scenario
Step 5: Model to-be Metrics
Step 6: Populate ROI model and Quantify the Benefits
Step 7: Communicate Value

Step 1: Identify Key Levers:


The first step of the process is to identify the top 3 to 5 quantifiable business levers which will be impacted by implementing the QMS. The key criterion for selecting these levers is that they should be exhaustive but should not overlap (to prevent double counting of benefits) and the impact of QMS on these levers should be quantifiable. A set of sub-levers helps identify detailed quantifiable cost savings or revenue increase from the selected levers. The following chart identifies the key levers for a QMS for an industrial products manufacturer, but may be applicable to most other manufacturing environments.

Step 2: Capture as-is Scenario and Collect Baseline Metrics

The next step is to identify the business processes that are related to the primary levers and sub-levers listed above, document the as-is scenario of such processes, identify the key metrics associated with these processes and determine the current value of these metrics. The user should also determine the calculations that enable him/her to leverage the metrics to determine the current value of each sub-lever. Finally the user should use these calculations to create a model for each sub-lever. See Appendix A for the screen shots of the model for each of the sub-levers identified in the example in Step 1 of this paper.

For example, if a sub-lever is recovering non-material related Cost of Poor Quality, then the user needs to document the current process for cost-recovery and then determine:

What is the current dollar amount of cost recovery last year?
What % of this cost recovery was non-material related?
What % of Suppliers are currently covered under chargeback/recovery program?
Hours spent on following steps (non material costs due to poor supplier quality)
    Operator/Foreman handling
    Eventual disassembly of the part
    Administration to take the part out of stock
    Quality department handling
    Handling by the planner to get a new part
    Transportation back to the receiving area
    Communications with the supplier - what shall be done with the part? New instructions
    Attention from engineers
    Packing and arranging transport back to the supplier
Administrative man-hours spent on chargeback (non material costs)
    Computing chargeback
    Communicating chargeback with suppliers
    Resolving disputes
    Communicating final resolution to purchasing & Payables

Calculation: Sum (hours of non-material activities needed on the component that failed inspection due to poor supplier quality *standard costs for each activity)

Similarly, if the sub-lever is reducing scrap, the user needs to capture the current process for scrapping inventory at each inspection point and then calculate the current value of scrap attributed to quality. Specifically, the user will need to identify:

For each inspection point
    Total Amount of Scrap in the last four quarters
    % of the Scrap value attributed to Quality (using reason code captured in the scrap transaction)

Step 3: Identify Root Causes of as-is Scenario

This is a key step in identifying why the current process is not delivering the target value for the metrics identified above (that map to best practices or internal targets) and enables the user to pin-point the issues in the current process.

For example, a user might discover that it is hard to determine the supplier-related poor quality issues at two inspection points in the Cleveland plant because the inspection steps at the machining-plus and molding-2 operations do not capture the right reason code for poor quality while scrapping material. Without the right reason codes captured, it is hard to identify the non-material costs incurred at these two operations due to poor supplier quality. While the new QMS would not address this issue, the user has uncovered that streamlining this process will enable the organization to implement the non-material related cost recovery processes.

The user might also discover that the cost recovery process is very manual and as a result there is a lot of leakage in cost recovery. Root cause analysis will determine that:

There is no one place to manage all open cases and disputes.
Chargeback information is scattered in multiple reports, on Excel and email.
Average chargeback resolution requires 4 reports, 12 emails and reviewing at least 5 spreadsheets.
5 cases representing $215K Million that have been open for over 8 months have slipped through the cracks.
It would be hard to scale to cover of the supply base without hiring 3 additional chargeback administrators. The company is committed to keeping headcount flat for the next 12 months, except in engineering and sales positions.


Step 4: Develop a To-be Scenario

This step enables you to visualize the to-be process flows with the new QMS solution. This step lays the foundation for how the new system will streamline the various processes that drive the primary levers and sub-levers identified in step 1 and how the new system will address the various issues identified in Step 3 (root-cause analysis of the as-is process).

For example, the diagram below enables the user to identify how the QMS system will streamline the information and process flow of the cost recovery process.

Step 5: Model to-be Metrics

This is the most critical part of the business case development process. The user determines how the to-be scenario will improve the key baseline metrics identified in step 2 for each of the sub-levers and creates assumptions for the new value of the metrics. Since this is the most subjective part of the overall process, it is recommended that the user create two scenarios for identifying improvements to the metrics:

Conservative Scenario: User assumes that change management related inertia will slow the improvements identified in step 4 to each of the processes.
Most Likely Scenario: User assumes that with strong sponsorship of the management team, the user will be able to achieve the most likely process improvements, factoring in some change management related pushback.


The following example shows the assumptions for new metrics associated with non-material cost recovery sub-lever, with very clear reasons behind these assumptions.

Step 6: Populate ROI Model and Quantify the Benefits

Once the user has determined the value of metrics in the to-be process, the next step is to:

Incorporate the assumptions for new metrics for conservative and likely scenarios for every sub-lever into the model.
Use the new metrics to calculate the annual $$ benefits for both scenarios for each sub-lever as a result of migration to the QMS system. Include only tangible savings. Non-tangible savings such as productivity improvements should not go into the calculation for total savings for the sub-lever from the QMS system.
Add the savings from each sub-lever to compute the total $$ savings for the organization.
Determine a schedule for phased realization of savings from implementing the QMS (e.g. 50% savings realized in year 1, 70% in year 2 and 100% in year 3, 4 and 5).
Use the hurdle rate to compute NPV.

The model for each of the sub-levers listed in step 1 in this paper is displayed in Appendix A and can serve as a guide in building a scenario-specific model.

Step 7: Communicate Value

Once the user has built the model with the new metrics and calculated the NPV, the final step is for the user to develop a management presentation that presents the business case for the QMS system. In this presentation, the user needs to highlight the savings and assumptions for each primary lever. The white paper shows two slides from the cost-recovery primary lever.

We believe that with this seven step process, any user is well on their way to building a business case for a Quality Management System. Please feel free to contact the author at agupta@metricstream.com if you have any questions or feedback.

About MetricStream

MetricStream allows its customers to improve supplier quality through its integrated and comprehensive quality management solution. Market leaders in industries as diverse as Automotive, High Technology, Consumer Goods, Manufacturing, Pharmaceutical and Food Services use the company's solution. Developed from the ground up using web architecture, MetricStream provides an integrated set of the following modules to drive closed loop corrective actions and manage supplier quality:

Audit Management
Inspection Management
Non-Conformance Management
CAPA
Change Control
Document Management
Training Management
Equipment Management
Cost Recovery
Supplier Scorecard
Analytics/dashboards

MetricStream is headquartered in Redwood Shores, California and can be reached at www.metricstream.com

Appendix A

The Model

1. Savings from Material and Non-material Cost Recovery


2. Savings from reduced Scrap/Inventory

3. Savings from Reduced Line Shutdown and Improved Utilization of Bottleneck-Equipment


4. Savings from reduced expediting, lower warranty and recall costs

5. Total Savings and NPV Calculations


Using a Compliance Platform to build Custom Quality and Compliance Applications

Despite the availability of off-the-shelf quality and compliance applications in the market, many organizations still choose to develop custom compliance software to support their unique business processes and reporting requirements in their environment. The cost of ownership of such custom applications is high due to long development timeframes and higher on-going maintenance costs. This paper suggests that using a compliance platform as a starting point dramatically reduces the cost of ownership of a custom-developed application. The paper also provides an important checklist if you or your organization is contemplating developing a custom quality and compliance application.

Packaged Quality and Compliance Applications

Organizations are successfully implementing enterprise-wide quality and compliance systems to gain visibility and control over key quality processes across their operations and to ensure compliance with government regulations, industry mandates, company policies and internal initiatives. If quality is not managed in a systematic, enterprise-wide manner, it can result in line shutdowns, reduced employee productivity, higher internal costs, loss of key customers, and slower revenue recognition. Not achieving compliance with government regulations can lead to penalties, fines and plant shutdowns. Gaining enterprise-level visibility into key quality and compliance metrics is critical to managing risk and implementing continuous improvement practices throughout the organization.

An enterprise-class quality and compliance system enables companies to identify, track, manage and correct issues and exceptions in key operational processes. Such systems contain the following capabilities:

Audit Management that enables organizations to create audit checklists and schedules, define qualitative or quantitative pass or fail criteria for each audit checklist component, record detailed observations, report results and ensure that the entire process can be implemented with appropriate audit controls and approvals.

Inspections that enable an organization to define product inspection criteria and sampling plans, specify qualitative and quantitative inspection criteria and acceptance levels for each attribute, collect attributes data, calculate CPKs from inspection data and compare against acceptance levels to monitor manufacturing process control or incoming part variance levels and identify non-conformance.

Adverse event reporting that enables an organization to capture and report adverse events such as workplace accidents or hazardous material spills.

Non-Conformance tracking that enables the identification and recording of material and process non-conformances, tracking of these issues across the organization and routing them for further review and approvals to determine disposition such as corrective actions.

Corrective Action/Preventive Action (CAPA) to deploy a structured process for collaboration among problem owners, coordinators and team members to identify core issues and document the actions to be taken to resolve the problem, to correct the nonconformance or to prevent the recurrence of the problem.

Change Control including updating existing SOPs (Standard Operating Procedures) or creating new SOPs; updating other documents; recalibrating equipment, (re)training employees etc. to implement the actions identified in the CAPA process. The change control process also leaves an audit trail, which is critical for regulated environments.

Training including management of training offerings, schedules and enrollment, maintaining and reporting on training records for regulatory requirements, course material routing and approval and providing feedback on instructor and course material effectiveness for closed-loop control.

Reporting and Dashboard capabilities that generate specific metrics on the performance of the closed-loop corrective action process and create reports about compliance with various regulations such as FDA or EH&S.

Document Management that serves as a central repository for all relevant documents and records with support for search and view, change-request lifecycle (check-out, update, approval cycle, notifications and check-in with version control), distribution control (set controls on the distribution of sensitive documents and generate detailed reports by document type and distribution list) and an audit trail for history tracking.

Security to ensure that unauthorized access to any record is strictly prohibited and the application implements specific capabilities such as encryption, electronic signatures etc. to support specific regulations.

Off-the-shelf quality and compliance software is increasingly being implemented by large and small companies across various industries to address regulatory compliance issues (such as 21CFR part 11 or OSHA) or customer-mandated quality processes (such as implementation of QS9000 or TS16949 by suppliers in the automotive industry) or to support internal quality initiatives (such as an implementation of ISO9000 or Six Sigma).

Why build custom quality and compliance software?

Many organizations have unique audit and corrective action processes that require collection of very specific transaction data. In addition, such processes may also have very unique workflows and reporting requirements and require integration with multiple proprietary systems for specific process data. These scenarios abound in a large, distributed organization when one is automating an audit of a service process or corrective action in a supply chain process or compliance reporting for a very specific industry regulation. It is also very common for a company that is implementing leading edge best practices to have very unique data collection and process workflow requirements.

As a result, off-the-shelf quality and compliance systems do not entirely map to such a scenario unless the application is heavily customized. Hence many organizations opt to build their own custom quality and compliance applications to support their unique data collection, process workflow and application integration requirements. In addition, some organizations may start with an off-the-shelf application and add custom modules to support a specific audit process or a unique regulatory reporting requirement.

Key components of a custom quality and compliance software

Once an organization has decided to custom build their own quality and compliance application, they would need to incorporate the following elements within their custom application.


Management of both unstructured and structured data: Quality and compliance applications are very document-intensive and require the application screens, workflows and database to support the management of both structured and unstructured data. This requirement creates additional design considerations for system auditability, security and performance.

Document Management: The custom application needs to support document access and control capabilities such as search and view, change-request lifecycle, controls on the distribution of sensitive documents and an audit trail for history tracking. Such capabilities enable creating, revising, approving, viewing, printing and archiving controlled documents such as Standard Operating Procedures (SOPs), Work Instructions, Policies and Certification documents.

Modeling quality & compliance objects: The custom application will need to model and implement various quality and compliance objects such as audits, issues, approvals, action items, checklists etc. because such objects form a key component of any Internal Audit Management, Material Inspection, Corrective or Preventive Action and Change Control applications.

Real-time Event Management Sub-system: The custom application will need to provide capability to the user to define customizable rules that trigger events and provide mechanisms for appropriate programmatic actions within the application when an event occurs. This event management capability has to be scalable, reliable, and extensible.

Electronic Signatures and other compliance requirements: If the organization is creating a custom application for an FDA regulated environment, they have to support 21CFR Part 11 requirements. These include:

Product requirements such as electronic signatures
Audit requirements such as use of a development lifecycle methodology

The custom application must support the ability to capture username, password and purpose-related data for any transaction and log that information for audit purposes. It should also provide automatic user lockout after a finite number of failed attempts.

Dashboard, Reporting & Metrics: The custom application needs to provide a library of key metrics and user configurable reports/dashboards that leverage the metrics and data to provide quick visibility into process status and performance. The custom application must also provide a reporting wizard and integrated capabilities for charts and in-context drilldowns.

Integration with external systems: The custom application needs to provide a mechanism for easy integration with other applications and cost-effective on-going maintenance of such integration over time.

Offline Access: Many activities such as audits and inspections can be done more effectively if the users had offline access to the application. The custom application must support offline access capability, if the business process requires such a capability.

Engaging casual users: One of the key factors for successful compliance with regulations is that everyone who interacts with the relevant processes should follow the defined policies and procedures. Typically these procedures and policies are encapsulated in applications that automate the process. Hence successful compliance requires 100% adoption of these applications by everyone who interacts with the process. However, this requirement also implies that even the most casual users within the enterprise and at suppliers should know how to navigate through the application and should always use it as they interact with the process, making them the weakest link in the compliance process. If the custom application enables casual users to access a relevant form without having to learn the application, then it will enjoy broader access among casual users.

Auditability: An application developed for the regulatory environment needs to provide an ability to audit any previous activity on the system. As a result, this capability consists of two separate system requirements: update transactions that do not overwrite previous records but create new records, and audit metadata that is recorded so that reports of the audit history can be easily created.
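The electronic-signature and auditability requirements above (capture username, password and purpose for every transaction, lock the user out after repeated failures, and never overwrite a previous record) can be sketched together. This is an added example, not code from the paper or from any MetricStream product; the class and field names, the three-attempt threshold and the PBKDF2 parameters are assumptions.

```python
"""Added example: e-signature capture, lockout, and a non-overwriting audit trail."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from types import MappingProxyType

MAX_FAILED_ATTEMPTS = 3      # assumed; the paper only says "a finite number"
PBKDF2_ROUNDS = 100_000      # assumed work factor for this demo


class SignatureRejected(Exception):
    """Credentials or purpose were not acceptable; nothing was written."""


class AccountLocked(Exception):
    """The account is locked out after repeated failed attempts."""


@dataclass(frozen=True)
class AuditEntry:
    """One immutable version of a record plus its signature metadata."""
    record_id: str
    version: int
    data: MappingProxyType   # read-only view of the record content
    signed_by: str
    purpose: str
    timestamp: str


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class SignedRecordStore:
    def __init__(self):
        self._users = {}      # name -> {"salt", "hash", "failed", "locked"}
        self._entries = []    # append-only: entries are never edited or removed
        self.auth_log = []    # (timestamp, username, outcome) for every attempt

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = {"salt": salt, "hash": _derive(password, salt),
                             "failed": 0, "locked": False}

    def _authenticate(self, name: str, password: str) -> None:
        user = self._users.get(name)
        if user is None:
            self.auth_log.append((_now(), name, "unknown-user"))
            raise SignatureRejected("invalid credentials")
        if user["locked"]:
            # A locked account is refused even when the password is correct.
            self.auth_log.append((_now(), name, "rejected-locked"))
            raise AccountLocked(name)
        if hmac.compare_digest(user["hash"], _derive(password, user["salt"])):
            user["failed"] = 0
            self.auth_log.append((_now(), name, "ok"))
            return
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True
            self.auth_log.append((_now(), name, "locked"))
            raise AccountLocked(name)
        self.auth_log.append((_now(), name, "bad-password"))
        raise SignatureRejected("invalid credentials")

    def sign_and_write(self, record_id, data, username, password, purpose):
        """Re-authenticate the signer, then append a new version of the record."""
        if not purpose.strip():
            raise SignatureRejected("a purpose is required for every signature")
        self._authenticate(username, password)
        version = 1 + sum(1 for e in self._entries if e.record_id == record_id)
        entry = AuditEntry(record_id, version, MappingProxyType(dict(data)),
                           username, purpose, _now())
        self._entries.append(entry)   # an update is a new row, not an overwrite
        return entry

    def history(self, record_id):
        """All versions, oldest first: the audit report for one record."""
        return [e for e in self._entries if e.record_id == record_id]

    def current(self, record_id):
        versions = self.history(record_id)
        return versions[-1] if versions else None


if __name__ == "__main__":
    store = SignedRecordStore()
    store.add_user("qa_lead", "demo-passphrase")   # constructed sample user
    store.sign_and_write("SOP-001", {"rev": "A"}, "qa_lead", "demo-passphrase", "authored")
    store.sign_and_write("SOP-001", {"rev": "B"}, "qa_lead", "demo-passphrase", "approved revision")
    for e in store.history("SOP-001"):
        print(e.version, dict(e.data), e.signed_by, e.purpose, e.timestamp)
```

In a real deployment the append-only property has to be enforced by the database (no UPDATE or DELETE rights on the audit table for the application account), not only by application code as in this sketch.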

If such capabilities were designed into a software platform specifically created for quality and compliance applications, IT organizations could reuse such objects and capabilities by building their custom application on such a platform, rather than defining, modeling and programming such capabilities from scratch in a custom application. Modeling and programming such objects can consume over 50% of the overall programming effort in an application.

Any custom application built on a compliance platform automatically gets access to all the common services defined within the platform. As a result, development of a custom quality and compliance application/module is practically reduced to defining and programming the process logic and user interface forms; the application/module leverages the platform for common services that it would otherwise have to build. We estimate that building applications on a compliance platform can save over half of the initial development effort for a custom application and over 80% of the annual maintenance resource requirements for a custom application. As a result, organizations can build functionally-rich custom applications for quality and compliance at a dramatically lower cost-of-ownership.

About MetricStream MetricStream allows its customers to improve supplier quality through its integrated and comprehensive quality and compliance management solution. Market leaders in industries as diverse as Automotive, High Technology, Consumer Goods, Manufacturing, Pharmaceutical and Food Services use the company's suite of applications. Developed from the ground up using web architecture, MetricStream provides an integrated set of the following modules to drive closed loop corrective actions and manage supplier quality

Audit Management Inspection Management Non-Conformance Management CAPA Change Control Document Management

Training Management Equipment Management Cost Recovery Supplier Scorecard Analytics/dashboards

MetricStream took a platform-centric approach to building its suite of quality and compliance applications. Instead of embedding capabilities such as document management, dashboards and analytics, electronic signatures, checklists, issue-tracking, workflow approvals, notifications, offline, event management etc. directly within its application-suite (as done by other vendors in this space), MetricStream decided to build such common quality & compliance specific services within its platform, called the MetricStream Compliance Platform. It then built its applications on top of this platform. As a result of this approach, MetricStream applications demonstrate the rich functionality, the scalable architecture and the architectural elegance expected in an enterprise-class application. The MetricStream Compliance Platform has also enabled companies to build custom quality and compliance applications at a very low cost of ownership.

Raising your Audit Score through effective Document Control

In our August 2004 issue, we discussed best practices for implementing a well-designed audit program. In this issue, let us discuss how one can most effectively raise the audit scores of your organization by building effective document control processes. Document control and document lifecycle management have become an increasingly important foundation for building and implementing a good quality and compliance system. With the growth of online manuals, standard operating procedures (SOPs), supplier contracts, electronic material safety datasheets (MSDS), OSHA safety datasheets, and plant and operator instruction manuals, most large and mid-size manufacturers are finding it difficult to enforce compliance with corporate procedures and quality standards. In many cases where such digital document repositories do exist, we find that these document repositories are not integrated with the underlying processes and quality standards of the organization. To make matters worse, as organizations look at managing large offshore supply chains, effective document control becomes even more challenging in establishing the quality baseline between all parties involved. A well implemented document control system, besides providing a document repository for global use, must enable seamless document and data control, closed-loop collaboration and process flexibility to turn organizational documents into living and breathing standards for global quality and compliance.

To put the problem in context, let us look at a specific use case scenario at a large manufacturer.

A large and diverse manufacturer selling hi-tech products has multiple plants throughout the globe, with increasingly many components and parts being sourced from specialized suppliers and outsourcers. The manufacturer has several thousand business critical documents stored in a document management system implemented just a few years back. These documents are increasing in volume and scope and are often sent around in emails to facilitate collaboration across teams and organizations. The current process for managing documents mostly involves individuals and groups working on certain documents and then filing them electronically to the common document vault for record keeping or collaborative purposes. While on the surface the document infrastructure may be adequate to keep the plants operational, the manufacturer often scores poorly on internal, customer or regulatory audits.

So where is the problem here? Why does the organization continue to have a challenge adhering to the quality standards, even though there exists a nice collaborative environment to document and follow the critical standards and procedures?

The simple but important realization which many large and medium size manufacturers have had over the last few years is that global quality management initiatives must take ownership of the global document management initiatives to ensure that quality processes and associated documentations on standard operating procedures are tightly coupled. Moving forward, document changes must lead to process changes and vice versa.

Here are some tips which we have seen work in many customer scenarios to raise quality audit scores.

Requirements for an effective Document control process

We believe that document control processes designed to improve your audit scores must achieve the following.

Provide immediate access to all of the plant and corporate documents at any level, across the extended enterprise based on appropriate roles and privileges. (Corporate, plants, distributors, suppliers etc.)

Establish a simple framework for document lifecycle management, which covers document creation, change management, management approvals, and regulatory filings, real-time as well as historical reporting.

Connect document changes with process changes and vice versa. For example, when standard operating procedures change, those changes must reflect in the process flows across the extended enterprise. On the flip side, as the processes change with business requirements, process documentation must reflect such process changes. Managing process and document flows in isolation can lead to quality and compliance failures and introduce gaps between documented objectives and process implementations.

Enable auditors to audit process and product document controls. For example, creating audit checklists based on stated procedures and documents could enable auditors to rapidly create relevant audit packages.

Ensure that changes in documented SOPs, process manuals trigger appropriate organizational training processes. Most regulations (such as FDA regulations) mandate evidence of appropriate training upon changes in the documented SOPs and procedures.

Facilitate document control in offline and email environments. As process documentations, SOPs, supplier contracts are collaboratively managed, it is critical that offline and email based document controls are implemented. In many cases, documents must be worked on by remote suppliers without requiring access to your document management environment. It is critical that all those documentation changes and approvals are captured in your system in offline environments.

Top 5 Recommendations for raising your audit scores through effective documentation

1. Look for a solution that automates the entire document lifecycle. A well-designed document control solution must facilitate complete management of document lifecycle.
   a. Enable creation, change management, approvals, filings, and storage of all documents.
   b. Ensure reuse of existing document lifecycle templates.
   c. Integrate seamlessly with existing document management infrastructure and document vaults for record keeping and storage.
   d. Facilitate role based ad-hoc work groups across the supply chain to collaborate throughout the document lifecycle.

2. Look for a mobile solution, which is practical and usable by the entire extended organization. Many document control programs fail because users find it hard to use the system while they are in the field working on the documents. Forward thinking organizations are insisting on offline and mobile document solutions so that quality and compliance organizations can manage the document lifecycle in the field and not have to re-enter their updates when they come back to their office. Re-entry of document changes is a point of error, which we recommend is best avoided. Simple questions to ask and consider:
   a. Can quality organizations collaborate on documents through email? Can emailed documents be worked on remotely and automatically synced up with the centralized document control solution?
   b. Can hand-held devices like PDAs be used to manage document lifecycle?
   c. Are there built-in real-time rules to check for approvals and document controls at the point where users are making changes to the documentation in the field?

3. Look for a document control solution with built-in process management capabilities. A well-designed document control solution must be seamlessly integrated with process management capabilities to help raise your audit scores. Changes in SOPs and documentations should trigger process changes and vice versa.
   a. Can processes described in the SOPs be implemented through process flows?
   b. Does the system provide automatic alerts when SOPs change? These changes might mean following up with changes in the process itself.
   c. Can the Standard Operating procedures and controls be modified effectively based on audit findings?

4. Look for a quality document control solution, which integrates training management programs. A well-designed document control solution must tightly integrate with training management processes:
   a. As SOPs get created, are the right members of your organizations being trained on these new SOPs?
   b. Can the feedback from end user training be incorporated to further update the SOP itself?

5. Look for a document control solution, which is readily auditable. General-purpose document control solutions work fine as document repositories. However, when it comes to building a document control solution for quality and compliance, auditability and traceability become most important. Simple questions to ask and consider:
   a. Can you get complete visibility into any and all changes to documents for audit purposes?
   b. Can your auditors drill down into any aspect of your document repository and lifecycle and ascertain process compliance?
   c. Can you trigger quality and compliance alerts on documents based on rules set forth by the internal or external auditors?

By carefully integrating document control with Quality and Compliance processes, large and mid-size manufacturers can significantly enhance their audit scores. Many organizations that viewed document control and quality control as separate initiatives in the past are now increasingly taking an integrated approach to quality and compliance, building a robust quality infrastructure on a strong foundation of document controls.

As always, I look forward to inputs and thoughts from many of you, as we keep the Compliance and Quality discussions going in our future newsletters.

Reducing New Product Introduction (NPI) time using a packaged software solution

In several industries, the total time taken to introduce a new product into the market can be the key difference between a blockbuster and a mediocre performing new product. New Product Introduction involves several collaborative processes including product design, product quality planning, identifying and qualifying vendors and plants for sourcing components, conducting first article inspection and taking corrective actions to fix issues and finally, transitioning the product into high-volume production.

Supply Chain and PLM vendors have attempted to solve this problem using a very narrow approach. However, in order to successfully reduce the NPI cycle time, companies need a software solution that supports the end-to-end NPI process.

Packaged Solution for managing the NPI process

A best-of-breed solution for managing the New Product Introduction process must include the following key capabilities:

Support for NPI capabilities within the Part Master: The enterprise must manage key NPI product data such as inspection attributes, inspection methods, skip-lot sampling plans and document attachments within its part master. Since these capabilities are not typically available within the existing ERP part master, the NPI packaged solution must provide such capabilities and integrate them with the part master of the resident ERP system.

Bid Package Management: Creating a Bid Package for vendor selection involves close collaboration between product management, engineering, quality, purchasing and internal operations. The NPI solution must provide the ability to leverage technology for enabling close cooperation between the collaborating organizations as they prepare the bid package documents, compile the bid package documents, and implement a workflow approval process before sending the package and tracking responses from vendors.

Vendor Audit & Qualification: Vendor audit is usually a key step in the acceptance process, before a component or sub-assembly from a vendor is approved for production. In most companies today, vendor audit is a manual process. The packaged NPI solution must provide an audit capability, with flexible administration, to handle questions/checklists that can vary by vendor, site and part. Not only does the configuration of checklists/questions have to be flexible but the audit responses must be configurable and quantifiable as well. The necessary reporting infrastructure to analyze this information must also be available.

First Article Inspection: Reducing NPI cycle time by automating the First Article Inspection (FAI) process is an important aspect of a packaged NPI solution. The system should allow the user to easily set up FAI checklists and then enable the inspectors to capture appropriate FAI data against the checklists during the inspection process. The results of the FAI are then reviewed by Engineering and Product Management, based on which the FAI could either be approved or rejected. Unless a FAI is approved, production parts cannot be received by the receiving dock. The FAI capability should support information capture, collaboration and the ability to identify opportunities for improving delays in NPI.

Corrective Actions: This capability takes the results of the FAI process, identifies issues, and enables root cause analysis, creation of corrective action plans and implementation of those plans. The solution must support collaboration with suppliers to ensure reduction in problem resolution cycle times.

Ongoing Inspections and Corrective Action: The system must support ongoing inspections and corrective actions during the production ramp-up process leading to new product introduction. Inspections and corrective actions ensure low PPM in the final product and provide a mechanism for continuous process improvement.

Cost Recovery: The process typically allows for complete cost recovery from suppliers during the ramp-up leading to NPI for any non-conformances once the FAI is completed. The system must provide capabilities to support the cost-recovery process and must provide mechanisms to include both the costs of components and the costs incurred by the manufacturer while adding value on that component. Most cost recovery processes are managed manually and don't incorporate non-material costs, which may be over half the total cost of processing non-conforming components from suppliers.

The following diagram illustrates the integrated Process Flows in the NPI process.

Using the MetricStream Platform and Applications for NPI cycle time reduction

MetricStream, a market leader in quality and compliance software, provides key capabilities to manage a New Product Introduction process. These capabilities include:

Audit Management First Article Inspection Corrective Action Change Management Cost Recovery Document Management Analytics Process Dashboard

In addition, its platform for Quality and Compliance Management includes capabilities such as Event Management, Notification and Escalation Management and Workflow Management, which can be used to customize existing applications or rapidly develop specific capabilities that integrate with existing modules listed above.

Summary

Reduction in NPI cycle times has become an important focus area for most companies. They are increasingly implementing packaged NPI solutions. Such solutions include Bid Package Management, Vendor Qualification and Audit, First Article Inspection (FAI), Non-Conformance tracking, Corrective Action Request Management, Ongoing inspections, Cost Recovery and Process Performance Dashboards.

MetricStream Compliance Insights Series


New User Access Requirements for 100% Compliance

As companies implement enterprise-wide quality and compliance systems to support their 21CFR Part 11, Sarbanes-Oxley or ISO9000 initiatives, they are forced to address the following critical issues:

How do you ensure that every person who interacts with a regulatory process, including the most casual user, always uses the software that automates the regulatory process, instead of informal mechanisms, to get the job done?

How do you make the compliance software easily accessible to road warriors such as auditors and inspectors even when they are offline, so they don't have to record the quality and compliance information manually and later transfer it into the compliance software, a key source of user errors leading to failure to comply with the regulation or mandate?

The solution to these issues lies in leveraging the latest but proven technologies to provide new ways for the user to access the application. By removing any barriers to easy access and use, companies can ensure 100% adoption of the application. This paper addresses how the next generations of compliance systems are addressing these key issues.

Engaging casual users

One of the key requirements for successful compliance with regulations is that everyone who interacts with the relevant processes should follow the defined policies and procedures. Typically these procedures and policies are encapsulated in applications that automate the process. Hence successful compliance requires 100% adoption of these applications by everyone who interacts with the process. However this requirement also implies that even the most casual users within the enterprise and at suppliers should know how to navigate through the application and be familiar with its functionality in order to use it as they interact with the process. As a result, such casual users become the weakest link in the compliance process.

Let us take the example of an environment where the process engineer approves any change to the operating instruction of complex manufacturing equipment before it is put into production. The process engineer uses the quality management system to approve such a change. He is trained on using the system and always needs to use the system to approve the change, so there is an audit trail of his approval (under the 21CFR Part 11 requirements). However, in this scenario he wants to request his senior product manager to review a specific change before it is approved to go into production, since the change may affect the surface tension of the product. Even though the product manager is asked to review such documents for approval very infrequently, she should use the quality management system to approve the change, rather than sending the approval via email, since her approval needs to be recorded into the system from a regulatory compliance perspective. As a result of this requirement, she is expected to know how to navigate the quality management system that she uses very infrequently. Such a requirement is challenging to impose on a casual user. What if the product engineer from the equipment vendor also needed to approve the instruction, since it related to a new feature recently introduced in the product? It would be extremely difficult to expect a product engineer from a vendor to know how to navigate a customer's quality management system. These examples indicate that enterprise-wide compliance software must enable a casual user to easily transact on the system without any knowledge of the navigation or the functionality.

An ability to capture approvals and explanations from even the most casual users is also very critical in key financial processes within a company. An example scenario may require a confirmation and explanation to be obtained from a controller in a foreign subsidiary for reporting a certain set of numbers in a revenue recognition account. In addition, this information needs to be recorded in a system to ensure compliance with the Sarbanes-Oxley regulations. As is the case at many Fortune 500 companies, the subsidiary is using a packaged financial system that is different from the corporate financials system. Hence the controller of the foreign subsidiary is not at all familiar with the corporate financials system and chooses to send confirmations and explanations via company email or fax. Such key approval documents get buried under an avalanche of emails/paperwork and cannot be easily discovered later by auditors or regulators.

A best-in-class quality and compliance management system addresses this issue by delivering relevant application forms through email to the casual users. The email is sent by the quality management application to these casual users with forms embedded inside the email to collect the required data. When the user receives the email from the application, (s)he opens the email, enters the relevant information in the form and hits send. The application processes the email as if the information inside the email form had been entered on an online form by the user. Hence the casual user can work within the familiar email system without needing to learn to navigate and use the application. Such an application capability allows companies to ensure adoption of their quality and compliance application by all relevant users.

Providing offline access

Internal auditors, who are very mobile and typically work offsite, today use spreadsheets and printed reports to collect audit data at the site and then manually enter that data into their auditing application when they are back at their office. Since auditors typically work in teams and the audit team leader needs to review all the data collected by team members, paper-based (or spreadsheet-based) data collection techniques become very cumbersome in environments where checklists are large and timelines are tight. In addition, such a process leaves a lot of room for errors; a system responsible for managing a regulatory environment cannot afford to introduce errors into the system.

For example, when a team of internal auditors visits a key supplier, they may spend 2-5 days auditing the various design, engineering, manufacturing, shipping, quality and accounts payable processes of their suppliers. Most of the time during the day is spent collecting the data from interviews and observations, analyzing the data against the expected process flow to identify gaps, and recording those issues. Asking the auditors to record the results on paper or on a spreadsheet and then manually type them into the system when they are back at their home office creates an opportunity to introduce errors in the system. In addition, when the team leader wants to review the analysis and findings of the team members, he/she would have to manually review their notes.

The offline capability within the application enables audit teams to take their audit checklists offline on their laptops, easily share collected data among team members, and then synchronize the checklists with collected data back into the online quality and compliance system when they are back in the office. The synchronization happens automatically in the background and should ensure that the data recorded during offline access is safely updated into the system. All the forms in the off-line system should look exactly like the online web screens, so there is no additional training needed. In addition, by keeping the user interaction with the software the same for off-line and on-line environments, the system usage and adoption is ensured, a key requirement for compliance.

Summary

The next generation of enterprise-wide quality and compliance applications leverages the latest technology to provide offline access and email-based application access capabilities. As a result of these two new access capabilities, organizations can ensure across-the-board use of the quality and compliance applications, rather than use of informal mechanisms to interact with the business processes that are regulated.

Smart Investment Strategies for a Compliance Platform: A Ten Step Guide

Government regulations and mandates are on the rise. Most corporate compliance offices are challenged to find compliance solutions that can scale across corporate compliance offices and also manage regulatory and compliance initiatives within respective operational and departmental areas. This article highlights the importance of selecting the right compliance platform, which can scale across different regulations (federal and state regulations, 21CFR Part 11, Sarbanes-Oxley, OSHA, internal governance initiatives etc.) while serving users across the enterprise. Most corporations have diverse systems and processes, and the challenge is always in monitoring and reporting compliance events and trends across the enterprise.

A well-designed compliance management platform has abilities to perform the following key functions across the enterprise:

1. Compliance Dashboard: The compliance platform must provide a single enterprise-wide dashboard for all users to track and trend compliance events. All compliance events should be easily viewed interactively through the enterprise compliance dashboard. External auditors, internal auditors, compliance officers can use the dashboards to make decisions on the compliance status of the organization.

2. Policy and Procedure Management: A well-designed document management system forms the basis of managing the entire lifecycle of policies and procedures within an enterprise. Ensuring that these policies and procedures are in agreement with the ever-changing rules and regulations is a critical requirement. The creation, review, approval and release process of the policy documents and SOPs (Standard Operating Procedures) should be driven by collaborative tools that provide core document management functionality. The ideal solution typically provides for both sequential processes to review and approve documents and parallel "ad-hoc" review processes enabling a wide range of participation and input to the review cycle. For such purposes, a well-designed document management system with a tightly integrated email collaboration capability becomes a critical necessity to enable both sequential and parallel review processes across a wide range of participants. Compliance solutions which do not enable appropriate email collaboration, and merely focus on document management, often are not effective in ensuring that their policies and procedures are globally in sync with the rapidly evolving rules and regulations.

3. Event Management: The compliance management system must have the ability to capture and track events, cases and incidents across the extended enterprise. Compliance officers, call center personnel, IT departments, QA personnel and the ethics hotline should be able to log any adverse events across the enterprise, upon which the necessary corrective and preventive actions (CAPA) are initiated. Creating a single system of record for all compliance events across regulations provides the opportunity for offering an integrated compliance dashboard. Enterprises which are investing in "point" solutions for each regulation often miss out on the efficiency gains of creating a single system of record for compliance, be it for Sarbanes-Oxley compliance, FDA compliance, or internal quality or governance initiatives.

4. Rules and Regulations: A well-designed compliance management solution must offer capabilities for an organization to stay continuously in sync with changing rules and regulations. As soon as there are regulatory changes, appropriate entities, policies and SOP owners should be notified proactively through "email based" collaboration. This process critically enables the organization to dynamically change their policies and procedures in adherence to the rules and regulations. While tracking a single regulation may be manually feasible, it becomes an error-prone task to track all local, state, and federal regulations across the globe for Sarbanes-Oxley, FDA, JCAHO, ISO, EPA, OSHA, Patriot Act. A well-designed compliance management system offers up-to-date regulatory alerts across the enterprise.

5. Audit Management: Audits have now become part of the enterprise core infrastructure. Internal audits, financial audits, external audits and vendor audits must be facilitated through a real-time system. Audits are no longer a "once-a-quarter" activity; in many instances, FDA/SEC audits are initiated without notice, and corporations must be prepared to offer appropriate audit capabilities. Appropriate evidence of internal audits becomes critical in defending compliance with regulations.

6. Quality Management: Most organizations have internal operational, plant-level or departmental quality initiatives to industry mandates like Six-sigma or ISO 9000. A well-designed compliance management program incorporates and supports ongoing quality initiatives. Most quality practitioners would agree that quality and compliance are two sides of the same coin. Therefore, ensuring that your compliance management solution offers support for your enterprise-wide quality initiative is critical.

7. Training Management: Most compliance programs require evidence of employee training. Regulations like FDA 21CFR Part 11 or the SEC Sarbanes-Oxley Act mandate employee training upon evidence of nonconforming events. Lack of documented training can lead to fines and penalties. Often the compliance office has to work closely with the HR organization to facilitate such employee training initiatives. Well-designed compliance programs require a well-integrated approach to e-learning and training management.

8. Compliance Task Management: Compliance organizations must plan, manage and report status of all compliance related activities from a centralized solution. Automated updates from the various compliance modules should provide for up-to-the-minute status reporting that could be viewed by the board of trustees, corporate compliance officer, entity compliance coordinators, quality offices and others as designated.

9. Financial Sarbanes-Oxley Compliance: The Sarbanes-Oxley Act of 2002 has become a critical compliance initiative in most CFO offices. A well-designed compliance solution must address the needs of the financial office and provide support for the COSO, COBIT and Enterprise Risk Management (ERM) frameworks of compliance. Enhancing the quality of financial reporting for publicly traded companies is critical for creating shareholder confidence as well as ensuring compliance with the Securities and Exchange Commission. SOX compliance must address the following compliance phases:

Design: Design of compliance environment, control hierarchies, and segregation of duties
Assessment: Assessment of control executions, process-flows, effectiveness
Improve: Improvement through remediation plans, corrective action plans and business user collaboration.
Monitor: Monitor design status, SOX quarterly and monthly trends, assessment and improvement status, SOX views by business units or geographies.

10. Configurable Platform: Last but not least, it is critical to build your compliance solution on a scalable and configurable platform, one which can adapt and change to the regulatory environments, today and in the future. Compliance workflows, tasks, audit processes, financial reporting standards and quality management techniques all change with time. Your chosen platform must enable you to rapidly adapt to the changes without intensive re-programming of your systems. Many compliance application vendors attempt to package their application as a platform, yet discerning buyers look closely at the true power and capabilities of the configurable platform.

Forward thinking corporations that are following this ten step guide to compliance standards are achieving compliance more productively; in fact, they are leveraging the compliance requirements into building a higher quality organization with greater corporate performance.


How to give a Quality Score to your Supplier

A supplier quality score provides a real-time and objective analysis of the quality performance of a supplier. The score empowers an organization to manage its supply base more effectively by enabling it to:

- Identify continuous improvement and cost savings opportunities
- Promote and encourage improved communication on performance issues
- Provide objective data for use in supplier management and sourcing decisions
- Recognize and promote exceptional supplier performance in quality

A supplier scorecard contains categories or main groupings of metrics by which suppliers are measured. These categories include quality, delivery, cost, and responsiveness. An aggregated score for each category is calculated first, giving a company visibility into the quality score, delivery score, etc. Each category has an assigned weighting, which is then rolled into the overall supplier score within the scorecard. The score of the quality category (quality score) typically carries 40% to 60% of the overall supplier score weighting factor in most organizations. Hence quality management systems (QMS) drive the overall supplier scorecard in such organizations. This paper first describes how some of the leading manufacturers calculate their quality score and then gives a checklist to ensure that your quality management system (QMS) can drive an accurate and quick calculation of the quality score.

The following chart identifies key metrics in each of the categories.

Figure 1: Various Metrics in Supplier Scorecard


Supplier Quality Score

The Supplier Quality Score is an aggregate rating of the various quality-related performance metrics for the supplier. Scores for various quality metrics are multiplied by their weighting and the summation provides the overall quality score for the supplier. The following examples show how two leading manufacturers calculate the overall quality score for their suppliers.

Example 1: A Business Unit of a Fortune 500 Medical Device Manufacturer:

Supplier quality score is a simple metric that is a result of three key measurements:

- Lot Acceptance Rate (LAR)
- Supplier Corrective Action Requests (SCAR)
- Past Due SCARs

LAR is the percentage of lots shipped by the supplier and accepted by the organization within the given fiscal month. Each SCAR issued results in a 2 basis point deduction from the LAR for the fiscal month in which it was issued. If there is no response to a SCAR within 20 business days, then it is past due. A Past Due SCAR results in 3 basis points deducted from the LAR for each fiscal month in which it was overdue. The Quality Score is calculated from the three measurements described above using the following calculation:

Quality Score = LAR - (# of SCARs * 2 basis points) - (# Past Due SCARs * 3 basis points)

An "approved" supplier must consistently maintain both quality and delivery scores of 90% or greater. When either score falls below 90% for an extended period of time, the status of the supplier may be downgraded to "conditional", which means that future business may be dependent upon the successful completion of a written CAPA (Corrective and Preventative Action Plan) to eliminate the root cause of the quality or delivery problem. If the score of a "conditionally approved" supplier falls below 70% for an extended period of time, the supplier may be downgraded to "disapproved". The organization will not purchase from disapproved suppliers.


Example 2: A Fortune 500 Automotive Supplier:

What to look for in a QMS

A Quality Management System (QMS) enables a manufacturer to deploy supplier quality scores and use them as a basis to categorize its suppliers, as a part of its overall supplier strategy. While evaluating a QMS, you should look for the following four key capabilities within the system:

- Ability to configure the quality scorecard: The manufacturer should be able to easily configure the scorecard capability within the QMS to add their own metrics with their own calculations and apply their own threshold criteria for each metric (to show green/yellow/red status for each metric) without having to modify their QMS system.
- Ability to see charts and details: The manufacturer should be able to configure the supplier scorecard capability within the QMS to easily see trend charts for a metric, as well as be able to drill down into the details to better diagnose the issue without having to modify their QMS system.
- Ability to easily import information from other systems: The manufacturer should be able to easily import relevant information from various homegrown systems with no hardcode programming into the QMS scorecard module. This enables the manufacturer to quickly create scorecards and easily update them when the source systems change, at a very low cost of ownership.
- Ability to calculate quality score: The manufacturer must be able to apply their own model to calculate their overall quality score without having to write custom software code within the QMS system. This is very important, since the calculations and weightings evolve over time and the manufacturer should not have to bear the cost of developing, testing and validating such changes to the QMS software on an ongoing basis.

Supplier quality scores, when implemented correctly, provide a very compelling tool for a manufacturer to automatically and continuously measure the performance of its supply base and to proactively work with suppliers to improve their capabilities. Without the right QMS product, these scores are created manually on spreadsheets in many corporate quality organizations, a very manually intensive and error-prone process.

About MetricStream

MetricStream allows its customers to improve supplier quality through its integrated and comprehensive quality management solution. Market leaders in industries as diverse as Automotive, High Technology, Consumer Goods, Manufacturing, Pharmaceutical and Food Services use the company's solution. Developed from the ground up using web architecture, MetricStream provides an integrated set of the following modules to drive closed loop corrective actions and manage supplier quality:

- Audit Management
- Inspection Management
- Non-Conformance Management
- CAPA
- Change Control
- Document Management
- Training Management
- Equipment Management
- Cost Recovery
- Supplier Quality Scorecard
- Analytics/dashboards


Can't get budget approval for your Quality Management System?

Many quality directors have difficulty in getting capital budget approvals to acquire a badly needed Quality Management System (QMS). The reason in most situations is that their justification approaches the system benefits from a bottom-up operational perspective: the new system will provide a mechanism to achieve key quality objectives such as issue tracking, developing and implementing corrective actions and reporting on the key process improvement metrics.

While meeting these requirements enables an organization to standardize and automate its approach to quality improvement, it does not bring to light the key quality-related issues that senior management worries about. Such topics include:

- Getting access to scorecards and dashboards to get unprecedented visibility into supplier quality to improve strategic supplier management
- Implementing a mechanism for measuring, monitoring and reducing cost of poor quality and cost of compliance on an ongoing basis
- Gaining a framework to manage enterprise risk from poor quality & compliance


A justification for a QMS must explain how the system will address three key issues: bottom-up operational management, top-down risk and cost management, and financial ROI. The following is a list of topics that a QMS request-for-budget document should clearly address:

Bottom Up: How will the system enable the company to automate its key quality improvement processes, including:

- Audits
- Inspections
- Issue tracking
- Corrective actions
- Supplier cost recovery
- Document control
- Reporting

Top Down: How will the system enable the company to implement the following:

- Supplier Scorecards and key metrics covered
- Measuring Cost of Poor Quality: Metrics, calculations and trends
- Operational Scorecards: Metrics and trends. (Tracking key quality metrics that our customers or regulatory agency measure us by, so this exposes any potential future problems and enables management to proactively address these issues to reduce risk. For example, if a manufacturer wants to manage their customer risk, the risk scorecard will allow them to track PPM scores from customer, customer CARs and their response/resolution time etc.)

Financial Justification: What is the financial return from the system:

- Total annual savings and NPV from quality system
  - Total cost recovery savings and NPV
  - Total savings and NPV from reduced scrap
  - Total savings and NPV from reduced rework
  - Total savings and NPV from reduced MRB inventory
  - Total savings and NPV from reduced line shutdowns
  - Total savings and NPV from improved equipment utilization
  - Total savings and NPV from less expedited freight
  - Total savings and NPV from reduced warranty, recall & returns
  - Total savings and NPV from reduced inspections
- Total cost of the system (HW, SW, implementation, additional headcount to manage the system, annual maintenance etc.)
- Average Return in # of months

A well framed 'request for budget' that addresses bottom-up operational needs and top-down management requirements, along with well quantified financial justification will go a long way in satisfying all relevant stakeholders to approve the funding for a Quality Management System.


Paper-based quality system is more costly than you think

Paper-based quality management systems are fairly common in mid-sized organizations. While such systems can successfully manage product and process quality, they significantly increase the risk of cGMP noncompliance at FDA-regulated organizations. They also impede a manufacturer's ability to implement continuous improvement initiatives. Such paper-based systems also become a bottleneck for companies experiencing fast growth. This paper articulates various issues with paper-based quality management systems based on research with quality management executives at mid-sized companies.

Document Control: In a regulatory environment (or an ISO9000 environment), document control is a fact of life. Any changes to an SOP need to go through a strict change-control process. In a paper-based environment, there is little visibility into the status of documents in the review cycle. Quality managers often have to walk from desk to desk to identify where a document is 'stuck' in the review cycle. As a result, the review cycles can be long and unpredictable. Manual document control procedures can also be more error-prone. Such issues may at times unknowingly compromise an organization's ability to comply with cGMP regulations. They also make it difficult to implement continuous improvement initiatives in a timely and predictable manner in an ISO9000 environment.

CAPA management: In a paper-based system, lack of a reliable closed loop control makes it difficult to ensure that the corrective actions were successfully implemented. As a result, cGMP compliance can be unknowingly compromised. Without clear visibility into the status of planned process changes, it is difficult for quality managers to implement continuous improvement initiatives in an ISO9000 environment.

Preventive Actions: Manufacturing organizations want to trend quality-related problems, proactively identify potential issues and take preventive actions to address such issues before they surface. Preventive actions can significantly reduce cost of poor quality in a manufacturing organization and can prevent potential problems that can cause cGMP non-compliance. However, quality managers in a paper-based environment cannot easily trend problems. Hence they cannot deploy such an important quality management technique on a large scale.

Metrics: The prevailing wisdom says what you can't measure, you can't improve. Paper-based systems make it very difficult for companies to collect and review key operating metrics in a timely manner. Our research with quality executives leads us to believe that in a paper-based environment, metrics are usually compiled with a huge manual effort (over 15% of a quality engineer's time) and distributed on a fortnightly or monthly basis with little drill-down capability for detailed causal analysis. Lack of metrics impedes their ability to react to quality-related issues in a timely manner, leading to high cost of poor quality and high cost of compliance.

Cost of a paper environment: While paper-based systems may seem to cost less on the surface, there is a huge amount of hidden cost due to the enormous amount of time the organization spends to ensure document control, to chase down bottlenecks in document review and to ensure corrective actions were implemented in a timely manner. From our research, a quality engineer typically spends over 35% of their time on such activities - time that could be spent on higher value added activities for the organization. In addition, the lack of ability to identify preventive actions on a large scale, the inability to ensure all corrective actions are always implemented and poor visibility into quality-based metrics affect their ability to significantly reduce cost of poor quality or cost of compliance. As a result, the hidden cost of a paper-based quality system is very high.

An automated quality management system provides an organization with the tools to streamline the end-to-end quality management process. With automated change control, the quality managers have visibility into the status of any change request at the click of a mouse - who has reviewed the revised document, who is sitting on the approval request and needs to be prodded and who else needs to review it. As a result, review cycle time can drop by as much as 50% after the process is automated. Once approved, the new version automatically replaces the existing version of the document, making change control a very smooth process. The out-of-spec problems, non-conformance issues and corrective actions are tracked automatically by the system. Users have 100% visibility into non-conformance issues that have not been resolved or corrective actions that are waiting to be implemented. An ability to look at all corrective actions for a process or a product in aggregate gives quality engineers an ability to trend and proactively identify potential issues and design preventive actions to address such issues before they surface. Dashboards and scorecards with up-to-the-minute metrics with detailed drilldowns are available to key stakeholders. As a result, the overall cost of poor quality and cost of compliance is reduced. Risk of non-compliance (and potential liabilities associated with it) is minimized.


Role of a Quality Management System in Six Sigma Deployments

Six Sigma is a disciplined, data-driven approach to improving product and process quality. Ever since Jack Welch labeled Six Sigma as one of the most strategic initiatives undertaken by GE, it has seen its adoption increase dramatically across the world. Enterprise quality management systems play a key role in the Six Sigma deployments. This paper explains the role of such a system in the implementation of Six Sigma to improve the order-to-delivery process at a manufacturing site.

Six Sigma Overview

The quality of a process is measured by its ability to consistently deliver products or services within the specification limits. While a company can deliver a good quality product made using an inefficient process, it comes at a very high cost. An inefficient process will generate an unacceptably high number of defects and produce them with a level of variation that hinders the ability to predict process performance. The following chart shows the defects per million and cost of poor quality at various sigma levels.

If a process is operating at Six Sigma, its variability is extremely low at 3.4 defects per million. At Six Sigma, the company has a significant competitive advantage in delivering very high levels of quality (nearly zero defects) at dramatically lower costs.

The methodology for achieving Six Sigma is known by the acronym DMAIC, which stands for five interconnected phases - Define, Measure, Analyze, Improve, and Control. DMAIC refers to a data-driven approach for improving processes using the Six Sigma Quality Initiative. In this paper a manufacturer applies the Six Sigma methodology to improve the on-time delivery process. The details behind the various phases in the Six Sigma implementation in this scenario include:

Define: In this phase the Six Sigma team develops a clear definition of the process sponsor expectations and issues, as well as the scope of the overall project. This phase requires the team to perform the following:

- Define the process to be improved by mapping the process flow in detail
- Capture clearly the expectations of the process sponsor
- Define project boundaries - the stop and start of the process

Measure: This phase requires the Six Sigma team to capture the key issues associated with order-to-delivery process data, as well as, key order-to-delivery metrics. The team uses the audit management capabilities in their quality management system to audit the order-to-delivery process to better understand key issues. The metrics are collected from various systems that touch the order-to-delivery process. The metrics form the baseline for the process performance and help focus on key issues. The baseline metrics also enable the team to quantify the improvements made to the order-to-delivery process at the end of the DMAIC phases. The key steps in the phase include:

- Develop a data collection plan for the order-to-delivery process
- Collect data from many sources (systems and audits) to determine issues and core process metrics

Figure 1: Audit feature of the quality system allows the team to identify key expectations and issues

Analyze: This phase requires the Six Sigma team to analyze the data collected to determine the root causes of issues and identify opportunities for improvement. Key steps in this phase include:

- Identify gaps between the current order-to-delivery metrics and goals
- Perform root cause analysis
- Identify corrective actions (CAPA) using technology and discipline
- Prioritize opportunities to improve

Improve: In this phase, the Six Sigma team implements the improvements to fix the problems and prevent them from occurring in the future. The Six Sigma team uses the quality management system to closely track the open corrective actions and to ensure that they are successfully implemented. The team also uses the quality management system for document change control to ensure the new operating procedures and other documents are in use. The steps in this phase include:

- Develop and deploy implementation plan
- Institutionalize the improvements through the modification of processes and structures (staffing, training, incentives)
- Implement document change control to ensure process changes are followed
- Track and ensure closure of CAPA items
- Monitor corrective action effectiveness with real-time performance data and analysis

Figure 2: Use CAPA tracking to ensure that corrective actions/solutions are successfully implemented

Control: In this phase, the Six Sigma team ensures that there are controls in place to keep the improved process on the new course. The quality management system allows the team to audit the order-to-delivery process to ensure the improvements have taken hold to prevent the process from reverting back to the "old way". The key steps in this phase include:

- Require the development, documentation and implementation of an ongoing monitoring plan
- Monitor order-to-delivery metrics and perform process audits to ensure improvements are here to stay

Using DMAIC, supported by an enterprise-wide quality management system, a company can streamline its order-to-delivery process and reap its rich rewards.
