Quality Management in the Automotive Industry

Product Compliance
Volume 1:
Product Compliance System

1st edition, May 2023


Online download document

Verband der Automobilindustrie e. V. (VDA)
ISSN 0943-9412

Copyright 2023 by
Verband der Automobilindustrie e.V. (VDA)
Qualitäts Management Center (QMC)
Behrenstraße 35, 10117 Berlin

Layout and printing:
Druck- und Verlagshaus Zarbock GmbH & Co. KG
Sontraer Straße 6, 60386 Frankfurt am Main

Non-binding VDA recommendation
The Association of the German Automotive Industry (VDA) recommends
that its members apply the following standard in order to implement and
maintain product compliance activities. The concrete implementation
and realization can vary depending on the company-internal
organization and structure.
Exclusion of liability
VDA volumes are recommendations available for general use. Anyone
who implements them is responsible for ensuring that they are used
correctly in each case.
This VDA volume takes into account the technical procedures current at
the time of issue. Implementation of VDA recommendations relieves no
one of responsibility for their own actions. In this respect, everyone acts
at their own risk.
The VDA and those involved in VDA recommendations shall bear no
liability.
If during the use of VDA recommendations, errors or the possibility of
misinterpretation are found, it is requested that the VDA be notified
immediately so that any possible inaccuracies can be corrected or
improvements can be made.
Copyright
This publication is protected by copyright. Any use outside of the strict
limits of copyright law is not permissible without the consent of the VDA
and is liable to prosecution. This applies in particular to copying,
translation, microfilming and storage or processing in electronic
systems.
Translations
This publication will also be issued in other languages. The current
status must be requested from VDA QMC.
Definitions and glossary
A glossary of defined terms is provided at the end of the text. Defined
terms are printed in italics in this volume.

Table of contents
1 Introduction/objectives 6

2 Fundamentals 8
2.1 Situating the PCS within the corporate governance structure 8
2.2 Scope of the Product Compliance System 10
2.3 Binding obligations 10
2.4 Interplay with VDA Volume Product Integrity 11
2.5 Relationship with other management systems 12

3 Elements of the Product Compliance System (PCS) 13
3.1 Culture 13
3.2 Objectives 15
3.3 Risks 16
3.4 Program 17
3.5 Organization 21
3.6 Communication and training 22
3.7 Monitoring/improvement/reporting 24

4 Guiding questions 26
4.1 Culture 26
4.2 Objectives 26
4.3 Risks 27
4.4 Program 28
4.5 Organization 30
4.6 Communication and training 30
4.7 Monitoring/improvement/reporting 31

5 Glossary 33

1 Introduction/objectives
The common objective of the VDA member companies is to
continuously ensure the conformity of their products in a global market
in order to protect people and the environment as well as to prevent
risks. Conformity must be ensured with regard to so-called binding
obligations, i.e. all applicable statutory obligations as well as obligations
that companies assume voluntarily.

Products are becoming more and more complex, there is a growing
number of statutory and regulatory requirements, and
interdependencies in supply chains are increasing.

In order to meet these requirements, companies need elements helping
them to identify, monitor, control and minimize product-related risks. A
product compliance system (in the following abbreviated as “PCS”) can
be used for exactly this purpose. The goal of a PCS is to allow a
company to detect and minimize potential risks at an early stage. The
concrete realization of the PCS may vary depending on the size of the
company and ultimately falls within the individual company’s scope of
responsibility. Some of the terminology used in the present volume
varies in the industry, e.g. the term “technical compliance” is also
sometimes used.

The PCS is based on the so-called Three Lines Model and is a function
of the so-called second line.

This volume presents the fundamental elements of a PCS and is
designed to help with the concrete implementation by means of guiding
questions and practical examples. It provides a recommendation
regarding the implementation and operation of a PCS, thus enabling
and facilitating the communication and fulfillment of product binding
obligations for and across the supply chain. This increases security as
well as efficiency in all companies along the supply and value chain.

The regulations presented in this volume do not have any bearing on
quality assurance systems (such as DIN/EN ISO 9001 or IATF 16949).
In particular, they do not serve to interpret or evaluate quality assurance
or QM systems either.

2 Fundamentals
Product compliance means that a company must fulfill all of its binding
obligations. The latter include statutory and regulatory requirements that
are relevant to a company’s products, as well as further, self-imposed
product requirements (e.g. arising from internal regulations). Product
compliance processes defined within a PCS provide the framework for
systematic measures and activities designed to reduce the risk of non-
fulfillment of these binding obligations across the entire product life
cycle.

2.1 Situating the PCS within the corporate governance structure
The bodies/entities bearing operational responsibility, thus the
implementing departments as the so-called first line, are regularly
responsible for the fulfillment of binding obligations. In the automotive
industry, the core processes to ensure product conformity and product
security have been integrated into the so-called first line processes for a
long time and have been described in (standardized) process
specifications. In this regard, the responsibilities are clearly defined.
Within the scope of the so-called legality control obligation, the
responsible governing bodies under company law are responsible for
ensuring that the company operates in conformity with the rules. In
practice, the introduction of compliance management systems (as an
umbrella term) has become generally accepted. To safeguard against
risk scenarios in the area of product compliance, the responsible
governing body can delegate the organization and implementation of
individual measures to a compliance function (a person or a panel) to
reduce compliance risks and to prevent compliance breaches.
In the following, the product compliance function is described in
organizational terms within the framework of the so-called Three Lines
Model [1], and is considered to be a second line function. The product
compliance function thus has a governance role, monitors first line
processes, offers the implementing departments support and expertise,
and can complete tasks in risk-relevant areas.
The so-called third line constitutes an entity that is external to and
independent from the PCS organization, and that conducts audits within
the company, such as the internal review.

[Figure 1: Three Lines Model based on the IIA. The figure shows the
governing bodies (management of the company in compliance with the
law; legality and legality control obligation) above three columns: first
line (implementing departments: providing products/services for
customers, managing risks, tasks in risk-relevant matters, fulfilling the
relevant binding obligations), second line (governance function:
specifications and monitoring, advice, expertise and support in all
questions related to achieving objectives) and third line (internal audit:
independent and objective review).]

[1] Based on the “Three Lines Model” of the IIA, Institute of Internal Auditors, 2020

2.2 Scope of the PCS
The required scope of the product compliance system is based on the
company’s product range and is considered across the entire product
life cycle. The company must specify, define and document the exact
composition of the products considered in the PCS.
Thus, the concrete aspects to be considered as part of the binding
obligations described below are derived from the scope of products.
The focal points of the company’s own PCS must be specified based on
the risks and should be communicated along the supply chain.
Communication within the supply chain must take place in compliance
with antitrust provisions. In particular, this means that price-determining
factors, concrete prices and conditions must not be disclosed to third
parties that are not part of the concrete supply relationship. Discussions
related to the quality characteristics of products as well as the disclosure
of PCS requirements for suppliers are prohibited.

2.3 Binding obligations
The binding obligations can be subdivided into the following clusters,
which are derived from the product-related requirements of the relevant
sales markets. The relevant concrete obligations must already be
determined, evaluated and fulfilled on the operative level within the
company. This is additionally ensured by means of a PCS as the
second line.
Binding obligations include:
• statutory and regulatory requirements
(e.g. emission laws, laws pertaining to product safety
and product liability)
In addition, to interpret these obligations and to determine the relevant
state of scientific knowledge and technology,
• technical and external standards
(e.g. relevant DIN/ISO standards, recommendations
from associations such as VDA volumes, etc.)
• company-internal (technical) standards
(e.g. process, inspection and quality requirements)
which reflect statutory and self-imposed requirements are also taken
into account.
Furthermore, the scope of a PCS can also include ensuring that actual
product characteristics correspond to
• self-commitments communicated externally by the company and
• external (advertising) statements and thus customer expectations.

2.4 Interplay with VDA Volume Product Integrity
At the operative level, placing a legally compliant product on the market
requires meeting quality assurance requirements in order to establish
product integrity, which is composed of product conformity and product
safety (see VDA volume titled “Product Integrity”).
The VDA volume titled “Product Integrity” addresses the necessary
structures to implement risk management and to ensure product
conformity as well as product safety, primarily at the first line level within
the scope of providing customers with the products.
The implementation and management of a PCS constitutes a second
line governance task within the sense of a control and monitoring
obligation, including the implementation of preventive measures,
delegated by the responsible governing body. A PCS equally serves to
ensure product conformity as well as product safety, and thus comprises
product integrity as per the previous definition in the VDA volume. In
addition to that, however, further binding obligations and related risks
are addressed, such as the prevention of misleading product
statements. The PCS thus has a broader scope.
In the following, this volume addresses the tasks of the governance
function of product compliance as well as their interfaces. For the sake
of a holistic view of the binding obligations, the terms product
compliance and product compliance system (PCS) are used exclusively.

2.5 Relationship with other management systems
The PCS can build on existing structures within the company, such as
an already established quality management or compliance management
system and their respective elements. In particular, interfaces to the
following processes and systems should be created and used: Risk
management, quality management, process management, legal and
compliance management.

3 Elements of the Product Compliance System (PCS)
In the following subsections, the seven elements that every PCS,
regardless of the concrete implementation in a company, should
contain are described in detail.

3.1 Culture
The effectiveness of a PCS is significantly influenced by the existing
corporate culture.
It is therefore essential to strengthen corporate values which contribute
to the fulfillment of statutory and regulatory product requirements.
Managers should convey guiding principles and expectations clearly
and regularly using a “tone from the top” approach, in particular by
means of communicative measures. In addition, these principles should
also be reflected in the leadership practices.
Mindsets and values which affect product compliance should ideally be
embedded in the corporate culture. Especially when conflicts of
objectives emerge (deadlines, costs, quality), it is vital to foster a
corporate culture that encourages employees to voice concerns
regarding product compliance issues, and to address these concerns.
For example, if there is an existing code of conduct within the company
or if there are other relevant conduct guidelines, these can be referred
to explicitly in the PCS.
Fostering a value-based corporate culture and relevant guiding
principles that positively influence product compliance should be part of
the PCS training and communication concept. If training requirements or
a need for change are identified, a training module or a change concept
can be developed.
An easily comprehensible code of conduct as well as a clearly
communicated and shared corporate culture guide and influence the
work and decision-making practices of all employees. The conduct and
concrete behavior at the top management level should receive particular
attention in this regard.
Within the framework of the PCS, requirements regarding a suitable
corporate culture in relation to product compliance include, in particular:

• The top managers must unambiguously communicate that the
binding obligations (see above) must be fulfilled (“tone from the
top”). This communication should be cascaded downwards in the
management hierarchy.

• Specification of clear conduct guidelines with regard to the desired
corporate culture, and inclusion of these guidelines in the company
guidelines. Existing regulations should be checked, e.g. it should be
checked whether an existing code of conduct can be supplemented
accordingly or whether a company-internal instruction can be
written.

• A culture of openly dealing with errors/mistakes, and the guarantee
that employees will not be sanctioned for addressing problems,
such that potential risks are identified, mitigated and dealt with in a
timely fashion.

• Promoting a “speak up” culture in which employees openly address
issues, by establishing various reporting channels, both in the form
of direct exchange of employees with their manager and via other
means (e.g. anonymous hotline).

• Within the supply chain, product compliance issues with regard to
antitrust or other statutory requirements can be openly addressed at
any time in direct communication between the OEM and the
supplier or between the supplier and the sub-supplier. In parallel to
internal regulations (e.g. the code of conduct), it can make sense to
create or to supplement relevant “business code of conduct”
agreements or general terms and conditions of purchase with
regard to product compliance values and conduct guidelines.

3.2 Objectives
The PCS specifies concrete objectives. Specifying these objectives
provides a basis for implementing the PCS. Monitoring the fulfillment of
objectives makes it possible to keep the PCS up to date.
It is recommendable to define the most important objectives of the PCS
across all of the other six elements in order to allow for a
comprehensive understanding of what is to be achieved with the PCS.
In addition, specifying objectives for each element provides the basis for
continued measurement, management and improvement of PCS
efficiency.
An overarching objective of the PCS is orienting the company in such a
way that the binding obligations can be fulfilled over the entire product
life cycle for products that have been manufactured or placed on the
market. The goal is to establish a structured framework regarding the
PCS in the companies along the supply chain, such that all
parties/companies involved in the development, production, sales and
maintenance/operation as well as decommissioning can fulfill their
relevant binding obligations. With regard to the “objectives” element, it is
important to define clear and measurable targets which allow for
conclusions to be drawn concerning the use and effectiveness of the
PCS, e.g.:

• ensuring product compliance over the entire life cycle (e.g.
requirements regarding product safety, material conformity or
cybersecurity)

• correct implementation of processes and the organization within the
company

• protection of employees against personal consequences

• the acknowledgment of the importance of product compliance and
its implementation within the company

The “objectives” element should answer the question how the
implementation and efficiency of the PCS can be measured. For this
purpose, the system-related definition of objectives should meet the
following requirements:

• Definition of at least one objective per element (e.g. planned scope
of training regarding product compliance)

• The definition of key performance indicators (KPIs) and/or
measured values (metrics) for developing and operating the PCS
can for instance be suitable (as an input for monitoring and
improvement)

• Option of focusing on specific aspects (e.g. based on the risk profile
of the relevant company)

• Orientation of the objectives towards overarching corporate
objectives, e.g. differentiation from other management systems
such as quality, risk and compliance management systems

3.3 Risks
When it comes to developing a suitable and effective PCS, the
necessary starting point is to continuously identify, evaluate and control
product compliance risks (“risk management”). This risk management is
also helpful when specifying/validating the scope of application of the
company-specific and individual PCS.
This can also affect the depth of integration or the understanding of
roles in various organizational units within the company.
Product compliance risks must be analyzed systematically along the
product life cycle in consideration of product compliance objectives, the
product range and the business model. The core objective of the risk
analysis is to identify and evaluate product compliance issues in
product-relevant organizational units in a timely fashion.
The PCS should be designed in such a way that adjustments and
changes of business units are detected and supported accordingly. This
applies in particular to new business areas or technologies and the
processing of relevant new topics with special attention and expertise.
In this regard, a product compliance risk constitutes a breach of binding
obligations. Which type of obligation is concerned can be taken into
account when analyzing, evaluating and mitigating risks.
It is recommendable to introduce a methodical approach in order to
systematically identify and evaluate product-related risks in the
company both in a quantitative and qualitative manner, taking existing
risk management systems within the company into account. The risks
that are identified can thus be analyzed in terms of their probability of
occurrence and the potential damage, also taking possible
interdependencies into consideration.
The implementation and the effectiveness of the measures derived from
the risk analysis should be monitored by means of suitable monitoring
measures and controls.
Consciously dealing with product compliance risks should be
understood and put into action as a strategic approach in order to
comprehensively protect customers, consumers, road users and
companies.
The risk assessment should be supported by a sufficiently independent
entity (second line).
Afterwards, the risks should be eliminated or minimized in a structured
way.
When conducting risk management, the common methods and
processes based on recognized standards should be applied.

3.4 Program
Within the PCS, the term program refers to all activities and processes
in the company that aim at achieving, maintaining and monitoring
product compliance. These activities should be specified and should
then be integrated into new or existing processes.
The PCS should be designed in such a way that all processes are
evaluated regarding their relevance to product compliance, are adjusted
if required and are interlinked in a goal-oriented way. Topics related to
product compliance include (among others) risk management, quality
management, process management as well as legal and compliance
management.
The scope of the PCS program also includes the interfaces to other
systems or areas (as well as their necessary processes) that are
required in order to achieve and maintain product compliance.
The PCS ensures that the processes linked to product compliance are
situated and monitored correctly. Any gaps that are identified should be
shown by the PCS and should be closed by the relevant responsible
managers. In order for the PCS to function efficiently, all relevant
interfaces should be brought together, and it must be ensured that they
combine in an optimal way.
For the sake of clearly understanding the interaction between the
interfaces/management systems described above and the PCS, this
interaction should be described in the manner specified for the company
(e.g. process description, work instruction).
When starting this interaction, it is recommendable to draw up an
interface description specifying roles and responsibilities. This
agreement contains (among other things) specifics regarding the
interfaces, objectives and the exchange process, offering a clear picture
of the responsibilities and the services to be provided.
To create a system with the aim of networked processes for ensuring
product compliance, it is recommendable to create a transparent
overview of the existing processes within the company.
The processes that are required in order to achieve product compliance
should be identified. They can be found along the entire value chain
(e.g. development, certification, production, after sales).
The relevant processes are related to binding obligations but also
directly influence the product, e.g. safeguarding. Processes that have an
indirect influence (e.g. maintenance) do not fall into the scope of the
PCS. These “PCS-relevant” processes should be described with clear
rules and specified criteria. For processes with the highest risk exposure
and/or with the highest relevance in terms of product compliance,
process reliability can be verified by means of compliance checks.
Within a company, there are PCS-relevant processes both at the
implementation level (first line) and at the control level (second line).

First Line

The realization/operative implementation level includes processes of the
typical day-to-day business, which map the fundamental development,
production, sales and quality assurance activities in accordance with the
line function.

These activities regularly include:

Identification
• Monitoring the applicable laws and product-related regulations
(regulatory monitoring)
• Identification of binding obligations (all relevant topics, all relevant
regions)
• Specification of responsibilities regarding the fulfillment of binding
obligations

Translation
• Clarification (interpretation and specification of the scope) of binding
obligations

Implementation
• Developing, manufacturing and providing products/services for
customers
• Eliminating or mitigating identified process risks and operative risks
(risk mitigation)

Safeguarding
• e.g. peer review or double verification principle
• Separation of functions
• Approval procedures and release authorizations
• Requirements regarding functions/products are interpreted and
fulfilled correctly in accordance with statutory provisions

Monitoring and reacting
• Carrying out processes at the operative implementation level
designed to systematically capture and process reports/indications
of product compliance breaches (e.g. escalation processes,
processes of communication with the authorities)
• Monitoring the first line’s own process reliability

Second Line

It is recommendable to document concrete specifications defining the
various tasks, subgoals and scopes of application of the PCS and
assigning them unambiguously to responsible persons.

These specifications include, among other things:
• Reporting and escalation paths
• Minimum process requirements to ensure product compliance (e.g.
separating implementation and release/approval, principle of double
verification)
• Communication, training and awareness measures
• Monitoring the suitability and effectiveness of the PCS
• Establishing processes for systematically capturing and processing
reports/indications of non-conformities as well as identified
non-conformities

The management board must support the processes for operating the
PCS. This is done by means of providing resources and training and
unambiguously assigning responsibilities. It must be ensured that there
is no overregulation (redundancies due to already existing processes
must be avoided).

3.5 Organization
The realization and operative implementation/regular operation of the
PCS requires a respective organization. The latter defines roles and
responsibilities relevant to product compliance in accordance with
the Three Lines Model.
The operative divisions constitute the so-called first line. Within the
PCS, their main task is to manage business in their organizational units
in such a way that it is consistent with the relevant binding obligations.
They are thus considered to be the primary risk owners.
In this context, compliance requirements and standards defined by the
second line are used and applied to the relevant processes. For
example, this includes a process regarding the management of product
compliance risks, including their identification, evaluation and mitigation.
In the so-called second line, product compliance standards are
established, risks at the company level are monitored, and framework
conditions for designing the PCS are put in place.
Within the scope of its governance function, the second line promotes a
culture of compliant behavior and informs the responsible persons,
panels or committees about the effectiveness of the PCS.
The second line also advises the first line on the effective
implementation of the PCS. Synergies can be created regarding the
second lines of the management systems, e.g. in order to combine
monitoring activities.
The general tasks required for the implementation and regular operation
of the PCS must be defined and structured in accordance with the Three
Lines Model. In this regard, the first and second line functions should be
separated in an appropriate way in order to avoid potential conflicts of
interest. In small companies, the second line can be covered by one
function for various aspects (e.g. security or safety). In general, the
governing bodies bear responsibility for product compliance. However,
the implementation can be delegated to a second line function. In larger
companies, it can make sense to define responsibilities for each
business unit or business area, depending on the organization of the
company. The identified tasks should be assigned to existing or new
roles and responsibilities (e.g. by means of a RASIC chart) and should
thus be integrated into the organization. A prerequisite for delegating
product compliance tasks is that the relevant framework conditions
(tasks, authorizations and responsibility) are defined by the governing
bodies. In order to allow for efficient delegation, the governing bodies
ensure that the addressees are selected (responsibility, position) and
that the required resources are available. The employees to whom
these roles are assigned and who thus carry out tasks in processes
relevant to product compliance must be adequately qualified and trained
for this. In addition, it is recommendable to monitor whether the
delegated tasks are carried out effectively. Depending on the company’s
organization, it can also make sense to designate or establish a panel
as part of the organization in order to reach agreements and decisions
regarding PCS-relevant issues. Further panels or responsible bodies
that already exist in the organization and that are related to product
compliance must be identified and linked to the PCS (second line).
Clear reporting channels and escalation paths should be defined by the
panels and the line organization in order to make joint decisions and to
escalate (if required).
In the so-called “third line”, independent and objective reviews and
advice are provided on all issues related to the fulfillment of objectives,
for example in the form of an audit.

3.6 Communication and training
In order to implement a PCS effectively, employees must be sensitized
to the importance of product compliance and must be trained with
regard to the processes and requirements that are relevant to them. In
this regard, it is especially important to convey the significance of the
binding obligations defined within the company.
It is recommendable to define risk-based target groups for which
communication measures and training modules are established.
As there can be a strong link between the PCS and other management
systems, in particular the quality management and/or compliance
management system, existing training concepts and documents should
be utilized and supplemented in a useful way when creating
communication and training plans.
When developing a communication concept and a training plan, aspects
related to corporate culture should be taken into account (e.g. “tone
from the top”), among other things.
The following target groups should be considered in a training plan
(based on the risk, if necessary):

• All relevant employees in terms of sensitization, mindset, etc.

• Employees at the operative implementation level who are involved
in processes relevant to product compliance
(e.g. in the area of products relevant to certification)

• Employees in designated roles within the PCS

It should be ensured that for each role and area of responsibility, the
processes and knowledge relevant to product compliance are conveyed,
and that training is provided accordingly.
Depending on the target group, it should be considered whether certain
training modules (e.g. basic training for all employees or expert training
for emission-relevant functions) should be defined as mandatory. The
implementation of the training should be verified and documented.
The employees’ participation should be checked by means of regular
monitoring.
Suitable contact persons, who can support and advise employees in
their relevant area in case of questions related to product compliance,
should be named and communicated.
In addition, product compliance communication aims at informing the
relevant business partners about the significance of product compliance
and promoting the implementation of a PCS internally as well as along
the supply chain. Depending on the business model (OEM or supplier),
relevant business partners can include the (sub)supplier, the trade
organization, a cooperation partner or the (business) customer.

3.7 Monitoring/improvement/reporting
Every PCS also includes a monitoring function, which should be
implemented based on the risk and should be defined in a company-
specific way.
In this regard, monitoring and control tasks can be carried out at all
three levels of the Three Lines Model using existing structures, e.g.
controls from QM processes.
In order to ensure that the established processes and methods of the
PCS are effective and are implemented and verified in a suitable way in
the first line, regular monitoring should be carried out by the second line
based on defined methods (e.g. specified guiding questions or
independent effectiveness reviews by the second line). This monitoring
by the second line focuses both on the implementation of the PCS and
the achievement of targets as well as the process reliability of core
processes relevant to product compliance. By evaluating monitoring
results, deviations from the targets (non-conformities) or any need for
improvement of the targets themselves can be identified, and it is
possible to take countermeasures for correction and improvement. In
addition to this monitoring, checks can also be conducted by the third
line (audits). Moreover, guiding questions for monitoring purposes can
also be used as an aid when introducing the PCS.
A prerequisite for regular operation of monitoring processes is that a
PCS is described in the company (official rules document) and that the
relevant processes and roles are known in the business units. To
ensure that the PCS is designed in a suitable way, the second line
should conduct regular self-checks.
Furthermore, it should be ensured that qualified and (as far as possible)
independent auditors (from the second line) are defined
(e.g. integration into an existing QMS/RMS).
To create transparency regarding the planned monitoring activities and
to allow the affected business units to prepare for these activities, it is
for example possible for the second line to create a yearly risk-based
monitoring plan, which can then be communicated within the company.
The aspects monitored as well as the monitoring processes used should
also be communicated transparently in advance.
The monitoring results should be saved in the form of a standardized
results document for the purpose of traceability. This concerns potential
non-conformities as well as insights potentially leading to updated
requirements, targets or monitoring methods.
In case non-conformities are identified, clear rules should be defined in
order to rectify them. Rules can for example include specifying
appropriate deadlines for a cause analysis or implementing corrective
measures, depending on the severity of the non-conformity. In general,
it should be clear after the cause analysis whether the non-conformity is
a systematic or an isolated one. The way the non-conformity is handled
and suitable escalation paths (depending on the severity of the non-
conformity and in line with the risk-based approach) should also be
defined and adhered to.
Within the company, it should be clearly defined who is responsible for
documenting the non-conformities and for monitoring the
implementation of the measures.
In order to identify non-conformities, information from existing systems
(such as the QM system, compliance management system,
whistleblower system) or information from first line panels regarding
processes can also be used. Interlinking/networking is thus strongly
recommended.
Regular reporting to the management board regarding topics relevant to
product compliance, e.g. pertinent aspects, processes, inspection
results and improvement measures should be defined and implemented.

4 Guiding questions
The following guiding questions are meant to provide orientation
regarding a better organization and implementation of the PCS. They do
not claim to be complete, and do not reflect any specific prioritization.

4.1 Culture
❖ Is there a mandatory code of conduct which includes guidelines
(principles of conduct) regarding product compliance for all
employees?

❖ Are principles relevant to product compliance regularly conveyed
within the company using a “tone from the top” approach?
o e.g. by means of e-mails or video messages in which
members of the governing bodies emphasize the
importance of product compliance.

❖ Are product compliance values regularly addressed in
communication and training concepts?

❖ Are the employees encouraged to identify and report misconduct or
breaches of the rules?

❖ Is there also a mechanism allowing internal and external
whistleblowers to anonymously report potential violations?
o e.g. whistleblower system

4.2 Objectives
❖ Are concrete objectives defined for individual elements of the PCS,
including criteria to fulfill those objectives?
o e.g. training quota, number and effectiveness of
communication measures

❖ Is there a process for systematically deriving, documenting and
communicating these objectives and criteria?
o e.g. in a regulation document

❖ Are the defined objectives regularly monitored on the basis of
measures for continuous improvement?
o e.g. based on insights from the “monitoring” element

❖ Is the relevant separation/integration of objectives from/into other
management systems taken into account?
o e.g. QM systems, risk management systems, compliance
management systems.

4.3 Risks
❖ Is there a risk management concept for identifying possible risks of
breaches of binding obligations?

❖ Are factors for identifying product compliance risks systematically
determined?
o e.g. systematic recording/identification of laws in the
relevant markets, sufficient monitoring regarding
compliance with the law, analysis of the dynamics and
complexity of the regulatory environment

❖ Are the identified risks evaluated systematically?

❖ Are cases of non-achievement of product compliance within the
company or in the industry and the resulting lessons learned taken
into account?

❖ Does the risk assessment cover the product life cycle?
o e.g. field observation/reporting obligation and change
management

❖ Are suitable measures defined for the identified risks, and is their
implementation monitored with reasonable diligence?

❖ Is the effectiveness of these measures evaluated and documented?

❖ Is there a process for recurrent consideration and reassessment of
potential product compliance risks and measures for risk
prevention?

❖ Are insights regarding risks communicated across business units
and product lines?

4.4 Program
General questions regarding the program and the process

❖ Is there already a suitable basis for process design and
documentation, such as a QM system, compliance management
system or similar systems, which can be used for the PCS?

❖ Are existing processes and roles related to product compliance
integrated into the PCS, or is there an exchange by means of
interfaces?

❖ Is it ensured that the second line function can operate sufficiently
independently from the first line (segregation of duties)?

❖ Are the processes which are directly related to binding obligations
and the product (PCS-relevant processes) identified?

❖ Are PCS-relevant processes modeled robustly (reduction of product
compliance risks), and are they continuously monitored for process
reliability and fulfillment of objectives?

On dealing with binding obligations

Identification
❖ Are the relevant target markets as well as the related binding
obligations known?

❖ Is there a method for identifying and communicating binding
obligations, including defined criteria?

❖ Is there a method for identifying and communicating changes to
binding obligations?

Translation
❖ Is there a method for interpreting and communicating binding
obligations?

❖ Is there a method for interpreting and communicating changes to
binding obligations?

❖ Is there a process for an advisory/clearing office which provides
support when interpreting unclear statutory/regulatory
requirements?

Implementation
❖ Is there a method for documenting and communicating
requirements based on the interpretation of binding obligations?

❖ Is there a method for adjusting the documentation and
communication of requirements based on the interpretation of
changed binding obligations?

❖ Are there consistent processes for fulfilling the requirements derived
from binding obligations?

Safeguarding
❖ Is a relevant double verification principle applied?
o e.g. peer review

❖ Do the processes include monitoring whether the requirements
regarding functions/products are interpreted and fulfilled correctly in
accordance with statutory provisions?

Monitoring and reacting
❖ Are there established processes for systematically capturing and
processing identified non-conformities (also potential non-
conformities) in relation to the product?

4.5 Organization
❖ Are there clearly defined roles and responsibilities in the first and
second line, and are PCS role descriptions regularly checked as to
whether they are up to date?

❖ Is it ensured that the first line and the second line are independent
from each other?

❖ Is it established who (function or panel) bears primary responsibility
for the concept, the implementation and the operation of the PCS?

❖ Are the necessary resources, authorizations and know-how required
for this purpose available?

❖ Are suitable interdisciplinary decision-making processes defined for
PCS-related aspects?
o e.g. for methods, requirements and decisions in specific
cases

❖ Are suitable panels or other bodies responsible for dealing with
PCS-relevant issues established and defined with regard to their
task?

4.6 Communication and training
❖ Does internal product compliance communication take place
regularly and in a structured way?
o e.g. web page, town hall meetings, newsletter

❖ Are there communication channels through which all relevant
employees (worldwide, possibly also those without access to a
computer) can be reached?

❖ Is communication regarding PCS-relevant issues possible along the
supply chain?

❖ Are guidelines regarding product compliance (potentially included in
the code of conduct) communicated on a regular basis using a “tone
from the top” approach?

❖ Is there a training concept oriented towards the various target
groups with regard to product compliance?
o e.g. various training modules

❖ Is there suitable proof (proof of effectiveness of training) that
employees are familiar with the topics covered in the training?
o e.g. assessment of e-learning tools, feedback provided by
participants

❖ Are the topics covered in the training regularly checked and
updated?

❖ Are there established points of contact regarding questions related
to product compliance, and are they used?

4.7 Monitoring/improvement/reporting
Monitoring

❖ Are the requirements that have to be met defined and made known?
o e.g. in a regulation document

❖ Are the fulfillment of the defined objectives and the implementation
of PCS elements monitored?

❖ Is there a monitoring plan?

❖ Is neutrality ensured with regard to monitoring, and are the relevant
roles defined?
o e.g. no direct reporting line between monitoring and
monitored function

❖ Are potential synergies between the PCS and other systems used,
e.g. for QMS monitoring?
o e.g. by means of other audits

Improvement

❖ Are measures effectively implemented and monitored?

❖ Are weaknesses systematically determined, analyzed and
eliminated when it comes to ensuring product compliance?

Reporting

❖ Are the governing bodies of the company regularly informed about
the topic of product compliance?
o e.g. KPI reports, cases, risks

❖ Are channels for reporting non-conformities in the PCS described
procedurally, and are escalation paths defined?

❖ Is the documentation consistent and comprehensible?

❖ Are archiving obligations fulfilled?

5 Glossary

Term Definition

Binding obligations: Statutory and regulatory requirements that are
relevant to a company’s products, as well as further, self-imposed
product requirements (e.g. arising from internal regulations).

Compliance: Compliance with all business-relevant laws, rules and
regulations as well as self-imposed internal guidelines.

IIA: Institute of Internal Auditors

Placing on the market: Placing products on a market.

Conformity: Conformity of a thing or an aspect with previously specified
requirements.

Legality control obligation: The legality obligation constitutes the core
of the statutory due diligence obligations regarding the management of
a business. In this regard, diligent behavior means that the governing
bodies act in accordance with the rules and - as a separate legality
control obligation - ensure that the rules are adhered to within the
company.

Lessons learned: Lessons learned means using any insights gained from
experience or events in order to improve future actions.

Product compliance: Fulfillment of product-related binding obligations
throughout the product life cycle. Product conformity is part of product
compliance.

Product compliance system: Company-wide, structured approach
intended to ensure product compliance.

Product: Hardware and software as well as other objects (e.g.
packaging) and services (e.g. IT services, software as a service) that a
company provides to legal or natural persons.

Product liability: Obligation of a manufacturer or others to compensate
for personal damage, damage to property or other damage caused by a
product.

Product integrity: This term is used in the VDA volume titled “Product
Integrity”. In that volume, the term refers to the fulfillment of product
safety requirements and product conformity. The term is no longer used
in the VDA PCS volume.

Product conformity: Product conformity means that products are in
conformity with the relevant statutory and regulatory requirements.
Among other things, product conformity also encompasses the statutory
requirements regarding product safety.

Product life cycle: Phases of development and use of a product up to its
final disposal.

Product safety: Product safety means fulfilling safety-relevant
requirements in relation to the product.

Quality management system, QM system: Management system for
managing and guiding an organization with regard to quality.

RASIC: RASIC refers to a method for analyzing and clearly representing
roles and responsibilities. The name is derived from the initial letters of
the words Responsible, Approving/Accountable, Supporting, Informed,
and Consulting.

Risk management: Risk management is a continuous and systematic
process used within a company in order to identify, assess, control,
document and report risks in a timely manner.

Risk management system/RMS: A risk management system includes all
specifications, activities and processes with regard to risk management.

The terms of all VDA volumes are included in an online glossary
available in German and English free of charge:
https://vda-qmc-learning.de/module/glossar/

Quality Management in the Automotive Industry

The current versions of the VDA publications covering quality
management in the automotive industry can be found on the internet
under http://www.vda-qmc.de.

You may also order via this homepage.

Reference:

Verband der Automobilindustrie e.V. (VDA)

Qualitäts Management Center (QMC)

10117 Berlin, Behrenstr. 35
Phone +49 (0) 30 89 78 42-235, Fax +49 (0) 30 89 78 42-605
Email: info@vda-qmc.de, Internet: www.vda-qmc.de
