Gelbband PCS Final 23-05-12 En
Product Compliance
Volume 1:
Product Compliance System
Quality Management in the Automotive Industry
Copyright 2023 by
Non-binding VDA recommendation
The Association of the German Automotive Industry (VDA) recommends
that its members apply the following standard in order to implement
product compliance activities and to keep carrying them out. The concrete
implementation and realization can vary depending on the company-
internal organization and structure.
Exclusion of liability
VDA volumes are recommendations available for general use. Anyone
who implements them is responsible for ensuring that they are used
correctly in each case.
This VDA volume takes into account the technical procedures current at
the time of issue. Implementation of VDA recommendations relieves no
one of responsibility for their own actions. In this respect, everyone acts
at their own risk.
The VDA and those involved in VDA recommendations shall bear no
liability.
If during the use of VDA recommendations, errors or the possibility of
misinterpretation are found, it is requested that the VDA be notified
immediately so that any possible inaccuracies can be corrected or
improvements can be made.
Copyright
This publication is protected by copyright. Any use outside of the strict
limits of copyright law is not permissible without the consent of the VDA
and is liable to prosecution. This applies in particular to copying,
translation, microfilming and storage or processing in electronic
systems.
Translations
This publication will also be issued in other languages. The current
status must be requested from VDA QMC.
Definitions and glossary
A glossary of defined terms is provided at the end of the text. Defined
terms are printed in italics in this volume.
Table of contents
1 Introduction/objectives 6
2 Fundamentals 8
2.1 Situating the PCS within the corporate governance structure 8
2.2 Scope of the Product Compliance System 10
2.3 Binding obligations 10
2.4 Interplay with VDA Volume Product Integrity 11
2.5 Relationship with other management systems 12
4 Guiding questions 26
4.1 Culture 26
4.2 Objectives 26
4.3 Risks 27
4.4 Program 28
4.5 Organization 30
4.6 Communication and training 30
4.7 Monitoring/improvement/reporting 31
5 Glossary 33
1 Introduction/objectives
The common objective of the VDA member companies is to
continuously ensure the conformity of their products in a global market
in order to protect people and the environment as well as to prevent
risks. Conformity must be ensured with regard to so-called binding
obligations, i.e. all applicable statutory obligations as well as obligations
that companies assume voluntarily.
The PCS is based on the so-called Three Lines Model and is a function
of the so-called second line.
quality assurance systems (such as DIN/EN ISO 9001 or IATF 16949).
In particular, they do not serve to interpret or evaluate quality assurance
or QM systems either.
2 Fundamentals
Product compliance means that a company must fulfill all of its binding
obligations. The latter include statutory and regulatory requirements that
are relevant to a company’s products, as well as further, self-imposed
product requirements (e.g. arising from internal regulations). Product
compliance processes defined within a PCS provide the framework for
systematic measures and activities designed to reduce the risk of non-
fulfillment of these binding obligations across the entire product life
cycle.
Model [1], and is considered to be a second line function. The product
compliance function thus has a governance role, monitors first line
processes, offers the implementing departments support and expertise,
and can complete tasks in risk-relevant areas.
The so-called third line constitutes an entity that is external to and
independent from the PCS organization, and that conducts audits within
the company, such as
the internal review.
[Figure: Three Lines Model. Governing bodies. First line: provision of products/services to customers, management of risks, adherence to the relevant binding obligations. Second line: specifications and monitoring, expertise and support, tasks in risk-relevant matters. Third line: independent and objective review and advice on all matters relating to the achievement of objectives.]

[1] Based on the “Three Lines Model” of the IIA, Institute of Internal Auditors, 2020.
2.2 Scope of the PCS
The required scope of the product compliance system is based on the
company’s product range and is considered across the entire product
life cycle. The company must specify, define and document the exact
composition of the products considered in the PCS.
Thus, the concrete aspects to be considered as part of the binding
obligations described below are derived from the scope of products.
The focal points of the company’s own PCS must be specified based on
the risks and should be communicated along the supply chain.
Communication within the supply chain must take place in compliance
with antitrust provisions. In particular, this means that price-determining
factors, concrete prices and conditions must not be disclosed to third
parties that are not part of the concrete supply relationship. Discussions
related to the quality characteristics of products as well as the disclosure
of PCS requirements to suppliers, by contrast, remain permissible.
state of scientific knowledge and technology,
product integrity as per the previous definition in the VDA volume. In
addition to that, however, further binding obligations and related risks
are addressed, such as the prevention of misleading product
statements. The PCS thus has a broader scope.
In the following, this volume addresses the tasks of the governance
function of product compliance as well as their interfaces. For the sake
of a holistic view of the binding obligations, the terms product
compliance and product compliance system (PCS) are used exclusively.
3 Elements of the Product Compliance
System (PCS)
In the following subsections, the seven elements that every PCS -
regardless of the concrete implementation in a company - should
contain are described in detail.
3.1 Culture
The effectiveness of a PCS is significantly influenced by the existing
corporate culture.
It is therefore essential to strengthen corporate values which contribute
to the fulfillment of statutory and regulatory product requirements.
Managers should convey guiding principles and expectations clearly
and regularly using a “tone from the top” approach, in particular by
means of communicative measures. In addition, these principles should
also be reflected in the leadership practices.
Mindsets and values which affect product compliance should ideally be
embedded in the corporate culture. Especially when conflicts of
objectives emerge (deadlines, costs, quality), it is vital to foster a
corporate culture that encourages employees to voice concerns
regarding product compliance issues, and to address these concerns.
For example, if there is an existing code of conduct within the company
or if there are other relevant conduct guidelines, these can be referred
to explicitly in the PCS.
Fostering a value-based corporate culture and relevant guiding
principles that positively influence product compliance should be part of
the PCS training and communication concept. If training requirements or
a need for change are identified, a training module or a change concept
can be developed.
An easily comprehensible code of conduct as well as a clearly
communicated and shared corporate culture guide and influence the
work and decision-making practices of all employees. The conduct and
concrete behavior at the top management level should receive particular
attention in this regard.
Within the framework of the PCS, requirements regarding a suitable
corporate culture in relation to product compliance include, in particular:
3.2 Objectives
The PCS specifies concrete objectives. Specifying these objectives
provides a basis for implementing the PCS. Monitoring the fulfillment of
objectives makes it possible to keep the PCS up to date.
It is advisable to define the most important objectives of the PCS
across all of the other six elements in order to allow for a
comprehensive understanding of what is to be achieved with the PCS.
In addition, specifying objectives for each element provides the basis for
continued measurement, management and improvement of PCS
efficiency.
An overarching objective of the PCS is orienting the company in such a
way that the binding obligations can be fulfilled over the entire product
life cycle for products that have been manufactured or placed on the
market. The goal is to establish a structured framework regarding the
PCS in the companies along the supply chain, such that all
parties/companies involved in the development, production, sales and
maintenance/operation as well as decommissioning can fulfill their
relevant binding obligations. With regard to the “objectives” element, it is
important to define clear and measurable targets which allow for
conclusions to be drawn concerning the use and effectiveness of the
PCS, e.g.:
• ensuring product compliance over the entire life cycle (e.g.
requirements regarding product safety, material conformity or
cybersecurity)
following requirements:
3.3 Risks
When it comes to developing a suitable and effective PCS, the
necessary starting point is to continuously identify, evaluate and control
product compliance risks (“risk management”). This risk management is
also helpful when specifying/validating the scope of application of the
company-specific and individual PCS.
This can also affect the depth of integration or the understanding of
roles in various organizational units within the company.
Product compliance risks must be analyzed systematically along the
product life cycle in consideration of product compliance objectives, the
product range and the business model. The core objective of the risk
analysis is to identify and evaluate product compliance issues in
product-relevant organizational units in a timely fashion.
The PCS should be designed in such a way that adjustments and
changes of business units are detected and supported accordingly. This
applies in particular to new business areas or technologies and the
processing of relevant new topics with special attention and expertise.
In this regard, a product compliance risk constitutes a breach of binding
obligations. Which type of obligation is concerned can be taken into
account when analyzing, evaluating and mitigating risks.
It is advisable to introduce a methodical approach in order to
systematically identify and evaluate product-related risks in the
company both in a quantitative and qualitative manner, taking existing
risk management systems within the company into account. The risks
that are identified can thus be analyzed in terms of their probability of
occurrence and the potential damage, also taking possible
interdependencies into consideration.
The implementation and the effectiveness of the measures derived from
the risk analysis should be monitored by means of suitable monitoring
measures and controls.
Consciously dealing with product compliance risks should be
understood and put into action as a strategic approach in order to
comprehensively protect customers, consumers, road users and
companies.
The risk assessment should be supported by a sufficiently independent
entity (second line).
Afterwards, the risks should be eliminated or minimized in a structured
way.
When conducting risk management, the common methods and
processes based on recognized standards should be applied.
3.4 Program
Within the PCS, the term program refers to all activities and processes
in the company that aim at achieving, maintaining and monitoring
product compliance. These activities should be specified and should
then be integrated into new or existing processes.
The PCS should be designed in such a way that all processes are
evaluated regarding their relevance to product compliance, are adjusted
if required and are interlinked in a goal-oriented way. Topics related to
product compliance include (among others) risk management, quality
management, process management as well as legal and compliance
management.
The scope of the PCS program also includes the interfaces to other
systems or areas (as well as their necessary processes) that are
required in order to achieve and maintain product compliance.
The PCS ensures that the processes linked to product compliance are
situated and monitored correctly. Any gaps that are identified should be
flagged by the PCS and should be closed by the relevant responsible
managers. In order for the PCS to function efficiently, all relevant
interfaces should be brought together, and it must be ensured that they
interact effectively.
For the sake of clearly understanding the interaction between the
interfaces/management systems described above and the PCS, this
interaction should be described in the manner specified for the company
(e.g. process description, work instruction).
When starting this interaction, it is advisable to draw up an
interface description specifying roles and responsibilities. This
agreement contains (among other things) specifics regarding the
interfaces, objectives and the exchange process, offering a clear picture
of the responsibilities and the services to be provided.
To create a system of networked processes for ensuring
product compliance, it is advisable to create a transparent
overview of the existing processes within the company.
The processes that are required in order to achieve product compliance
should be identified. They can be found along the entire value chain
(e.g. development, certification, production, after sales).
The relevant processes are related to binding obligations but also
directly influence the product, e.g. safeguarding. Processes that have an
indirect influence (e.g. maintenance) do not fall into the scope of the
PCS. These “PCS-relevant” processes should be described with clear
rules and specified criteria. For processes with the highest risk exposure
and/or with the highest relevance in terms of product compliance,
process reliability can be verified by means of compliance checks.
Within a company, there are PCS-relevant processes both at the
implementation level (first line) and at the control level (second line).
First Line
Identification
• Monitoring the applicable laws and product-related regulations
(regulatory monitoring)
Translation
• Clarification (interpretation and specification of the scope) of binding
obligations
Implementation
• Developing, manufacturing and providing products/services for
customers
Safeguarding
• e.g. peer review or double verification principle
• Separation of functions
• Approval procedures and release authorizations
• Requirements regarding functions/products are interpreted and
fulfilled correctly in accordance with statutory provisions
Second Line
3.5 Organization
The realization and operative implementation/regular operation of the
PCS requires a corresponding organization. The latter defines roles and
responsibilities relevant to product compliance in accordance with
the Three Lines Model.
The operative divisions constitute the so-called first line. Within the
PCS, their main task is to manage business in their organizational units
in such a way that it is consistent with the relevant binding obligations.
They are thus considered to be the primary risk owners.
In this context, compliance requirements and standards defined by the
second line are used and applied to the relevant processes. For
example, this includes a process regarding the management of product
compliance risks, including their identification, evaluation and mitigation.
In the so-called second line, product compliance standards are
established, risks at the company level are monitored, and framework
conditions for designing the PCS are put in place.
Within the scope of its governance function, the second line promotes a
culture of compliant behavior and informs the responsible persons,
panels or committees about the effectiveness of the PCS.
The second line also advises the first line on the effective
implementation of the PCS. Synergies can be created regarding the
second lines of the management systems, e.g. in order to combine
monitoring activities.
The general tasks required for the implementation and regular operation
of the PCS must be defined and structured in accordance with the Three
Lines Model. In this regard, the first and second line functions should be
separated in an appropriate way in order to avoid potential conflicts of
interest. In small companies, the second line can be covered by one
function for various aspects (e.g. security or safety). In general, the
governing bodies bear responsibility for product compliance. However,
the implementation can be delegated to a second line function. In larger
companies, it can make sense to define responsibilities for each
business unit or business area, depending on the organization of the
company. The identified tasks should be assigned to existing or new
roles and responsibilities (e.g. by means of a RASIC chart) and should
thus be integrated into the organization. A prerequisite for delegating
product compliance tasks is that the relevant framework conditions
(tasks, authorizations and responsibility) are defined by the governing
bodies. In order to allow for efficient delegation, the governing bodies
ensure that the addressees are selected (responsibility, position) and
that the required resources are available. The employees to whom
these roles are assigned and who thus carry out tasks in processes
relevant to product compliance must be adequately qualified and trained
for this. In addition, it is advisable to monitor whether the
delegated tasks are carried out effectively. Depending on the company’s
organization, it can also make sense to designate or establish a panel
as part of the organization in order to reach agreements and decisions
regarding PCS-relevant issues. Further panels or responsible bodies
that already exist in the organization and that are related to product
compliance must be identified and linked to the PCS (second line).
Clear reporting channels and escalation paths should be defined by the
panels and the line organization in order to make joint decisions and to
escalate (if required).
In the so-called “third line”, independent and objective reviews and
advice are provided on all issues related to the fulfillment of objectives,
for example in the form of an audit.
systems, in particular the quality management and/or compliance
management system, existing training concepts and documents should
be utilized and supplemented in a useful way when creating
communication and training plans.
When developing a communication concept and a training plan, aspects
related to corporate culture should be taken into account (e.g. “tone
from the top”), among other things.
The following target groups should be considered in a training plan
(based on the risk, if necessary):
organization, a cooperation partner or the (business) customer.
3.7 Monitoring/improvement/reporting
Every PCS also includes a monitoring function, which should be
implemented based on the risk and should be defined in a company-
specific way.
In this regard, monitoring and control tasks can be carried out at all
three levels of the Three Lines Model using existing structures, e.g.
controls from QM processes.
In order to ensure that the established processes and methods of the
PCS are effective and are implemented and verified in a suitable way in
the first line, regular monitoring should be carried out by the second line
based on defined methods (e.g. specified guiding questions or
independent effectiveness reviews by the second line). This monitoring
by the second line focuses both on the implementation of the PCS and
the achievement of targets as well as the process reliability of core
processes relevant to product compliance. By evaluating monitoring
results, deviations from the targets (non-conformities) or any need for
improvement of the targets themselves can be identified, and it is
possible to take countermeasures for correction and improvement. In
addition to this monitoring, checks can also be conducted by the third
line (audits). Moreover, guiding questions for monitoring purposes can
also be used as an aid when introducing the PCS.
A prerequisite for regular operation of monitoring processes is that a
PCS is described in the company (official rules document) and that the
relevant processes and roles are known in the business units. To
ensure that the PCS is designed in a suitable way, the second line
should conduct regular self-checks.
Furthermore, it should be ensured that qualified and (as far as possible)
independent auditors (from the second line) are defined
(e.g. integration into an existing QMS/RMS).
To create transparency regarding the planned monitoring activities and
to allow the affected business units to prepare for these activities, it is
for example possible for the second line to create a yearly risk-based
monitoring plan, which can then be communicated within the company.
The aspects monitored as well as the monitoring processes used should
also be communicated transparently in advance.
The monitoring results should be saved in the form of a standardized
results document for the purpose of traceability. This concerns potential
non-conformities as well as insights potentially leading to updated
requirements, targets or monitoring methods.
In case non-conformities are identified, clear rules should be defined in
order to rectify them. Rules can for example include specifying
appropriate deadlines for a cause analysis or implementing corrective
measures, depending on the severity of the non-conformity. In general,
it should be clear after the cause analysis whether the non-conformity is
a systematic or an isolated one. The way the non-conformity is handled
and suitable escalation paths (depending on the severity of the non-
conformity and in line with the risk-based approach) should also be
defined and adhered to.
Within the company, it should be clearly defined who is responsible for
documenting the non-conformities and for monitoring the
implementation of the measures.
In order to identify non-conformities, information from existing systems
(such as the QM system, compliance management system,
whistleblower system) or information from first line panels regarding
processes can also be used. Interlinking/networking is thus strongly
recommended.
Regular reporting to the management board regarding topics relevant to
product compliance, e.g. pertinent aspects, processes, inspection
results and improvement measures should be defined and implemented.
4 Guiding questions
The following guiding questions are meant to provide orientation
regarding a better organization and implementation of the PCS. They do
not claim to be complete, and do not reflect any specific prioritization.
4.1 Culture
❖ Is there a mandatory code of conduct which includes guidelines
(principles of conduct) regarding product compliance for all
employees?
4.2 Objectives
❖ Are concrete objectives defined for individual elements of the PCS,
including criteria to fulfill those objectives?
o e.g. training quota, number and effectiveness of
communication measures
o e.g. in a regulation document
4.3 Risks
❖ Is there a risk management concept for identifying possible risks of
breaches of binding obligations?
❖ Are suitable measures defined for the identified risks, and is their
implementation monitored with reasonable diligence?
❖ Are insights regarding risks communicated across business units
and product lines?
4.4 Program
General questions regarding the program and the process
Identification
❖ Are the relevant target markets as well as the related binding
obligations known?
Translation
❖ Is there a method for interpreting and communicating binding
obligations?
Implementation
❖ Is there a method for documenting and communicating
requirements based on the interpretation of binding obligations?
Safeguarding
❖ Is a relevant double verification principle applied?
o e.g. peer review
4.5 Organization
❖ Are there clearly defined roles and responsibilities in the first and
second line, and are PCS role descriptions regularly checked as to
whether they are up to date?
❖ Is it ensured that the first line and the second line are independent
from each other?
❖ Is there a training concept oriented towards the various target
groups with regard to product compliance?
o e.g. various training modules
4.7 Monitoring/improvement/reporting
Monitoring
❖ Are the requirements that have to be met defined and made known?
o e.g. in a regulation document
❖ Are potential synergies between the PCS and other systems used,
e.g. for QMS monitoring?
o e.g. by means of other audits
Improvement
Reporting
5 Glossary

Binding obligations: Statutory and regulatory requirements that are relevant to a company’s products, as well as further, self-imposed product requirements (e.g. arising from internal regulations).

Compliance: Compliance with all business-relevant laws, rules and regulations as well as self-imposed internal guidelines.

IIA: Institute of Internal Auditors.

Placing on the market: Placing products on a market.

Conformity: Conformity of a thing or an aspect with previously specified requirements.

Legality control obligation: The legality obligation constitutes the core of the statutory due diligence obligations regarding the management of a business. In this regard, diligent behavior means that the governing bodies act in accordance with the rules and, as a separate legality control obligation, ensure that the rules are adhered to within the company.

Lessons learned: Using any insights gained from experience or events in order to improve future actions.

Product compliance: Fulfillment of product-related binding obligations throughout the product life cycle. Product conformity is part of product compliance.

Product compliance system: Company-wide, structured approach intended to ensure product compliance.

Product: Hardware and software as well as other objects (e.g. packaging) and services (e.g. IT services, software as a service) that a company provides to legal or natural persons.

Product liability: Obligation of a manufacturer or others to compensate for personal injury, damage to property or other damage caused by a product.

Product integrity: This term is used in the VDA volume titled “Product Integrity”. In that volume, the term refers to the fulfillment of product safety requirements and product conformity. The term is no longer used in the VDA PCS volume.

Product conformity: Products are in conformity with the relevant statutory and regulatory requirements. Among other things, product conformity also encompasses the statutory requirements regarding product safety.

Product life cycle: Phases of development and use of a product up to its final disposal.

Product safety: Fulfilling safety-relevant requirements in relation to the product.

Quality management system, QM system: Management system for managing and guiding an organization with regard to quality.

RASIC: A method for analyzing and clearly representing roles and responsibilities. The name RASIC is derived from the initial letters of the words Responsible, Approving/Accountable, Supporting, Informed, and Consulting.

Risk management: A continuous and systematic process used within a company in order to identify, assess, control, document and report risks in a timely manner.

Risk management system/RMS: A risk management system includes all specifications, activities and processes with regard to risk management.
Reference: