September 17, 2014

Medical Device Industry Identifies Some Problems with Agency’s UDI Initiative

Michael Causey, Editor & Publisher,

Michael Causey, Editor & Publisher,

Let’s start with what most everyone agrees on: The Unique Device Identification (UDI) program is a swell idea.

It gets a little trickier after that.

In extensive comments, the Advanced Medical Technology Association (AdvaMed), Boston Scientific, and Merck, among more than a dozen others, generally voice support for the UDI concept, while finding lots and lots to say about where the FDA’s September Draft Guidance could use improvement.

Noting that implementing UDI will be a “costly proposition,” AdvaMed stresses that the length and complexity of the implementation plan demands a “living document” approach that will allow industry and the FDA to update and improve the guidance as both sides learn more during set-up. AdvaMed follows with 61 specific comments, with suggested changes.

Coviden, manufacturer of medical devices and medical supplies, echoes AdvaMed’s comments, and tosses another 22 into the mix, including a request that the guidance remain open for feedback and comment until the September 24, 2014 implementation deadline.

Merck, among other commenters, requested clarification and summarization regarding the scope of products for which data must be submitted to the Global Unique Identification Database (GUDID). Merck also asked FDA to add information regarding deadlines for submitting data to GUDID.

X-ray of hipBoston Scientific, noting that its medical devices already bear unique identification via HIBCC or GS1 standards, calls FDA out for what it labels “inconsistencies” with the FDA UDI Rule.

To pick one of their examples, and joining several other commenters in making this point, Boston Scientific claims the data elements column “Required?” is unclear because it fails to clarify if it is required to follow the rule based on regulatory requirements or validation requirements. “The meaning of ‘required’ should be clarified so that BOTH regulatory and system validation requirements are clearly identified in this guidance.”

FDA’s got its work cut out for it here, particularly with the recent departure of its UDI guru, Jay Crowley, for the greener fields of consultantdom.

We can offer some small consolation though: Crowley leads a webinar on UDI implementation from his new professional perch. Information is here:


Final UDI rule as published in Federal Register

FDA’s UDI page

Previous AssurX blog on UDI

The entire comment letter line-up is available here




Interpreting the FDA View of Medical Device Design Controls

Dennis Payton, Vice President of Product Marketing and Development, Expandable Software, Inc.

Dennis Payton, Vice President of Product Marketing and Development, Expandable Software, Inc.

Some of the shortest descriptions in the FDA CFR 21 Part 820 Quality System regulation are found in Sec. 820.30 and Sec. 820.40 totaling about a page of written language around Design Controls and Document Controls. However short, these two sections can be the most complex aspects of Medical Device controls when actual complying with the regulation. Fortunately, the FDA does give a bit more background to help a new medical device company understand these two key elements (see Medical Device Quality Systems Manual, A Small Entity Compliance Guide) but again with the detailed complexities, even those few pages of guidance (covered in section 9 Document and Change Control) fall short of coverage needed to understand the impact a company’s Medical Device Quality System. The good news is that there are some very good tools that can help mitigate these complexities and streamline controls. The bad news is that it still takes a very strong detailed and sustained effort to insure these complex controls are in place for continued success and compliance with regulation.

With a wide variety of Medical Device suppliers there comes a wide variety of processes, procedures and controls that are developed specific to a business and to the Medical Device(s) being produced. It is important to understand how the FDA tries to normalize a specific business to the regulation when auditing that business for Design Control compliance. Having a bit of understanding of their view will help make for a much smoother comparison, analogy and a much cleaner and successful audit of a company’s design processes.

A simplistic model can be derived from the 820.30 regulation that the FDA may use to assure design coverage and compliance of a device design and/or manufacture to the regulation. The design and development model can be graphically depicted and loosely linked to the regulation as follows:

FDA Design and Development Planning Model

Diagraming out the design flow is helpful in seeing a more detailed picture of the flow and validation and verification of a product against its intended use model and specifically important to the FDA that each and every stage of the process is well reviewed and documented.

Again, like the FDA regulation on Design Controls, this is a very short summary of complex processes, document definitions, controls and general management & approvals that there have been volumes of books written. The objective should be to have a very good understanding of how the FDA or other regulatory entity views the medical device controls such that a business can demonstrate how their particular controls map into the regulatory model. A logical analogy of a business’ design and development model should be able to map to the regulatory normalized base line model(s), in doing so, will result in smoother audits with a higher degree of success and hopefully (something the regulatory folks don’t really care about but as a business we all do) a lower expense/time in managing through the audit process.

A fuller descriptive paper outlines some key points in the development of a Medtech-specific design control with a product development process and how to maximize the use of enterprise level business tools that accelerate process, streamline audits and make for a much smoother compliance. The brief outline here is a key element to a more streamlined and smoother compliance with regulation keeping in mind not just the business drivers but also the FDA’s “normalized view” of design controls.

Get the full detailed White Paper here

About the Author

Dennis Payton is Vice President of Product Marketing and Development with Expandable Software Inc. He has 24 years of engineering, product management and executive management experience. He holds a BS in electrical engineering from California Polytechnic State University, San Louis Obispo, and post studies at Stanford University, University of California, Santa Cruz, and UC Berkley Haas School of Business.


Copyright UBM Canon. Used by permission.




FDA VCIP Program: Too Much Stick, Not Enough Carrot?

Michael Causey, Editor & Publisher,

Michael Causey, Editor & Publisher,

It’s a growing trend in these United States: paying extra for convenience such as bypassing the riffraff in airport security lines, or whizzing past mere mortal motorists on pristine for-pay express lanes.

Where I live in the Washington, D.C. area, the new express road program in Northern Virginia’s clotted traffic arteries appears to be a hit. For a buck or two, you get out of the more crowded free lanes. And you are allowed to go 65 miles an hour, while the peasants are held to 55 mph!

On the other hand, the express lane program at Reagan National Airport doesn’t appear to be generating much traffic.

If the FDA’s new VCIP (Voluntary Compliance Improvement Program) is trying to ride the “pay for convenience” bandwagon, early anecdotal evidence suggests they’re resembling airports more than highways. We’re hearing many in industry say the VCIP program doesn’t offer enough of an incentive to take on the extra work.

Undaunted, FDA released earlier this week a document that reads like a nice, bureaucrat gently trying to convince industry to give the program a try.

The joint pilot project housed in the Center for Devices and Radiological health (CDRH) and Office of Regulatory Affairs (ORA) “differs from the FDA’s traditional oversight model by allowing firms to voluntarily self identify and correct possible regulatory violations instead of undergoing FDA inspection.”

Regulated entities have to apply to participate, but those with violations that raise “imminent” public health concerns needn’t bother.

Here’s the FDA’s big carrot: “The FDA supports using new approaches to help companies come into compliance. These approaches benefit industry and may decrease the number of inspections that the FDA performs or permit the agency to focus on manufacturers with serious and ongoing problems.”

Pacemaker150Hmm. I guess I’m not super surprised that initial industry enthusiasm appears weak. To my knowledge, FDA has not released any statistics about participation. I’m basing my very early days’ assessment on discussions with medical device firms and consultants at recent trade shows and the like. I could be wrong, and VCIP might turn out to be a big hit.

If you want to get picked, know that FDA will identify manufacturers eligible to participate in VCIP through its 2014 inspection work plan and offer them an opportunity to apply rather. For the pilot, the FDA will choose three to five applicants. Of course, their feedback, whether official or in trade show hallway conversations, will tell us a lot about the merits of VCIP.

While it promises some benefits down the road, initial participation in VCIP sounds like it will just add another layer to a device manufacturer’s compliance program. VCIP participants will be required to retain an outside expert consultant to assess their manufacturing and quality assurance systems and to monitor and certify that they are following program requirements. Firms must also demonstrate the ability to define problems, analyze root causes, create appropriate corrective actions, and verify that the actions taken were effective.

If a firm does not meet its commitments under the VCIP, or if the FDA and the firm disagree about any of the results, then the firm may be removed from the program and undergo FDA inspection, which could lead to regulatory action. If a manufacturer ends its participation in the VCIP, it would be subject to FDA inspection and any resulting regulatory action.

FDA gets to the potentially big benefits toward the end of the new VCIP document. If you are selected and pass the tests, your firm “will not be subject to routine surveillance inspection while program participation is underway.” The exemption will be good for two years after a manufacturer successfully completes the program. FDA says it will also expedite review of export certificate requests and prioritize device and pre-amendment determination requests from program participants.

Clearly it’s too early to judge whether VCIP will be a success. And FDA is to be applauded, I think, for trying something a bit new.

Still, here’s hoping VCIP becomes the equivalent of sailing down the relatively empty highway at 65 mph, while others are slogging through heavy traffic at lower speeds.



Former FDA Inspector’s Crystal Ball: Cloudy With a Chance of Inspected Meatballs

Patrick Stone

Patrick Stone, President, TradeStoneQA

The FDA’s “Food Police” will be in full force to secure budget funds for food safety initiatives for FY 2014 as mandated by congress. More than half of the operating funds will be earmarked for food work. International food inspections will surely be a focus area for the coming year. The inspection goals/FTEs will be set low enough for the field staff to meet or exceed expectations. This again will ensure a steady flow of billions for operating costs. In recent years large chunks of the FDA budget were set for new facilities completion and the dreaded infrastructure technology (IT) upgrades which barely seem to keep up with private industry.

Opioid labeling rules newly penned will assist in identifying and tracking legal drugs, however Internet and backstreet sales will continue to plague the market. Insurance fraud is making it easier for mail-order diversion and out right second hand sales of the legally obtained opioids. So until the insurance scams are tapered this effort will only increase operating cost for the opioid manufacturers.

A medical device tax and new user fees will be required for doing business in our domestic market. It seems that every few years the fee structure increases and becomes more complex. Maybe this is part of the reason our health care cost are always going up exponentially. What will they think of next to add to the user fee list?

compounding pharmacyThe agency has issued product specific sterile drug consent decrees and lengthy 483s for cGMP violations across the nation. There are a few sterile drug manufacturers that judging by the 483 wording will be handed consent decrees very soon. These firms are major market shareholders that have had ample time for remediation without compliance. The recalls from these same firms have been persistent all year.

The great 2013 compounding pharmacy blitz and new regulations request for these manufacturers was not so much as shock and even less awe. The faster FDA defines what compounding drug manufacturing is and provides lengthy guidance on how it should not be done in a compounding pharmacy setting, the faster we will see market self-compliance. Compounding pharmacies must recognize themselves as manufacturing entities and adhere to strict USP <797> and 21 CFR 200 standards that are costly.

Compounding pharmacies are the first line of defense when it comes to the drug shortage so they must operate in strict compliance with sterile the drug cGMP systems approach. More patients will have adverse events and possibly die from non-compliant/contaminated compounded sterile drug preparations if the mindset of the manufacturers is not changed. The State board of Pharmacy cannot shield compounders from civil or criminal liability and the FDA may soon have what it needs for implementing jurisdictional authority.

Here’s to an exciting 2014!

Patrick Stone is the author of Bubble Gum Badge – An FDA His-Story. You can also follow him on Twitter.



Electronic Medical Records: Don’t Feel So Secure

Patrick Stone

Patrick Stone, President, TradeStoneQA

How often do we see HIPAA violations issued because a regulated entity did not secure the electronic records at the hospital and small clinics? Large scale security breaches and, sometimes, the selling of your e-records by various third party sources are in the news. In Massachusetts and New Hampshire an e-record vendor recently admitted to large scale e-record breaches. The FDA has provided some guidance on what is expected for e-records, but no real guidance on security. That may be one of the reasons that so many of the E-Systems I have reviewed meet the minimal requirements but have security vulnerabilities.

The second half of this story will send shivers down your spine, and then make you mad. Your e-records are being sold to insurance companies, debt collectors, and prospective employers. Yes your e-records are for sale to the highest bidder.  The 1996 HIPAA law left provisions for certain entities to access your entire medical record. Some of the stolen or hacked e-records get sold, and that’s terrible of course, but ironically most of the time your e-records are sold it is “legal.” Securing medical e-records comes with a price and even with some of the best security there may still be a breach. In most business models for building e-record systems security is last on the list. Sadly, it doesn’t appear to be much different in the healthcare industry.

So, what’s to be done?

doctor electronic health recordWill it take a 21st century modernization of HIPAA, written almost twenty years ago and before the e-record mandate? Or will we limp along with legislation that is increasingly showing its age?

In our digital age of e-records our security should be insured since we pay for the care we receive. HHS and congress should be focusing on this but they are currently being distracted by advocating or decrying Obamacare.

And speaking of Obamacare, that new law also has some troubling provisions about who is allowed access to your records, and some “interesting” exceptions to those provisions.

But don’t get me started on Obamacare implentation before we deal with HIPAA.

For now we can only trust (read: hope) but not verify who really has access to our medical e-records that are weakly protected by a 20th century law.

Patrick Stone is the author of Bubble Gum Badge – An FDA His-Story. You can also follow him on Twitter.



Eating GMOs Isn’t Kosher For Anyone

Kim Egan

Kim Egan, Founder, Saltbox Consulting

What do China, the State of Maine, the State of Connecticut, Chipotle, and Whole Foods have in common?   They all think you have a right to know whether the food you are eating contains any genetically modified organisms, known as GMOs.

I like that.  Why do I care? Because the genes in GMO plants have been altered in a laboratory to do something that the plant would not normally do.  This means that Mother Nature did not deem it good.  Mother Nature did not deem it good that a tomato should live forever in its fully ripened state, even after traveling around the world in a crate on a truck or boat or a plane and sitting in a grocery store for days if not weeks.  Mother Nature did not deem it good that corn should be able to kill insects while it grows.  Mother Nature created insects.  They are useful, whereas acres and acres of corn are not.  Mother Nature created corn to feed birds and deer and the occasional human.  Not to feed every livestock animal in the country or to sweeten the chemical concoctions that the soft drink makers dream up.

I find it ironic that the vote in Maine on labeling GMOs took place the same month that Edward Snowden demonstrated that he, too, thinks Americans have a right to know.  And that Congress – the greatest legislative body in the world – appears to agree that all Americans have a right to know all the super-top secret stuff the government is up to, but doesn’t think Americans have a right to know if they are eating GMOs.  I know I’m going out on a limb but I don’t think we should expect this Congress to pass a bipartisan bill to require all food manufacturers and restaurants to label GMOs anytime soon.

Okay, next one.  What do Amy’s Kitchen (frozen pizza), Blue Diamond (peanuts and almonds), Arrowhead Mills (stone-ground everything), and Silk (the company that brought tofu to America), have in common?  They all refuse to use GMO ingredients in their products.   Let’s all raise a cheer for these companies!  This is what makes America great!  Government won’t do something the people want?  Do it yourself!  Decide your elected representative is a lazy-good-for-nothing fat cat eating pork out of a barrel?  Take matters into your own hands!

corn_on_the_cobOkay, next one.  What do Judaism, the Church of England and Saudi Arabia have in common?  This one seems a little harder.  But it turns out that all three of the world’s major religions prohibit GMOs.  Saudi Arabia bans them outright, as does Algeria, Brazil, Egypt, the European Union, Peru, and Thailand. The Church of England won’t let any GMO crop trials on any church property, which amounts to 60,000 hectares in England.  A hectare is approximately 2.5 acres, which is 150,000 acres, or the equivalent of about 234 square miles.  That’s what the Church of England owns. The whole of England is only about 50,000 square miles big, from which, if you are a GMO scientist, you must subtract cities, towns, factories, airports, train stations, banks, houses, roads, outbuildings, seaside resorts, castles, Stonehenge, palaces, manor houses, Kew Gardens, etc.  I bet there’s not much left after that.  And lastly, GMOs aren’t kosher.  There’s so much more to it on that one.

There’s more to say about GMOs, such as the fact that the U.S. government regulates GMO corn as a pesticide, not a food (that’s why we want to know what we’re eating, right?!), or that Tasmania has declared GMO rapeseed to be a weed (weeds are bad, not good).

But the worst thing I learned researching this post is that M&Ms, Stoned Wheat Thins, Pringles, and all Pepperidge Farm cookies have GMOs in them.

The horror, the horror.


FDA Seeks to Plug Swiss Cheese-size Holes in Medical Device Security Systems

Michael Causey, Editor & Publisher,

Michael Causey, Editor & Publisher,

The Internet giveth and the Internet taketh away.

For years, we’ve been hearing about the benefits online tools will bring to the medical industry, especially at hospitals and physicians’ offices.  Many of those promises have come true, and its been a benefit for patients and industry.

But that sound you are hearing could be the other shoe dropping.

Perhaps reacting in part to a sobering year-long series by The Washington Post finding big, big holes in medical device security systems, the FDA this week (June 17) issued a new safety communication suggesting the hospitals take this threat to medical devices seriously.

Meantime, the FDA have been busy beavers. Last week the agency issued an alert and notices bulletin advising the industry to shore up key medical device security provisions.

Among its recommendations for responsible medical device manufacturers:

  • Swiss CheeseKick the tires on your program designed to limit unauthorized device access to trusted users.
  • Utilize stronger security controls such as user authentication, user ID and password, smartcard or biometrics; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
  • Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
  • Provide methods for retention and recovery after an incident where security has been compromised

No, neither Woodward or Bernstein were involved in The Post piece, but its pretty thorough and damning for the medical device industry nonetheless.

Security analysts at cyber security firm Cylance found it was depressingly easy to figure out hundreds of passwords for sensitive surgical equipment, patient monitors, among others.

“We stopped after we got to 300,” Billy Rios, who found the passwords with his colleague Terry McCorkle, told The Post.

They tell me Swiss cheese holes are the result of bacteria popping (some use a grosser word). I’m no foodie, leaving that to fellow blogger Kim Egan and celebrity chefs, but I do understand that these are “good” holes.

Holes in medical device security programs are not among them.


Taste’s Like Chicken — With a Side of Bacteria

Kim Egan

Kim Egan, Founder, Saltbox Consulting

FDA’s latest Annual Meat Report is out.   It analyzes foodborne bacteria in retail meat, particularly salmonella, campylobacter, enterococcus and E. coli.   Salmonella causes typhoid.  Campylobacter causes spontaneous abortions in animals and opportunistic infections in humans.  Enteroccus can cause meningitis and E. coli is the most common source of food poisoning.

Suffice to say, the news is bad.

The number of antibiotic resistant microbes in retail meat is going up, not down.   Over half of all retail meats – 55.7 percent — test positive for E. coli.  Contrary to popular belief, pork chops have the lowest prevalence – 30.4 percent – while ground turkey has the highest at 76.7 percent.  In fact, pork and beef came out rather well in this report, relatively speaking, compared to retail chicken and ground turkey.  Chicken and turkey do so badly, in fact, that it is amazing anyone eats retail poultry at all.

T-boneThe report also analyzes the extent to which these food contaminants are resistant to antibiotics, and assigns p values to measure statistical significance.  In other words, FDA made sure its findings are real and not the result of chance.  It turns out that:

  • Over a third (33.5 percent) of the contaminants in retail chickens and almost a fourth (22.4 percent) of those in ground turkey are resistant to third-generation cephalosporins.   Third-generation cephalosporins are supposed to be effective against hospital-acquired infections, pneumonia, and meningitis.
  • Almost half (40.5 percent) of contaminants in retail chickens and over half (58.4 percent) of those in ground turkey are resistant to ampicillin.  Ampicillin is supposed to be effective against staph infections, strep, and the flu. FDA said the change in ampicillin resistance in turkey from 2002 to 2011 is a “highly statistically significant” result.
  • Tetracycline resistance in poultry is up.   Tetracycline combats cholera.  So, that’s more bad news.
  • Gentamicin resistance in retail chicken and turkey is higher than that in beef and pork, or 20 percent compared to 5 percent.  We use gentamicin to fight staph infections, along with  the pathogens found in decomposing animal matter, sewage, manure soil, and human and animal feces.

On the theory that The Truth Will Set You Free, we can expect FDA to do something about this, right?  No.  Prediction: All FDA will do is write more reports and approve ever more powerful antibiotics for animals.

Makes you a little sick to the stomach, doesn’t it?

Kim Egan is the Founder of Saltbox Consulting, a firm that provides legal and compliance advice to entities regulated by FDA and USDA.  She can be reached at and on Twitter at @saltboxlaw.


Part II: Next Practices for Selecting an Enterprise Quality System

John Moroney of AssurX, Inc.

John Moroney, VP, Sales, AssurX, Inc.

Note: In part one, we looked at how to approach the selection process, assess vendor capabilities, and find the right philosophical “match” for your particular organization. In part two, we’ll take you through next practices for scoring vendors, conducting an effective vendor search, and clearly defining project scope and costs.

Beware of how to measure. Companies frequently will devote significant effort and elaborate scoring methods to grade vendor functions resulting in very precise but ultimately irrelevant scores. Academic studies of software project success indicate that product functionality contributes less to success than the customer and vendor implementation team and process.  Keep the assessments simple and double check major variances with the team members and the vendor.

One approach to avoid feature/function obsession is to develop scenarios for vendors to demonstrate. Select one to three primary areas of business improvement (CAPA, Customer Complaints, etc), develop an outline of how the team would like these processes to be and review the outline with key vendors. This may result in a more detailed scenario for each vendor to demonstrate, or simply request the vendors to show how they would support the original description.

Once the team has narrowed down to the final one or two vendors, it is advisable to speak with customers, but first consider what questions you would like to have answered. This will achieve at least three things:

  • Focus the team on the primary concerns with the vendor/product/project.
  • Assure that the reference company is appropriate.
  • Allow the reference company to have the correct person available.
  • Not miss any key points during the meeting.

This can be an excellent time to hear the lessons learned by the customer – not just about the product or vendor but the project itself and how it has evolved over time.

Quality WhiteboardDefined Project Plan and Costs

At this point the team should have firm costs and establish (possibly with the vendor’s help) a project timeline. If it has not been done already, a business case justifying the project is frequently required to secure executive approval.

The most common source of frustration and delay at this stage is the team not knowing the internal process for getting the project approved. In many companies a capital request and presentation is required. Contracts and agreements usually must be reviewed and/or modified requiring procurement and possibly legal resources. Vendor setup and approvals and possibly background checks may also need to be done. Depending on the company, a separate plan to work through this stage is sometimes helpful.

Often your project is vying with other capital needs for funding. Furthermore, few members of the capital committee or approval executives will know much about your project. It can be useful to create a summary presentation describing the business need for this software, the vendor selection process, general project plan, the benefits and when they will begin to accrue. Include the alternatives as well and the recommendation and consider framing the presentation to address these questions:

  1. Why do anything?
  2.  Why do it now?
  3. Why this recommendation/alternative?
  4. What does the company need to invest – not just money but what resources?


Embarking on the implementation of a new EQMS is much like any project where change is necessary. Success will hinge on consistent effort and working through obstacles and resource limitations as well as resistance to doing things differently.

Here are some final tips to help ensure success:

  • Secure solid management support – make sure the project leader has been given the time, the resources and organizational support necessary.
  • Get requirements defined, agreed upon and documented – reference and revise frequently.
  • Avoid the geek factor –  beware of flash. Remember, features can often be added later.
  • Don’t let perfection be the enemy of the good – a version 2.0 can come later.
  • Strong team and communication – better to get issues out early.
  • Focus on small wins, quickly – iterate, test and refine along the way.

Part I: Next Practices for Selecting an Enterprise Quality Management System

John Moroney of AssurX, Inc.

John Moroney, VP, Sales, AssurX, Inc.

Editor’s Note: In this two-part series, you’ll learn the most effective ways to select an Enterprise Quality Management system, why it’s a critical long-term decision, and common pitfalls to avoid.

First, let’s simplify things a bit: Selecting an Enterprise Quality Management system is no different than any other major business purchase decision. Broadly speaking, that means you’ll face similar issues and risks you’ve encountered before.

So, if you’ve already got experience making big purchases, you should begin the process with a relatively high degree of comfort.

Unfortunately, most companies do not make major purchase decisions very often, whether buying an enterprise software system, purchasing or leasing a new facility or committing to a major piece of capital equipment. These decisions have long lasting effects and can be career enhancing or threatening for those involved.

With that in mind, let’s examine some proven ways to improve your selection process.

Having a plan is usually the best approach, but what should the plan include? Experience shows the best have several stages:

  • Defining requirements & project objectives
  • Initial investigation of options
  • Detailed vendor reviews (not just product!)
  • Defined project plan & costs
  • Corporate approval and kickoff

quality circleConsider that this process will likely take several months, so one of the first steps is to set expectations within your organization. Explain to colleagues and superiors that this is like a major remodeling project. It has many steps, will require time and effort, and you only want to do this once, correctly.

Defining requirements & project objectives

It is surprising how few companies spend enough time defining the objectives and success metrics a new EQMs should deliver.

Start with the key business issues you want to address. For example:

  • Is there an inability to understand the root cause of product failures? How big is the problem – quantity, dollar impact, lost customers, etc. Who in the company is affected? What are the KPIs (Key Performance Indicators), and what values would be considered excellent? How difficult is it to collect that information?
  • What is the cost of supplier quality and how can that be reduced or charged back? Who are the best suppliers and the worst? What do they cost the company per year?
  • Is it difficult or impossible to determine how many complaints are received by a customer? What were the reasons for those complaints? How many were resolved and how long did it take? Who would like to have that information, and what is it worth to the company?

Performing this exercise yields three outcomes:

  • What constitutes success for this project?
  • What are the potential financial benefits of the project and agreement on what the project investment should be (the budget)?
  • What product/vendor capabilities are required to support the outcomes?

Although this stage of the project may be done by an individual, the creation of requirements should be based on interviewing all of the key stakeholders including users, managers and executives. A project selection team should also be recruited from these ranks and most often should include IT professionals as well.

Initial investigation of options

With so many options available, how can the team be sure to include the best choices? First, understand what the corporate ERP system vendor can deliver. Often this will be both the least expensive and the easiest to deploy, and at the very least should be evaluated to provide a base line to compare against other best of breed choices.

Some companies have a strict policy that no third party applications will be purchased unless a strong business case for not using the ERP vendor’s modules is first made. In larger companies, other divisions or business units may have already implemented an EQMS. Not only is there much to gain by interviewing those users, there may be corporate edicts or at least preferential pricing and implementation resources already available for deploying that product.

Other choices can be found through web searches, trade shows, etc. but one of the best approaches is to network with industry colleagues. Not only will you benefit from their experience, but to the extent their vendors have a focus upon your industry, best practices will be available to your team. Frequently, customers will have suggestions and possibly preferences for what system to select or at least a short list of what their other suppliers use.

Certainly one criteria at this point is cost, but another is whether to purchase the software or subscribe to a hosted solution. Some vendors offer both forms, but many do not, so part of the initial criteria needs to be settled with the IT organization and corporate policy.

Most companies will want to consider vendors with customer profiles similar to themselves, whether by size, industry, technology, etc. and/or a strong user group. For example, life science, aerospace and automotive companies have specific needs which will narrow the field of suitable vendors. It is important to engage the IT organization because there may be preferences for certain technology platforms such as Oracle versus Microsoft databases or integration to specific ERP systems.

How many vendors should be evaluated? It is difficult for a team to devote time searching for a vendor selection and “fitting in” their normal work; therefore most companies might interview six to ten vendors but whittle that down to three or five vendors for the next phase of detailed vendor reviews

Detailed vendor reviews

Now that your team has created a short list, it makes sense to take a deeper dive. Much of the focus at this stage should be the product functionality, and maybe “look and feel”. It is critical to establish criteria at this stage, as a “pretty” product may not be the best product available for your company. In the software industry a term frequently used is the “whole” product – not just the software. That would include, beside software functionality, elements such as:

  • Support – uptime performance metrics, Level One support issue and response times, what is the support process and what are the metrics?
  • User community – is there one, how active, who participates, is it vendor or customer driven?
  • Industry domain knowledge – does the vendor know your industry and have support staff with experience. Does the vendor know how to work with companies your size and scope?
  • Product reliability – how often do customers have problems, how severe are they?
  • Implementation track record – how often do customers fail to implement? Why? Is there an implementation process?
  • Vision and direction – is the vendor commited to being an EQMS, do they have a product plan and does their product and market strategy align with your company’s plans?
  • Customers – who are they and do they align with your kind of company? Are they highly dependent on the vendor or can they support themselves?
  • Total cost – beyond the initial project, what costs could there be in the future? Additional users, modules and/or changes? Is there a cost for future versions? What cost protections will the vendor provide? What are customer experiences?

Leading vendors understand the elements of the decision process and will be forthcoming with information. Successful sales people, who have participated in dozens if not hundreds of selection cycles, have a deep understanding of your industry’s best practices and the options in the market – usually much better than consultants or program managers who may lead selection projects only a few times per year.

Note: In part two, we’ll look at the most effective ways to “score” vendors, narrow the search process, and define project costs and scope.