Auditing ISO 9001 For Liability Exposure to Lawsuits #1

Introduction 

This is the first of three blogs that will address Auditing for Liability Exposure to Lawsuits – (1) the first will focus on ISO 9001, (2) the second will focus on CE Marked products such as machinery, toys, etc., and (3) the third will focus on FDA’s Quality System Regulation (QSR).

The auditing for liability exposure to lawsuits theme isn’t new, but it continues to elude manufacturers and in the case of ISO 9001 it also eludes quality managers, top management, corporate counsel and the companies that insure manufacturers. In addition, ISO 9001 continues to befuddle defense attorneys, corporate counsel and trial attorneys, e.g., what is it and how do I attack or defend it in a lawsuit? (Note: These same observations can be applied to ISO 13485.) 

In earlier blogs, I discussed how ISO 9001 has been at the center of lawsuits resulting in over a $100 million dollars of penalties brought by the US Department of Justice against Defense Contractors for defective products manufactured by failed ISO 9001 Quality Management Systems. Several of these products have resulted in military and law enforcement fatalities. In civil lawsuits, over $100 million dollars in punitive damages have been awarded by juries and in out of court settlements for failed products that caused extensive property damage and in some cases personal injuries. The losses now exceed $500 million for each category. 

I have served as legal expert/expert witness in several lawsuits in US Federal Courts and continue to be amazed at how badly the ISO 9001 standard is approached by both plaintiffs and defendants in lawsuits. Too often in discovery trial attorneys make a blanket request or ask for ISO 9001 quality manuals, procedures, records, etc., without specifying which procedures and records. Defense attorneys are only too happy to provide boxes of production manufacturing records swamping plaintiff’s attorneys with reams of meaningless paper. When questioned by a Judge, Plaintiff’s attorneys often find themselves unable to specify what they are looking for and why. Defense attorneys often try to be evasive or don’t understand the purpose of ISO 9001. Few attorneys understand ISO 9001 and how it might relate to their lawsuit.

The Deeper Problem

The day-to-day life of quality managers does not deal with the legal implications of an ISO 9001 quality manual, procedures, records and documents. If asked, they want nothing to do with legal issues, that is management’s responsibility. Consequently, the legal implications of quality procedures, records and documents does not receive any sort of intelligent legal scrutiny. Basically, quality managers audit their quality management system to make certain that the system is functioning according to their defined quality management system. Where problems are found by internal audits, those problems are addressed by identifying nonconformities, and determining what corrective and preventive actions might be needed to address the problem.

The fact that quality managers are not aware of the legal significance of quality records and documents should not be surprising. One of my first encounters with this dynamic was with a medical device company in Pennsylvania several years ago. (This was prior to FDA’s Quality System Regulation.) When I mentioned the possible legal implications of their ISO 9001 quality documents and records, he quickly said “that belongs to legal”, meaning their legal department. I subsequently learned he had been told by corporate attorneys that he should not get involved in any legal issues, that turf belonged to the attorneys.

How Attorneys Might Address The Problem

To begin, on the defense side, top management, corporate counsel, defense counsel and their insurance companies must become aware of the structure of ISO 9001, how it works and what the manufacturer hoped to accomplish with certification. On the plaintiffs’ side, trial attorneys need to better understand the ISO 9001 standard, how it might relate to their lawsuit and what information – quality manual, quality procedures, quality documents and records is important to make an intelligent request in discovery.

In the US, approximately 65,000 sites are certified, although the number has begun to decline in recent years. Internationally, the number exceeds 1 million with 500,000 in Europe alone and continues to grow. In many countries (including the US) and business sectors, ISO 9001 is a requirement for doing business. It is a DOD requirement for military contractors. 

In addition to understanding the basics of the standard, it also would be prudent to understand ISO 9004, the Guidance Document because it offers some intelligent suggestions concerning issues that could make the QMS more legally defensible in a lawsuit. The impetus for such a move will not come from quality managers, however, because ISO 9004 is viewed as not required and therefore a nuisance. Unfortunately, such a response is both expedient and ignorant. 

Product Design

An area of particular weakness in ISO 9001 is the lack of safety built into product design.

The design requirements contained in 7.3 Design and development, 7.3.1 Design and development planning, 7.3.2 Design and development inputs, 7.3.3 Design and development outputs, 7.3.4 Design and development review, 7.3.5 Design and development verification, 7.3.6 design and development validation and 7.3.7 Control of design and development changes. Unless safety is specified and added as a design requirement by the manufacturer it will not be a significant factor in design. Also, unless Hazards Analysis, Risk Assessment, Risk Analysis and/or Risk Management (or some combination) is added to product design requirements by the manufacturer, it will not be added by ISO 9001.

Audits and Audit Training 

All parties need to understand what audits are intended to accomplish in an ISO 9001 Quality Management System, especially Internal Audits. For an ISO 9001 Quality Management System to be effective the Internal Audit System must be effective. It is internal self-policing and magnificent when it works. Problems arise when nonconformities are discovered and ignored or incompetently resolved. Top management should be informed and participate in meaningful management reviews when nonconformities are discovered, denied or not resolved.

In one class action lawsuit, several machines (approximately 235 costing up to $240,000 apiece) were catching on fire, which was a nonconformity. The manufacturer sent an investigator into the field who had no experience with these types of machines and was not a fire expert. He declared that the fires were not a nonconformity, therefore no corrective or preventive action was needed. This finding was discussed and agreed to in a corrective action review.

Plaintiffs’ attorneys requested the corrective action review minutes, which was refused by the defense declaring that an attorney was present in the review and therefore the review was subject to attorney client privilege. Plaintiffs’ responded that while an attorney happened to be present in the meeting, there was no lawsuit at that time. The Judge denied the request, which made it all of the way to the US Supreme Court where Defendant’s Writ of Certiorari was denied. Eventually the matter was settled out of court. The Wall Street Journal hinted that the settlement was in the mid ten figures – $50 million dollars.

ISO 9001 Documents

Documents and records are essential elements of ISO 9001 therefore document control is vital: 

• If you can’t prove it, it doesn’t exist!

• Everything you write, e-mail, text or say verbally or electronically can and will be used against you in a court of law 

• Once legal action has begun, the destruction of documents is a criminal offense, including electronic and phone records (which can be retrieved by experts)!

• All documents can be obtained in legal discovery by Plaintiff’s Request for Production of Documents!

• Attorney client privilege cannot be used to withhold documents from Plaintiff’s Request for Production of Documents!

• Certain words and phrases have legal consequences and should not be used in ISO 9001 documents and records! 

I fleshed out several of these points in some of my earlier blogs in 2009. It appears it is time to revisit and update document control in a future blog. 

What To Do?

Listed below are a few suggestions for addressing ISO 9001 and Liability Exposure,

• Training is essential to understand the legal issues raised by ISO 9001. This includes training of Quality Managers, Top Management, Corporate Counsel, Defense Counsel and insurance personnel including underwriters. It also could be offered by insurance companies to their insureds for a fee – I have participated in such programs and they are well received. 

• Training also is essential for trial attorneys to better understand ISO 9001 and how to use it as a resource in a lawsuit.

• Audit training also can be especially effective. I have also put together different training courses for conducting Product Safety Audits and Product liability Audits that can be conducted internally in companies or sponsored by insurance companies for a fee.

• Hazards Analysis, Risk Analysis and Human Factor Analysis are essential to Product Safety and the integrity of any ISO 9001 QMS – Training is essential. 

• Finally, Document Control Training is essential in an era where documents exist in hard copy or electronically and where modes of communication have become more diverse. 

My primary focus is on International Regulatory Compliance, which includes both the requirements of regulatory authorities and the legal implications of compliance, non-compliance, documentation and sloppy attention to detail that could result in a lawsuit in a US Federal Court. I focus on product safety and the steps necessary to create a safe product. If you have questions regarding ISO 9001, FDA’s Quality System Regulation or CE Marking lawsuits you can contact me for a free preliminary consultation at my e-mail address jameskolka@gmail.com