Professional Documents
Culture Documents
Thanks for having me as a speaker tonight. Frankly, the best thing about ASQ is
the opportunity to talk about quality with people who are interested in the topic,
because at work, a lot of people duck and cover when they see me coming..
I clocked this talk at an hour and fifteen the other day, so hopefully, with the benefit
of a little adrenaline, we’ll get out a little quicker than that, even. I won’t be
offended if someone beats a hasty retreat for any reason.
A lot of people assume that since I’m from the FDA, I’m going to provide a
“regulatory perspective”---whatever that is. But I’m not here tonight to tell you
what the FDA thinks, and I doubt that most of you care what the FDA thinks,
anyway.
The fact is that I’ve only been at FDA for about seven years, and prior to that, I
worked for a living, most recently, as a design engineer for a telecommunications
company. So my perspective is basically that of a design engineer and engineering
manager.
As an engineer in the trenches, I found that I spent a significant portion of my time
trying to educate my bosses about the designs I was producing and the steps
necessary to get to the end result. I used to get frustrated with all the time I wasted
trying to explain to them what was obvious to me and my peers. But over time, I
began to see things from their perspective, and started to figure out that the time I
spent teaching my bosses was well rewarded. That was probably the first step in
my own enlightenment regarding design controls..
1
Author’s Notes
You are welcome to use (or adapt) any or all of this material in your
own work, since its development was paid for the U. S. taxpayers.
Obviously, attribution would be appreciated, but I won’t be checking
up on you.
The opinions expressed are mine, and do not necessarily have the
backing of my employer.
2
How to Reach the Author
Alford R. Taylor, Jr.
Engineering Team Leader
Medical Electronics Branch
Center for Devices and Radiological Health
U. S. Food and Drug Administration
12720 Twinbrook Pkwy HFZ-141
Rockville, MD 20852-1720
(301) 443-2536 x147
alt@cdrh.fda.gov
3
The Corporate Manager’s
Perspective
I still spend a lot of my time talking to senior managers, but most of them are
not my boss. When I talk to these folks about quality management systems,
they generally have a handle on document control, corrective and preventive
actions, internal audits, and so forth. But when the subject turns to design and
development, you can often actually see their eyes start to glaze over. These
are managers who have been neglected by their design engineers.
It’s not that they are bored. They have the same kind of hangdog look that you
tend to see in nursing homes. It’s the look of someone who has lost control,
someone with chronic pain.
So I have searched for a way to reach out to these people, and tonight, I’m
going to share with you the approach I’ve found. If you’re one of those people
who feels pain whenever you walk into the design engineering department, I
hope that my presentation helps you. CEOs, CFOs, and marketing managers
typically aren’t interested in clause 4.4.3 of ISO 9001. A senior manager at
FDA was quoted just the other day as saying, “I’m pulling on the levers, but
the ship isn’t turning.” Just because we preach quality management to
industry doesn’t me we do it ourselves---yet. But this manager wants to know
what a QMS is, and how it’s going to help him steer the ship.
Now I realize that most of you are not typical corporate managers, so if I’m
preaching to the choir, feel free to let loose with a hallelujah or two. Even if
you are familiar with design controls, you may find aspects of my approach
useful in your own quality consulting work.
4
Why All The Fuss?
A Real-World Example
5
Why All The Fuss?
After the product crashed and burned, I was engaged to perform a technical
review of the design, which I did. But in my presentations to management, I
emphasized that the fundamental issue for this company was not flawed
design, but flawed design process. After the crisis, I stuck around and helped
the VP of engineering to document a rudimentary design control process.
6
What Are Design
Controls?
Design controls are:
u an integrated set of management practices
(policies, processes, and procedures), which
are
u applied to design activities
u to control the quality of products and
services.
7
Typical
Process
Model
When people talk about processes, they tend to draw models that look
something like this. You start with an objective, perform some tasks, measure
the results, and apply constructive feedback, if you will, to optimize the
desired output. If you think in terms of the classical closed loop feedback
system, the parameter you are optimizing by this process is the quality of the
product or service you are designing.
Now, from a management point of view, that measurement step, represented
by the diamond, is critical because that’s where design decisions get confirmed
and cast in concrete. So it’s important to understand that ISO 9001 doesn’t
talk so much about what happens in the boxes. The focus of design controls is
on the the management and oversight of design activities, and that has more to
do with the diamonds, or decision points.
It’s also critically important to realize that design isn’t a straightforward linear
process, like I’ve shown here. It’s more of a three-dimensional array of
processes.
8
Environmental Management
Risk Management
Quality Management
Top
Management
Quality
Assurance
Production
Design
There is no single design process that gets a firm from concept to production.
Rather, the organization must define and document its organizational structure
for performing designs, identify the information flows between organizational
elements, define when and how reviews are conducted, and so forth. The
design processes tend to be defined in terms of development stages. At each
development stage, various organizational elements have specific roles to play,
and they have a range of overlapping concerns.
So design controls don’t exist in isolation. It doesn’t make sense characterize
any specific management activity as “design controls” versus “risk control” or
“production control.” The CEO doesn’t wear a Design Control hat one minute
and a Risk Management hat the next. Rather, at any stage of development,
there are some basic questions to be asked, and some checks and balances that
can be employed, that touch on a range of management concerns and
responsibilities.
9
ISO 9001 ISO 14001 ISO 14971
Quality Environmental Risk
Management Management Management
YOUR
MANAGEMENT
PROCESSES
10
ISO 9001 ISO 14001 ISO 14971
Quality Environmental Risk
$$
Management Management Management
YOUR
MANAGEMENT
PROCESSES
It seems like the issue of money is always looming large in the background,
and for a lot of organizations, money issues tend to take over. Fortunately,
management systems help to tame the money monster and keep it in the
background, under control.
11
What Are Design
Controls?
The specific design management practices
you need in your organization depend on:
u the size of your organization and
u the technologies you employ
Now I want to re-emphasize that ISO 9001 talks about general principles that
apply across the board. But the specific management practices you need
depend on the size of your organization and the technologies you employ.
If your organization is three people working in a garage, you don’t need a lot
of formal procedures for information flow and design approvals. Everybody
knows what everybody else is doing all the time. You do need formal
procedures regarding recordkeeping, however, because in that environment,
it’s all too easy to fly completely by the seat of your pants and not write
anything down.
When I talk to medical device manufacturers, they are always talking about the
industry practice for this or that. I tell anyone who will listen that there is no
such thing as as a medical device industry when it comes to design
management. I’m sure it’s the same at the Government Printing Office, or
NASA, or wherever you happen to work.
For example, if your product or service incorporates software---and these days,
that’s everybody---you are in the software engineering industry.
If your product needs to have structural integrity, whether it’s a bridge, a bone
screw, an automobile bumper, or a Barbie doll, there are mechanical
engineering tools and practices to be followed.
You find out about these management practices by studying textbooks,
technology-sector standards, and trade magazines. Remember that the
management responsibility section of ISO 9001 requires that your people have
the appropriate expertise. That applies to design managers as well as
production workers.
12
How Do Design Controls
Work?
u Via mechanisms to provide visibility (i.e.,
means to measure the controlled variable)
throughout the development process
u Via documented procedures to exercise
continuous (or at least frequent) control of
resources (i.e., feedback mechanisms)
u Via a semantic structure (language,
taxonomy) to facilitate communications
Visibility: If you’re buying a tract house, you can walk through the builder’s
model home to see what you are getting. A friend of mine is currently having
a custom house built, and he’s having a devil of a time communicating with
the builder. Most people aren’t trained in reading blueprints, and they can’t
generate a three-dimensional picture from what they see on the paper. It’s a
problem from the builder’s point of view, too.
Some examples of visualization techniques include: the requirements
document, rapid prototyping, computer simulation, design walkthroughs.
Here’s another practical example of visibility. A couple of my engineers are
currently designing some custom instrumentation for an X-ray calibration
facility. The customer, a physicist, was complaining that my engineers were
spending his money but not doing anything. So I had my engineers lay out a
detailed list of development tasks and we started having weekly status
meetings with the physicist. Now he has visibility into the process and the
progress. He has become more involved with the decision-making, because he
understands the context better when one of the engineers asks him for input.
Side benefits: developers can see what each other are doing, and developers
gain visibility into the needs of customers and bosses. (generals and trenches)
Resource controls: defined development phases, design reviews, supervisory
reviews, signoff procedures for design documents (the old principle of divide
and conquer)
Taxonomy---the principles of classification. R&D, V&V, design management
vs. risk management. There will be other examples of taxonomies later in the
presentation.
13
What Are The Limitations?
u Design controls do not assure the quality of
products and services (but they provide a
framework for assessing and documenting
quality).
u Design controls do not prevent design errors
(but they facilitate finding and correcting
errors earlier in the development process).
u Management still needs the right people and
the right tools to do the design work and
review the results for adequacy.
The most frequent criticism of ISO 9001 is that it’s only an end unto itself, that
it doesn’t affect quality. The “evidence” for this is firms who are registered to
9001 and still manage to consistently produce shoddy products or services.
I carry an excellent road map in my car. I still manage to get lost once in a
while, but that doesn’t mean the road map is worthless. In fact, it helps far
more often than not.
This road map might be worthless to some people, either because they don’t
know how to read it, or they don’t know how to transform its information into
meaningful action.
It’s definitely worthless if it sits under the driver’s seat and only comes out
once a year when you replace it with the latest edition you just bought.
14
Needs &
Intended Design Input
Uses
R eview
Process
Require-
Initial Design Possible
ments
Stage Interim
Reviews
Stage 1
Design
Output
... Nth Design
Stage
(N $ 1)
v erification Final
Design
Output
Production
V alidation Test
Articles
If you don’t have a good requirements document, you needn’t bother with the
rest of design controls. Throughout the development process, the requirements
document acts as the surrogate for the actual user needs. It’s the ground truth
that you come back to over and over to help decide how to implement the
design. At each stage of development, the requirements establish the basis for
verification of the design
Corporate managers I talk to have a lot of misconceptions about this business
of requirements, so let’s look a little closer.
16
Requirements Triad
u Functions
– What the device does
u Performance
– Accuracy, speed, reliability, environmental
influences
u Interfaces
– Input/output, power, data protocols, user
interface
17
Requirements---Guiding
Principles
u Must specify what is needed, not the
solution (example of machined aluminum
housing)
u Complete to an engineering level of detail
u Requirements are developed by engineers,
not by marketing department or users
u Capturing the requirements may consume
as much as 30 percent of the entire project
time budget
18
When Do Design Controls
Begin?
u There is necessarily some overlap between
research and development
u Rapid prototyping may occur outside of
design control process, but don’t make the
mistake of assuming that an apparently
functional prototype is anything close to a
finished design
u Design controls should be in place prior to
approval of the system-level requirements
document
19
Requirements---Reviewing
For Adequacy
u Unambiguous (objectively verifiable)
u Quantitative limits expressed with a
realistic measurement tolerance
u Self-consistent
u Environment completely characterized
u Completeness and relevance of external
references
First bullet: Ex. “finish shall be durable”. When challenged, they said that it
should withstand repeated cleaning as described in the service manual. OK,
but it’s ok to scrape off big chips of paint every time another instrument bumps
into it in the O.R. The best approach is to specify some objective durability
test, often a consensus standard test method, and let a qualified reviewer
determine whether the test is representative of the intended use.
Second bullet: Quantitative limits can go to either extreme. If the requirement
is for a 10 centimeter hole, the designer must infer what that means, and you
are likely to end up with grossly inaccurate solution, or an overly complex and
expensive solution. If you say you need a hole big enough to accommodate a
mechanic’s gloved hand, that’s better, but the designer has to do some legwork
to figure out what the actual dimension needs to be before designing the
component and its production process. If you say the diameter must be a
minimum of 14 cm to accommodate a mechanic’s gloved hand, the designer
has enough information to implement the design, and a qualified reviewer has
a basis for determining whether the requirement is is appropriate for the
intended use.
Last bullet. Completeness and relevance of external references (MIL-ST-810
example)
20
V&V
u Verification = assessing conformance to
requirements (did I do the design right?)
u Validation = objective evidence that
devices fulfills intended use (did I do the
right design?)
u I.e., verification is details-oriented and
validation is a cumulative summation of all
efforts to assess suitability of design.
u Validation almost always includes user
evaluation.
The military pioneered the concepts back in the 60’s and 70’s, but used words
like “first-article test” and “qualification”.
When software systems became complex, with many iterative stages of design
activity, the terms “V&V” came to mean something concrete. Let’s look at
that for a minute.
21
REQUIREMENTS PRELIMINARY DETAILED
CODING
DEFINITION DESIGN DESIGN
v v v
LEGEND
v = VERIFY
22
Needs &
Intended Design Input
Uses
R eview
Process
Require-
Initial Design Possible
ments
Stage Interim
Reviews
Stage 1
Design
Output
... Nth Design
Stage
(N $ 1)
v erification Final
Design
Output
Production
V alidation Test
Articles
When ISO 9001 was being formulated back in the 70’s, there were two
problems with this approach to V&V. First, some of the ISO committee
members really didn’t understand the complexities of software development.
Manufacturers of toothpicks had no need for all that complexity. And more
importantly, they realized that in most design situations, you can’t blame the
customer if you got the requirements wrong.
So they redefined verification to mean conformance to the specified
requirements, and validation to mean that the requirements for a specific
intended use are consistently fulfilled.
By these definitions, software V&V is all verification, because everything is
traced back to the written requirements. Validation is a whole different ball
game.
23
V & V---Semantic Differences
Software ISO 9000/Quality
Process Engineering
Engineering System Regulation
Domain
Domain Domain
This slide summarizes what I’ve said in a different form. I won’t dwell on it
here, but you have it in your handout.
24
V & V---Guiding
Principles
u V & V encompasses many activities: Tests,
Inspections, and Analyses
u V & V overlaps with design review to some
extent. Companies may draw the dividing
line anywhere reasonable.
u The design records should contain one or
more verification and validation reports
which summarize V & V activities, explain
discrepancies, and document approvals.
25
Design Reviews
u The cycle is:
– Design
– Audit (V&V)
– Review
For example, a design review for a molded housing would not take place until
the documentation was complete, and various verification activities had taken
place. These might include a tolerance buildup analysis, inspection and stress
testing of a prototype, etc.
There can be a lot of overlap between verification and review. Many activities
can be classified in either category.
Verification connotes structured labor-intensive activities, and often produces
what might be termed interim judgements of adequacy. Verification activities
are often unilateral---one analyst or one department performs the activity .
26
How Many Reviews?
u At least one; no pat answer
u Tied to business risk---review prior to
escalation of resource commitment
u If the requirements are at all complex,
review the requirements prior to
committing design resources
27
Who Are The Reviewers?
u Independent review means only a fresh
perspective---can be from same
organization, but must not have been
involved in phase of development being
reviewed
u Must have appropriate expertise
u Users should be represented
28
Design Review Procedures
u May be one-on-one, a meeting, or off-line
review followed by a meeting to discuss
findings
u Should not be adversarial---the designers
know better than anyone where the weak
points are
29
Resolution of Design
Review Findings
u Not all “problems” detected by reviewers
are real, or need to be corrected.
u There should be a procedure for tracking
concerns and ensuring followup.
u There should be a procedure for resolving
differences of opinion.
u Design review procedures should identify
who is in charge.
30
Everything Else
u Change control and configuration
management
u Design output---form and content
u Control of design documentation
u Design release
I hope that the next time you read the standard, it will make a lot more sense.
31