Customer journal no.86- III/2019 DQS COMPACT DQS Holding GmbH

WHEN SAFE ENOUGH IS NOT GOOD ENOUGH

In the automotive industry, the security of information is absolutely critical to the OEM-supplier relationship. That is why more and more suppliers undergo a TISAX assessment, in order to remain competitive.

Confidential information is the backbone of the automotive industry. In order for an OEM to share their information with a supplier or service provider, such as consultants or software “makers”, they first want to be convinced that their information will be secure. Until the advent of TISAX, this was usually accomplished by each OEM conducting their own assessment – a method both redundant and a burden on both suppliers and manufacturers. With the Trusted Information Security Assessment Exchange (TISAX), participants will need to undergo only one assessment every three years, and information can be shared in a controlled and secure fashion.

Based on the ISA questionnaire compiled by the German Automotive Industry Association VDA and essential aspects of ISO / IEC 27001, the VDA developed this common assessment and exchange procedure, adding prototype protection, contract issues and connections to third parties to its industry-specific scope. Oversight is carried out by ENX, a conglomerate of European car manufacturers, suppliers and associations.

Unlike ISO 27001, which used to be the go-to standard, TISAX is not limited to IT security, but incorporates information security throughout the organization. The DQS Program Manager for TISAX, Andre Saeckel, expects a strong increase in demand, especially among Tier-2 suppliers who are often in a hurry because the OEMs have cut off their system access pending a TISAX certificate. Currently, DQS is one of only ten audit providers authorized by ENX. He emphasizes that “Both ENX and DQS consider the qualification of auditors both national and international of utmost importance, and a strong selling point for DQS because we only appoint auditors with relevant industry experience.”

To provide potential customers with more information on what they can expect from TISAX – aside from the certificate itself – we have asked Andre some more questions:

My OEM requires me to become a member of TISAX. How can I be sure my proprietary information is safe?

The participants in TISAX share information via a common online platform on the information security status of another participant, in the form of the results of assessments performed. Important to know: not every TISAX participant automatically has access to the assessment results of another participant. Who receives which information in the TISAX network is something the audited company itself decides by explicit release from case to case.

How much more work is TISAX compared to ISO 27001?

Actually, it is less work, because the auditors focus on the VDA ISA questionnaire, which only includes 52 controls compared to 118 for ISO 27001. The amount of detail, however, is rather high and very specific. On the plus side, the assessment cycle is three years, with no surveillance audits.

ENX advises us that the questionnaire is constantly being reviewed and updated based on feedback from suppliers, partners and auditors. So it is likely that it will be expanded in the future. The lack of surveillance audits is designed to reduce the audit burden on the suppliers, in exchange for information sharing among partners.

IN THIS ISSUE

- Page 2 - 3: ISO 45001: Consultation and Participation
- Page 4: TAPA: Quality in Logistics
- Page 5: UPS: Certified GDP Pharma
- Page 5 - 6: How much paper for quality?
- Page 7: TDK Corporation celebration
- Page 8: DQS Malaysia: first CB in Aerospace in Malaysia and Indonesia

www.dqs-holding.com DQS Compact no. 86 2

TISAX: WHAT DO I HAVE TO DO NOW?

- Access to TISAX is via subscriber registration, which takes place online on the TISAX portal.
- Registration is the prerequisite for being able to select DQS as your TISAX accredited audit service provider.
- Registered participants will receive a list of accredited providers from which they can freely choose. An organization may also register several locations and have a group assessment carried out.
- After an assessment based on VDA-ISA, information can be provided or obtained in TISAX.

For more information about TISAX, please visit the website of ENX at www.enx.com.

To receive an offer or a cost estimation, please contact your DQS local office.

“While TISAX may be limited to the automotive industry today, the label provides a unique trademark to demonstrate that extra degree of quality and security in all negotiations.”

ISO 45001 – CONSULTATION AND PARTICIPATION

The different forms of worker representation

The premier focus of a management system for occupational health and safety (OH&S) is of course the most important stakeholder, the employees. It is therefore only logical to include workers in the development, planning, implementation and continuous improvement of the OH&S management system in a variety of ways. ISO 45001 takes this into account by providing organizations with a suitable framework for worker consultation and participation in chapter 5.4. Among OH&S experts, chapter 5.4 is considered to be the key to an effective OH&S system according to ISO 45001. But what does “worker representation” mean in the sense of an OH&S management system?

First of all, there are two kinds of representation in ISO 45001:

- “Participation” is involvement in decision-making
- “Consultation” is the seeking of views before making a decision

Both terms expressly include health & safety committees as well as workers’ representatives, where they exist.

“Consultation”, therefore, requires top management to consult with their workers or their representatives regarding certain types of OH&S topics. Ideally, this creates a mutually beneficial dialogue as described in A5.4. The results of these consultations, however, are not binding upon top management. This term does not refer to the consultation of employees with their representatives, which is of course permitted.

“Participation” is the requirement to include workers or their representatives in the decision making process of certain types of OH&S topics.

Top management requirements

The new OH&S standard usually mentions “the organization” that is supposed to do certain things. The chapter on representation, however, directly addresses top management, while 5.2f requires that top management include a commitment to consultation and participation of workers or their representatives in their OH&S policy. Chapter 5.1.I and 5.4, respectively, provide that top management establish and maintain processes for consultation and participation in support of the overall aims of the OH&S management system.

Doing that presupposes the availability of suitable mechanisms such as time, training and resources (5.4.a), as well as worker representation, which according to Note 1 “can be a mechanism for consultation and participation”. Positioning this requirement in a Note with a rather cryptic wording is probably due to the fact that in some countries, there is no (effective) worker representation, and that the standard does not (want to) require such.

Not only does Top management have to make available the resources listed for consultation and participation, they also have to ensure that workers or their representatives are provided with timely, clear, understandable and relevant information about the OH&S management system (5.4b). The kind of dialogue promoted by the standard, where workers or their representatives can provide feedback, cannot take place without suitable information.

With an eye towards “Participation”, ISO 45001 requires that obstacles and barriers to participation be identified and removed or, where such removal is not possible, reduced to a minimum (5.4c).

What is meant by “obstacles and barriers” is explained in Note 2:

- “failure to respond to worker inputs or suggestions”
- “language or literacy barriers”
- “reprisals or threats of reprisals and policies or practices that discourage or penalize worker participation”

When is it consultation, when participation?

ISO 45001 distinguishes based on the question where actual participation of workers or their representatives is required, or where opinions or an exchange of opinions (consultation) suffices. Chapter 5.4d lists these with their respective requirements, and we can see that as a rule, topics of superordinate relevance to OH&S require consultation before something is established, assigned or ensured. Some examples are:

- Establishing the OH&S policy (5.2),
- Assigning organizational roles, responsibilities and authorities (5.3)
- Ensuring continual improvement (10.2b)

There are seven topics listed that require participation, which tend to be closely related to the working environment of the workers, and that are more focused on determination, identification, and evaluation, such as:

- Determining the mechanisms for consultation and participation
- Identifying hazards and assessing risks and opportunities (6.1.1. and 6.1.2)
- Determining actions for elimination or reduction of OH&S risks (6.1.4)
- Determining competence requirements, training needs, training and evaluating training (7.2)

- Both consultation and participation may also be governed by relevant national legislation on employee representation, which will need to be adhered to in addition to the requirements of ISO 45001. Typical examples include works councils and other forms of co-determination.
- According to ISO 45001, both consultation and participation relate to employees that are not managers. Note 3, however, clarifies that managers are not necessarily exempt as long as they are also “impacted by work activities or other factors”.

EXECUTIVE SUMMARY

ISO 45001 considers the consultation and participation of workers to be a key success factor for the OH&S management system. Top management needs to take that into account when determining the processes for developing, implementing, maintaining and improving their OH&S system.

Ideally, the process of consultation is a two-way street, where employees who are familiar with the OH&S risks can be asked for their opinion on how best to control them. Worker participation can be seen as a form of cooperation between top management and the employees or their representatives, especially when it comes to decision-making about OH&S performance, measures, and planned changes. Some examples of useful tools for this kind of cooperation and involvement that also support their functions within the OH&S system and help to prevent barriers are:

- Access to relevant organizational information
- Provision of training for the identification and removal of hazards
- Creating awareness of hazards and OH&S risks
- Provision of resources and time needed to allow for the above
- Protection from dismissal, repercussions and disciplinary action for the reporting of or actions against hazardous situations
- Continuous improvement of the process for consultation and participation
- Accepting suggestions for improvement
- Developing and maintaining an organizational culture that promotes and supports the OH&S management system.

To learn more about ISO 45001 and how your organization can benefit from a certified occupational health & safety management system, contact the nearest DQS office. www.dqs-holding.com/contact

QUALITY IN LOGISTICS - trained by TAPA, certified by DQS

Transportation, warehousing and distribution – safe and certified.

Reliable drivers, controlled temperatures, and the safety of transports and IT systems are some of the major concerns among logistics service providers these days. In the age of “one-click” purchases, markets have become more transparent, while supplier relationships have grown more distant. To offset this lack of personal control, the industry has developed several standards and quality seals to demonstrate quality, reliability and trustworthiness.

Recently, DQS Group partnered with TAPA (Transported Asset Protection Association) to qualify auditors and experts from many countries and several organizations for both TAPA FSR (Facility Security Requirements) and TAPA TSR (Trucking Security Requirements).

Following an earlier training in Germany in March this year, it was now DQS Hellas’ turn to host two training sessions for another 25 future TAPA authorized auditors from a number of organizations in the logistics and security industry.

Special thanks go to DQS Hellas and the two TAPA trainers Dr. Panayiotis Laimos and Ms. Chrysanthi Laimou for their excellent training, and congratulations to all participants!

DQS is part of the limited number of certified bodies permitted to pursue audits and certification according to the TAPA standards in the EMEA region (Europe, Middle East, Africa). Since the beginning of this training project, DQS has successfully tripled the number of qualified TAPA auditors on the official TAPA website. With this and many other new qualifications, DQS continues to expand our competence in the logistics sector.

Read more about our services or contact one of our offices near you.

How can you make your company stand out more from the competition?

With any logistics certifications by DQS, you can demonstrate the quality of your service to potential clients!

Transportation certification by DQS

From TAPA to GDP, from ISO 28000 to IFS Logistics and beyond to custom-tailored GC assessments, DQS Group offers a variety of services for organizations with their own logistics departments, forwarders and warehouses.


TRANSPORTING PHARMACEUTICAL PRODUCTS SAFELY WITH UPS Now certified by DQS!

The EU Guideline for Good Distribution Practice of medicinal products for human use (2013/C 343/01) stipulates minimum requirements for the performance of wholesalers and logistics companies providing services to the pharmaceutical industry. In addition, the Guidelines aim to minimize the risk for medicinal products during transport and storage. Adherence to this Good Distribution Practice (GDP) allows for positive control throughout the chain of supply, and serves to maintain the quality and integrity of medicinal products.

The DQS audit at UPS covered the scope of non-temperature controlled domestic and international parcel services for pharmaceutical products. “When it comes to healthcare, we at UPS know that we are dealing with patients, not packages,” states Frank Sportolari, President of UPS Germany. “All UPS customers will benefit from this certification, which confirms something we and others have known for decades: that the intelligent global logistics network of UPS is designed to fulfill the high demands of our customers.”

The GDP certification is based on a series of criteria, among them quality control, employee training, security, internal inspection procedures and cleanliness of facilities. This certification confirms that the UPS network is not only well suited to transporting drugs, but also other medical devices such as stabilized blood products, cosmetics or implants. Especially for pharmaceutical and biopharmaceutical manufacturers, as well as wholesalers, this certification serves as proof positive of high standards throughout the chain of supply, which can also reduce administrative effort when dispatching with UPS, as well as simplify risk evaluation processes.

UPS is a global leader in logistics, offering a broad range of solutions including the transportation of packages and freight; the facilitation of international trade, and the deployment of advanced technology to more efficiently manage the world of business. Headquartered in Atlanta, the company delivers to more than 220 countries and territories.

Guido Eggers, DQS GmbH (right), handing over the certificate to Frank Sportolari - Picture © UPS

HOW MUCH PAPER FOR QUALITY?

ISO 9001 in the age of digitalization

Management systems have a reputation of being “heavy on paper” due to the need for documentation of information. Many organizations, therefore, opt for a software solution, in order to transform reams of paper into digital data. Digital data, however, are then subject to information security requirements and legislation, such as GDPR.

Upon closer inspection of that situation, we actually find that:

- ISO 9001 has never had a requirement for “reams of paper” in order to establish, maintain and improve management systems;
- Software solutions can only support management systems if the business processes themselves support digitalization. Otherwise, problems will only be transferred to another medium, which can make the situation worse because digitalization creates its own challenges.
- The protection and security of information and personal data has always been a legitimate concern among stakeholders such as customers, partners and employees.

So how can an organization benefit from digitalization and still fulfill all the relevant requirements? A deeper look into ISO 9001 shows that this standard has a lot to contribute to this, actually. ISO 9001 is not only compatible with promoting digitalization, but can be used easily to facilitate and support digital developments.

Digitalization made easy with ISO 9001:2015

For a primary example of the “digital suitability” of ISO 9001:2015, let us look at the revised version’s definition of “documented information”. This term is now being used to include, for example, quality management manuals, documented procedures, records and documents – in short, the entire system documentation in all its manifestations. If we want to see what opportunities for digital transformation this implies, we need to question what exactly is the meaning?

What is “information” anyway?

Information is the basis of all communication and related structures. Information allows an organization to maintain and develop knowledge, and to share it on the inside or outside as needed. The availability of information, its integrity and its confidentiality must be ensured regardless of intended use. Most essential of all, though, is the security of information: the demand for security standards for transmission and storing of data and information has never been higher than today.

What may at first glance seem to be a scattered collection of individual data becomes information as soon as this data is sorted, amended or embedded and gains significance in a specific context. And information becomes invaluable when it contains expedient and beneficial knowledge. It is in that sense that information is “data of value” – which value is for the organization itself to determine.

So what kind of knowledge is relevant enough to become “documented information”? ISO 9001:2015 tells us that an organization’s management system shall include “documented information determined by the organization as being necessary for the effectiveness of the system.” Consequently, the norm focuses on the value of a piece of information, subject to the specific situation, e.g. business sector, size and complexity of the organization and its processes, requirements and expectations of stakeholders, etc.

Effectively protecting documented information: using “lessons learned” from Information Security

A quick look at ISO/IEC 27001 for Information Security shows that a risk management process for documented information needs to focus strongly on the PLAN aspect of the PDCA cycle, which is the planning of processes and systems. From here, risk management is spread throughout the organization’s structure. This is the premier approach wherever modern communication media, such as e-mail, social media or cloud servers provide the basis for documented information. That includes, among other things, a focus on employee awareness. Because no matter how good any given technical or organizational solution may be, if the human operator is not sufficiently aware of the potential consequences of their actions, and the associated risks, he or she will most likely not handle things in the most secure manner.

A focus on compliance

The immensely short shelf life of information and its impermanence are a particular challenge of our times and of continuing digitalization, which affects its distribution and processing. This makes it continuously harder to identify those pieces of information that are essential and relevant for an organization from the rest, which brings us back to the importance of availability, integrity and confidentiality. Any sequence of activities (=process) involving more than one person has to be reviewed for what information is required, its source and currency, and what information will be transferred.

In addition to the differentiation between documented information that is (decision) relevant for an organization and its protection, there is also the need to be conformant, to fulfill the relevant requirements of interested parties. Legal requirements such as GDPR and other, local laws usually require that technology needs to be state-of-the-art and organizational as well as technical measures need to be implemented to effectively protect information. Especially personnel and customer data need to be protected according to their value to the organization, above and beyond “simple” conformance.

In the end, each organization will have to decide themselves to what extent they want to utilize the possibilities of digital transformation, and make available the necessary resources. When it comes to documenting information in a secure fashion, there are many options open to organizations today: from compliance with GDPR to certified management systems such as ISO 9001 or ISO/IEC 27001, there is a high level of compatibility and being able to build up from one to the other. The standards mentioned above can provide guidance on relevant topics, and may lead their users to find solutions to reduce risk using the Best-Practice-Approach.

Original article by Andreas Altena and Angelika Müller.

ISO 27001 - certification with DQS

Valuable information is the treasure chest of the 21st century – and a vulnerable asset. Keep your data safe with an information security management system certified to ISO 27001.

TDK CORPORATION CELEBRATION

With its Quality Management (QM) system and within the scope of its zero-defect strategy, TDK Corporation is continually improving both its processes and the control of these processes, and thus also its products and services. Customers’ appreciation of this strict commitment to quality is attested by the numerous awards the company has received. TDK is certified to several Industry and regulatory standards including but not limited to ISO 9001:2015, IATF 16949, ISO 13485, ISO 14001 and many more.

“Throughout the eight decades since the company’s founding, and bolstered by our strong foundation in magnetics technology derived from ferrite, TDK has been steadfastly pursuing the development of products that have true value. Keeping alive the venture spirit that defined our beginnings, we have taken up the challenge of exploring new technologies while maintaining a strong dedication to craftsmanship as embodied in the Japanese Monozukuri concept— a dedication to quality and a new era of electronic craftsmanship. This enabled us to create an ongoing succession of innovative and valuable products.” said company President and CEO Mr. Shigenao Ishiguro

TDK Corporation is a leading electronics company based in Tokyo, Japan. It was established in 1935 to commercialize ferrite, key material in electronic and magnetic products. TDK’s comprehensive portfolio features passive components such as ceramic, aluminum electrolytic and film capacitors, as well as magnetics, high-frequency, and piezo and protection devices. The product spectrum also includes sensors and sensor systems such as temperature and pressure, magnetic, and MEMS sensors. In addition, TDK provides power supplies and energy devices, magnetic heads and more. These products are marketed under the product brands TDK, EPCOS, InvenSense, Micronas, Tronics and TDK-Lambda. TDK focuses on demanding markets in the areas of information and communication technology and automotive, industrial and consumer electronics. The company has a network of design and manufacturing locations and sales offices in Asia, Europe, and in North and South America. In fiscal 2019, TDK posted total sales of USD 12.5 billion and employed about 105,000 people worldwide.

TDK and the future go hand in hand.

TDK technologies and processes are leading the way for technologies for the future. For example, TDK MEMS motion sensors can support the cars of the future, which drive autonomously, use electricity and offer a high degree of safety and comfort. TDK sensors for medical applications support the well-being of individuals by enabling an easier, non-invasive diagnosis for example. TDK’s 7-Axis MEMS motion and pressure sensors help medical drones to fly stably to supply medicine for patients in crisis regions. TDK’s MEMS microphones facilitate human-robot interactions. TDK’s capacitors enable the realization and further growth of green energy by realizing energy generation of off-shore windmills. TDK’s radio-frequency components support the realization of 5G, enabling for example real-time broadcasting of sports events to millions of mobile devices around the globe. TDK’s MEMS ultrasonic time-of-flight sensors help realizing a truly immersive AR/VR experience.

(From left to right) Mike Curry, DQS Inc. Regional Sales Manager; Jon Nelson, TDK Corporation of America President and CEO; Brad McGuire, DQS Inc. President and CEO; Bill Ghandour, TDK Corporation of America Quality Compliance Specialist; Anwer Abbasi, TDK Corporation of America Director QA

DQS Malaysia: first in AEROSPACE!

DQS Malaysia is the premier certification body for Aerospace standards ISO 9100, 9110 and 9120 in Malaysia and Indonesia. Pictured here are their happy customers with their new certificates.

From left to right: Ms. Siti Aminah Binti Abdullah (QMR of SME Aerospace) and Ms. Rose Abu Hassen from DQS MYS; Miss Sukanya Ramaiah from UPECA; and Madam Aliza Zainal from AIROD, also with Ms. Rose from DQS.

IMAGES

- Page 2: TISAX
- Page 3: Adobe Stock
- Page 4: DQS Hellas
- Page 5: UPS
- Page 6: Adobe Stock
- Page 7: TDK Corporation
- Page 8: SME, UPECA and AIROD

CONTENT

All excerpts, translations and summaries published with permission.

Follow your local DQS office’s activities and stay up-to-date!

DQS: Global presence - Local expertise

DQS is one of the leading certification bodies for management systems worldwide. With 85 offices in 60 countries, and 2,500 auditors and experts worldwide, DQS is your trusted partner for sustainable success. DQS Holding, based in Frankfurt, provides the strategic leadership for all DQS offices worldwide. We strive for one common goal: to improve our customers' management systems and organizational health by offering value-adding assessment services.

Where to find us Please contact the local DQS office in your area. The list is available online at the Group website

Published by: DQS Holding GmbH, www.dqs-holding.com, 18 September 2019

Responsible: Dr. Dieter Stadler, Petra Träm/Nathalie Guilbot-Sumono, IBD • Corporate Marketing