Brad Savage has been an Exemplar Global-certified management systems auditor for 29 years and has worked for DEKRA Certification since 1992.
He is a lead auditor for ISO 9001 and AS9100, and a 20-year member of the U.S. Technical Advisory Group (TAG) to ISO/TC 176 on quality management systems.
In this conversation, we discussed his start as the first U.S. employee for certification body KEMA (which was acquired by DEKRA), a comparison of auditing military specifications vs. ISO standards, and the qualities of a good management systems auditor.
EXEMPLAR GLOBAL: Let’s start with a bit of your background as well as how and why you found your way to the auditing portion of your career.
BRAD SAVAGE: I started in quality assurance back in 1976. I was hired as an inspector for Teleflex, which is a large conglomerate. At the time, they had an aerospace division named SermeTel, which they later changed to Sermatech. They applied protective coatings mostly for ground turbines, for companies like General Electric and Pratt & Whitney. They worked on engines like the JT8D, the JT9D, and the PT6. That was in Limerick, Pennsylvania, less than a mile from where I was living at home with my parents. I was in my early 20s at the time. Soon thereafter, the company asked me to be their quality control manager for a new facility in Windsor Locks, Connecticut.
In 1984, I left Sermatech and I went to work for Joslyn Defense Systems in Vermont as quality assurance manager. There, we worked closely with the U.S. Navy on their A-6 aircraft pylon, doing cable assemblies and some integration boxes. We also had a big contract to work on the skid shield on the B-52 bomber. I was responsible for doing the quality assurance function on that project, with the reliability program plan as one of my key responsibilities. A few years later, a company by the name of Aerosmith Shelburne acquired Joslyn Defense Systems. We continued working primarily on projects with the Navy, at Point Mugu in California and some of their facilities on the East Coast.
Then, around 1992, I took a job with KEMA, which was later acquired by DEKRA. In fact, I was KEMA’s first employee in the United States. I found out about that job in an interesting way. My wife saw a help wanted ad in Quality Progress magazine. She said, “Brad, look at this. They’re looking for some kind of auditor for ISO 9001.” And I said, “Oh, that looks interesting.” (laughter)
Working with KEMA was quite a journey. I was kind of a jack-of-all-trades because I was still learning. From my background with Joslyn Defense Systems and Aerosmith Shelburne, I knew the nuts-and bolts of MIL-I-45208 for inspection system requirements and MIL-I-9858 for quality program requirements. I was doing a lot of travel in those days, going all over the world, visiting clients, doing trade shows. It was the very beginning of ISO 9001.
EG: How did you accumulate the knowledge about standards and auditing to first get the job with KEMA in the early 1990s?
BS: Being a quality assurance manager, I was responsible for the quality program from the top down. That included the internal audit process that we had in place at that time. Now, these were nothing like the internal audits that came in for ISO 9001 later, but they were good audits of the organization’s activities. We didn’t really audit by process because the process approach didn’t come in until ISO 9001:2000. But when I was working in industry, I was very comfortable with both MIL-I-45208 and MIL-Q-9858. Both fell short of getting involved with activities such as management review and things of that nature, areas in which ISO 9001 turned out to be very strong. In any event, MIL-I-45208, and MIL-Q-9858 were government requirements and so, if you wanted contracts with government entities like the Navy, you had to meet those requirements. Bear in mind that these were primarily based on product inspection activities, not management control activities.
Once I got involved with KEMA, I learned that I could become certified as an ISO 9001 auditor with Exemplar Global, which was known as RABQSA at the time. Once I had that certification, we started getting a lot of work. We couldn’t even accept all the work that was coming our way because I was the only certified auditor on the U.S. staff at the time. Auditors had to come over from the Netherlands to help us perform audits, and I learned a lot from those colleagues about the proper auditing methodologies—things like audit programs, initial audits, surveillance audits, renewal audits, etc.
It wasn’t before long that I was out on my own, performing contract audits and doing a lot more traveling. Based on my background, I did mostly aerospace audits, but at the time I was also heavily involved in the agriculture industry. In fact, I was told by experts in the field that I was the first ISO auditor in the world for agriculture. I helped start a standard called AG 9000, which was based on ISO 9001 with additional agricultural-specific requirements. That standard only lasted for a couple years because my aerospace work just started taking up too much of my time.
EG: Given your experience in different roles and within different industries, what is your perspective on the overall development of ISO 9001 over the years? Has it been a positive evolution in your view?
BS: When ISO 9001 came out in 1987 and it started catching on, it was all about element-based auditing. You would audit an organization against the standard section-by-section. KEMA was an early adopter of the process approach, working with their local accreditation body, the Dutch Accreditation Council (RvA). With ISO 9001:2000, ISO formally adopted the process approach, where they broke the organization’s quality management system into a big puzzle, with all the pieces representing different processes. When you put those pieces together, they all link to the appropriate elements of the ISO 9001 standard. You’ve got purchasing processes under section 8.4, training under 7.16 and 7.2, manufacturing under 8.5, corrective action in section 10, and so on.
It’s up to the audited company, however, to determine what the process is and which sections of the standard link to it. When you reconcile the elements of the standard to the processes, there should be no elements left and all the processes should be accounted for. Those were our marching orders as auditors when it came to ISO 9001:2000.
Risk started coming into the standard with the 2008 version and much more in ISO 9001:2015, when they addressed risk-based thinking. There are still no specific requirements for documented information about risk-based thinking in ISO 9001, however. There are not a lot of hard-and-fast requirements that the auditor can hang their hat on, because a lot of those had gone away by the 2015 version of the standard. There were still very valuable things for organizations who wish to demonstrate the effectiveness and efficiency of their quality management system: management review, internal audits, metrics, and quality objectives. The goal is to generate metrics that are value added, measurable, and realistic. As an auditor, what that means is you want to look at metrics that represent the pain areas of the company. Depending on the type of organization, that could involve things like scrap or returns. The value of ISO 9001 and other standards is that it allows the auditor to audit an organization to reduce the negative work and increase the positive work. That’s really the foundation of the standard now.
As an auditor, if you see that the audited organization is having issues, you want to do a deep dive into those areas to find out why. For instance, if the organization is having problems with on-time deliveries, or with higher-than-expected returns, a good auditor would ask about risk-based thinking from the top down. This is where proper management analysis comes into play, to drive an understanding of the opportunities for improvement down into all facets of the organization. Again, it’s all meant to improve the efficiency and effectiveness of the organization and, most importantly, to promote the highest level of customer satisfaction.
EG: Listening to you talk about interpreting the clauses of ISO 9001 and how they apply in the real world, it’s clear that auditors need a high degree of technical understanding and experience. In your opinion, what are the other attributes of a good auditor?
BS: First and foremost, you must be a go-getter. A good auditor is a perfectionist and very detail-oriented, in addition to being a good listener. If you tend to take over conversations, as an auditor you won’t let the auditee talk enough to really learn what they are doing. And then you’re not really giving them the benefit of your understanding so that they can improve their processes and the activities within the organization.
As an auditor, you are always learning something. I certainly don’t pretend to know everything. Every time I do an audit, I learn about working with people, I learn about new technologies, and I learn about how people do their jobs. A good auditor needs to have a good conscience and should want to partner with people to make the world a better place.
EG: Finally, what advice would you provide to that person who’s starting out as an auditor?
BS: Strong organizational skills are paramount. Be a good listener, focus on the details, and don’t procrastinate. Once you get finished with an audit, I would advise you to write up the report right away; otherwise it lingers, and you forget about important points of context. Stay up to date with the standards and take regular training courses.