Bonjours everyone,

there is debate here about the best structured process approach to auditing ISO 9001:2000. People have come up with different macro-process structures in which the various elements or sections of ISO can be plugged in. Here's my version. Let me know what you think please:

Quality System Processes ---> 4.1, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 5.4.2, 7.6 and 8.2.2

Management Processes ---> 5.1, 5.3, 5.4.1, 5.6, 8.4, 8.5.1, 8.5.2 and 8.5.3

Administrative Processes ---> 5.5.1, 5.5.2, 5.5.3 and 6.2.2

Customer Related Processes ---> 5.2, 7.2.1, 7.2.2, 7.2.3, 7.5.4 and 8.2.1

Product Related Processes ---> 6.3, 6.4, 7.1, 7.3, 7.4, 7.5.1, 7.5.2, 7.5.3,
7.5.5, 8.2.3, 8.2.4 and 8.3

I thank you in advance. Critique this all you want and to the max please. I'm looking for something that makes sense and is sellable to and useable by a team of auditors.

Alexander Keith
over & out

1st Welcome:bigwave:

Here's the deal........your list will only be good for basically the 1st question in each clause, after that it's "Katie-bar-the-door". Also, don't waste time looking at 4.1 because the only time it's met is when everything else is done.

For instance to verify 6.2.2 you're going to need 4.2.4, 5.5.3, 4.2.2, 7.5.1 and maybe one or two more.

In a process approach to auditing what you worked so hard doing is just the starting point.

Bonjours everyone,

there is debate here about the best structured process approach to auditing ISO 9001:2000. People have come up with different macro-process structures in which the various elements or sections of ISO can be plugged in. Here's my version. Let me know what you think please:

Quality System Processes ---> 4.1, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 5.4.2, 7.6 and 8.2.2

Management Processes ---> 5.1, 5.3, 5.4.1, 5.6, 8.4, 8.5.1, 8.5.2 and 8.5.3

Administrative Processes ---> 5.5.1, 5.5.2, 5.5.3 and 6.2.2

Customer Related Processes ---> 5.2, 7.2.1, 7.2.2, 7.2.3, 7.5.4 and 8.2.1

Product Related Processes ---> 6.3, 6.4, 7.1, 7.3, 7.4, 7.5.1, 7.5.2, 7.5.3,
7.5.5, 8.2.3, 8.2.4 and 8.3

I thank you in advance. Critique this all you want and to the max please. I'm looking for something that makes sense and is sellable to and useable by a team of auditors.

Alexander Keith
over & out

Alexander,

First of all, there is no requirement for "classifying" processes. It can be helpful, but not required. Part of this activity is to identify/determine your processes first. You can plug in the ISO 9001 requirements later on. Keep in mind that certain ISO 9001 requirements apply to various processes simultaneously. There's "overlap" so to speak and that is perfectly OK. Look for other threads here at The Cove Forums. You will notice that there are very diverse opinions about this process business. My advise? Keep it very simple and user-friendly. :agree1:

Good luck with this.

Stijloor.

Thank you, Thank you,

We are auditing application of the ISO 9001:2000 standard. The standard is loosely organized into macro-processes (section 4, 5, 6, 7 & 8). I have simply re-arranged this as per above. Within each of these macro-processes are individual requirements for which an organization will develop individual processes in order to achieve the end result.

I have a team of external auditors and each one is assigned a macro-process.

We use the PDCAA approach (say what you do, do what you say, prove it, act on the difference, show me the evidence). The PDCA part is the organization's responsibility to achieve the end result. The A part is the external auditor's responsibility to verify at each PDCA stage. Show me the money, show me the evidence of your plan, your execution, your verification and any CA or improvement that you did on that individual process.

As Randy has mentioned there will be overlap into other processes when verifying any one process. The team meets regularly to review these overlaps and probe further if necessary.

The macro-process structure is there for me and the team to help organize and visualize things better. Maybe I shouldn't have used the word best on the title... in fact, I just took it off now. It's one idea for a structure among many.

Thank you!

Thank you, Thank you,

We are auditing application of the ISO 9001:2000 standard. The standard is loosely organized into macro-processes (section 4, 5, 6, 7 & 8). I have simply re-arranged this as per above. Within each of these macro-processes are individual requirements for which an organization will develop individual processes in order to achieve the end result.

I have a team of external auditors and each one is assigned a macro-process.

We use the PDCAA approach (say what you do, do what you say, prove it, act on the difference, show me the evidence). The PDCA part is the organization's responsibility to achieve the end result. The A part is the external auditor's responsibility to verify at each PDCA stage. Show me the money, show me the evidence of your plan, your execution, your verification and any CA or improvement that you did on that individual process.

As Randy has mentioned there will be overlap into other processes when verifying any one process. The team meets regularly to review these overlaps and probe further if necessary.

The macro-process structure is there for me and the team to help organize and visualize things better. Maybe I shouldn't have used the word best on the title... in fact, I just took it off now. It's one idea for a structure among many.

Thank you!

Alexander,

Is your plan to audit against the requirements of the Standard or audit processes using the (srtrongly) recommended process approach?

There's a lot of information available here about auditing using the "Process Approach (http://www.google.com/custom?domains=Elsmar.com&q=Auditing+using+the+process+approach&sa=Search&sitesearch=Elsmar.com&client=pub-1385417534940691&forid=1&channel=6124086287&ie=ISO-8859-1&oe=ISO-8859-1&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A000099%3BALC%3A000000%3BLC%3A000000%3BT%3A0000FF%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BLH%3A50%3BLW%3A350%3BL%3Ahttp%3A%2F%2Felsmar.com%2Fpng%2Fheader-G-search.png%3BS%3Ahttp%3A%2F%2FElsmar.com%2FForums%2F%3BFORID%3A1%3B&hl=en)."

Stijloor.

Bonjours everyone,

there is debate here about the best structured process approach to auditing ISO 9001:2000. People have come up with different macro-process structures in which the various elements or sections of ISO can be plugged in. Here's my version. Let me know what you think please:

Quality System Processes ---> 4.1, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 5.4.2, 7.6 and 8.2.2

...etc

I thank you in advance. Critique this all you want and to the max please. I'm looking for something that makes sense and is sellable to and useable by a team of auditors.

Alexander Keith
over & out


Hello Alexander,

Your system looks like an adaptation of what we saw with ISO 1994 where every company suddenly had some 20 or so Procedures...all aligned with the Standard. It looks like you're doing the same thing, but using just 5 Procedures...again, aligned with the standard - Sections 4, 5, 6, 7 & 8.

It also appears that you're focusing on the elements as opposed to your processes which doesn't jive with the "process approach", as mentioned already.

While grouping the sub-elements together like this, may serve some purpose for your organization, I doubt that it's very representative of how your company actually works.

Even if you are only using this proposed configuration for auditing, it goes against the grain of what the process approach requires. You need to follow your processes, step-by-step...not a select set of sub-elements of the standard...unless of course, that sequence happens to conform with your actual processes.

Your approach begs the question...what do your processes look like? Flow charts? Narratives? If you're satisfied that your documentation complies with the standard...I would put the standard away and focus on your documented processes.

Seems like you're creating more work than necessary and deviating from the whole point of the process approach.

Patricia Ravanello

I guess I didn't explain myself clearly and maybe I even assumed that we are all auditing the same thing here.

Here's what I am auditing, and here's what I see, as a customer's rep, the majority of the time from our suppliers:

----- supplier has a documented quality system originally structured to ISO 9001 (94) but subsequently re-structured to meet ISO 9001:2000. They are basically the same procedures before and after the re-structurization -----

Isn't that what you guys see too? Don't most companies serious about their personnel implementing ISO 9001:2000 on a consistent basis have documented procedures?

Also; if I'm doing an audit of a welding process for example, now here's a set of inputs that involve people, methods, materials, environment, etc.

if I'm doing an audit of the management macro-process however, the inputs become 5.1, 5.3, 5.4.1, 5.6, etc. I review the procedures beforehand and develop my checklist of questions based on those procedures. In those rare instances that there is no procedure I have a set of prepared open-ended questions to ask. I don't like to wing it or let the company describe in words anything they can think of next just to answer my questions.

At the end of the day the audit, whatever approach you take, is suppose to give you enough evidence to determine whether requirement are fulfilled or not. I like my evidence in writing please. PDCAA ---> the company does the PDCA and shows me the A (evidence) when I come in to audit.

Am I a dinosaur or are there still others like me out there?

Alexander Keith
over & out

Hi Alexander,
Thanks for the clarifcation...I didn't understand that your were talking about "you, auditing your suppliers", and not your own organization.

Notwithstanding that fact, I don't know why you'd take a different approach than the "Process Approach", even for what you are calling the "Macro" processes...Why aren't they documented? (Actually, I already know why...most Senior Management has gotten away without documented Procedures for those processes...like they just "magically" know how to do Business Planning and Management Review. I don't agree with it, but it's fairly common).

I suppose that's why you go in with your own set of "reference questions" to ask, just to make sure that the requirements have been met (that's not the process approach). I don't know what luck you'd have challenging them if their CB grants them certification.

I'd say you're doing the best you can under less than ideal circumstances. Bottom line is, you have to satisfy yourself that your audit is comprehensive, and that your supplier is, in fact, doing what they say they do...and what is required of them.

You raise an interesting question and discussion. I'm curious to hear other input on the subject.

Patricia

----- supplier has a documented quality system originally structured to ISO 9001 (94) but subsequently re-structured to meet ISO 9001:2000. They are basically the same procedures before and after the re-structurization -----

Isn't that what you guys see too?

No. We have huge debates about the various ways of structuring manuals. I think that many people agree that a reasonably good and useful procedures manual is not just the 'same procedures' as there were for the '94 version, just 'tricked up' for the 2000 one.

It absolutely contradicts the process approach. Totally.

What kind of suppliers are you auditing? Are they all in similar fields?

Notwithstanding that fact, I don't know why you'd take a different approach than the "Process Approach" ...

I'd say you're doing the best you can under less than ideal circumstances. Bottom line is, you have to satisfy yourself that your audit is comprehensive, and that your supplier is, in fact, doing what they say they do...and what is required of them.

It is an interesting question and discussion.

Don't most companies serious about their personnel implementing ISO 9001:2000 on a consistent basis have documented procedures?

Yes to documented procedures. But if they're serious about 9001, I'd hope they'd be equally serious about the process approach, and that their procedures would then reflect this.
Are you second guessing the (external) auditors?

I guess I didn't explain myself clearly and maybe I even assumed that we are all auditing the same thing here.

Here's what I am auditing, and here's what I see, as a customer's rep, the majority of the time from our suppliers:

----- supplier has a documented quality system originally structured to ISO 9001 (94) but subsequently re-structured to meet ISO 9001:2000. They are basically the same procedures before and after the re-structurization -----

Isn't that what you guys see too? Don't most companies serious about their personnel implementing ISO 9001:2000 on a consistent basis have documented procedures?

Also; if I'm doing an audit of a welding process for example, now here's a set of inputs that involve people, methods, materials, environment, etc.

if I'm doing an audit of the management macro-process however, the inputs become 5.1, 5.3, 5.4.1, 5.6, etc. I review the procedures beforehand and develop my checklist of questions based on those procedures. In those rare instances that there is no procedure I have a set of prepared open-ended questions to ask. I don't like to wing it or let the company describe in words anything they can think of next just to answer my questions.

At the end of the day the audit, whatever approach you take, is suppose to give you enough evidence to determine whether requirement are fulfilled or not. I like my evidence in writing please. PDCAA ---> the company does the PDCA and shows me the A (evidence) when I come in to audit.

Am I a dinosaur or are there still others like me out there?

Alexander Keith
over & out


We see all kinds of variations. Not all processes must be documented. But the paradox is those companies who most insist on that prerogative, also usually have really weak systems and poor performance (not in every case). The best companies frequently have too much documentation. not sure if that is a cause and effect relationship, but it is pretty telling.

our suppliers supply aircraft parts that you can see and touch.
we are employees employed by the customer to audit our suppliers. It is our full time job. We don't register or certify. We just verify.

I don't want to sound negative ... BUT,

how can you accurately assess a supplier on whether he meets ISO 9001:2000 requirements using the process approach if you don't assess him against the requirments of ISO 9001:2000?

Using the process approach, the supplier might have the most beautiful process in the world that everyone is following BUT how do you know it meets the requirements of ISO 9001:2000?

Maybe I need to see and touch a real live example of a process approach! Does anyone have one?

Alexander Keith

Alexander,

I don't mean to sound terse, however, if someone has a solid process in all likelihood they are meeting the requirements of the ISO 9001:2000 standard.

The standard itself is structured such that a well controlled process using controlled documentation where necessary will meet the requirements.

Unfortunately, it isn't as cut and dry as it used to be in 1994. There isn't a Y/N checklist you can use.

In a previous thread, you mentioned you were new to ISO. It sounds like your company is trying to have you act like a "lead auditor" but only sending you to "Intro to ISO 9001:2000" training.

The cove is an excellent (world best?) location to obtain data and get feedback, advice, etc. as it relates to quality; however, it cannot replace solid training and experience.

Having said that, what works for me is to document what I obtain from my audit interviews, observations, etc; then, compare to procedural and standard requirements. Some things will jump out at you (finding a handwritten instruction on the floor, absence of training documents, non-identified product, no records of management review for an extended period, etc.) but some of it needs to be verified by reviewing the client's documentation and/or the standard.

If I was you, I would request more in-depth training as it related to auditing and the standard OR ask to be team member (not the lead) for a few more audits (assuming you have been on some).

Just my feedback,

John

Hi Alexander,

I think you are doing fine. We do the PCDA/SIPOC (plan, do, check act/supplier-inputs-process-outputs-customer) approach to process auditing then if we start to see a weakness we go straight to ISO clause auditing. This is exactly how our registrar does it as well.

Keep doing what you are doing, if your approach doesn't yield the results you or your customer want then improve it. You may even want to change up how you audit to get various perspectives of your suppliers quality system, such as doing a trace audit on a batch of RMA material all the way back to your suppliers incoming materials and their suppliers...those are pretty fun to do.

OK somerqc ... here's my answer to you:

Go fly a kite.

You sound like the reason why so many company's systems are registered to ISO 9001:2000 but aren't worth the paper their certificates are printed on.
Continue what you're doing, you create a demand for my type of job.

Alexander Keith
over & out

OK somerqc ... here's my answer to you:

Go fly a kite.

You sound like the reason why so many company's systems are registered to ISO 9001:2000 but aren't worth the paper their certificates are printed on.
Continue what you're doing, you create a demand for my type of job.

Alexander Keith
over & out

Dear Alexander...

You are so right...you have opened a Pandora's box...

Technically speaking, if Certification Bodies performed their jobs correctly, they would confirm in Phase 1 of their Certification Audit (which is the Documentation Audit), that the documented system conforms with the requirements of ISO 9000...but the sad fact is, they don't, and most documented systems give you no degree of confidence that the system is compliant. Hence, you have to do your job the way you currently are. You can't possibly follow the "Process Approach" with any degree of certainty that the documented system complies.

When I see flow charts, for example of "Internal Audit", that contain 5 boxes, with little to no explanation of the intent or description of the activity to be performed, who's responsible, resources required, or links to the other processes, or inputs and outputs to every step (and not just the macro process), I just shake my head - there's little I can do about it when every Certification Body out there does it...and it's become the norm.

I've attached an example of a documented procedural Flow Chart that anyone could audit with confidence. It gives you all the resources you need in order to conduct an audit (activity description and intent, responsibility, inputs, outputs, resources, associated or linked documents, and even a reference to the element/sub-element requirement from ISO or the customer, which isn't actually required...it's a bonus), and yet, this level of documentation is rarely seen, much less encouraged.

Along with it, a Matrix of the Standard and System Interface (Attachment 2) if provided, would give you a roadmap of where every single line of the standard interfaces with the procedures. That should provide the Certification Body 100% confidence that the documented system is compliant, which should then be confirmed in their Staage 1 Audit. If they did their job properly, you wouldn't have to deal with so much uncertainty...

But I'm one voice in the wilderness...few organizations or consultants are willing (or able?) to do the work up front, and often get little support from Senior Management...all they hear is, "Just get it done".

I can only sympathize with you, because I can't see it changing. At least I can concur with your observations, if that's any comfort.

Patricia Ravanello

...I don't want to sound negative ... BUT,

how can you accurately assess a supplier on whether he meets ISO 9001:2000 requirements using the process approach if you don't assess him against the requirments of ISO 9001:2000?

Using the process approach, the supplier might have the most beautiful process in the world that everyone is following BUT how do you know it meets the requirements of ISO 9001:2000? ...

Why do you suggest that the process approach does not audit the requirements of ISO 9001 (AS, TS, etc.).

Of course it does! It has to.

BUT, it audits the requirements by way of looking at the processes. It is not considered acceptable to just ask questions from a 50 question checklist following chapter and verse.

But, we have to audit all the requirements. Done well, it is better for the auditee, but much harder for the auditor. It requires good skills, and those probably come from good training.

I think your reply to SomerQ was out of line and simplistic. The advice was sound. It takes good skills to follow a process approach. We can't "just show you an example." It is much more complex than just a flowchart. I do a thorough 3 day training on the process approach, and even that just covers the beginning.

Alexander,
In a previous thread, you mentioned you were new to ISO. It sounds like your company is trying to have you act like a "lead auditor" but only sending you to "Intro to ISO 9001:2000" training.

This is inappropriate, unsubstantiated, and uncalled for.


Having said that, what works for me is to document what I obtain from my audit interviews, observations, etc; then, compare to procedural and standard requirements. .

Sounds to me like you don't follow the Process approach either. You should be auditing from their Documentation and verifying by questioning and observing. The Standard should already be evident in the documentation...and that's Alexander's point...he can't do a Process approach when the documentation is incomplete and unreliable, and is difficult for both Internal and External auditors to follow and to verify compliance to such a system.


If I was you, I would request more in-depth training as it related to auditing and the standard OR ask to be team member (not the lead) for a few more audits (assuming you have been on some).

Just my feedback,

John

From my perspective I think Mr. Keith understands abundantly well, exactly what's required. It's the non-compliant condition of most documentation that prevents him from doing what he understands needs to be done. Even you admit that you need to go back to the Standard...That tells me that you're not confident that the documented System is complete, and that should have been confirmed in the Stage 1 Documentation Audit.

Patricia Ravanello

Thank you Patricia,

Thank you for defending the interests of a a newbie and other newbies like me simply seeking to understand the mysteries of the process approach.
I don't want to say anything else about the process approach or any other approach. I have developed some theories and now it's time to put them to the test.
I'll be back, someday, with some real life results.

Alexander Keith
over & out

I have obviously upset some people. I didn't mean to.

However, I believe that audits need defined criteria that a company or person is audited to. One of these criteria in an ISO 9001 audit is the standard itself.

I agree with you, many systems do not document to the level that they should to ensure controlled conditions of their processes; however, it is not my job as an external auditor to tell them how to run their business.

If they choose at the time of the audit to not document a process and I do my job and audit the process (obviously taking an abundance of notes) the only criteria I am left to compare my observations and notes to is the standard. If they don't meet the requirements of the standard, then I have found a non-conformance. If they meet the requirements of the standard; however, I happened to notice weaknesses in the process - I can use the "recommendations" or "opportunities for improvement" to raise these issues to the auditee.

I actually do use many of the attachments that Alex attached in a previous post. They are very powerful and useful tools; however, I do not walk around the facility with them. I have found that I need to be able to talk english to people not "ISO"-ese in order for people to understand a requirement and/or why they are not meeting a requirement. In my experience, to start quoting clauses is not usually the most effective way (I have found people that do prefer to be quoted clause and verse as well).

From the sounds of things (please do correct me if this is wrong), his company is hired to check on companies that his company's clients have a relationship with. If their clients are going to this extent, there is obviously something that is triggering this action (i.e. poor performance) which may be a contributing factor to Alex's entire issue.

From the sounds of things (please do correct me if this is wrong), his company is hired to check on companies that his company's clients have a relationship with. If their clients are going to this extent, there is obviously something that is triggering this action (i.e. poor performance) which may be a contributing factor to Alex's entire issue.

Possibly, possibly not. I do think you make a large number of assumptions about things.

I do tend to agree with Patricia. Alexander certainly sounds as though he knows what he's talking about. He was asking a specific question about the 'process approach'. I think it's more helpful to focus on the question/s actually asked, rather than make assumptions or guesses.

Look forward to hearing from you again, I hope, Alexander.