Auditing ISO9001:2000 and Differences between ISO 9001:1994 and ISO 9001:2000

[Marc]

Just some thoughts:
*********************

From: ISO 9000 Standards Discussion
Date: Fri, 17 Nov 2000 15:52:30 -0600
Subject: Re: Auditing and the new standard /Oliveira/Hankwitz

From: "Hankwitz, John"

> In the new standard we will have, as a minimum, 6 procedures.
> How do we audit without a procedure? It will depend more on
> auditors habilities?
>
> Marcos Oliveira

Marcos,

Excellent question. I think we will see the answers to this question evolve over the next year or so. For now, we are looking at the basic changes in perspective presented in the new version of the standard, then tailoring our audits to look at the new perspective.

1. "Conformance" has shifted to "Performance"
2. ISO 9k2k is Based on a Modern "Business Model"
3. Focus on Efficiently and Effectively Providing Customer
Satisfaction instead of Preventing Nonconformity in Process
& Product.
4. Goals, Objectives and Resources are now driven by analysis
and fact.
5. Do It, Prove It, Improve It!

My vision of ISO 9k2k fits well into Deming's SIPOC Model. (Supplier-Input-Process-Output-Customer) The flow illustrated in the 9k2k standard is somewhat similar (using creative visualization) of how I envision the quality system to operate.

I see the "Process" as Product Realization (those process that provide added value to the ultimate customer - GEMBA?), then position Resource Management (those processes providing support to Product Realization) under, and feeding into Product Realization.

Feedback is provided from Product Realization, Resource Management, and the Customer into Measurement, Analysis and Improvement. Output from MAI feeds into Management Responsibility, stationed under, and feeding into Product Realization and Resource Management. Management then provides goals, objectives and resources to Product Realization and Resource management to enable effective and efficient provision of Customer Satisfaction. So, something like the following very crude flow would represent the Quality Management System:

 |----------|          |-------------|           |----------|

 | Supplier |  Input   |  Product    |  Output   | Customer |

 |(Customer)|--------->| Realization |---------->|          |

 |----------|          |-------------|           |----------|

                         ^        ^    .               |

                         |        |      .             |

                         |        |        .           V

                         |  |------------|   . |-------------|

                         |  |  Resource  |     | Measurement |

                         |  | Management |---->|   Analysis  |

                         |  |------------|     | Improvement |

                         |        ^            |-------------|

                         |        |                    |

                         |        |                    |

                     |----------------|                |

                     |   Management   |                |

                     | Responsibility |<----------------

                     |----------------|

I see our auditors checking how effectively and efficiently all these processes are meeting their intended goals. Exactly how we will do that is still somewhat fuzzy. We have only two to three years to figure it all out.

John Hankwitz

[This message has been edited by Marc Smith (edited 22 November 2000).]

[Marc]

From: ISO 9000 Standards Discussion
Date: Fri, 17 Nov 2000 15:57:56 -0600
Subject: Re: Auditing and the new standard /Oliveira/Green

From: Joseph & Susan Green

"Marcos Oliveira" stated and asked:
>
> I would like to propose a question:
> In the old version of ISO 9001/2, auditors compare procedures
> with records of actions. At that time, we had, as a minimum,
> 17 procedures.
>
> In the new standard we will have, as a minimum, 6 procedures.
> How do we audit without a procedure? It will depend more on
> auditors habilities?
>
> Marcos Oliveira

Joe Green's response:

1.
If an organization generates a product, the methods used to produce that product are to be defined by the organization. (call them processes, or whatever you like) ISO happens to use the term processes.
(To comply with 9K2K "realization processes" must be adequate to the task)

2.
Methods used to generate a product start somewhere advance in a sequence, interact with other methods and the logical result is finished product. (To comply with 9K2K "sequence and interactions must be identified")

3.
Methods used to generate a product must be capable, measurable, and analyzed to ensure product conformity and process effectiveness. (Hopefully those methods may be also subjected to scrutiny for improvement opportunities).

4.
An organization with no "visible" methods would be easy to identify.

5.
9K2K Standard Users are required to include "visible" (audit able) methods in their QMS.

6.
Auditor's are required to determine "visibility" and "effectiveness"
(Not Efficiency; though efficiency should be included sought by a sane organization.)

7.
The following minimum methods (processes) (procedures) must also be "visible". They are necessary to any organization who thoughtfully chooses to voluntarily comply with ISO 9001;2000 Document control
Records
Control of nonconforming product
Audits
Corrective/preventive action
Preventive action

I purposely numbered the above comments so that others may comment on the accuracy or lack of accuracy contained in each premise.

Joe Green

[Marc]

From: ISO 9000 Standards Discussion
Date: Mon, 20 Nov 2000 13:14:08 -0600
Subject: Re: Q: Beyond Compliance /Arter/Scalies

From: "Charley Scalies"

> From: Dennis Arter
> Beyond Compliance
> As many of you know, I teach and perform "management" audits,
> which are more than the usual compliance audits. (See my
> article in the June 2000 issue of the ASQ magazine Quality
> Progress for more details.) These audits examine compliance
> to rules, just like ISO 9001 registration audits. They also
> evaluate the effectiveness and suitability of those rules.
> Resulting findings are written as cause (problem) and effect
> (business pain), with supporting examples (observations). This
> is significantly more than the typical nonconformity issued
> from the registration audit.
>
> My colleagues are asking me, "Dennis, please tell us of
> companies that are successfully performing management audits,
> so that we may benchmark their methods." Unfortunately, I do
> not have any really great examples. (Hmmm. Is this just
> theory? I sometimes wonder.)

My training curriculum of internal auditors fall somewhere in the middle. (How boring!)

Certainly we do compliance audits but, more importantly, determinations of suitability and effectiveness are what internal audits should be all about. After all, internal auditing is a management activity. The greatest procedures in the world are of questionable value if they don't lead to the desired result. A cow chip wrapped in gold foil is not a nugget. While I instruct auditors to point out the pain, I leave the root cause up to the process owner. Of course, in the overwhelming majority of cases I deal with, the root cause hits you square in the face. There is little investigating needed. But because "my auditors" do not carry the organizational legitimacy/power of management auditors I try to keep them out of trouble.

While I am on the subject, I'll share a little exercise that I start every audit workshop with (poor grammar but I think you understand). "You have 30 minutes in which to conduct an internal audit to verify - with objective evidence - whether or not the quality system is effective. Can you do it? How would you do it?" By the end of the course they can. I suspect most list members could also.

Charley Scalies
Quality Pragmatitioner (cute, huh?)

John Hankwitz,
You listed the following items and claimed that they are basic changes in perspective between ISO 9001:94 and the 2000 version:
1. "Conformance" has shifted to "Performance"
2. ISO 9k2k is Based on a Modern "Business Model"
3. Focus on Efficiently and Effectively Providing Customer Satisfaction instead of Preventing Nonconformity in Process & Product.
4. Goals, Objectives and Resources are now driven by analysis and fact.
5. Do It, Prove It, Improve It!

I disagree entirely. In the scope of ISO 9001:94, customer satisfaction is identified as the primary aim of the standard and it is to be achieved through management’s implementation of the policy which is defined as being, ‘relevant to organisational goals’ and including ‘objectives for quality’. The purpose of improved conformance is improved performance and this hasn’t changed in any way with the introduction of 2000. There has been a lot of talk about focus on the customer but all that has been added is that we must identify the customer’s requirements and have an adequate means of communication with them. As was pointed out recently (by Marc I think) this is hardly the great innovation of the new millenium - some of us could figure that out for ourselves.

What is surprising about the 2000 version, is not it’s change in perspective and updated approach, but it’s lack of the same. The old system suffered from being seen as a quality technique rather than a management tool and in this, the new version has regressed rather than improved and we will suffer for it. As regards development of preventive measures - they are notable by their absence and the emphasis of the standard is still the old ‘wait til it goes wrong and then collect data’ approach. Modern business recognises that things such as market niche selection, communication, logistics, planning, material control, etc, etc are as important, or more so, than ppm, but there’s nothing about the quality of these things, in fact, there is still nothing about the quality of administration, despite the fact that managers, planners and decision makers can do more harm in a half hour than the production people can do in a year. I think it’s fair to say that the standard is still in the ‘60s and there’s no new perspective whatsoever.

Regards how to audit without a procedure;

The fact is that, for all practical purposes, you can’t. The standard requires that internal audit establishes whether the system conforms to planned arrangements. So let’s take an example; You go to a process that doesn’t have a procedure and ask the first operator what he’s doing.
‘Just banging these screws in with this hammer’.
‘Is that in accordance with planned arrangements?’
‘Sure is. Look, I know what you’re thinking - most people use a screwdriver, but can you imagine how much time and money we’ve saved since we started using the hammer? And we’ve never had a complaint.’

What are you going to do? Write him up against your own, personal, non-objective opinion? You can’t. In fact you can’t do any **** thing but trace back through the line of authority, trying to find someone that will tell you that it is wrong. If they all stick to the story, you haven’t a chance. If you find disagreement, then who is right? You have no way of finding out. You can initiate an investigation but, if the outcome still is to use the hammer, then you’re out of the game.

Auditing without a documented process against which to compare, is a contradiction of terms. It’s like clapping with one hand. Similarly, it is not possible to make objective decisions based on subjective material.

So forget it. You can’t do it. Don’t even try.

Personally, if I came across a process without a procedure, I’d write them up for it and, at the closing meeting, I’d refer them to 4.1 in ISO 9001:2000 where it tells them to document the quality system, and then I’d refer them to ISO 9000:2000, 2.7.1 where it defines documentation in terms of what it does, including; achieving conformity to customer requirements and improvement, provision of training, repeatability and traceability, objective evidence, evaluation of the effectiveness and continuing suitability of the quality management system. The implication is that, without documentation, you’re going to underachieve in these areas. To that, I’d add the impossibility of auditing and that thirty years in industry has taught me that, if it isn’t written down, it doesn’t exist.
rgds, John C

Dear colleagues:

May I remind you that the so frequently referred to "process" (against the less frequently cited "procedure") is considered by the new standard as documented for of the set of activities. If that does not mean procedure, I don´t know what it actually means.

So far, this current year, I have performed seven full assessments based on ISO/DIS and ISO/FDIS. The two following situations arose: 1)The new comers into ISO Quality Sistems insisted that just a few documents are needed (the 6 procedures) 2) The already certified against the departing ISO were thinking of elliminating documented procedures.

Both groups changed their minds when I called their attention to the concept of "procedure" as well as "institute" (document, review, implement and mantain information on a set of activities for a given purpose).

No doubt that we, lead assessors (mostly engineers) should review new concepts and definitions with a lawyer´s point of view and a dictionary at hand reach.