A macro-process structure approach to auditing for ISO 9001:2000(8)

A

Alexander Keith

our suppliers supply aircraft parts that you can see and touch.
we are employees employed by the customer to audit our suppliers. It is our full time job. We don't register or certify. We just verify.

I don't want to sound negative ... BUT,

how can you accurately assess a supplier on whether he meets ISO 9001:2000 requirements using the process approach if you don't assess him against the requirments of ISO 9001:2000?

Using the process approach, the supplier might have the most beautiful process in the world that everyone is following BUT how do you know it meets the requirements of ISO 9001:2000?

Maybe I need to see and touch a real live example of a process approach! Does anyone have one?

Alexander Keith
 
S

somerqc

Alexander,

I don't mean to sound terse, however, if someone has a solid process in all likelihood they are meeting the requirements of the ISO 9001:2000 standard.

The standard itself is structured such that a well controlled process using controlled documentation where necessary will meet the requirements.

Unfortunately, it isn't as cut and dry as it used to be in 1994. There isn't a Y/N checklist you can use.

In a previous thread, you mentioned you were new to ISO. It sounds like your company is trying to have you act like a "lead auditor" but only sending you to "Intro to ISO 9001:2000" training.

The cove is an excellent (world best?) location to obtain data and get feedback, advice, etc. as it relates to quality; however, it cannot replace solid training and experience.

Having said that, what works for me is to document what I obtain from my audit interviews, observations, etc; then, compare to procedural and standard requirements. Some things will jump out at you (finding a handwritten instruction on the floor, absence of training documents, non-identified product, no records of management review for an extended period, etc.) but some of it needs to be verified by reviewing the client's documentation and/or the standard.

If I was you, I would request more in-depth training as it related to auditing and the standard OR ask to be team member (not the lead) for a few more audits (assuming you have been on some).

Just my feedback,

John
 
Q

qualityboi

Hi Alexander,

I think you are doing fine. We do the PCDA/SIPOC (plan, do, check act/supplier-inputs-process-outputs-customer) approach to process auditing then if we start to see a weakness we go straight to ISO clause auditing. This is exactly how our registrar does it as well.

Keep doing what you are doing, if your approach doesn't yield the results you or your customer want then improve it. You may even want to change up how you audit to get various perspectives of your suppliers quality system, such as doing a trace audit on a batch of RMA material all the way back to your suppliers incoming materials and their suppliers...those are pretty fun to do.
 
A

Alexander Keith

OK somerqc ... here's my answer to you:

Go fly a kite.

You sound like the reason why so many company's systems are registered to ISO 9001:2000 but aren't worth the paper their certificates are printed on.
Continue what you're doing, you create a demand for my type of job.

Alexander Keith
over & out
 

Patricia Ravanello

Quite Involved in Discussions
OK somerqc ... here's my answer to you:

Go fly a kite.

You sound like the reason why so many company's systems are registered to ISO 9001:2000 but aren't worth the paper their certificates are printed on.
Continue what you're doing, you create a demand for my type of job.

Alexander Keith
over & out

Dear Alexander...

You are so right...you have opened a Pandora's box...

Technically speaking, if Certification Bodies performed their jobs correctly, they would confirm in Phase 1 of their Certification Audit (which is the Documentation Audit), that the documented system conforms with the requirements of ISO 9000...but the sad fact is, they don't, and most documented systems give you no degree of confidence that the system is compliant. Hence, you have to do your job the way you currently are. You can't possibly follow the "Process Approach" with any degree of certainty that the documented system complies.

When I see flow charts, for example of "Internal Audit", that contain 5 boxes, with little to no explanation of the intent or description of the activity to be performed, who's responsible, resources required, or links to the other processes, or inputs and outputs to every step (and not just the macro process), I just shake my head - there's little I can do about it when every Certification Body out there does it...and it's become the norm.

I've attached an example of a documented procedural Flow Chart that anyone could audit with confidence. It gives you all the resources you need in order to conduct an audit (activity description and intent, responsibility, inputs, outputs, resources, associated or linked documents, and even a reference to the element/sub-element requirement from ISO or the customer, which isn't actually required...it's a bonus), and yet, this level of documentation is rarely seen, much less encouraged.

Along with it, a Matrix of the Standard and System Interface (Attachment 2) if provided, would give you a roadmap of where every single line of the standard interfaces with the procedures. That should provide the Certification Body 100% confidence that the documented system is compliant, which should then be confirmed in their Staage 1 Audit. If they did their job properly, you wouldn't have to deal with so much uncertainty...

But I'm one voice in the wilderness...few organizations or consultants are willing (or able?) to do the work up front, and often get little support from Senior Management...all they hear is, "Just get it done".

I can only sympathize with you, because I can't see it changing. At least I can concur with your observations, if that's any comfort.

Patricia Ravanello
 

Attachments

  • SOP-0007.pdf
    204.9 KB · Views: 563
  • Standard and System Interface Matrix.pdf
    35.1 KB · Views: 345
Last edited:

Helmut Jilling

Auditor / Consultant
...I don't want to sound negative ... BUT,

how can you accurately assess a supplier on whether he meets ISO 9001:2000 requirements using the process approach if you don't assess him against the requirments of ISO 9001:2000?

Using the process approach, the supplier might have the most beautiful process in the world that everyone is following BUT how do you know it meets the requirements of ISO 9001:2000? ...

Why do you suggest that the process approach does not audit the requirements of ISO 9001 (AS, TS, etc.).

Of course it does! It has to.

BUT, it audits the requirements by way of looking at the processes. It is not considered acceptable to just ask questions from a 50 question checklist following chapter and verse.

But, we have to audit all the requirements. Done well, it is better for the auditee, but much harder for the auditor. It requires good skills, and those probably come from good training.

I think your reply to SomerQ was out of line and simplistic. The advice was sound. It takes good skills to follow a process approach. We can't "just show you an example." It is much more complex than just a flowchart. I do a thorough 3 day training on the process approach, and even that just covers the beginning.
 

Patricia Ravanello

Quite Involved in Discussions
Alexander,
In a previous thread, you mentioned you were new to ISO. It sounds like your company is trying to have you act like a "lead auditor" but only sending you to "Intro to ISO 9001:2000" training.

This is inappropriate, unsubstantiated, and uncalled for.

Having said that, what works for me is to document what I obtain from my audit interviews, observations, etc; then, compare to procedural and standard requirements. .

Sounds to me like you don't follow the Process approach either. You should be auditing from their Documentation and verifying by questioning and observing. The Standard should already be evident in the documentation...and that's Alexander's point...he can't do a Process approach when the documentation is incomplete and unreliable, and is difficult for both Internal and External auditors to follow and to verify compliance to such a system.

If I was you, I would request more in-depth training as it related to auditing and the standard OR ask to be team member (not the lead) for a few more audits (assuming you have been on some).

Just my feedback,

John

From my perspective I think Mr. Keith understands abundantly well, exactly what's required. It's the non-compliant condition of most documentation that prevents him from doing what he understands needs to be done. Even you admit that you need to go back to the Standard...That tells me that you're not confident that the documented System is complete, and that should have been confirmed in the Stage 1 Documentation Audit.

Patricia Ravanello
 
Last edited:
A

Alexander Keith

Thank you Patricia,

Thank you for defending the interests of a a newbie and other newbies like me simply seeking to understand the mysteries of the process approach.
I don't want to say anything else about the process approach or any other approach. I have developed some theories and now it's time to put them to the test.
I'll be back, someday, with some real life results.

Alexander Keith
over & out
 
S

somerqc

I have obviously upset some people. I didn't mean to.

However, I believe that audits need defined criteria that a company or person is audited to. One of these criteria in an ISO 9001 audit is the standard itself.

I agree with you, many systems do not document to the level that they should to ensure controlled conditions of their processes; however, it is not my job as an external auditor to tell them how to run their business.

If they choose at the time of the audit to not document a process and I do my job and audit the process (obviously taking an abundance of notes) the only criteria I am left to compare my observations and notes to is the standard. If they don't meet the requirements of the standard, then I have found a non-conformance. If they meet the requirements of the standard; however, I happened to notice weaknesses in the process - I can use the "recommendations" or "opportunities for improvement" to raise these issues to the auditee.

I actually do use many of the attachments that Alex attached in a previous post. They are very powerful and useful tools; however, I do not walk around the facility with them. I have found that I need to be able to talk english to people not "ISO"-ese in order for people to understand a requirement and/or why they are not meeting a requirement. In my experience, to start quoting clauses is not usually the most effective way (I have found people that do prefer to be quoted clause and verse as well).

From the sounds of things (please do correct me if this is wrong), his company is hired to check on companies that his company's clients have a relationship with. If their clients are going to this extent, there is obviously something that is triggering this action (i.e. poor performance) which may be a contributing factor to Alex's entire issue.
 
J

JaneB

From the sounds of things (please do correct me if this is wrong), his company is hired to check on companies that his company's clients have a relationship with. If their clients are going to this extent, there is obviously something that is triggering this action (i.e. poor performance) which may be a contributing factor to Alex's entire issue.

Possibly, possibly not. I do think you make a large number of assumptions about things.

I do tend to agree with Patricia. Alexander certainly sounds as though he knows what he's talking about. He was asking a specific question about the 'process approach'. I think it's more helpful to focus on the question/s actually asked, rather than make assumptions or guesses.

Look forward to hearing from you again, I hope, Alexander.
 
Top Bottom