SBS - The best value in QMS software

Do We Have to Comply with Our Own Procedures?

John Broomfield

Staff member
Super Moderator
So after all the principled 'brave new world' stuff over the last few weeks you're now 'pleased to report' there is a 'you shall follow procedures' requirement to be built in to the common text? :confused:
Paul,

All along I have said auditors should not assume that the procedures have been made mandatory by the standard (as was the case before the year 2000); auditors should first check with management:

  • Enlightened managers may cause employees to want to use, monitor and improve their procedures.
  • Other managers may threaten employees for not obeying procedures even when the employees know the procedures do not work.
Auditors need to sense A or B and how to investigate and report whether the management system is helping employees to meet requirements.

I still say that assuming the unimplemented procedure is effective and enforcing it remains something an auditor should never do. I say it is better to find out and report why the procedure is not being used.

John
 
Elsmar Forum Sponsor

Jim Wynne

Staff member
Admin
<snip>
I still say that assuming the unimplemented procedure is effective and enforcing it remains something an auditor should never do. I say it is better to find out and report why the procedure is not being used.
  1. Auditors should never be charged with enforcing anything.
  2. Auditors should objectively assess processes, including assessment of whether or not documented procedures are being followed.
  3. Audit findings should be reported to management at the relevant level, and if it's found that documented procedures are not being followed but the processes are effective, the documented procedures should be gotten rid of or changed to reflect actual practice.
 
T

tyker

Paul,

All along I have said auditors should not assume that the procedures have been made mandatory by the standard (as was the case before the year 2000); auditors should first check with management:

  • Enlightened managers may cause employees to want to use, monitor and improve their procedures.
  • Other managers may threaten employees for not obeying procedures even when the employees know the procedures do not work.
Auditors need to sense A or B and how to investigate and report whether the management system is helping employees to meet requirements.

I still say that assuming the unimplemented procedure is effective and enforcing it remains something an auditor should never do. I say it is better to find out and report why the procedure is not being used.

John
If the management has complied with 4.1 and 4.2.1 (c) and (d) then it has identified the necessary documents (including procedures) which are necessary for the effective implementation of the management system. If an auditor finds that those documents are not being followed a non-conformity can be raised for failure to implement and maintain the system. I've never come across an auditor even trying to, let alone being allowed to, enforce a procedure. I've experienced many instances of auditors reporting a failure to effectively implement a procedure but that's different.
Finding out why a procedure is not being followed is part of the corrective action which is management's job. The auditor might be curious to know and, particularly for internal auditors, may have helpful information. But it is not the auditors job to determine and/or implement the actions necessary to overcome the non-conformity.
 
One aspect of this discussion doesn't fully come to the front is whether the process/procedure being implemented (whether documented or not) is actually effective.

What someone actually does IS (frequently) effective, when compared to what was defined in a document (some of us remember examples of the instructions we tried to follow when assembling something we've bought) but I rarely hear of auditors (of any type) prosecuting the audit to determine effectiveness of that process/procedure!

This one fact, alone, will help management determine what is necessary in the matter of action. Sadly, and all too often it's missing from an audit report. "They weren't following procedure" has two potential outcomes. So the auditor didn't help management, did they? No wonder management don't get behind audits, or support any resulting actions, when the auditor didn't even give them much of a shove in the right direction!
 
Last edited:

Paul Simpson

Trusted Information Resource
One aspect of this discussion doesn't fully come to the front is whether the process/procedure being implemented (whether documented or not) is actually effective.
I tried to summarize the thread here.

<snip>

This is part of the thread (albeit to my memory nobody has directly mentioned the process approach). Let me summarize:
  • This all (re)started with Steve’s post here when he was asking whether internal auditors should follow the process and check to see if people are following what the process says they should be doing.
  • John Broomfield replied saying that they shouldn’t - here
  • My first post on the subject was challenging the idea that there is not a requirement for people to follow procedures and in particular John's statement: ‘Management may say "ISO 9001 says that you must obey our procedures" but that has been untrue since the year 2000.’
  • You entered into discussion with John Broomfield (who I had refused to debate with by this time) on the subject of process validation - here.
  • and my response just followed your thread - here

</snip>
because the thread had already gone a long way from the original question.

But your question is valid and better auditors will be able to assess and comment on how appropriate procedures are compared with actual practice. We are, after all, living in a world were there is even debate as to whether documented procedures are compulsory unless top management specifically say they are. :notme:
What someone actually does IS (frequently) effective, when compared to what was defined in a document (some of us remember examples of the instructions we tried to follow when assembling something we've bought) but I rarely hear of auditors (of any type) prosecuting the audit to determine effectiveness of that process/procedure!
True. But to do anything other than explain to the managers of a process that there is a discrepancy between what is required (by a documented procedure) and what is actually taking place requires an auditor with the competence to judge whether one is better than the other - I for one do not have a lot of faith that an auditor will be able to tell me that.

This one fact, alone, will help management determine what is necessary in the matter of action. Sadly, and all too often it's missing from an audit report. "The weren't following procedure" has two potential outcomes. So the auditor didn't help management, did they? No wonder management don't get behind audits, or support any resulting actions, when the auditor didn't even give them much of a shove in the right direction!
Again, apart from a gentle hint that actual practice could be considered effective we have to be very careful here. I have a couple of examples of following an auditor in and their 'helpful' recommendation would have lead to breaches of legislation and potential court action.
 

John Broomfield

Staff member
Super Moderator
  1. Auditors should never be charged with enforcing anything.
  2. Auditors should objectively assess processes, including assessment of whether or not documented procedures are being followed.
  3. Audit findings should be reported to management at the relevant level, and if it's found that documented procedures are not being followed but the processes are effective, the documented procedures should be gotten rid of or changed to reflect actual practice.
Jim,

Before the audit clause 8.2.3 requires the process to be monitored and it or its procedure corrected as necessary to be effective.

Instead of ignoring the monitoring (and replacing it with auditing in the minds of the auditees) why not audit processes through the effectiveness of their monitoring?

That way auditors avoid leaving the auditee with the impression that the auditor says they must obey their procedures.

John
 

Big Jim

Super Moderator
Jim,

Before the audit clause 8.2.3 requires the process to be monitored and it or its procedure corrected as necessary to be effective.

Instead of ignoring the monitoring (and replacing it with auditing in the minds of the auditees) why not audit processes through the effectiveness of their monitoring?

That way auditors avoid leaving the auditee with the impression that the auditor says they must obey their procedures.

John
I think you may be reading something additional into 8.2.3,

"The organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate."

Procedures?
 
Fair point, Paul, about 'recommendations' and I get that. However, if any auditor has, objectively looked at the results and performance of a process surely it's not too 'opinionated' to suggest that what they are doing, rather than what the QMS documents define, is what is 'working'. No foul there, is there?
 

John Broomfield

Staff member
Super Moderator
I think you may be reading something additional into 8.2.3,

"The organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate."

Procedures?
Jim,

As I see it procedures specify how processes are carried out and process monitoring determines the conformity and effectiveness or status of a process.

These days procedures include the process objectives and other criteria for process effectiveness.

It is therefore reasonable to expect the auditee to use their documented (or undocumented) procedures for monitoring their processes long before the auditor arrives.

When monitoring finds the process is ineffective it, or its procedure or both, is or are corrected as necessary by the auditee.

John
 
T

tyker

Jim,

Before the audit clause 8.2.3 requires the process to be monitored and it or its procedure corrected as necessary to be effective.

Instead of ignoring the monitoring (and replacing it with auditing in the minds of the auditees) why not audit processes through the effectiveness of their monitoring?

That way auditors avoid leaving the auditee with the impression that the auditor says they must obey their procedures.

John
No argument with the first sentence.
I can't agree with the second one though. No-one, as far as I'm aware, has suggested ignoring monitoring; it is, after all, a mandatory requirement. I don't see how you evaluate the effectiveness of the monitoring without visiting the process and auditing the implementation of the procedures the organisation has deemed to be necessary?
As an auditor, I have no difficulty telling the auditee that ISO 9001 requires them to determine the controls/documents/procedures that are necessary to ensure the processes are effective and then work to them. How else do you interpret the expression "implement and maintain"?
 
Thread starter Similar threads Forum Replies Date
J WAIVED ON Q1 - We Don't have to comply with FORDS customer specific requirements IATF 16949 - Automotive Quality Systems Standard 2
M FULFILMENT of compliance obligation versus COMPLY with compliance obligations ISO 14001:2015 Specific Discussions 2
L Proof of Concept Studies - Do we need to comply with SAE reporting? Medical Device and FDA Regulations and Standards News 3
M MDR, RED and LVD - Should our device comply with them? EU Medical Device Regulations 3
R MDR standards - which standards to comply with ? EU Medical Device Regulations 3
M Informational Some things the EU MDR 2017/745 does not tell you, but you may need to know to comply with it effectively – Part 1 Medical Device and FDA Regulations and Standards News 0
B How to comply with IATF 16949:2016 9.3.2.1k - Management review IATF 16949 - Automotive Quality Systems Standard 2
S How to make Single Sign On (SSO) Comply e-sig requirements? ISO 13485:2016 - Medical Device Quality Management Systems 4
Z Does a website needs to comply with Part 11? Qualification and Validation (including 21 CFR Part 11) 6
Q How to comply with ISO 9001:2015 Clause 7.4 Communication ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
B Quality Policy does not include a commitment to comply with legal requirements Quality Management System (QMS) Manuals 5
S A CE Marked Product that does not comply with the Standard EU Medical Device Regulations 7
H Job Descriptions to comply with ISO Standards ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
M Medical devices are CE mark but not sold in EU - Need to comply with REACH? RoHS, REACH, ELV, IMDS and Restricted Substances 9
M How do you comply with 7.2.3 Customer Comunication AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 9
M Do I need to comply with both the MDD and the PED for my Medical Device? EU Medical Device Regulations 8
S Selecting materials for implants to comply with ISO 10993 biocompatibility Other Medical Device Related Standards 4
A Type of Materials to comply with IEC 60601 (Dental Laser Case) IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
S Definition Comply - What does 'comply' mean to you? (Definition) Definitions, Acronyms, Abbreviations and Interpretations Listed Alphabetically 3
O Comply with 21 CFR 11, but no other FDA regulations? Qualification and Validation (including 21 CFR Part 11) 4
J ISO 9001 Clause 7.5.2 Validation of Processes - How to comply? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 32
A ISO/TS 16949 - Comply SPC requirements Statistical Analysis Tools, Techniques and SPC 22
K Identifying Required Testing to comply with IEC 60601 EU Medical Device Regulations 4
G What is meant by FAI (First Article Inspection) and how do we comply? AS9102 AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 26
C Do all Class 1 Medical Devices (Electrical) have to comply with IEC60601-1? IEC 60601 - Medical Electrical Equipment Safety Standards Series 11
P Outsourced Manufacturing - Making Subcontractors comply with TL9000 TL 9000 Telecommunications Standard and QuEST 2
R Dielectric Strength of Triple Insulated Wire to comply with 2MOPP IEC 60601 - Medical Electrical Equipment Safety Standards Series 3
Fender1 How to comply with ISO 9001 and provide quick/short lead-time orders? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 13
B Commitment to Comply - ISO 14001 Clause 4.2 - Environmental Policy ISO 14001:2015 Specific Discussions 6
G Are Component Manufacturers required to comply with ISO13485:2003 ISO 13485:2016 - Medical Device Quality Management Systems 4
G How to comply with 4.4.5 Contol of Documents - Documents of External Origion Miscellaneous Environmental Standards and EMS Related Discussions 6
J Which kind of medical equipment must comply with IEC60601-1-8? IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
A Procedure for Translating User Documentation to comply with MEDDEV 2.5/5 Other Medical Device Regulations World-Wide 14
H Proprietary Processes - How to Protect and still comply when performing an FAI? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
D How To Comply with ISO 9001 Clause 6.2.2 d (Personnel Awareness) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 16
P ISO 14971 - Is it a guidance document or should we fully comply with it? ISO 14971 - Medical Device Risk Management 14
J Does my company's Business Plan Contents comply with requirements of TS 16949? IATF 16949 - Automotive Quality Systems Standard 2
AnaMariaVR2 Link between failure to comply w/ Lab PPE standards & ISO9001 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
harrysons Automotive product transferring process what requirement to comply? IATF 16949 - Automotive Quality Systems Standard 3
A How to comply with ISO/IEC 17025 Laboratory Requirements ISO 17025 related Discussions 7
L Questions: Plastic Food Container to comply with FDA US Food and Drug Administration (FDA) 6
Q Product Realization Procedure - How to comply with ISO 9001 Clause 7.1 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
Q Suppliers Monitoring their Processes - How to comply with Clause 7.4.3.2 IATF 16949 - Automotive Quality Systems Standard 6
L How to comply with AS9100 Clause 7.6 - Monitoring and measuring devices to be used AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 31
I AS9100B Cl 7.5.1.3 - How to comply with validation of production tools requirement? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 3
K Quality Policy - Potential problem? Adding a Paragraph to Comply ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 27
N Requirements to Comply With FDA 21CFR820 For Invitro Diagnostic Device 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 8
N IVD Manafucturer in India - What Regulatory Requirements to Comply? ISO 13485:2016 - Medical Device Quality Management Systems 7
J How should customer complaints be handled to comply with ISO 9001? Customer Complaints 4
J How to comply with 7.2.1 - Customer Related Process ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6

Similar threads

Top Bottom