Do We Have to Comply with Our Own Procedures?

[John Broomfield]

Firstly I agree with Sidney that raking over the coals is non value adding when there is so much else of more worth to talk about.

But there is a general point worth making. When ISO went away from the 20 clause structure for the 2000 edition this meant a change of approach for both standard writers and users. So if you want to write in a requirement to manage a process and to ensure that employees follow any documented procedures intended to control the process then it is likely that this single requirement is incorporated in a couple (or more) requirements in the text.

I try to explain it as drawing threads through the standard to establish a requirement and, as has been mentioned, clause 4.1 describes processes and their control, 4.2 covers documenting processes, 7.1 covers planning, 7.5 control of operations (I still can't bring myself to use 'Product Realization' ) and (finally my particular answer to the question) 5.5.2 a for responsibility for ensuring these process controls and procedures are implemented.


Hope this helps.

Boris,

The embers are still glowing!

It is up to the organization's management to show their commitment to requirements. ISO cannot do it for them. The QM cannot do it for them.

ISO 9001 specifying that the employees shall obey their plans, procedures and instructions may have reflected the lack of management commitment to requirements but it did not help. It was a mistake.

So, in the year 2000 it was removed in favor of monitoring processes per 8.2.3.

Rather than report employees for failing to follow procedures why not investigate the effectiveness of monitoring that process?

All the best,

John

 

[Paul Simpson]

Boris,

The embers are still glowing!

Which is normally the reason for raking over them.

It is up to the organization's management to show their commitment to requirements. ISO cannot do it for them. The QM cannot do it for them.

Agreed. I don't think anyone has said this. The quote I gave was for MR, not QM. The whole point is that MR is at a high enough level to get the QMS implemented - hence part of the Management Responsibilities section.

ISO 9001 specifying that the employees shall obey their plans, procedures and instructions may have reflected the lack of management commitment to requirements but it did not help. It was a mistake.

I understand your point but feel you have missed mine. Effective implementation relies on people working to the procedures the MR decides are necessary.

So, in the year 2000 it was removed in favor of monitoring processes per 8.2.3.

IMHO process monitoring is more about general oversight and KPIs - not necessarily supervision of employees to see they follow procedures.

Rather than report employees for failing to follow procedures why not investigate the effectiveness of monitoring that process?

All the best,

John

This is taking the discussion into another area.

 

[John Broomfield]

Boris,

If I may paraphrase your point:

Effective implementation relies on people using and improving the procedures for control of the processes the MR decides are necessary.

The MR is a staff position. The MR may decide on the necessary processes but does not usually have the authority to supervise conformity to procedures. The MR is not the boss of the people doing the work.

He or she has to be careful to work through management so they demonstrate their commitment to requirements. The MR should not do this in place of of all the other managers.

Monitoring per 8.2.3 never stops. First it is by the operators, then the team leaders, then the supervisors, then perhaps the managers and then perhaps the top managers (rather like what is mistakenly called layered process auditing).

All this monitoring could or should have taken place before the auditor arrives. This is why I recommend, instead of reporting the lack of obedience, auditors should investigate the adequacy of monitoring processes (and procedures) for their conformity and effectiveness.

John

 

[Paul Simpson]

Boris,

If I may paraphrase your point:

No but I bet you are going to do it anyway.

Effective implementation relies on people using and improving the procedures for control of the processes the MR decides are necessary.

Implementing and improving are treated as two separate activities throughout ISO 9001 and that is why I delierately listed just implement (as this is related to the 'obey' question you posed). Similarly if you add in process that is just tautology if you use the ISO 9000 definition of procedure

- specified way to carry out an activity or a process ( )

The MR is a staff position. The MR may decide on the necessary processes but does not usually have the authority to supervise conformity to procedures. The MR is not the boss of the people doing the work.

I don't know what you mean exactly by 'staff position' - all 9001 says on the subject is that it is one of the responsibilities of top manangement to :

appoint a member of the organization's management who, irrespective of other responsibilities, shall have responsibility and authority that includes ...

So my reading of this is the head honcho(s) appoint someone with sufficient clout to make it happen.

Now we could discuss how most QMSs have people in the MR role who don't have this necessary clout but that is another discussion IMHO.

He or she has to be careful to work through management so they demonstrate their commitment to requirements. The MR should not do this in place of of all the other managers.

Nor has anyone said they should. This is just working life and each MR relies on a whole host of interpersonal skills to make sure the project gets delivered. With the same caveat above that many don't have the right blend of 1) those skills and 2) the authority.

Monitoring per 8.2.3 never stops. First it is by the operators, then the team leaders, then the supervisors, then perhaps the managers and then perhaps the top managers (rather like what is mistakenly called layered process auditing).

As I mentioned before this is not something I had planned to discuss.

All this monitoring could or should have taken place before the auditor arrives. This is why I recommend, instead of reporting the lack of obedience, auditors should investigate the adequacy of monitoring processes (and procedures) for their conformity and effectiveness.

John

On this we agree.

 

[Sidney Vianna]

Hence the need to audit process monitoring per 8.2.3 rather than employee conformity per no clause at all.

So, in the year 2000 it was removed in favor of monitoring processes per 8.2.3.

Rather than report employees for failing to follow procedures why not investigate the effectiveness of monitoring that process?

John, I salute you for making a strong case, but, I don't believe that ISO 9001 made the switch from an assessment of conformity to own's command media to assessing process effectiveness. They are not mutually exclusive; instead, they are complementary to each other. As I see it, an effective QMS has to have a component of strong discipline in terms of following established processes, and when needed, in a cost effective manner, improve them (the processes).

Conformity, effectiveness and efficiency of processes are all necessary, even though ISO 9001 does not touch the efficiency piece.

Cheers.

 

[Quality_Steve]

So to check my understanding, If what we are doing is producing the desired results or better, and the proper records are being kept to prove that, it is not a nonconformity in ISO's eye to deviate from the written process. But if the process is failing to meet expectations or failing to produce the records needed to demonstrate effectiveness then we have an issue.

Is this what I should be walking away with?

Thanks
Steve

 

[John Broomfield]

So to check my understanding, If what we are doing is producing the desired results or better, and the proper records are being kept to prove that, it is not a nonconformity in ISO's eye to deviate from the written process. But if the process is failing to meet expectations or failing to produce the records needed to demonstrate effectiveness then we have an issue.

Is this what I should be walking away with?

Thanks
Steve

Steve,

Your documented procedures may be exactly right and management may require strict adherence to these procedures.

After all it is management's job to help people to fulfill the requirements. Usually, though, delivering quality with process management is much more subtle than simply requiring conformity to procedures. Leaders engage their employees in finding better ways continuously.

ISO 9001 requires monitoring of process conformity and effectiveness but no longer requires that employees obey their procedures.

If required that is management's job to enforce not ISO's. Here I am talking about all managers not just the Management Rep or Quality Manager. The MR has to work through the other managers because he or she is not the boss of the people doing the work.

Implement the management system means use it to put it into effect including all of its processes and controls for managing change and improvement. Implement does not mean employees shall conform to procedures.

Last of all, waiting for the auditor to drive improvement makes the system depend on its auditors.

Failure to monitor and correct processes is a nonconformity with clause 8.2.3 and this should happen (a lot) before the auditor turns up.

The system should be driving its own improvements by engaging the employees in monitoring and improving their processes beyond what the procedures happen to specify. They update their procedures so they represent the latest known way of efficiently achieving process objectives. This improvement cycle is repeated by the employees when the employees see it demonstrated by top management (as perhaps, ably advised by the MR).

Cheers,

John

 

[Quality_Steve]

During an internal audit, is it necessary to follow the process or should I just be looking at results of the process?

My thinking is that I should follow them through the process to see if what they are doing matches what is documented, not to catch them doing it wrong, but so, I can improve the documentation to allow for the variation in doing it right, therefore, "maintaining" the system.

It seems to me that only looking at process results is more indicative of a system audit and doesn't really help to improve the processes.

Thanks for your input.

Steve

 

[John Broomfield]

During an internal audit, is it necessary to follow the process or should I just be looking at results of the process?

My thinking is that I should follow them through the process to see if what they are doing matches what is documented, not to catch them doing it wrong, but so, I can improve the documentation to allow for the variation in doing it right, therefore, "maintaining" the system.

It seems to me that only looking at process results is more indicative of a system audit and doesn't really help to improve the processes.

Thanks for your input.

Steve

Steve,

Ask the people operating the process how they know it is working effectively (4.1) and what they do on finding that the process is failing to fulfill its objectives (4.1).

Ask the people operating the process how they monitor conformity to their procedures (8.2.3) and what they do on finding that the procedure needs to be changed (8.2.3).

Auditees should already be improving their processes without the help of the auditors. If not find out why managers are not seeking information on where the system needs to be improved so the system is improved without relying on the auditors.

Focus on how well the management system (includes leadership) helps the employees to determine and fulfill requirements; including the requirement for continual improvement.

Do not allow auditors to become the only people enforcing the procedures and driving improvements. In a mature management system no more that 20% of the CARs should come from audit.

John

 

[Quality_Steve]

Thanks John, that makes a lot of sense. I will take another look at my audit plans and steer them in this direction.