Do We Have to Comply with Our Own Procedures?

[John Broomfield]

I don't get it ...

Do you say ISO 9001 doesn't require compliance to procedures ?

What's the whole point of having procedures if following them or not is irrelevant, then ?

Bonhomme,

Procedures are the result of designing the process or they may capture what is thought to be necessary to operate a process.

Process teams are led to use and improve these procedures. They may mark-up the procedures as they work to show where they deviated from the procedure or clarified the procedure. The process owner may review these suggested changes before the procedure is updated, simplified or scrapped according to the plan. This cycle never ends.

Or documented procedures may be issued and the employees instructed to obey them. They obey them even when they know they do not work. Fear rules and no one dares to question the procedure.

Rarely is as cut and dried as this but we are being simplistic when saying "conform to the procedures". This may be a reason* why ISO 9001 no longer specifies employees shall conform to procedures but this as the job on to top management (and not just the MR). *Another reason perhaps is that someone could be injured by an employee following a procedure.

Monitoring should align the process to its procedure and vice versa but we cannot assume the procedure is always right.

John

 

[Paul Simpson]

Boris,

Sorry for shaking your world!

My world may be rocking but not because of anything you have posted, John. Trust me.

I just want to correct a potential misconception that other Covers might have through reading your post(s) on this subject.

ISO 9001 no longer specifies that employees shall conform to procedures. It does however specify that top management shall demonstrate its commitment to requirements. Hence this would be top management specifying employee obedience not ISO 9001.

I'm not going into semantics on determine versus specify or any other nonsense like that. I will however be interested to see where you get your requirements for top management from. My copy of 9001 doesn't have that set of words.

BTW I do realize that there is no 'shall' statement in ISO 9001 that specifically says employees have to follow procedures but it is covered in a range of clause requirements. I quoted a few of these in my last post that taken together clearly (I thought) showed the link between top management developing and implemening their QMS and the need for audit to show that employees are following documented procedures. If I have misunderstood the posts you made please feel free to explain or if there is a fault in my logic then again please point it out.

It also requires internal auditors to determine conformity to planned arrangements.

I quoted the text in my last post - here it is with a bit more detail:

The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the
requirements of this International Standard and to the quality management system requirements established by the organization, and

b) is effectively implemented and maintained.

Now if you can't see compliance auditing in there then I give up.

The planned arrangements may be command and control or the opposite of command and control (autonomy) but the plan is probably somewhere between the two extremes according to the situation.

Again. If the organisation decides there is no need for documented procedures apart from the 'infamous 6' then there is no 'compliance' to be evaluated. If (as per the OP) the organisation decides it has to document a 'specified way to carry out an activity or a process' (procedure) then it is important that employees work to that procedure and therefore the auditor should check to see it is being done as specified.

Even if the planned arrangements are 100% command and control then it is top management that makes this clear to employees not ISO 9001.

By documenting a procedure top management are telling employees that it has to be done a certain way.

I realize this shakes the world of control freaks. It also shakes the worlds of people who unreasonably accuse ISO 9001 of specifying command and control management.

Now I suppose I have to take this comment with your opening apology for 'shaking my world' and this means you believe me to be a control freak. Well this perception is far from the truth and does you no credit. I will leave it there.

But we would be wise to loosen up and apply the degree of control and autonomy (both are plans) required to the situation instead of trying to create mechanistic management systems.

Give me an adaptive management system every time.

John

Nobody has made any judgement about

1. the number of procedures required in a QMS. The beauty is it is the organisation that decides
2. the complexity of any procedures required. They can be as simple or complex as the organisation decides
3. how often the procedures can be updated. The procedure can change to adapt to local requirements as often as you like
4. the approval process to change a documented procedure. The procedure can be changed by the end user if so required it doesn't have to go through a laborious control process if that isn't what is needed

So it seems you are reading bureaucracy into my posts that isn't there whereas my two points are simply:

1. If the organisation decides a documented procedure is required then anyone working in the process has to follow that procedure
2. An internal audit should evaluate whether people are following the documented procedure(s).

 

[Big Jim]

And it all flows from "I am here to see how well your management system helps you to do good work" not "I am here to verify your conformity to your procedures".

Cheers,

John

As opened 10 years ago, this thread was intended to invite divergent opinions, and it truly has and continues to do so.

Although intellectually stimulating and entertaining, I doubted that there was much enlightenment here until I read the above.

This is very insightful, but I would probably soften it somewhat to something more like "I am mostly here to see how well your quality management system performs and to a lesser extent to verify your conformity to your procedures".

I don't think we can ignore verifying conformity, but stressing performance is not only in keeping with the greater emphasis of the process approach that the 2000 version heralded, but is also far more value added.

Thanks again John. Until your post I was thinking of tossing in the popcorn icon for the entertainment value of this thread.

 

[Quality_Steve]

Hi, Steve. I take it when you say 'follow the process' you mean compare it with the documented procedure? Please correct me if I am wrong. I am also assuming this is an internal audit of your own system - again please correct me if this is not the case.

But in answer to the question - Yes - as part of your internal audit you should be looking at the procedure being used to see that people are complying. I'll pick up the 'why do this' below.

Paul, I'm working on building audit plans for internal audits of a packaging and distribution center. I'm looking to a level of work instructions in the form of flowcharts. For instance our shipping process is broke down to several flowcharts such as order generation, order picking, order processing and order closing. Each are detailed with the steps taken to complete each task. Our procedure only says "orders are completed utilizing SAP and considered successful unless we hear otherwise" to cover requirement for 7.5.1f. I think our procedure is very weak and not a lot there to audit to. So I want to drill into the detailed flowcharts to flow the process. To John's point if they are not picking orders exactly as the flowchart states, it may not be a nonconformity but it could be an opportunity for improvement. And that is up to management to figure out if the process needs updated, re-enforced, or deleted.

I deeply appreciate both of your outlooks on the subject and feel I can pull from both to create an audit that will create value for our company.

Thanks again,

Steve

 

[John Broomfield]

Paul, I'm working on building audit plans for internal audits of a packaging and distribution center. I'm looking to a level of work instructions in the form of flowcharts. For instance our shipping process is broke down to several flowcharts such as order generation, order picking, order processing and order closing. Each are detailed with the steps taken to complete each task. Our procedure only says "orders are completed utilizing SAP and considered successful unless we hear otherwise" to cover requirement for 7.5.1f. I think our procedure is very weak and not a lot there to audit to. So I want to drill into the detailed flowcharts to flow the process. To John's point if they are not picking orders exactly as the flowchart states, it may not be a nonconformity but it could be an opportunity for improvement. And that is up to management to figure out if the process needs updated, re-enforced, or deleted.

I deeply appreciate both of your outlooks on the subject and feel I can pull from both to create an audit that will create value for our company.

Thanks again,

Steve

Steve,

Often when interfacing with a computer system like SAP additional detailed documented procedures are not required.

Why not ask the process team members to take you through their process and how they monitor its effectiveness and the conformity of output.

The procedure is a combination of what is documented and what is established by training, tacit knowledge and the enforced SAP routines.

Picking errors are unlikely to be avoided by making the procedure more detailed. Such errors may be due to the way the process is designed with regard for human factors including the arrangement of the bins, part numbering, RFID, barcodes, scanners and the picklists themselves.

You seem to want more detail in the documented procedure so you have more to audit. Or have I misunderstood you? Do not use the standard or the documented procedure as an auditor's crutch - rely on preparation and your good sense. Show genuine interest and ask questions about control and effectiveness when the process team members show you how their process works. If you want, you could prepare for the audit by mapping the process first but resist the temptation to add your map to the management system.

Do not burden the system with more paper at this stage. You may find that critical controls are missing from the documented procedure but prompted by SAP itself and that may prove effective.

I would not assume that any part of the documented procedure was right but I would ask its users to demonstrate its value and any shortcomings. I may then ask if the shortcomings of the procedure were brought to the attention of management. I would then have a rather interesting fact-based discussion with the manager when I may learn that the documented procedure was countermanded or being developed out of the team's desire to improve it.

Some auditors may try to enforce less than fully effective procedures or insist on conformity to a procedure that the users know does not work. We all know what we think of such auditors!

John

 

[Jim Wynne]

I'm at a loss as to how anyone can hold the opinion that the organization's documents don't represent auditable QMS requirements.

4.2.1(d) of ISO 9001:2008 says what's required are "...documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its processes." (My emphasis)

We should be able to presume that QMS documents are intended to describe the organization's needs for (at least) the operation and control of processes. When the organization declares (tacitly, by inclusion) that certain documents are necessary, it is also declaring that the documents (and presumably the requirements expressed therein) are necessary elements of process control. In this sense they are no different from the "Big Six" that are explicitly required.

 

[Paul Simpson]

Paul, I'm working on building audit plans for internal audits of a packaging and distribution center. I'm looking to a level of work instructions in the form of flowcharts. For instance our shipping process is broke down to several flowcharts such as order generation, order picking, order processing and order closing. Each are detailed with the steps taken to complete each task.

OK, as I understand it these flow charts are already in place. Whatever they are called these are the documents that make up your QMS and your audit plan should include them.

Our procedure only says "orders are completed utilizing SAP and considered successful unless we hear otherwise" to cover requirement for 7.5.1f. I think our procedure is very weak and not a lot there to audit to. So I want to drill into the detailed flowcharts to flow the process. To John's point if they are not picking orders exactly as the flowchart states, it may not be a nonconformity but it could be an opportunity for improvement. And that is up to management to figure out if the process needs updated, re-enforced, or deleted.

Actually, and I don't want to make a meal of this, if people are not working to the defined procedure then it is an NC - by definition if the practice does not conform with the requirements as documented in the flow chart that are in place. You are absolutely right, though, the decision as to how management deals with your NC is down to them and could, as one option in my earlier post extend to withdrawing the flow charts. The decision as to the level of documentation in this process is completely your organization's but whatever is documented forms part of the audit and peole should comly with it.

I deeply appreciate both of your outlooks on the subject and feel I can pull from both to create an audit that will create value for our company.

Thanks again,

Steve

I am only sorry Steve that you are being given conflicting advice. It must be very confusing.

 

[John Broomfield]

My world may be rocking but not because of anything you have posted, John. Trust me.

I just want to correct a potential misconception that other Covers might have through reading your post(s) on this subject.


I'm not going into semantics on determine versus specify or any other nonsense like that. I will however be interested to see where you get your requirements for top management from. My copy of 9001 doesn't have that set of words.

BTW I do realize that there is no 'shall' statement in ISO 9001 that specifically says employees have to follow procedures but it is covered in a range of clause requirements. I quoted a few of these in my last post that taken together clearly (I thought) showed the link between top management developing and implemening their QMS and the need for audit to show that employees are following documented procedures. If I have misunderstood the posts you made please feel free to explain or if there is a fault in my logic then again please point it out.



I quoted the text in my last post - here it is with a bit more detail:
Now if you can't see compliance auditing in there then I give up.

Again. If the organisation decides there is no need for documented procedures apart from the 'infamous 6' then there is no 'compliance' to be evaluated. If (as per the OP) the organisation decides it has to document a 'specified way to carry out an activity or a process' (procedure) then it is important that employees work to that procedure and therefore the auditor should check to see it is being done as specified.


By documenting a procedure top management are telling employees that it has to be done a certain way.


Now I suppose I have to take this comment with your opening apology for 'shaking my world' and this means you believe me to be a control freak. Well this perception is far from the truth and does you no credit. I will leave it there.

Nobody has made any judgement about

1. the number of procedures required in a QMS. The beauty is it is the organisation that decides
2. the complexity of any procedures required. They can be as simple or complex as the organisation decides
3. how often the procedures can be updated. The procedure can change to adapt to local requirements as often as you like
4. the approval process to change a documented procedure. The procedure can be changed by the end user if so required it doesn't have to go through a laborious control process if that isn't what is needed

So it seems you are reading bureaucracy into my posts that isn't there whereas my two points are simply:

1. If the organisation decides a documented procedure is required then anyone working in the process has to follow that procedure
2. An internal audit should evaluate whether people are following the documented procedure(s).

Boris,

From today's news. What can happen when good people "following their procedures" for reporting child abuse allowed these procedures to trump the diagnosis of why the babies bones were so fragile.

http://www.lccsa.org.uk/news.asp?mid=71&ItemID=22690

Auditors rarely know ahead of the audit if the procedures are effective in avoiding adverse outcomes. This is why we should be careful to audit the monitoring of the processes against their written and unwritten procedures instead.

John

 

[Paul Simpson]

Boris,

You might want to do a hard refresh on your browser John (F5) as I have reverted to my given name.

From today's news. What can happen when good people "following their procedures" for reporting child abuse allowed these procedures to trump the diagnosis of why the babies bones were so fragile.

http://www.lccsa.org.uk/news.asp?mid=71&ItemID=22690

I haven't seen it but will gladly have a look.

Auditors rarely know ahead of the audit if the procedures are effective in avoiding adverse outcomes. This is why we should be careful to audit the monitoring of the processes against their written and unwritten procedures instead.

John

Auditors aren't there to make judgements but to report facts. I replied to your post because you made a sweeping and incorrect statement. You have gone on to insult me so I suggest you ignore my posts and I will ignore yours - except to say I disagree. Please feel free to do the same

 

[John Broomfield]

I'm at a loss as to how anyone can hold the opinion that the organization's documents don't represent auditable QMS requirements.

4.2.1(d) of ISO 9001:2008 says what's required are "...documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its processes." (My emphasis)

We should be able to presume that QMS documents are intended to describe the organization's needs for (at least) the operation and control of processes. When the organization declares (tacitly, by inclusion) that certain documents are necessary, it is also declaring that the documents (and presumably the requirements expressed therein) are necessary elements of process control. In this sense they are no different from the "Big Six" that are explicitly required.

Jim,

Of course the procedures are audit criteria but first they are criteria for monitoring processes.

As independent auditors we should not assume that the procedures are right. Therefore we involve members of the process team in showing us how they use their procedures to monitor the processes for conformity and effectiveness. We also examine evidence of corrections and corrective actions resulting from process monitoring.

That way we learn more about how well the management system helps employees to determine and fulfill requirements.

Command and control auditing to enforce procedures that are possibly ineffective or incorrect makes no sense to me.

John