
Do We Have to Comply with Our Own Procedures?

John Broomfield

Staff member
Super Moderator
#71
All,

From 1979, quality management system standards had required employees to obey their procedures. Here is how ISO 9001:1994 specified this (from clause 4.9c) to maintain controlled conditions:

“…compliance with reference standards/codes, quality plans and/or documented procedures”

This perpetuated demands from the “we know best department” for the employees to “follow the procedures” or “comply with the ISO System”.

This changed in the year 2000.

ISO 9001:2000 specified in clause 5.1 for top management to show their commitment to their management system and to requirements from customers, regulators (and their documented policy and objectives).

ISO 9001:2000 removed the specification for employee compliance to standard, codes, plans and documented procedures.

Instead clause 5.1 of ISO 9001 now specifies that top management shall:

“…provide evidence of its commitment to the development and implementation of the quality management system and continually improving its effectiveness”

...and 8.2.3 of ISO 9001 now specifies process monitoring for effectiveness.

So, thankfully, we now have top management leading (or not!) the use and improvement of the management system through their words and actions.

Instead of assuming that top managers have made the procedures mandatory we seek evidence of their commitment to their management system’s requirements.

ISO 9001 no longer specifies that employees shall comply with procedures but, just in case I am quoted out of context, ISO 9001 does require top management to show their commitment to the requirements of their management system.

ISO 9001’s normative reference ISO 9000:2000 also differentiated compliance (a legal term) from conformity (for all other requirements).

So, here is a more accurate statement of what ISO 9001 now requires: “top management shall require conformity to the management system’s procedures”. Top management may express their commitment to the requirements of their management system in any number of ways but A and B below may explain the spectrum:

  A. Process teams are led to use and improve these procedures. They may mark-up the procedures as they work to show where they deviated from the procedure or clarified the procedure. The process owner may review these and other suggested changes before the process is improved and its procedure is updated, simplified or scrapped according to the plan. This cycle never ends.

    or

  B. Documented procedures may be issued and the employees instructed to obey them. They obey them even when they know they do not work. Fear rules and no one dares to question the procedure.

As you can see we are being simplistic when saying "conform to the procedures". Indeed, many modern policies, objectives, manuals, plans and procedures omit the word “shall” in favor of the clarity that comes from using the present tense of explaining how the management system works in work environment A above.

Given this we should no longer assume that top management has made the procedures mandatory. Instead we should seek evidence of their commitment by auditing:

  1. How they demonstrate their commitment to requirements (especially when faced with tough decisions)
  2. The psychological aspects of the work environment
  3. Their concern for how well their management system helps the organization to fulfill requirements
  4. Their concern for how well their management system helps the organization to fulfill its objectives
Auditing a process through the auditee’s monitoring of that process is one very effective way of obtaining this evidence.

John
 

Jim Wynne

Staff member
Admin
#72
<snippage>
So, here is a more accurate statement of what ISO 9001 now requires: “top management shall require conformity to the management system’s procedures”. Top management may express their commitment to the requirements of their management system in any number of ways but A and B below may explain the spectrum:

  A. Process teams are led to use and improve these procedures. They may mark-up the procedures as they work to show where they deviated from the procedure or clarified the procedure. The process owner may review these and other suggested changes before the process is improved and its procedure is updated, simplified or scrapped according to the plan. This cycle never ends.

    or

  B. Documented procedures may be issued and the employees instructed to obey them. They obey them even when they know they do not work. Fear rules and no one dares to question the procedure.

As you can see we are being simplistic when saying "conform to the procedures". Indeed, many modern policies, objectives, manuals, plans and procedures omit the word “shall” in favor of the clarity that comes from using the present tense of explaining how the management system works in work environment A above. <more snippage>
Again, I think you're creating a false binary choice. 4.2.1 of ISO 9001:2008 says (in part) that the following documents are required:

c) documented procedures and records required by this International Standard, and

d) documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its processes.


Do you think that the documented procedures in (c) should be considered mandatory as to execution? If so, how are the documents in (d) any different? Are you saying that if a process is carefully and deliberately designed such that optimum operating requirements have been determined and established, that operators should feel free to ignore the requirements and do things however they want to do them?

This is not an either/or question, however there are indeed times when flexibility is needed, and I fully support the idea of allowing people to think and act when it's necessary to do so. It's possible to differentiate between operations and processes with mandatory operating requirements and those wherein dynamic decision-making might be required.

We see people here all the time who have painted themselves into a corner with their own requirements, who feel they must do things because "ISO says so." We need to have people do things because they're the right thing to do, and in some cases the right thing to do is established as mandatory for good reasons.
 

Paul Simpson

Trusted Information Resource
#73
Nicely summarized, Jim.
<snip>Are you saying that if a process is carefully and deliberately designed such that optimum operating requirements have been determined and established, that operators should feel free to ignore the requirements and do things however they want to do them?
Exactly. What is the point of the standards committee distinguishing between process, procedure and documented procedure if people can do what they like so long as the process measures look OK? Bizarre. :nope:

This is not an either/or question, however there are indeed times when flexibility is needed, and I fully support the idea of allowing people to think and act when it's necessary to do so. It's possible to differentiate between operations and processes with mandatory operating requirements and those wherein dynamic decision-making might be required.
Again spot on! :agree1: The standard doesn't say how you have to decide which processes are documented or who decides. Similarly it doesn't say who documents any procedures - as is the case in a lot of lean companies it can be the operators themselves. Which kind of blows a hole in the 'command and control' argument. I've had many instances when I tell people that they don't have to document their procedures but they choose to.

We see people here all the time who have painted themselves into a corner with their own requirements, who feel they must do things because "ISO says so." We need to have people do things because they're the right thing to do, and in some cases the right thing to do is established as mandatory for good reasons.
Nice summary. If someone in the business believes it is necessary to document a procedure to ensure consistent output then people working to the procedure have to comply with it. This isn't a 'fix for all time' thing. If after a while you decide the document is no longer necessary you withdraw it.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#74
Again, I think you're creating a false binary choice.
I agree. That's why I said, earlier in this thread
I don't believe that ISO 9001 made the switch from an assessment of conformity to one's own command media to assessing process effectiveness. They are not mutually exclusive; instead, they are complementary to each other. As I see it, an effective QMS has to have a component of strong discipline in terms of following established processes, and when needed, in a cost effective manner, improve them (the processes).
 

John Broomfield

Staff member
Super Moderator
#75
Again, I think you're creating a false binary choice. 4.2.1 of ISO 9001:2008 says (in part) that the following documents are required:

c) documented procedures and records required by this International Standard, and

d) documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its processes.


Do you think that the documented procedures in (c) should be considered mandatory as to execution? If so, how are the documents in (d) any different? Are you saying that if a process is carefully and deliberately designed such that optimum operating requirements have been determined and established, that operators should feel free to ignore the requirements and do things however they want to do them?

This is not an either/or question, however there are indeed times when flexibility is needed, and I fully support the idea of allowing people to think and act when it's necessary to do so. It's possible to differentiate between operations and processes with mandatory operating requirements and those wherein dynamic decision-making might be required.

We see people here all the time who have painted themselves into a corner with their own requirements, who feel they must do things because "ISO says so." We need to have people do things because they're the right thing to do, and in some cases the right thing to do is established as mandatory for good reasons.
Jim,

In most circumstances I'd be perfectly happy to see the procedures specified by 4.2.1c and those required by the organization (4.2.1d) being used and improved as described below:

"Process teams are competent and led to use and improve these procedures. They may mark-up the procedures as they monitor their work to show where they needed to deviate from the procedure or the procedure needs clarification. Ideas for improving the process would also be noted. The process owner reviews these and other suggested changes before the process is improved and its procedure is updated, simplified or scrapped according to the plan. This cycle never ends".

Even 7.5.2c only requires employees to "use" of procedures for validated processes. And that is for processes that are "carefully and deliberately designed". BTW, this is a tad more onerous than the work instructions being "available" for the non-validated processes (7.5.1b).

John
 

John Broomfield

Staff member
Super Moderator
#76
All,

Thankfully ISO 9001 now requires organizations to run their processes to achieve the planned results.

We know this from the following extracts of clause 4.1 and 8.2.3:

4.1e monitor…these processes, and from 4.1f implement actions necessary to achieve planned results… of these processes
8.2.3 The organization shall apply suitable methods for monitoring…processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate

Pre-2000, ISO 9001 specified that the employees had to follow the procedures for the processes to achieve the planned results.

Wisely, ISO 9001 now specifies the use of procedures as necessary and process monitoring and correction as necessary to achieve planned results.

Who knows? It may be best to follow procedures to achieve the planned process results (one should certainly hope so for validated [7.5.2] processes). It may be best to monitor the processes and make corrections to the procedures or processes as necessary to achieve planned results. Nobody knows this, particularly an independent auditor, until the process is run and monitored against its criteria (see 4.1c) which should include its objective (see 4.1c and 8.2.3).

Then we may perhaps conclude that following the procedure will cause its process to achieve the planned results – depending on other unknown causes of variation that may be revealed by monitoring the process.

IMO “follow the procedure” is so 1994.

Now we would be more accurate if we said ISO 9001 specifies “use the procedure and monitor the process to achieve the planned results”.

John
 

Big Jim

Super Moderator
#77
Jim,

In most circumstances I'd be perfectly happy to see the procedures specified by 4.2.1c and those required by the organization (4.2.1d) being used and improved as described below:

"Process teams are competent and led to use and improve these procedures. They may mark-up the procedures as they monitor their work to show where they needed to deviate from the procedure or the procedure needs clarification. Ideas for improving the process would also be noted. The process owner reviews these and other suggested changes before the process is improved and its procedure is updated, simplified or scrapped according to the plan. This cycle never ends".

Even 7.5.2c only requires employees to "use" of procedures for validated processes. And that is for processes that are "carefully and deliberately designed". BTW, this is a tad more onerous than the work instructions being "available" for the non-validated processes (7.5.1b).

John
Take another look at 7.5.2. The list, a-e, is an "as applicable" list. I read that as 7.5.2 c "use of specific methods and procedures" as being one of a list of ways to accomplish validation, not that 7.5.2 c requires that validation of special processes requires that procedures be developed and followed. Perhaps that is what you meant. I would agree that if that is appropriate and the method chosen, then the procedures would need to be followed.
 

Paul Simpson

Trusted Information Resource
#78
Reference to 7.5.2 is a red herring IMHO. There is sufficient reference to use of documented procedures (confusingly called work instructions) here:
7.5.1 The organization shall plan and carry out production and service provision under controlled conditions. Controlled conditions shall include, as applicable,

b) the availability of work instructions, as necessary,
There are plenty of processes where it is possible to verify the output (so not covered by clause 7.5.2) but, for reasons of speed or cost, you wouldn't want to do this on every product. Instead an organisation might choose to document the production procedure as a means of providing additional control of the process.

Take another look at 7.5.2. The list, a-e, is an "as applicable" list. I read that as 7.5.2 c "use of specific methods and procedures" as being one of a list of ways to accomplish validation, not that 7.5.2 c requires that validation of special processes requires that procedures be developed and followed. Perhaps that is what you meant. I would agree that if that is appropriate and the method chosen, then the procedures would need to be followed.
Clause 7.5.2 only applies to processes
... where the resulting output cannot be verified by subsequent monitoring or measurement and, as a consequence, deficiencies become apparent only after the product is in use or the service has been delivered.
and the requirement for
c) use of specific methods and procedures,
is after the process has been validated. An example might help:

Welding is one of the classic special processes that come under 7.5.2. In many industries where welding is used, control is exercised through use of competent people. In others it is through use of calibrated equipment, and in many industries - particularly using structural or safety critical welds - welding procedures are developed covering:
  • welder qualification;
  • equipment type and calibration;
  • number of welds;
  • direction and orientation of each weld pass;
  • the welding consumables to be used for each pass;
  • speed and feed rates for weld consumables to control material deposition; and
  • post weld treatment processes
The weld procedure is developed during product design and development and generally a completed weld is sectioned and destructively tested to validate that the weld will give the necessary structural strength before the weld procedure is approved and issued for production.

Of course when this procedure is issued people can choose whether they follow it or not. :sarcasm:
 

Jim Wynne

Staff member
Admin
#79
Thankfully ISO 9001 now requires organizations to run their processes to achieve the planned results. <snip>
  1. In order for there to be "planned results," there must be a plan.
  2. The plan for each particular product or process almost always requires documentation beyond the six documented procedures required by ISO 9001:2008.
  3. If the objective is to achieve the planned results, the plan must be followed.
  4. A well-devised plan will allow for some discretion in methods when optional methods have been determined to be non-detrimental to the plan.
  5. #4 notwithstanding, there will be times when optional methods are not permissible, thus a deviation from the plan is a nonconformity (nonfulfillment of a requirement--ISO 9000:2005) under ISO 9001:2008
QED
 

John Broomfield

Staff member
Super Moderator
#80
  1. In order for there to be "planned results," there must be a plan.
  2. The plan for each particular product or process almost always requires documentation beyond the six documented procedures required by ISO 9001:2008.
  3. If the objective is to achieve the planned results, the plan must be followed.
  4. A well-devised plan will allow for some discretion in methods when optional methods have been determined to be non-detrimental to the plan.
  5. #4 notwithstanding, there will be times when optional methods are not permissible, thus a deviation from the plan is a nonconformity (nonfulfillment of a requirement--ISO 9000:2005) under ISO 9001:2008
QED
Jim,

Of course the procedure is the specified way to carry out the process.

But it is top management through their actions that makes the process specifications mandatory or not.

Indeed the procedure may not include a single “shall” but merely describe the latest known way of the process achieving the planned results.

Or, because top management ignores its own procedures, the employees know that even if the procedure is full of “shalls” it is window-dressing; perhaps for certification.

It appears to me that we have legions of auditors (and management reps) willing to do the bidding of managers who cannot or will not lead by example. Instead of enforcing unenforced procedures of an unknown quantity to counter a permissive environment, auditors should report the real system weaknesses that cause people to ignore their procedures.

This is why I said it is better to audit the process through the auditee’s monitoring of that process. Auditors and their auditees learn a lot more that way than assuming the procedure is correct or mandated by management.

John
 