Do We Have to Comply with Our Own Procedures?

[John Broomfield]

All,

From 1979, quality management system standards had required employees to obey their procedures. Here is how ISO 9001:1994 specified this (from clause 4.9c) to maintain controlled condtions:

“…compliance with reference standards/codes, quality plans and/or documented procedures”

This perpetuated demands from the “we know best department” for the employees to “follow the procedures” or “comply with the ISO System”.

This changed in the year 2000.

ISO 9001:2000 specified in clause 5.1 for top management to show their commitment to their management system and to requirements from customers, regulators (and their documented policy and objectives).

ISO 9001:2000 removed the specification for employee compliance to standard, codes, plans and documented procedures.

Instead clause 5.1 of ISO 9001 now specifies that top management shall:

“…provide evidence of its commitment to the development and implementation of the quality management system and continually improving its effectiveness”

...and 8.2.3 of ISO 9001 now specifies process monitoring for effectiveness

So, thankfully, we now have top management leading (or not!) the use and improvement of the management system through their words and actions.

Instead of assuming that top managers have made the procedures mandatory we seek evidence of their commitment to their management system’s requirements.

ISO 9001 no longer specifies that employees shall comply with procedures but, just in case I am quoted out of context, ISO 9001 does require top management to show their commitment to the requirements of their management system.

ISO 9001’s normative reference ISO 9000:2000 also differentiated compliance (a legal term) from conformity (for all other requirements).

So, here is a more accurate statement of what ISO 9001 now requires: “top management shall require conformity to the management system’s procedures”. Top management may express their commitment to the requirements of their management system in any number of ways but A and B below may explain the spectrum:

• Process teams are led to use and improve these procedures. They may mark-up the procedures as they work to show where they deviated from the procedure or clarified the procedure. The process owner may review these and other suggested changes before the process is improved and its procedure is updated, simplified or scrapped according to the plan. This cycle never ends.
  
  or
  
  
• Documented procedures may be issued and the employees instructed to obey them. They obey them even when they know they do not work. Fear rules and no one dares to question the procedure.

As you can see we are being simplistic when saying "conform to the procedures". Indeed, many modern policies, objectives, manuals, plans and procedures omit the word “shall” in favor of the clarity that comes from using the present tense of explaining how the management system works in work environment A above.

Given this we should no longer assume that top management has made the procedures mandatory. Instead we should seek evidence of their commitment by auditing:

1. How they demonstrate their commitment to requirements (especially when faced with tough decisions)
2. The psychological aspects of the work environment
3. Their concern for how well their management system helps the organization to fulfill requirements
4. Their concern for how well their management system helps the organization to fulfill its objectives

Auditing a process through the auditee’s monitoring of that process is one very effective way of obtaining this evidence.

John

 

[Jim Wynne]

<snippage>
So, here is a more accurate statement of what ISO 9001 now requires: “top management shall require conformity to the management system’s procedures”. Top management may express their commitment to the requirements of their management system in any number of ways but A and B below may explain the spectrum:

• Process teams are led to use and improve these procedures. They may mark-up the procedures as they work to show where they deviated from the procedure or clarified the procedure. The process owner may review these and other suggested changes before the process is improved and its procedure is updated, simplified or scrapped according to the plan. This cycle never ends.
  
  or
• Documented procedures may be issued and the employees instructed to obey them. They obey them even when they know they do not work. Fear rules and no one dares to question the procedure.

As you can see we are being simplistic when saying "conform to the procedures". Indeed, many modern policies, objectives, manuals, plans and procedures omit the word “shall” in favor of the clarity that comes from using the present tense of explaining how the management system works in work environment A above. <more snippage>

Again, I think you're creating a false binary choice. 4.2.1 of ISO 9001:2008 says (in part) that the following documents are required:

c) documented procedures and records required by this International Standard, and

d) documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its processes.

Do you think that the documented procedures in (c) should be considered mandatory as to execution? If so, how are the documents in (d) any different? Are you saying that if a process is carefully and deliberately designed such that optimum operating requirements have been determined and established, that operators should feel free to ignore the requirements and do things however they want to do them?

This is not an either/or question, however there are indeed times when flexibility is needed, and I fully support the idea of allowing people to think and act when it's necessary to do so. It's possible to differentiate between operations and processes with mandatory operating requirements and those wherein dynamic decision-making might be required.

We see people here all the time who have painted themselves into a corner with their own requirements, who feel they must do things because "ISO says so." We need to have people do things because they're the right thing to do, and in some cases the right thing to do is established as mandatory for good reasons.

 

[Paul Simpson]

Nicely summarized, Jim.

<snip>Are you saying that if a process is carefully and deliberately designed such that optimum operating requirements have been determined and established, that operators should feel free to ignore the requirements and do things however they want to do them?

Exactly. What is the point of the standards committee distinguishing between process, procedure and documented procedure if people can do what they like so long as the process measures look OK? Bizarre.

This is not an either/or question, however there are indeed times when flexibility is needed, and I fully support the idea of allowing people to think and act when it's necessary to do so. It's possible to differentiate between operations and processes with mandatory operating requirements and those wherein dynamic decision-making might be required.

Again spot on! The standard doesn't say how you have to decide which processes are documented or who decides. Similarly it doesn't say who documents any procedures - as is the case in a lot of lean companies it can be the operators themselves. Which kind of blows a hole in the 'command and control' argument. I've had many instances when I tell people that they don't have to document their procedures but they choose to.

We see people here all the time who have painted themselves into a corner with their own requirements, who feel they must do things because "ISO says so." We need to have people do things because they're the right thing to do, and in some cases the right thing to do is established as mandatory for good reasons.

Nice summary. If someone in the business believes it is necessary to document a procedure to ensure consistent output then people working to the procedure have to comply with it. This isn't a 'fix for all time' thing. If after a while you decide the document is no longer necessary you withdraw it.

 

[Sidney Vianna]

Again, I think you're creating a false binary choice.

I agree. That's why I said, earlier in this thread

I don't believe that ISO 9001 made the switch from an assessment of conformity to own's command media to assessing process effectiveness. They are not mutually exclusive; instead, they are complementary to each other. As I see it, an effective QMS has to have a component of strong discipline in terms of following established processes, and when needed, in a cost effective manner, improve them (the processes).

 

[John Broomfield]

Again, I think you're creating a false binary choice. 4.2.1 of ISO 9001:2008 says (in part) that the following documents are required:

c) documented procedures and records required by this International Standard, and

d) documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its processes.

Do you think that the documented procedures in (c) should be considered mandatory as to execution? If so, how are the documents in (d) any different? Are you saying that if a process is carefully and deliberately designed such that optimum operating requirements have been determined and established, that operators should feel free to ignore the requirements and do things however they want to do them?

This is not an either/or question, however there are indeed times when flexibility is needed, and I fully support the idea of allowing people to think and act when it's necessary to do so. It's possible to differentiate between operations and processes with mandatory operating requirements and those wherein dynamic decision-making might be required.

We see people here all the time who have painted themselves into a corner with their own requirements, who feel they must do things because "ISO says so." We need to have people do things because they're the right thing to do, and in some cases the right thing to do is established as mandatory for good reasons.

Jim,

In most circumstances I'd be perfectly happy to see the procedures specified by 4.2.1c and those required by the organization (4.2.1d) being used and improved as described below:

"Process teams are competent and led to use and improve these procedures. They may mark-up the procedures as they monitor their work to show where they needed to deviate from the procedure or the procedure needs clarification. Ideas for improving the process would also be noted. The process owner reviews these and other suggested changes before the process is improved and its procedure is updated, simplified or scrapped according to the plan. This cycle never ends".

Even 7.5.2c only requires employees to "use" of procedures for validated processes. And that is for processes that are "carefully and deliberately designed". BTW, this is a tad more onerous than the work instructions being "available" for the non-validated processes (7.5.1b).

John

 

[John Broomfield]

All,

Thankfully ISO 9001 now requires organizations to run their processes to achieve the planned results.

We know this from the following extracts of clause 4.1 and 8.2.3:

4.1e monitor…these processes, and from 4.1f implement actions necessary to achieve planned results… of these processes
8.2.3 The organization shall apply suitable methods for monitoring…processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate

Pre-2000, ISO 9001 specified that the employees had to follow the procedures for the processes to achieve the planned results.

Wisely, ISO 9001 now specifies the use of procedures as necessary and process monitoring and correction as necessary to achieve planned results.

Who knows? It may be best to follow procedures to achieve the planned process results (one should certainly hope so for validated [7.5.2] processes). It may be best to monitor the processes and make corrections to the procedures or processes as necessary to achieve planned results. Nobody knows this, particularly an independent auditor, until the process is run and monitored against its criteria (see 4.1c) which should include its objective (see 4.1c and 8.2.3).

Then we may perhaps conclude that following the procedure will cause its process to achieve the planned results – depending on other unknown causes of variation that may be revealed by monitoring the process.

IMO “follow the procedure” is so 1994.

Now we would be more accurate if we said ISO 9001 specifies “use the procedure and monitor the process to achieve the planned results”.

John

 

[Big Jim]

Jim,

In most circumstances I'd be perfectly happy to see the procedures specified by 4.2.1c and those required by the organization (4.2.1d) being used and improved as described below:

"Process teams are competent and led to use and improve these procedures. They may mark-up the procedures as they monitor their work to show where they needed to deviate from the procedure or the procedure needs clarification. Ideas for improving the process would also be noted. The process owner reviews these and other suggested changes before the process is improved and its procedure is updated, simplified or scrapped according to the plan. This cycle never ends".

Even 7.5.2c only requires employees to "use" of procedures for validated processes. And that is for processes that are "carefully and deliberately designed". BTW, this is a tad more onerous than the work instructions being "available" for the non-validated processes (7.5.1b).

John

Take another look at 7.5.2. The list, a-e, is an "as applicable" list. I read that as 7.5.2 c "use of specific methods and procedures" as being one of a list of ways to accomplish validation, not that 7.5.2 c requires that validation of special processes requires that procedures be developed and followed. Perhaps that is what you meant. I would agree that if that is appropriate and the method chosen, then the procedures would need to be followed.

 

[Paul Simpson]

Reference to 7.5.2 is a red herring IMHO. There is sufficent reference to use of documented procedures (confusingly called work instructions) here:

7.5.1 The organization shall plan and carry out production and service provision under controlled conditions. Controlled conditions shall include, as applicable,

b) the availability of work instructions, as necessary,

There are plenty of processes where it is possible to verify the output (so not covered by clause 7.5.2) but, for reasons of speed or cost you wouldn't want to do this on every product. instead an organisation might choose to document the production procedure as a means of providing additional control of the process.

Take another look at 7.5.2. The list, a-e, is an "as applicable" list. I read that as 7.5.2 c "use of specific methods and procedures" as being one of a list of ways to accomplish validation, not that 7.5.2 c requires that validation of special processes requires that procedures be developed and followed. Perhaps that is what you meant. I would agree that if that is appropriate and the method chosen, then the procedures would need to be followed.

Clause 7.5.2 only applies to processes

... where the resulting output cannot be verified by subsequent monitoring or measurement and, as a consequence, deficiencies become apparent only after the product is in use or the service has been delivered.

and the requirement for

c) use of specific methods and procedures,

is after the process has been validated. An example might help:

Welding is one of the classic special process that comes under 7.5.2. In many industries where welding is used control is exercised through use of competent people. In others it is through use of calibrated equipment and in many industries - particularly using structural or safety critical welds welding procedures are developed covering:

• welder qualification;
• equipment type and calibration;
• number of welds;
• direction and orientation of each weld pass;
• the welding consumables to be used for each pass;
• speed and feed rates for weld consumables to control material deposition; and
• post weld treatment processes

The weld procedure is developed during product design and development and generally a completed weld is sectioned and destructively tested to validate that the weld will give the necessary structural strength before the weld procedure is approved and issued for production.

Of course when this procedure is issued people can choose whether they follow it or not.

 

[Jim Wynne]

Thankfully ISO 9001 now requires organizations to run their processes to achieve the planned results. <snip>

1. In order for there to be "planned results," there must be a plan.
2. The plan for each particular product or process almost always requires documentation beyond the six documented procedures required by ISO 9001:2008.
3. If the objective is to achieve the planned results, the plan must be followed.
4. A well-devised plan will allow for some discretion in methods when optional methods have been determined to be non-detrimental to the plan.
5. #4 notwithstanding, there will be times when optional methods are not permissible, thus a deviation from the plan is a nonconformity (nonfulfillment of a requirement--ISO 9000:2005) under ISO 9001:2008

QED

 

[John Broomfield]

1. In order for there to be "planned results," there must be a plan.
2. The plan for each particular product or process almost always requires documentation beyond the six documented procedures required by ISO 9001:2008.
3. If the objective is to achieve the planned results, the plan must be followed.
4. A well-devised plan will allow for some discretion in methods when optional methods have been determined to be non-detrimental to the plan.
5. #4 notwithstanding, there will be times when optional methods are not permissible, thus a deviation from the plan is a nonconformity (nonfulfillment of a requirement--ISO 9000:2005) under ISO 9001:2008

QED

Jim,

Of course the procedure is the specified way to carry out the process.

But it is top management through their actions that makes the process specifications mandatory or not.

Indeed the procedure may not include a single “shall” but merely describe the latest known way of the process achieving the planned results.

Or, because top management ignores its own procedures, the employees know that even if the procedure is full of “shalls” it is window-dressing; perhaps for certification.

It appears to me that we have legions of auditors (and management reps) willing to do the bidding of managers who cannot or will not lead by example. Instead of enforcing unenforced procedures of an unknown quantity to counter a permissive environment, auditors should report the real system weaknesses that causes people to ignore their procedures.

This is why I said it is better to audit the process through the auditee’s monitoring of that process. Auditors and their auditees learn a lot more that way than assuming the procedure is correct or mandated by management.

John