How do you audit past verbal approvals against ISO 9001 Clause 4.2.3a?

Elsmar Forum Sponsor
R

Request 20110311

#22
Re: How do you audit past verbal approvals against ISO 4.2.3a?

I'd tend to favor that people do this kind of bureaucracy because it's been written in How to do ISO books, off the shelf QMS in a box, and consultants and implementers also believe it's 'required'...a bit like members of the 'flat earth society' really!
I disagree that this is often the reason for such constructs.

What happens if the guy who gave verbal approval for operating documents leaves for another company, taking the document management guy with him and now there's only "folklore" to determine what system was in place for "management approved" instructions?

Isn't it just easier to sign the bloody thing?

By the time you fit all the controls around a "verbal approval" scenario you've more often than not doubled your effort, or halved your confidence in the process.

Admittedly though, certain pedantic members of the "QA Community" have indeed lost sight of what matters about approval.

Approval should be meaningful - the approvers should have some ownership of the process and some authority over it.

If someone is just signing because the Quality Manual says a Grade X person must approve the document and the signer actually knows nothing about the process being described by the document, then the signature is next to worthless.

The real issue with poorly contrived signature systems is not the signature requirement itself but the parameters used to judge the applicability of the signature.

For example: I would not have the Marketing Director approve a work instruction for manufacturing - I would have the Manufacturing Director approve it and if the Manufacturing Director felt they were too far from the details of the process to be able to add value in the form of their review and approval of the process then they should delegate that to their supervisors/managers who DO have the familiarity to make such review and approval meaningful.

If the QMS does not allow for this kind of meaningful, intelligent use of the approval signature construct, then the issue lies with the QMS, not with the act of signing things.

Further, as a company gets larger the case for written signatures only gets stronger. It is in the migration from small time operators to more significant market share players that a lot of companies find that their "culture" of "fast and loose" bites them and makes their transition harder.
 
J

JaneB

#23
4.2.3 requires document controls including approvals to be defined in a documented procedure, itself controlled according to the methods it specifies. Verbal approvals can satisfy 4.2.3 if they are consistently performed and effective. "Show me records of approvals" is an inappropriate audit question in such circumstances, because there's no requirement for them.

4.2.4 only requires records specified either in the standard or by the organization to be controlled. It does not require records of conformity with all elements of the standard.
Yes, exactly.

The "Oh, for heaven's sake, just sign the bloody thing!" argument is deceptively simple and on surface appearances a "solution". But it's not an appropriate one. Just as one single example, in a small organisation, where there's only a single MD (CEO), and only that person approves documents, and there is a culture in place that knows that and accepts it, forcing the MD to now do it by signing a form/record/whatever every time they approve something for use would be overkill to say the lease, and definitely unsuitable in their company culture.

As with many other aspects of 9001, it is up to individual organisations to make their own decisions about how approval will be done.

As Pat also said in an excellent post (I've added bold text to the point I want to emphasise):
There are risks, too, in insisting on documented approvals when the management culture is trusting, respectful and disciplined enough not to need them. The biggest such risk is of losing management commitment to the QMS by insisting on bureaucratic activities that deliver no value to the organization
Yes, indeed!

I am not arguing that no signing of approval (or whatever to create a record) is always inappropriate and/or should never be done. There will be situations and organisations where it is required or may be advisable.

But to insist that it be done in all cases? Nope. :nope: And nope again.

It is not required by ISO 9001. And please, let's not turn into the qwality cops enforcing things that don't add value. It's one of the practices that, misused or over-zealously applied, gives 'quality' a bad name, alas.
 
J

JaneB

#24
Re: How do you audit past verbal approvals against ISO 4.2.3a?

Isn't it just easier to sign the bloody thing?
Easier for who?

Easy to audit, yes. Perhaps it's much easier to say 'show me the signed approval form for documents A, B and C' than it is to audit whether there is evidence available that demonstrates that documents are effectively controlled and meet all the relevant requirements of the clause.

I don't see 'easier' as necessarily a good thing in this case. (I tend to agree with Andy about the reason the mythical law about 'approvals must always be in writing' are in place).

But then I'm in favour of effective systems that work for the people who operate within them, rather than the other way around.

I contend that the question 'how do you audit past verbal approvals' isn't the right question. A better question is: 'how do you audit whether documents are controlled in line with mandatory requirements'?

Yes, I agree with you that as companies grow and get larger they may and probably will find a need to apply more controls and that these may include more written approvals. But note I've said 'may' not must. There may also be other ways of doing it - eg, they might be built into a smart IT system, for example. I do know I've seen reasonably good sized companies operating with a relatively low level of signatures to denote approved documents, but that their system overall was robust, with a combination of responsibilities, processes, IT and company culture all playing part.
 
J
#25
Re: How do you audit past verbal approvals against ISO 4.2.3a?

I disagree that this is often the reason for such constructs.

What happens if the guy who gave verbal approval for operating documents leaves for another company, taking the document management guy with him and now there's only "folklore" to determine what system was in place for "management approved" instructions?
If this occurs than there was and is a major problem with the way the QMS system was set up and if an auditor never caught it then HE wasn't doing his job. As someone else already pointed out, there needs to be a document that describes how documents are approved....With this in place your scenerio above should not occur.

Isn't it just easier to sign the bloody thing?

By the time you fit all the controls around a "verbal approval" scenario you've more often than not doubled your effort, or halved your confidence in the process.
It might be. But much depends on the individual comapny.
I don't think that anyone here is saying NOT to have written approvals, only that, by the way the standard is written, it is not required.

Admittedly though, certain pedantic members of the "QA Community" have indeed lost sight of what matters about approval.
Well - there are all types in every field;):notme:

Approval should be meaningful - the approvers should have some ownership of the process and some authority over it.

If someone is just signing because the Quality Manual says a Grade X person must approve the document and the signer actually knows nothing about the process being described by the document, then the signature is next to worthless.
Good point. If a document is written as you suggest above, it is indeed a poorly conceived procedure.

l issue with poorly contrived signature systems is not the signature requirement itself but the parameters used to judge the applicability of the signature.

For example: I would not have the Marketing Director approve a work instruction for manufacturing - I would have the Manufacturing Director approve it and if the Manufacturing Director felt they were too far from the details of the process to be able to add value in the form of their review and approval of the process then they should delegate that to their supervisors/managers who DO have the familiarity to make such review and approval meaningful.

If the QMS does not allow for this kind of meaningful, intelligent use of the approval signature construct, then the issue lies with the QMS, not with the act of signing things.
Well I suppose there might be companies out there that have such poorly designed systems with unqualified people approving documents, but I suspect they are few.
Of course the flip side of your "poorly designed" system with signatures is that, if the review process is "well designed" and consistantly executed, without signatures the system will still be robust and well functioning.
So - The signatures make no difference in whether the system is good or bad.

Further, as a company gets larger the case for written signatures only gets stronger. It is in the migration from small time operators to more significant market share players that a lot of companies find that their "culture" of "fast and loose" bites them and makes their transition harder.
Agrred. I worked for such a small company and saw this to an extent where it was difficult to get them to let go of some of their "seat of the pants" operating methods. However I can tell you, from that same experience, that trying to impose too much too early will get you resistance that can kill a program, or at least seriously delay it's maturing into a good sound and widely accepted operating system.
The Quality Professional needs to be aware of potential needs that come from such growth and be prepared to suggest and implement appropriate changes as needed. Such changes can be increased controls, but such changes might also be a streamlining of controls and eliminating unnecessary paperwork. It all depends on business needs and on the maturity of the QMS.

So the bottom line still is - verbal approvals are acceptable under the standard provided teh method is documented, consistantly applied and effective.
You can require written approvals if that is best for your situation.
You can allow verbal approvals if that is best for your situation.

Peace
James
 
Last edited by a moderator:

Big Jim

Super Moderator
#26
I'm repeating what has already been said, but differently in the hope that it might be understood.

4.2.3 requires document controls including approvals to be defined in a documented procedure, itself controlled according to the methods it specifies. Verbal approvals can satisfy 4.2.3 if they are consistently performed and effective. "Show me records of approvals" is an inappropriate audit question in such circumstances, because there's no requirement for them.

4.2.4 only requires records specified either in the standard or by the organization to be controlled. It does not require records of conformity with all elements of the standard.

There's more authoritative information here:
http://www.iso.org/iso/iso_catalogu...cumentation_requirements_of_iso_9001_2008.htm

For many organizations (usually characterized by low mutual trust and respect, and chaotic or political behaviour) there are risks associated with verbal approvals. Documenting such approvals is a weak control unless it's backed by meaningful leadership and broad-based buy-in to the documented procedures.

There are risks, too, in insisting on documented approvals when the management culture is trusting, respectful and disciplined enough not to need them. The biggest such risk is of losing management commitment to the QMS by insisting on bureaucratic activities that deliver no value to the organization.

Hope this helps,
Pat
The link embedded here is likely the best portion of this entire thread. How many have followed the link and actually read it?
 
J

JaneB

#27
The link embedded here is likely the best portion of this entire thread.
Certainly worth reading, though I'm not sure I'd call it the 'best portion' of this thread.

Even with the referenced guidance, wouldn't you agree some experience as well as thought & debate are needed to understand and apply it? There's at least one slightly odd statement in there, such as the final sentence in this paragraph:

An organization with an existing QMS should not need to rewrite all of its documentation in order to meet the requirements of ISO 9001:2008. This is particularly true if an organization has structured its QMS based on the way it effectively operates, using a process approach. In this case, the existing documentation may be adequate and can be simply referenced in the revised quality manual.
Leading me to wonder, if the 'existing documentation' is adequate... what is this 'revised quality manual' from which one is referencing it?
 
J

JaneB

#28
Re: How do you audit past verbal approvals against ISO 4.2.3a?

Outlandish and ultra-specific scenarios involving very small companies using "verbal approval" for activities do not make written approval a "useless rule inflicted on a QMS".
Why are scenarios involving small companies 'outlandish'? And why use the term 'ultra-specific' (presumably meaning wrong/mistaken?) when a real example or two are given?

And why would not this presumably theoretical one not be considered as 'outlandish' for example?
What happens if the guy who gave verbal approval for operating documents leaves for another company, taking the document management guy with him and now there's only "folklore" to determine what system was in place for "management approved" instructions?
The Standard itself is both explicit and specific about the fact that it is intended to be:
applicable to all organizations, regardless of type, size and product provided. Application, 1.2
and explicitly acknowledging that the design and implementation of a QMS will be influenced by a range of diferent factors (see list in 0.1 General) and again explicitly stating that
It is not the intent of this International Standard to imply uniformity in the structure of quality management systems or uniformity of documentation. 0.1 general
It is not the intent of this International Standard to imply uniformity in the structure of quality management systems or uniformity of documentation
Despite commentary and implied assumptions to the contrary, it is not only for larger organisations!
 
K

Ka Pilo

#29
Consider this scenario. The verbally approved procedure supersedes the prior procedure with written approval. If someone violated the exiting procedure, it's hard to bring legal action. The offender can argue that he followed the legitimate procedure, meaning the signed one.

No, judge in a court would take your side, for your reason that a violation was made. A written approval always takes precedence over verbal approval, IMO.
 

Stijloor

Staff member
Super Moderator
#30
Consider this scenario. The verbally approved procedure supersedes the prior procedure with written approval. If someone violated the exiting procedure, it's hard to bring legal action. The offender can argue that he followed the legitimate procedure, meaning the signed one.

No, judge in a court would take your side, for your reason that a violation was made. A written approval always takes precedence over verbal approval, IMO.
You're mixing legal proceedings with how companies operate. We're not talking about legalities here in this thread. :notme:

Stijloor.
 
Thread starter Similar threads Forum Replies Date
I CB Scheduling ISO9001 Surveillance Audit 15 Months past Re-Cert Audit ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
A Quality Audit Advice - Past Due Device Calibrations due to Cal Supplier Issues Quality Manager and Management Related Issues 14
Q ISO 9001-2015 Internal audit finding Internal Auditing 12
lanley liao How to understand this words that the planning of internal audit shall take into consideration the results of previous audits? Oil and Gas Industry Standards and Regulations 10
P Audit check for IT company (ISO 9001) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
D Supplier audit Medical Device and FDA Regulations and Standards News 2
M Go Live With New ERP System before Recertification Audit General Auditing Discussions 6
A Add MDSAP to Internal Audit Schedule Medical Device Related Regulations 0
A Define timeline for Major and Miner Audit finding General Auditing Discussions 4
J IATF 16949 Internal Audit question - Auditor's responsibility Internal Auditing 6
A API Monogram audit review process Oil and Gas Industry Standards and Regulations 4
S IATF 16949 Internal Audit Example IATF 16949 - Automotive Quality Systems Standard 7
B Remote IATF 16949 audit preparation General Auditing Discussions 10
M AS9100D Registrar pre-audit requirements AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 15
I Do I need to sign off my annual audit calendar? Internal Auditing 2
R AS9100D internal audit checklist or ISO 9001 2015 to AS9100 D AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 2
M Nice and simple invitation email to an audit kickoff meeting Internal Auditing 1
M IATF 16949 - Audit of Remote Location/Support Site and IT IATF 16949 - Automotive Quality Systems Standard 4
Q IATF audit - Root Cause Analysis results IATF 16949 - Automotive Quality Systems Standard 5
Q Self-assessment audit information Quality Management System (QMS) Manuals 6
Le Chiffre Online training available for ISO/IEC 17021-1: Requirements for bodies providing audit and certification of management systems Training - Internal, External, Online and Distance Learning 3
xfngrs NIOSH Audit for N95 respirators US Food and Drug Administration (FDA) 1
Sidney Vianna IATF 16949 News Risked Based Audit Day Calculation IATF 16949 - Automotive Quality Systems Standard 2
T AS9100 audit due to facility move AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4
M ISO 13485:2016 internal audit checklist Medical Device and FDA Regulations and Standards News 5
A Internal Audit Questions ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
B SAP Audit trail Periodic Review EU Medical Device Regulations 1
N What are the software audit and control steps Reliability Analysis - Predictions, Testing and Standards 2
R Gap Audit Aerospsace and Rail QMS Quality Manager and Management Related Issues 0
salaheddine96 Internal audit planning Internal Auditing 2
A MDSAP Audit Questionnaire Medical Device and FDA Regulations and Standards News 7
H Obligations as a contract manufacturer during an MDSAP audit ISO 13485:2016 - Medical Device Quality Management Systems 5
M What are the basics of Medical Device Single Audit Program (MDSAP)? ISO 13485:2016 - Medical Device Quality Management Systems 7
Sidney Vianna IATF 16949 News Update on the IATF CARA Project (“Common Audit Report Application”) - 12/2020 IATF 16949 - Automotive Quality Systems Standard 1
R ISO 17025 vertical audit checklist wanted Document Control Systems, Procedures, Forms and Templates 2
Z Rapid audit template for plastic parts manufacturing process Manufacturing and Related Processes 12
M ISO 9001 Major Nonconformance Internal Audit Schedule/COVID-19 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 18
S Quality Audit Training Activities Quality Manager and Management Related Issues 2
G IATF Rules for COVID 5th revision - Re-certification audit timing IATF 16949 - Automotive Quality Systems Standard 3
E MDR internal audit Internal Auditing 1
Ed Panek Remote Audit GOTOMEETING thoughts Coffee Break and Water Cooler Discussions 22
B ISO 9001 - "Remote Audit Fee" Registrars and Notified Bodies 13
L IATF external audit virtual (remote) IATF 16949 - Automotive Quality Systems Standard 13
M Audit Criteria Training Materials Internal Auditing 1
K New supplier audit as per V3.1 by French Automotive OEM General Auditing Discussions 2
S Complexity Rating - CB adding another audit day for "high complexity" AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 6
U Internal Auditor not trained but done Audit for some process Nonconformance and Corrective Action 5
B Looking for 10 Internal Audit Online Training Participants ISO 17025 related Discussions 2
K MDSAP Audit Approach 2020 for Brazil Other Medical Device Regulations World-Wide 1
K MDSAP Audit Approach 2020 ISO 13485:2016 - Medical Device Quality Management Systems 3

Similar threads

Top Bottom