
IATF 16949 9.2.2.1 Internal Audit Program - "Process Changes"

vailmij

Starting to get Involved
#1
Hello everyone,

I know the Internal Audit Program section of the standard has been discussed dozens of times before on this forum, but what I think could be still useful is clarification of the term "process change" that is used in section 9.2.2.1.

Specifically, the sentence I am referring to states that "The frequency of audits shall be reviewed and, where appropriate, adjusted based on occurrence of process changes, internal and external nonconformities, and/or customer complaints."

Our quality team was discussing ways we can improve our internal audit program, and we came upon some different interpretations as to what exactly the standard is considering a "process change" in the context of this section. Throughout our procedures and several quality documents, we mention "process changes", but they are referring to a change in the way a part is processed through product realization, for example adding an additional cleaning step for a particular part before packing. So, a definition of process change in that context would be "any changes that impact product realization" [or perhaps something more specific]

Using this definition, it would then mean that any "process changes," such as the example above, would have to be an input during the internal audit reviews. It doesn't seem logical to me, however, that these types of changes have any bearing on the internal audit program. These changes are already controlled and verified using our Control of Changes procedures (see Sec 8.5.6).

What I would propose is that, in the context of the internal audit program, "process change" be defined as "any changes to the equipment, procedures, controls, or outputs of a QMS process." This definition is more appropriate, in my opinion, to the internal audit program because it is logical that if there have been any of these types of changes to a QMS process, then those changes should be reviewed when planning the internal audit schedule.

I hope I have made my distinction clear enough to spur a discussion. I would be very interested to know if your organization uses either of these interpretations of "process changes."

tl;dr In the context of reviewing the internal audit program, what is your organization's definition of a "process change"? How is the review of "process changes" incorporated into your organization's internal audit program?
 
#2
Anything that has changed, should probably be audited. Both situations you describe would be applicable. The part processing change would be caught in your manufacturing process audits. The procedural/structural changes would be caught in your standard system audit.
 

Tagin

Quite Involved in Discussions
#3
ISO 9000:2015 defines 'process' as "set of interrelated or interacting activities that use inputs to deliver an intended result".

Therefore, a process change would presumably be any alteration of the 'interrelated or interacting activities' or inputs comprising that process.

Your definition of "any changes to the equipment, procedures, controls, or outputs of a QMS process" attempts to make an explicit list of which elements of processes are auditable if altered, but you are missing some elements, such as location change or environmental change.

My point is that an explicit laundry list of process elements may end up being problematic to use as a rule, and the higher-level more abstract definition from 9000 may leave more room for interpretation but will not unintentionally omit some auditable category of change.


> Using this definition, it would then mean that any "process changes," such as the example above, would have to be an input during the internal audit reviews. It doesn't seem logical to me, however, that these types of changes have any bearing on the internal audit program. These changes are already controlled and verified using our Control of Changes procedures (see Sec 8.5.6).

I don't understand. Wouldn't "adding an additional cleaning step" modify your procedures, and therefore fall under your second definition of process change as being an auditable change?
 

vailmij

Starting to get Involved
#4
Thank you for the feedback!

Golfman25,
> Anything that has changed, should probably be audited.

I completely agree with this. I'm thinking that these two different "process change" categories that I am proposing would need to be addressed slightly differently.

> The part processing change would be caught in your manufacturing process audits.

In my understanding, organizations are already required to have Change Control (see Sec 8.5.6) already in place, which ensure that changes are proposed, reviewed, implemented, monitored and verified using the standard Quality tools that would be expected. In such cases, wouldn't these Change Control actions be at least as thorough and effective as an audit would be, making an audit redundant? If not, would a Product Audit be most appropriate?

Tagin,
> ISO 9000:2015 defines 'process' as "set of interrelated or interacting activities that use inputs to deliver an intended result".
>
> Therefore, a process change would presumably be any alteration of the 'interrelated or interacting activities' or inputs comprising that process.

Correct, but I suppose what I am trying to do is create two distinct categories under the broad definition of "process change," but I think you are right that we may fall into a trap by trying to create such explicit lists to distinguish them.

The thinking was that if we are able to distinguish between these two types of process changes, then we would be able to avoid redundant reviews of "changes to part processing" type changes.

> Wouldn't "adding an additional cleaning step" modify your procedures, and therefore fall under your second definition of process change as being an auditable change?

In this example, procedures would not be updated.
The cleaning process has been part of our manufacturing capabilities, it was just not being implemented for this particular part. Instead, we would go through our Change Control procedures, which include all of the actions noted above and updating the Control Plan, PFMEA, Process Flow, notifying the customer, etc.
 
#5
> Thank you for the feedback!
>
> Golfman25, I completely agree with this. I'm thinking that these two different "process change" categories that I am proposing would need to be addressed slightly differently.
>
> In my understanding, organizations are already required to have Change Control (see Sec 8.5.6) already in place, which ensure that changes are proposed, reviewed, implemented, monitored and verified using the standard Quality tools that would be expected. In such cases, wouldn't these Change Control actions be at least as thorough and effective as an audit would be, making an audit redundant? If not, would a Product Audit be most appropriate?

Change control gives you a method to implement the change. Audits come after the fact to make sure the change stuck.
 

Tagin

Quite Involved in Discussions
#6
> In such cases, wouldn't these Change Control actions be at least as thorough and effective as an audit would be, making an audit redundant?

My understanding is that the purpose of the internal audit is to check that the QMS conforms to your requirements and to the standard; therefore, the internal audit would be checking whether your Change Control actions are working properly and adhering to 8.5.6.

As I think about it, the idea of auditing individual changes may have some merit, but really you want to audit your Change Control process, which would provide the reassurance that the individual changes are being managed properly.
 

Mikey324

Quite Involved in Discussions
#7
> In such cases, wouldn't these Change Control actions be at least as thorough and effective as an audit would be

Why not perform an audit to answer that question? Earlier you mentioned a new cleaning process as an example. You said this change would trigger an update to the FMEA and Control Plan. If you are using those documents during your internal audits, you already have the tools needed in hand to audit these changes.
 

vailmij

Starting to get Involved
#8
> My understanding is that the purpose of the internal audit is to check that the QMS conforms to your requirements and to the standard; therefore, the internal audit would be checking whether your Change Control actions are working properly and adhering to 8.5.6.

This seems like a very reasonable way of approaching it.

So, say in the time since the last audit of our cleaning process, there were changes to the way parts X, Y & Z are cleaned. We would have all of the documentation regarding those changes that was recorded throughout our Change Control procedures. When we go to review our Internal Audit Schedule, as per 9.2.2.1, we would note the process changes of parts X, Y, & Z and during the next audit verify that the Change Control procedures were followed and are working properly and adhering to 8.5.6.

Hi Mikey,
> You said this change would trigger an update to the FMEA and Control Plan. If you are using those documents during your internal audits, you already have the tools needed in hand to audit these changes.

That is correct, however we supply 300+ parts and changes such as the cleaning change example can occur a dozen or so times per year. Would the next internal audit of the cleaning process now require the auditor to review and verify the Control Plans, PFMEAs etc for all 12+ parts? This is the part that seems redundant to me because the changes were already controlled and verified by the Change Control procedures.

I think Tagin's explanation is very helpful, if I am understanding correctly. Keep the definition of "process change" abstract. When conducting the review of our Internal Audit Schedule we would note the changes that took place and use those changes as consideration when determining the frequency of the upcoming audits. The audits themselves could then review the Change Control documentation to ensure the procedure was followed properly.
 

Mikey324

Quite Involved in Discussions
#9
> That is correct, however we supply 300+ parts and changes such as the cleaning change example can occur a dozen or so times per year. Would the next internal audit of the cleaning process now require the auditor to review and verify the Control Plans, PFMEAs etc for all 12+ parts? This is the part that seems redundant to me because the changes were already controlled and verified by the Change Control procedures.

Just like any audit, you would only need to do a random sample. Just what they are running that day. That said, if you find problems, you would probably want to increase your sample size to measure the scale of the finding. We don't audit 100% of our parts. That's not feasible for most people. You just need to audit the process, based on the risk level.
 

Tagin

Quite Involved in Discussions
#10
> That is correct, however we supply 300+ parts and changes such as the cleaning change example can occur a dozen or so times per year. Would the next internal audit of the cleaning process now require the auditor to review and verify the Control Plans, PFMEAs etc for all 12+ parts? This is the part that seems redundant to me because the changes were already controlled and verified by the Change Control procedures.
>
> I think Tagin's explanation is very helpful, if I am understanding correctly. Keep the definition of "process change" abstract. When conducting the review of our Internal Audit Schedule we would note the changes that took place and use those changes as consideration when determining the frequency of the upcoming audits. The audits themselves could then review the Change Control documentation to ensure the procedure was followed properly.

Yes. An audit is almost always going to sample occurrences in a process, and not re-review every single occurrence (in this case, every single change control event) in a process, as the latter would be impractical, and redundant as you noted. So, part of the audit design is going to be determining how many samples (absolute number?, percentage? etc.) of a particular process you intend to audit. Obviously, if concerns are found, you can dig deeper as needed.
 