KMJA
Hi everyone, I hope I can get some help with this.
Currently my company has 3 major sites across the world, including our HQ. Of these, our HQ and one other site are both ISO 9001 and API Q1 certified; the third site will come online as the need for certification arises.
In order to manage this we have established a global management system which includes a number of internal standards that define our minimum requirements for getting things done (these are written to combine the requirements of API, ISO 900, some other standards we're compliant with and our own internal best practice). The intention was that sites would develop their own procedures to meet the requirements of our global standards, but the reality is that the standards tend to be prescriptive enough (including flowcharts and getting relatively detailed where appropriate) and the sites don't have a need for their own procedures outside of specific manufacturing procedures where equipment varies, etc.
My question is relating to how one goes about putting together an audit program for this kind of situation. At the moment we are performing full system audits to the ISO 9001 and API Q1 standards separately at each site; however, this only gives us the opportunity for a cursory glance at compliance with our own standards due to time and resource limitations. I should also mention that our auditors all come from our HQ site and are shipped around the world to perform these audits - our production sites tend to run very lean and there generally wouldn't be enough work for a specific QA rep at every site.
What we are currently proposing is two desktop audits against the ISO and API standards for our internal standards at our HQ level to verify compliance of the system as a whole, and then all site audits to be conducted against only our own internal standards. Is this something that is generally accepted? I note that both API and ISO 9001 state that every site needs to be compliance audited to the entirety of the respective standard; however, I don't see an easy way of doing this without repeating vast amounts of information in every audit that's conducted. Another concern that arises is that not everything in the standards generally needs to be documented in a process/standard, so how do we capture those things at the site level without performing a compliance audit? Essentially, how do I build an effective audit programme in this kind of setting with relatively limited resources?