Poll: Should auditors promote the process approach?

[ISO 9001 Guy]

I sent the following question to TC 176: "Does a QMS defined by an element-by-element approach meet the requirements of ISO 9001:2008, 4.1a?"

I don't know that it will receive a response. While some have expressed that the question is not appropriate, the IAF sectretary seems to think TC 176 will be happy to answer the question. So, we'll see. I hope it doesn't hurt to consider what implications the result of this "yes/no" would be.

If it does receive a response, and the response comes back, "yes," then the process approach will seem to remain just a good idea endorsed by the standard.

However, if the response to the question comes back, "no," then would THAT mean definitively that the element-by-element approach does NOT meet the requirements of ISO 9001:2008, 4.1a? If this turned out to be the case, and a CB contracted by an organization to assess conformity to ISO 9001:2008 is legally bound to assess conformity to the requirements of 4.1a, would an auditor working for a CB be lawful in considering a QMS defined by the element-by-element approach as being compliant to 4.1a? In other words, would we be talking about legal enforceability here? If THAT turned out to be the case, and I were a CB, I would be very interested in ensuring that all of my auditors were competent "particularly" with regard to the process approach, wouldn't you?

Pesky little details. (Or is it good risk analysis to ponder these things?)

I also sent the following question to TC 176: "Does a QMS defined by an element-by-element approach meet the requirements of ISO 9001:2008, 4.1a effectively?"

It seems the answer expected of the first question (without eliciting the concept of effectiveness) might be, "Yes. But not effectively." (I could understand how TC 176 would answer the question "no" by assuming effectiveness or by asserting effectiveness into the question or answer.) By adding effectiveness to the question, it seems TC 176 must answer it, "No." (Assuming they choose to answer.)

 

[dknox4]

I also sent the following question to TC 176: "Does a QMS defined by an element-by-element approach meet the requirements of ISO 9001:2008, 4.1a effectively?"

It seems the answer expected of the first question (without eliciting the concept of effectiveness) might be, "Yes. But not effectively." (I could understand how TC 176 would answer the question "no" by assuming effectiveness or by asserting effectiveness into the question or answer.) By adding effectiveness to the question, it seems TC 176 must answer it, "No." (Assuming they choose to answer.)

Why submit a question if you presume to know how they "must" answer?

 

[ISO 9001 Guy]

Why submit a question if you presume to know how they "must" answer?

By answering both questions, TC 176 has the opportunity to illustrate the difference between simply meeting the requirements (by conforming with the letter of the requirements) and effectively meeting the intent of the requirements. Answers suggested by me seem to have been unclear or unsatisfactory, as you said yourself.
By having TC 176 answer the questions, my opinion is no longer an issue.

 

[Jim Wynne]

I also sent the following question to TC 176: "Does a QMS defined by an element-by-element approach meet the requirements of ISO 9001:2008, 4.1a effectively?"

Why submit a question if you presume to know how they "must" answer?

Why, indeed. Not only that, but I can't imagine what the difference might be between meeting the requirements and meeting them effectively in this context. Doesn't the idea of meeting the requirement include the assumption that the requirement is met effectively? What does "effective" even mean in this context?

 

[Doug Tropf]

The percentage of "no" votes in the poll seems to be on the rise, I wonder if the thread input has swayed some voters. I initially voted yes but am now having second thoughts.

 

[Jim Wynne]

The percentage of "no" votes in the poll seems to be on the rise, I wonder if the thread input has swayed some voters. I initially voted yes but am now having second thoughts.

It's also interesting to note that few of the people who've voted in favor have given their rationale for doing so.

 

[ISO 9001 Guy]

Why, indeed. Not only that, but I can't imagine what the difference might be between meeting the requirements and meeting them effectively in this context. Doesn't the idea of meeting the requirement include the assumption that the requirement is met effectively? What does "effective" even mean in this context?

In any context, if you have done something effectively, you have achieved a desired outcome. Not only did you DO it, but you did RIGHT--the results are acceptable, as expected, or good.

If the desired outcome (per 4.1a) is to determine processes needed for a management system, management has not effectively done so by defining processes--saying what they have determined them to be--according to the elements of the standard.

Our previous discussion about "identify" and "determine" might cast a little light here. The difference between just "saying" what something is and determining what something is.

Let's assume I was directed by management to label two restrooms with the following signs: "MEN" and "WOMEN." I could, without even looking in the restrooms, comply with with this directive by placing the "MEN" sign on the first door I find, and then putting the "WOMEN" sign on the other door. Because management did not specify to "do a good job" or to "do it right" or to "do it effectively," by assigning these labels to these doors, have I done a good job? Sure, I have complied with the letter of the directive. But did I comply with the intent? Surely I have complied with the directive--as stated--to label (or identify) the restrooms.

Conversely, to label the restrooms effectively--as if I assumed somebody wanted it done right in order to be useful--it would require some very simple investigation to determine which room is which. It might turn out that the restrooms are identical, so it doesn't matter. But to make sure you do a good job, or that you have done it right, how do you know which label to use until you make this determination?

 

[Jim Wynne]

In any context, if you have done something effectively, you have achieved a desired outcome. Not only did you DO it, but you did RIGHT--the results are acceptable, as expected, or good.

If the desired outcome (per 4.1a) is to determine processes needed for a management system, management has not effectively done so by defining processes--saying what they have determined them to be--according to the elements of the standard.

What if, in addition to the processes unique to a given company, the company has determined its processes to be those defined in the standard (product realization, design and development, etc.)? Are you, as an auditor, going to contend that those are not processes needed for the management system?

Our previous discussion about "identify" and "determine" might cast a little light here. The difference between just "saying" what something is and determining what something is.

Our previous discussion on that topic resulted in my belief that you're reading too much into whatever difference there might be between the two terms and belaboring things that we don't need to be concerned about.

Let's assume I was directed by management to label two restrooms with the following signs: "MEN" and "WOMEN." I could, without even looking in the restrooms, comply with with this directive by placing the "MEN" sign on the first door I find, and then put the "WOMEN" sign on the other door. Because management did specify to "do a good job" or to "do it right" or to "do it effectively," by assigning these labels to these doors, have I done a good job? Sure, I have complied with the letter of the directive. But did I comply with the intent? Surely I have complied with the directive--as stated--to label (or identify) the restrooms.

Conversely, to label the restrooms effectively--as if I assumed somebody wanted it done right in order to be useful--it would require some very simple investigation to determine which room is which. It might turn out that the restrooms are identical, so it doesn't matter. But to make sure you do a good job, or that you have done it right, how do you know which label to use until you make this determination?

This analogy fails on a very basic level, that being the idea that a person assigned to put those signs on washroom doors wouldn't realize that the proper doors need to be identified (determined) before hanging the signs. There will always be requirements that are tacit and don't need to be specified. If we're barred from making logical inferences, or we're not expected to be able to make them due to (perhaps) an intellectual deficit, there's a competency or leadership issue somewhere.

What the standard says and what you want it to say are two different things, I'm afraid. I can't imagine that your queries to TC 176 will be answered as you hope, and at best you're probably going to get a noncommittal canned response. I seriously doubt that the committee will offer sanctioned interpretations via e-mail.

 

[outoftown]

My understanding is that CBs are required to audit the complete standard, at least within the registration cycle (if not annually) so if you had missed some elements (it may even have been a case of incomplete recordkeeping in your notes) I would not be surprised to learn your employer was upset.

In the audit business, there are multiple masters. The accreditation body that gave me my license to audit. The client paying the fee. The CB. Those supplying the customer satisfaction ratings are also a stakeholder that can decide to ditch the 3rd party auditing scheme if they do not feel it is of value. When things are in harmony (everyone wanting a process-based audit), things are great. My post tried to explain that this is not always the case.

I think you meant to say audit the complete QMS. Verification that the QMS covers the entire standard is usually checked by a matrix of processes vs clauses which is sometimes included in the audit report. The difference of opinion is which axis of the matrix is the QMS. :^) From my experience, the QMS is usually audited in its entirety at the registration audit and once again during a three year audit cycle. Auditing to the standard, (interpreted here for the point of discussion as auditing to the shall statements) is the compliance portion of the audit. My point was that auditing to compliance only is what ISO 9001:1994 called for. I did hundreds of audits for the same CB with that 1994 standard and never had a problem. I cannot compromise audit integrity by doing the same thing today. Auditing for process effectiveness is the next level which is very much a part of ISO 9001:2000 and 2008, as many posts have pointed out with references to section 4.1. The problem is some still define the QMS as only what is written in the standard, all the elements or only what is contained within the document pyramid; i.e, the Quality Manual, Procedures, Work Instructions and other related documents. If someone wanted me to audit just for compliance to the standard or elements and the QMS is structured as a document pyramid, I would never have to leave the conference room and could probably do the audit with just access to the documents and records from a remote location. If that is what the CB or client wants, it would be an easy audit and all your findings would be document or record related and as a bonus, the findings all would be relatively easy fixes. Do you want to pay an auditor for this? Recently I have found work with another CB that values a process approach and currently there have been no issues with the clients, my reports or my audit methodology. It's coincidental, but the client I am doing the recertification assessment for this week used to use the CB with which I had a difference of opinion. They did not think the prior audits were providing any value. I hope more organizations realize they have other options.

I am glad this thread has generated a lot of posts. I think the sometimes heated discussion has pointed out the differences in what is expected if the auditor encounters a QMS system that is not process-based. I did not vote because although I believe in the process approach, it should not be left up to me to force any organization to adopt a process-based QMS. This crosses the line into consulting. Even clients that define their processes as sections 5, 6, 7 and 8 (or variations thereof), IMHO do not rate a nonconformity because that is how they identified their processes, even though it is with something as close to elements as they could come up with.

 

[Doug Tropf]

I am glad this thread has generated a lot of posts. I think the sometimes heated discussion has pointed out the differences in what is expected if the auditor encounters a QMS system that is not process-based. I did not vote because although I believe in the process approach, it should not be left up to me to force any organization to adopt a process-based QMS. This crosses the line into consulting. Even clients that define their processes as sections 5, 6, 7 and 8 (or variations thereof), IMHO do not rate a nonconformity because that is how they identified their processes, even though it is with something as close to elements as they could come up with.

In its round-about-way this thread indicates the need for clearer guidance on what is expected of auditors regarding element based vs process based systems. Your post indicates you advocate process based systems however your last paragraph seems to indicate that had you voted, you would have voted "no".