posted 22 November 2000 07:08 PM               

From: ISO 9000 Standards Discussion
Date: Fri, 17 Nov 2000 15:52:30 -0600
Subject: Re: Auditing and the new standard /Oliveira/Hankwitz

From: "Hankwitz, John"

> In the new standard we will have, as a minimum, 6 procedures.
> How do we audit without a procedure? It will depend more on
> auditors habilities?
>
> Marcos Oliveira

Marcos,

Excellent question. I think we will see the answers to this question evolve over the next year or so. For now, we are looking at the basic changes in perspective presented in the new version of the standard, then tailoring our audits to look at the new perspective.

1. "Conformance" has shifted to "Performance"
2. ISO 9k2k is Based on a Modern "Business Model"
3. Focus on Efficiently and Effectively Providing Customer
Satisfaction instead of Preventing Nonconformity in Process
& Product.
4. Goals, Objectives and Resources are now driven by analysis
and fact.
5. Do It, Prove It, Improve It!

My vision of ISO 9k2k fits well into Deming's SIPOC Model. (Supplier-Input-Process-Output-Customer) The flow illustrated in the 9k2k standard is somewhat similar (using creative visualization) of how I envision the quality system to operate.

I see the "Process" as Product Realization (those process that provide added value to the ultimate customer - GEMBA?), then position Resource Management (those processes providing support to Product Realization) under, and feeding into Product Realization.

Feedback is provided from Product Realization, Resource Management, and the Customer into Measurement, Analysis and Improvement. Output from MAI feeds into Management Responsibility, stationed under, and feeding into Product Realization and Resource Management. Management then provides goals, objectives and resources to Product Realization and Resource management to enable effective and efficient provision of Customer Satisfaction. So, something like the following very crude flow would represent the Quality Management System:

 |----------|          |-------------|           |----------|
 | Supplier |  Input   |  Product    |  Output   | Customer |
 |(Customer)|--------->| Realization |---------->|          |
 |----------|          |-------------|           |----------|
                         ^        ^    .               |
                         |        |      .             |
                         |        |        .           V
                         |  |------------|   . |-------------|
                         |  |  Resource  |     | Measurement |
                         |  | Management |---->|   Analysis  |
                         |  |------------|     | Improvement |
                         |        ^            |-------------|
                         |        |                    |
                         |        |                    |
                     |----------------|                |
                     |   Management   |                |
                     | Responsibility |<----------------
                     |----------------|

John Hankwitz

posted 22 November 2000 07:19 PM               

From: Joseph & Susan Green

"Marcos Oliveira" stated and asked:
>
> I would like to propose a question:
> In the old version of ISO 9001/2, auditors compare procedures
> with records of actions. At that time, we had, as a minimum,
> 17 procedures.
>
> In the new standard we will have, as a minimum, 6 procedures.
> How do we audit without a procedure? It will depend more on
> auditors habilities?
>
> Marcos Oliveira

Joe Green's response:

1.
If an organization generates a product, the methods used to produce that product are to be defined by the organization. (call them processes, or whatever you like) ISO happens to use the term processes.
(To comply with 9K2K "realization processes" must be adequate to the task)

2.
Methods used to generate a product start somewhere advance in a sequence, interact with other methods and the logical result is finished product. (To comply with 9K2K "sequence and interactions must be identified")

3.
Methods used to generate a product must be capable, measurable, and analyzed to ensure product conformity and process effectiveness. (Hopefully those methods may be also subjected to scrutiny for improvement opportunities).

4.
An organization with no "visible" methods would be easy to identify.

5.
9K2K Standard Users are required to include "visible" (audit able) methods in their QMS.

6.
Auditor's are required to determine "visibility" and "effectiveness"
(Not Efficiency; though efficiency should be included sought by a sane organization.)

7.
The following minimum methods (processes) (procedures) must also be "visible". They are necessary to any organization who thoughtfully chooses to voluntarily comply with ISO 9001;2000 Document control
Records
Control of nonconforming product
Audits
Corrective/preventive action
Preventive action

I purposely numbered the above comments so that others may comment on the accuracy or lack of accuracy contained in each premise.

posted 22 November 2000 07:26 PM               

From: "Charley Scalies"

> From: Dennis Arter
> Beyond Compliance
> As many of you know, I teach and perform "management" audits,
> which are more than the usual compliance audits. (See my
> article in the June 2000 issue of the ASQ magazine Quality
> Progress for more details.) These audits examine compliance
> to rules, just like ISO 9001 registration audits. They also
> evaluate the effectiveness and suitability of those rules.
> Resulting findings are written as cause (problem) and effect
> (business pain), with supporting examples (observations). This
> is significantly more than the typical nonconformity issued
> from the registration audit.
>
> My colleagues are asking me, "Dennis, please tell us of
> companies that are successfully performing management audits,
> so that we may benchmark their methods." Unfortunately, I do
> not have any really great examples. (Hmmm. Is this just
> theory? I sometimes wonder.)

My training curriculum of internal auditors fall somewhere in the middle. (How boring!)

Certainly we do compliance audits but, more importantly, determinations of suitability and effectiveness are what internal audits should be all about. After all, internal auditing is a management activity. The greatest procedures in the world are of questionable value if they don't lead to the desired result. A cow chip wrapped in gold foil is not a nugget. While I instruct auditors to point out the pain, I leave the root cause up to the process owner. Of course, in the overwhelming majority of cases I deal with, the root cause hits you square in the face. There is little investigating needed. But because "my auditors" do not carry the organizational legitimacy/power of management auditors I try to keep them out of trouble.

While I am on the subject, I'll share a little exercise that I start every audit workshop with (poor grammar but I think you understand). "You have 30 minutes in which to conduct an internal audit to verify - with objective evidence - whether or not the quality system is effective. Can you do it? How would you do it?" By the end of the course they can. I suspect most list members could also.

posted 03 December 2000 01:27 PM               

Regards how to audit without a procedure;
The fact is that, for all practical purposes, you canât. The standard requires that internal audit establishes whether the system conforms to planned arrangements. So letâs take an example; You go to a process that doesnât have a procedure and ask the first operator what heâs doing.
ÎJust banging these screws in with this hammerâ.
ÎIs that in accordance with planned arrangements?â
ÎSure is. Look, I know what youâre thinking - most people use a screwdriver, but can you imagine how much time and money weâve saved since we started using the hammer? And weâve never had a complaint.â
What are you going to do? Write him up against your own, personal, non-objective opinion? You canât. In fact you canât do any damn thing but trace back through the line of authority, trying to find someone that will tell you that it is wrong. If they all stick to the story, you havenât a chance. If you find disagreement, then who is right? You have no way of finding out. You can initiate an investigation but, if the outcome still is to use the hammer, then youâre out of the game.

Auditing without a documented process against which to compare, is a contradiction of terms. Itâs like clapping with one hand. Similarly, it is not possible to make objective decisions based on subjective material.
So forget it. You canât do it. Donât even try.
Personally, if I came across a process without a procedure, Iâd write them up for it and, at the closing meeting, Iâd refer them to 4.1 in ISO 9001:2000 where it tells them to document the quality system, and then Iâd refer them to ISO 9000:2000, 2.7.1 where it defines documentation in terms of what it does, including; achieving conformity to customer requirements and improvement, provision of training, repeatability and traceability, objective evidence, evaluation of the effectiveness and continuing suitability of the quality management system. The implication is that, without documentation, youâre going to underachieve in these areas. To that, Iâd add the impossibility of auditing and that thirty years in industry has taught me that, if it isnât written down, it doesnât exist.
rgds, John C