Sunday, February 12, 2017

An “Internal Audit” Apocrypha

Now that ISO9001:2015 is well-established, with billions and billions of new registrations, I felt it time to review some of the well-worn sine qua non of quality management systems. These alternative facts are absolutely essential to the well-running and well-being of the modern QMS. 

Looking ahead to the application of AS9100D, the entire aerospace sector can only reap equivalent rewards gained from the application of such internal audit apocrypha. I leave it to other QMS experts more familiar with ISO-13485, ISO-16949, and the EHS QMS flavors to address their own specific urban legends.

Of course, as always, such phrases as these have been gleaned from publicly posted sources. No intent to defame is ever applied nor implied. And, now, read and enjoy!

Write to me! LarryC@strateja.com

- Once-a-year internal audit is a requirement.
- If once-a-year is good enough for the registrar, it’s good enough for me.
- Annual internal audits are a requirement, as we have been told by our ISO consultant.
- Make it once a year for the purpose of effectiveness; more than that, it becomes one of the seven wastes, which is "Over-processing".
- The standard, as it is currently being interpreted by auditors, is that all clauses must be audited every year.
- While annual audits are NOT a requirement in ISO 9001, some registrars include this in their contracts, forcing you to do annual internal audits anyway. [I have proof - so not necessarily an urban legend.]
- Waste, error, and inefficiency are often results of any proper internal audit.
- It is always best to consider audits from the view of ROI (return on investment).
- Once a year is the way to go on the grounds of having to re-validate our certification annually.
- The result of internal audit is an input of system analysis, conducted by management.
- If you have a substantial history of compliance (no findings) you can extend the audit frequency out to 18 months.
- All areas of the organization are to be audited in a two-year cycle, with primary (and therefore critical) areas audited yearly.
- If the internal audit plan is acceptable to Top Management then it should also pass muster with any auditor.
- I think it should be performed in months when there's an "r" in the name of the month...
- Internal audits should be performed between February 29th and Feb 30th.
- You should audit everything once a year, no matter what.
- Make it an ongoing program instead of this huge mountain of work you have to try to schedule.
- For calibration and certificates on walls, perform these audits annually and use checklists and closed questions.
- Checklists are like kryptonite to internal audits. There is no place for them.
- Give your auditors t-shirts emblazoned with “I am auditing the system, not the person”.
- No internal audit should take longer than 60 minutes.
- Write a non-conformance if an audit discussion goes on for more than 1 hour.
- Only the internal auditor can be the best judge to isolate weaknesses of his own organization.
- Auditing each process in your quality management system once per year demonstrates compliance.
- Internal audit shall be performed a minimum of once a year, not limited to the problematic process areas.

Saturday, February 4, 2017

An ISO 9001:2015 Apocrypha

“A·poc·ry·pha (əˈpäkrəfə), noun: writings or reports not considered genuine.”

In 2014, a well-respected consultant on the ISO 9001 group asked for inputs related to so-called truths about ISO 9001:2008. He formulated the ISO9001 Apocrypha, containing urban legends and CB auditor mandates touted as requirements. For the 2015 version, I am collecting similar urban legends, CB auditor mandates, and consultant/expert opinions, interpretations, and proclamations as to what are and are not “requirements”.

This particular apocrypha is not intended as a final version. It will evolve and grow. More and more people are asking questions about the 2015 standard which should have been raised during the DIS days of 2014. As it is, a certain learning-curve lag is expected, and I present a partial collection of so-called requirements for your enjoyment.

Keep in mind that (most of) these same so-called requirements apply to the AS91xx family of standards, since it is based on the 2015 ISO9001 flavor, which we’re all stuck with until 2030 (at least).

Disclaimer: This list has been collected from publicly-available material, clearly posted without copyright protection, and is presented without intent to defame the sources. Attempts to threaten with so-called defamation of character lawsuits will be treated as frivolous and without merit. If you wish to continue with such legal activity, the burden of proof, and expense, is on you.

Risk and Risk-based thinking
- Risk approach is now formalized in ISO 9001:2015.
- Risk-based thinking is defined and is a requirement.
- An organization is no longer permitted to use “preventive action” as a process under the new std.
- FMEA is the only acceptable methodology for RCCA activities.
- Risk registers are required.
- Risk management is a formal requirement in the new standard.
- A risk management process is required.
- Auditors cannot accept verbal evidence, at the huge risk of being conned.
- The current interpretation of RBT is to replace Preventive Action in the 2008 standard.
- Risk records and registers are required.
- Risk-based thinking has always been a requirement.
- The auditor must ensure the client comprehends and understands RBT.
- RBT had been implicit, and it is a requirement to have evidence that you are doing it.
- The formal, official, auditable definition of RBT (and any corresponding process or practices) gets to be determined by the organization, based on its context and its QMS.
- It is up to the organization’s Leadership to decide what "Risk Based Thinking" is required to consistently meet the customer’s requirements.
- Preventive Action is no longer necessary. It is replaced by risk-based thinking.
- We have to create a typical HIRA Register (Hazard Identification and Risk Analysis) similar to what we follow in EMS and OHSAS standards.

Scope
- A company's scope will change going from the 2008 std to ISO 9001:2015.
- The new standard does state that it [the scope] can't be a generic type of scope.
- A simple organization must establish at least three essential management systems, four if it is energy consuming, and five if it is dealing with information.
- The scope must appear in the quality manual. If it is not, the CB auditor will issue a finding. However, the quality manual is no longer required by the 2015 std.


Former “Quality” Manual
- No need for a manual.
- A quality manual is not needed, even if the customer requires one.
- An org will receive an audit nonconformance finding from the CB auditor if it deploys a “quality manual” to its customers under the new std.
- The QMS manual will also define the various roles that are needed within the company, such as who will do what, and how. For example, QMS Manager, but also what role unit managers will play.
- The QMS Manual drives the GAP Analysis.

Internal audits
- The internal audit process has to be done by an external entity with higher competence.
- An audit of the IA process itself requires a much larger organization to see much value in that.
- Top management should participate as silent observers.
- Extra-deep internal audits are done ahead of surveillance audits in order to give the departments a chance for improvement.
- To do an audit on the audit process means we conduct an assessment of auditor competency.
- A simple benchmarking effort could clearly show if an auditor from a registrar is generating more findings than an internal auditor.
- Number of findings as a metric of internal audit effectiveness.
- Black Belts must champion any "mini self audit program"; they earn so well, and after all, it's all QMS improvement, which is their job.
- No separate audit for the internal audit process makes sense.

Miscellaneous
- The requirement for the management representative was removed. There is no longer any need or use for a management representative. This facilitates ISO-mandated downsizing.
- Documents and records are now required to be called “documented information”.
- Going ISO with the new standard is a long, hard, drawn-out effort.
- Paper-based document control is forbidden under the new standard.
- Clause-by-clause gap assessment/gap analysis is the only method allowed for transitioning to the new standard. Economic justifications are required for the transition, based on the gap assessments.
- An organization is no longer permitted to retain the role of “management representative” under the new std.