Thursday, January 24, 2008

ISO 9001:2008 – How it will Impact your Auditing

By Craig Cochran
(Originally published in The Auditor, Jan-Feb 2008)

Auditing is all about comparing evidence to requirements. That’s why changing requirements always grab the attention of auditors. As most of you know, ISO 9001 is undergoing a revision that is scheduled to be published in 2008. The new standard, ISO 9001:2008, includes mainly editorial amendments: re-arranged words but few significant changes. There are a few things that auditors should take note of, though. Let’s take a look at the Draft International Standard of ISO 9001:2008 and discuss how it might impact your auditing.

Statutory requirements

The word statutory will be inserted in a couple of places within the introductory part of the standard. This is primarily to make the language consistent with section 7.2.1—determination of requirements related to the product—which has always required that the organization determine statutory and regulatory requirements for its products. Even though the concept is not new, the requirement reminds all auditors that they need to understand the legal requirements of the products they’re auditing. Statutory and regulatory requirements are often taken for granted by auditors, with the assumption that the organization knows what applies to its products. This is not always the case. During the planning phase, auditors must research the statutory and regulatory requirements on the product produced by the organization, and make sure they are able to effectively evaluate this.

Technically, there is a difference between statutory and regulatory requirements. It’s a very fine difference, though. We’ll cover it briefly for the sake of completeness. Statutes are laws. They say what you can and can’t do in broad terms. Regulations are usually specific guidelines published and enforced by regulatory bodies. The bottom line is that statutes and regulations are both enforced by authorities that can make your life difficult. Understand what statutes and regulations apply to your products, and make sure you’re able to meet them. Satisfaction of this clause is typically achieved in a two-part manner:

  • Developing a process for understanding and staying up-to-date with statutes and regulations
  • Compiling an index or listing of statutes and regulations applicable to your products

These processes are not specifically required by ISO 9001, but they would represent an effective way of meeting the requirement.

It’s worth noting that statutes and regulations can come from the country in which you are based, and they can originate from countries in which you’re selling your products. Multinational organizations have to consider statutory and regulatory requirements everywhere they operate in the world. Understanding and staying current with statutes and regulations can become somebody’s full time job for companies that operate around the globe.

This clause is also very significant for companies that produce highly-regulated products. Examples of highly regulated products include:
* Drugs and pharmaceuticals
* Medical devices
* Food
* Aircraft and aircraft parts
* Explosives and firearms

Management representative

ISO 9001:2008 will clarify who can act as the management representative. That role must be held by a member of the organization’s management. This makes 2 things clear:
* The management representative is an employee of the organization (not a consultant)
* The management representative is someone with the responsibility and authority to make decisions, assign resources, and get things done.

In the past, the decision of who was assigned as management representative was usually unchallenged by auditors. This will need to receive some new scrutiny by auditors to ensure that the assignment meets the full intent of ISO 9001:2008. Besides being a member of the organization’s management, there are 3 responsibilities that must be carried out by the management representative and which auditors must verify:

1. The management representative will ensure that the processes of the quality management system are established, implemented, and maintained. This is the project management aspect of being a management representative. Establishing, implementing, and maintaining a QMS requires that the management representative must coordinate many different efforts and continually sell the benefits of the system. It bears repeating that the management representative does not own the system, though. Everybody owns the management system, led by top management.

2. The management representative will report to top management on the effectiveness of the management system. This happens during management review, possibly the most important process of the entire standard. The management rep does not need to personally collect and present the data on effectiveness, but they make sure it happens. The most effective management reviews involve a wide range of organizational managers and influencers, with the management representative coordinating their input.

3. This basically means that the management representative must help promote a customer focus throughout the organization. There is nothing more important to the organization’s success than the customer, and the management representative must continually remind everyone of this fact. Promotion of awareness can be accomplished in many ways, and here are a few simple ways that come to mind:
* Posting data on customer feedback trends
* Publishing product specifications
* Holding meetings that address customer issues
* Serving as a liaison between the organization and the customer
* Distributing memos and emails that clarify customer requirements

Competence

The competence and training requirements of ISO 9001 have long been some of the most confusing. The reason is that the standard specifies some broad requirements and gives the organization total discretion for how they will be applied. This discretion has been tightened a bit through the requirement that the organization “ensure the necessary competence has been achieved.” This replaces the previous requirements for evaluating the effectiveness of training.

Ensuring that competence has been achieved can take place in a number of manners, but the most obvious is a demonstration of the newly developed skills or abilities. This works especially well for competency building aimed at skills and training. “Okay, we’ve talked about the task, and we’ve demonstrated how it should be performed. Now you give it a try.” If the trainee is able to effectively perform the task over the period of observation, then they could be reasonably considered competent. Keep in mind that the period of observation could be an hour, day, week, or month. It all depends on the complexity of the skill being demonstrated. Most “on-the-job training” programs focus on this kind of evaluation. The trainee starts out as an apprentice and then gradually begins performing many of the tasks themselves. The training culminates in the trainee being able to demonstrate the full range of skills involved with the job.

The inspection of an employee's work or product can verify that competence has been achieved. For employees who produce a tangible good or deliver a service, this is often a reasonable indicator of whether training has had the desired effect. Many organizations already have existing systems for inspecting their products, and these systems can be channeled into the training program. But this will only work if the product's inspection is traceable back to individual employees.

Tests and examinations can be used to ensure that competence has been achieved, especially when the competence is related to knowledge and facts. Be aware that many individuals simply don't perform well on formal tests or examinations, regardless of the quality of the instruction and training materials, so this may not be an ideal gauge of effectiveness. Another drawback is that tests are heavy on administration, requiring someone to spend a great deal of time creating the tests, making sure that all learning objectives are addressed, creating answer keys, creating a grading scale, taking time to grade the tests, dealing with test anxiety and disappointment, and so on. Tests and examinations do have the advantage of resulting in a numerical score, which is easy to quantify and track over time.

Finally, some organizations use performance reviews to draw judgments on whether employees have achieved competency. Most organizations already use performance reviews of some sort. As long as a logical connection can be made between the training and the job performance, the system will work. One caution, however: Make sure to separate the record of performance review from the record of training effectiveness evaluation, as every organization seeking to keep or gain ISO 9001 registration will be required to provide evidence of the evaluation to its third-party auditor. Showing performance review records to outside parties will create ethical (as well as legal) problems, so you're far better off maintaining separate files.

Auditors will need to probe the issue of competence deeper than they have in the past. What was once accepted as meeting requirements may not meet the requirements of ISO 9001:2008.

Work environment

ISO 9001:2000 will add a note in order to clarify the scope of work environment. Notes are not auditable, of course, but they provide insights on how to interpret the requirements that are auditable. The note states that work environment includes physical, environmental, and other factors needed to produce the products in question. Consider the following examples:

Candy manufacturer: Raw materials are received into the facility and are immediately moved into a climate controlled storage area. The cleanliness of the storage area is immaculate, far different than most other warehouses. A weekly inspection is conducted to look for any evidence of pests. The raw materials are transported into manufacturing by personnel wearing white gloves and smocks, and all manufacturing is tightly controlled under Good Manufacturing Practices. All outside doors and windows are kept closed and the housekeeping is very strict; even the garbage cans are clean and spotless. Nobody with any kind of illness is permitted inside the facility, and no jewelry is permitted to be worn. Once manufacturing is complete, the finished product is stored in an area that is maintained at 40 degrees F, plus or minus 4 degrees, and the gauge used to monitor the temperature is calibrated. A weekly audit is conducted to evaluate the condition of finished product in inventory.

Insurance company: People are stationed at desks and perform work on computers and telephones. The office temperature is maintained at “typical office conditions,” which is usually a compromise between the women who like the office warmer and the men who like it cooler. Dress codes are enforced so personnel are not distracted in their work and to maintain a professional environment in the event customers visit. Personnel are not allowed to play music from their radios or computers, as the sound disturbs people in their work, even when played at low volume. Hot food items are restricted to the break rooms, as some employees were offended by the smells of certain foods that were consumed at desks. Personal photographs and decorations are permitted in cubicles, but nothing that could constitute a threatening work environment is allowed. Everything about the office is maintained in a pleasant yet bland manner because this is the environment that was found to result in the highest productivity, lowest service defects, and fewest personnel problems.

Paper mill: The inside of the plant is very damp, and a half inch of water is on most of the floors. Additionally, the nature of the production process is very hot in some areas, and the ambient temperature in the summer can reach over 110 degrees. During winter months, temperatures in the warehouses are just a few degrees above freezing. For many years, the harsh environmental conditions were simply accepted as a given. The conditions didn’t negatively affect the product, so management felt no need to change anything. Recently it became clear that employees were becoming ill at a higher than normal rate, however. The increased illnesses affected the mill’s attendance rate, which in turn impacted its ability to produce paper on schedule. Work conditions are being improved now that the link between the environment and product conformity was recognized.

In all these cases, the work environment is focused on what is needed for the product in question. Sometimes organizations discover connections between the work environment and product conformity that they didn’t know existed, as in the paper mill example. ISO 9001 simply says that you will determine the environmental conditions that you require. Whatever you require is what you will be expected to provide and maintain.

Here are some typical controls related to specific work environment variables:

* Temperature and humidity: Gauges for monitoring, records of conditions, records of gauge calibration, investigation of affected product when conditions fail to meet environmental requirements

* Safety hazards: Identification of hazards, prioritization of risks, procedures for job safety, monitoring of compliance, records of monitoring, corrective action on accidents and near misses, regular meetings to discuss safety issues

* Lighting, noise, vibration: Specifications for characteristic, procedures for maintaining specifications, ongoing measurement of characteristic, records of measurement, calibration of gauges, records of calibration

* Housekeeping: Procedures for housekeeping, defined responsibilities, training of personnel, periodic audits of housekeeping, corrective action on nonconformities, signage to remind personnel of guidelines

* Personal hygiene & behavior: Documented policies for personnel, recurring training, monitoring by supervision, counseling for employees

ISO 9001 does not require documented procedures or records related to work environment, though it often makes sense to have such things. In cases where the organization establishes requirements for work environment, then the only way to verify that the environmental conditions were met would be through records. Documentation would also be required to consistently communicate the work environment requirements and controls.

17 comments:

Dadprice said...

CC - I have been looking for information on ISO 9001:2008 and what it means. Thanks for your insights. As usual you are on target.
Best always,
Elliot

Craig Cochran said...

Elliot, Thanks my friend. I wish I had some dramatic news to report, but the standard will pretty much remain the same. --Craig

Dennis Arter said...

I announced your new blog and placed a link to it from my site.
Dennis Arter, auditguy.blogspot.com

clayton1960 said...

Thanx for the info Craig. I will keep up with this. Excellent!

Craig Cochran said...

Dennis: Coming from a seasoned audit pro like you, this is an honor. Thanks a lot. --Craig

Craig Cochran said...

Clayton: Thanks, buddy! Keep up the fine work on the AS9100 project. --Craig

Dr. D said...

Hello Craig,

As usual - excellent writing! Thanks for sharing your thoughts and insights with us. I always love hearing your point of view!

My Best!

Dr.D

Craig Cochran said...

Thank you, Dr D! You are very gracious. Hope everything is treating you well.

Stijloor said...

Hello Craig,

Thanks for the blog. Great insightful article. With your permission, I will put a link to it on our website.

Keep up the great work!

wesbucey said...

Well, Craig, since we both know a number of second- and third-party auditors, have the questions arisen in your mind as they have in mine?:

1) If auditors are called upon to implement a more rigorous audit encompassing regulatory and statutory requirements, who will pay for the extra training and education to bring auditors up to speed on the regulatory and statutory requirements for each industry and geographic territory they cover?

2) How much extra time and expense will an audit take which encompasses compliance with statutory and regulatory requirements?

3) Will the end customers be happy paying higher prices for products and services from suppliers who have to pay for the extra rigor in an audit?

4) In view of the extra expense, will customers decide there is not enough "value added" to justify requiring suppliers to meet the more rigorous Standard?

5) Will we see more, not less, "made as instructed" audits where the primary criterion for audit approval is whether the check clears?

6) How much sunshine will there be on the audit process from training to competence assessments of auditors to review process for alleged nonconformances and subsequent corrective actions?

As I comment, Craig, just a few of the questions that come to mind after a career of the risk analysis we laughingly call FMEA!
-Wes Bucey, Quality Manager

Craig Cochran said...

Wes:

Great to hear from you, but you pose the most perplexing questions. Yes, anytime audit criteria is enhanced somebody is going to pay for it. My guess is that statutory and regulatory requirements will continue to be only peripherally audited, unless the company is in a highly regulated industry. These requirements have always been in the standard, but nobody has paid a great deal of attention to them. My thinking is that, for most companies, statutory and regulatory requirements can be addressed without adding too much cost. At least I hope so.

Stay warm,
Craig

Wallace Tait said...

I look forward to reading and contributing to your blog with my Visual mapping slant on the graphical communications needs of our business colleagues.
Nice to see Wes here too (Hi Wes)!
I'll be sure to spread the word for your blog, Craig.
Cheers.

jelly1921 said...

The Chinese translation could be found at http://jelly1921.blogspot.com/2009/02/iso-90012008-how-it-will-impact-your.html

Joshua said...

Wow! That was such a meaty article about ISO. I agree that success still depends on the employees and on how they will manipulate the system. Your blog just proved that it takes time, effort and perseverance to reach a certification of quality management systems.

Barton Wilson said...

It really is a wonder how much difference a few words can make. I think it’s really important that these changes to the provisions are studied and learned, especially by those who wish to maintain their certification. So much rides on how certified companies conduct themselves after changes like these take effect. It would probably be much easier to maintain the certification than to lose it, and then have to be re-certified under the new rules.

- B. Wilson -