1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Why auditing using the "Process Approach" may not be enough...

Discussion in 'ISO 19011 - Auditing Management Systems Guidelines' started by Andy Nichols, Aug 28, 2015.

  1. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,227
    Likes Received:
    2,613
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    So, we know that since ISO 9001:2000 mentioned the "process approach and auditors have been cajoled to use the "process approach" in their audits - often including using crazy box diagrams - it may not be sufficient to bring the real issues to managements' attention and, hence, corrective action.

    Conventional wisdom shows that auditing "clauses" doesn't work if you want to get past basic blocking and tackling compliance. Process auditing SHOULD be done, following the process from its inputs, checking the process controls are working, and that the output is being produced as planned. A much more comprehensive audit results, but even THAT doesn't mean the whole QMS is effective. Likewise, emulating a CB style of audit and taking a thin slice throughout the entire QMS is also not going to give much in the way of "value" to management. It's akin to the "sampling caveat"...

    What needs to be done is a hybrid. Something which looks at processes which interact, for it's THERE that the greatest information can be found about the effectiveness of processes. How one feeds another. That's where the gold is...
     
    Bev D and Jennifer Kirley like this.
  2. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    If you only have one perspective for an engineering drawing, it may not be sufficient to truly understand what the final product should look like. Multiple perspectives and suddenly you have better idea of the end goal, and can structure your activities to support achieving it.

    The same is said for a management system.

    If you audit by clause only, you simply see gain one perspective...yes, there is a corrective action system in place...yes, there is root cause analysis and action plans and all that wonderful stuff. Congratulations, you've just checked off the corrective action section of the standard.

    Now, we're off to Receiving, boys and girls. Look, they have inspection criteria...and a certificate with this incoming material. oooOOOooo...they're even inspecting some parts. Oh dear, those parts don't meet the specifications. Red labels and a quarantine area are used to ensure the bad stuff doesn't get used. Gosh, he's calling the supplier...he doesn't sound happy...but he has a complaint number and he's logging it into a system...Okay, Receiving looks good.

    To gain a true understanding of the state of a management system, its strengths and its opportunities, one must look at it from at least two perspectives, like a basketweave. By looking only at the clauses, you can determine if the applicable standard has been implemented. By looking only at the process, you can determine the "health" of the requirements and activities.
     
  3. Ganesh Sundaresan

    Ganesh Sundaresan Active Member

    Joined:
    Jul 31, 2015
    Messages:
    66
    Likes Received:
    36
    Trophy Points:
    17
    I try this analogy. Auditing is like running through a Newspaper. While it is easier to get trapped into some petty things (lets agree, Newspapers have many of them these days), one has to ignore them and focus on picking much more worthwhile events and information in a short span of time.

    As for Auditing mechanism, Call it Process approach or whatever, I have personally witnessed an External Auditor who starts his Audit with a particular team and end up getting every other relevant teams on board for verifying linkage activities. Unfortunately during Internal Audits, we did not find it easy to pull other teams at will.
     
  4. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,227
    Likes Received:
    2,613
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Ganesh - that's an approach built on external audit techniques. Little to no time is spent with management understanding a specific issue which is causing them problems (or risks). I'm not sure I understand your newspaper analogy, but (internal) auditors shouldn't be "wandering around" looking at "big picture" things to audit and report. Once again, to use an example of what one external auditor does, may not give us a clue as to how to approach internal audits. The fundamentals are quite different.
     
    MCW8888 likes this.
  5. MCW8888

    MCW8888 Well-Known Member

    Joined:
    Aug 17, 2015
    Messages:
    642
    Likes Received:
    198
    Trophy Points:
    42
    I have used the checklist and process approach for conducting internal audits. Using the process approach, the weakest link to the process is determining the effectiveness in meeting the days target goals. Now I switch to Risk based internal auditing where I audit the Controls in place to make sure that the risk to people, asset, environment and reputation is low. Risk is classified as High, Med, and Low. High is a nonconformance, Medium is an observation and low is an opportunity for improvement. I found more issues using this risk-based approach than just asking an operator if he "walk his talk".
     
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,227
    Likes Received:
    2,613
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Interesting. When you say that the weakest link is meeting the day's target goals, can you explain that? I don't understand at all.

    Also, what types of things would you find that are high risk, medium and low?
     
  7. MCW8888

    MCW8888 Well-Known Member

    Joined:
    Aug 17, 2015
    Messages:
    642
    Likes Received:
    198
    Trophy Points:
    42
    Target goals for the day is associated with the accuracy of doing things Right First Time.
    The Findings that could be considered as high are those that could impact safety, health and environment as well as the the reputation to the customer. Medium are those that could impact our internal issues but does not affect the customer and low are considered opportunities for improvement. Thank you.
     
  8. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,227
    Likes Received:
    2,613
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I was wondering if you could give some concrete examples of what you've found. I understand the "grade" you've given them, but would like to understand what kinds of things you've encountered which warrant such a level of risk being applied... Some examples, please. Would a late shipment be a high risk? Let us know what you've been actually finding and the risk allocated.
     
  9. MCW8888

    MCW8888 Well-Known Member

    Joined:
    Aug 17, 2015
    Messages:
    642
    Likes Received:
    198
    Trophy Points:
    42
    Sorry for the late reply. Here's one example of a high risk finding; I conducted an Internal Aduit based on the most recent incident that impacted the OEM customer. I walked the Control Plan of this product and at the process of receiving I noticed that 2 line items were missing in the Control Plan. I caucused with the auditees and the other supervisor and they all agreed that compliance to those 2 missing steps would've detected the failed product that was shipped to the OEM customer. These 2 steps were also missing in the PFMEA and PFD. The risk was high because it cost the company >$200,000 to recall the products. There is a guideline in our RAM that if it impacted customer satisfaction and over a certain amount, then the risk is high and must be corrected right away. Other high risk finding are those that could impact the health and safety of our employees and I call it a finding agains 6.4.1. This company has a zero tolerance of recordables. If there are chronic late shipment and this is one of your Quality Objectives, I would consider it a high risk because it impacts ASN for automotive. The auditor gives us a finding on a low score card from these OEM's if we do not address it internally through RCA and discuss during Management Review.
     
  10. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,227
    Likes Received:
    2,613
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Can I be very honest, MCW8888? If you do an audit after an issue like this came up and caused such a recall, I fear that your grading the finding as "High Risk" seems a bit of a "duh" moment, as the risk has passed and become a reality... In effect, the horse has bolted and your findings are a bit like a Monday Morning Quarterback's comments. Risk based auditing is taking a look at the process (or whatever) and saying what's the risk? Since you have the criteria: Customer dissatisfaction, $XXX,000 recall etc COULD happen, then that should stimulate the audit of the process as you did, as it was being used - real time.
     
    Neo113016 and Nirvana like this.