Ask the Standards Experts

ISO 9001 Procedure Vs. Process

Mr. Pareto Head and procedures

Q: I‘m seeking clarity and advice on a recent incident I was informed about.

An organization I am very familiar with and is fully certified to ISO 9001:2008 Quality management systems–Requirements (with no exemptions) recently had a new external auditor come in to conduct a certification audit.

While continued certification was recommended, a number of small areas of concern were noted.

I understand that most of the recommendations will improve the system, but one recommendation has caused me some concern.

A bit of history of the QMS of this organization:

This company originally gained certification under ISO 9001:2000 and has transitioned to ISO 9001:2008. They have a very robust quality management system (QMS), have clearly identified their processes, and have mapped their procedures to these various processes. They have implemented a rigorous internal audit program which has targeted these procedures and their interrelationship with the various processes.

My problem is that the report for this recent certification audit stated that under 8.2.2 of the standard, in order to ‘gain’ full certification to ISO 9001:2008, they have to conduct process audits rather than procedural audits, or their certification could be at risk. This has caused some angst with senior management, as their previous certification body was happy with their implementation of the standard.

8.2.2 b: Internal audit

“An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited…”

I can see no mandatory requirement in 8.2.2 to support the statement that process audits have precedent over procedural audits as long as the status and importance of the processes are taken into consideration.

My understanding would be that the requirements of 8.2.2 would be met if the organization’s processes are clearly identified and its procedures and their interrelationships are mapped to the processes and it can be clearly identified during the audit that process requirements are being addressed with the procedures.

Obviously if it can be shown that the processes are not adequately covered, then that must be addressed. But I do not believe this is the case here.

Your advice would be greatly appreciated.

A: I hope to answer your questions about process vs. procedure in ISO 9001:2008. I will offer several different definitions. This is not to confuse you, but to help you see how different people deliver the same message while using different words.

We will begin by trying to recognize just what a procedure is. You can have any number of procedures within a process. That means, a process requires one or more procedures. You take actions to get results. The actions you take are your procedures.

I once read it this way on the internet: procedures / actions / activities / work instructions all describe the lowest level of decomposition, i.e.: the procedure cannot be broken down further.

A process is “something going on.” It is a continuing natural or biological activity or function.

A process is a series of actions or operations conducing to an end. It is a continuous operation or treatment, especially in manufacturing.

A procedure is a particular way of accomplishing something. This is also defined as a series of steps in a regular definite order; a traditional or established way of doing things.

While the two could sound similar, they are clearly not the same thing. A process refers to a series of actions, but does not place a particular order on those actions.

Procedures however, are focused on steps, order and instruction. As the author Mark McGregor once wrote, “We can see that while a process may contain order, it does not require order to be a process. If we take away the order from procedure, then we don’t have a procedure, but we may still have a process.”

You are not alone in your questioning of this. It is like the ongoing controversy over continual vs. continuous in the quality arena. However, the distinction between a process and a procedure should be more clear to you after reading above.

Now, let’s consider why. Why is 8.2.2 worded the way it is? I think the most simple way to put it is this: in the past, it was not uncommon for internal audit teams to concentrate on element auditing. That is, they audited the verbiage of the documented procedures to see if they complied with that of the standard.

Each individual company has their own processes. It is through those processes, those actions, that you would comply with the intent of the standard. The value of controlling and improving on those processes is reflected in your audits.

Input -> Process -> Output

So, it does not matter how you word things. The product audit (or service audit) determines if tangible characteristics and attributes of a thing are being met. A process audit determines whether process requirements are being met. During the process audit, the auditor will examine an activity or sequence of activities to verify that inputs, actions, and outputs are in accordance with an established procedure, plan or method.

By now, you have seen a pattern to all the words above. My intention was not to muddy the waters further, but to help you recognize why so much light has been shined on process activities. To “do what you say you do” requires having documented procedures and following what they say. Doing all of this in an efficient and a profitable manner requires process control.

Finally, if you haven’t already done so, I strongly suggest that you acquire a copy of The Process Auditing & Techniques Guide by J.P. Russell. This is a good guide you can order through ASQ and it can help with setting aside some of your concerns and answer questions.

I hope this has been helpful.

Bud Salsbury
ASQ Senior Member, CQT,CQI

What’s the Difference Between ISO 9001 and ISO 19011?

Reporting, best practices, non-compliance reporting

Q: What is the difference between the ISO 9001:2008 and ISO 19011:2011 literature on your web site? Please provide a detailed explanation and their use.

A: I can see where the confusion might arise, as the numbers are very similar! But the contents are quite different.

ISO 9001 Quality management systems–Requirements is the mother of all quality management systems. It lays out the minimal requirements for an acceptable way of managing your business for quality. In the beginning, it was developed as a requirements document to lay on your suppliers. Then it became the foundation for registration (other countries might call this certification) of your own management approach to quality. About a decade ago, various business sectors – aerospace, automotive, medical devices, laboratories, etc., all used the ISO 9001 document as the base for their specific approaches. They didn’t take anything away, but added additional requirements. By far, the greatest use today is for registration/certification. This is somewhat sad, in that the standard itself is a beautiful way of managing the resources within the enterprise. Registration can get quite bureaucratic and not worth the expense.

ISO 19011:2011 Guidelines for the auditing management systems is the international auditing standard (my specialty). It was first developed as a means to get all the various registration agencies around the world to do their audits in a consistent manner. It also had support from the multinational companies that had factories – and thus registrations – all around the world and often with different cultures. Norms in Canada are not the same as China! Unfortunately, this registration emphasis in the standard made it somewhat hard for internal auditors and supplier auditors to use it. Plus, there is no requirement to use the standard, other than within the registration industry.

For these reasons, the U.S. wrote a supplement for the 2002 version of this standard, giving guidance on how to use the principles for internal audits and small organizations [note: development is underway to offer similar supplements for the ISO 19011:2011 version — anticipated end of 2012/early 2013.]. ASQ is the only place to get this version, which includes the supplement, along with the base document. As this auditing standard was revised, it picked up environmental auditing and safety auditing in the scope.

Dennis Arter
ASQ Fellow
The Audit Guy
Columbia Audit Resources
Kennewick, WA
http://auditguy.net

Is ISO 9004:2009 an Implementation Guide?

ISO documentation practices, requirements

Q: I am looking to purchase the latest ISO 9001:2008 Quality management systems–Requirements. However, in the past, ISO 9004:2000 Managing for the sustained success of an organization — A quality management approach, included the ‘requirements’ of ISO 9001 in boxes as a reference in ISO 9004 (used for implementation assistance). Is that still the case? I would much rather buy the revision, ISO 9004:2009 if the ISO 9001 requirements were in the standard…it’d be one less standard to have around.

A: We have consistently promoted the concept that ISO 9004 is NOT an implementation guide to ISO 9001. It is designed to provide guidance to organizations that desire to go beyond meeting minimum requirements towards achieving higher levels of performance.

There is much that is required of organizations today to sustain themselves and the next edition did try to focus on addressing issues that were essential to sustainability, perhaps at the expense of revisiting the old ground of content related to 9001 compliance which, by now, have become well understood by many organizations.

So, ISO 9004 is about going beyond ISO 9001. ISO 9004 is still consistent with ISO 9001, but it places more intensity on going beyond and less on hard line-by-line congruence.

Charlie Cianfrani
Consulting Engineer
Green Lane Quality Management Services
Green Lane, PA
ASQ Fellow; ASQ CQE, CRE, CQA, RABQSA Certified QMS-Auditor (Q3558)
ASQ Quality Press Author

For more on this topic, please visit ASQ’s website.

Merging With a Non-ISO 9001 Certified Organization

Reporting, best practices, non-compliance reporting

Q: My federal agency is comprised of many different internal organizations. We have a scenario where a recently certified organization to the ISO 9001:2008 Quality management systems–Requirements is planned to be merged with a non-certified organization that has no type of management system. The certified organization’s certification runs for three years but it will be more closely integrated with the non-certified organizations. Will the merger affect the certified organization’s certification? Do you have any insights on how these types of occurrences typically affect the management system itself when an organization that is certified for 100% of its operations now becomes 50% of a larger organization? It’s quite likely that the certified organization’s name will change at least in part.

A: With regard to your question, if company “A” is already ISO 9001:2008 certified and is now being merged with a non-certified company here’s what should be considered. First, the current ISO certification is only applicable to company “A” as defined in the scope of the quality manual as well as on the ISO 9001 certification issued by the ISO registrar.

Your ISO registrar needs to be immediately informed of changes effecting the company name, top management and/or processes. The registrar may very likely require the newly merged companies to be reevaluated for ISO certification and listed under one ISO certification.

Most ISO registrars will not issue ISO certification for just a portion of a company. All processes that comprise the quality system must be identified and included as a part of the QMS unless specific exclusion is stated in the quality manual as permitted by ISO 9001. The management representative will need to ensure that top management is aware of how this merge may affect the current QMS so effective actions can be taken to bring company “B” in line with the established QMS procedures and other ISO requirements. I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

For more on this topic, please visit ASQ’s website.

AS9100 Rev. C Document References

Airplane, aerospace, AS9100

Q: My organization is getting ready for our registration audit to AS9100 C– Requirements for Aviation, Space and Defense Organizations. There is a debate regarding procedures and the document references with those procedures. If the procedure does not mentioned a document within the body of the document we normally do not include it in the reference section of the procedure. Our internal auditor says that we should reference all documents that show linkage in the process approach.

For example, the auditing procedure references corrective action, preventive action, etc., but does not have any of the document mentioned in the body of the procedure.

Can you settle this matter? Our auditor says that we will get a finding if this is not done.

A: The process approach is more than including references to documents, especially with AS9100 C requirements to identify your product realization processes. I would encourage you to examine some guidance materials available on the ISO website:
Introduction and support package: Guidance on the concept and use of the process approach for management systems action procedures, but the narrative of the procedure does not include how these procedures tie into the auditing practice? It would seem that the auditing procedures body should support the referenced procedures and explain how they are applicable within the auditing process. If I was your auditor, I would issue an observation or opportunity for improvement for that condition.

Your first paragraph seems to indicate the reverse scenario. If a document is not referenced within the body of the document, then it is not a referenced procedure. Yes, that appears reasonable.

It is a good practice to show the interrelationship of documents to include parent-child relationships and referenced documents when appropriate.

Buddy Cressionnie
International Aerospace Quality Group Americas AS9100 Lead
Voting member of the U.S. TAG to ISO/TC 176
Southlake, TX

For more on this topic, please visit ASQ’s website.

Resources about Quality Culture

Q: I am a senior member of ASQ. I plan on giving a two to three hour workshop on quality culture at my company. Do you have any audiovisual materials and/or examples from other successful companies that I could use for my slide presentation? I would really appreciate it if you could provide me with more information on creating a quality culture.

A: According to The Quality Improvement Glossary by Donald L. Siebels, quality culture “consists of employee opinions, beliefs, traditions, and practices concerning quality within an organization”.

For more on this topic, please visit ASQ’s website.

ISO 9001 Management Representative

About ASQ's Ask the Standards Expert program and blog

Q: ISO 9001:2008 Quality management systems — Requirements defines the responsibilities of the management representative (MR). To carry out these responsibilities, the MR needs certain defined authorities. What principle authorities should a MR posses to meet the responsibilities defined? I am a quality manager and I report to the project director, who reports to the CEO. While auditing other directors in the organization, my boss (the project director), requested from me to discuss with him the audit results of other director’s’ audit findings since I am reporting to him. I pointed out that the MR Role is independent and it is not a part of the function of Quality Manager where I report to him.

How can I make it clearer that I need independent authorities to perform the role of the MR?

A: Section 5.5.2 Management Representative: defines the appointment and responsibilities of the management representative. He/she is appointed by top management. The implication is that top management can ask for reports on the MR’s responsibilities. A summary of these are:

Ensure QMS process are established, implemented and maintained
Reporting to top management on performance of QMS and need for improvement
Ensure promotion of customer Requirements in the Org.

It is true that management representative responsibilities are not those of the quality manager. But, ISO 9001 does not define responsibilities of the quality manager.

My suggestion is to go to the person who appointed you management representative and ask him if you should provide the information requested.

Sandford Liebesman, Ph.D.
Voting member of the U.S. TAG to ISO/TC 176
ASQ Fellow
Morristown, NJ

For more on this topic, please visit ASQ’s website.

ANSI/ASQC C1-1996 Supplier Testing

Schedule, calendar, timeline

Q: I need clarification on the following, please:

ANSI/ASQC C1-1996 — Specification of General Requirements for a Quality Program — has been included in the required specifications from a prospective customer. Section 3.3.4 states (in the last sentence) “Furthermore, the validity of certifications shall be periodically verified by the buyer through independent testing.”

What criteria (time-frame, suppliers, mills, etc.) should be used to comply with “periodically?”

What testing is to be performed for the required independent testing? Is it to be only a chemical analysis, or are mechanical tests to be performed as well?

Does this standard require independent testing of materials in purchased components such as gaskets, glass, bolts and fittings, or is “raw materials” only meant to be the base materials such as plate and sheet steel that we purchase?

A: To begin with, most establishments, including your customer, already know that materials most often come with material test certificates. For example, when you order a sheet of steel from EMJ Metals or another supplier, they will supply a test certificate along with it.

The certificates include that data which would be most important to your customer such as chemical analysis, mechanical properties, ASTM specifications, etc. You are probably already aware of all this.

As for “periodic” and “independent” testing, here is my opinion:

If you have, in writing, a document stating that all purchased materials will be subject to receiving inspection and such inspections will verify that customer requirements have been met, that will be step 1.

For step 2, if you go to the web site of almost any materials supplier, they will have documentation (quality manual, ISO certification, etc.) which you can use as evidence they are a qualified supplier.

You can then contact that supplier and ask if they will verify, in writing, that they also test the material they are sending. Steel suppliers, like most material suppliers, sell what they receive from the original mills. The material certs they provide to you are made of tests the mills run. A company such as EMJ, which I mentioned earlier, uses what is called a Niton tester to verify chemical make up of the product which they buy and in turn sell to their customers.

Finally, step 3: as with any quality management system, you must “do what you say you do.” So, if you say that part of your receiving inspection includes hardness testing, be ready to provide evidence of that (incoming inspection reports).

In closing, I feel confident that if you prepare the steps noted above, or something similar and communicate this to your potential customer, they will be doubly satisfied with your company. Doubly because all of this would display evidence of an organization with a mature QMS.

Bud Salsbury,
ASQ Senior Member, CQT,CQI

For more on this topic, please visit ASQ’s website.

ISO/TS 16949 Clause 8.2.4.1, Product Testing

Automotive inspection, TS 16949, IATF 16949

Q: Can you please clarify a requirement in clause 8.2.4.1 in ISO/TS 16949 Quality management systems—Particular requirements for the application of ISO 9001:2008 for automotive production and relevant service part organizations. The requirement is as follows: “A layout inspection and a functional verification to applicable customer engineering material and performance standards shall be performed for each product as specified in the control plans.”

We have a third-party auditor claiming that “product” means every part number. Our belief is that this is every product family, not every part number. As a company trying to stay in business, testing every part number is not feasible or cost efficient.

A: This is a controversial area as all production parts that conform to TS 16949 must be PPAPed which is, in effect, an inspection of each part that is produced. If parts produced have different part numbers depending on whom they are supplied to, then one PPAP would be OK. Also, it would be OK if the supplier can get a variance from its customers to the requirement “A layout inspection and a functional verification to applicable customer engineering material and performance standards shall be performed for ‘each product’ as specified in the control plans.” The supplier may want to seek a sanctioned interpretation by the International Automotive Oversight Bureau.

Ron Berglund
Voting member of the U.S. TAG to ISO/TC 176
ASQ Fellow
Canton, MI

Value of CQA Certification in Aerospace Auditing

Q: What groups recognize the ASQ Certified Quality Auditor (CQA) Certification? The CQA is not enough to conduct an internal audit to AS9100:2009 Revision C Quality management systems—Requirements for aviation, space and defense organizations, and I am not trained in AS9100C.

Why become a Certified Quality Auditor (CQA)?

A: Thank you for contacting ASQ Ask the Experts. The ASQ CQA is recognized by companies, industries and organizations worldwide as evidence of an individual that has demonstrated their ability to meet established criteria for quality management system auditing.

AS9100C contains requirements that are specific to the aerospace industry and exceed the ASQ CQA requirements.

Having an ASQ CQA would be a good start toward obtaining an AS9100C auditor certification. However, keep in mind that although first party internal auditors should be trained as auditors, rarely would they be required to be certified for the purpose of conducting internal (first party) audits. I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

For more on this topic, please visit ASQ’s website.