Blog

Posts Tagged PDCA

ISO 19011 – Guidelines for Auditing Quality Management Systems

The blog reviews additions and changes to the guidance for auditing quality management systems, ISO 19011, including guidance on remote auditing.

If you have ever taken a lead auditor course, one of the critical handouts for the class should have been ISO 19011. The title is “Guidelines for Auditing Quality Management Systems.” In November 2011, this Standard was updated, and the changes were not superficial.

ISO 19011 covers the topic of quality management system auditing. This Standard provides guidance on managing audit programs, conducting both internal and external audits, and how to determine auditor competency. Improvements to the 2011 Version of the Standard include:

  1. Broadening the scope to all management systems
  2. Clarifying the relationship between ISO 17021 and ISO 19011
  3. Introduction of remote audit methods
  4. Introduction of risk as an auditing concept
  5. Confidentiality is a “new” principle
  6. Clause 5, Managing an audit program, was reorganized
  7. Clause 6, Performing an audit, was reorganized
  8. Clause 7, Competence and evaluation of auditors, was reorganized & strengthened
  9. Annex B is new, and the contents of the help boxes were moved to this Annex
  10. Annex A now includes examples of discipline-specific knowledge and skills

One of the most common points of confusion in the lead auditor course is the difference between first, second, and third-party audits. In the previous revision of this Standard, this was just a note at the bottom of page one and the top of page two. The note was not very clear either. The new version of 19011, in Table 1 (reproduced below), the difference between these three types of auditing is crystal clear:

19011 table 11 ISO 19011   Guidelines for Auditing Quality Management Systems

The above table is just an example of the improvements made to ISO 19011, and of course, there is a little value-add to clarifying a definition. Figure 1 from the new version, “Process flow for the management of an audit program”, is a better example of a “value-add.” This vertical flow chart is reminiscent of Figure 1 from ISO 14971:2007. It categorizes the various stages of audit program management into the Plan-Do-Check-Act (PDCA) cycle. I highly recommend this style for presenting any process in your internal procedures as an example of best practices in writing an SOP. The flow chart even references each of the clauses in the Standard. Unfortunately, Figure 2, “Typical audit activities,” does not categorize the stages of audit activities (Clauses 6.2 – 6.7 of the revised Standard) into the PDCA cycle. I guess they needed to leave some improvement for the next revision.

The new version retained the opening meeting checklist that was in the previous revision (Clause 6.4.2), and Clause 6.4.9 has a brief closing meeting checklist. Figure 3, “Overview of the process of collecting and verifying information,” is a poor example of a flow chart. Should I make a better one? (Send me an email if you think I should.)

The most valuable changes in this revision are Clause 5.3.2, “Competence of the person managing the audit program,” and all of Clause 7. Most of the audit procedures I read neglect to define the qualifications and methods for determining the competency of the audit program manager. Clause 5.3.2 tells you how. Put it in your own procedure. Most of the procedures I read include qualifications for a “Lead Auditor,” but I seldom see anything regarding competency. Unfortunately, this Standard only specifically addresses the “Lead Auditor” competency in a two-sentence paragraph—Clause 7.2.5. When I teach people how to be a lead auditor, I spend more than an hour on this topic alone. 

ISO 19011 Standard

The Standard would be more effective by providing an example of how third-party auditors become qualified as a Lead Auditor. Third-party accreditation requires the auditor to be an “acting lead” for audit preparation, opening meetings, conducting the audit, closing meetings, and final preparation/distribution of the audit report. This must be performed for 15 certification audits (i.e., – Stage 2 certification or re-certification), and another qualified lead auditor must evaluate you and provide feedback.

The last significant additions to this Standard were the Appendices. Annex A provides examples of discipline-specific knowledge and skills of auditors. This section is a little on the dull side. I prefer to tell a story about the internal auditor that was auditing incoming inspection—but they had no idea how to check for calibration, or how to measure components.

Appendix B, the finale, has a table (Table B.1) that provides some guidance on how to conduct remote audits (i.e. desktop audits). I was pleased to see that conducting interviews is a significant part of remote auditing in this table. Section B.7 provides some suggestions concerning conducting interviews. Still, if you exhibit all 13 of the professional behavior traits found in Clause 7.2.2, then you don’t need any advice on how to speak with people. For the rest of us mortals, we could use a five-day course on interviewing alone.

Posted in: Auditing

Leave a Comment (0) →

How to Write A Procedure: 6 Secrets to Improve Effectiveness

The author, an experienced trainer, shares six secrets for how to write a procedure and improves its effectiveness.

During a CAPA course I taught earlier today, one of the attendees asked if I have a course on “How to Write Better Procedures.” Unfortunately, the only material I could offer was material from a course I taught on Training the Trainer.” That training course focused on visual communication. There are several books related to Lean Manufacturing that explain indepth how to use visual communication to replace text (i.e., – “a picture says a thousand words”). During my ride home, however, I thought of a few other ideas that might help anyone that is in the process of writing or re-writing a procedure.

1. Develop a standardized format for procedures. If you have a procedure for writing procedures, ensure you allow the flexibility to deviate from the standardized format. The Standard does require that procedures have a “mandatory” format. Referring to the standardized formatting as “suggested formatting” will avoid unnecessary nonconformities.

2. Avoid making unnecessary references to other external standards. If you are writing a procedure on risk management—it makes sense to reference ISO 14971. It does not make sense to reference all the other risk analysis standards, unless you are specifically using them to perform risk analysis. Included in this category would be references to other regulatory requirements, such as 21 CFR 820 or Part 1 of the Canadian MDR. Companies can claim compliance with other requirements in the Quality Manual instead. What should be referenced in a document is any related procedures or forms.

3. Avoid including the revision of a Standard. This is just another opportunity for unnecessary nonconformities. If you don’t specify the revision, then an auditor can only assume that the most current revision of the Standard is implied. If changes to a Standard are minor, no changes to a procedure may be warranted and a revision to the procedure can be avoided—assuming that the revision of the Standard is not specified. Some argue that you should include the revision and update the reference to document that the procedure was reviewed to determine if changes were warranted. This is unnecessary. A review of procedures, where the decision is made for “no change,” can easily be documented in the Management Review under the category of “New and Revised Regulatory Requirements.”

4. Indicate the process owner and training requirements associated with each procedure. By doing this, it is easier to define who is responsible for reviewing and revising procedures—as well as who is assigned CAPAs if there are findings related to the process in question.

For the training requirements, the process owner should specify who needs to be trained on the process. Why? They know the procedure best. If there is a “grey area,” this should be resolved with the department manager for the job function in question. In addition, retraining requirements should be specified. By this, I mean that it is a good idea to indicate if retraining is required when a procedure has been revised. If the revision is minor, training should only be required for people that have not been trained to a previous revision.

5. Adopt the Plan-Do-Check-Act (PDCA) model for the structure of procedures. For the “Plan” portion, the procedure should explain how to prepare to do something. This planning activity can apply to anything from planning to perform an audit to planning to inspect incoming raw materials. The “Do” portion is what most people refer to as the “Procedure” section. The “Check” portion of the procedure is a great place to specify the monitoring and measurement requirements for the process (see Section 8.1 of the Standard). Finally, the “Act” portion of the procedure should indicate what to do when target metrics are not met. For example, what should be done when an alert limit is reached? What should be done when an action limit is reached?

6. Include revision history. It’s extremely helpful to know which Engineering Change Order (ECO) approved the document revision, why the changes were made, the nature of changes, whether there is a related corrective action and when the change was made.

 

Posted in: ISO Certification

Leave a Comment (1) →