Understanding the process approach Helping the auditor to interpret the process approach If the auditor does not understand or misunderstands the process approach, direct him or her to recognized information sources, such as ISO 9000:2000 and ISO Guidance on concept and use of the Process Approach for management systems (ISO/TC176/SC2 N 648). (add a link)The certification body/registrar should ensure that all its auditors have received sufficient training regarding new requirements in ISO 9001:2000, in particular on the process approach. Thus the auditor should realise that several steps are needed, including the following:
- determining the processes and responsibilities necessary to attain the quality objectives of the organisation;
- establishing and applying methods to monitor and/or measure and analyse each process;
- establishing and applying a process for continual improvement of the effectiveness of the QMS.
The process approach concept must be so well understood by the auditor that he is not limited by the terminology in the standard; the auditee may use a more or less different one. The auditor must be aware that the application of the process approach will be different from organisation to organisation, depending on size and complexity of the organisation and its activities. Special consideration should be given to the situation in SME’s, so that the auditor does not expect so many processes in the QMS.
Helping the auditee to interpret the process approach If the auditor is faced with a complete misunderstanding by the auditee, this situation should normally be identified at the 1st stage audit.
The auditor should refer the auditee to recognized information sources, such as those indicated in the section above.
In particular N648 sets out different steps in the process approach and provides useful guidance with examples
The auditee should also pay sufficient consideration to
- identification of process objectives,
- process planning,
- availability of suitable records.
The auditee may have identified too many processes; some or all of them are activities which do not fulfil the requirements of a process in the sense that ISO 9001:2000 uses the concept. If so, the auditor should in the 1st stage audit propose that the auditee performs a redefinition of its processes based on e.g. the criticality of the activities. This might be particularly relevant for SME’s.
If by exception the misunderstanding is not detected until the 2nd stage audit an NCR should be raised. The auditor then has to consider the possibilities in accordance with the rules of the certification/registration body concerned, e.g. continuation of the audit, re-audit or even termination.
How to evaluate if the auditee has not implemented the process approach? The auditor should determine whether it is a real or a formal lack of implementation, or something in between. A real lack of implementation would be characterised by e.g. no clear flow of information and/or products between functions, long or inconsistent lead times from enquiry to delivery of products, in addition to absence of process objectives and analysis.
The other extreme would be when all activities of importance for a defined quality of the deliverables are found to be well implemented and interrelated, including e.g. purchasing, and responsibility for product lines from enquiry to, say, final transport is established, but the process approach concept is not used. If all requirements in clause 4.1 are in fact met, there should be no NCR raised with reference to that clause.
However, if the description of interrelations is lacking in the quality documentation there would seem to be a non-compliance with clause 4.2.2.
If the auditee has missed one or more of the requirements in clause 4.1 an NCR should be raised. Depending on the extent and importance of the non-compliance the auditor has to consider the possibilities in accordance with the rules of the certification/registration body concerned, e.g. continuation of the audit, re-audit or even termination.
What should the auditor consider when auditing a process? The auditor should form questions based on the definition of an ISO 9001:2000 process but transform them for the actual situation so that the auditee can understand what the auditor wants to know. Some of those basic ingredients are
- objective: what is the intent with the process?
- input: what is going to be treated? From where does it come?
- activities: what is done in these particular steps?
- output: what has happened with the input? What is the outcome? Where does it go? Is the output in line with the objective/intention?
- resources: what is needed for the activities in terms of personnel, information, equipment etc? Are the necessary resources available?
- monitoring/measuring: what is monitored or measured to see that the activities are performing as intended? Are the parameters selected for monitoring or measuring suitable? Are there any particular arrangements such as inspection?
- analysis: what is done with the information gained from monitoring or measuring of the activities? Who takes care of this?
- improvement: is improvement of the process included in the auditee’s program for continual improvement? The auditor should realise that all processes cannot normally be improved simultaneously; the auditee must prioritise. (check terminology with TF 1.2)
To get general information the auditor should find out who is responsible for the process, but he should be aware that ISO 9001:2000 does not require a formal “process owner”.
Processes versus subprocesses There is no requirement in ISO 9001:2000 or no generally accepted rule as to how complex or how simple a process can be. If all requirements in clause 4.1 are fulfilled, the auditor should respect any reason for the design of the processes put forward by the auditee.
Where a very complex process can be divided into two or more less complex processes, each of which fulfils all requirements in clause 4.1, the auditor may present this as a possibility but not as a recommendation – the latter could be interpreted as consulting and may also transfer undesired responsibility to the auditor.
Difference between documentation and implementation
The quality manual / documentation may lead the auditor to believe at the preparatory
stages that the systems is implemented according to the process approach, but the on-site reality may be the opposite.
In this case the auditor would find a lack of implementation characterized by e.g.
–the auditee’s essential functions or departments operating with weak interactions,
This would be a non-conformity with requirements of clause 4.1 and an NCR would most probably have to be raised. Depending on the extent and importance of the non-conformity the auditor also has to consider the possibilities in accordance with the rules of the certification/registration body concerned, e.g. continuation of the audit, re-audit or even termination.
Disagreement between the auditor and the auditee as to the “correct” way to implement the process approach There is no universally “correct” way to implement the process approach. The auditor and the auditee must be aware that the application of the process approach will be different from organisation to organisation, depending on size and complexity of the organisation and its activities. Special consideration should be given to the situation in SME’s, so that the auditee does not require or define so many processes that the application of the process approach will become a burden rather than a benefit to the SME. If all requirements of clause 4.1 are in fact fulfilled no NCR should be raised.
The auditor and the auditee should realise that what really matters is that the auditee
- operates with a well defined, consistent, effective and efficient flow of its activities, I including continual improvement, to attain the satisfaction of the interested parties,
- has a sound strategy for the future, and
- has the right to disagree with auditor’s possibly subjective interpretation of the requirements of the standard.