An IOP by Any Other Name – Part 3

OK, so here we are. We have been asked and answered a question in Part 1. We have looked at why the question came about in Part 2. Now we’ll look at how (at least) one approach for dealing with the requirement.

Do you remember that I said there was a NCR written to the IOP in the AS9100 Registration Audit? Well, that was because there was no dotted line around Continual Improvement as a Management R&A Process (MRP.) We argued that Continual Improvement was a result and not a process but the auditor challenged back that because it was a stand-alone with no relationship to MRP the organization had misrepresented its processes and actually had five, not four processes as claimed. The interim correction was to place the dotted line around it, thereby including it in the MRP and Corrective Action was to re-draw the IOP and reposition Continual Improvement as a Measurement, Analysis and Improvement sub-process.

Figure 5, in its present form, is simple and elegant and is ‘father to the man’ (Figure 1) in Part 1. You will note that each of the four processes include a finite number of sub-processes that may include related sub-sub-processes (yes, I meant to say that) but does not muddy the presentation by including everything. It also clearly depicts the four Key Process Indicators (KPIs) which are themselves determined by a combination of sub-processes.

iop5You will note that there are two major divisions COPs (Customer Oriented Process) or the Realization Process (old clause 7, now 8) and MOPs (Management Oriented Processes) support processes (everything else) broken into neat little packages that identifies a concept without including every element. This aids internal auditing – you can focus on either Realization or QMS which then facilitates identification of status and importance (remember that one?)

Within each of the 4 processes are the sub-processes and this shows how the pieces relate to the whole.

Continual Improvement, as mentioned earlier is included in the Management R&A Process but is not really a sub-process. It is more a planned result and is included to demonstrate commitment to improvement. (This was the only thing that might have, and did give rise to question and trying to explain it away by saying it’s an expectation that planned results will be achieved didn’t work.) Move along – these are not the droids you’re looking for… Correction took care of the problem and corrective action repositioned it where it rightfully belongs.

Now, as you move toward transition, process definition and sequence become more important and as we are reminded, as auditors, all you have is the IOP. If you ‘nail’ this one, everything else falls into place. You might also want to document Tuttle Diagrams for each “process” to describe inputs, outputs and how planned results are achieved because that will be the next question. The easier you make it for the auditor, the smoother the audit will go.

So how do we do that? Well, Mr. Philip Crosby (Remember him from the Quality Gurus?) makes it very easy. Basically, just recreate the diagram below (copy and paste from our website or Google it until you find a workable version) and connect the dots.

The process model worksheet is a simple yet powerful tool for defining new processes, analyzing an existing process to make it zero defect. It is very useful even to explain a process. The steps are as follows;

1. Name the process

2. Scope the process by defining the starting activity and the ending activity

3. Identify the outputs, customers and output requirements

4. Identify the inputs, suppliers and input requirements

5. Define the controlling inputs

Once this much is clarified, the work/process under consideration can be well understood, so that it proofed to perfection

iop6iop7Once you’ve defined your processes and sub-processes, mapped out their interaction, have identified inputs and outputs then you can decide which process (and sub-processes) are most important – KEY, and it very becomes easy to determine what you will measure to find out how effective your system actually is.

I hope this post series has been helpful.

An IOP by Any Other Name – Part 2

In Part 1 we answered a question, now we look at the why of the question.

Our author, just as so many before him, is struggling with a basic flaw in the system; that being a general acceptance (on the part of the auditors and not entirely their fault) of incomplete IOPs over the years and the rebounding that resulted from it.

The following is a good example.

iop2Up until ISO 9001:2000, the 20 elements, most if not all of which required procedures, were considered (interpreted) as ‘the processes.’ The planned results of which was supposed to be a quality product.

You probably noticed I didn’t add ‘service.’ That’s because it was a manufacturing standard. And up until now, everything revolved around product quality and its consistency because (as previously discussed) the Standard was based upon military purchasing requirements and everybody – auditor and auditee was on board with that.

The 2000 revision introduced the Process Approach and in 4.2.2(c) required that, “a description of the interaction between the processes of the quality management system” be included in the quality manual.

So what we saw (Figure 2) was a good representation of what transpired from the time the phone rang with an RFQ to the time product went out the door. And all was well with the world.

This model was easy for the auditor to follow and verify so they were happy and if the auditor was happy, the organization was happy and they paid the Registrar (CB), so they were happy and the Registrar paid the ANAB, RAB in those days (AB) who paid the IAF, so everyone got paid and everybody was happy and it went along this way for the next eight years.

I believe, although not 100% certain, that I mentioned at some point there is a mandatory revision process the Standard must go through, and so it did. In 2008, the next iteration which, by most accounts is nothing more than a re-packaging of the 2000 revision, ISO (is in essence, a publishing house and profiting from the sale of the Standards) needed to find a way to market its ‘latest and greatest’ offering and did so by pointing out that the 2000 revision, ‘rich in new concepts’ had largely been misunderstood, so the 2008 version was everybody’s last, best, chance to get it right – Ka Ching!

Guess what? Most, including the auditors, CBs and ABs didn’t get the message – Again! Figure 2 above, or something like it, depicting an incomplete interaction of processes (IOP) persisted. In some cases, the addition of a ‘rogue’ measurement and analysis, (i.e. Internal Audit) management or resource process found its way into the mix but it wasn’t until sometime later on that full understanding of intent evolved. And, with the introduction of ALL the elements, most IOPs continued as a hodgepodge of jumbled elements (Figure 3) that more closely resembled progression of a bacterial infection than what the organization was actually doing.

iop3There were some solid attempts at creativity (as seen in Figure 4) but for the most part organizations limped along as best they could and the auditors were letting it happen.

iop4For most it remained business as usual with every element included in the IOP and NCRs written for a single omission, hence my brother’s question.

For others it was ‘The Awakening,’ a realization that the Standard was a business model and I’ll share that revelation with you in Part 3.

An IOP by Any Other Name – Part 1

Yours truly recently received a question from one of our many followers, a brother auditor, who writes;

“I blew off… today so that I could conduct an internal audit for a repeat customer. One of their big changes is that they changed their IOP around. My question to you is; does an IOP have to specifically reference the internal audit & calibration processes? Or is reference to the analysis of data and MR sufficient enough? Their IOP last year referenced internal audits, but the new revision doesn’t. I think it should be referenced, but maybe I’m wrong.

”I answered back, “Excellent question! And, I’m impressed that you ask because it shows a level of maturity.” The level of maturity, in this case, is he’s starting to get it. He recognizes that it is the organizations responsibility, not the auditor’s, to define the processes and their interaction. It is the auditor’s responsibility to assess the organization’s compliance with the Standard and demonstrate that they are following documented activities to achieve planned results.

As I penned (typed) these words, it occurred to me that there may be others out there who are uncertain as to the requirements and I decided to share my response.

I went on to say, “I’ve attached a sample Interaction of Processes (IOP) and the following explanation. Caution – should you adopt my model – you will need to be prepared to defend it. Also note that I developed it for a specific client’s AS9100 audit, so in your case, it most likely will be challenged. And, I wouldn’t suggest this as a better way. It’s just another way.”

“Go back to your AS9100 training and think about PEAR (process effectiveness assessment report). The answer to your question lies somewhere between client opinion, your opinion, the interfaces between processes and sub-processes and supporting documentation. If everything hangs together, they’re good, if not, well, Houston, We Have a Problem.”

“Here’s my spin on it…


As you look at my graphic, (Figure 1) you will see, in the middle, the Realization Process (not processes) and surrounding the Realization Process are the Supporting Management Processes each with multiple sub-processes.

My goal was to distill the processes down and keep it as simple as possible so they could then argue, to more or lesser degree, what they do and how they go about doing it – verbally rather than graphically – connecting the dots. That way they had a lot more flexibility and their response could be tailored to fit the conversion at hand.”

“So they successfully argued that the organization had a total of 4 processes (we don’t count process development – bottom left-hand corner, which is more of a place holder and to balance the diagram – Note: this is not Design & Development, which is actually a Realization sub-process.)”

“The Realization Process (that thing which the company does) needs to be clear and match up with what they are actually doing, and theirs [addressing the author’s, client’s IOP] appears to be – although it’s muddy and convoluted which happens when you throw every element into the mix. I would have liked to see what they are measuring, and this is why I listed KPIs in my IOP model, but it’s not a requirement. And (I presume) there will be greater latitude given as auditors become more comfortable with 2015.”

This approach minimized the impact of PEAR (the auditor had only four to write, which made him very happy) and with only one ‘low score’ which had been previously, well documented, CAPA and Management Review, they passed the Registration audit with six minor findings (one of which was written against the IOP. Corrective Action was a slight revision as seen in Figure 1.)

More to come and the why of the question in Part 2.

Internal audit

If you are like most people with a quality system, you have procedures; one of which is concerned with Internal Audits. The standard states:

9.2.1 – The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
a) conforms to:
1. the organization’s own requirements for its quality management system;
2. the requirements of this International Standard;
b) is effectively implemented and maintained, and,

9.2.2 – The organization shall:
a) plan, establish, implement and maintain an audit program(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) take appropriate correction and corrective actions without undue delay;
f) retain documented information as evidence of the implementation of the audit program and the audit results.

if you are like most people with Internal Audit procedures, you have carefully word-smithed the verbiage to address all the “shalls,” individually, just in case. And, if you are like most people who have addressed all the points, you most likely have a sentence in your procedure that addresses the requirement; “Auditors shall not audit their own work” which was passed down to us from time immemorial.

I understand what ISO was trying to communicate with this requirement and I also understand, in some cases, it is absolutely impossible for a small organization to meet the letter of the law. It is also regrettable that most Auditors looked upon this requirement as ‘Etched in Stone’ and woe unto you, poor quality guy, whose senior management wouldn’t spring for a team of trained in-house auditors or for a 3rd party audit of the processes you manage.

Yep – The MR Audit came into being for no other reason but to give you ulcers and a new line item in your annual budget! For the auditor it was just too easy to say;” Who audits you?” and wait as you stutter the name of an amorphic entity obviously made up internal-auditof Day-Glow Ectoplasm, the name of whom (if you have been really creative) may be on some sort of training record to prove competence, but whose handwriting is remarkably ‘similar’ to yours.

This is not exactly what ISO had in mind.

From the very beginning, ISO had presented us with a ‘Best in Class’ set of practices, their business model, if you will, to address the various issues organizations face, that if done so ‘properly,’ would lead to improvements in efficiency and effectiveness of performance processes.

The purpose of not auditing your own work was to prevent ‘cheating.’ Best Practices are transparent. Best Practices hold you accountable. So the point was to promote truth in disclosure.Internal Auditing is intended to be a process which honestly looks at the systems and assesses them fairly in order to make a recommendation as to the level of compliance with a particular requirement and if found to be not compliant, to make the necessary changes to bring about compliance. So, what’s a QA guy to do? You do the best you can. You audit fairly and honestly. You document weaknesses and initiate corrective actions regardless of who the process owner is. In short, you do your job!

The good news is with the advent of the revision to ISO 19011 (in 2011) and ISO 9001 (which has omitted that critical line, “Auditors shall not audit their own work”) and then provided ‘a way out’ with the inclusion of the guidance note: NOTE See ISO 19011 for guidance, all is now well with the world. Did you stay with me? Do you understand what this means? Have you read ISO 19011:2011 – Guidelines for auditing management systems?

It means we can ‘legally” audit our own work (if we have to) because *ISO 19011:2011 Section 4(e) states, “For small organizations, it may not be possible for internal auditors to be fully independent of the activity being audited, but every effort should be made to remove bias and encourage objectivity.”

Audit and be happy… and I suggest that, if you are like most people who have an Internal Audit procedure which addresses ALL the requirements of the International Standard you might want to make a small change to that verbiage with something like: “The MR ensures that auditors are independent of the area audited, wherever possible*.”

*See *ISO 19011:2011 Section 4(e).

Royalty-Free Image courtesy of