Yours truly recently received a question from one of our many followers, a brother auditor, who writes;
“I blew off… today so that I could conduct an internal audit for a repeat customer. One of their big changes is that they changed their IOP around. My question to you is; does an IOP have to specifically reference the internal audit & calibration processes? Or is reference to the analysis of data and MR sufficient enough? Their IOP last year referenced internal audits, but the new revision doesn’t. I think it should be referenced, but maybe I’m wrong.
”I answered back, “Excellent question! And, I’m impressed that you ask because it shows a level of maturity.” The level of maturity, in this case, is he’s starting to get it. He recognizes that it is the organizations responsibility, not the auditor’s, to define the processes and their interaction. It is the auditor’s responsibility to assess the organization’s compliance with the Standard and demonstrate that they are following documented activities to achieve planned results.
As I penned (typed) these words, it occurred to me that there may be others out there who are uncertain as to the requirements and I decided to share my response.
I went on to say, “I’ve attached a sample Interaction of Processes (IOP) and the following explanation. Caution – should you adopt my model – you will need to be prepared to defend it. Also note that I developed it for a specific client’s AS9100 audit, so in your case, it most likely will be challenged. And, I wouldn’t suggest this as a better way. It’s just another way.”
“Go back to your AS9100 training and think about PEAR (process effectiveness assessment report). The answer to your question lies somewhere between client opinion, your opinion, the interfaces between processes and sub-processes and supporting documentation. If everything hangs together, they’re good, if not, well, Houston, We Have a Problem.”
“Here’s my spin on it…
As you look at my graphic, (Figure 1) you will see, in the middle, the Realization Process (not processes) and surrounding the Realization Process are the Supporting Management Processes each with multiple sub-processes.
My goal was to distill the processes down and keep it as simple as possible so they could then argue, to more or lesser degree, what they do and how they go about doing it – verbally rather than graphically – connecting the dots. That way they had a lot more flexibility and their response could be tailored to fit the conversion at hand.”
“So they successfully argued that the organization had a total of 4 processes (we don’t count process development – bottom left-hand corner, which is more of a place holder and to balance the diagram – Note: this is not Design & Development, which is actually a Realization sub-process.)”
“The Realization Process (that thing which the company does) needs to be clear and match up with what they are actually doing, and theirs [addressing the author’s, client’s IOP] appears to be – although it’s muddy and convoluted which happens when you throw every element into the mix. I would have liked to see what they are measuring, and this is why I listed KPIs in my IOP model, but it’s not a requirement. And (I presume) there will be greater latitude given as auditors become more comfortable with 2015.”
This approach minimized the impact of PEAR (the auditor had only four to write, which made him very happy) and with only one ‘low score’ which had been previously, well documented, CAPA and Management Review, they passed the Registration audit with six minor findings (one of which was written against the IOP. Corrective Action was a slight revision as seen in Figure 1.)
More to come and the why of the question in Part 2.