IA Catchwords- Series- 6

No Clarity

Auditing process calls for clarity of thoughts, observation, and presentation. Thoughts are converted into questions, to elicit answers. A clear thought helps to observe, assess and question. Once the answers are elicited, clarity in identifying the non-conformances and arriving at what could be the process problem becomes easier. Auditors shall clearly distinguish between trivial many to the focused one problem. Clarity in recording and answering questions to the auditors is another important factor, to prevent wrong assessments during auditing. There shall be clarity in the various documents/process instructions used in order to sustain the process and to ensure obtaining consistent results. Many of the non-conformances observed are due to lack of clarity in understanding the process objectives.

No conclusions have been arrived at

Reviews and Meetings are essential for sustenance and growth. Discussions take place on the various issues pertaining to customers, operations, and business. Top Management conduct these meetings to identify and resolve those that had been pending due to decisions from the top management. Once planned, it is necessary to follow the routine. It has been observed that while the QMS reviews are being done, records of such reviews invariably do not provide responsibility for taking further actions, target dates for completion, specific actions and decisions to prevent the problem from recurrence, etc., Either it is a problem of recording or decision-making. In order to prevent such incomplete records, it is suggested that tailor-made templates are used for recording. A detailed planning is essential to design such templates, to cover all the agenda points needed. Further, data presentation in such reviews shall be focused to identify actions and solutions, and not merely as a raw data, without analysis. A combination of data analysis and attitude shall play the trick.

No controls

Process Control is an important activity. For any process, controls are to be established to obtain consistent outputs and results. Controls are of 2 types- specifications and processes. While specifications are given by the process design, control limits are given by the acceptance criteria for operations. No controls, means either operationally not meeting the limits, or the limits are not established. It may also mean that the limits are established, but not monitored and controlled, meaning thereby, that the process output has not been consistent. It could also mean that there is no process measurement in place to monitor and control. QMS standard calls for documents for effective planning, operation and control of processes. If any of the processes has gone out of control due to absence of documents identifying controls to be established calls for measurement, then they need to be brought under control.

No planning

Planning is a basic requirement for establishing and maintenance of QMS. QMS standard has identified Planning under the following categories- Documents to be planned for effective operation and control of processes, QMS planning at the organizational level (strategic/operational), process planning for product realization, planning of design processes for realizing the product design, planning of production/service, and planning of monitoring, measurement, analysis and improvement of processes and product. These are mandatory. However, under product realization planning, functional planning would help to achieve the functional objectives and measurement objectives. A comprehensive planning encompassing functions, resources, and operations, would go a long way to achieve the corporate and functional objectives. An auditor needs to spend considerable time in assessing the formulation of plans for arrangements, resources, and intervals, resulting in expected results, records, and documents. A few of the examples of Plns are Quality Plan, Control Plan, Sales Plan, Production Plan, Training Plan, Design Plan, Calibration Plan, Testing Plan, Material Procurement Plan, Design Verification and Validation Plan,

IA Catchwords- Series- 5

Frequency of review is not followed

Reviews and Meetings are essential for sustenance and growth. Discussions take place on the various issues pertaining to customers, operations, and business. Top Management conduct these meetings to identify and resolve those that had been pending due to decisions from the top management. The frequency of review is normally fixed taking into account the status and importance of the activities being reviewed and the availability of participants. Once planned, it is necessary to follow the routine. It has been observed that while Business reviews are done as per the schedule, the QMS reviews are invariably either delayed or cancelled. In order to avoid such incidences, it is suggested that the reviews are integrated with the Business reviews and/or done in 2/3 tier structure. If the reviews are not carried out or not effective, the result would be a weak system resulting in not meeting the Business Objectives.

Instructions were not available

Instructions are essential for effective planning, operation, and control of processes. They are a means by which information is passed on to carry out or test processes. They need to be clear, and unambiguous and provide Do's and Don’t's. Verification of availability of instructions to ensure process effectiveness is necessary, where the absence of such instructions would adversely affect the process performance. This includes visual, dimensional, functional, performance, comparison with standards/specifications, etc.,

Look at /Look for

"Looking at" is a powerful tool for an auditor. One looks at the documents, records, processes, people, equipment, measurements, data, etc., It is a phrase used to convey the observations in precise terms. This phrase is invariably followed by the phrase "looking for". One looks at the operations, documents, and records for conformance. In fact, it is a logical combination of observation and result.

Mapping of defect classification is not done

Defects are observed and recorded. In order to analyze the causes of defects, and identify corrective actions, they are to be prioritized. A good practice is to classify them according to their impacts on the final result. There are many ways of defect classification- such as impact-based, cause-based, results-based, process-based, product-based, customer-based, project-based, etc., The type of classification is influenced by the objective of the process/project, type of defects, and the stage of defect observation. Once the classification is done, investigation is carried out using a mapping technique. Mapping is done using techniques to identify patterns, and trends that might indicate causes.

IA Catchwords- Series- 4

 

Corrective actions are not identified

This applies to product, process and system related NCR's. Corrective actions are evolved/identified based on data collection during processing and internal auditing, periodically analyzed, identifying root causes of the problems and prioritizing them to identify corrective actions. While disposition actions addresses the immediate redressal/attending to the NCR for prevention of the specific product/process/system to go out of control, corrective actions are to be identified to eliminate the root cause and to prevent recurrence. There are many opinions on this issue. One is that for every product/process NCR, there shall be a Corrective action. Another point is that many problems may occur randomly, which may not repeat and hence such problems may not need Corrective actions. However, in the case of system related issues, for every observed NCR one may not be able to implement corrections, but Corrective action is to be identified and initiated. In the case of Customer complaints, many customers demand corrective actions for every NCR/Observation observed by them. Obviously, it needs to be addressed. Please remember that for every NCR, be it product, or process or system, there are 3 levels of addressing them- correction, Corrective Action and Preventive Action. Never gets confused between Corrective and preventive actions. While Corrective Actions prevent recurrence of problems, Preventive Actions prevent Occurrence of problems.

 

Customer complaints are not closed

Customer complaints are always causes for concern. It is imperative that these are complaints are properly recorded, irrespective of their nature. No filtering is recommended. A centralized system of recording is recommended to ensure customer focus. This recording shall ensure availability of complete details- both technical and systemic. The system shall have mechanisms for immediate redressal, including replacement, if any, and their closure to the satisfaction of the customer. The closure details shall be available along with the complaint details. Closure could be one of correction or of corrective action or both. A clear definition of the closure mechanism shall be established and documented. Closures shall be evidenced for all the recorded complaints. If it involves, the reporting the corrective actions to the customer, the same shall be evidenced. Closure shall include verification of effectiveness of the corrective actions taken by checking the elimination of the nature of the complaint. Closure actions shall include complete investigation, analysis and objective evidence of changes in the system. The absence of any one of the above would mean that the complaint is not closed.

 

Data is not being captured

Data and Measurements are the backbones of any QMS. Data capturing is essential for sustenance and improvement of the processes. Data may be available, but if not captured, the process performance cannot be measured. If one wants to know the status of any process, data capture is essential. There are many methods of data capture. It could be recorded either in soft or in hard copy. It could be automatic or manual. It could be in analog or in digital form. It could be elaboration of process parameters, performance details, personnel data, machine capabilities, specifications of products/ raw materials, delivery data, etc., In short, data capturing provides a complete snap shot of the processes. It could be vital/essential/desirable for the operations of the business. It could include both business and operational processes. If either the data captured is inadequate or ineffective, then it is necessary to review the process for improvement.

 

IA Catchwords- Series 3   Conditions are not specified   In order to achieve the process objectives, certain operating conditions may be needed. These may include -Men, Equipment, Method, Materials, Measurement, employee skills, testing, Environment, Specification, etc., If the absence of those conditions affects the product/process performance, it is necessary to bring them to the notice. Conditions are to be of measurable parameters		.
Control is not adequate   Controlling includes processes, and product. Adequacy of control is evidenced by measurement- outputs of processes as per the plans. The plans therefore, shall specify measurement criteria. Controls are identified by the Procedures, process instructions, work instructions, etc., Inadequacy of control is observed when the planned results are either not achieved consistently or achieved under conditions not specified.

DO INFORMATION TECHNOLOGY COMPANIES NEED BOTH CMMI AND ISO 9001 STANDARDS- AN OPEN DISCUSSION?

 
Conceptual
ISO 9001 is an "audit standard" and CMMI is a "process model". Hence, conceptually, they are quite different- it is almost like Apples and Oranges and hence cannot be compared, even though ISO 9001 standard is also based on "process approach".
CMMI focuses on engineering and project management processes whereas ISO's focus is generic in nature.
While, CMMI is a set of related "best practices" gathered from many product engineering and software development organizations, ISO 9001 standard is a certification tool that certifies businesses, whose processes conform to the laid down standards and is focussed on product and Service Quality
CMMI requires ingraining processes   into business needs so that such processes become part of corporate culture and do not break down under the pressure of deadlines. ISO specifies to conformance and remains oblivious as to whether such conformance is of strategic business value or not.
Although CMMI focuses on linkage of processes to business goals, customer satisfaction is not a factor in the ranking whereas customer satisfaction is an important part of ISO requirements.
Neither CMMI nor ISO requires the establishment of new processes. CMMI compares the existing processes to industry best practices whereas ISO requires adjustment of existing processes to confirm to the specific ISO requirements.
The comparison of CMMI Vs. ISO reveals that while CMMI is more focused, complex, and aligned with business objectives, ISO is flexible, wider in scope and not directly linked to business objectives.
ISO 9001 QMS- Strengths
The ISO 9000 Standards is a very practical management system, that ensures good quality of product or service in any business environment. The ISO 9001 Certification is recognized worldwide as a hallmark of professionalism and commitment to quality. The latest version, the ISO 9001:2008, is especially relevant to the Services Sector, focused on fulfilling customer expectations, improving the quality of an organization's business and management processes, so that when a job is done it is done well, first time, every time.


The ISO Certification process is extremely significant, as it is taken just once in the lifetime of any organization.

 
Benefits from an in-depth ISO 9001 implementation

• Creating an Organization structure, functional and flexible for growth
• Practical and easily implementable systems and procedures
• Developing a more systematic approach to day-to-day operations
• Consistency in the quality of the product or service being achieved
• High awareness of quality achieved, throughout the organization
• Reduction in operating costs like- employee costs, equipment costs in operation and maintenance
• Profitability increases by 10-25%. (when implemented properly)
  
• Makes organization systematic and reduces dependence on individuals.
  
• Clarity of responding and authority.
  
• Lesser defects
  
• Help to identify best practice and ensure everyone in the organization is moving in the right direction.
  
  

ISO 9001:2008 provide a tried and tested framework for taking a systematic approach to managing your Business activities. To get customers – and to keep them satisfied- your product or service needs to meet their requirements.
The ISO 9001 standards give organizations an opportunity to increase value to their activities and to improve their performance continually, by focusing on their major processes. The standards place great emphasis on making quality management systems closer to the processes of organizations and on continual improvement. As a result, they direct users to the achievement of business results, including the satisfaction of customers and other interested parties.

 

CMMI is meant to help organizations improve on their capability to consistently and predictably deliver the products, services, and sourced goods their customers want, when they want them and at a price they're willing to pay. From a purely inwardly-facing perspective, CMMI helps companies get from estimates to actuals in the black, keep customers happy, and purchase the right things the best way.

Strengths of CMMI

CMMI is just a model, it's not reality. Like any other model, CMMI reflects one version of reality, and like most models, it's rather idealistic and unrealistic -- at least in some ways. When understood as *just* a model, people implementing CMMI have a much higher chance of implementing something of lasting value. As a model, what CMMI lacks is context, specifically, the context of the organization in which it will be implemented for process improvement.
Putting it all together: CMMI is a model for process improvement from which (astute) organizations will abstract and create process improvement solutions that fit their unique environment.The Practices (which are much more numerous) are "expected" elements of the model. That means that the SEI expects that an organization will have to perform all of those Practices in order to achieve the Goals. Organizations occasionally employ "alternative practices" to achieve the Goals, and when they do, that is OK. As long as each Goal is achieved, the actual Practices that are employed are not an issue.


The Sub-Practices and other information in the CMMI are merely "informative" elements of the model. That is, they are there to provide additional information to help the reader to understand the intent of the Goals and Practices. There is no requirement (or even expectation) that an organization will perform all of the Sub-Practices.


Naturally, if your organization is not under a mandate to achieve a Maturity Level rating, then the Practices, and even the Goals in the CMMI take on more of a suggestive flavor.

The SEI designed the CMMI to be a roadmap for process improvement. When the CMMI is used by an organization that has no interest in process improvement, its use can (and often does) become abuse. Processes are written solely to satisfy a CMMI Appraiser, but with little or no thought for how they will affect the organization's work. Paperwork grows seemingly without bounds, and people feel that they are drowning in "process for process' sake".

In these organizations, the CMMI's primary purpose (a roadmap to improvement) is lost, and it becomes a straightjacket for the organization and its people. It becomes abusive as it is abused by those whose primary objective is a Maturity Level rating. And many of these organizations end up with no more than they sought: a Maturity Level rating and process binders sitting on shelves gathering dust while business goes on little improved from its starting point.

 
Supplementing strategy

 
A company having both CMMI and ISO 9001 has the advantages in running its Software processes to the optimum as well as having the product quality- the end result, in tact and with continual improvement in customer satisfaction and hence they are supplementary in nature. While the process mapping is in the domain of CMMI, process auditing is the backbone of ISO 9001.

 
Internal Auditing for conformance to ISO 9001 standards provides a framework for maintaining product/service quality. The internal auditing ensures that the business processes are stable, consistent, and followed as per the laid down requirements.

 
Hence, as a strategy, it would be a better option to maintain CMMI with a strong ISO 9001 internal Auditing. As an extended strategy, outsourcing of internal auditing helps to provide valuable inputs to the management on the health of the QMS standards.

 
Outsourcing Internal Audits

 
Although organizations consider that the third-party ISO 9001 Annual Surveillance Audits provide independence, integrity and value, their outcome is often simply permission to conduct business as usual. Competitive cost pressures have created a commoditized, streamlined environment where these audits focus narrowly on adherence to specific quality, safety, environmental or financial standards. As a result, these audits too often leave companies with a handful of persistent performance problems and unidentified business risks that can erode shareholder value.

In respect of Internal Quality Audits, the companies find that the findings initiated by their own company's employees, trained as internal auditors, were minor and did not add any value. Findings were of the document control type, incomplete tags which didn't move the company towards continuous improvement activities. These findings simply weren't important to them.

There is an option of making this Internal Auditing more effective, more value-adding and providing a business overview- outsourcing this function.

In the paper and presentation seen at the ASQ Audit Conference in October, 2008, "Effective Internal Audits: Is Outsourcing the Answer?" Denis Devos reveals results of his study which shows that "there is a growing tendency for organizations to rely on the services of professional auditors to perform audits". In his study, Denis completed a survey of 155 companies. 76% - 86% (nonautomotive companies vs. automotive companies) of the companies surveyed had outsourced the internal audit function, even though there was an "internal" audit team in place.

Today, experienced auditors go beyond the conformity by identifying levels of compliance with – and the effectiveness of – a company's own established best practices, management processes and business excellence framework. The detailed, customized analysis generated, gives business leaders a genuine insight into how effectively their current business management systems are performing and how they can use them to create even more value for customers and shareholders. Importantly, they also provide a road map for the continual improvement that many standards require and that is necessary to build and maintain competitive advantage. This can also be an effective tool for measurement of performance excellence


Conclusions

 
A sensible approach would therefore be to have both CMMI and ISO 9001 and reap the best of both thro' a strong ISO 9001 Internal Auditing

Dear All,

Interviews are the heart of every audit: they can provide key information to help understand the successes and challenges of systems, businesses, and the clients they serve

I was invited to participate in an evaluation of interviewing skills as an Auditor, towards building a successful relationship with an audit client.

This on-line evaluation was administered by Quality Professionals' Resource Center located in Canada, by leading experts in journalism.

I am happy to share the results of such an evaluation as given below

 

 

Dear Ramachandran,

Based on our evaluation of your interviewing skills, we would place you on the 'Trainer' level. Your technical skills and knowledge combine well with a customer-focused approach to your communication strategies. You are a good and observant listener. You know how to read the body language and non-verbal signals to understand what is important to the client and leverage this information for better results. Clients are happy with your audits and audit results in most cases.

 

 

 

 

IA Catchword- series 2

1. Authority for clearing the product when NC's are observed is not defined

First of all, it is necessary to define as to what constitutes a product NC. NC is observed, when the specified acceptance criteria are not met. Once the NC is identified, there are 4 ways by which this NC is disposed off/ cleared. They are Rejection to take the product out of the line altogether, Rework to the extent that it can be brought back to meet the specified acceptance criteria , Regrade to a lower quality category with a different acceptance criteria, if there is a provision to do so or Accept the product without doing Rework at a lower quality level. In all these cases, there is a degradation of quality to the customer and /or business profits. In order that occurrence of such an NC is made known to the concerned Top Management, it is necessary that specific authorities are defined in each of the above cases. It could be even the customer, whose concurrence is obtained before the product is released. The causes of the NC are also important to be identified, to ensure that correct decisions are taken.

2. Causes of Non Conformity not established

Once the Non conformity is observed, the first task is to always clear/dispose off the same, to ensure that the process moves on unhindered. Since the standard looks for recording such nonconformities, data is generated, identifying the NC's observed and the actions taken to dispose of the same. Over a period of time, the collected Nc's are to collated (Bunched) in a meaningful manner to identify the root causes of such NC's. This bunching is done in a systematic manner, using various tools, such as 7 tools of Quality Control. Ultimately, establishment of causes of NC, leads to one or many of the following -Men, Equipment, Money, Method, Materials, Measurement, Environment, Specification, etc., Again, during collation, care shall be taken to identify and prioritize clearly, the underlying causes and to eliminate the trivial many to selected few. The effectiveness of such an analysis depends on use of sound technical concepts, in addition to system tools.

3. Check

Check/Verify- is a standard Auditing phrase and is a part of the PDCA Cycle. Checking as per the standard means- monitoring, measuring processes and product against policies, objectives, and requirements for the product and reporting the results. One shall has to keep in mind that checking/verification is done against the requirements of the standards, procedures, records, etc., in order to ensure completeness, integrity, and effectiveness of the process.

To be continued…………………

Series on Internal Auditing

Series on Internal Auditing
Hi,
I would like to share my auditing experiences in the form of explanations on the NCR’s raised by auditors.
This would help the process owners to make sure that their processes are in compliance with the standards requirements. As internal auditors, these catchwords would help them identify non-conformance areas and write clear, unambiguous, and correct NC reports.
Kindly go thro the same and comment
Thanks
IA Catchword- series 1
1. A cause for concern
When you observe that the process is not adequately controlled and the trend of the compliance/product quality is deteriorating, it is a cause for concern. You may also find that there is an attitudinal problem and no actions are taken to contain the problem.

2. Acceptance criteria not specified
For any product/process being measured, there shall be a criteria/conditions which specify if the product/process is acceptable for further processing. This is applicable even for visual checking for attributes. The objective of this is to ensure that only processes/products which are acceptable are passed on further. Sometimes, the Inspector ignores/do not attach importance to the tolerances specified, stating that it will not affect the process/product. In such a case, Auditor shall identify as an observation and ensure that the acceptance criteria is reviewed, to reflect the existing conditions

3. Actions towards prevention of recurrence not evidenced
One of the important aspect of ISO 9001 is that actions shall be identified to prevent recurrence of chronic/repetitive problems. Invariably, many of those repetitive/chronic problems are not attended, either because they are minor in nature or solutions which calls for infrastructure improvement or just not analyzed. Auditor shall verify further if those problems have resulted in any customer concern or quality concern. in such a case, it is necessary to identify corrective actions to prevent recurrence.

4. Analysis of customer complaints not done
Continual Improvement is important for any Business growth. Towards this, one needs to collect information on the performance of the products/processes. Customer complaints offer an opportunity towards this. It is necessary, therefore to collect the customer complaints, collate the data with a view to analyze and in such a manner that probable causes are identified. Analysis of this data shall be done periodically, to elicit workable solutions. If the data is too trivial, and does not provide any meaningful causes, then also it is necessary to use the various analytical tools and arrive at a conclusion. Analysis shall be done thro' an investigation process and using various tools. The results of analysis shall be a list of controllable and uncontrollable factors and using a filtering technique, corrective actions shall be identified.

To be continued…………………

Preventive Actions
One of the difficulties in auditing a preventive action program is that some organizations don’t understand well the differences between corrective actions and preventive actions.

A corrective action is taken on a detected nonconformity to prevent it from happening again. An organization will first correct or contain the problem, and then determine its root cause so they can take corrective action to prevent its recurrence.

When we act to “prevent” a repeat of a detected nonconformity, that is full and complete corrective action, not preventive action.

Preventive action is when we anticipate a potential problem and take action to eliminate the possible causes and prevent the occurrence of the nonconformity.

Auditing a preventive action program begins with a review of the preventive action procedure required by ISO 9001:2008. Of course, an organization may choose to have corrective actions and preventive actions covered in the same documented procedure. This is acceptable as long as the requirements in both clause 8.5.2 and 8.5.3 are adequately addressed.

When a potential problem is identified, organizations must determine the action needed to eliminate the causes of the potential nonconformity and thereby prevent its occurrence. However, the action taken must be appropriate to the effects of the problem.

In other words, it would be acceptable to not take a preventive action if the anticipated problem is unlikely to happen, would have little impact, and would be easily detected. If a potential problem is low risk, the business decision may be to not attempt to prevent it.

However, if there is a need, the organization must determine and implement the appropriate preventive action. Records must be kept of the results. The action taken must be reviewed to assess its effectiveness in preventing the potential problem.

The best time to take preventive actions is early in the product cycle, e.g., performing Failure Mode Effects Analysis and conducting Design Reviews. However, these actions are integral to the process and won’t necessarily be captured on preventive action forms.

As a consultant to two different Software companies, I had an opportunity to interact with two different Certification Bodies. In both the companies, the core process happens to be Software development, specifically Project Planning, Developing codes, code testing, code reviews, and releasing the product. While one of the Certification bodies insisted that the Cl. No. 7.5.2 - Validation of Processes, cannot be excluded, the other body made us to exclude the same.
In my opinion, the exclusion is not applicable for software process, due to the basic process of coding which can be verified only after the total product is released, since the coding is always done in bits and pieces.
Any comments please,
Thanks

Hi,
Welcome to this Blog.
I have pleasure in launching this Blog , to exchange System, professional and product related information with all my Clients and the relevant professional.
It would cover the following topics
• System related issues
• Product/service related issues
• HR related issues
• Soft skills related
• Etc.,
Since i have built-up a good database on the above subjects over a period of time, i would like to share the same with like-minded professional to educate, enrich and get enriched

Here is a place, where you can pose questions/queries, and I shall be happy to provide you answers
Be generous in asking Questions- let it be useful to every one in this Circuit
You may also publish views for Open Source information.
Let us join together and make this a success
Pl give your opinions and ideas to make this better and the best
Thanks

Outsourcing Internal Quality Auditing functions

Although organizations consider that the third-party ISO 9001 Annual Surveillance Audits provide independence, integrity and value, their outcome is often simply permission to conduct business as usual. Competitive cost pressures have created a commoditized, streamlined environment where these audits focus narrowly on adherence to specific quality, safety, environmental or financial standards. As a result, these audits too often leave companies with a handful of persistent performance problems and unidentified business risks that can erode shareholder value.


In respect of Internal Quality Audits, the companies find that the findings initiated by their own company’s employees, trained as internal auditors, were minor and did not add any value. Findings were of the document control type, incomplete tags which didn’t move the company towards continuous improvement activities. These findings simply weren’t important to them.


There is an option of making this Internal Auditing more effective, more value-adding and providing a business overview- outsourcing this function.


In the paper and presentation seen at the ASQ Audit Conference in October, 2008, “Effective Internal Audits: Is Outsourcing the Answer?” Denis Devos reveals results of his study which shows that “there is a growing tendency for organizations to rely on the services of professional auditors to perform audits”. In his study, Denis completed a survey of 155 companies. 76% - 86% (nonautomotive companies vs. automotive companies) of the companies surveyed had outsourced the internal audit function, even though there was an “internal” audit team in place.


Today, experienced auditors go beyond the conformity by identifying levels of compliance with – and the effectiveness of – a company’s own established best practices, management processes and business excellence framework. The detailed, customized analysis generated, gives business leaders a genuine insight into how effectively their current business management systems are performing and how they can use them to create even more value for customers and shareholders. Importantly, they also provide a road map for the continual improvement that many standards require and that is necessary to build and maintain competitive advantage.


Can this be an effective tool for measurement of performance excellence


Inviting professionals to comment on this.