Auditing ISO 9001:2000 For Control and Improvement
Use PDCA for control and ACDP for improvement
by J.P. Russell
ISO 9001:2000 4.1c says, "The organization shall determine criteria and methods needed to ensure that both the operation and control of these processes are effective."
The word "control" is used in the titles of ISO 9001 clauses such as "control of nonconforming product" and in phrases such as "to carry out processes under controlled conditions."
Other standards contracts, procedures and documents also frequently use the word "control." It is one of those familiar terms that everyone seems to understand. Each person's understanding may be a little different, however.
There is no definition of the word "control" in the international vocabulary standard (ISO 9000:2000) either because the dictionary definition is believed to be sufficient or the meaning of the word is so obvious that it would be silly to try to define it.
Yet understanding of control is central to successful implementation of almost all standards. In fact, a standard may be thought of as a collection of controls management must implement for systems such as safety, quality, environment and accounting.
As a manager, I would want to know there is control over the important systems and processes of the organization. As an auditor, I want to be able to verify sufficient controls exist and report any shortcomings. Both managers and auditors should agree on the criteria for control.
Some have equated having a procedure with control: no procedure = no control. Unfortunately, it is not that simple. Having a procedure does not mean there is management control over a process.
I recall interviewing a truck driver for a transportation company. I asked him about the inspection process for his very expensive cargo. He responded, "Do you want to know what is in the procedure or what we actually do?" So establishing a method is certainly an important process control tool but does not guarantee there is management control of the process.
Some standard clauses requiring control include a highly prescriptive list of activities to be addressed. The control of documents clause in ISO 9001 is a good example of such a prescriptive list of activities.
There are two problems with relying on the standard to list everything needed for management control:
- It assumes the standard writers could anticipate every situation.
- It assumes every clause contains a detailed list of prescriptive requirements.
I don't think standard writers would claim they know everything, and sometimes the requirements are open-ended, without any specific prescriptive requirements. For example, a standard might require control of the environment or the conformity of the product without providing a prescriptive list detailing how to achieve control.
Another place to look for control criteria is ISO 9001:2000, clause 7.5.1: Control of production and service provision. This is a generic list of things to consider for control of processes and should be applied as applicable. It is a good list and should be a reference, but it is a list, not a concept. The list may not be sufficient for all situations and does not address improvement criteria.
A simple, yet powerful, method for testing the existence of controls is to use Walter Shewhart's plan-do-check-act (PDCA) cycle. The PDCA cycle can be used as a process technique to test for control (see Table 1).
Process technique to test control
For management to control a process or activity, it must establish a predetermined method. Without it, there is no basis to adjust or improve the process.
The predetermined method can be in any form and should reflect the level of process risk. Ways a predetermined method can manifest itself include a procedure, flowchart, outline or series of pictures.
In one of my first plant management jobs, operators used their knowledge and skills to operate the process. When we had problems and I attempted to improve the process, I found out each operator's skills and knowledge were different. I could not improve the operation because the operating method was a moving target.
So the first thing that had to be done was to establish a consistent method for operating. This is the plan part of the PDCA cycle.
Now just having a plan does not mean people follow it. There must be some type of assurance through auditing, monitoring, retrievable records or other means that people follow the plan. This is the do part of the test cycle.
Just following a plan is not enough to establish management control because every process has at least two outcomes (good and bad, acceptable and unacceptable). Therefore, management must next determine the criteria or objectives for success or acceptance. The process must be measured and monitored against these criteria. As long as the process outputs match the predetermined acceptance criteria, the process does not need adjustment. This is the check part of the test cycle.
When the results do not match the acceptance criteria (output targets, goals), action must be taken. This is the act part of the test cycle. The action may be sorting good and bad product or making adjustments to the process to bring it back in line.
Management control exists when the process or activity is planned, implemented, measured and acted upon. Based on this article's discussion so far, a possible definition for management control would be the following:
Management control: when predetermined plans are followed, monitored against acceptance criteria and adjusted as needed to achieve objectives.
However, ISO 9001:2000 requires more than just effective control. There must be continual improvement, too.
A system or process must be changed to improve it. Improvement is not a matter of working harder or being more careful. If there is no change in some aspect of a system or process, the outcomes will always be the same.
To test for improvement, we can use PDCA again, only backwards, as the ACDP (analyze-change-do-prosper) improvement cycle (see Table 2).
Many of us are familiar with what often happens to all the records and data collected--they are put into storage never to see the light of day again. For improvement to take place, the data must be analyzed for trends and identification of weaknesses. This is the analyze step of the ACDP improvement cycle. By comparing results to goals and objectives, we must analyze process data to identify risks, inefficiencies, opportunities for improvement and negative trends.
A change could be a change in procedures, but also in other elements of the process, such as the acceptance criteria or method of monitoring. Changes in equipment or technology may also be necessary for continual improvement. The merits of any change should be evaluated. This is the change part of the improvement cycle.
The do step of the cycle is the implementation of the change. Auditors can verify changes actually took place by reviewing documents and interviewing area personnel.
Continual improvement should enable the organization to prosper in some manner. Improvement may be quantified as increased profitability, lower costs, lower exposure of the organization to risks, gain in market share or some other measure of improved effectiveness and efficiency. Sometimes organizations group changes and assess the effectiveness of several changes to the process. This assessment represents the prosper step of the improvement cycle.
Auditing for control and improvement
When standards require control and improvement, both management and auditors need to know the components that must exist. It is management's job to establish and implement controls and ensure there is continual improvement.
It is the auditor's job to gather audit evidence to verify conformance to requirements. In the absence of specific guidance in performance standards (required procedures, records or schedules), it is essential that management be able to demonstrate conformance to requirements.
Thus, the PDCA and ACDP cycles are process tools that can be used as guides to test for control and continual improvement. The PDCA cycle establishes control of a process. Control is required by standards and is a good business practice.
The ACDP cycle should be used to test for improvement. ISO 9001:2000 requires continual improvement. Improvement can only come from change.
J.P. RUSSELL is president of JP Russell & Associates, sponsor of Web based training programs for auditing, standards and quality tools at www.QualityWBT.com. Russell is a Fellow of ASQ, secretary of the American National Standards Institute/ASC Z1 committee and a member of the U.S. technical advisory group for ISO/Technical Committee 176 and secretary of Technical Group 9001/4. Russell is an ASQ certified quality auditor. He is author or editor of several Quality Press books, most recently The ISO Lesson Guide 2000 and After the Quality Audit. Please post your comments on this article on the Quality Progress Discussion Board on www.asqnet.org, or e-mail them to firstname.lastname@example.org.