ISO 9000-3 Digest Wednesday, 19 February 1997 Volume 01 : Number 038
In this issue:
Re: Audits of QA department
Re: Audits of QA department
FYI: UC Santa Cruz ISO 9000 Series - A Practical Approach (fwd)
Re: Audits of QA department
Re[2]: Audits of QA department
QSAR/IAF Survey
----------------------------------------------------------------------
From: quality@sedona.net (Lew Levenson)
Date: Mon, 10 Feb 1997 09:18:49 -0700 (MST)
Subject: Re: Audits of QA department
dbarnes@cix.compulink.co.uk (Dave Barnes) said in response to my comment:
>From: dbarnes@cix.compulink.co.uk (Dave Barnes)
>quality@sedona.net (Lew Levenson) said in response to my comment:
>
>> Dave is correct that nothing in ISO9001 or in ISO9000-3 mandates that
>> the QA dept must be audited.
>>
>> All either or both say regarding internal audits is "supplier shall
>> carry out a comprehensive system of ... internal quality [system] audits
>> to verify whether quality activities comply ...".
>
>My main point was that auditing the QA department is akin to checking the
>checkers - and this can be carried to absurdity. It's a bit like saying
>that you need to write test scripts to test the test scripts for your
>deliverable software. Perhaps it's a good idea in some circumstances but
>it's unlikely to be cost-effective under all circumstances.
Checking the checkers is inherent in any system. Tools are calibrated to
standards and confirmed to them. The human element is no different.
Absurdity, however, is absurd in any circumstance. Humans must make the
judgment that enough is enough, when it is clear the next level of detail is
too much, and has no added value. One must be careful with regards to in
whose eye the value is added. If it is not perceptible to the auditee, it
may not be needed. It is after all, the auditee that must perceive the
added value. We all know of situations where an auditee did not want to
hear what needed to be said, no matter how objectively derived or presented.
>
>The other problem is that in order to audit _any activity_ one needs to
>have a knowledge of the activity being carried out as well as having some
>training & experience of auditing itself. Even large companies baulk at
>the cost of training people to be auditors when this is not their primary
>role.
>
This begins to tread on losing the distinction between auditing a quality
management system or determining product quality. The more one *knows*
about the activity being carried out, the more temptation to get into how
well it is being done, rather than whether it is being done or not.
The auditee's internal systems are the judge of how well. Some auditees do
not consider their metrics to be useful, and therefore have a lot of
opportunity for improvement. But that can only be an observation on the
part of an auditor, hardly a nonconformance.
>>
>> When a quality department is not defined to be a quality activity, of
>> course no internal audit is required.
>>
>> Personally, I think such a definition would be hard to uphold.
>>
>
>I consider that Quality activities are those which are in the value chain
>(see Michael Porter) because these activities bear directly upon the
>ability of the product to satisfy its requirements. A QA group is not (or
>shouldn't be) in the value chain - it should be supporting the value chain
>activities. As such, it is important but not _directly_.
This is one of many definitions of Quality. ISO is clear it is the quality
management system that is to be audited. Without disputing the Michael
Porter definition of quality, it would seem that quality assurance
department is an element of any quality management system, and as such,
should be the recipient of objective audits as well.
>
>My other point was that the QA function is checked by the Management
>Review (4.1.3). The internal auditing function is considered so important
>that it has its own clause in the standard so the external auditor checks
>it. So where's the benefit?
>
Depending on the external audit to audit the internal audit system obviously
excludes something from the internal audit system. On the other hand if
*internal audits* equate to the *quality assurance department* which equates
to *quality management system* it would seem that this is an effort to deny
that some activities that bear directly upon the ability of the product to
satisfy its requirements may be several links upstream in the value chain.
>The real issue here is whether or not one should allow an external auditor
>to increase your costs without good reason (ie the benefit provided is
>worth the cost incurred). If the answer isn't a _definite_ yes then I
>believe that the auditor should be told "No - I'm not doing this because
>....".
>
External auditors don't increase the costs, with or without good reason.
Auditees who react to inferences without thinking it through do. I agree
with the generality about a definite yes, but I know we may not know there
is a definite yes involved until the issue has been explored enough to
produce that conclusion.
>We auditors are not infallible gods - and no matter how good we are, we
>still don't know a business as well as the people who are working in it.
Of course not. But our role is to examine the effectiveness of the business
systems as defined by the people who run it, and determine whether the
elements of those systems taken together, meet the ISO standard.
>Only if there is objective, incontrovertible evidence should we raise a
>non-compliance report.
Obviously. Auditors who do otherwise have lost the picture of what
objectivity is about.
>
>Dave
>
>dbarnes@cix.compulink.co.uk
>
>"My views, not my employers - and I reserve the right to change
> my mind with little or no notice - just more experience."
>
>To remove yourself from this list, address a message to:
MAJORDOMO@QUALITY.ORG with only the words "unsubscribe iso9000-3" (without
the quotes) in the BODY of your message.
>
Regards to all,
Lew
quality@sedona.net
------------------------------
From: dbarnes@cix.compulink.co.uk (Dave Barnes)
Date: Mon, 10 Feb 97 21:25 GMT0
Subject: Re: Audits of QA department
In-Reply-To: <199702101618.JAA01628@merlin.sedona.net>
Lew Levenson replied (to my response to his response ...) and several bits
snipped:
LL>
LL> Checking the checkers is inherent in any system. Tools are calibrated
LL> to standards and confirmed to them. The human element is no
LL> different. Absurdity, however, is absurd in any circumstance.
LL> Humans must make the judgment that enough is enough, when it is
LL> clear the next level of detail is too much, and has no added value.
LL> One must be careful with regards to in whose eye the value is added.
LL> If it is not perceptible to the auditee, it may not be needed.
LL> It is after all, the auditee that must perceive the added value.
LL>
Agreed - especially with the last line.
LL>
LL> We all know of situations where an auditee did not want to
LL> hear what needed to be said, no matter how objectively derived or
LL> presented.
LL>
DB>>
DB>> The other problem is that in order to audit _any activity_ one needs
DB>> to have a knowledge of the activity being carried out as well as
DB>> having some training & experience of auditing itself. Even large
DB>> companies baulk at the cost of training people to be auditors when
DB>> this is not their primary role.
DB>>
LL>
LL> This begins to tread on losing the distinction between auditing a
LL> quality management system or determining product quality. The more
LL> one *knows* about the activity being carried out, the more temptation
LL> to get into how well it is being done, rather than whether it is being
LL> done or not.
LL>
I prefer to say "The more one *knows* about the activity being carried
out, the more pertinent the questions one is able to ask." Although I am a
TickIT auditor I would not accept a request to audit all and any software
development organisation - even though my main experience and background
is in bespoke, real-time, multi-processor, multi-bus, embedded,
safety-critical systems which Putnam suggests is the most difficult of all
software development (since it has the lowest productivity rating).
LL>
LL> The auditee's internal systems are the judge of how well. Some
LL> auditees do not consider their metrics to be useful, and therefore
LL> have a lot of opportunity for improvement. But that can only be an
LL> observation on the part of an auditor, hardly a nonconformance.
LL>
Not sure where metrics came from - but if they aren't being used I will
give a non-compliance against Preventive Action (4.14.3 a). As a minimum,
I would expect use of Pareto.
LL> >> When a quality department is not defined to be a quality activity,
LL> >> of course no internal audit is required.
LL> >>
LL> >> Personally, I think such a definition would be hard to uphold.
LL> >>
DB>>
DB>> I consider that Quality activities are those which are in the value
DB>> chain (see Michael Porter) because these activities bear directly
DB>> upon the ability of the product to satisfy its requirements. A QA
DB>> group is not (or shouldn't be) in the value chain - it should be
DB>> supporting the value chain activities. As such, it is important but
DB>> not _directly_.
DB>>
LL> This is one of many definitions of Quality. ISO is clear it is the
LL> quality management system that is to be audited. Without disputing
LL> the Michael Porter definition of quality, it would seem that quality
LL> assurance department is an element of any quality management system,
LL> and as such, should be the recipient of objective audits as well.
LL>
DB>>
DB>> My other point was that the QA function is checked by the Management
DB>> Review (4.1.3). The internal auditing function is considered so
DB>> important that it has its own clause in the standard so the external
DB>> auditor checks it. So where's the benefit?
DB>>
LL> Depending on the external audit to audit the internal audit system
LL> obviously excludes something from the internal audit system. On the
LL> other hand if *internal audits* equate to the *quality assurance
LL> department* which equates to *quality management system* it would seem
LL> that this is an effort to deny that some activities that bear directly
LL> upon the ability of the product to satisfy its requirements may be
LL> several links upstream in the value chain.
I disagree with the assertion that
.. *quality assurance department* which equates to *quality management
system* ..
The QMS defines how the organisation operates and it belongs to the CEO -
not the QA department. Otherwise you end up with "Quality is the
responsibility of the QA department." syndrome. Just because the Q-word is
in the department title does not make this an activity which has the
"status and importance" to need auditing. The important activities are
identifying what to produce, its design and production.
DB>>
DB>> The real issue here is whether or not one should allow an external
DB>> auditor to increase your costs without good reason (ie the benefit
DB>> provided is worth the cost incurred). If the answer isn't a
DB>> _definite_ yes then I believe that the auditor should be told "No -
DB>> I'm not doing this because ....".
DB>>
LL> External auditors don't increase the costs, with or without good
LL> reason. Auditees who react to inferences without thinking it through
LL> do. I agree with the generality about a definite yes, but I know we
LL> may not know there is a definite yes involved until the issue has been
LL> explored enough to produce that conclusion.
LL>
Agreed. And I hadn't thought of it in these terms before - but it does
take a very brave auditee to say "No." to the external auditor -
especially if their bonus is riding on getting the certificate on the
wall.
---more bits snipped --
LL> Regards to all,
LL>
LL> Lew
LL>
LL> quality@sedona.net
Dave
dbarnes@cix.compulink.co.uk
My views, not my employers - and I reserve the right to change
my mind with little or no notice - just more experience and knowledge.
------------------------------
From: "Bill Casti, CQA (Moderator)"
Date: Mon, 10 Feb 1997 22:54:17 -0500 (GMT-0500)
Subject: FYI: UC Santa Cruz ISO 9000 Series - A Practical Approach (fwd)
NOTE: Respond *both* to the poster's address (see below the dotted line)
and to the list's posting address, OR as directed in the posting, but
definitely NOT to me.
Thanks.
Bill
---------- Forwarded message ----------
Date: Sun, 9 Feb 1997 21:27:31 -0500 (EST)
From: Bill Deibler
To: Bill Casti
Subject: UC Santa Cruz ISO 9000 Series - A Practical Approach
Bill,
I thought I would pass along the information below on a two course
ISO 9000 series being offered at University of California, Santa Cruz
Extension. Feel free to pass along to the TQM and 9000-3 list folks if
appropriate.
Bill
--------------------------------------------------------------------
Bill Deibler SSQC
http://www.concentric.net/~ssqc 2269 Sunny Vista Drive
Phone/Fax (408) 985-4476 San Jose, CA 95128
The following ISO 9000 courses are being offered by University of California,
Santa Cruz Extension:
Making the Case for ISO 9000--Overcoming the Obstacles to Registration
ROBERT BAMFORD, WILLIAM DEIBLER II
Enrollment limited.
Cupertino, CA
Wednesday, 9 am-5 pm, March 26. UCSC Extension, 10420 Bubb Rd.
EDP 963A13
A full description on the course and registration information is
available on the UCSC Web Page at:
http://www.ucsc.edu/unex/busman/963A13.html
Streamlining ISO 9000 Documentation--
An Efficient Approach to Meeting Requirements
ROBERT BAMFORD, WILLIAM DEIBLER II
Enrollment limited.
Cupertino, CA
Thursday, 9 am-5 pm, March 27. UCSC Extension, 10420 Bubb Rd.
EDP 963A14
A full description on the course and registration information is
available on the UCSC Web Page at:
http://www.ucsc.edu/unex/busman/963A14.html
UCSC Phone Contact information:
Information on Courses: Mary Rimovsky, (408) 342-0232
To register by phone call: 1 (800) 660-UNEX (8639); if calling
outside California, call (408) 427-6600; Monday-Friday, 8am - 7pm PST.
------------------------------
From: quality@sedona.net (Lew Levenson)
Date: Tue, 11 Feb 1997 08:04:47 -0700 (MST)
Subject: Re: Audits of QA department
Dave Barnes replied (to my response to his, etc...) and continuing to snip
where there is no disagreement or discussion warranted:
>DB>>
>DB>> The other problem is that in order to audit _any activity_ one needs
>DB>> to have a knowledge of the activity being carried out as well as
>DB>> having some training & experience of auditing itself. Even large
>DB>> companies baulk at the cost of training people to be auditors when
>DB>> this is not their primary role.
>DB>>
>
>LL>
>LL> This begins to tread on losing the distinction between auditing a
>LL> quality management system or determining product quality. The more
>LL> one *knows* about the activity being carried out, the more temptation
>LL> to get into how well it is being done, rather than whether it is being
>LL> done or not.
>LL>
>
>I prefer to say "The more one *knows* about the activity being carried
>out, the more pertinent the questions one is able to ask." Although I am a
>TickIT auditor I would not accept a request to audit all and any software
>development organisation - even though my main experience and background
>is in bespoke, real-time, multi-processor, multi-bus, embedded,
>safety-critical systems which Putnam suggests is the most difficult of all
>software development (since it has the lowest productivity rating).
Or the converse? The more questions one is able to ask, whether or not
pertinent?
I believe one needs to know enough to understand the language (technical, as
well as cultural) enough to understand whether the response is relevant and
pertinent to the question, and how both relate to the standard. The
standard is implemented by an organization's quality manual and systemic
documents, which frequently go into more detail than required by the
standard. So the auditee may be found not to conform to their details,
rather than the standard.
I believe the more one *knows* the more one is likely to be caught up in
that merry-go-round and lose sight of the system.
>LL> Depending on the external audit to audit the internal audit system
>LL> obviously excludes something from the internal audit system. On the
>LL> other hand if *internal audits* equate to the *quality assurance
>LL> department* which equates to *quality management system* it would seem
>LL> that this is an effort to deny that some activities that bear directly
>LL> upon the ability of the product to satisfy its requirements may be
>LL> several links upstream in the value chain.
>
>I disagree with the assertion that
>
> .. *quality assurance department* which equates to *quality management
> system* ..
>
>The QMS defines how the organisation operates and it belongs to the CEO -
>not the QA department. Otherwise you end up with "Quality is the
>responsibility of the QA department." syndrome. Just because the Q-word is
>in the department title does not make this an activity which has the
>"status and importance" to need auditing. The important activities are
>identifying what to produce, its design and production.
>
I also do not agree with the so-called assertion. It was intended as an
*if* statement, for purposes of discussion.
When an organization does not have the status or importance to need auditing
-- on some frequency, or in response to some trigger -- it would seem to be
irrelevant to the organization's purpose. It is probably legitimate to
provide an observation to that point in the overall management system sense,
as it could not be a nonconformance, per se. In the real world, I guess
there will always need to be some place for a little bit of nepotism,
however, and there is no reason for that to become part of an auditor's
concern. Unless, of course, it is impacting on what is being decided to be
produced, designed, and produced.
>DB>>
>DB>> The real issue here is whether or not one should allow an external
>DB>> auditor to increase your costs without good reason (ie the benefit
>DB>> provided is worth the cost incurred). If the answer isn't a
>DB>> _definite_ yes then I believe that the auditor should be told "No -
>DB>> I'm not doing this because ....".
>DB>>
>
>LL> External auditors don't increase the costs, with or without good
>LL> reason. Auditees who react to inferences without thinking it through
>LL> do. I agree with the generality about a definite yes, but I know we
>LL> may not know there is a definite yes involved until the issue has been
>LL> explored enough to produce that conclusion.
>LL>
>
>Agreed. And I hadn't thought of it in these terms before - but it does
>take a very brave auditee to say "No." to the external auditor -
>especially if their bonus is riding on getting the certificate on the
>wall.
>
Interesting point. An auditee would have to be brave indeed, if their bonus
is riding on the certificate. Should an auditor express a requirement
outside the bounds of the standard, or of what is declared in the auditee's
quality system, that objective situation should be brought to the registrar's
attention for resolution. Withholding the certificate without supportable
objective evidence should not be the kind of blackmail any auditee should
have to knuckle under to.
--------more snips -----
Thanks for the discussion.
Lew
quality@sedona.net
------------------------------
From:
Date: Tue, 11 Feb 1997 15:00 -0500 (EST)
Subject: Re[2]: Audits of QA department
I recall that all nonregistered contractors' (and subcontractors') QA
departments must be thoroughly audited, but I don't have my standard handy;
can someone supply the reference?
From a contract compliance view: all items of a contract
(financial, deliverables, or processes) are subject to verifications.
Auditors (internal/external) have training or specialized support for
manufacturing, chemical, nuclear, etc.
From a practical view, if a sub is not registered or does not have a
strong track record in the contracted performance domain, I would review
all QA and CM procs and sample the records.
-- Mike Berens, CSQE, CQA, CISA
------------------------------
From: "Dale Misczynski-CINF45"
Date: Wed, 19 Feb 1997 5:56:52 -0600
Subject: QSAR/IAF Survey
QSAR/IAF Business Survey
The International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC) wish to enhance the
global recognition of accredited Quality Systems certificates. ISO and IEC
have jointly formed an organization named Quality Systems Assessment
Recognition (QSAR) to help achieve this objective.
The International Accreditation Forum (IAF), a consortium of national
accreditation bodies, is also working toward the same objective.
Currently, twenty-eight national accreditation bodies are members of IAF.
In 1993, IAF began working towards an effective Multi-Lateral Agreement
(IAF/MLA) to improve the global recognition of accredited Quality System
certifications.
Recognizing the similarity of their aims, IAF and QSAR determined to work
together via a Joint Task Group to find the best way forward.
The Joint Task Group seeks your insight and experiences to determine the
direction for IAF and QSAR. Our aim is to facilitate global trade, where
recognition of Quality (ISO 9000) and Environmental (ISO 14001) Management
Systems certificates are important aspects to trade. The Joint Task Group
appreciates your time in responding to the following set of questions.
============================================================
Section A
1. Is your company registered to ISO 9000?
2. What is the name of your registrar?
3. Which accreditation body(ies) are indicated on your certificate?
If you have an ISO 9000 certificate accredited by a national accreditation
body, please continue to Section B. Otherwise, you need not continue.
============================================================
Section B
The Joint Task Group wish to determine the frequency and magnitude of
problems relating to non-recognition of certificates. Basically,
nonrecognition involves a situation where a company, Company A, is trying
to sell its products to Company B. Company B may be located in a different
country than Company A. Company A has an accredited ISO 9001 certificate.
As a condition of purchase, Company B requests a copy of the ISO 9001
certificate from Company A. Company A sends Company B a copy of its
accredited certificate. Company B says that it is not satisfactory, and
requests a certificate issued by a different registration body or under a
different accreditation body.
1. How often do your customers request a copy of your accredited ISO 900x
certificate, as a condition of purchase? (Never, Infrequent, Often,
Always)
2. In those occasions, do your customers accept your accredited
certificate? (Never, Infrequent, Often, Always)
3. Has your company encountered any difficulties in international trade
because your customers, or potential customers, refused to recognize your
accredited quality system certificate? (Never, Infrequent, Often, Always)
If your answer is never, then you need not continue with the questions.
4. Did government regulations influence your customers' decision? (Yes, No
effect, Don't know)
5. Did the problem occur within the past 12 months?
6. In those occasions, which quality system registrar(s) or accreditation
body(ies) will your customer accept?
7. Was it resolved? How?
=============================================================
Section C
QSAR and IAF are considering two methods to solve the problem of
non-recognition of quality system certification. These methods are:
Method 1: IAF is developing a global Multi-Lateral Agreement (IAF/MLA)
among national accreditation bodies. The IAF/MLA will ensure that
participating members follow identical practices to the same high standards
for accrediting quality system registrars. For industry, a company will be
able to regard and claim that its accredited quality system certificates
are equivalent to another accredited certificate, if both accreditation
bodies are operating under the IAF/MLA agreement. It should also be
possible to arrange interchangeability of certificates between IAF/MLA
partners with minimal cost and time.
Method 2: QSAR would develop an international mark or logo. Accreditation
bodies, which are members of the IAF/MLA would allow their accredited
registrars to issue Quality system certificates with this mark or logo and
provide education and public awareness that such a mark or logo indicates
that the certificate was issued by a certification body which has been
accredited by an accreditation body that is a member of the IAF/MLA group
under the auspices of ISO/IEC QSAR.
QSAR and IAF realize that each of the two methods requires significant
initial and continued time and resources, where industry will ultimately
bear the costs. The Joint Task Group is seeking your opinion of these
two methods, to ensure our work is adequately addressing industry's
problem of non-recognition. Please take another few minutes to answer the
following:
A. For method 1, would a readily interchangeable accredited certificate
arrangement satisfactorily address your problem with customers that require
a certificate from a specific registrar or specific accreditation?
If no, why not?
B. For method 2, would your customers likely recognize an ISO/IEC QSAR mark
or symbol, and would it satisfactorily address your problem?
If no, why not?
C. Assuming full implementation of method 1 will increase your
certification cost a minimal amount, less than 5%, would the benefit to you
and your customers outweigh the costs to achieve and maintain an
international IAF/MLA?
D. Assuming implementation of method 2 will increase your certification
cost a minimal amount, less than 5%, would the benefit to you and your
customers outweigh the costs to educate and maintain the integrity of a new
ISO/IEC QSAR mark/logo?
E. Should QSAR and IAF pursue implementing both an IAF/MLA and an ISO/IEC
QSAR mark/logo, or would one or the other be sufficient?
F. Should IAF pursue implementing both an IAF/MLA and an IAF mark/logo?
Please return your responses to either of the addresses listed below.
The members of the Joint Task Group appreciate the time that you took to
respond to this inquiry.
Dale J. Misczynski
Co-chair of the Joint Task Group
Member of the ISO/IEC QSAR Board
Email: cinf45@email.mot.com
Telephone: +1-847-576-6481
Facsimile: +1-847-538-2663
Postal Address:
Dale J. Misczynski
Corporate Vice President, Director of Quality And Standards
Motorola Inc.
1303 East Algonquin Road T-4
Schaumburg, IL 60196
------------------------------
End of ISO 9000-3 Digest V1 #38
*******************************