Before we address that issue, procedures should not be cumbersome. Procedures should be easy to maintain, be useful as training documents, for auditing and for occasional reference. They are also the definitive document that defines the process. There is nothing in ISO that says they can’t, so if yours are not then the problem is not ISO.

That said there is generally some truth in the concern over the value of procedures. Regulated industries usually learn quickly that procedures are essential. Without them (including ensuring they are accurate) the regulatory authorities have concerns about how effective the organization is. When they are found inaccurate the authorities rightly question whether the organization has effective control.

The truth is that procedures are a poor form of control to make a process operate the way you want it to. They do a good job of defining it (so long as they are written well) but if you want something to happen you need to implement controls into the process. Controls come in many types and forms and some are more effective than others. Think of controls as those things along the way that keep things consistent and ensure we end up where we want to. When things don’t go right we need to put in place more controls. Often when things go wrong its because of the humans involved and the subsequent human error – whether it is “forgot”, a mistake, or even “too lazy.” While there are arguments that we have poorly trained or motivated humans in the process (and they may be valid root causes), the truth is that it is the humans who often cause the variation in our organizations management processes. From this it is possible to see that training is a control that we apply to a process but that it is not always as reliable as we would like. We could strengthen that control by defining repeated, regular (say annual) training so that it is hard to forget. Of course training is a process too and so there needs to be a mechanism – a control, that ensures the process is effective.

Common forms of control are forms (to ensure information is captured consistently ….and that forces behavior by requesting data), checklists (which are a form of procedure in their own right), templates, software, etc. It is possible to perceive how tooling is a form of control and even signs posted in an organization.
The better controls are the ones that cause behavior to be consistent and so it often captures data too – such as forms, checklists and many types of software. Signs may change behavior – they may not. But if you have to capture information on a form, then consistent behavior should ensue (of course it doesn’t always).
It is things like this that cause people to operate processes effectively. When you determine there are problems (perhaps a tangible nonconformance from an audit) you could/should look for solutions that include effective controls. Without them you may just be hoping that the problem doesn’t re-occur.

There is obviously more to it than this but the solution is a balance between all of the options. Well written, meaningful and optimal procedures, detailed work instructions, photo samples, product examples, forms, templates, software, etc. The exact balance – that’s up to you.

Cavendish Scott, Inc. helps organizations review their processes and where appropriate challenges the controls that exist. We document procedures that meet ISO requirements without changing what you do if the controls demonstrate conformance and suggest sensible alternatives where changes need to be made. Click here to ask for help.

Free e-Book: How to Avoid Famous Mistakes With ISO 9001

Want to avoid some of the most common auditing mistakes for ISO 9001? Get our free e-book on common ISO mistakes and how to avoid them.

Download Now

There is a lot of confusion over lead auditor training.

The main reason you should consider a lead auditor class is that it’s the best ISO training that you can easily get. There simply isn’t any other type of ISO training that is publicly available that provides such in-depth coverage of the ISO subject matter.  You won’t be an expert at the end of it but your level of understanding will soar.  Accredited courses cover the standard in some detail (interpretation, application, auditing), discuss how to audit (and be audited — including planning, documentation review, scheduling auditing technique, writing and arguing findings and report writing) and how to address findings — corrective and preventive action.  During most courses there is discussion about consulting, good and bad auditing techniques and how to get through an audit (without actually cheating).  The exposure to the content, the opportunity to discuss your specific issues with experts, and to interact with like-minded attendees with different experiences, ideas and situations will make your ISO project go much more smoothly, will give you ideas to improve your existing ISO system and, of course, it will show you what needs to be done for a decent audit.  Yes you can cut corners but don’t expect the results if you don’t commit to the right level of training.

However, there is actually no requirement in ISO for anyone to go through lead auditor training.  An organization is merely required to conduct audits by competent auditors (and lead auditor training is a good way of getting there).  There is no requirement for any type of qualification in ISO.  Many organizations impose this “lead auditor” requirement by defining the training requirements for their auditors (they must pass a lead auditor class) and then giving this title to the main auditor (or auditors) in the organization.  If you take the course and pass you do have a certificate.  And its about lead auditing.  So surely you can call yourself a certified lead auditor?  Seems reasonable.  No argument here.

One major advantage of accredited lead auditor classes is that they are accredited.  This doesn’t mean that there aren’t bad courses out there.  We have all suffered death by powerpoint and lead auditor courses are notorious for it.  300+ slides and a huge role-playing case study throughout.  But accreditation means that essential curriculum is covered, and that controls are in place for its quality.  This is not true of unaccredited training classes where there is simply NO oversight.

Yes it is possible to design a better class without the restrictions of accreditation.  A better class would be customized to your company, use your documentation in exercises and perform an audit on your location.  But if you are one person looking for a public class, then accredited is the way to go.  What’s more is that organizations who provide accredited training are required to have management systems in place.  When they provide customized and unaccredited training (because it is possible to — after all, we provide customized unaccredited training) then that training is provided by an organization that understands how to deliver training effectively and has demonstrated that through accreditation.  Without accreditation you have nothing to fall back on if it’s not as you would expect.

When considering customized in-house training, training provided by an accredited training organization does have some assurances that non-accredited organizations don’t provide.  Ask how many slides the training course has.  Avoid the Powerpoint boredom.

Cavendish Scott is an IRCA accredited training organization and offers a public ISO 9001 Lead Auditor training class.  We have about 25 powerpoint slides — the rest is exercises, quizzes, role-play and a live audit.  This class is ideal for ISO project managers, ISO coordinators and people running an ISO system, people at the management level, and of course, ISO auditors.  We customize this course when we provide it on-site so that it is relevant and meaningful to the organizations management system.  We have presentations from in-house management, use the organization’s documentation in exercises, and we perform a witnessed audit on the organizations processes.  We can present versions with ISO 9001, ISO 13485, AS9100, ISO 14001, ISO 27001 and can customize combinations of different standards.

Click here for more information about Cavendish Scott training.

Want to avoid some of the most common auditing mistakes for ISO 9001? Get our free e-book on common ISO mistakes and how to avoid them.

Download Now

We enjoyed working with you and want to thank you for your professional and congenial nature as you conducted our audit. All the employees had very positive things to say and enjoyed visiting with you both about what they do. We appreciate your knowledge and expertise of ISO and look forward to implementing your suggestions in order to improve and streamline our quality system. Since we did not know what to expect from an ISO audit, we were very pleased with the audit method and look forward to working with working with you both in the future. Thank you!

— JM, Management, Oil Industry Machine Shop, Colorado

The long awaited audit is next Monday-Thursday. I have finally gotten all the new procedures and manual read and touched up (nothing substantive so no worries!). When you were here they were reading like Mandarin and today I find they are crisp, clear and on point. You did a good job. Our Document Controller came around on not having an index and a number in the titles (I knew she would) so we are back to where you started on that. We had an all-hands training session earlier in the week with staff showing people how to get to all the quality documents, identify which procedures were important to each function, etc. One person was ready to fight to the death on having an index and a number in the titles and our Document Controller turned a brilliant shade of red — perhaps a new color in the spectrum. I have seen more people scurrying around trying to clean up their quality act in the last week than I’ve seen in the two years I have been here. That tells me that our decision to change course with you was the correct one. I had an epiphany in the middle of the last day when you and I were arguing about a CA on not having a training matrix. You said that we needed to change our culture and quit thinking about CA’s as bad things. I later found last year’s management report wherein our previous QA Manager established one of our measurement objectives as not having any CA’s. How funny is that!  Now we know why we have been so terrified of them. Anyway, in our meeting we also discussed not being afraid of the QMS. That we all needed to learn to work through the system instead of around it. I think I have identified 10 or 15 improvements we can make since you finished organizing our system and I am confident everyone else will come around. (I am struggling with when to call something a corrective action versus a preventive action.

Thanks again,

 — Director, Nuclear Services and Products Organization

Free e-Book: Upgrading to ISO 13485 From ISO 9001

Want to know why you should upgrade your ISO? Get our free e-book on making the transition from ISO 9001 to ISO 13485.

Kerri Williams of Platinum Registration was recently asked to make a presentation about upgrading an existing ISO 9001 management System to ISO 13485.

She kindly allows us to display her presentation.  With her agreement we have modified the content to remove background and benefit information about Platinum Registration. The presentation covers many of the differences between ISO 13485 and ISO 9001  but read below for more information about some of the issues which have to be considered.  You can see the presentation here: Upgrading to ISO 13485.

Organizations who are already registered to ISO 9001 are often interested in migrating to industry specific versions of the standard.  These include TS16949 (for the Automotive Industry), AS9100 (for the Aerospace Industry) and ISO 13485 (for the Medical Device Manufacturing Industry).  In some instances, customers are insisting on conformance and in others, organizations want the marketing advantage to break into or extend their involvement in the industry.

These versions enhance the requirements of ISO 9001 by adding additional requirements that must be built into the management system and implemented – with evidence, to demonstrate conformance to an auditor.

This presentation looks at the differences that exist between ISO 9001 and ISO 13485 but the principle is the same with the other standards.

With ISO 13485 the scope of the management system is very important.  ISO 13485 is used by the medical device regulatory agencies in Europe, Canada, Australia and Japan (among others) and has been accepted by a global harmonization task force which is supported by the US.  At this time, the FDA does not use ISO 13485 and thus steps must be taken to address their requirements (CFR 21 Pt 820) if it is also applicable.  For many higher risk devices, agencies require that this standard is implemented before they will allow the marketing of the medical device.

But these rules typically only apply to the device manufacturer.  Many contractors seeking ISO 13485 do not manufacture the actual device.  And even if they did manufacture a complete device, they would only have a secondary responsibility for meeting the regulatory requirements (including ISO 13485) unless it was their name on the label as the owner of the device.  More frequently a contractor is producing parts for the medical device company who might finally assemble and sell the device.  It is they who are subject to the regulatory requirements and they want an easy life justifying how some of their parts are made to their regulators.  Thus they are keen on the contractor registering to ISO 13485.

ISO 13485 contains a number of requirements that are applicable only to the device manufacturer.  For instance, the collection of post-market intelligence.  Being registered to ISO 13485 implies that you have the ability to collect post market intelligence about the medical device.  However, a contractor might not even know what device their part is used in.  In some situations the contractor cannot exclude these requirements (like for instance they might be able to exclude the requirement for the control of sterilization) and must be able to demonstrate an ability to do something that they will never have any use to do.

The contractor needs to think carefully about what they want their management system to cover (i.e. the scope) and make this clear to the chosen registrar and their auditor so that no surprises occur.  These things are not always spelled out in the standards and highlight the reason why experienced help is essential in order to achieve success.

Other differences and additions to the standard are much clearer and simply require updating or new documented procedures and the implementation of simple processes or training.  So long as the interpretation is understood (and it is not always clear) then this is a straight forward process that just takes time and resources.

All management systems require internal auditing.  Done well internal audits bring benefits by protecting against issues before they are found by the registrar, highlighting opportunities (and waste) and giving confidence in the effectiveness of the management system.  When upgrading to a new standard an internal audit needs to be conducted.  This will ensure you haven’t missed anything and show conformance to the new standard has been achieved.  Technically it is possible to audit only the changes but if this not done well, a registrar should reject the audit as ineffective.  Bearing in mind that an internal audit would be necessary anyway, a slightly enhanced audit for the new standard is just a little more effort than normal.

Cavendish Scott, Inc. has been consulting, training and auditing on the implementation of ISO 9001 and industry specific standards for 25 years.  Upgrading an existing ISO system to meet an additional standard is something we are frequently asked to assist with.  Typically we review documentation, make adjustments to existing documents and write new procedures, support with the training, understanding and implementation of new processes and changes.  We then conduct internal audits (which usually have to be completed anyway) at a slightly enhanced level to prove conformance with the additional standard – and guarantee successful registration.  For more information tell us a little about what you want to achieve by clicking here.

Click here for the presentation:
http://www.cavendishscott.com/articles-info/articles/wp-content/uploads/2010/06/ISO-13485-v-ISO-9001-060310.pdf

Free e-Book: Upgrading to ISO 13485 From ISO 9001

Want to know why you should upgrade your ISO? Get our free e-book on making the transition from ISO 9001 to ISO 13485.