There is a lot of debate about the use of flowcharts and the degree of documentation necessary for an ISO project.

Common misconceptions are that ISO requires only a minimum amount of documentation and thus you should try to have as little documentation as possible, and that flowcharts provide an adequate way of describing a process and thus meet ISO requirements. These myths have been propagated by poor auditors who allow inadequate procedures, however documented, but typically flowcharts. Also there has been an upsurge in Lean and Six Sigma training which frequently tends to denigrate the benefits of ISO (and in some cases is justified but not in principle and not generally) and substantially supports the use of flowcharts to define and describe processes.

Flowcharts have their place. Their goal in Lean and Six Sigma project is to provide enough information to allow an understanding of the process to perhaps look for waste or opportunity. Sometimes these flowcharts have considerable detail including timing information, production rates and other information. These flowcharts are great for that purpose.

ISO requires that processes are defined and that those processes meet certain requirements. A flowchart tends to be general in nature and so to be able to prove that the ISO requirements have been met, additional information has to be added to a general flowchart of the process in question. Sometimes this means adding extra boxes to describe the detail of the requirement. Then all of a sudden, a nice general flowchart with boxes of similar detail, have a couple of boxes that are out of context because they are provide substantial detail. For instance, three boxes might be “plan the activity”, “issue instructions” and “review results”. The ISO box might require “record details and person authorizing the release of the job”.

By the time you have added extra boxes for all of the ISO requirements the flow is broken.

Another approach is to add notes to side of the flow chart and associate them with the box. So now the note about “record details….” would be a note at the side related to the “review” box. This works and the flowchart can remain general or at least consistent in level of detail. Truth is that this is also potentially confusing. The box and notes are not often next to each other and thus referencing and cross referencing makes it different for the understanding to flow with the simplicity of the flowchart. Moreover, if the notes are going to be in sufficient detail to actually describe what the activity is (in order to meet the ISO requirement) then it might as well have been written in full as a procedure anyway.

Flowcharts provide a few key benefits. The provide a simple overview of processes. But they need to be consistent in level of detail, decision boxes cant be contrived (just to make the flowchart worthwhile) and they should ideally fit on one page – or you lose that special benefit of being able to see the whole process.

Obviously all of these issues must be taken with a “pinch of salt” but the bottom line is that if you are trying to create a comprehensive management system, documented procedures are the best way to do it.

Cavendish Scott has been consulting, auditing and training in ISO management system processes and systems since 1985 and has limitless experience of documenting systems, processes and activities. We can also provide training on documenting and implementing ISO management systems.

Unfortunately there are many consultants out there who don’t understand this either and they are providing the misdirection.

ISO 27001 is a management system standard. Its goal is to enhance information security but the way it does it is to build a management system that ensures success. It is NOT about information security controls and protecting information. Well, obviously it is about these things but only in outcome terms – not in terms of process.

Too many organizations pass the ISO 27001 project to the information security or IT organizations. Or a consultant is sought with expertise in information security. Typically these sources will focus on technical and security aspects of information security and spend a lot of time and money reviewing your security status, conducting tests and designing solutions. While this is definitely part of the program it is NOT what ISO 27001 is about and it wont get you registered. Further, this is the most expensive part of information security and takes the most time. Delays and cost are a turn off to top management.

The whole philosophy behind ISO 27001 is that you establish processes within your organization so that you understand your information security situation, what that means in risk terms, that your communicate it clearly to those ultimately responsible and take only the actions that you want to. That is it. It is not about physical security, network scanners or patching processes. If any of these are good ideas in your organization the management system will identify them, quantify what that means and allow those responsible to work out the risk return decision.

Addressing the controls can often take years and you don’t need to have done that to get ISO 27001 registered. If you start from the management system direction you can be ISO registered in a few months and have ever improving information security from then on.

The background of the consultant who can do this best is those with more ISO experience than security experience. If your consultant is pressing for too much security then you probably have a long wait and a lot more effort to go before you get ISO registered.

Cavendish Scott has been consulting, auditing and training in ISO management system standards since 1985. Our expertise is in processes and management systems and in the careful and precise interpretation of standards and regulatory requirements into organizational processes and management systems. We guarantee successful ISO registration when we take on projects.

The principle goes further. Europe recognizes that certain standards, which if adopted and met, will address other
requirements. Many of these standards are detailed technical standards and address a “few” requirements within the legislation. A complete technical standard might cover testing and validation of toxicity and address a single line in the legislation that says “ensure the product is not toxic”. As time goes on more and more technical standards are recognized as meeting requirements and more and more become harmonized.

Although there is not a downside, in some instances the harmonized standards may be overkill.

For instance, IEC 62304 -  medical device software – software life cycle processes, is a standard for how software should be developed for medical devices. If your device is simple and perhaps you are the only developer then a formal lifecycle process is not necessarily appropriate, although the principles are still valid.

It is important to note that technically harmonized standards are not mandatory. If you have a simple way to prove that your product is “not toxic” or that “software is developed under controlled conditions” then you don’t need to address a full standard.

It is also worth noting that notified bodies are keen to encourage the use of harmonized standards and it is likely that all relevant standards will be identified for your device and you will be quizzed about their applicability. Adherence to standards shows a comprehensiveness of approach and the notified body doesn’t need to challenge themselves and think about adequacy – because the standard is defined as adequate. Given this it is important that you look for harmonized standards, review them and are at least able to comment of their applicability.

Finally its worth noting that the concept of harmonized standards is actually adopted more widely including in Canada and the US.

Here is a link to the harmonized standards recognized by the EU: (Oct 2011)

http://ec.europa.eu/enterprise/policies/european-standards/documents/harmonised-standards-legislation/list-references/medical-devices/index_en.htm

Here is the link for Health Canada (it’s easiest to then click on the link for “List of Recognized Standards” and then click on the pdf view): (Oct 2011)

http://www.hc-sc.gc.ca/dhp-mps/md-im/standards-normes/index-eng.php

And here is the US FDA’s link: (Oct 2011)

http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/Standards/default.htm

They expect you will extract from their list all that are applicable to your device.

Cavendish Scott helps organizations implement ISO 13485 management systems and assists with the preparation of device technical files including formats to address legislative requirements including through harmonized standards.

Free e-Book: Upgrading to ISO 13485 From ISO 9001

Want to know why you should upgrade your ISO? Get our free e-book on making the transition from ISO 9001 to ISO 13485.

Firstly there are the auditing classes: internal auditor and lead auditor.  Then there are implementation classes and awareness classes.

The awareness classes tend to be introductory and very general in nature.  Someone would understand what ISO is but wouldn’t be able to audit or manage an ISO project, for instance.  It might be useful for management or generally for all personnel.

Implementation classes do exist but they are rare.  Many people who embark on ISO have consultants or do it themselves from previous experience.  Thus these courses run only infrequently.  Although trainers publicize them, they don’t always run.  It is also important to remember that this is a substantial and complex subject and frankly a few days’ training is not really adequate to cover it well.  It might be a good introduction but it is unlikely to be all that is needed.

Auditing courses are more common.  This is because all ISO organizations need to do auditing and so there is quite a need to train auditors.

Lead auditing is a professional audit course that is “needed” by all certification body auditors.  It is popular with ISO project managers and implementation teams because it gives them an understanding of ISO from the point of view of their auditor.  Theoretically it trains them to understand the standard just as well.  The course is 5 days, detailed and intensive.  There is lots of content and it provides the best possible situation for providing in-house expertise.  In our lead auditor training course we constantly present the issues from the perspective of implementing ISO as well as auditing it — they are different perspectives.

Accredited ISO lead auditor classes (e.g. IRCA) are recognized worldwide and are a meaningful qualification to organizations (so it looks good on the resume).

Because the lead auditor class is so beneficial and “desirable” it is more likely to be available and is generally more popular.  Without hesitation it is the class that is most useful to the broadest number of people.

FREE E-BOOK:
Five Easy Pieces: The Basic Steps to ISO 9000

Need to begin implementing ISO 9000 but feeling overwhelmed and unsure where to start? Come get our free guide on the basic steps to ISO 9000:

Download Now

If the subcontractor is able to measure their process output, then it is not special to them (only to us because we can’t).  Therefore, a cert is acceptable and we prefer that it includes data as evidence of actual measurement.

If they are registered to 9001, AS or NADCAP, then we only require their ISO/AS/NADCAP cert because their QMS should meet the requirements of 7.5.2 if they cannot measure their process outputs on the product.

If they are not registered to 9001, AS or NADCAP and they cannot measure the products, then we need to audit them or review objective evidence of their system that they provide to us that might include work instructions, training evidence, process validation, etc.

So to answer the question, through supplier evaluation and approval, we will know which situation exists and therefore, we will know if a certificate is acceptable as all that’s required.

Free e-Book: How to Avoid Famous Mistakes With ISO 9001

Want to avoid some of the most common auditing mistakes for ISO 9001? Get our free e-book on common ISO mistakes and how to avoid them.

There structures can originate from many situations but typically when the procedure was written, the author was trying to “get ISO” and that’s what they did. The easy way for them to do it was to write a procedure that just mimicked the words in the standard. Thus the procedure meets ISO. Unfortunately it really doesn’t describe the actual processes that are followed to achieve say document control and thus often work instructions are written to explain the different activities — so although they are called work instructions and third level documents they often describe the management processes that would normally be in a procedure. Usually they also contain detail too. That alone would be bad enough, but over the years auditors, customers and others change the procedures and work instructions to suit their needs and what is left is a complex set of documents to describe a simple process, at different levels and containing both detail and management processes.

The goal of documentation is not just to achieve conformance by saying “we have addressed it somewhere” but to focus on what would be the most useful structure of our documentation so that it is easy to communicate the process, to train people in it and to refer to it if we need to.

ISO is such a useful standard. It focuses on the processes for “managing” the activities it introduces. It is the management of document control that is important in clauses 4.2.3 and this can practically be presented in a single document at an appropriate level of detail. ISO got it about right when they included the requirements under each section. Covering these requirements, expanding those that are more important and minimizing those that are less (if any) can be practically achieved in a single document. Thus it is a useful hint (not particularly just for ISO conformance but also for addressing the most common document control requirements) that these subjects could (and perhaps should — because it is useful and practical) be described in a single procedure.

It is still possible that some work instructions are necessary. Typically these would cover the detail of a specific activity but the “management procedure” (the procedure which explains how the process is managed), should describe the overall process including relevant variations and exceptions. How to operate software or levels of authorities would be better covered in lower level documents.

The philosophies behind these disciplines are fundamentally different.  ISO is about establishing a defined way of running the whole business so that it is effective and successful.  Lean is about eliminating (seven types of) waste from processes and is usually applied as a project based philosophy to production type processes.  Six Sigma is also a project based philosophy with the reduction of variation being its main goal.

Although Lean and Six Sigma purists will claim that these techniques apply to the whole organization (and truthfully they can be), they are normally applied to a single process (at a time) where a variety of techniques are applied to reduce waste, reduce variability and increase efficiency.  Such tools as Kanban, one-piece-flow, standard work, tact time, 5S, statistical techniques, etc. are applied to and around the process in order to achieve improvement.  While these techniques can be applied to combined processes and even the management system of the organization as a whole, nowhere in the origins of these philosophies is there discussion about an organizational model or a breakdown of key processes that is found in ISO.

“Doing” ISO first will establish basic definitions for all processes in the organization including fundamental controls for such things as record keeping and document control.  Once the basic discipline exists within an organization, Lean and Six Sigma can be successfully applied to improve individual areas.

There are no big problems with doing Lean and Six Sigma before ISO.  It is possible that during ISO you will reorganize the way that your processes operate (as you define what they are and what they are trying to achieve) and this could cause effort in a Lean or Six Sigma project to be wasted – although the same could be said about an ISO project.  However,  ISO establishes processes for document control, records management, corrective action, competency definition, and management responsibilities that would be extremely beneficial during any project – including Lean and Six Sigma projects.  It is not unusual for a Lean or Six Sigma project to become “lost” when it does not use established document control, competency control and records management processes.

ISO is intended to provide a fundamental base to organizing a business.  Operating by design and not by accident.  While it does then actually require organizations to improve, it does not restrict how that is achieved.  To many people rush off to the promise of a Lean or Six Sigma project without strong basics in place.

Cavendish Scott, Inc. has been implementing ISO management systems for over 25 years.  We have been exposed to thousands of organizations some of which have adopted Lean and Six Sigma philosophies.  We have relationships with Lean and Six Sigma training organizations and can help you implement a strong management system in an organized and successful way.  Contact us for more information including supporting activities which are often overlooked.  With this discipline and organization established ISO pushes for and Lean and Six Sigma can deliver project based imprv

Lean Manufacturing (From Wikipedia)

http://en.wikipedia.org/wiki/Lean_manufacturing

Lean manufacturing or lean production, often simply, “Lean,” is a production practice that considers the expenditure of resources for any goal other than the creation of value for the end customer to be wasteful, and thus a target for elimination. Working from the perspective of the customer who consumes a product or service, “value” is defined as any action or process that a customer would be willing to pay for. Basically, lean is centered on preserving value with less work. Lean manufacturing is a generic process management philosophy derived mostly from the Toyota Production System (TPS) (hence the term Toyotism is also prevalent) and identified as “Lean” only in the 1990s.[1] [2] It is renowned for its focus on reduction of the original Toyota seven wastes to improve overall customer value, but there are varying perspectives on how this is best achieved.

Six Sigma (From Wikipedia)

http://en.wikipedia.org/wiki/Six_Sigma

Six Sigma is a business management strategy originally developed by Motorola, USA in 1981.[1] As of 2010[update], it enjoys widespread application in many sectors of industry, although its application is not without controversy.

Six Sigma seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors) and minimizing variability in manufacturing and business processes.[2] It uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organization (“Black Belts”, “Green Belts”, etc.) who are experts in these methods.[2] Each Six Sigma project carried out within an organization follows a defined sequence of steps and has quantified targets. These targets can be financial (cost reduction or profit increase) or whatever is critical to the customer of that process (cycle time, safety, delivery, etc.).[2]

The term six sigma originated from terminology associated with manufacturing, specifically terms associated with statistical modeling of manufacturing processes. The maturity of a manufacturing process can be described by a sigma rating indicating its yield, or the percentage of defect-free products it creates. A six-sigma process is one in which 99.99966% of the products manufactured are free of defects, compared to a one-sigma process in which only 31% are free of defects. Motorola set a goal of “six sigmas” for all of its manufacturing operations and this goal became a byword for the management and engineering practices used to achieve it.

FREE E-BOOK:
Five Easy Pieces: The Basic Steps to ISO 9000

Need to begin implementing ISO 9000 but feeling overwhelmed and unsure where to start? Come get our free guide on the basic steps to ISO 9000:

Download Now

Although it does not say in the standard, this is a common sense requirement that has been established as a rule imposed on certification bodies by the accreditation agencies.

Technically once you have audited thoroughly for a “few” years you might have collected evidence that will allow you to reduce the amount of auditing.  In practice this rarely happens.

Cavendish Scott, Inc.  performs internal auditing for many clients.  We are professional, quick and effective.  And it allows you to concentrate on your normal work.  Click here for more information

We adopt the basic principles of this in our training.  We ensure that training is substantially exercise based so that you have to learn for your self, so that you dont get bored and tired and so that you learn more.  Our training is fun and effective and better than the traditional style of training.  For instance, in our lead auditor training – 5 days,  we have about 30 powerpoint slides!

We use these same principles when we customize our training and bring it in house to your organization.

For information about our training - click here

Cavendish Scott performs internal audits for many organizations.  We are ISO and auditing experts and take all of the problems and worry out of your ISO system.  Outsource your internal audits and relax.

Schedule an ISO Audit