Clause 8.5 is all about improvement. To get the ball rolling, the standard starts with; 8.5.1 continual improvement. Not just sometimes, always.
Your manual and system should say something like this. Your company name continually improves (remember, not continuously, see later in the blog) the effectiveness of the quality management system through the use of the quality policy, quality objectives, audit results, analysis of data, corrective and preventive actions and management review.
An eloquent summary of all things improvement. Your quality policy therefore must refer to it. By definition within the standard, means your quality objectives need to be hard wired to it, with the standard then going on to refer to some of the improvement tools already mandated in the standard; audits, data, corrective action, preventive action and management reviews. Each of these aspects have requirements for planning and closed loop actions to ensure they are continual. For example, one of the inputs of management review is the follow up of previous actions / reviews. Nicely continual.
No requirements for documentation here other than the above references and tie-ins. I default to the ‘road map’ and move onto the next clause.
Now there is heaps of debate around the word ‘continual’ and that some of us less educated, interchange it with the word continuous. Now here is my spin on this controversy. Yes, they are different words, with different meaning but the split is; continuous means uninterrupted (without end), whilst continual means frequently (without pause). But who really cares. As always, it is the intent of that counts, so get on with it lots.
Tuesday, 23 October 2012
Thursday, 18 October 2012
Multi-site Sampling
It is rant time. There is so much BS in determining the number of sites for a certification. It is a dark art, and our friendly certification providers deliberately make it so. There is no transparency, well, there is at least an invisibility cloak surrounding the details. But enough of the hocus pocus.
You will need to dig very deep into a certification providers rules, guidelines and terms to find what criteria they are using to determine how many sites will be audited during a certification audit, a surveillance audit and a recertification audit.
Most will just, apparently, make up a number and then hide behind the statement, ‘these are JASANZ requirements’. Then there is the straight gouge, where no multi-site plan is even offered a client. They just see x number of sites, audit x number of sites. Some try and to appear user friendly and split the number of sites between 6 monthly visits but it is pure revenue chasing as the same 100% total is audited over a 12 month period.
The golden rule of multi-site auditing is a simple square root of the total number of sites. To be more accurate it is the square root of the number of sites having the same scope and then added together, which does add to the complexity but it will provide a saving. There are also complications due to risk of activities, more than one standard, more than one system and so on, but it is a negotiable point which needs to be clearly defined and redefined when circumstance demands.
Do not tolerate a subpar customer focus from your certifier just because they are too inflexible to meet your changing needs or because it is too complex requiring a create solution. Review your sample plan every time you add or subtract a site and make sure that every three years when your certificate is up for renewal, you get a new proposal, a new contract, a new sample plan for your business as ‘rules’ change and such changes may provide you with better outcomes.
You will need to dig very deep into a certification providers rules, guidelines and terms to find what criteria they are using to determine how many sites will be audited during a certification audit, a surveillance audit and a recertification audit.
Most will just, apparently, make up a number and then hide behind the statement, ‘these are JASANZ requirements’. Then there is the straight gouge, where no multi-site plan is even offered a client. They just see x number of sites, audit x number of sites. Some try and to appear user friendly and split the number of sites between 6 monthly visits but it is pure revenue chasing as the same 100% total is audited over a 12 month period.
The golden rule of multi-site auditing is a simple square root of the total number of sites. To be more accurate it is the square root of the number of sites having the same scope and then added together, which does add to the complexity but it will provide a saving. There are also complications due to risk of activities, more than one standard, more than one system and so on, but it is a negotiable point which needs to be clearly defined and redefined when circumstance demands.
Do not tolerate a subpar customer focus from your certifier just because they are too inflexible to meet your changing needs or because it is too complex requiring a create solution. Review your sample plan every time you add or subtract a site and make sure that every three years when your certificate is up for renewal, you get a new proposal, a new contract, a new sample plan for your business as ‘rules’ change and such changes may provide you with better outcomes.
Tuesday, 16 October 2012
Analysis of Data
Good old clause 8.4, analysis of data, probably the most ignored clause of the standard. Why? Well it is a bit squishy, a bit fluffy but mostly because the certifiers leave it alone but when they do give it some focus, they are like a dog with a bone. But I digress. Let us look at the requirements.
Your company determines, collects and analyses appropriate data to demonstrate the suitability and effectiveness of the quality management system and to evaluate where continual improvement of the effectiveness of the quality management system can be made. This includes data generated as a result of monitoring and measurement and from other relevant sources. The analysis of data provides information relating to; customer satisfaction, conformity to product requirements, characteristics and trends of processes and products including opportunities for preventive action, and suppliers.
As always it has the very big caveat of ‘appropriate’ data and only to demonstrate suitability, effectiveness of the quality management system and to evaluate continuous improvement. Sure they list a number of aspects of the business that contain ‘relevant’ data for analysis but nowhere does it prescribe what and how. So don’t be bullied and don’t run amok.
Always start with data that is generated now, especially data that get the owners, shareholders, stakeholders excited. So financial data is a good starting point. Then look at what other data that is collected and reported on. Next look at the fuzzy stuff. I won’t define what is fuzz and what isn’t, just remember, if you have to invent gathering tools and data just for the sake of the quality management system, then it is probably fuzzy.
This doesn’t mean fuzz is bad. Some companies need to redefine fuzz to core, because without it your probably cannot demonstrate appropriate, relevant, data and it’s analysis and if you can’t, then you probably cannot get certified either.
So define what data is core to the business, describe when it is gathered, when it is analysed, maybe even describe how it is analysed and demonstrate that you do it. I would normally put this in both the quality manual and a management review procedure, because at the end of the day, it needs to have a quality focus to meet the requirements of a quality management system.
Your company determines, collects and analyses appropriate data to demonstrate the suitability and effectiveness of the quality management system and to evaluate where continual improvement of the effectiveness of the quality management system can be made. This includes data generated as a result of monitoring and measurement and from other relevant sources. The analysis of data provides information relating to; customer satisfaction, conformity to product requirements, characteristics and trends of processes and products including opportunities for preventive action, and suppliers.
As always it has the very big caveat of ‘appropriate’ data and only to demonstrate suitability, effectiveness of the quality management system and to evaluate continuous improvement. Sure they list a number of aspects of the business that contain ‘relevant’ data for analysis but nowhere does it prescribe what and how. So don’t be bullied and don’t run amok.
Always start with data that is generated now, especially data that get the owners, shareholders, stakeholders excited. So financial data is a good starting point. Then look at what other data that is collected and reported on. Next look at the fuzzy stuff. I won’t define what is fuzz and what isn’t, just remember, if you have to invent gathering tools and data just for the sake of the quality management system, then it is probably fuzzy.
This doesn’t mean fuzz is bad. Some companies need to redefine fuzz to core, because without it your probably cannot demonstrate appropriate, relevant, data and it’s analysis and if you can’t, then you probably cannot get certified either.
So define what data is core to the business, describe when it is gathered, when it is analysed, maybe even describe how it is analysed and demonstrate that you do it. I would normally put this in both the quality manual and a management review procedure, because at the end of the day, it needs to have a quality focus to meet the requirements of a quality management system.
Monday, 8 October 2012
Control of Nonconforming Product
Clause 8.3. Your company ensures that product which does not conform to product requirements is identified and controlled to prevent its unintended use or delivery. The controls and related responsibilities and authorities for dealing with nonconforming product (and of course, or service) are defined in a documented procedure.
Yep, it is one of the mandatory requirements for a procedure and a good one too. It is so important that you have this clause under control, to have this process under control. The standard is quite prescriptive as to what you have to do. You must do one or more of the following; take action to eliminate the detected nonconformity; authorise its use, release or acceptance under concession by a relevant authority and, where applicable, by the customer; and lastly, take action to preclude its original intended use or application.
A nice hierarchy of control. Eliminate the problem, accept the problem or stop the problem by either of the first two. Once you have done this, you need to demonstrate via appropriate records that anything that you have done, has been done as per the procedure. Full stop. The standard goes on to say that if you fix a problem, then the ‘fixed’ product or service is again tested and verified to the requirements and of course, all the while keeping records to show it now confirms.
The quirkiest part of this clause is to describe what you have to do if the problem is detected after delivery or use has started. You need to define what you do with the ‘knock on’ ramifications of the problem. Do you recall? Do you compensate, replace, credit, etc. How far back do you go. When do you deem remaining stock is OK. This is a very large ‘piece of string’ scenario and can only be truly reviewed and controlled by thoughtful risk assessment, management and mitigation. For high risk industries, such as automotive, this is often described in legislation, codes, best practices. For the rest of us, listen to your customers and develop policy and process from their feedback.
Because of the importance of this clause I like to keep this procedure a separate procedure just to make sure that you are giving the importance to each of the aspects of this clause. This does not mean you cannot merge this procedure with others, such as corrective action, just make sure that you address every aspect, even if not applicable to your company.
Yep, it is one of the mandatory requirements for a procedure and a good one too. It is so important that you have this clause under control, to have this process under control. The standard is quite prescriptive as to what you have to do. You must do one or more of the following; take action to eliminate the detected nonconformity; authorise its use, release or acceptance under concession by a relevant authority and, where applicable, by the customer; and lastly, take action to preclude its original intended use or application.
A nice hierarchy of control. Eliminate the problem, accept the problem or stop the problem by either of the first two. Once you have done this, you need to demonstrate via appropriate records that anything that you have done, has been done as per the procedure. Full stop. The standard goes on to say that if you fix a problem, then the ‘fixed’ product or service is again tested and verified to the requirements and of course, all the while keeping records to show it now confirms.
The quirkiest part of this clause is to describe what you have to do if the problem is detected after delivery or use has started. You need to define what you do with the ‘knock on’ ramifications of the problem. Do you recall? Do you compensate, replace, credit, etc. How far back do you go. When do you deem remaining stock is OK. This is a very large ‘piece of string’ scenario and can only be truly reviewed and controlled by thoughtful risk assessment, management and mitigation. For high risk industries, such as automotive, this is often described in legislation, codes, best practices. For the rest of us, listen to your customers and develop policy and process from their feedback.
Because of the importance of this clause I like to keep this procedure a separate procedure just to make sure that you are giving the importance to each of the aspects of this clause. This does not mean you cannot merge this procedure with others, such as corrective action, just make sure that you address every aspect, even if not applicable to your company.
Tuesday, 2 October 2012
Monitoring and Measurement of Product
Good old clause 8.2.4. Let’s review. Your company monitors and measures the characteristics of the product to verify that product requirements have been met. This is carried out at appropriate stages of the product realisation process in accordance with the planned arrangements. Evidence of conformity with the acceptance criteria is maintained. Records indicate the person(s) authorising release of product. Product release and service delivery does not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, where applicable, by the customer.
Don’t forget before I begin, that product / service are interchangeable. A very nice balance of prescription and where applicable (WA).
Prescription. Make sure what you make meets specification. Full stop. Too easy. Then, you get to pick when and by what method, frequency, etc. WA. And you do this based on your historical data or by when the characteristics can be measured but most importantly, when they are supposed to happen based on a predetermined plan. Goose bumps. True quality assurance (and yes, I need to get a life).
Prescription. Keep evidence. Keep records. Make sure such records demonstrate conformance and who did what when under what delegated authority.
Prescription. Do not proceed with the next stage of anything until the defined plan has been met, even if such a plan includes overriding by either higher authorities or that absolute being, the customer.
No procedure is needed here. No inspection and test plan is needed. Only process and the records to back it up. However, unless it is absolutely apparent, a simple flow chart or procedure or inspection and test plan would benefit the company. Don’t get hung up on the structure, just generate something that is useful, clear and concise that the ‘plan’ can be achieved.
Document Control - Part 1
Below is a cut and paste from the standard with [comments from me].
Documents required by the quality management system are controlled [and therefore by definition, those that aren’t, aren’t. In the bad old days, this meant that every other piece of paper has to identified as not being part of the system. Today, you can be clever with definition, registers, location, etc.].
Records are controlled according to the requirements given in 4.2.4. [records demonstrating document control need to be generated, legible, readily retrievable. They can be hard copy, electronic, in a register or embedded in the document itself].
A documented procedure has been established to define the controls needed [this means you have to have a procedure and you have to have it documented. No exceptions]
a) to approve documents for adequacy prior to issue, [set some rules, set some definitions, name names or titles]
b) to review and update as necessary and re-approve documents, [deem when is necessary, explain what the triggers are, what mechanisms you use to record the update and then define who re-approves, which is normally the person or title who approved the original document]
c) to ensure that changes and the current revision status of documents are identified, [identified is the key word here. It doesn’t mean embedded but it could. It means that either within the procedure, the register, amendment or the document itself. There are just so many options here. Pick the one that suits you, your readers, your organisational culture and stick with it].
Part two to follow shortly.
Subscribe to:
Posts (Atom)