Chapter 17 Internal quality audits Scope of requirements The requirements for internal audits apply to audits of the quality system, including the policies, practices, products, and services to which the quality system relates. They are not limited to audits of procedures. In order to determine whether the quality system is effective in maintaining control, you need to check that the resultant products and serv- ices meet the specified requirements and that prescribed quality objectives are being achieved. If the products and services are not meeting the specified requirements, or the prescribed objectives are not being achieved, something is clearly amiss with the quali- ty system. The requirements do not apply to audits of suppliers or subcontractors as they are covered in clause 4.6 of the standard. The purpose of quality audits is to establish, by an unbiased means, factual information on quality performance. Quality audits are the measurement component of the quality system. Having established a quality system it is necessary to install measures that will inform management whether the system is being effective. Installing any system without some means of being able to verify whether it is doing its intended job is a waste of time and effort  hence the importance of the internal audit requirement. Audits gather facts, they should not change the performance of what is being measured and should always be performed by someone who has no responsibility for what is being measured. Audits should not be performed to find faults, to apportion blame, or to investigate problems; other techniques should be used for these purposes. Further guidance is provided in the ISO 9000 Quality System Assessment Handbook and in ISO 10011. The requirements in element 4.17 are linked with other elements of the standard even when there is no cross reference. This relationship is illustrated in Figure 17.1. auto217.qxd 10/04/00 21:41 Page 507 Audit procedures (4.17.1) The standard requires the supplier to establish and maintain documented procedures for planning and implementing internal quality audits . The standard requires procedures for both planning and implementing audits and these should cover the following: l Preparing the annual audit program l The selection of auditors and team leader if necessary l Planning audits of each type l Conducting the audit 508 Internal quality audits Figure 17.1 Clause relationships with the internal quality audit element PREPARE SYSTEM AUDIT SCHEDULE (4.17.1) SELECT AUDITORS (4.17.1) PLAN SYSTEM AUDIT (4.17.1) CONDUCT SYSTEM AUDIT (4.17.1) REPORT AUDIT (4.17.1) QUALITY RECORDS (4.16) CORRECTIVE ACTION (4.14.2.1) SCHEDULE FOLLOW- UP AUDITS (4.17.1) MANAGEMENT REVIEW (4.1.3) PREPARE PROCESS AUDIT SCHEDULE (4.17.1) SELECT AUDITORS (4.17.1) PLAN PROCESS AUDIT (4.17.2.3) CONDUCT PROCESS AUDIT (4.17.2.3) PREPARE PRODUCT AUDIT SCHEDULE (4.17.1) SELECT AUDITORS (4.17.1) PLAN PRODUCT AUDIT (4.17.2.4) CONDUCT PRODUCT AUDIT (4.17.2.4) QUALIFY AUDITORS (4.17.3) auto217.qxd 10/07/00 16:53 Page 508 Internal quality audits 509 Figure 17.2 Internal quality system audit process PREPARE/UPDATE ANNUAL AUDIT PROGRAM ASSIGN AUDITOR AUDIT PREPARATION CONDUCT AUDIT PREPARE REPORT AGREE REMEDIAL & CORRECTIVE ACTIONS IMPLEMENT ACTIONS REPORT RESULTS SYSTEM IMPLEMENTATION VERIFY EFFECTIVENESS EFFECTIVE? No CLOSE REPORT Yes RECORDS CONTROL SCHEDULE NEXT AUDIT QUALITY SYSTEM MAINTENANCE VERIFY ACTION ACTION COMPLETE? Yes ESCALATE TO HIGHER MANAGEMENT REASON VALID? SET NEW TARGET DATE No Yes No auto217.qxd 10/07/00 16:53 Page 509 l Recording observations l Determining corrective actions l Reporting audit findings l Implementing corrective actions l Confirming the effectiveness of corrective actions l The forms on which you plan the audit l The forms on which you record the observations and corrective actions l Any warning notices you send out of impending audits, overdue corrective actions, escalation actions The system audit process is shown in Figure 17.2. Certain activities such as the opening and closing meeting have been omitted for clarity because they are not always needed for internal audits. The product audit process would be somewhat different but the prin- ciples would be the same. Further guidance on the conduct of audits can be found in Appendix C. The audit program (4.17.1) The standard requires audits to be planned but does not specify whether it is the system that should be planned or whether it is individual audits that should be planned. The overall plan is in fact a program because this should have dates on which the audits are to be conducted. There is no requirement for audits to be comprehensive; however, planned audits may not be comprehensive and comprehensive audits may not be planned, so there is a need to ensure that the audit program covers all aspects of the quality system in all areas where it is to be employed. The coverage of the audit pro- gram should be designed so that it obtains sufficient confidence in operations to be able to declare that the system is effective. There may be a need for different types of audit programs depending on whether the audits are of the quality system, processes, prod- ucts, or services. The audit program should be presented as a calendar chart showing where and when the audits will take place. All audits should be conducted against a standard for the performance being measured. Examinations without such a standard are surveys, not audits. Audits can also be con- ducted against contracts, project plans, specifications  in fact any document with which the organization has declared it will comply. The standard now requires system audits to be conducted to verify compliance with ISO/TS 16949 and any other system require- ments. 510 Internal quality audits auto217.qxd 10/04/00 21:41 Page 510 An audit of one procedure or requirement of the standard in one area only will not be conclusive evidence of compliance if the same procedures and requirements are also applicable to other areas. Where operations are under different managers but perform- ing similar functions you cannot rely on the evidence from only one area  management styles, commitment, and priorities will differ. In order to ensure that your audit program is comprehensive you will need to draw up a matrix showing what policies, procedures, standards, etc. apply to which areas of the organization. The program also has to include shift working so your auditors need to be very flexible. One audit per year covering 10% of the quality system in 10% of the organization is hardly comprehensive. However, there are cases where such an approach is valid. If sufficient confidence has been acquired after conducting a comprehensive series of audits over some time, the audit program can be adjusted so that it targets only those areas where change is most likely, auditing more stable areas less frequently. Procedures will contain many provisions, not all of which may be susceptible to verifi- cation at the time of the audit. This may be due either to time constraints or to work for which the provisions apply not being scheduled. It is therefore necessary to record which aspects have or have not been audited and engineer the program so that over a one to three year cycle all procedures and all requirements are audited in all areas at least once. Planning quality audits The detail plan for each audit may include dates if it is to cover several days but the main substance of the plan will be what is to be audited, against what requirements, and by whom. At the detail level, the specific requirements to be checked should be identi- fied based upon risks, past performance, and when it was last checked. Overall plans are best presented as program charts and detail plans as checklists. Audit planning should not be taken lightly. Audits require effort from auditees as well as the auditor so a well- planned audit designed to discover pertinent facts quickly is far better than a rambling audit which jumps from area to area looking at this or that without any obvious direction. Although checklists may be considered a plan, in the context of an audit they should be considered only as an aid to allow the auditor to follow trails that may lead to the dis- covery of pertinent facts. However, there is little point in drawing up a checklist then putting it aside. The checklist should represent the minimum aspects to be checked so that following the audit you have evidence indicating: l Which activities were compliant l Which activities did not comply l Which activities were not checked Internal quality audits 511 auto217.qxd 10/04/00 21:41 Page 511 Verifying compliance with planned arrangements (4.17.1) The standard requires the supplier to carry out audits to verify whether quality activities and related results comply with planned arrangements . The term quality activities is not defined in ISO 8402 and while it may seem obvious it can create confusion. If we list all the activities which can affect quality, we could say that these are all quality activities. But many of these are also design, purchasing, manufac- turing, and installing activities. Can they also be quality activities? Quality activities are not restricted to the activities of the quality department or other similar departments. The only clue in the standard as to what quality activities are is in clause 4.1.2.1 where it requires the responsibility of all personnel who manage, perform, and verify work affecting quality to be defined. So a quality activity is any activity that affects the ability of a product or service to satisfy stated or implied needs. The related results are the results produced by implementing the policies and proce- dures. They include documents, decisions, products, and services. It is not enough for internal audits to verify that procedures are being followed. They need to verify whether the outputs of these procedures comply with the prescribed requirements. Planned arrangements is another unusual term, especially when throughout the stan- dard the terms documented quality system and documented procedures have been used. However, so that audits are not restricted to documented procedures and policies, the term planned arrangement has been used. It encompasses contracts, specifications, plans, objectives, strategies  in fact any arrangement made by the organization to sat- isfy customer needs. You therefore need to define what constitutes your planned arrangements. One aspect often overlooked in carrying out audits is the working environment. The working environment becomes important when it can affect the product  such as clean- liness in the microelectronics and coatings industries. However, there are aspects which directly affect the product such as handling, cleanli- ness, temperature, etc. and those that indirectly affect the product such as lighting, housekeeping, ventilation, etc. If the personnel cannot see, or become dizzy through fumes, then the product may be damaged or nonconforming product may be released. If personnel could be injured and blood drip onto the product then obviously this needs to be prevented. The methods used to provide a safe and suitable working environment should be a part of your planned arrangements and be included in your audit checklists. The scope of the working environment should not be limited to manufacturing areas but include the working environment in the marketing, design, purchasing, quality assur- 512 Internal quality audits auto217.qxd 10/04/00 21:41 Page 512 ance departments, etc. In these areas there may be an indirect effect on product quali- ty if we take into account noise, housekeeping, and staff discipline. It is difficult to concentrate and make the right decisions when the working area is noisy and other col- leagues cause distraction. Audits can take several forms: l The system audit : to verify that the quality system complies with the appropriate part of ISO 9000. The system audit is a composite of a documentation audit and implementation audit (see below). This is now required in ISO/TS 16949 clause 4.17.2.2. VDA 6.1 provides general guidance and VDA 6.2 addresses services. l The strategic quality audit : to verify that the strategic plans of the organization address specified legal, environmental, safety, and market quality requirements. l The policy audit : to verify that the documented policies promulgate the require- ments of the standard and the objectives of the business. l The organization audit : to verify that the organization is equipped and resourced to implement the policies and achieve the stated objectives. l The documentation audit : to verify that the documented practices implement the approved policies and the relevant requirements of the standard. l The implementation audit : to verify that the documented practices are being fol- lowed and that there are no undocumented practices employed that affect quality. This can be divided into two parts, one addressing upper management and their implementation of the strategic plans and one addressing staff and their implemen- tation of the procedures. l The process audit : to verify that the result-producing processes control products and service within the defined limits. This is now required in ISO/TS 16949 clause 4.17.2.3. VDA 6.3 provides guidance. l The product or service audit : to verify that the resultant products and services meet the prescribed requirements. This is now required in ISO/TS 16949 clause 4.17.2.4. VDA 6.5 provides guidance. Internal quality audits 513 auto217.qxd 10/04/00 21:41 Page 513 Determining the effectiveness of the system (4.17.1) The standard requires the supplier to carry out audits to determine the effectiveness of the system . Even when you have verified that policies are being met, documented procedures are implementing policies, and these procedures are being implemented etc., you need a means of determining whether the system is being effective. You could be doing every- thing you say you will do but still not be satisfying customers. The requirement is also somewhat duplicated in clause 4.1.3 on management reviews. You are required to conduct management reviews to ensure quality system effectiveness and conduct internal quality audits to determine the effectiveness of the system. It would appear that the audit collects the evidence and the review ensures that it is collected. There are two dimensions to effectiveness: the results gained by measuring effectiveness and the effectiveness of the method used to determine the results. There are several methods which can be used to determine the effectiveness of the quality system: l Quality audit l Performance monitoring l Quality costing l Customer surveys Management should not be surprised by what customers are saying about them. They should know how good their products and services are and how well they satisfy cus- tomer needs. Part of this confidence should come from the quality audit. Audits should be providing management with knowledge they dont possess, not telling them what they already know as a fact. The audit and not the customer should be the first to reveal any problems. If audits only report historic facts they are ineffective. If having conduct- ed an audit, problems are later revealed which were clearly present when the audit was conducted, the audit has not been effective. If subsequent audits reveal facts that should have been detected during previous audits, measures should be taken to adjust the auditing method or the audit plan. Effectiveness is concerned with doing the right things rather than with doing things right. So if the system enabled management to stop the development of products for which there was no requirement, discover a potential safety problem, anticipate customer needs ahead of the competition, cut waste by 50%, successfully defend a product 514 Internal quality audits auto217.qxd 10/04/00 21:41 Page 514 liability claim, meet all the delivery targets agreed with the customer, you would proba- bly say that the system was pretty effective. If on the other hand the system allowed the shipment of defective products every day, lost one in three customers, allowed the devel- opment of unsafe products to reach the market, or the failure of a revolutionary power plant, you would probably say that the system was pretty ineffective. So the first thing you need to do is establish what you want the quality system to do, because without a yardstick as a measure, you cant determine whether the system is effective or not. Many systems are only designed to meet the standard with the result that you can deliver defective product providing you also deliver some which are not defective. The standard cannot and should not tell you what targets to meet; that is why you need to define your quality objectives (see Part 2 Chapter 1) and use performance monitoring as a means of determining whether these objectives are being achieved. One measure of quality is the cost of nonconformance. In order to discover whether you are doing the right things a measure of the distribution of effort would help. If you are spending 50% of the effort on appraisal and corrective activities, clearly your operations are not effective or efficient. Quality costs can help reveal this data and while it should not be used as a measure of absolute costs, it does help in determining whether there have been improvements if you take measurements before and after the introduction of change. So while not a requirement, it can be argued that quality costs should be used as one of the methods of determining the effec- tiveness of the quality system. Scheduling quality audits (4.17.1) The standard requires the supplier to schedule audits on the basis of the status and importance of the activity . Status of the activity Status has three meanings in this context: the first to do with the relative position of the activity in the scheme of things; the second to do with the maturity of the activities; and the third to do with the performance of activities. There is little point in conducting in- depth audits on activities that add least value. There is also little point auditing activities that have only just commenced. You need objective evidence of compliance and that may take some time to be collected. Where the results of previous audits have revealed a higher than average performance in any area (such as zero nonconformities on more than two occasions), the frequency of audits may be reduced. However, where the results indicate a lower than average performance (such as a much higher than average number of nonconformities), the frequency of audits should be increased. Internal quality audits 515 auto217.qxd 10/04/00 21:41 Page 515 Importance of the activity On the importance of the activity, you need to establish to whom is it important: to the customer, the managing director, the public, your immediate superior? You also need to establish the importance of the activity upon the effect of noncompliance with the planned arrangements. For example, not ordering the correct grade of steel may only delay fabrication if you are lucky but, if not detected in time, may result in the compo- nent failing in service. Getting the purchase specification correct is important so this activity should be audited. Importance also applies to what may appear minor decisions in the planning or design phase. If such decisions are incorrect they could result in major problems downstream. If not detected, getting the decimal place wrong or the units of measure wrong can have severe consequences. Audits should verify that the appropriate controls are in place to detect such errors before it is too late. Previously on the subject of the comprehensiveness of audits, it was suggested that you ensure all procedures and policies are verified in all areas at least once every one to three years. The status and importance of the activities will determine whether the audit is scheduled once a month, once a year, or left for three years. The independence of auditors (4.17.1) The standard requires that internal quality audits be carried out by personnel inde- pendent of those having direct responsibility for the activity being audited . By being independent of the audited activities, the auditor is unaware of the pressures, the excuses, the informal instructions handed down and can examine operations objec- tively without bias and without fear of reprisals. It is for this reason that it was considered appropriate for the auditor to have no direct responsibility for the work being audited: i.e. audits carried out by a manager, supervisor, or foreman of his/her own department or section do not qualify as internal quality audits in ISO 9001:1994. However, they will qualify under ISO 9000:2000. To ensure their independence, auditors need not be placed in separate organizations. Although it is quite common for quality auditors to reside in a quality department it is by no means essential. There are several solutions to retaining impartiality: l Auditors can be from the same department as the activities being audited, provid- ed they are not responsible for the activities being audited. 516 Internal quality audits auto217.qxd 10/04/00 21:41 Page 516 [...]... 522 522 Internal quality audits Internal quality audits questionnaire 1 In which documents have you defined your procedures for planning and implementing internal quality audits? 2 How do you verify whether quality activities and related results comply with planned arrangements? 3 How do you determine the effectiveness of the quality system? 4 Which documents constitute the internal quality audit plans?... legislation, sales, marketing, quality management, etc l An analysis of nonconformities, customer complaints, and other problems l Developing design skills (4.4.2), problem solving skills (4 .14. 1), statistical skills (4.20.2) l Introducing a quality system, thus requiring awareness of ISO 9000, the quality policies and objectives, and training in the implementation of quality system procedures, standards,...auto217.qxd 10/04/00 21:41 Page 517 Internal quality audits 517 l Separate independent quality audit departments could be set up, staffed with trained auditors l Implementation audits could be carried out by trained line personnel supervised by an experienced quality auditor You can show compliance with this requirement by defining where the auditors... whose judgement the determination of quality depends Providing for training (4.18.1 and 4.18.3) The standard requires the supplier to provide for the training of all personnel performing activities affecting quality The supplementary requirement requires provision of on-the-job training for personnel (including contractors) in any new or modified job affecting quality This requirement can be rather... is of interest to note that no reference is made to clause 4.16 of the standard regarding quality records The servicing reports therefore are not classed as quality records but are included in the list of documents to be used to detect, analyze, and eliminate potential causes of nonconformities (see clause 4 .14. 3) Servicing reports should specify the following as applicable: l The identity of the product... achievement, control, and assurance of quality requires personnel who are competent to carry out these tasks and although this clause of the standard only addresses training, it is adequate training rather than education that will give personnel the skills they need ISO 9004 identifies qualifications and motivation as well as training as key factors in achieving quality Academic qualifications are often... PROVIDE FORMAL TRAINING (4.18.1) RESPONSIBILITIES & AUTHORITY (4.1.2.1) PROVIDE ON-THE-JOB TRAINING (4.18.3) QUALIFY PERSONNEL (4.18.1) TRAINING RECORDS (4.18.1) QUALITY RECORDS (4.16) EVALUATE EFFECTIVENESS (4.18.2) CORRECTIVE ACTION (4 .14. 2) RESOURCES (4.1.2.2) Figure 18.1 Clause relationships with the training element one and the same, then it will become apparent that all employees will require... 21:41 Page 520 520 Internal quality audits Customers are likely to require internal auditors to at least have taken an Internal Auditor Training Course that meets the requirements of ISO 10011 but are unlikely to require Lead Auditor Registration VDA 6.3 on Process audits requires the auditor to have at least two years’ practical experience in process management in the automotive industry and to have... 21:41 Page 521 Internal quality audits 521 Task list 1 Decide on the scope of the audit program 2 Produce an annual audit program 3 Devise a method of determining when parts of the system were last audited 4 Decide on the types of audits to be conducted and the level of staff to conduct them 5 Determine the standards against which the organization is to be audited 6 Train your quality auditors to a defined... skill the competent people for specific assignments Increasing sensitivity to customer requirements (4.18.3) The standard requires personnel whose work affects quality to be informed of the consequences to the customer of nonconformities with quality standards This requirement is tougher than you might think but you can make it easier You have produced the Design FMEA and the Process FMEA and in these . of quality audits is to establish, by an unbiased means, factual information on quality performance. Quality audits are the measurement component of the quality system. Having established a quality. they also be quality activities? Quality activities are not restricted to the activities of the quality department or other similar departments. The only clue in the standard as to what quality activities. quality activities is not defined in ISO 8402 and while it may seem obvious it can create confusion. If we list all the activities which can affect quality, we could say that these are all quality