SQA Blog

Our auditors provide insights, experience and guidance on certification for various quality standards.

By Helmut Jilling, SQA Auditor

There is a common weakness in internal audits. The old element-based checklist method was easy to use - just a series of checklist questions and answers. But over time, the checksheets became less effective. Audits focused on the same few questions, again and again. They ceased to uncover other issues and improvements.

The ISO Process Approach is much better. It follows audit trails through the process and into related linked processes, but it is much harder to perform well. The major weakness is that, without checksheets, auditors have little guidance as to what to audit.

A solution is to develop tools and worksheets that provide auditors with guidance, but not specific questions. Worksheets should outline the necessary parts of a good process audit without limiting the auditor to a few specific questions and paths.

ISO/TS-16949 and other ISO 9001 based standards require audits be performed using a “Process Approach.” It is not enough to just audit the ISO standard, procedures or manufacturing. Audits must do more than check whether people “are following their work instructions.” Each process (Core and Support processes) in your Quality System should be thoroughly assessed for both conformance and effectiveness. Audits must assess how each process is performing to determine improvements.

For example:

  • Is the process meeting objectives?
  • Are customer needs being met?
  • Are there bottlenecks?
  • How effectively does it interact with other processes?
  • Do people have good skills?
  • Are work instructions clear?
  • Are there areas where you can save time or money?

Audits need to address these areas and more if you want to improve your company’s processes and performance.

For more details and specific “how to’s” for the specific stages of process auditing and what you should have on hand for the audit report and closing meeting, download our white paper.


Smithers expertise is often recognized at national conferences. Representatives from Smithers Quality Assessments have joined with another Smithers business group, Smithers Rapra, at two major upcoming industry conferences.

Smithers Rapra is a global leader in rubber, plastics, polymer and composites testing and consulting services focused mainly on the tire, industrial, transportation, consumer and medical industries. It is one of the five business groups under the Smithers name.

From October 11 to 13, we will be at the Rubber Expo & Advanced Materials in Health Care at the Cleveland, OH I-X Center. Smithers Quality Assessments representatives will be at the Smithers Rapra booth answering questions about business management systems and quality issues.

We also will be at the American Association of Pharmaceutical Scientists 2011 AAPS Annual Meeting & Exposition from October 23 to 27. The AAPS Annual Meeting and Exposition features sessions focused on bioequivalence, Biopharmaceutics Classification System, combination products, modified release, nanotechnology, Quality by Design and systems analysis.



We recently announced that as of August 22, 2011, any corrective actions resulting from a non-conformance identified during an audit should be accompanied by a root cause analysis as part of the corrective action submittal.

Read our August 2011 Newsletter to learn why.

To assist you with this new requirement, we have developed a 5-Why tool which can be used as a simple root cause methodology, or you can submit your own version.

Access our 5-Why Tool.

For more information and background, please read:

Our goal is to help our clients' systems and improve our own systems through effective corrective action processes. We believe that you will benefit from using a root cause analysis tool to help you develop a robust corrective action.

Please contact your auditor for any organization-specific questions, or feel free to contact SQA.


AS91XX:2009: Deadline Almost Here!

July 1 is quickly approaching. Remember all AS9100 audits must be conducted to Rev. C utilizing the AS9101D requirements for the audit and reporting process. Your auditor will notify you 45-60 days prior to your audit to request the following information in order to better plan your assessment:

  • Scope of audit including complexity
  • Processes including sequence and interaction
  • Criticality of products/processes including special processes
  • Product related safety issues
  • Results of internal audits
  • Previous audit findings
  • Performance measures and trends including those from customers
  • Previous management review results
  • Customer satisfaction and complaints
  • Customer specific, statutory and regulatory requirements
  • And any changes to the organization 

This is a requirement for all AS91XX assessments. If the requested information is not received within the required timeframe, we will add at least ½ day prior to the opening meeting to make any necessary adjustments to the audit plan.

As an organization you will see the following changes:

New Audit Report Format:
You will no longer receive the SQA audit report that you are accustomed to receiving at the close of the audit. Instead, SQA will report the results of the audit entirely through AS9101D. This information also will be uploaded into OASIS.

New forms:

  • PEAR (Process Effectiveness Assessment Report) for all processes that you have designated in Product Realization (Section 7).
  • OER (Objective Evidence Record) for objective evidence of the audit findings, including references to the reviewed or observed procedures, records, products, processes, non-conformances and OFIs (Opportunities For Improvement).
  • NCR (Non-Conformance Report) containing the same information as the SQA Corrective Action Request.


AS9104 Requirements Change
Not only did the standard change, but the AS9104 Requirements for Aviation, Space and Defense QMS Certification Programs is also under revision.
Some of the changes planned will affect your organization:

  • A table defining minimum on-site audit days. 
  • Additional audit time added to each audit based on complexity, number of aerospace customers, number of statutory and regulatory requirements, to name a few. 

Every certification body is required to utilize the audit day tables.  If the required number of audit days is not utilized we cannot enter the audit information in OASIS.

Where an audit day is planned for over 8 hours to cover off-shift activities, this cannot reduce the required audit duration. For example, if your organization operates with 3 shifts and the audit duration per the minimum audit day table is 2.5 days on-site, the auditor cannot plan two 12-hour days and meet the required 2.5 days on site. Two 12-hour audit days are equivalent to 2.0 days.

Certification Structures Well Defined
Certification structures will be better defined, which may change the certificate scheme previously applied to your organization. This in turn may also affect the number of audit days at each of your sites.

  • Integrated audits with AS91XX will be defined, outlining the allowable reduction of assessment time, as long as the reduction is justified and documented according to the level of integration.
  • The same audit team leader will be limited to two consecutive certification cycles (6 years).

These are just a few of the impending changes. Once AS9104-1 is approved and published, SQA will start implementing the requirements of this standard. We expect the standards will be published by year end 2011 and will keep our customers posted.


Certification to the AS9100 Standard has many obvious benefits, including access to the best practices of the aerospace industry, and clearly demonstrating your company’s commitment to quality products and services to your customers and prospects.

What you may not realize is that once you are AS certified, your company name is entered into the OASIS database. This database is a major resource many large OEMs use to find new suppliers with expertise in various areas. It can be a powerful lead generating tool.

In addition, AS9100 certification improves process consistency and stability across the organization. This leads to increased productivity and accountability among employees. When you have well-defined and well-documented procedures for your employee base, it takes the guesswork out of job assignments.
And when things go wrong, this defined, consistent work assists with root cause analysis and reduces the time required to analyze the problem and resolve the issue.

How to Engage Employees for AS9100 Success
However, this doesn’t just happen automatically. Employees need training to ensure they are competent and capable of doing the assigned job, which also improves productivity and assists with accountability.

Top-down communication across all areas of the organization helps employees understand their role in the quality of your product. When they feel ownership and are able to control the process in their area of responsibility, they are more accountable.

Ensure Product Quality Pre-Launch of AS9100
AS9100 certification also can detect or prevent a major error or flaw in product development. Rev C, for example, provides a structured platform for product development and additional documentation and analysis for product design and project management.

Risk analysis and team evaluation measures data provided during validation/verification and testing of the product prior to product launch. This improves the probability of detecting and preventing major errors or flaws in the product. 

The better your employees understand their roles and the more structured your documentation is, the more likely your company is to save money or experience financial growth after becoming AS9100 certified.

Additional benefits may include:

  • Fewer customer product returns
  • Reduced waste and rework
  • Improved delivery time
  • Fewer instances of “fire fighting” in the manufacturing process
  • Increased business with current customers
  • Ability to appeal to new customers via referrals and your company’s reputation of quality products and services.

A key aspect of an effective and acceptable response to a Corrective Action Request (CAR) in a Quality Management System is the identification and statement of “Cause.”  A CAR is a procedure used in response to a nonconforming product, service or process.

The expectation from ISO guidelines is that the organization will investigate and resolve the process in their quality management system that:

  • did not exist,
  • failed, or 
  • was weak to the point of allowing the identified problem to occur.

Often organizations identify “Cause” by restating what happened, rather than a statement of cause.  For example, a CAR was issued for active gages exceeding their calibration due date. The company’s response for “Cause” was:  “Quality Technician missed these gages when he/she did last month’s calibrations.” 

While this certainly is what happened, it does not address which process within the quality management system failed or why it failed. An acceptable response may be: “The organization did not provide adequate resources such as an effective data-based gage recall system. Instead, the organization relied upon a manual data review each month. Thus, it was possible that gages could be overlooked.”

The next step is to define effective short- and long-term corrective action.  Related to the example above, here are some possible corrective actions:

  • Short-term:  Each month, the quality technician will meet with the quality manager and review next month’s gage calibration schedule as it now exists.  Once approved, the schedule will be broken down by production department.  Each sub-part of the schedule will be provided to the affected production supervisor.  Each production supervisor, in turn, will provide the list to the affected operators, the intent being to identify any gages that have not been listed or are missing.  Once the review is complete, the production supervisor will sign the list and return it to the quality technician.  The quality technician will update the list and execute the monthly calibrations.
  • Long-term:  The organization will investigate currently available gage calibration software.  A selection will be made within the next two months; the selected system will be implemented within the next four months following delivery of the new system.  Three months following implementation, a special internal audit will be executed to assess the effectiveness of the new gage calibration process.

Generally speaking, “human error” is not an acceptable response. While there are cases where the person did not do what was required, these events need to be the exception, not the rule. Companies benefit from an in-depth Cause analysis and process changes that prevent these failures from happening in the future, as well as a process for measuring the ongoing success of the new procedures.


Representatives from Smithers Quality Assessments will be on hand to answer questions and provide insight into the transition to AS9100 Rev. C in a free March 8 Workshop sponsored by Purdue Manufacturing Extension Partnership.

Click here for more information.

Through a mixture of presentations and discussions, participants will:

  • Discover that as of July 1, 2011 ALL AS9100 audits will be to the new standard
  • Learn the differences between AS9100 Rev. B and Rev. C
  • Experience what an AS9100 Rev. C audit looks like from a registrar’s perspective


As an auditor for the ISO 13485:2003 standard for the design, manufacturing and distribution of Medical Devices, I can attest to the benefits of preparing for and documenting audit information in detail. Through the implementation of ISO 13485, companies increase the probability of making safe and effective medical devices, meeting regulatory requirements, and ultimately meeting customer expectations. Many times a client may not realize that a comprehensive internal audit needs to be conducted before a registrar like Smithers can perform an official audit.

An internal audit involves a management review and the use of workbooks and materials to build an internal audit schedule. Each of the identified processes should also contain associated objectives.

Detailed documentation of objective evidence during an internal audit also is helpful. For example, if you are reviewing a medical device Purchase Order, record the specific Order Number.

View the steps to ISO 13485:2003 certification here. If these basics were followed, most of our noncompliance findings could be avoided. In addition, the FDA website offers detailed information to help with a 13485:2003 audit such as:
- How to determine the class of a device and what type of controls must be in place.
- Past problems others encountered with the device (if not new) and how they were addressed.
- Requirements for everything from pest control to record storage.


As organizations enter compliance with AS9100 C, there are many steps you can take to streamline the internal audit and certification process. These include defining your process so it encompasses all business areas; understanding the roles and responsibilities of your management team in the certification process; and viewing the internal auditing process as a business asset, not a function, and staffing it appropriately.

A clear and effective development plan for the life of your Quality Management System (QMS) ensures effective implementation, maintenance and continued growth of your QMS. Having a plan ahead of time versus inventing it as you go is much easier on all parties involved.

Don’t limit your definition of “internal processes” to manufacturing processes only. Think of them as business processes that make up the key matrix, performance and importance to your internal and external customers. This will help you make clear improvements to your business as a whole, not just your QMS. It also provides an opportunity for total commitment and belief by levels throughout the organization that the quality management system can provide value and not something less.

Pre-certification training before you enter a Stage 1 audit for ISO 9001/AS9100, for example, can be very helpful. All management personnel ought to undergo comprehensive, fundamental training or consulting, such as a session by a third party, on the requirements and possibly the roles and responsibilities management has in adhering to and improving a QMS. Consider identifying the QMS as a Business Management System instead and embed this term throughout your organization!

Here’s a story to illustrate the importance of preparedness for your QMS. While performing an ISO 9001 recertification audit that didn’t get off to a good start, the management team asked if “they could pick the sample to audit, or provide product and data from two to three years ago as the sample to review during the audit, because back then, we were much better.” While this was a creative request, it certainly didn’t follow protocol. Had they performed an internal audit prior to the certification audit, they could have identified the non-conformances and fixed the processes.  Several months later, this organization still has a suspended certification!