Case Study: Implementing an advanced global auditing program at GKN Driveline a Tier-1 supplier
Internal Quality Audit Best Practices based on the ISO 9001: 2015
JONATHAN: Good morning everyone and welcome to Nimonik’s Quality Webinar series. Very happy and safe Halloween to all of you. This webinar this morning is going to discuss the new automotive quality management standard 16949:2016, which is heavily based on 9001:2015, and we’re trying to bring together experts in the automotive industry and a collaborator of ours, Michael Wolfe from the McDae group, to discuss how the standard can be implemented and some of the challenges that we’ve seen across the industry. So, just a very brief introduction about Nimonik. Nimonik offers software solutions to help companies audit out in the field, and really, what we try to also provide is a lot of industry information analysis, audit protocols, checklists, and insights from experts around the world such as Michael. We’re gonna be providing some PDF’s, which are mostly blog posts and articles that Michael has written about the standard. You can download those in the handout section on the right-hand side of the GoToMeeting. There’s also a case study in there from a project we did with GKN Driveline, a Tier 1 auto supplier that provides drivelines around the world. So, feel free to download those handouts right now or throughout the presentation, they’re yours to keep and to distribute within your organizations, and over the last few months we have been publishing videos, shorter videos with Michael on different parts of this management standard, and those are all available on our website, on the blog, and you can certainly go and take a look at those. They’re usually two to three minutes long and you can share those as well within your organization. So, every three months we conduct a webinar on a hot topic, an industry topic, and this month – this quarter, I should say – we’re doing it on the IATF 16949 standard, so feel free to ask questions throughout the presentation. To ask your question, you’ll want to go into the chat window on the right-hand side of your go-to meeting, and you can just type a question in. Michael will see those questions throughout the presentation and depending on the question, he might address it during the presentation or keep it for the end. We’ll have a Q&A period where we can ask questions and you can dive into detail on specific topics. So, some other webinars that we’ve done, just so you know, include EHS trends in China where we work with a lot of automotive companies in China who are struggling to keep up with the regulatory changes over there, so if things in China interest you, feel free to reach out to us at Nimonik, we have a team over there in China. So, for today’s webinar on automotive quality management centres we’re working at the McDae group. The McDae group specializes in implementing quality management standards in a variety of industries, but especially the automotive industry, and Michael will dive into that in a little bit more detail, and again, Nimonik, at a very high level, what we offer is a software and a database of regulatory information, as well as industry standards such as IATF, and we help companies comply to regulations as well as to industry standards, and we worked a lot of the companies in the automotive industry. My name is Jonathan, I’m the president and founder of Nimonik, and I’m a newbie to the automotive industry. I’ve been driving in cars for many years, but I am only now learning the inner workings of the automotive industry through some really interesting projects we’ve done with automotive suppliers – Tier 1, Toer 2, as well as the OEM’s – and I’ve come to appreciate the complexity of the automotive industry at a whole other level than what I knew just a few years ago, but Michael here is the real expert. He’s our presenter today and he is a standards implementation consultant with the McDae group. He helps organizations in a variety of industries, but especially the automotive industry, implement quality management systems that are both audit- and user-friendly. So, that’s all I have for introductions. We have attendees from all over the world today, so good morning to some of you, good afternoon to others, good evening, and we’ll be sharing this presentation online afterwards, so you can distribute it within your networks on LinkedIn or within your organizations. I have a question here that says if our security blocked GoToWebinar, the attachments, we’ll be able to email as attachments, so we’ll send an e-mail out after the webinar with the handouts that we are providing as well as with the video of the presentation and the slides, you’ll get all that in e-mail later today or tomorrow. So, we’re gonna have a few polls throughout the presentation. We have, I believe, five polls, and these polls are just designed to get a bit of a sense who’s on the call, what some of your challenges are, and that way we can frame some of the presentation in that light. So, I’m gonna let Michael introduce himself in just a moment, but I’ll just read out the first two polls and that way you can start to think about them. The first poll is: have you read in the entirety the new IATF standard; and the second question that’ll come just after that one is: is your company that you work for or represent currently certified to the old version of the standard, the new version, the 2016 version, or are you not certified at all? So, those two polls get a sense of how familiar you are with the standard, and I’m gonna launch the first one and hand it over to Michael here for his presentation, and an introduction about himself.
MICHAEL: Thank you Jonathan. Again, I agree – good morning, good afternoon, good evening to wherever you are, and I appreciate everybody being willing to take a little bit of their valuable time to attend this webinar. I know your time is extremely valuable and we respect that, so I am going to move through the presentation slightly quickly because I would prefer to give as much possible information as I can in the time-frame I have been given. As Jonathan said, I am an implementation consultant at the McDae group, and there’s gonna be a slide near the end of the presentation about us, so I’ll save my introduction till that slide. I’ve been in the building, creating, and implementing quality management systems for about 15 years now. I’m probably well over three to four hundred quality management systems that I’ve created and implemented, so you’re in good hands, we’re going to have a good time, I’m going to try and keep it interesting, I’m gonna try and keep it enjoyable. As Jonathan said, there’s some polls going on the right side, if you wanna just jump on those, it gives us a chance to see who our audience is and it helps me guide the information a little bit more closely in line with what people need. So, Jonathan, the second one, I see that, got it, okay. So, here we go! Just a little bit first about the webinar objectives quickly. This webinar is going to provide a simple, high-level overview of the standard. Obviously, given 40 minutes to do a webinar on IATF would be impossible to give specific details of the standard, what’s in the standard and how to apply it to your organization, but I am going to give you a high overview. It’s going to briefly explain the foundation for an effective quality management system for IATF. Obviously, we can’t give implementation advice in 40 minutes, so what I’ve at least tried to do is categorize the foundations and give a little bit of tips and tricks and advice on the foundation of a quality management system, and I want to give you some tips for implementing and improving the effectiveness of the system. I’ve been on both sides of the industry, I have built systems and run systems in my own companies that have been audited, and I have been an auditor, so I understand the delicate balance of making sure your company is profitable and productive, but also satisfying what auditors are looking for, so I’m going to give some tips on how to do that throughout the presentation. First, let’s take a 10-minute tour through the standard. The first two slides are going to have a lot of words. I’m not going to read them to you and I’m gonna give you a chance to kind of peruse them as I talk through them, but the first two slides are just the idea of what is IATF, where did it come from. The first is the International Automotive Action Force is the organization that has created this IATF standard as the organization that manages the IATF standard and it includes members of a lot of the largest OAM and vehicle manufacturers in the world. The reason I like to at least put this slide here is to show you that if you go to IATFglobaloversight.org, there is a lot of free information on the IATF standard, so you can kind of see that – IATFglobaloversight.org. The next thing is, IATF, like Jonathan already referred to, has been built off of the new ISO 9001:2015 standard. In my professional opinion and experience, I think that was an excellent move, I think it was the right thing to do, and we are seeing the benefits of that. So again, if you’d like some more free information about the foundation of the IATF system, you can go to www.iso.org, but I think it was a good move. We’re very excited that they collaborated and there’s some free information available for you there as well. Okay, so let’s actually look at the philosophy of the IATF standard. The philosophy is based upon our ISO 9001 and basically if you think of IATF as a book with ten chapters, only chapters four through ten include requirements and are auditable, so we’re only going to focus on those chapters. But in a sense, chapter four, the organization and its context, is the input to your quality management system. In the old standard customer requirements was the only input. If you knew what your customers wanted you gave them what they wanted, you were in conformance into IATF, that’s what IATF cared about – do you know what your customers want and are you giving them what they want and are they satisfied? So now, with the collaboration with ISO 9001:2015, now we have this whole idea of issues and interested parties and strategic business direction, business risks, things of that nature, so that’s been added to the standard. The another really huge change from TS to IATF is the leadership section – under TS 16949 the leadership section was one of the exterior circles, and so they had one little piece of the quality management system. If you notice now, leadership is in the middle of the system, top management is now expected to participate in every aspect of the quality management system and to be engaged, there are a lot of things that they were allowed to delegate in the old standard that they are no longer allowed to delegate. Chapter six is the planning or the risk management chapter, and that’s talking about quality objectives, talking about your actions to address risks and opportunities with your interested parties and your issues, and so there’s a lot of risk-based thinking involved with chapter six. Chapter seven and eight is the resource section and the doing section, the operational section. This is your production, your inspection, this is all of the things that are involved in product realization and RFQ review, order review, design and development, manufacturing feasibility, production, inspection, all of those things needed from everything from understanding what your customers need and delivering the final product. Chapter is the performance evaluation chapter. This is talking about things like monitoring and measuring more KPI’s that we used to have to monitor and measure in the TS standard. This is the section without internal auditing management review, which has been really made more robust, and I’m going to talk some specifics about these later on in the slides, this is just again the high-level philosophy of the standard, and then chapter ten is the improvement chapter – corrective action, problem-solving, error proofing things of that nature, and the basic concept is this: based off a Deming cycle, and this isn’t new to anybody, but the basic concept is you understand your issues, your interested parties, and your customers’ needs once, and requirements, you make a plan, you resource the plan, you execute the plan, you evaluate the plan. If it worked, you pat yourself on the back and do it again. If it didn’t work, you make changes and try it again, and if you consistently follow that cycle, the natural outcome will be satisfied customers, great products and services, and a healthy quality management system. So, let’s talk about how this works in the real world, in everyday life. That first chart is what ISO and IATF present – this is more of a real world view – for a philosophy of an effective quality management system for IATF. It starts with an organization identifying relevant issues, issues that could help or hurt your business. Not product related issues, not on-time delivery related issues, not health and safety issues with employees. These are issues that could help or hurt the business, there are issues related to the strategic direction of a company and interested parties as well, so an organization identifies these issues that could help or hurt their company. They identify the interested parties and the requirements that those parties have that can help or hurt their company, and they create quality management system processes that umbrella the entire IATF standard and the entire company. Then we assign performance indicators to those processes with goals and targets, and that’s the way we’re going to make sure that our processes are working effectively, that’s going to be the mechanism that we use to understand how effective our processes are operating and where our processes are breaking down and what we need to do about them. Employees follow procedures and work instructions that support the operations of the processes and they generate records. Employee engagement and employee awareness has been put on steroids in the new standard, and employee engagement and employee awareness is one of the most critical aspects of an effective quality management system, and we’re going to talk a lot about that farther in the webinar. The next is the internal auditing is used to gather evidence, there’s a lot of criteria for internal auditing, we have a slide on that later in the webinar, this is just a high overview, but internal auditing is extremely important, hence the reason we have Nimonik here with us. We’re gonna talk a little bit about Nymonik’s system a little bit later, but just as an FYI, I use Nymonik’s auditing app for all of the audits that I do, for internal auditing and supplier audits that I do. And then, the last one is top management makes decisions based upon all of the data at management reviews. So that’s the way it works, very high-level, 50 thousand feet view of how a philosophy of a system fleshes itself out in an organization. Let’s look at the overall for a little bit. IATF 16949, it has ten chapters, if you think of it as a book with chapters, it makes a little bit more sense. It’s 160 auditable elements, so if you’re gonna do a full internal audit one-shot, you’re gonna have to look at 160 elements. It has 351 specific requirements, where we get that from is the word ‘’shall’’ when it appears in the IATF standard is translated into ‘’must’’, so if it says the organization shall do this or that, it’s really saying the organization must, which means that is a specific requirement. There’s also 42 required documents that are needed for an IATF 16949 system, and there’s 43 required records. It’s a high-level overview. Again, I’m not gonna read all of these in the bulleted list and obviously, you can see there’s not 42 bullets there, but as I’m talking about these documents and records that are required you can feel free to peruse the list with your eyes, and just kind of pick out a couple that you see there. So the biggest ones, obviously, are the quality manual, processes, procedures, and work instructions, that’s obviously the biggest piece of the quality management system, to IATF, but a couple specifics, the anti-bribery employee code of conduct, the ethics escalation policies, those are required to be documented somewhere, internal-external app scope, so a lot of these were already in the TS standard, but again, there’s been a few added here and there to the new IATF standard. The records that are required, some examples, again, your eyes can peruse this list, obviously, you can see there’s not 43 bullets there, but risk management activities are some new records that are required, so this is not necessarily the P FEMA’s and the D FEMAS’s, this is the actions to address risks and opportunities to the business, the issues, the interested parties, some of the more business risks that a company faces, not necessarily the product design and production risks. Employee confidence and training, there’s a lot more robustness that’s around and (inaudible 19:15) awareness, changes to production methods, there’s some new records that are required there, so again, feel free to peruse the list with your eyes. Obviously, it’s not the exhaustive list of all the requirements, all the records that are required, but basically, in the end of the day there is 43 records required for an IATF 16949 quality management system. Some examples of some key performance indicators – again, KPI’s were a large part of the TS standards, so KPI’s in and of themselves are not new – but one of the differences is they want to see KPI’s now for all of the processes, not just production, quality, and product-related things. They would like to see some KPI’s on business processes as well as production, quality and product-related processes. So again, feel free to peruse that list with your eyes. There’s not a specific number of KPI’s required by the IATF standard, so the sky’s the limit. Typically, I would recommend at least 25 to 30 KPI’s, but I’ve seen some companies go up to 40 and 50 KPI’s. So, that’s the ten-minute overview of the standard, the philosophy of the standard, I believe we have a poll question for the next section.
JONATHAN: Yep, so I’ll just share quickly the two polls we did right at the beginning of the presentation which was – have you read the new IATF standard? We had a – 59 % of people said yes, and 41 % of the attendees said they had not yet read the entire standard. That’s an interesting number. I maybe would’ve thought that more of us would have read the standard. I’ve read it, but it’s definitely worth going through, getting into those details. The second question was – is your company currently certified to the standard? – and 68% said yes and 32% said no. So, I’d be curious to know – for those who weren’t, who are not certified – why you’re not certified yet, if it’s something that’s in process or if it’s something that your company doesn’t feel it needs, so we can discuss that towards the end of the talk. The next poll that we have here is – is your company quality manual a copy-paste version of the standard or the alternative would be something that was more customized and tailored and built for your organization, taking into context your reality, so kind of curious to see how many of you copy-pasted the thing, and how many actually transformed it into something that’s very closely tied to your operations. And the third option there is that you don’t have a quality management manual, which is a little bit scary, but hopefully the people answering that maybe aren’t running the big auto suppliers or the big organizations. So, let me close this poll. The results – I’ll share the results right away – so we have 74 % saying it’s not a copy-paste, which is good news because we would certainly hope that people don’t just copy/paste, but 21% do have a more or less copy/paste version the standard and then 5% do not have a quality management. And then I think we have one for question – oh, sorry, no, I think that’s the question we had this portion of the talk, and I’ll kick it back over to Michael.
MICHAEL: Great, so I’m glad we did that poll question, actually that’s very encouraging to me, the 74 % of companies that have a customized quality manual. When I get involved in a lot of companies with my clients, I see that it is just a copy and pasted version, so that was a very encouraging poll number, so for you 74 % – great decision! For the 21 % I’m gonna talk through the pros and cons, and what I would encourage you to think about. So, the creating an effective quality management system starts basically with the quality manual. That is the foundation of a company, it’s your first impression to a customer because a lot of customers say – hey, send us your quality manual before we want to do business with you – so it’s a first impression of your company, your auditors are always looking at your quality manual, so it’s an opportunity to put your best foot forward. In my professional experience, I believe at a minimum these bulleted items should be in the quality manual. What I see a lot when I audit companies and when I go to help improve companies’ quality management systems, I see this idea of a copy and pasted standard where they take the standard they copy and paste it, and everywhere it says ‘’the organization shall’’, it says ‘’our company must’’, or ‘’our company does’’, or they even put their company’s name in it. So, for example, McDae does XYZ and basically they just say ‘’well this is what we do’’, but they don’t give any information, any quantifiable information on the why’s, the how’s, the who’s, the what’s, the where’s, and so it adds a lot of burden to a company, because the other problem is when you hire a new employee and you bring them in for orientation and you hand them a 65-page quality manual, usually when I do polls and I interview employees at those types of companies, basically 90 % of them admit to me they stop at page 5, they go to the last page, they sign that they read it, and they turn it back in, so it’s not adding a lot of value. So, the context of the organization, I believe, is important to have in the quality manual – who you are as a company, what value you add to the supply chain, where your company’s going, what direction you’re going, what makes you valuable, what makes you who you are, and why customers should use you. Corporate responsibility is required to be documented, so I encourage my clients to put that in the quality manual, simply because why manage two separate documents when you can put them in one? I encourage companies to put their quality policy and a quality objectives table in their manual. Here’s what I mean by a table. Anytime the standard has a bulleted list of generic requirements, I encourage my clients to create a table that they can embed directly in their quality manual, and each bulleted item has its own column. And so, what happens is, let’s just take communication, for example, the organization shall decide what they communicate, when they communicate it, who communicates it, how is communicated, and to whom it’s communicated. I put a column of information for each one of those bullets, and what it does is it makes your system both user-friendly and audit-friendly. It avoids a 45-minute conversation with an auditor because an auditor can look at the quality manual, can see the table, and can see that you adequately gave him information on how you can (inaudible 26:37) each one of those items in the bulleted list, so that’s what I mean by quality objectives table, because there are five bulleted items that are now in the new quality objective section in the new IATF standard. A roles and responsibilities table, that includes the personnel who have start/stop authority, that includes management representative, that includes all of the – there’s a large amount of bulleted lists in section five of the standard, 5.1, 5.3 of the standard, and I translate that information into a roles and responsibilities table. I think the most valuable piece of information that I encourage my clients to input into their quality manual is that QMS to IATF bridge table. What that means is it’s a table with two columns. The far left side column has every element number in the standard. Some companies actually put the name of the element as well, but I just put the number. And then on the right side it’s your process or your procedure or whatever documented information you have that addresses that specific element and the reason I like it is twofold. One, if you’re missing information in the right column, then you have a gap in your system, and so if the right column is completely filled with some type of documented information – a process, a procedure, a form, a record – then you know you’ve adequately addressed the entire standard. The second thing it does is it’s a quick reference point to an auditor, either an internal auditor or an external auditor. ‘’Hey, I need to audit Section 6.1.1, what should I look for?’’ Well, they go to this table, look at 6.1.1, and they see actions to address the risks and opportunities procedure. Now they know I can go right to the actions to address risks and opportunities procedure to audit 6.1.1. The other thing I like to do is the standard now requires that you document in your system, where specifically in your system your company addresses customer specific requirements. So I add a third column in that table, and so, for example, your customer XYZ motor company says you have to do something special with calibration and that document is called XYZ calibration one, then in your bridge table you would put YXC Calibration/1 in the 184.108.40.206 section of the bridge. So, it’s a way to accomplish multiple requirements, to address multiple requirements in one shot. What I try to recommend to my clients is if there’s one tool that we can use to satisfy four requirements of the standard, let’s use that one tool rather than managing four separate tools for those four separate requirements, and the QMS – IATF bridge table is a very effective way to satisfy three or four requirements in one tool, and then…
JONATHAN: Sorry, one question – sorry to cut you off there, but we’re just asking – do you have a- do you think you’ll be able to send out afterwards an example of this bridge table?
MICHAEL: I might possibly be able to. I’d have to get permission from the McDae group first, to see if they’d be okay with that, but yeah, thanks for jumping in, because, just so you know, I don’t see the chats or the questions. So by all means, feel free to jump in anytime like you just did, that was helpful.
JONATHAN: Well, we’ll try and let’s see, we’ll work with Michael to see if we can send at least a sample of this bridge table later to the attendees, who I think it would be something that would be quite helpful for them to see.
MICHAEL: Great. So then, basically, the communication analysis, the evaluation table. Now, you can put more in this isn’t a requirement of – well, this is all you’re allowed to have in your quality manual – this is just the foundation, in my opinion and professional experience of what I think is an effective content of a quality manual. Typically speaking, the quality manual is about maybe 16-17 pages long. You know, if your quality manual gets to be 30-40-50 pages long, it’s going to be burdensome for the people who are reading it. So that’s the quality manual. So, let’s go to the quality policy, the effective quality policy. So policy is a hot-button topic for me, I actually picked a fight on LinkedIn last night, two nights ago about it because people tend to think the quality policy is a waste of resources and is a burden, and they wish that IATF wouldn’t require a quality policy, and so my defence for that – because I think the quality policy is one of the most important parts of a system, that’s why it’s second to the quality manual. A lot of times what I see in my clients is the quality policy is a fluffy, feel-good, slickly worded poster that gets hung up somewhere in the building when you originally get certified, and it’s never to be looked at or discussed or talked about again, and when the auditor comes in and says ‘’does your company have a quality policy?’’ everybody has been mindlessly trained to just point to the poster and say ‘’it’s up there, go look at it if you’d like to’’. In my opinion, that’s very sad. An effective quality policy should be wrapped up with the strategic direction of the organization – this is who we are, this is what value we add, this is where we’re going, this is what it’s all about. It’s a driving force of an organization, it can be used as a filter when making business decisions and critical decisions, it should be a rallying point for employee engagement, it’s an elevator pitch for new business, it’s a picture of the organization’s culture. And so, it’s very important to take a look at your organization’s quality policy and ask yourself this question – is this just a slickly-worded phrase that is posted somewhere so an auditor can get off our back, or is this quality policy driving the culture of our company, who we are, where we’re going and what it takes to get there, is the quality objectives? So I really encourage my clients to really think about their quality policy. Interesting titbit about IATF – this is the first time that any standard has actually done this. They’ve actually encouraged the annual review and revision of a quality policy, not just ‘’let’s look at it for 10 seconds in management review, yep, we read the quality policy, we’re all happy!’’ Because the quality policy should be evolving with the organization, as the organization grows and changes and morphs, as the market conditions change, the client base changes and the customers change, your quality policy should be reflecting that changing in the evolution of the organization. A great quality policy must include the ability to set quality objectives, and a lot of times, when I come into a company, they have a very weak quality policy that’s just satisfying the requirements for an auditor, and they have these four generic quality objectives – ‘’yeah, we want to maintain 90 % on-time delivery, 90 % product quality, 90 % customer satisfaction’’ – and they’ve actually never changed their quality objectives in years, but effective quality objectives are company-wide, not department-specific, and they’re also business-related, not just product related. You have to have some product-related objectives, I get that, and you have to have on-time delivery objectives, I get that as well, but it would be so much more valuable to an organization to have business quality objectives, not just product and on-time delivery and customer satisfaction quality objectives. They need to be time-stamped, because now IATF is requiring these to be re-evaluated every year, and they need to be measurable with specific goals. Typically speaking, I encourage somewhere between 8 and 10 quality objectives, I’ve seen six and I’ve seen them well done, so maybe I could say between six and eight, maybe between eight and ten, but somewhere in that range, and these are also not your process KPI’s. That’s being managed separately under 4.4.1 and 9.1.3, so this is quality objectives, not process KPI’s. Process KPI’s obviously need to be measured and evaluated, but they’re separate from quality objectives. Processes – I think one of the best things that IATF and ISO got right, ISO 9001 technically was the one who got it right. This is the first standard where they finally separated processes and procedures, and we’re going to talk about this for a little bit because this is extremely important. In the past, all the standards said processes and procedures are basically the same thing, they’re interchangeable – process, procedure, toe-may-toe, toe-mah-toe, potato, po-tah-to, wah-ter, woh-ter – it’s the same thing, it’s just a different word it’s just phrased differently. For example, I’ve seen companies who have a calibration procedure and then half an inch below the title Calibration Procedure, it says Process Owner. So is it a procedure or a process? It didn’t matter in the old standard if it was a procedure process, they were interchangeable. ISO 9001/2015 finally nailed it and got it right – a process and a procedure are two completely different things, and here’s why it’s critical that we get this right. In the new standard and 4.4.1 there are eight specific rules that must be applied to everything that your company calls a process, so if you tell me you have 36 processes I need to see how you applied all eight rules to all 36 of those processes, and it will overwhelm you. It will be bloated, it will be very, very overwhelming. So it’s very important that we get it right, that we limit the amount of processes we have, and we make sure that those rules can be adequately and effectively applied to them. So an effective process describes what the company does, not how it does, but what it does. They transform planned inputs into outputs; they have KPI’s with goals to monitor their effectiveness; they have to adequately address all the applicable IATF requirements; they have to adequately address all the company’s activities, departments; they have to – in my opinion, they don’t have to be documented on a turtle diagram – but in my opinion, a turtle diagram is the most effective way to address in-document processes; and they have to point to the procedures that support them. So 4.4.1 in the new standard says you have to pick the processes and you have to apply all eight of these rules to every process. In 4.4.2 it says: the organization shall maintain documented information that supports the operation of its processes – that is where the procedures come into play. So this is a cultural shift for many companies. The old standard had – Level 1 was your quality manual, Level 2 was your processes/procedures, Level 3 was your forms and work instructions, Level 4 was your records, that has now been shifted. Level 1 is now your processes, Level 2 are your procedures, Level 3 are your forms and work instructions, and Level 4 are the records. So let’s talk about procedures.
JONATHAN: So, Michael, just before we jump to that, I think we have a poll on the processes, just to get a sense of what people are doing right now. So let me launch that one, and the poll is – are the company’s processes documented using turtle diagrams, are your company’s processes documented using turtle diagrams? Michael said you don’t have to use turtle diagrams, but they can be quite helpful, so we’re curious to know how many of you are using those. Let me just give it three more seconds, I’m gonna close the poll, and I will share that result just so folks can see… So, about half – that’s interesting! – about half of the attendees are using turtle diagrams, and then some are anonymously admitting that they don’t have any processes yet, so we won’t hold them to that. Alright, let me kick it back over to Michael, and then we’ll have one more poll once we’re finished with the procedures section.
MICHAEL: Excellent, so here are some examples of suggested processes. You do not have to word them this way, you do not have to combine some of them you do not have to, you know, this is just some examples to get you thinking. I’m not going to read the list to you so you can kind of peruse that list on your own, but there are a few places where the standard says ‘’the organization shall’’, so in other words, your company must have a documented process in this area. Every one of those phrases is represented in one of these examples, so if you use these examples as your processes, you would adequately address the few areas where the standard says ‘’the organization shall document a process on XYZ’’. So again, you can peruse that list there a little bit. This is where I get the idea from, that a good, strong IATF system, a healthy IATF system should have somewhere around ten processes. Now, if you have four or five it’s not going to be quite strong and robust enough. If you have 15 to 20, you’re beginning to add burden to your system and beginning to bloat your system. So let’s talk about, here’s an example of a turtle, and if you look at this particular turtle that I’ve created, it’s different than the ones that you would see on Google if you would google ‘’turtle diagram’’ or ‘’ turtle tool’’. Typically speaking, in the turtle diagrams or turtle tools you’ll see on the internet, the top left box says ‘’what’’, the top right box says ‘’who’’, the top bottom box says ‘’how’’, and the bottom right box says something else, but what I’ve done is I’ve created a turtle tool that adequately addresses six of the eight requirements – I’m sorry – five, five of the eight requirements at 4.4.1. So, for example, 4.4.1 says: you have to determine the risks and opportunities associated with the process, that’s in the top right box. You have to identify the responsibility and authority for the process, that’s in the top right box. You have to determine the KPI’s, that’s in the bottom right box etc. etc. The inputs and outputs are on the left and right, the middle box adequately addresses the requirement in 4.4.2: the organization must maintain documented information supporting the operation of its processes. So, in that middle box are the Level 2 procedures that support the operation of this specific process. The name of the process and all of the revision history is cut off on the picture – I apologize for that – but this is an outsource control process and that’s why you have supplier selection and approval, procedure purchasing, perceiver receiving verification, procedure etc. etc. So let’s talk procedures. Effective procedures describe who does what and when it’s done, if there is how-to specific, how-to information it does not belong in the procedure, that belongs in a work instruction. One of the biggest weaknesses I see in a lot of the clients that I get involved with is their procedures are 10-page, paragraph-based documents. I was at a company two weeks ago helping them upgrade to the new IATF standard – their calibration procedure was 16 pages long and it was filled with contradictions, it was filled with, it was just a mess because it had the why’s, it had the who’s, it had the how’s, it had everything all wrapped up in one, and the company was not doing well in the area of calibration. So an effective procedure describes who does what and when it’s done, not how it’s done, and then identifies a series of actions taken to complete something, it supports the operation of the specific process, and it highlights all these things. So my opinion and professional experience: flowcharts are the best way to document a procedure. So Jonathan, if you want to throw that second one up, I believe we’re gonna ask that question as well.
JONATHAN: Yep, so are your company’s procedures in the format of a flowchart, some paragraphs, text basically, or do you not have procedures implemented yet? So, kind of curious. I agree with Michael that flowcharts can be a lot easier to communicate, especially to new staff and staff who haven’t been working in the industry, or on a specific portion of the operation for many years, so flowcharts. Being visual often helps communication. Alright, let me close this poll and share the results. So we have about half again, so 46 % are using flowcharts, 54 % have text or paragraphs, and then some do not – sorry – nobody doesn’t have procedures yet, so that’s a good sign, but only half are using flowcharts, that’s an interesting result.
MICHAEL: So, a couple of things that I would encourage the 50 % not using them yet. One of the biggest purposes of procedures is not actually for your company, ironically, and sometimes it’s counter-intuitive, and I raise a lot of eyebrows sometimes when I say this – procedures are actually more of a tool for an external auditor and a registrar auditor, a customer auditor, an internal auditor. To understand quickly and easily what your company does, who does what and when it’s done, and then a lot of times I’ll ask an employee during an interview, during an audit, I’ll say, when’s the last time you looked at your procedure? And they say, well, about three and a half years ago when I got hired, and the reason for that is the procedure doesn’t have any how-to information in it. So once you understand that a procedure is more fit for an auditor, it’s more of a tool for an auditor come in and quickly and easily identify what your company’s doing, and it gives them a direction to go for auditing, what to look for, who to ask. It makes more sense to bring it over to a flowchart. Paragraph-based procedures are risky because usually if you read them from start to finish, there’s contradictions in there, and usually there’s a lot of pointing to other things in there. When you go look at those other things, it doesn’t quite jive together; and when you have paragraph-based flowcharts, and you hire new employees and say ‘’hey, read this 8-page document because this is your procedure’’, it’s very, very hard, it’s not very user-friendly. So paragraph-based little bit of risk and bloat to a system. Flowchart-based procedures make it more user-friendly and more audit-friendly. So as I’ve been talking, hopefully your eyes have been perusing that screen. Again these are not an all-encompassing list, these don’t have to be named this, obviously there’s not enough room on the screen to have them all listed. Typically speaking, a healthy IATF quality management system has around 30 procedures, in my professional opinion and my professional experience. I’ve seen somewhere around 30 procedures be a healthy point for procedures. Work instructions, that’s a different story, you can have hundreds, but procedures, Level 2 procedures, typically somewhere between 25 and 35 is a healthy level. Here’s again just an example, this is an example that I got permission from a company to share – configuration management procedure and internal audit procedure, and you can basically see what the flowchart looks like. I’m not going to read the content of it and I apologize that it’s a little bit fuzzy and hard to read because the content isn’t what I was hoping to show you, it was the concept to see how easy and how quickly it is to see who does what and when it’s done when you pull out a one- or two-paged flowchart. So now let’s move to implementing and improving the quality management system. Employee engagement, in my opinion, is the third most important part of a system. The most effective quality management systems have a strong internal audit program, a robust management review, and engaged employees. So again, this comes from experience of both owning and running certified companies and implementing on behalf of clients and auditing. So, getting employee input in determining the issues and interested parties in 4.1 and 4.2 is a very helpful way because if you wanna know if the company’s got issues, I can tell you right now, you ask the employees, they’re gonna be able to tell you very quickly – ‘’oh yeah, we got issues, and here they are’’. So top management shouldn’t get into a room in a bubble and in a vacuum, decide what the company’s issues are, they should allow the employees to have some input in that, because it will give employee engagement and employee buy-in. Centering the culture around quality policy, I’ve already shared enough about that, and the quality objectives, having a strong internal audit training program. Training is a weakness of a lot of companies that I go into for help. I see quarterly quality staff management meetings, things of that nature. Communication is extremely important for a strong, healthy system, and a lot of companies struggle with communication. Management mentoring program, professional development programs, public performance dashboards, posting all your KPI’s in a public place for people to be able to see on a consistent basis, things of that nature, semi-annual QMS staff meetings. I have one client who has an annual QMS awards luncheon. It is one of the strongest quality management systems I have ever seen in 15 years of auditing, and when I went around the company to find out why it was so strong, it was, they had an annual QMS awards luncheon that all the employees always looked forward to and they had the ability to participate in. So again, whatever it takes for your organization, find creative ways to get the employees to buy in. The more employees engage in a system, the stronger the system; the more valued the employees feel, the more they’re gonna buy in, the more value they’re gonna add, the more valuable they’re gonna be. It’s a cyclical, reciprocal process. Show the employees that the organization cares, bring them into the fold, the system, make them aware, help them know what’s going on, encourage them to know what’s going on, and your system will become stronger. Internal audits – implementing an effective internal audit program. First you would need to have comprehensive internal auditor training or you would need to outsource your internal audits, and the internal auditor confidence is a new part of the standard that has been causing a lot of stress in the industry, and that’s probably the area where I’ve gotten the most questions from. Your internal auditors do not have to be certified auditors by a SAI or by some type of an accredited agency. You do not have to have the same credentials as a registrar auditor, I just want to put that out there, I want to put that to death, that rumour is not true. Do they have to be trained? Absolutely, they have to be trained. Are their records needed for that training? Absolutely, there’s records needed for that training. And is the training going to be looked at and is the competency going to be looked at for the trainer and the trainee by the auditor? Yes, it will, but you do not have to have certified auditors in your company. The audit plan should be discussed and approved at management review. That is not a requirement of the IATF standard, but that is one thing that I encourage all my clients to do for two reasons. One, top management is involved in creating the audit plan, if it’s discussed in management review, and two, they can’t ever say, well, if we’d known we weren’t auditing this much, if the quality management system starts breaking down, they can’t pass the buck and they can’t blame it on, well, we didn’t know you were only auditing three times a year, if you had been auditing more, our system wouldn’t break down. So they can’t pass the buck and they can’t blame something else if they’re a part of approving and discussing audit plans, the annual audit plans. You have to identify all objectives, scopes, criteria, progressive is scheduled, QMS, full QMS, the standard requirement is your full system has to be audited every three years, in my opinion, I think that’s absolutely insane, and I encourage my clients to audit their entire quality management system every year. You’re not required to, but I think it would be insane not to. That’s just my opinion, though, it’s just opinion on seeing all the systems that I’ve seen over the years. Customer-specific requirement audits – some customers may say: hey, we need you to audit this, and we need you to audit this frequently – you must follow that. If your customer has more rules on auditing than the standard, you’re required to follow your customer’s rules. You have to do product audits and manufacturing process audits – same thing, manufacturing processes have to be audited, every manufacturing process has to be audited on a three-year cycle. So those are some titbits about internal audits, and we’ll talk a little bit more about how you can audit in a little bit. Management review, conducting an effective management review, I recommend one annual management review. Now, I get myself into some hot water every once in a while with some people who struggle with that. Here’s what I recommend doing. If you tell me your company has a management review, I am required to audit it, I’m required to see that you address the inputs, the outputs, the discussions, I gotta look at everything, I gotta dig through the records. So that’s why I don’t recommend having monthly or quarterly management reviews. What I do recommend is having monthly or quarterly QMS staff meetings and you can talk about everything that’s required to talk about in management reviews, you can talk about the inputs, the outputs, but I can’t audit you to it and I can’t look for the records of it because you didn’t call it a management review. We’re gonna talk about what the management review includes in a little bit. An effective management review is more of a presentation, discussion, decision-based meeting, that doesn’t change (inaudible 55:03), it’s basically – someone presents information to top management on all of the inputs, top management discusses the information that was presented to them, and collectively makes decisions based upon the discussion. One of the biggest differences between TS and the IATF version of management reviews is in TS you were allowed to look at snapshots. You were allowed to look at information from one period of time. Now you’re required to look at trends over a longer period of time. For example, if our customer satisfaction is at 95 % in 2014, we could pat ourselves on the back because our goal was 90 %, but in 2015 we were at 92 %, in 2016 we were at 91 %. In the old standard we were only required to look at the fact that, hey, in 2016 we were at 91%, we did a great job, but now we’re required to look at the overall long trend period, and we’re required to say, yeah, that’s great, we’re meeting our goal, but this is our third year of decline what’s going on? And so, the trends analysis has really become more valuable of a requirement than just looking at snapshots of information. There are 23 specific topics that are required to be included in management review, and there are three categories that are required to generate actions. Jonathan, do we have any questions for this section?
JONATHAN: We have a lot of questions for a number of the sections, and I know we’re already at 11 AM and we said we would end around now, so I just want to say what we’re gonna do is go through these questions, wanna make sure we address everybody’s questions, it’s a very complicated subject that’s affecting a lot of important companies. So Michael and I will stay here as long as necessary to answer all the questions. Many people probably have to l eave for meetings, what we’re gonna do is, we’re going to compile the questions and send out the responses by e-mail along with the slides, the video, and some additional resources. But just before some of you leave, just as a quick summary, Nimonik, we’re going to be doing a demonstration tomorrow of the internal auditing tool to do your internal audits around 16949, and certainly, if you have questions and concerns about your management system and would like help, Michael and everybody at the McDae group can offer a whole suite of services, they have years of industry experience, and they can really help you get ready for certification or for an audit or for implementing it for the first time. So, as a summary, that’s where we’re at. Michael, feel free to add anything about your group and the services that you offer, and then we can dive into some of these questions.
MICHAEL: Yeah, it was a great timeframe because technically we only had two slides left, Nimonik’s slide, which everyone has kind of already heard about, that Nimonik offers auditing software, which I personally use and love it. And yeah, the McDae group is here for you – www.mcdae.com – shoot me an e-mail, go to the website. But instead of doing a sales pitch here, I’d rather start shooting some of these questions out, Jonathan.
JONATHAN: Great, so we have a lot of questions, we might be here for a little while, Michael, but let’s see what we can get through. I’m gonna address these questions purely in order so that there’s no – and they were coming in throughout the presentation – so some of the questions will address earlier parts of the presentation. The first question – and I’ll let you address this, Michael – ISO 9001 does not address preventative and is replaced by risk-based thinking, as per 220.127.116.11, the standard requires preventative action to be addressed. There appears to be an anomaly. Please explain. So this question is from Kazi Rao and I believe that he’s looking for a – he or she, I apologize – is looking for clarification on preventative action and risk-based thinking, I’m not sure about that, Michael.
MICHAEL: So, a couple of things. ISO 9001 did take out a few things that some of the other industries – like the aerospace, the medical, the automotive industries – didn’t like that they took out. So ISO 9001 did take out the requirement for preventive action, and IATF said, well, we’re not okay with that, let’s put it back in, but they did put it back in slightly differently than it was in the old ISO standard. So in the old ISO standard corrective action was responding to a non-conformance. Preventive action was preventing the potential of a non-conformance. Now what they’ve done, they’ve said, okay, let’s pull it back in, ISO took it out, IATF, let’s pull it back in, but let’s morph it a little bit. What they’re looking for is companies to not necessarily predict non-conformances, but to predict issues that could hurt the company, to predict what interested parties have, what requirements they have that could hurt the company, and to take action to prevent those things. So for example, since automotive is one of the largest industries with unions, I want to use that as a tangible example because sometimes I don’t like to answer questions with information, I like to answer them with examples because it connects better with people. Let’s say that we know we have a union and we know the union contract is up in January. A preventive action to help mitigate the potential issues and bad things that could happen from the union strike would be to ramp up production six months before the contract is over, and to hold safety stock of parts, maybe hold two months’ worth of safety stock for parts. That way, if the unfortunate situation happens where there’s a strike, your company can continue to ship product to a customer and it does not negatively impact the customer. So you’ve identified a potential issue, a union strike, and you’ve addressed it with a preventive action to do that. So, that’s just 1 of 500 examples I could share, but that’s what they’re looking for is, you’re looking to identify things that could hurt your company, things that could hurt your customers, and you’re saying, now that we know this particular issue could hurt us or hurt our customers, what are we going to do to prevent it from happening?
JONATHAN: Great, I think that example really illustrates what this (inaudible 01:02:01) is trying to get at. The next question is from Deepak Dave and his question is can the interested parties be better understood by key stakeholders’ interests and expectations? So let me know what you think about that, I think he’s asking if the interested parties could be better understood as stakeholders’ interests and expectations.
MICHAEL: Yeah, stakeholders is a common word that I’m hearing, people translate interested parties into stakeholders. I’m not quite sure how to specifically answer the question, so what I’ll do is I’ll share a couple examples of some that a lot of people have not thought of yet, but I’ve thought of them for them. So for example, interested parties, what most companies are doing is they’re just checking the box by saying, our customers are interested parties, our employees are interested parties, and our suppliers are interested parties, and they’re checking the box and they’re moving on. They’re technically passing their audit by doing that, but it’s not adding value to the company. I know a small machine shop that unfortunately actually went out of business recently because they didn’t own their building. They’ve been in the building for 20 years, they renew their lease every five years. Came out to renew the lease again and they said, hey Mr Landlord, it’s time, we want to do another five years, and the landlord said, you know what, I got bad news for you, I’m actually going to be using the building for my son, he wants to start a business, he just graduated college, get out. Company went out of business, they went under, 23 people lost their jobs because they didn’t recognize that their landlord is an interested party, they didn’t recognize the requirements of the lease, they didn’t recognize the risk of the landlord saying no – they’ve been in this building 20 years, there’s no way that their landlord would say no to renewing, they never predicted that particular risk with that interested party. I’ve seen companies struggle where a regulatory agency changes a rule, and now the regulatory agency says, if you wanna have 55 gallon drums of this particular chemical in your building, you have to have four new fire escapes, and now they have to spend $65 thousand renovating their building, but they never thought of that because they didn’t look at that interested party. So interested parties are – this is how I would define it – any entity that could knock on your company’s front door and say, if you want to stay in business, you have to do this, and you would be forced to say, okay, we’re gonna do it. That’s an interested party.
JONATHAN: That’s a very interesting point. Alright, we’ve got a lot of questions, we’re gonna try and move through these. The next one is coming from Theodora Pedius and the question is: are all identified processes key or can we determine which are key after we have identified all the processes? What is ‘’key’’? I guess, how do you define which processes are key and which ones aren’t, and can you determine that after you’ve identified all the processes?
MICHAEL: So, 4.4.1 is the section in the standard that says the organization shall determine the processes needed for their quality management system. Unfortunately, IATF did force a few processes that you must have. In those areas it says the organization shall document a process for this, like design and development, for example. So what you do first is go through the standard and everywhere that the standard says – sorry, you must have a process for this – right there we automatically know, okay, those are some key processes, we have to have them, unfortunately, sorry. Then after you get those, you have to look at your company, how large is your company, is it multi-site, is it single-site, three shifts, one shift, 100 people, 500 people, how many departments do we have – and you have to identify to successfully, effectively run this company, and adequately address all the requirements of the standard. We feel that we need this process, this process, this process, and this process. The beauty of it is you get to pick. An auditor cannot come in and say, well, I think you should have that process and you don’t, that’s a non-conformance, and I don’t think that you should have this process because it doesn’t make sense to me, that’s a non-conformance. So as long as you’ve addressed all of the requirements that say you must have a documented process for this. Above and beyond that, it is completely your company’s decision.
JONATHAN: Right, that makes a lot of sense. So the next question I have here is also from Theodora, and the question is: require risk management activities, do we need a documented process for how we assess risk, or do we only need to show the results of the risk assessment?
MICHAEL: That is a fantastic question, excellent question! In my professional opinion and experience, I recommend companies to document risk management activities. Not all of them are required to be documented, so first, the answer is no, not all of your risk management activities are required to be processes or to be documented, but they are all required to be audited and they are required to be discussed at management review. The effectiveness of actions taken to address risks and opportunities is a required discussion point at management review. So if you’re not documenting them, then you’re at risk because your auditor’s gonna have to have a lot of conversations with you, and anytime you gotta talk to an auditor a lot, it gets ugly. And you’re gonna have trouble with your management reviews because people are gonna have to rely on their memory to evaluate what the company’s done with risks. So what I personally recommend is an actions to address risks and opportunities procedure and a Level 2 flowchart that addresses the requirements of 6.1.1 and 6.1.2, and it points to the use of a risk matrix to identify the risk and categorize the complexity or the level of the risk, and only take action on risks over a certain threshold, that’s what I recommend.
JONATHAN: Perfect, makes a lot of sense as well and allows people to focus on the high-risk activities and the things that really can impact our business. So there’s two questions that are quite similar, I’m gonna merge, them they’re questions from Patricia Phillips and Mitch Brinkham, and basically they’re both asking: is there a complete list of all the auditable elements, the specific requirements, the 42 documents and the 43 required records? So, do you, or do you know of somewhere where there’s a comprehensive list of all of those things that people can easily access and use?
MICHAEL: Yeah, typically if you would Google it, there’s a lot of people who have taken the time to make an Excel spreadsheet, for example, so to speak. I have personally not done that, mostly because I’ve been working with these standards for so many years it just becomes second nature to me, but I bet you if you’d Google it, you would probably find a document like that. The only hesitancy I would have with that is you’re trusting somebody else’s research, and there are a couple of fuzzy, grey areas in the standard that could be misinterpreted unintentionally, and so to take that document and then run with it and implement around it is a little dangerous and risky. One of the reasons I don’t provide that for my clients is a risk of allowing them a consultant to be a part of your system, his organizational knowledge. The consultant is the expert in the system, and then the consultant leaves because he/she doesn’t work for the company, the auditor comes in and can discern that the company doesn’t really know the standard well or their system well, and so I don’t create those specifically because I force my clients to actually dig into the standard, read it for themselves, and pull that information out for themselves because their system will be much more effective because of their level of knowledge, not because I’m knowledgeable.
JONATHAN: Yeah, I think definitely working a way through anything, whether it’s this quality manager system or something else. It helps you learn and really internalize the intent of the different requirements and the different parts of the standard.
MICHAEL: Let me follow that up real quick, though, with one more thought. If you do buy the electronic version, you can type in the find search box the word ‘’shall’’, and you can scroll through and see everywhere that the word ‘’shall’’ shows up and that’s where they get the 351 requirements from, and you can type in the word ‘’process’’ and do the same thing. So it’s not like you have to read it and hopefully you retain every… You can use the search feature if you buy the electronic version of the standard, so that’s a way you can kind of meet in the middle. Don’t read everything word-for-word and try to write it all down and memorize it, but at the same time don’t rely on somebody else’s research.
JONATHAN: Right. The next question, also from Theodora, and it’s about roles and responsibilities, so her question is: how are people documenting the roles and responsibilities, are they using an organizational chart list of responsibilities, using the job descriptions, what have you seen in the industry and what would you maybe recommend in terms of identifying those roles and responsibilities?
MICHAEL: Okay, so what I’ve seen in the industry is word charts, which I’m not a big fan of, I’ve seen job descriptions used, which I’m a fan of job descriptions for a different reason, but I don’t like to use them for roles, responsibilities and authorities in 5.1 and 5.3. I use job descriptions for 7.2. and 7.3. And I’ve seen people post things through workplace signage, but the one that I like the most and what I recommend and what I implement with my clients is that table in the quality manual, and on the left side of the table is the position, I don’t put names, I put positions because they’re (inaudible 01:12.56) turnover, and then the next column is the bulleted list of what they’re responsible for in authority, and I take that bulleted list right from the standard. That way there’s no misinterpretation of it, that way there’s no, I take the requirement of ‘’the organization shall define somebody to do YXZ’’. I put XYZ on the right side of the table, I put the position on the left side, so I recommend a table in the quality manual.
JONATHAN: Perfect. So, there was a request here for the shrine example, that bridge table, we’re gonna try and send a sample out after the talk, but there was a question just to kind of briefly mention the columns again that were in that bridge table, I think, that was quite an interesting subject and sounds like quite an interesting tool. So maybe, Michael, if you could just go through quickly, what were those columns in the bridge table that you were proposing that companies used?
MICHAEL: Okay, so the left-side column, the far left column is every element in the IATF standard, no 6.1.1, 6.1.2, 7.3, you know, every element in the standard is down the left-side, the left column. The middle column is the customer-specific requirements that, where and where they fall into the system, and then the right-side is your document and information that addresses it. So it’s either your process, your procedure, or a form work instruction, or a record, it’s on the right side.
JONATHAN: Perfect, that’s quite helpful. So another question here from Thomas Medivol is: for a multinational project or a large corporation, can the quality manual, quality policy and quality objectives be developed at the corporate level and be common to all sites? So if you’re a big company with lots of sites in multiple countries, can you have one quality manual, quality policy, and quality objectives developed at the corporate level?
MICHAEL: Yes, the answer to that question is yes. One of the other things that I specialize in is what we call on my side of the industry global quality management systems. Not global in a sense that they’re in different countries, although they can be, but global as in there’s multi sites, there’s multiple sites in different locations under one IATF certification and under one quality management system, and so the answer is yes, corporate-wide, you can have one quality manual cover all your sites, you can have one quality policy cover all your sites, and you can have quality objectives cover all your sites. Now, the quality objectives, the way that each site generates their data might be different, as long as the end result supports the quality objectives, so one site might generate data on a Pareto chart, the other site might generate data in an ERP system, the other site might generate the data through SPC, as long as the end result of the data supports the overall quality objective, but yes, you can have one policy, one set of objectives, one quality manual that covers all of the sites. I actually encourage that, and then if you want site-specific goals and targets, they would be covered under 9.1.1 and 9.1.3 in the standard, they wouldn’t be covered under quality objectives.
JONATHAN: Perfect. So another question here from George Hardy which is: what about showing risks within the turtle diagram? So let me know if that question is clear enough for you, Michael.
MICHAEL: Yeah, so what I do is the top-left box of the turtle diagram is the risks that are associated with that process. So you identify some high-level, and make it value-added. I mean, technically speaking, you could identify 100 risks I mean there’s risks everywhere, every time you breathe there’s a risk, so make it value-adding, you know, three or four major items that could be a legitimate risk to the process, and then what I would do is follow whatever procedure you use to address those risks. So in my example, what I try to do is I have a client doing actions to address risks and opportunities procedure, and so that procedure points to the use of a risk matrix, so you take the risk from the process turtle, you put it into the risk matrix, and that risk is evaluated against six or seven categories of impact, and a priority colour is determined green, no action required. Yellow, monitor the risk for a specified period of time. Red, take action to mitigate the risk and document what action you took. And so I put the risks on the top-left box of the turtle and then I flow them through a risk matrix.
JONATHAN: Perfect. While we’re on the subject of turtle diagram another question from Theodora here and the question is: so we cannot use a flow chart in the middle box of the turtle diagram, which I suppose Theodora’s question is: can you insert a flowchart within your turtle diagram when you’re dealing with the processes?
MICHAEL: No, I mean the technical answer is yes, there’s no requirement in the IATF standard of how a process needs to be documented or should be documented. My opinion, though, is I wouldn’t put a flowchart in the middle box of the turtle, I would just point to the Level 2 flowcharts, but by all means you have all the freedom in the world. If you find a different way to document, to point to the procedures, or to document the middle of that turtle diagram, the sky’s the limit. Whatever your creativity can imagine up is acceptable, as long as at the end of the day the process addresses 4.4.1 and 4.4.2 in the standard.
JONATHAN: Perfect, so I’ve another question that’s a bit similar to what we discussed earlier on about identifying the risks and the process, so, but maybe we’ll just repeat the question and answer it quickly to make sure that we don’t miss anybody’s question. The question is: do we have to have a process and show the activity that led to the final list of risks, or is just having that final list of risks acceptable under the standard?
MICHAEL: Yeah, correct, you don’t have to have a process that you’re, a documented process that you’re showing, to follow it, to find the risks, and technically speaking, depending on how you interpret standard, you know, you’re not even required to document your final list of risks, but it would be very unwise not to, and it would add a lot of burden to your system not to. So the way you identify risks is totally up to you and the sky’s the limit, use your creativity, use your imagination. You don’t have to tell me as an auditor how you identified the risks, but once you do identify them, it is really in your company’s best interest to throw them through some type of a risk matrix, and then that risk matrix becomes the documented information about the risks.
JONATHAN: Perfect, so another question here from Gunaz Mardanova, and the question is: what’s the difference between a process description and a procedure, could you please provide an example? So I think they’re just looking to get a little bit more clarity on what’s the difference between process description.
MICHAEL: Right. So, a process is what your company does, so for example, let’s say we have a product realization process. The turtle diagram tells us what the risks are with product realization, the inputs are a customer orders’ apart, the output is the delivery of that completed part to the customer in conformance to the requirements, so the input is a customer order, the output is a delivered part. The middle box, the procedures that you need to take the customers’ order and deliver the part is, you need an order review procedure so you can review the order correctly, you need a purchasing procedure so you can buy the raw materials, you need a receiving inspection procedure so you can inspect the raw materials when they come in, you need a machining procedure so you can machine the product with the raw material, you need an inspection procedure so you can inspect the product after it’s been machined, and you need a shipping procedure to ship the product to the customer. So the product realization process takes the input of a customer’s order, an output is the delivery of the part to the customer, But there’s no possible way that one process could adequately tell us who does what and when they do it to get from order to delivery, and so in the middle of that process, we have all those procedures – order review, purchasing, receiving production, inspection, shipping etc., and so the procedures tell us how we actually accomplish taking the order and delivering a part, who does what and when they do it is in the procedure.
JONATHAN: Great, so while we’re on the subject of processes, one question here from coming from Kazi Rao is: what – in your opinion – is the best documentation method for a process?
MICHAEL: So the turtle tool, in my opinion, my professional experience shows that a turtle tool is the most effective way to document a process. Some people use Cypox, but the Cypox only addressed two or three of the rules, where a turtle addresses five of the rules, but some people use a Cypox, I prefer a turtle.
JONATHAN: Great, so I have a question from Patricia, I think we answered it, but the question was: do you have an example of a flowchart procedure that you can share with us? I believe you put a couple of those up on the slides earlier.
MICHAEL: Yeah, there you go.
JONATHAN: So we’ll be sending out these slides after the presentation, so you’ll be able to get a closer look at this procedure, which is admittedly a little bit difficult to read on the screen, but that would be an example of a flowchart procedure.
MICHAEL: Yep, correct.
JONATHAN: Alright, great. We have a question here from Erin Hamm who’s asking: internal auditor training must show technical competency of the area they are auditing, how do you show this, how do you show that an internal auditor has the technical competency for the area that they’re auditing?
MICHAEL: Okay, so let’s unpack that a little bit. First, what I would recommend first is some type of internal auditor training from a company that actually audits. A lot of times you’ll get internal auditor training if you go to the big names in the industry because people tend to think brand name means something, and so they go to these large organizations that provide these trainings at hotels all across the world, but a lot of times those organizations haven’t, they don’t really audit, they’re not auditing organizations they’re informational training organizations. So my first recommendation is to get auditor training from people who actually audit, and since we’re here as a plug, McDae offers internal auditor training and we audit. Secondly, what you would want to do is make sure that there’s a training provider who also provides an aptitude quiz or an aptitude test along with that, because the answers to that aptitude test is going to be part of the record that shows you have the confidence to do auditing for the actual technical knowledge needed for the specific question. I like to use a resume, if you are going to select internal auditors for your company and have those auditors trained, if they already have a resume, that needs to become a part of the audit, the training record. If they do not have a resume or if their resume was not written well enough to show technical confidence in their area, help them write a new resume, and the point of that resume would be a record of confidence in that technical area. So the external training record along with the resume of confidence would be together what you would use to show a registrar auditor – this person has the ability to be an internal auditor for this area.
JONATHAN: Perfect, makes a lot of sense, again, documentation, documentation, documentation is key here. So a question coming from Randy Paul and the question is: process-efficiency concept is not new to the automotive standards, but is now a separate item in management review could you provide some examples of efficiency metrics for items such as sales HR information systems?
MICHAEL: Okay, great question, so I’ll do a couple. I recommend a management commitment and planning process. It’s not a required process in the IATF standard, and it covers Section 5 and Section 9 of the standard. And so how do you know this management commitment planning process is effective? Well first what you would need to do is you need to identify what procedures are involved, so in the management commitment and planning process, I involve management review procedure actions to address risks and opportunities procedure I have a managing the company’s context procedure, and so what do those procedures do? Well first let’s take management review, let’s say the company says – because this this happens to me a lot – let’s say the company says, we’re going to have management review in January and July, and the actual management review happened in March, and the next management review happened one day before the registrar (inaudible 01:27:28) because they forgot to do the management review in July. Is that process working effectively? No, it’s not. Well, how would you be able to capture that? Well, one way you would be able to capture it is on-time completion of management reviews. So that would be a new indicator that you would be tracking, you have a manager review scheduled, did you have it on time? Another thing that I commonly see with management review is top management will get together, they’ll have a 3-hour management review, it’s really awesome, it’s great, it’s documented, the records are amazing, they made 7 decisions, we’re gonna do these 7 things based upon this management review, and we want all 7 of these things done by the third quarter. Well, the fourth quarter comes around and only 3 of the 7 things have been done, and the other 4 have been forgotten about, is that process working effectively? No, the management commitment process is not working effectively, so how would we see that? Well, we would see that by tracking the completion, the on-time completion of management review action (inaudible 01:28:26). SO that’s some example for management review. So sales, if you have some type of a sales process, your company is probably already tracking the data for the sales personnel to determine: A) do we want to keep them employed? B) do they deserve a bonus, do they have a quota? So if your already has sales quotas in place, you could just roll them up to the effectiveness of the sales process. If all of our sales guys and gals are meeting their quotas, our process is working effectively. Some people do a quote win-loss ratio, we want to win 70 % of our quotes, and if we’re winning 40 % of our quotes, our sales process is not working very well because we’re not winning enough jobs. If we’re winning 90 % of our quotes and the industry baseline is 70 %, our sales people might be giving inaccurate information to just win sales jobs. They’re telling them 2-week (inaudible 01:29:23) time when it really takes 8 weeks. You can use quotas, sales quotas, you can use quote win-loss ratios, things of that nature.
JONATHAN: Perfect, so just to come back to a question you recently answered about the technical competency of the auditor is one question or clarification, maybe, from George Hardy is: can we not use 19011 as a guide to auditor competency?
MICHAEL: Yes, for the ISO 9001 version you can. Unfortunately, that particular standard doesn’t address product audits and manufacturing process audits, and because the standard, the IATF standard goes above and beyond the ISO 9001 standard, your ISO 19011 is only a guide to help get you moving in the right direction. The IATF auditors will be expecting more than 19011.
JONATHAN: That’s definitely good to know that you have to go above and beyond that. So we have about four, five questions left, and again, we’re gonna send out the slides, so everything you’ve seen on the screen you’ll get a copy of, we’re gonna send out the video and a transcript of this presentation the Q&A. So you’ll get all that later and you’re welcome to share it internally by your organization and frankly with anybody you like, if you wanna post it on LinkedIn, that is always appreciated by Michael and by myself. One question here coming from Riswa Khan Patan, and it’s a question that we’ve dealt with at Nimonik a fair bit, is: can you explain how to comply with requirements for product safety?
MICHAEL: Yeah, that would probably be a webinar all in of itself. That’s a tough one because that is such a specific and customizable issue that from one organization to another is so drastically different, it would really be hard for me to add any value or even be able to address it necessarily. Now that would be an example where somebody should reach out to the McDae group through the website, and there’s an email on the website to get some customizable and to get some specific tangible support in that particular area, because there’s probably 600 different discussion points we could have over that, you’ve got everything from air-bags and we look at the Takata recalls, and you’ve got electronic counterfeit products in the electronic industry, there’s so many issues that it would be hard for me to add anything valuable in this environment.
JONATHAN: I agree there, it’s a very complicated subject and it varies not only by subject, whether it’s air bags, electronics, but also by jurisdiction, that you’re producing it, you’re selling it. We worked with a client who told us about, they’d built a minivan or a sort of small minibus that they were selling into the Brazilian market, and between the time that they had finished all the design work, they had finalized all those specifications and the time they went to production, that was an 8-month gap there, and when they went actually into production, the regulations around seatbelt safety for Brazil had changed, didn’t pick up on it, and so they went into production, they started producing minibuses, and then they were trying to hit the market, hit the dealers, and they realized that all the seatbelts were out of compliance, and so they had stopped the production line, go back, retro-fit the things that had already been built, modify the production process. I think the cost estimate in terms of how much it cost them was in the tens of millions of dollars, and that was something that was due to a lack of monitoring of the safety requirements, which are regulations…
MICHAEL: Which is an interested party.
JONATHAN: Yeah, so that’s something that Nimonik works on a lot, it’s just monitoring regulatory change around the world with teams in a number of different countries because it is such a moving target, and especially in the emerging economies places like Brazil, South Africa, China, the regulations are moving very quickly, trying to catch up with the more developed countries, so it’s a full-time job and mistakes can be very expensive, so you definitely want to announce a system there.
MICHAEL: What I would say, because I would like to give at least some type of answer, I would say that when you do identify these safety issues, the best place to address them is in your control plan. So my answer would be: address them through your control plans, Jonathan’s answer would be: hey, call Nimonik, we’re here to help!
JONATHAN: Well, no, I mean, they have to be in your control plans as well, but the changing product safety requirements is probably where we can assist, that’s kind of what we do, but you’re right, they have to be in control plans’ documents and explained and controlled for. Alright, a couple of more questions, this one from Thomas Matthew, I’m just trying to decipher the question, the only problem – sorry, Thomas Matthew, if you’re still on the call – you asked a question, I think, that was referencing a comment that Michael made but I’m not sure which comment you are referencing, so if you’re still in the call, feel free to jump back in and just give me a little bit more information about, you’re talking about a problem when organization changes, force you to change the quality manual, but I’m a little bit lost as to what it’s referring to, so if you’re still in the call, just drop a message into the chat window, we can go back to your clarification. So question here from Sherry Brewster: what are the eight rules that must apply to a process?
MICHAEL: Okay, so I believe I do have to memorize, I’m working very hard on memorizing the standard, I had the 9001:2008 memorized. The first one is you have to identify and address the risks and opportunities with the process. Now these may be not in the order that they’re bulleted in the in the standard but you have to address, identify and address the risks associated with the process, you have to identify the inputs and the outputs expected from the process, you have to determine the criteria and effectiveness, method measurements, the KPI’s, you have to evaluate the processes that’s done a management review, you have to improve the process that’s just done over time from management review evaluating the KPI’s, you have to identify the resources needed and ensure their availability, and you have to identify the responsibilities and authorities with the process, and they are found in a bulleted list in 4.4.1 of the standard.
JONATHAN: Perfect. So question here from Ionis, I won’t try to pronounce your last name, I’m not very good with Greek last names, but the question here is: hello, in my company we are using pestle tool to address risks and opportunities to satisfy the 9001:2015 requirement. We’ve only addressed known risks, for which we have already planned actions to eliminate them and control, do we have to do it again for all IATF processes, but this time get more deep, or will this put us on a possible risk of getting a non-conformance if we haven’t planned any actions to resolve those risks?
MICHAEL: So a couple of things. One, if your company has – let me start again, just say it a little bit of a different way – some companies have already gone above and beyond the old TS 6949 requirements voluntarily because your company’s allowed to do anything you want above-beyond the standard, so some companies have already had a risk management system in place that addresses the risks with their processes, their issues, the interested parties. They just didn’t know it was called issues and interested parties, they didn’t know IATF was going to require it, they just did it on their own, and now they are inadvertently in conformance to the IATF requirements, so the only thing I would say is if you already have a risk management system in place, either auditing yourself or have an external auditor or somebody like me, for example, audit your current system for a gap analysis, and so what I would recommend to that company is do a gap analysis on the risk management sections of the standard and look at what you’re currently doing and what you’ve done in the past, and if it is already in compliance to the standard, you don’t have to do a thing but if it’s not in compliance to the new IATF version of the risk management areas, then you have what we call a gap, and all you need to do is fill that gap. Filling that gap could just be checking off a couple new risk boxes, could be just changing the procedure slightly or adding to the form or whatever record you’re using, but that’s what I would do. Don’t reinvent the wheel just because IATF came along and said, hey, now you got to do all this. If you’re already in conformance don’t change a thing, you’re okay, and so that’s another example where somebody could reach out to the McDae group, go to the website and shoot us an e-mail, and we could even perform a remote gap analysis of that specific system in conformance to the new requirement, and we could give them a detailed report of, hey, this this what you’ve got, you’re already in compliance, or here’s a gap and here’s what we recommend.
JONATHAN: Perfect. So I’m going to come back to this question from Thomas Matthew, he provided a bit of clarification and he’s saying he was referring to the responsibility matrix in the quality manual and was mentioning that the problem there is when the organization changes, you are forced to change the quality manual, so if you have your responsibility traits right in that quality manual and then there’s a reorganization, which we know lots of large companies love to do on a regular basis, they seem to think it’s the solution to many of their problems, then you have to go back and modify the quality manual, what are your thoughts on keeping that organizational matrix separate from the quality manual?
MICHAEL: So, it’s a cultural question, I’m actually a little bit counter-cultural, if you haven’t caught onto that by now, I’m a little different, I actually like when companies put things in their quality manual that forces them to go back and make changes on a consistent basis, and here’s one of the reasons why I like that. A lot of times when I go into audit the company or when a company hires me to help them fix a problem or upgrade their system to another standard, the first thing I see is nobody has any clue what’s in their quality manual, nobody’s read the quality manual in years, sometimes people even have trouble finding the quality manual, and that’s really sad to me because the quality manual, like I said, is the foundation of your company, it’s the foundation of your system. So Thomas is correct that there’s (inaudible 1:41:19) involved in the fact that if you put some types of information in, when the company makes a change, now you got to go back and revise it. So he is correct, it’s an absolutely true statement, I just flip it on the other side and I like that because I like when companies are forced to be in their quality manual consistently. But he’s correct, there is some information that changes a lot and if it changes too much then it should be separate, documented separately somehow.
MICHAEL: And I would recommend not names, but using positions because names do change more frequently than positions do.
JONATHAN: Yep, that makes a lot of sense. But I do like the idea of having to go back and go into your documentation on a regular basis and not just do it three weeks before an internal or an external audit, which we see happen a lot of times, but forcing yourself to go in and work with it, kind of make sure you eat your own dog food. So two more questions left, one from Karina Ramirez, excellent webinar, she says. Thank you, Karina, and especially for Michael, her question is: is it correct to implement layered processed audits, CQI 8 covering the clauses of IATF 18.104.22.168 management manufacturing process audit, so is it correct to use a layered process audit?
MICHAEL: Yeah, you can. When it comes to manufacturing process arts, the standard doesn’t really have any, you must do it this way or must do it this way or go this way or go that way, all they care about is that once every three years you audit all of the different manufacturing processes that are within your company, so some people use that format, some people just use a combination of their error proofing and their product, or some people use kind of a full… I’ve seen crazy approaches where somebody’s used the error proofing where they put their (inaudible 1:43:31) through and they’re caught, or they’re not caught and they use their product audits in combination with an internal audit and the queue and so it’s really disguised the limit on how you audit your manufacturing processes, but basically I’ve seen companies take their control plans, and they actually just watched the people on the line running the process and they ask themselves, okay, yes, and then they interview particular people along the line, so some people do it through a control plan system where they look at the control plan and they make sure that everybody’s doing everything according to the control plan, and so that’s the beauty of it, you get to pick how you audit your process, your production processes. IATF kept their hands out of the house in doing that.
JONATHAN: Right, so the last question here, which is touches on what you just discussed, but does the IATF standard define the frequency of manufacturing process audits, is it a definition?
MICHAEL: Yeah, once every three years.
JONATHAN: Right. I was gonna say that you mentioned earlier that doing audits and general intro audits in general every three years was a high-risk activity and certainly not recommended but that is what the standard…
MICHAEL: Yes, so all of your QMS processes in their entirety over a three-year window, so I still think it’s high-risk, but that standard allows you to do it over a three-year period.
JONATHAN: Okay, perfect, and just on our end, Nimonik, I mean, we’ve worked with a number of automotive companies, implementing internal audit programs, and like Michael said, there’s a lot of different ways to do it but what we’ve seen is, the trick is to make the internal audits as helpful as possible and reduce the burden on your operations as well, as if you’re auditing your suppliers, for example, reduce the burden on the suppliers. We worked with one company where the suppliers were getting audited multiple times by different parts of their customer, which was the Tier 1 supplier, so they were auditing, multiplying the tier 2 supplier, it was driving them nuts and increasing their costs, so investing in in a tool, whether it’s Nimonik or another product, is really critical, I think there’s far too many people still planning their internal audits with Excel and they’re missing out on the ability to coordinate and to attach documents and evidence and just make it a lot clearer for the auditee, the people getting audited, and the auditor, what is expected, when’s the audit gonna happen, how much time is it gonna take. So there’s really a lot of opportunity out there to digitize a lot of this work and reduce the burden so you can get more audits done, target your high-risk areas, and make sure you’re ready for those three-year required audits. Alright, two more questions came in and we did promise we’d address all the questions, so from Patricia Lona, she’s asking how should we document outsourced services in our quality management system, or how should we document outsourced services in our quality management, what have you seen on that front, Michael?
MICHAEL: I would agree that you should, and if you interpret the standard literally, it recommends, some people would say it requires it some people say it recommends it depending on your interpretation and style. I would add that as another table in the quality manual, and that would be a good example of where earlier in the slide, when I had those 8 or 9 bullet points of the quality manual, I had mentioned that your company could go above and beyond those and could do even more of those, so that would be a great fit for the quality manual, actually, for a table. Not necessarily to the depth of what particular vendors, you don’t want to go that that deep, but just an overall, hey, we outsourced plating, heat-treating, welding, or whatever the services are.
JONATHAN: Right, so a couple points here from Thomas, he’s saying that the new standard really increased the amount of documentation that’s required – I’ll assume, Michael, that you agree with that, that the new standard is really increased amount of documentation – and then he’s asking: should we have proof that we did a complete cycle of internal audits prior to the upgrade re-certification on it?
MICHAEL: Yes, so that’s a fantastic question. What you are expected to do is have a full quality management system audit internal audit to the entire IATF standard and a full management review prior to your upgrade audit by the registrar. That is extremely important and we’ve seen companies go into, I’ve seen some of my clients have gone into their registrar audits without the entire audit, internal audit and without the management review and they are now struggling to get their certification, that’s why they hired me.
JONATHAN: And so Thomas’ point after that – and hopefully I interpret this properly – he’s saying then we cannot have a three-year cycle, so I guess he’s saying that if we have to do that full internal audit and the management review, then you can’t necessarily stick to a three-year cycle?
MICHAEL: Well, what they’re looking for is there needs to be evidence in your internal audit that you have looked at your IATF 16949 system in its entirety and have audited to the elements of it, but then moving forward from there, you can start your three-year cycle. And then, what I would do too, just to be safe, because there are like a hundred gazillion registrars out there and they’re all drastically different and a lot of them don’t even follow the rules themselves. I would recommend to be careful, that I don’t get myself in a tough spot, I would recommend everybody that’s still on the webinar or everybody who jumps on and listens to the recording of it to reach out to their registrar with that particular question, because so far, the registrars that I’ve been dealing with have that requirement, but it wouldn’t surprise me if some of the other registrar audit companies do not, so it would be something that I would definitely tell you, to contact your registrar as soon as possible and ask that question as soon as possible.
JONATHAN: Yep, I think the point that we were discussing, Michael, before the call, which I think was quite important, is: there’s a lot of companies that get certified to ISO standards, whether it’s IATF or another standard, and they really only do the bare minimum to get certified so that they can put that up on their website ad provide it to their customers and obviously we don’t agree with that. Really, the standard needs to be deeply embedded into your culture, it needs to be really respected. and there are certifiers out there who unfortunately will certify a lot of companies who shouldn’t really be certified, and we see that especially outside of some of the developed countries, and that’s something that we’ve struggled with, but just a point, I think everyone on this call believes that, or else they wouldn’t be on the call today, but as we’ve seen in the industry, there’s a lot of companies out there that really aren’t necessarily certifiable, even though they do get certified, unfortunately. Okay, well Tom says this is now clear, thanks for your answer, Michael, so great! The last point here Mike Swift made was that doing an internal audit every three years would be insane and ineffective for an organization, sort of like eliminating a quality manual. I think you would agree with that, Michael, that three years is way too long, and the more frequently you do internal audits, definitely the better, and you don’t necessarily have to do the whole standard at once, you can break it up, do different parts of your business, different parts of the standard, but keep people on their toes, that’s the operating, the thing that we recommend strongly.
JONATHAN: Great, well I think that’s it, thank you to everybody who stuck around all the way to the end, here it is gone two hours instead of just an hour, we still have 60 people on the call from all over the world, so we really appreciate you taking the time to listen to Michael and ask all these great questions, and if you have any other questions for Michael, he can certainly be reached through the website of the McDae group, and anybody at Nimonik can be reached at the website at Nimonik, and tomorrow morning we’re gonna be doing a demonstration of the internal auditing software at 11 AM, so feel free to register for that, we will stick to 45 minutes, it won’t go on for two hours. It’s a lot simpler than what Michael has been discussing today, but thank you to everybody, we’ll send out the slides, the recording, and all the Q&A in the next couple days, and please don’t hesitate to reach out to Michael or to myself.
MICHAEL: Alright, thank you for allowing me to be a part of this, Jonathan!
JONATHAN: Alright, have a great day, everybody!