An organization’s context and existing plans for operating are important to consider when defining a management system and its associated internal processing requirements. An organization’s context depends on its product, industry, competence levels of personnel, complexity of operations, size, etc. All of these are important considerations when defining a management system and deciding what documentation is appropriate.
Risk-based thinking, coupled with a process approach, helps us define internal processing requirements appropriate for processing being carried out. These considerations have naturally already been addressed by organizations staying in business; establishing a formal management system from one already in operation requires management to develop or adjust system documentation to suit its application.
DIFFERENT CUSTOMERS, PRODUCTS, PROCESSES, AND RISKS
For example, if a twelve-person organization provides ball bearings to bicycle shops, the system is stable, and management controls over operations are sensible and simple, we would expect documentation describing the system to be fairly scant (though complete) relative to a 1,200-person company supplying surgically implantable electro-mechanical devices (e.g., pace makers) to hospitals. We would expect the latter to be not only complete, but much more robust, given the risks involved with the product and processes needed to produce it.
The risk to end users of these products is vastly different. The processes involved pose vastly different risks and different magnitudes and impact on the world. If a ball bearing were defective from this supplier, and it got into the field, someone’s bike might seize up. If a defective (or contaminated) pace maker is implanted, someone might die.
For example, packaging activities described in the ball bearing manufacturer’s Shipping procedure might be very simple, given the nature of the product and risk involved. “Pull finished ball bearings from stock and put twenty of them in a box. Affix a label on the box and place the packaged product on the shipping shelf.”
The analogous activities in a medical device context would be much more robust and specific. The work environment would be much cleaner (likely a classified cleanroom). For the ball bearing manufacturer, packaging operations could be completed right beside production machines belching out smoke. That’s partly why the packaging operation for the ball bearing manufacturer is so simple, as would documented information describing it.
When packaging pace makers for shipment to hospitals, however, all kinds of extra considerations come into play. Extra controls are probably in place to control bioburden (the presence of bacteria residing on surfaces in the cleanroom where packaging activities are carried out). Maybe procedures are in place to ensure clean room garb is donned properly to avoid introducing contaminants to the cleanroom (and product). Rather than twenty per box, packaging activities for pace makers involve placing each finished unit into a hermetically sealed pouch (handling it only with special gloves). And then signing some record for each one packaged.
All of these added process controls are in place in a medical device environment to reduce the risk of bacteria or other health hazards being included in packages and implanted in patients.
Not only because the processes of various organizations are unique to each organization, but because risks to quality are different in each organization, even though certain risks might be widely understood in the industry. Documented information describing these management systems should be expected to vary from company to company accordingly.
IGNORING RISK WITH UNIFORM QMS DOCUMENTATION
To define any system with the same out-of-the-box 20-some or 6-procedure-only, each organization ends up with two problems. First, the resulting set of documents isn’t helpful to organizations in describing their own processes as they view them, and second, this approach assumes the risk is the same for any organization’s management system. The individual risks to the organization, given its context, are vastly different from one to the next. How can the same set of generic procedures adequately address risks specific to industries and individual suppliers in those industries?
Cutting and pasting the same management system structure into organizations regardless of context is ignoring the relative importance of the requirements for each organization. In a sense, it amounts to paying a twenty-one-gun salute to each requirement regardless of the requirement’s impact on operations. Or, on the other hand, procedurally ignoring processing requirements that are essential to operations.
In some cases, ISO 9001 requirements have very limited application, and given the risk involved, a sentence or two would suffice in a sensible procedure, instead of a paragraph or an entire procedure or several procedures (as may be the case in a medical device environment). (Remember the packaging operations of the ball bearing supplier versus the pace maker manufacturer.)
RISK BASED THINKING + PROCESS APPROACH = KEEPING IT REAL
Risk-based thinking is what keeps our ball-bearing manufacturer from requiring its packaging operations are carried out in a cleanroom. Likewise, it’s what keeps pace makers from being packaged by people with greasy, contaminated hands.
The process approach is what focuses attention on systemic application of plan-do-check-act (PDCA). It’s applied at the activity, process, and system level to improve performance of the system and its processes. The process approach is what urges management to view and manage its operations as a system of processes working together to satisfy customers. Accordingly, procedures are dedicated to processes, thereby clearly, objectively defining internal processing requirements. Accordingly, procedures are not structured according to, or dedicated to, the requirements or clauses of ISO 9001. The process approach is what keeps us from having to redefine our management systems with each new revision of the standard.
Documenting a management system sensibly can be done many ways, but each involves defining processes at an appropriate level and in adequate detail for the risk involved. Sensible management system documentation depends on the context of the organization, the risks involved to quality, and most importantly, the way the organization operates successfully today.
Bio:
T. D. (“Dan”) Nelson has been closely involved with ISO 9000 since 1994 as a technical writer, quality manager, management representative, consultant, author, and CB auditor. Holding an MA in Business Administration from the University of Iowa, Dan also has 12 years of experience as an IRCA-certified QMS Lead or Principal Auditor, conducting registration audits and surveillance audits, and training Lead Auditor candidates in accredited courses. Using a process approach, Dan has taken several scores of clients of various shapes and sizes through registration to ISO 9001:1994/2000/2008 and related sector schemes (e.g. QS 9000, AS9100, ISO 13485, and ISO 17025). Dan’s numerous articles about the process approach have also been published by Quality Digest, Inside Quality, ASQ’s Quality Management Division, the Society for Manufacturing Engineers (SME), and the South African Quality Institute (SAQI); Dan has been featured as a guest blogger by RABQSA, and has been featured on Quality Digest Live. Dan is available for management consulting, training, and coaching, as well as auditor training and coaching. Contact: dan@tdnelson.com 720 412 7994