Quality Digest      
  HomeSearchSubscribeGuestbookAdvertise December 6, 2023
This Month
Need Help?
ISO 9000 Database
Web Links
Back Issues
Contact Us

by Kennedy Smith

Glossary of Acronyms

ANSI-RAB--American National Standards Institute-Registrar Accreditation Board

IAAR--International Association of Accredited Registrars

IAF--International Accreditation Forum

IqNET--International Certification Network

ISO/CASCO--The International Organization for Standardization’s Committee on Conformity Assessment

ITIC--Information Technology Industry Council

JAB--Japan Accreditation Board for Conformity Assessment

JAS-ANZ--Joint Accreditation System of Australia and New Zealand

RvA--Dutch Accreditation Council (Raad Voor Accreditatie)

SCC--Standards Council of Canada

SINCERT--Sistema Nazionale per l’Accreditamento degli Organsimi di Certificazione (Italy)

TGA--German Association for Accreditation (Traegergemeinschaft fuer Akkreditierung GmbH)

UKAS--United Kingdom Accreditation Service

As a growing number of businesses conduct Web-based conferences, sales transactions, training sessions and seminars, it’s not difficult to imagine that online auditing to quality management systems such as ISO 9001:2000 may soon be common practice. In fact, it’s not just a whim in the minds of technologically savvy quality professionals--it’s a reality.

Earlier this year, members of the International Accreditation Forum and QMS application providers convened to discuss the complexities of achieving a sound and successful remote assessment process. The meeting produced several points of concern, such as the security of the system itself, technical expertise required of the assessors, different maturity levels of e-based systems and knowledge gained from pilot projects. Although the specifics are still very much in the works, all the participants agreed that creating guidelines for remote assessment would be a successful venture.

Stanley Salot, president and CEO of Business & Quality Process Management LLC and a participant in the IAF’s knowledge-sharing session, first toyed with the idea of remote assessment back in 1997. “I was working for Hitachi implementing ISO 9000,” he remembers. “When the assessors came into the facility, they spent about 80 percent of their time in front of the computer. That was the trigger.”

The benefits are clear, says Salot. First, it makes sense technologically. “Industry has the tools to set up e-based quality management systems, and it’s up to the assessor to support those systems,” he says.

Second, it makes economic sense. With the repercussions of Sept. 11 affecting everything from air travel to stock prices, many companies are asking, “Why am I flying an assessor to my site when the entire process is visible via an Internet connection?”

Moreover, remote assessment has the potential to offer auditors access to much more information than previously available. Traditionally, organizations are audited at one point in time, whereas assessment via the organization’s e-based system could offer continuous monitoring of certain preselected performance indicators. This is advantageous to the assessor because it provides a better idea of the company’s process as a whole.

However, skepticism and opposition to the idea of remote assessment exists: How can you assess a facility you’ve never set foot in? How can you ensure that the information you see on the screen is a true reflection of the quality process? “About nine out of 10 people who learn about this are skeptical,” admits Salot. “They’re part of the old guard of quality professionals who basically say, if you can’t see the person and the process, you can’t assess conformity.”

Whatever the criticism, Salot believes that the industry is inevitably headed toward remote assessment--if not for first-time auditing, at least for recertification or surveillance audits. “When you implement a solid e-based management system, it’s already measuring your quality, your processes and your pulse, in real time,” he asserts. “Companies are taking more ownership of their quality processes, and the assessors must respond by educating themselves on e-based audit procedures.” The question is, how do you go from thinking about remote assessment to actually carrying it out?

Case application

Those interested in developing e-based assessment guidelines are looking closely at Japan Quality Assurance, which remotely audited several of NEC Corp.’s facilities for ISO 14001 re-registration. NEC developed an e-based document control system that could distribute regulations throughout the company in real time. According to NEC, the system has saved about 700,000 sheets of paper and 30,000 hours of management time per year.

This led to a partnership with JQA, and Net Audit, an environmental auditing system available over the Internet, was formed. Through Net Audit, JQA was able to check NEC’s documents and records, review records for all of the organization’s facilities at once and obtain preliminary information that would cut on-site auditing time by 60 percent.

JQA plans to expand its e-based auditing practices to include ISO 9000. Experts are looking at this example not only as a model for automating document control but also for creating an all-inclusive system that can track workflow, corrective/preventive action, audit trails and all other ISO standards requirements.

“Although the NEC and JQA accomplishment is compelling, it really only represents document control and the availability of documents over the Internet,” says Salot. “It doesn’t address the total business process, and it’s not clear whether they have true workflow management. However, this is definitely a step in the right direction.”

Important considerations

Participants of IAF’s knowledge-sharing session identified four key areas that must be recognized and accommodated in order for remote assessment to be successful: guidance, audit competence, recommendations for assessment mechanics and potential certification/registration body business models. It wasn’t the intention of the session to offer direction in these areas but rather identify them as key points for consideration.

Attendees included representatives from ANSI-RAB, SCC, RvA, SINCERT, JAB, UKAS, JAS-ANZ, TGA, IAAR, IqNET, and ITIC, Vintara, EtQ Inc. and BQPM.

The following outline gives a general overview of some of the topics covered at the meeting. These points are outlined in an IAF report written by Randy Dougherty of ANSI-RAB and Dale Misczynski of ITIC:

Guidance. Because of the velocity of technological change, participants agreed that any guidance developed concerning remote assessment should be kept at an IAF level, rather than to create ISO/CASCO documents. Furthermore, a higher level of technical expertise is required of both quality system implementers and assessors.

  • Stand-alone or annex. Guidance documents should be applicable to ISO guides 61, 62, 65, 66 and 17025. Potential application to ISO 17799 and ISO 13485 should also be considered.
  • Definitions. E-based management systems come in varying levels of complexity, and definitions must be developed for each. The management systems should contain document control, corrective and preventive management, application configuration management, security, audit trails, and visible workflow.
  • Maturity of implementation. Maturity (i.e., robustness, security and integrity) of the system must be considered in order to determine how remote the assessment should be. The certification/registration body must make a judgment concerning the maturity of a client’s e-based QMS in order to customize an appropriate certification approach.
  • Remote assessment. Remote assessment is possible using existing technology. A key concern is the way in which the certification/registration body gains secure access to the client’s system. The client may have to develop security nondisclosure agreements before allowing access.

    Additionally, because certification, recertification and surveillance audits vary, so must the method of e-based auditing in order to accommodate the client’s needs.
  • Formats. IAF should not standardize formats or terms. This may present a potential handicap for the assessor and can be mitigated by requiring the client to keep a controlled data dictionary and/or data flow diagrams. The dictionary/diagrams should be open at a user level and should never be considered confidential intellectual property.
  • Information validation. The certification/registration body would not be responsible for validating information flows; rather, it would be in charge of reviewing the client’s process for validating information flows.
  • Process validation. The certification/registration body must be confident in the validity of the client’s process. The body should not be responsible for process validation but rather ensure that process validation is in place.
  • Functionality. The client should provide the assessor with a system search engine, a guidebook, a site map, a data dictionary, an ad hoc report generator and any other tools to help the assessor perform the audit.
  • Sampling vs. total analysis. E-based environments may lend assessors the ability to search for discrepancies in a large number of records, as opposed to performing a spot-check, as is done in paper-based environments.
  • Point-in-time vs. continuous analysis. An e-based environment offers the ability to continuously monitor a QMS.

Auditor competence/education. Auditor education should cover e-based management. The report states: “It is doubtful that the current lead auditor training courseware can simply be upgraded to meet the requirements. Rather, a new curriculum, potentially from new unaccredited providers, will evolve to meet the requirements.” Application providers of e-based management systems may be of assistance in training auditors how to assess e-based QMSs.

  • Systems/process thinking. A systems/process thinking approach must be taken.

Recommendations for assessment mechanics. A minimum requirement of tools and facilities is needed to assist the assessor.

  • Bandwidth. Higher bandwidth offers a more time-efficient way to audit a system.
  • Orientation to the system. The client should provide orientation to the assessor about how its e-based QMS is set up.
  • Facilitator. A client-provided facilitator would significantly benefit the auditor.

Potential certification/registration body business models. Although remote assessment offers the potential for flexibility in the auditor/client relationship, it may also create the need for better oversight by the accreditation body.

  • System provider/operator. The certification/registration body may be a system provider, given that the systems are developed to be compliant to the standard. A model for Web-based packages is also feasible. However, this idea may not be commercially viable and may not provide sufficient impartiality.

What’s next?

The knowledge-sharing session also covered the desire to apply remote assessment techniques. The report states: “Pilots composed of clients, certification/registration bodies, accreditation bodies and potential application providers should be structured to gain wide visibility and experience. They should be encouraged to experiment, to test the limits, to provide ample opportunity to develop a solid structure for the future.”

About the author

Kennedy Smith is Quality Digest’s associate editor. Letters to the editor regarding this article can be e-mailed to letters@qualitydigest.com.