The Next Step for ISO 9001 and ISO Certification Advanced Surveillance and Recertification procedures (ASRP)

Transcription

1 Companies with mature management systems often feel a decrease in value and an increase in cost over time due to third-party audits. Advanced Surveillance and Recertification Procedures (ASRP) is a solution that shows demonstrated cost reductions in external audit frequency, but has also increased value through its unique approach. ASRP is an approved approach to certification-body assessments that have resulted in a standard ISO 9001 or ISO certificate (ISO 9001 and ISO can be interpreted to mean any currently accepted version of the ISO 9001 and ISO standards). ASRP is for organizations that have consistently demonstrated effectiveness in their quality management systems (QMS) or environmental management systems (EMS) over a period of time. The key concept of ASRP is that when an organization can demonstrate a mature management system, the certification body then has the ability to provide a solution that allows greater flexibility in auditing compliance and effectiveness of that system. This results in a number of benefits for qualifying organizations, such as: Strengthened internal management system oversight Increased emphasis on management system maturity Enhancement of performance indicators, management reviews, and corrective and preventive action (CAPA) processes A more effective and self-directed program of continual improvement Improved products and services through a more robust management system Reduced frequency, cost, and impact of third-party audits About ASRP The International Accreditation Forum (IAF) introduced ASRP in 2005 as an approved guidance to registrars (IAF-GM Application Guidance to Clauses of ISO/IEC Guide 62:1996 Annex 5 ). This provided certification bodies with the option to design customized assessment approaches for organizations with a mature QMS or EMS. Requirements include: Continuous registration to the ISO 9001 or ISO standard for a period of at least three years (i.e., one certification cycle, minimum) Appropriate key performance indicators to address and demonstrate ability to consistently provide products or services that meet customer and applicable regulatory requirements System incorporates requirements for the continual improvement of its effectiveness Evidence of continual improvement and objective measures of customer satisfaction Greater weight is also assigned to areas such as internal audit processes, management review, and CAPA. Additionally, the aforementioned are expected to be more robust and comprehensive. It s important to remember that the resulting certificates are identical to the standard ISO 9001:2008 or ISO 14001:2004 certificate as well as the process for review and issuance. ASRP s objective within this framework is improved effectiveness of the assessment and cost reduction, especially significant for large single sites, or for multiple-site certifications. The intent was to maintain the integrity of the certificate, certification process, and requirements for continued certification while allowing a more effective and efficient assessment of systems that have matured past the standard approach. A value added approach could go only so far under standard methodology.

2 How it works A key component of ASRP is using results of internal audits as a complement to, or even extension of, certification-body activities. An organization s auditing and review activities are expected to be equivalent to registrar activities in terms of independence, personnel competence, and integrity of results. IAF s MD 3:2008 Mandatory Document for Advanced Surveillance and Recertification Procedures permits registrars to place greater (but not total) reliance on the organization s internal audit and management review processes... to demonstrate conformity of the management system. Traditionally in the certification process, all assessment of management systems surveillance and recertification audits are performed by the certification body. Under ASRP, an organization can substitute internal audits for some of the required certification body audits. The result is an assessment program that can significantly reduce the number of certification body audit days on-site done by a certification body. This of course reduces thirdparty audit costs, but also reduces the impact of third-party audits in areas such as travel, employee time allocated to the third-party audit, and other areas. ASRP empowers the certification body and the organization to design an assessment program with a mix of three audit types. The first type of ASRP audits is witnessed audits. These are internal audits that are observed or witnessed, but not conducted, by the certification body. The certification body, working in partnership with the organization, will select internal audits that provide a sampling of both the organization s audited processes and of the organization s internal auditors. This observation provides the certification body an opportunity to evaluate the organization s audit process and by extension, the competence of its internal auditors. The second type of audits is delegated audits. These are internal audits that are also selected by the certification body and substitute for a portion of the certification body s audits, but are not participated in, nor observed by, the certification body. Records (e.g., audit plans and reports) from delegated audits go through a thorough review by the certification body. This review focuses on the effectiveness and compliance of those audited processes. Finally, the certification body will conduct traditional third-party audits of the organization during the year. ASRP audits led by a certification body are similar to non-asrp, but will have a greater emphasis on areas such as: Maturity level of compliance Management system changes and revisions Internal audits and audit results Corrective action implementation and effectiveness for all ASRP-type audit findings Customer-focus processes Continual improvement processes Management review processes, records, and outputs

3 DEKRA s role in ASRP DEKRA Certification was a key participant in defining and developing ASRP methodology. ASRP guidelines have resulted, in part, from experience gained from pilot alternative registration programs completed during DEKRA (at the time, KEMA) and Motorola were part of the initial ANSI-RAB and RvA (Netherlands Accreditation Body) pilot study. A second ISO ANAB pilot study with DEKRA and Seagate Technology was completed in DEKRA became the first certification body to earn ANSI-ASQ National Accreditation Board (ANAB) approval to register client organizations to ASRP. As a pioneer in this approach, the company early on recognized the unique needs and goals of organizations pursuing an ASRP approach. Its ANAB-approved ASRP methodology includes a maturity assessment for client organizations participating in ASRP. The maturity assessment produces a scored report indicating management system maturity in seven topic areas: Duration and history of certification Performance indicators Customer requirements Regulatory requirements Continual improvement Internal audit program Management review processes This assessment determines the extent to which an organization s audit processes can be used in lieu of third-party audits. Benefits of ASRP Companies that have achieved advanced status for certification under ASRP have found their surveillance and recertification audits now consist of: Internal audits witnessed by their certification body Delegated internal audits that substitute for a portion of the certification body s audits Reduced number of third-party audits performed by their certification body Under ASRP, the old system with greater emphasis on third-party audits is replaced by an advanced oversight methodology that provides a more efficient third-party audit process. A closer look at the results has shown the following benefits: Strengthened internal management system oversight The ability to substitute internal audits for a portion of certification body audits, coupled with annual self-evaluations of maturity, has shifted the focus from external to greater internal oversight. Reactive approaches to surveillances and recertification have been replaced by proactive improvement initiatives as companies take greater ownership of the responsibility for the maturity and effectiveness of their management systems. Increased emphasis on management system maturity Organizations conduct self-evaluation of their management system maturity at least annually. Regular maturity assessments have provided an institutionalized opportunity for business units to evaluate their maturity levels, identify opportunities for improvement, and implement solutions. Organizations have then used the results to include additional maturity topics in the evaluation. Following the approval by both certification body and ANAB, a revised and enhanced evaluation with customization that is specific to the organization is substituted for the original.

4 Enhanced performance indicators, management reviews and CAPA processes ASRP requires an organization to have performance indicators to consistently meet established performance targets. Management review and CAPA processes are given greater weight under ASRP and are expected to be more robust and comprehensive. Organizations augment their processes when needed to meet ASRP requirements. More effective and self-directed program of continual improvement Organizations have seen continual improvement programs significantly advance under greater internal oversight. Improvement initiatives have become self-directed. Proactive implementation of continual improvement occurs throughout all areas and locations of the organization. Improved products and services Self-directed initiatives to drive improvements also extend to products and services. Through ASRP participation, organizations have seen products and services continue to improve, driving increased customer satisfaction and sales. Reduced frequency, cost, and impact of certification body audits Organizations using ASRP have seen their employee count increase due to acquisitions and other growth factors. Using the traditional certification approach to ISO 9001, a matching growth in certification body audit days would have been required (IAF MD 5:2009 IAF mandatory document for duration of QMS and EMS audits ). But with the ASRP approach these organization s internal audits have substituted for a portion of certification body audits, producing an overall reduction in the number, frequency, and duration of certification bodyperformed audits. Certified to ISO 9001 since 1996, Qualcomm Inc. became the first U.S. company to achieve advanced status for certification to ISO 9001 under ASRP and has seen a reduction in third-party audits. The chart below illustrates the reduction after Qualcomm achieved ASRP status in The reduction in the number of certification body audits has led to: Decrease in billable certification body hours Reduced impact of third-party audits on business schedules and employee productivity

5 Third-party audits can require additional preparation time and sometimes generate stress for selected employee participants, thereby creating a negative effect on business operations. Internal audits, substituted for third-party audits, are generally viewed by employees as an expected, nonthreatening, and frequently valuable part of standard operations without the negative impact. ASRP eligibility Organizations that meet eligibility requirements can benefit from this alternative certification methodology. To be eligible for ASRP status, an organization must meet the following criteria: The organization must have been certified to ISO 9001 or ISO for at least three years (one registration cycle). All nonconformities identified during the preceding three years must have been successfully resolved. The organization must be in compliance with applicable legal requirements, with no regulatory sanctions imposed for the preceding three years. The organization must have performance indicators, agreed to by the certification body, that are suitable to evaluate the effectiveness of the management system and demonstrate that the organization is meeting performance targets, including meeting customer and regulatory requirements, and continually improving management system effectiveness. The organization must have enforceable arrangements with the certification body for access to relevant information, including all available customer satisfaction data. The organization s internal audit program must conform to the guidance of ISO The organization must have enforceable arrangements enabling the certification body to increase the scope, frequency, and duration of third-party certification body audits in the event the organization is unable to meet agreed performance targets. The greater flexibility afforded by ASRP has allowed companies to focus on their business needs while strengthening its management system and its ability to meet its customers requirements. About The Authors Chris Carson is Director of Sales and Marketing for DEKRA Certification Inc. Lindsey Waddell is a lead auditor at DEKRA Certification Inc. in Concord, California. Marilyn Platt is a staff quality assurance engineer at Qualcomm Inc. in San Diego, California. Steve Holladay is an executive assessment team leader at ANSI/ASQ National Accreditation Board (ANAB). *** 2014 Quality Digest Magazine. Copyright on content held by Quality Digest or by individual authors. Published 11/18/2013 in Quality Digest