The standard is broken out into five sections (numbered 4, 5, 6, 7 and 8). Section 4 of the standard describes how to document a management system and control records. Section 5 is about management commitment and responsibilities, and review of data collected by the management system. Section 6 is resource management; Section 7 is planning, producing and controlling whatever product or service the company provides.
Finally, Section 8 of the standard is about monitoring and measuring product processes and management processes through inspection, testing, validation and auditing, for example. In addition, Section 8 defines what to do when processes do not meet the desired result; these are control of nonconformance and corrective action. Section 8 ends by describing analysis of data and preventive action, and this small part of the standard is where an ISO 9001 system can really pay off. If a company is spending a lot of time conducting processes that generate data, but does not analyze that data, set objectives and goals, and act on preventive action opportunities to improve its bottom line, then it is a waste of time to collect the data in the first place.
ISO 9001 is about defining, measuring and improving processes. The key to a successful and meaningful ISO 9001 system is to understand how to measure the success of processes so it can then be determined which processes require additional focus for improvement. The following is a basic outline of the four steps required to accomplish continual improvement:
1. Plan: planning a process could be writing a work instruction or flow chart or simply training the people involved in the process on how you plan for it to be conducted.
2. Do: perform the process according to the plan.
3. Check: inspect and verify the results of the process.
4. Act: if the results do not satisfy the plan, then action must be taken to correct the situation.
A few important programs must be implemented to support the use of ISO 9001. These are based on the Plan, Do, Check, Act model. Two of these programs are called “management review” and “analysis of data” and are the output of the “Do” requirement. The output of a process is data and this data needs to be reviewed and analyzed by management in order to identify opportunities for improvement and actions required to satisfy customer requirements.
Another program required in the ISO 9001 standard is the “Internal Audit” program. This is the “Check” requirement. This is the program used by the company to inspect its own processes to ensure conformance to the plan, and more importantly to find areas for improvement.
Continual improvement and customer satisfaction are the most important objectives of any ISO 9001 system. This is why the “Act” step is so important. The “Act” will be the actions taken resulting from analysis of data and auditing your processes for improvement. During the auditing of a process, one must always ask the questions, “Why?” and “What if?” After there is a complete understanding of the process from the bottom-up:
• It can then be determined if there may be a requirement to implement corrective action to correct “why” something did not happen as “planned.”
• There may be an opportunity for preventive action or improvement (to prevent a problem from occurring or to make the process more efficient and effective).
There are many different interpretations of the ISO 9001 standard. In an effort to highlight some common misunderstandings, some of these myths, urban legends or perceptions of different requirements that may still exist will be examined.
Because the ISO 9001 standard is based on the process approach of Plan, Do, Check and Act, it is important that the company learn and understand the ISO 9001 standard before implementing or documenting their management system. One such way to accomplish this is to send key employees to an ISO 9001 course, and/or hire a trainer or consultant.
A consultant’s role is to teach employees the requirements of the standard and help them define their management system. The foundation of the management system needs to be based on the company’s culture, products and services, and how it will meet and continually improve on these requirements.
Often when a company hires a consultant to define, document and put in place how to meet requirements, the management system does not always match the company’s culture, or worse, a management system is put in place that the company does not understand. This makes enlisting employee support for the management system difficult and often is the reason the management system is not consistently used. If a consultant helps the company understand that the requirements of the standard are nothing beyond how it already does things, then the management system has a much better chance of succeeding.
The benefits of ISO 9001 when implemented correctly
The main purpose of implementing an ISO 9001 system is to improve a process, eliminate waste, save money and ensure that the company will be a contender in future markets. Every process in a company should have a measurement that shows if it is effective and/or met the desired result (the plan). The best platform to improve a process is when the quality policy and measurable objectives are defined clearly, and communicated clearly throughout an organization.
In many instances, a company will not be able to find a way to measure the effectiveness of a certain process or understand how it feeds into overall goals and objectives. In these instances one must further investigate what the purpose of this process is and whether it should be eliminated or modified to satisfy the company’s objectives: the “why” and “what if” questions.
Some processes are extremely difficult to measure and define, such as a process required to meet a safety requirement, regulatory requirement or customer requirement. It also is important to include the performance indicators of processes so that when an action is taken (corrective or preventive) the effectiveness of those actions can be measured. The most effective method to measure effectiveness is to measure and track costs. This includes cost of nonconformity so when problems are corrected and processes improved, cost savings can be measured.
Why do some companies get discouraged when implementing a management system? What can be done to prevent this?
Some of the horror stories about ISO 9001 implementations include companies that have binders of procedures, work instruction and forms and have been trying to implement ISO 9001 unsuccessfully for years. Some have spent $50,000 and others more than $200,000 on internal resources and/or consultants. Some have had a prior quality manager who wrote a management system and then left the company, and no other employee knew how to continue the management system requirements. Some have gone through three quality managers, each defining, adding to the last management system or adding confusion by changing requirements.
In many instances, companies that have invested considerable time and money in the process of certification have a hard time letting go of it even when it has proven not to be effective or useful. A company must decide if it wants to chase bad money with good money when faced with this problem. It must consider letting the existing management system go and documenting a new and effective management system from scratch. An important part of the ISO 9001 standard is preventing recurrence of a problem. Therefore, it is simple common sense to change or improve a management system and the associated philosophy when the management system is found ineffective.
Plan
Some companies have over-documented their management systems to the point where they are useless, based on misperceptions or lack of understanding of ISO 9001. Nowhere in the ISO 9001 standard does it say how a company is required to do a process; it simply says that a company needs to meet a requirement, generally the customer requirements.
It is the company’s prerogative to decide how it defines processes and how it meets requirements. This is important and the main reason why companies often struggle and fail to create a cost-reducing, effective ISO 9001 program. Many companies, when trying to implement an ISO 9001 program, define their program based on what they think the standard implies or what an auditor may expect to see. If not for ISO 9001 requirements, most companies would never implement something they did not need to succeed in business. However, when it comes to implementing an ISO 9001 system, companies define many of the programs based on perception and not on the company’s actual processes or culture.
Documenting a management system
The first step in implementing an ISO 9001 system is to document a management system. The required documentation is a quality manual that could be called a business systems manual because it covers the scope of the entire business, not just the quality aspects. There also are six required procedures (control of documents; control of records; internal audits; control of nonconforming product; corrective action; and preventive action). The company may define any additional documentation.
The business systems manual. There are three requirements to be included:
1. A scope that includes any exclusions
2. The procedures or reference to the procedures for the management system
3. A complete description of the interaction between the various processes that are required to operate the business.
These are the only requirements of a manual. Yet so many companies write 30- to 60-page manuals that have so much detail and often refer to outdated processes or requirements. When written correctly, the manual could be a perfect marketing tool to send to customers that simply tells them the scope of the management system and provides a picture of the interrelation of processes. The interrelation of processes can be as simple as an overall picture of how a company’s processes flow, and needs to incorporate control of production/service (planning, measuring and monitoring) and continual improvement processes (control of nonconforming, corrective and preventive action, and internal audits, analysis of data and management review).
The six required procedures that need to be written are:
1. How the company controls its documents
2. How the company controls its records
3. How it processes nonconforming product
4. How it conducts and records internal audits
5. How it processes corrective actions
6. How it processes preventive actions
The standard does not dictate how to do any of these processes; it simply provides guidelines and states that a company must document how it performs these processes. A company should not document processes or required procedures based on perceptions of the standard or what an auditor looks for. A company must document its management system based on how it conducts business.
Any other work instructions, flow charts or procedures that a company feels it needs to effectively produce the given product or service should be done in a format that best suits the purpose of controlling these processes. The most important part of documenting any type of process, whether a management process or a product process, is to define the inputs, outputs and measurements of the process. The better a company defines how to measure each process, the easier it will be to monitor the outputs (data) and pinpoint the areas that require improvement.
The level of complexity or volume of a documented management system has nothing to do with the size or complexity of the processes of a company. The only direct relationship that would be found regarding the level of documents a company requires would be the effectiveness of training programs. The more effective the training programs are, the fewer documents one would expect to see. For example, a work instruction may be needed to teach an employee how to do something (training guideline/reference document), but after training, there is no more requirement for that document.
The common sense approach to documenting a management system
There are many requirements in the standard that say one must “define” a process. Defining a process does not mean the same thing as documenting a process; it can be defined verbally, with pictures, in a video or in a document. For example, if a company has a process and it is deciding if it needs a procedure, flow chart, or work instruction to “define” it, the following questions should be asked, and the management systems should be documented according to the answers:
1. In order to perform this process consistently and correctly, does the company need step-by-step instructions to be used by the operator while performing the process? If the answer is yes, then document the steps of the process to be used by the operator.
2. In order to train employees on this process, are step-by-step instructions needed? If the answer is yes, the process can be documented as an instruction or as a training or guideline document that is used only for training new employees and not for conducting the process. Consider training videos in this instance.
3. Is it a required document (one of the six required by ISO 9001, a customer requirement, a regulatory requirement)? If yes, then document the process.
4. Did the last auditor say a process needed to be documented? This is not a valid reason to document a process.
A management system should not be documented for the sake of documenting a management system. If a document is written that nobody ever looks at or uses, and it is collecting dust on a shelf or taking up space on a computer, then it should be eliminated. The reason to document a process of any kind is so there is a clear understanding of the roles, responsibilities, tasks, inputs, outputs and, most importantly, measurable criteria of the process.
For example, if a company says that all forms will have a form number and revision on them, then all forms must have this. The standard does not require forms to be controlled or to have a number or revision. This would be an example of a company adding a requirement beyond the requirements of the ISO 9001 standard. Requirements should only be added when it will benefit the company by ensuring better processes. Do not add this type of requirement based on a perception of the standard or advice given by an outside party, including an auditor.
Do
After a management system has been documented and defined, processes can be carried out according to the plan. These processes can include production or service processes, supplier management, purchasing, receiving and calibration. Depending on what an organization does, some of these processes may be excluded from a management system. When the management system’s scope is defined, the company is able to exclude portions of Section 7 of ISO 9001 that do not apply.
Check
There are many methods to verify processes and management systems. A company can check its production and service processes by inspection or verification. It also may check processes and its management system by conducting internal audits. Another check or verification that is at any company’s disposal may be third-party audits, performed by a consultant, registrar or customer.
Third-party auditors are there to perform an audit to measure conformance to the company’s documented management system and to the requirements of ISO 9001. It does not matter if they agree or disagree with how a company decides to document its management system, control its documents, conduct its management reviews, conduct its audits or measure customer satisfaction. The bottom line is that if a company says it does something in a certain way, does it that way and meets the requirement of the standard, the company is in conformance with the standard.
Third-party ISO 9001 auditors (registrars) need to be very careful what they say or do in an audit. They are not permitted by the RAB/QSA to consult during an audit. Consulting must be left to consultants. As an ISO 9001 registrar, they are at the company one or two days, maybe a week at most. They are there to verify whether the company does what it says, says what it does and meets the requirements of the standard. The auditor is not there to tell the company how it should or should not do something.
If an auditor is going to write a nonconformance to the company, the nonconformance must be against a requirement in the standard that was not satisfied or a requirement that the company put on itself in one of its documented procedures that was not satisfied. A major portion of nonconformances written to companies is against the company’s documented procedures. The following are reasons that this situation exists:
Another common issue is how a company’s internal audit procedure says that it will audit every element of the standard at least once a year, or that it will respond to a corrective action request in 24 hours and so on. Again, it goes back to documenting the management system based on a common-sense approach. A process should not be documented based on what one wants it to be or what one hopes will happen. A process should be documented based on why the process is performed and what is desired from the process.
Using the above internal audit procedure as an example, the first question the company should ask is why it wants to conduct internal audits. There should be many answers, such as it is a requirement of the standard, but, more importantly, it should be because the company wants to measure the performance and effectiveness of its processes and identify opportunities for improvement.
Nowhere in the standard does it say that full systems audits must be performed once a year or using an internal audit form, or on a set schedule planned a year in advance. It simply says, “An audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits.”
Again, the company decides how to do this. It should not be based on what it believes the auditor wants to see; it should be based on how the company will get the most out of it. For example, the company may decide that after it reviews trends of data and decides what areas need improvement, it will schedule an audit of that area or process, review the processes using the “why” and “what if” approach to try to discover areas for improvement that may eliminate these trends. Upon completion, the internal auditors shall review this with management to make a decision, or assign actions, to correct the trends and improve the process.
Audits and Analysis of Data
How a management system is audited and the data that comes out of a management system is analyzed will directly relate to how much money a company saves by using an ISO 9001 system. If a company wants the most from its internal audit system, it must go above and beyond checking to see if it “does what it says, says what it does.” Questions such as these must be asked:
The answers to these questions are what management will review to decide if it needs to, or should, take action to improve the process. The management team does not really care about pages of filled out checklists in a book that says the processes match the procedures and that there were no findings. If the management team is going to invest time and resources into the auditing activity, it wants to have information brought to it on how it can improve processes and ultimately make the company better.
Analysis of data is important. Data (outputs of the processes) should be analyzed by cost and occurrence. The driving force behind implementation of an ISO 9001 system is the collection of data and a methodical approach to reviewing and analyzing the data to identify areas where money can be saved or processes improved. Again, management review and analysis of data is not for the purpose of having a meeting, spending days creating fancy reports and graphs as a record for the ISO auditor. The reason that data and the performance of a management system are reviewed and analyzed is to identify opportunities, take action and follow up to see that these actions were effective.
There are many places in an ISO 9001 system where actions can be assigned. Coming up with the best method to assign, communicate and follow through on actions is the basis of continual improvement.
Unfortunately, companies often struggle with how to do this. There are companies who assign actions from internal audits on an internal audit form, customer complaints in a log, nonconformity reports on another form in another log, actions from a management review in the minutes, actions from a production meeting in a spreadsheet, action to vendors on another form and so on.
Many times there are so many actions open, past due, pushed out or not communicated that the company has no way of knowing if its actions are effective or not. Sometimes, the company may have a corrective action system that reminds personnel when an action is due, but there is no follow up for effectiveness. Other times actions are assigned in meeting minutes, and if the next meeting is not until the next quarter or the next year, the company has no way to know if the action was taken or not, let alone if it was effective or not.
The difference between closing an action and verifying whether an action is effective.
There is a huge difference between closing an action and verifying if an action is effective. For example, a company may have an action list in an Excel spreadsheet where actions are assigned from various meetings. The spreadsheet includes the problem statement, required action, who is responsible, when it is due and a closed (yes/no) column. In a meeting, managers go around the table and ask if the action was taken or not, and, if so, it can be closed. Who should care if it is closed or not? Should one not care about the action’s effectiveness?
Let us say the company found a problem and the action was to do some training or add a new fixture. When the training is completed, or the new fixture is implemented, the action is generally closed and put in the closed sheet of the spreadsheet. Would it not be more important to see if the training or the new fixture actually solved the problem? If it did, then the objective towards improvement has been accomplished. We have, in fact, prevented the problem from recurring. If the company is still issuing nonconformities for the same problem, then additional action needs to be taken.
Again, actions should not be assigned for the sake of assigning actions. If an action is assigned, it should be followed through to ensure it is effective.
Defending an ISO 9001 system
This is a true story to illustrate why one should not make changes to an ISO 9001 system based only on external advice:
A management representative of an ISO 9001 system inherits a management system that consists of more than 600 procedures and work instructions. An external auditor required the company to add many new requirements to its quality manual, which was already more than 40 pages long and at revision J or K at that time. The company also was instructed to create an audit schedule that resembled an audit report form that was more familiar to the auditor. Six months later, a new auditor arrived and the management representative was instructed to add even more specific requirements to the quality manual and more nonvalue-added items to the already over-revised management system. When the third auditor arrived six months later, the company was advised to change its management system back to where it was the year before.
Clearly, something was wrong. The management representative went to a lead auditor course to try to understand ISO 9001 and exactly what is required from the documentation. The management representative discovered that the ISO auditor had no business telling his company how to document its management system.
It is difficult not to be intimidated by an auditor. Executive management is habitually focused on becoming ISO 9001 certified (certificate for sales) and unfortunately, management’s perception to this prerequisite is to comply with the auditor’s requirements, because this will obviously “fast-track” the certification process. Frequently the company knows that they are right (common sense), but will choose compliance to the auditor’s requirements over confrontation. This choice performed year after year is the foremost reason why the company’s management system becomes less recognizable to its actual processes over time. It also is the cause of employee dissatisfaction with ISO 9001 and lack of participation.
Therefore, the only occasion a company should have to update a procedure, or add steps to a process, is when the company decides that it needs to be done based on its own analysis of the process and how to improve it.
Most auditors are looking for conformance to a standard when they are auditing. If they do find nonconformance, they generally are diligent in making sure it is valid and aligned with the standard or the company’s specific documented procedure. The only defense a company has against an auditor that may be giving bad advice, or unknowingly writing invalid nonconformities, is to understand the standard and its own documented management system to the point where it knows the difference.
It needs to be remembered that the role of an ISO 9001 auditor is to measure conformance of a company’s management system; furthermore, they are not permitted to perform consulting. When they do write a nonconformance against a management system, it must be against the standard or the company’s specific documented management system. If the nonconformance does not point to a requirement in the standard or the company’s specific documented management system, then the company should question it and only change the management system based on its own analysis of processes and ISO 9001 with consideration given to improvement. This is not to imply that a company should be defensive or fight every nonconformance. Certification to the ISO 9001 standard is a process and the registration audit is just one small part. The best defense is education and understanding of the ISO 9001 standard and its requirements for a specific industry.
An audit is a snapshot in time and an auditor cannot possibly understand the culture, the management style and the requirements best suited for a particular company in such a short period of time. Perhaps, the auditor may witness a process or procedure performed at another company that was successful and may share this information. The purpose is to initiate a thought process to analyze and evaluate if this process or procedure may work in another environment with another management culture and process requirements. An auditor is not permitted to demand that a company comply with this process or procedure.
One example of how to proceed when a nonconformity that is not valid is received:
Nonconformity Issued: An ISO registrar wrote a nonconformity against a company, saying that its forms are not in control because they did not have form numbers and were not controlled by revision or dates of approval.
Analysis of Nonconformity: After data is entered on a form it becomes a quality record and the record is controlled in accordance with the procedure for control of records. There was no basis found for this nonconformance in the ISO 9001 standard.
Actions Taken: The analysis was shared with the ISO auditor but the auditor did not accept the response. Therefore, the company requested that a higher department within the registrar review the nonconformity and that they provide specific ISO 9001 elements to support their nonconformity.
Result: The registrar changed the nonconformity to an observation for improvement that was based on a process that he had seen in other companies. The company thanked them for the suggestion but declined to revise its management system.
If the company had decided to comply with the auditor’s nonconformity that was not valid simply to expedite certification, then:
An auditor, consultant, customer or employee who implemented an ISO 9001 program at his last company should never be allowed to tell another company how its ISO 9001 system should be structured. The management team must define its own management system to meet the needs of its company and get the most out of it. This does not mean the management team cannot delegate responsibilities of implementing and maintaining the management system. It simply means the management team must define the management system and, more importantly, the expectations.
It is obvious to a third-party ISO auditor when a company has defined its own management system vs. when the management system has been written and provided to them. When a company defines its own management system, the ISO 9001 audit from the external registrar is simply a verification of the effectiveness of its management system and an opportunity for it to have a third set of eyes look at its management system and help identify areas for correction and/or improvement. This process is always less painful when the management system is created by the management team using the Plan, Do, Check and Act approach.
How to ensure an effective ISO 9001 implementation
1. The requirements of the standard need to be understood; this may mean sending key employees to an ISO lead auditor course or general ISO training.
2. The company should define its own management system; this may require guidance from a consultant.
3. After a management system is defined, the company needs to own and defend its management system; this means it is okay to question and analyze conflicting information from outside parties.
4. It needs to be understood that the ISO 9001 system is in place to help a company continually improve. If valid nonconformance is found in a management system (verified by analysis), this opportunity should be embraced to improve processes. Processes should be improved in such a way that does not just fix the immediate problem, but really identifies the root cause and initiates effective corrective action to the process.