Looking back at my quality career since 1984, I remember contributing to a quality manual of a Motorola Division in 1987-88 for ISO 9001 certification. The standards were released in 1987. Initially, the ISO 9001 standards were developed to benefit from industry best practices and implement a quality management system for consistency since variation was thought to be evil according to Dr. Deming. A shared understanding developed that ISO 9000 standards meant ‘do what you say in documents and say in those documents what you do.’ The implication was that people said very little in the documents.

I have also learned by working at quality-driven companies that good practices include developing and designing good processes for excellent performance and documenting them for consistency or ongoing excellent performance. However, the third-party focus on compliance led to questionable designs of the processes and as a result, ISO 9001 in its first generation created a perception of excessive documentation.

Subsequent versions of ISO 9000 quality management standards have been released in 1994, 2000, 2008 and 2015 with the intent of making the quality management system standards to be more business-performance driven and require reduced required documentation. ISO 9001:2000 version was a major structural change from the original version of the ISO 9001 standards. Even government, military and FDA quality management system standards aligned with the ISO 9001 standards. Although the ISO 9001:2015 does not introduce a major structural change, it does introduce a few key element-level changes. However, at least medical device standards ISO 13485 have preserved the pre-2015 clause, in the case of preventive action.

How do ISO 9001:2015 standards visibly identify changes in the quality management system? The list includes removing the preventive action, replacing with risk assessment, use of business context for its scope and stakeholders, and better use of the PDCA model and emphasis on the process approach.

Over the years I have learned that QMS is a way of doing work at a company and includes all activities and everyone. Quality is a state of mind leading to behaviors to excel in everything, which implies striving for target performance and verifiable actions (compliance) with the desired results (effectiveness). In other words, a quality management system is practically a business management system. That is how the QMS should be perceived and deployed in an organization, instead of a boxed-up ‘quality’ function. With the right strategies, if the business is not doing well, business problems are the quality problems and can be addressed as such. Once I heard Bob Galvin, then CEO of Motorola, told his leadership team to take care of quality and the business will be taken care of. 

Table 1: A High-Level Comparison of ISO 9001:2008 and ISO 9001:2015 Standards

Context of the Organization

To bring business relevance to a QMS, this section plays an important role and creates opportunities make a visible impact. Quality must make economic sense, and it must support achieving business objectives. In establishing a business context to our QMS, we used a stakeholder’s analysis matrix to establish their expectations and measurable objectives. Typically, stakeholders include customers, corporate, executives, employees, suppliers and community. QMS addressing all stakeholders’ expectations makes QMS relevant to each stakeholder. This section also has more explicitly required processes of the quality management system, and specified process inputs, sequence, interactions, outputs, criteria for effectiveness, and risks and opportunities, improvement and the required documentation including records. If the organization and its context are understood and specified as required in the ISO 9001 standards, the QMS could be designed for a ‘pull with benefits’ rather than a ‘push.’

Risk Assessment

ISO 9001:2015 identifies risks in the leadership and planning sections. The leadership section identifies risks associated with the conformity of products and services, and planning addresses risks associated with QMS. The leadership section is looking into risks with products and services, and the planning section addresses risks at the business level. SWOT (strengths, weakness, opportunities, and threats) can be used to identify business risks and process approach to identify product and services related risks.

SWOT Analysis

SWOT stands for strength, weakness, opportunities, and threats. A cross-functional team performing the SWOT analysis identifies organizational strengths to benefit from, and weaknesses to minimize the adverse impact, opportunities identify areas to improve and serve customers better, and threats point to the potential market, technology or people risks. Once the risks are identified primarily in weaknesses, opportunities and threats sections, they can be analyzed using the FMEA (failure modes and effects analysis) method and prioritized using the risk priority number (RPN). High-risk items are then addressed through specific action items.

Product or process-related risks can be identified at considering potential risks associated with material, information, machine, tool, method, approach, skills, and people. Design and process FMEAs can be used to identify product and process-related risks that can be minimized.

Preventive Action

Corrective and preventive actions are critical to the success of a QMS by driving continuous improvement and preventing recurring problems at the part, process or system level. There has been confusion between the corrective and preventive action. In a sense, even the corrective action shall be preventive in nature to avoid the recurrence of a problem. Experts have tried to articulate differences between corrective actions from preventive actions. Some people understood that corrective action is at a component or the opportunity level, while the preventive action is more at the higher system level. However, it was a constant confusion that eventually led to its removal from the ISO 9001:2015 standards. In intent, the preventive action has been replaced by the risk assessment and risk mitigation. However, the risk assessment and mitigation requirements are neither precisely articulated nor remedial actions accurately implemented.

I’ve learned in my early years at Motorola and AT&T Bell Labs that good companies implement quality management systems in order to produce good quality products and services with respect to its brand value. If a company has implemented an effective QMS to achieve its business objectives and comply with the ISO 9001 standards requirements, revisions in quality standards over time do not make a major impact on the success of its QMS. Organizations are not in the business of implementing a QMS, instead, organizations are in the business to serve customers using QMS. One must understand that all second or third party auditors are not equally equipped to perform effective quality audits against the requirements as intended. Instead, they perform compliance audits against the requirements as written.