(ISO) Quality Manual Chat

Though I’ve been through this many times, I’m a little nervous. In about 2 weeks I will be participating in the first ISO9001:2008 registration audit for a medium sized manufacturing company in Southern California. I’m the consultant, and we’ve worked for several months to get the documentation written and revised (many times!) and the people trained.

There’s always the possibility of a surprise. Even though we’ve conducted several internal audits of the entire quality system, audits can’t possibly find everything. I don’t have any serious doubts about passing the audit, but you just never know what kind of thing the auditor might find.

The company being audited was on a very aggressive schedule due to the owner’s wishes. I was, and am, a little uncomfortable with the rapid pace of everything. I like to see a company living with their completed quality system for at least 2 months before their registration audit. There are always unexpected things that pop up during those two months. Plus it gives everyone a chance to become familiar with any new procedures. Everything should be somewhat routine by the time of the registration audit, you certainly don’t want people forgetting stuff when the auditor is standing in front of them.

That being said, I’m 97% confident this company will pass their ISO9001:2008 registration audit on the first attempt.

In clause 7.5.3 of the ISO9001:2008 quality standard it states a requirement (where appropriate, of course) to identify your products by suitable means throughout your production process. I read this to mean that from the moment goods hit your door (or maybe sooner) those goods must be easily and accurately identified.

Recently I ran across a gentleman who believes that if the very experienced employees “just know” what an item is, sitting on an unmarked shelf, that’s good enough. This doesn’t seem like a great idea to me, and the ISO9001 standard doesn’t think so either. His system (no, he’s not ISO registered) is working for him now, as it has for the past 15 years. But it’s easy to find potential problems with a lack of product identification. People make mistakes. People forget things. People quit their jobs or are let go. People get ill or have accidents. Relying on an experienced employee to “just know” what your products are, without any sort of identification, will most certainly cause problems that could be easily avoided by using a simple method of identification.

I realize its not always easy to identify every component throughout every process. For example, you don’t want to attach an ID tag to a part that’s going through a paint process. The paint will cover up the tag, and the tag could mask a section of the part, ruining the paint job. In a case like this, how about having some kind of traveling document that stays “with” the part throughout the process? Maybe the tag, or traveler, could be on a hook labeled “rack 1″ while its associated part or parts are on paint rack 1. Or you could use a barcode and scanner system, with a bar code on the part or paperwork, and that barcode is scanned at the beginning of each process.

If the same part is always stored on the same shelf location, identification could be as simple as a piece of duct tape attached to the shelf face, with the part number written on it with a Sharpie. We’re talking about a 4 to 5 dollar investment in your identification process, it doesn’t have to be complicated or expensive. And even if this simple identification system saves just one mis-shipment down the road, isn’t it worth it?

There are undoubtedly many ways of identifying your parts. What method do you use?

One of the beautiful features of the ISO9001:2008 quality standard is that it gives users a lot of leeway in how to structure your quality system. ISO9001 might say “you shall evaluate training effectiveness”, but it doesn’t tell you how you have to do it. You can try to figure out the best way that works for you.

While its true that an ISO9001 quality system can be and should be tailored to your operation, there is such a thing as carrying it too far.

I recently met a man who read a little bit about ISO9001 and is positive that he can configure his quality system any way he wants, using a very loose interpretation of the quality standard, and still pass an ISO9001 audit. For example, the need to identify product throughout the production process is pretty clear in the standard, but my new friend believes that because his experienced people “just know what those things are”, and have not had any problems, that he can ignore the standard on this issue. And other issues.

The ISO9001:2008 quality standard was created to help businesses standardize and improve their practices. Not every part of the ISO9001 standard will be helpful to every organization out there in the world. Some people might think certain provisions of the standard don’t apply to them because no added value to their organization is perceived. They’d like to pick and choose elements of the standard to suit their needs, add value to their organization, and not create needless busywork.

Of course that’s fine, and I totally understand that way of thinking. If you’re simply trying to create a quality system for your own improvement, then kudos to you for doing so. However if you’re also trying to achieve ISO9001:2008 certification, then I’m afraid you can’t pick and choose which elements of the standard you like. They all apply to you and everyone else who wants to be registered to the ISO9001 quality standard.

There are exceptions, of course. ISO9001:2008 allows you exclusions, as long as you can justify them. For example, if you make pot holders for clients based strictly on customer-supplied drawings, you can probably justify excluding ISO9001 clause 7.3 Design and Development. And if you’re a car wash service, you don’t really have a tangible product that needs to be identified, so you can probably exclude clause 7.5.3.

But if you design products, you can’t exclude 7.3. And if you have products and materials in your shop, you can’t exclude 7.5.3.

It will be interesting to see how far my new friend goes through the ISO9001 registration process, and what things he learns along the way.

For the umpteenth time I’m working with a company that has just recently passed their first ISO9001:2000 registration audit. Needless to say there was considerable excitement, and lots of high-fives around the office when we found out we passed the audit. After many months of work, a few arguments, some compromises, and a lot of hand-holding, it was finally time to celebrate.

The temptation is definitely there to abandon everything they were taught, and go back to the familiar old ways. Knowing there are 11 months before the next “real” audit, its easy for people to forget they have to keep the ISO thing going.

Obviously it is important to keep some of the momentum going. Employees and management were certainly all fired-up in the months leading up to the registration audit. If we don’t relax TOO much, its easier to keep at least a little of that pre-audit energy going into the rest of the year.

I will have to say the really tough part is over. Creating a brand new ISO9001:2000 quality management system from scratch takes a lot of time and effort. Once it’s done, (is it ever really done?) it’s relatively easy to maintain.

At this point in the quality system’s life, it is extremely important to maintain an effective system of internal auditing. People have to know that the ISO quality system is not going away. Frequent, small internal audits are my choice to keep people on their toes, and to make sure nothing slips too far.

If you’ve read many of my posts compared them to most other ISO9001 consultants, you will probably notice that I’m a little more cynical than others. Many ISO types like to extoll the virtues of the quality management system and how it will increase customer satisfaction, decrease failures, etc. I don’t disagree with those benefits of ISO9001:2000. But the stark reality for most companies is that they MUST get ISO9001 certified in order to keep doing business. They don’t want to, mind you, but they must.

Keeping that in mind, one of the added tasks of an ISO quality system is to write, deal with, and record corrective action. I call them CAR’s, for Corrective Action Requests. CAR’s are a requirement of ISO9001:2000, and while certainly a valuable tool, they can be a pain in the rear to deal with.

You’ve got to do them if you want to keep your ISO9001:2000 certificate. So how many should you do? If you’ve got full time quality nazis on staff, they could easily turn corrective actions into a full time gig. I don’t think anyone wants that. Too many corrective action requests wastes everyone’s time, and pisses people off. Most people just want to do their jobs, not fill out extra paperwork because some quality person has a nit to pick.

It all depends on the size and complexity of your organization, of course. And also keep in mind this is only my opinion. I’m sure other ISO9001 professionals will tell you differently, and that’s fine with me. But for a company of under 20 people, I’d say that 1 or 2 CAR’s per month is sufficient. For a company of 21 to 100 people I would recommend at least 2 or 3 CAR’s per month. Only for much larger companies, with dedicated quality staff, would I recommend more than 3 corrective action requests per month. After all, you want to actually get work done, don’t you?

One recent consulting gig was done at a company that wanted to have the ISO9001:2000 certificate, but wasn’t too thrilled at the prospect of actually doing everything needed to actually implement an ISO9001 quality management system. Unfortunately there are far too many companies like this out in the world.

One major area of concern was calibrating the company’s measuring equipment. They have about 50 employees, and over 100 various gauges and test equipment that you’d think would need to be calibrated. You’d think so, but the company quality manager didn’t.

About 20 of the measuring devices were used in the inspection department, and the rest used by production people in the course of their job. The quality manager wanted to control and calibrate only the devices in the inspection department, and label the rest “for reference only”. The reason given for this is that only the inspection department devices are actually used to sign off the various processes. The production devices are only used for “monitoring”, and to get the piece “in the ballpark”. No nonconforming material could make it to the customer without a final inspection by the inspection department, so no problem there. The worst thing that could happen is that a small number of products might be made out of tolerance and would have to be reworked, or produced again.

This didn’t fly with me.

It seemed that they had way too many guages in the company, many of which were rarely or never used. The “for reference only” argument doesn’t make sense to me. I see it as a pretty much black-or-white issue. Either the measurement matters, and you calibrate the equipment, or the measurement does not matter, and you should not make it. Why complicate things if the measurement doesn’t matter? What value is added to your process by performing measurements with out-of-calibration instruments? Not much.

My advice- if there’s value added by performing a measurement, then do it right and calibrate your equipment. If you don’t think a particular measurement is important enough to warrant regular calibration of your device, then I’d say you ought to seriously consider deleting that measurement from your process.

One question that I’ve struggled with over the years…and still struggle with…is how to properly address the problem of an employee who makes the same mistake over and over. Sure, in the magical fairy tale land of ISO9001:2000, it’s easy to blame it on “insufficient training” and be done with it. But there are times when you can “train” someone until you’re blue in the face and it doesn’t make any difference. The person may appear to be competent and seems to understand your words. And for a day or two after training everything is OK. But then the same problem pops up.

Cultural differences between management and employees complicates the situation. I, being your typical college-educated white male, have a hard time understanding the motivation…or lack of it…among members of the Hispanic community that pervade workplaces here in Southern California. You can repeatedly ask an employee to do something, or not do something, and the employee will repeatedly tell you “OK, I understand”. Then the next day the same problem occurs. I just want to tear my hair out sometimes, but that obviously is not the solution.

I do believe that disciplinary measures are an effective last resort to resolving chronic misbehavior. This is assuming that top company management goes along with your assessment. If not, well then you may be screwed in your attempt to address a Corrective Action Request.

If there is an employee who appears competent, but continually repeats the same mistake, you might want to look at other factors.

There might be a medical condition, which you can’t really ask about, and most people won’t readily tell you about even if you do ask. Does the employee have dyslexia or another learning disability? This is a tough area to deal with, due to the aforementioned privacy issues. But if you suspect there may be medical factors to blame, you’ll either have to deal with it or move the employee to another area, if that’s an option.

There might be some other factor other than general employee disinterest. Does the mistake always happen at the same time? On the same day? Are there any other events that occur at that time? Does the mistake happen at the same time the cute UPS delivery lady arrives? You might look at a bigger picture of events surrounding the mistake to see if other factors are at work here, and take appropriate action.

Later we will discuss other possible ways to address repeat mistake makers.

Let’s say you own a small shop that manufactures spare parts. It is a sole proprietorship with you as the sole full time employee. You want to streamline your manual and procedures as much as possible, to include only the bare essentials to conform to ISO9001:2000. You’re the only person there, you need to maximize time making your product, but still have a quality system that satisfies customer requirements. What are the minimum requirements and how best to achieve them?

There are six required procedures in ISO9001:2000. They are as follows:
1. Document control
2. Control of Records
3. Control of non-conforming material
4. Internal audit
5. Corrective Actions
6. Preventive Actions

Beyond these, any additional procedures are optional. Sometimes you can get away with satisfying a requirement in your manual, without writing a separate procedure for it. For example, while it is a requirement that you have a periodic management review, it is not a requirement that you have a separate procedure for management review. You can document your management review method in your manual.

You have to make sure you follow all the requirements of the ISO9001:2000 quality standard. I assume you have a copy of the standard, or a good book that tells you all the requirements. If not, I recommend a book by Charles Cianfrani titled “ISO9001:2000 Explained”. This book contains all the elements of the quality standard, with very good explanations. It’s easy to read and I have found it invaluable for new clients.

There are many ways to keep it as simple as possible. For one thing, your quality manual sections and procedures should probably be 2 to 3 pages maximum. Any more than that and I’d guess you’re doing too much work.

I would also recommend you combine Corrective Actions and Preventive Actions, since they are so similar. You can use one form for both procedures, with just a check box on the form to denote whether it is a “corrective” or “preventive” action request. You may find that you can streamline other forms in a similar manner.

Without knowing your particular operation it is difficult to give any more specific recommendations. If you have a question about a specific area of your business, please feel free to post it here.

If you’re under the gun from a customer’s demand that you get ISO9001:2000 registered, and you have lots of personnel resources at your disposal, you might be able to get it done in a couple of months. If you’re trying to implement the quality standard while you’re learning it, and you have no time constraint, I’d expect it to take you up to 6 or 7 months.

If your operations are complicated it will take longer, if you run a rather simple business, it will be quicker, of course. There is no correct answer here, everyone takes as long as they have.

Tell us about your particular situation. How long do you think it should take?

Continuing this blog, we know that some of the general requirements of an ISO9001:2000 quality management system include:

• identifying and documenting the processes and procedeures used in your quality management system
• determining and documenting the sequence of your processes, and how they interact with one another.
• determining and documenting your criteria needed to show your processes are effective and what methods you use to accomplish this.

If you choose to outsource any process that affects your product’s (or service’s) quality,
then you must also take steps to make sure that outsourced process is under your control.

For example, let’s say you produce an NAS- standard aluminum washer to be used on a military aircraft. In your shop you’ve got the machines needed to stamp out bolts and put threads on them. But the military specification calls for a hard anodizing, and you don’t have capability to perform plating in your shop. No problem, just find an anodizing shop, right?

It’s not quite that simple. Who are your customers for that washer? What are their requirements? If you want to sell the washer to Boeing, you probably have to use a plating shop that is also approved by Boeing. In addition to customer requirements, you have to go thru the process (there’s that word again…) of finding and approving the plating shop you’ll use. Are they also ISO9001:2000 certified? How about AS9100? Have you inspected their facility? Can you be reasonably certain they are not farming the work out to another vendor that isn’t approved?

Once you’ve followed your process and approved the plating shop as your vendor, there’s more work to do to ensure your product meets YOUR requirements. The military specification calls for a total thickness of .085 inches, and your company specifications and drawings do the same. It is not ultimately your vendor’s responsibility to ensure your product is in conformance with your specifications. This is YOUR responsibility. Every shipment of washers should be inspected upon receipt from your vendor. I’m not saying that every washer should be inspected, but a reasonable sampling should be measured before any parts can be used or sold.

Remember that you want to make sure your product conforms to your specifications, and also your customer requirements. Many industries and products require documentation to prove that the various processes used are also in conformance and were done by approved sources.

Not only does the product have to conform to satisfy your customer, but you’ve also got to satisfy your ISO auditor. Have you taken reasonable steps to ensure your product is always in conformance? Is it possible that, even tho your products so far are in conformance, that maybe you’ve just been lucky? How likely is it that something could go wrong? Will your process stand up to the scrutiny of an outside auditor?

This is the second part of an occasional series on ISO9001:2000 Section 4.1, General Requirements.

Keep in mind that when the ISO9001:2000 quality standard uses the word “shall”, then whatever they’re referring to is a requirement, not a suggestion.

We’ve already written about how your company must identify and document all the processes that affect your quality management system. In addition to identifying and documenting them, you must also document how they interrelate with each other, and in what sequence. You’re basically writing an operational manual for how your company works. After all, you want all your people to be “rowing the boat” in the same direction, so its very helpful if they’re all looking at the same map.

You must also determine the criteria and methods needed to make sure that the operation and control of your processes are effective. If you’re turning out small, large, and medium widgets, what is your criteria for determining if they are good widgets? What size constitutes small, medium and large? How do you ensure that your criteria are being met? Who’s responsible for determining what is acceptable and unacceptable?

Another requirement in ISO is that you have available sufficient resources and information needed to support the operation and monitoring of your processes. Do you have adequate machinery? A sufficient quantity of adequately trained personnel? A sufficient quantity and quality of measuring devices?

More on this later.

Your comments are encouraged.

This is part one of a primer on the general requirements of the ISO9001:2000 quality management system. You can find these in section 4.1 of the standard.

1. Your organization or company must identify the processes needed for your quality management system, and you must also decide how these processes will be applied in your company.

What processes do you use (or will you use) in your quality management system? Do you have a procedure for handling sales orders? Purchase orders? You’ll probably need a written procedure on how to choose vendors, and a system of recording which vendors are approved. You might have an inspection at time of receiving, another in-process, and yet another at final shipment.

You must identify ALL of the processes used in your quality management system. It’s likely that you’ll have to create one or two processes to meet the requirements of the ISO9001:2000 quality standard. You might have no existing system for approving vendors, for example. Under ISO, you’ll not only have to develop a procedure for approving vendors, but you’ll also have to keep records of which vendors are approved, which have been disapproved, and you’ll also have to keep records of your vendors’ performance. There are a lot of records needed in an ISO9001:2000 quality system, get used to it!

A lot of people think they need a formal purchase order from their customers in order to satisfy the requirements of ISO9001:2000 section 7.2.2.

I do believe its a really good idea to have such a purchase order, but if you’ve had a long lasting relationship with your customers, and have done business for years verbally or by e-mail, there are ways to continue such business while still satisfying the requirements if ISO9001:2000.

Please realize that this, like most every part of ISO9001:2000, is subject to interpretation by your auditor. Most (but not all) auditors I’ve met are reasonable people, and chances are you’ll be able to make your system work to the satisfaction of your auditor, as long as you’ve made a good effort to satisfy ISO’s requirements.

For example, if you’ve always done business with a particular customer verbally, and your customer does not wish to start sending you formal PO’s, I have a couple of recommendations for you. First of all, your customer might be OK with sending you an e-mail PO. As long as the e-mail is identifiable as to who sends it, and contains the pertinent information such as part number, condition, quantity, price, etc, this should suffice. Be sure to write in your quality procedures that e-mail customer purchase orders are acceptable as long as they include the specific information you need.

Let’s say your customer orders only one thing from you, but orders regularly and includes only quantity and price, for example. To work around this, you might draw up a letter that your customer acknowledges with a signature. The letter, a one-time document, could spell out the customer’s requirements for quality, delivery, condition, description, etc. Having such a letter would go a long way toward satisfying an ISO audit when it comes time to look at 7.2.2.

If the customer only wishes to purchase verbally (yes, there are still a few of these people around) you could have your salespeople fill out a sales order form, with a checklist format. The form would include all the pertinent information, and maybe your procedure could state that the salesperson complete the form, read it back to the customer for their confirmation, check all the requirements on the form and sign it. Maybe you could even fax a copy to your customer for good measure.

There are usually ways to make any legitimate and reasonable style of business work with ISO9001:2000. If in doubt, ask your consultant or registrar, they’re usually very helpful in matters where you may be in doubt.