(ISO) Quality Manual Chat

I’ve covered this topic before, but so many people continue to ask about the differences in the revised standard that I feel compelled to write again.

As most reading this probably know, the ISO9001 quality system standard is revised periodically. There was a version in 1994, another in 2000, and the latest revision came late in 2008. Hence the updated standard is now called ISO9001:2008.

Here are some things to know about the latest revision.

There are no new requirements for 2008. Yay! The bad news is…..well, there isn’t any bad news! The 2008 revision includes additional text to clarify some sections of the standard.
The changes to the quality standard include the following:
Clause 0.2 – Process approach: Text added to emphasize the importance of processes being capable of achieving the desired outputs.
Clause 1.1 – Scope: Clarification that “product” also includes intermediate product. Explanation regarding statutory, regulatory and legal requirements.
Clause 4.1- General Requirements: Additional explanation about outsourcing. Types of control that may be applied to oursourced processes. Relationship to clause 7.4 – Purchasing. Clarification that outsourced processes are the responsibility of the organization and must be included in the quality management system.
Clause 4.2.1 – Documentation: Clarification on needed records. Explanation about combining required documents. Explanation about ISO9001 requirements being covered by more than one procedure.
Clause 4.2.3 – Document Control: Clarification regarding controlling external documents.
Clause 4.2.4 – Records Control: Editorial changes only.
Clause 5.5.2 – Management Representative: Clarification regarding Management Representative being a member of the organization’s own management.
Clause 6.2.1 – Human Resources: Clarification regarding competency requirements for personnel involved in the quality management system.
Clause 6.4 – Work Environment: Clarification regarding working conditions.
Clause 7.2.1- Customer Related Processes: Clarifies post-delivery activities, warranty provisions, contractual obligations, supplemental services.
Clause 7.3.1- Design and Development: Clarification regarding purposes of design and development review, verification and validation. Review, verification and validation may be conducted and recorded separately or in combination as appropriate to the organization.
Clause 7.3.3 – Design and Development Outputs: Clarifies information needed for production and service provision includes preservation of product.
Clause 7.5.3- Customer Property: Explanation regarding intellectual property and personal data.
Clause 7.6- now retitled Control of Monitoring and Measuring Equipment: Explanation regarding use of computer software.
Clause 8.2.1 – Customer Satisfaction: Notes added to explain monitoring of customer perception.
Clause 8.2.3 – Monitoring and Measurement of Processes: Notes added to clarify appropriate methods, and that the organization should consider the impact on conformity to product requirements and on the effectiveness of the quality management system.

One year after the publication of ISO9001:2008 all accredited certifications issued, whether they be new certifications or recertification, will be to the 2008 standard.

Your ISO9001:2000 certification will be valid for 24 months after publication of the ISO9001:2008 standard. After that, it will not be valid.

If you already have ISO9001:2000 certification, you should have no problem getting recertified to the new 2008 standard, as there are effectively no differences.

Yes, I know it’s going to be nearly 2009 before the 2008 ISO9001 revision comes out. No one ever said a bureaucracy moves quickly.

After a lot of rumors, speculation and innuendo, the new ISO9001:2008 revision is almost here. Here’s the good news: THE 2008 REVISION CONTAINS NO NEW REQUIREMENTS! That’s right…you won’t have to rewrite your manual.

You can’t get a new certificate that says “2008″ until the standard is actually issued, which will be late in 2008. However any registration or surveillance audits done after it’s issued can be done to the 2008 standard….which is essentially the same thing as the 2000 standard.

The 2008 revision contains clarifications of the existing standard, but no new requirements. Yay!

Your ISO9001:2000 quality management system requires you to perform a management review at planned intervals. In practical terms, the minimum is once per year. For a new quality management system I’d recommend you have management review meetings from 2 to 4 times per year. They don’t necessarily have to take all that long, unless you have some particularly long-winded people in your organization. After 3 or 4 years, once your quality management system has matured and people know their roles, you might think about reducing the frequency of management reviews to once or twice per year.

Its up to you to decide who attends your management review meeting. Members of top management should attend, along with relevant quality people and possibly department heads.

You must keep records of your management review meetings, including who attended.

You should have an agenda going into the meeting. Inputs to your meeting should include, at the mimimum:
-follow-up on previous management review meeting
-results of previous audits
-process performance and product conformity
-customer feedback
-status of preventive and corrective actions
-changes to your company that could affect the quality management system
-recommendations for improvement

One person, usually the quality manager or the management representative to the quality system, should prepare the agenda, notify everyone who should attend, and conduct the meeting.

Once you’ve gone thru all the items on your agenda, you’ll have generated some outputs. Management review outputs typically include:
-a record of the meeting
-corrective and/or preventive actions
-resource needs
-any other improvements to the effectiveness of the quality system, its processes, and/or your product or service.

Management review meetings may sound like some ominous burden, but in reality they may take as little as 30 minutes. It all depends on how prepared the people are, the complexity of your company, and the effectiveness of the person running the meeting.

What is ISO 9001?

ISO 9001 is a Quality Management System standard that helps organizations to get better organized, to produce and ship fewer discrepant products, and to help ensure they are meeting customer requirements. The ISO9001 standard was created to help the organization’s management is to implement systems to better run your business.

When I tell people about ISO9001:2000, many managers will say to me “Oh, that’s like a “best practices” kind of program”. Which is correct.

The ISO9001:2000 standard offers a more structured approach for various processes intended to help your business, such as:
Reviewing and meeting customer requirements;
Realization of your products and/or services;
How employees are hired and their competency determined;
Control of important company documents to make sure only current versions are used;
Periodic review of the quality system by company management;
Correction of unintended results, and prevention of their recurrence;
and other areas of business management.

The ISO9001:2000 standard is a 23 page document, and provides guidance in many areas of business. It does not deal with accounting issues such as A/P and A/R or payroll. The ISO9001:2000 standard can be purchased from ANSI (www.ANSI.org) the American National Standards Institute, or directly from the International Organization for Standardization in Switzerland (www.ISO.org) ISO9001:2000 can be applied to any business – no matter the industry or size.

What does ISO stand for?

The International Organization for Standardization is based in Geneva, Switzerland, and is comprised of standards organizations from 158 countries, including ANSI (the American National Standards Institute) in the United States. Because an acronym for their organization would be different in different languages, they used the word “ISO,” derived from the Greek word “isos” meaning “equal.” Standards of all types are intended to act as an equalizer for companies doing business around the world.

The ISO organization promulgates many different types of standards, from the popular business management system ISO9001:2000, to standards dealing with other issues such as food production, medical device inspection, and pollution emissions.

Why get ISO9001:2000 certification?

There are two primary benefits to implementing an ISO9001:2000 quality management system. The first is the organizational benefits derived from greater efficiencies, fewer discrepant products made, possible reduction of costs, and greater customer satisfaction. The second is that lovely little certificate that you can proudly show to potential customers in the hopes of convincing them you are a good company to do business with. In some industries, major players will not even consider purchasing from you unless you have your ISO9001:2000 certification.

The standard is based on best practices for organizations. It provides management with tools to objectively decide where things are working well and where to apply resources to make improvements. ISO9001:2000 helps to maximize the effectiveness of your business, enhancing growth through increased customer satisfaction, and reducing cost. It can give potential and existing customers confidence that you have an organization that can consistently meet their needs.

What will it cost?

It depends on the size and type of your business, and how much time you have to implement the standard. If you have some time and want to tackle it yourself (which is often feasible), the only real costs will be in the time dedicated to the implementation process by you and/or your staff, doing research, writing documents, and training personnel. If you don’t have much experience with quality systems, or if you don’t have a lot of time available, you might consider hiring some professional help, in the form of a consultant. Consultants range in cost from $300 to $600 per day, and the time needed will totally depend on the size and complexity of your company.

There is also the cost of the registrar, which is the company that will be performing independent audits of your quality system. Most registrars charge a certain rate per day to be on-site at your facility. These days registrars charge about $1,100 – $1,500 per day per auditor. Small companies of 2 to 15 people might expect one auditor on site for 2-3 days; larger companies may require several auditors for an extended site visit. Please note you CAN negotiate with registrars for their days and fees. ISO9001 registars are businesses just like you, and they want your business. They are often flexible in their quotes.

There will be an initial registration audit, and then surveillance audits. You might choose annual surveillance audits, or possibly semi-annual audits. Ask your registrar about your choices and how they’ll work best for you. Surveillance audit costs will be less than the original registration audit, as the time spent will be shorter. Once every three years the registrar’s auditors will return to audit your entire system.

More on this later.

According to section 5.5 of the ISO9001:2000 standard, to be in compliance with the ISO standard you must ensure that responsibilities are well defined. documented, and communicated throughout your organization.

One task you must do is appoint a management representative to the quality system, which we’ve discussed recently in another post.

Today we’ll go into the “internal communication” part of the requirements.

Your company’s top management must ensure that there are established and documented methods of communication within your company, and that communication actually takes place regarding the effectiveness of your quality system. Of course, in order to prove to an auditor that communication actually takes place, you must have records. Sorry, it’s not enough for you to simply tell your auditor something like “yeah, sure, we talk about the effectiveness of the quality system all the time!”.

As with most things relating to ISO9001:2000, the standard tells you what you must do, but leaves it up to you how you should accomplish the task. As long as your methods are effective for your particular situation, and they pass the scrutiny of an ISO auditor, you’re good to go.

One highly effective method of internal communication regarding the effectiveness of the quality system is the management review meeting. Periodic management review is another requirement of ISO9001:2000, so in a way you’re killing two birds with one stone by conducting management review meetings. Of course you’re recording your management review meetings, their input and output, etc, so this is one way to prove to your auditor that you have a method of communication and you’re actually communicating. The minimum frequency for management review meetings is once per year, but I highly recommend having them more frequently while your new quality management system matures. If you’re actively using your new quality management system, you’ll likely have to make quite a few changes in the first couple of years.

The management review process should not be the only method of internal communication used regarding the effectiveness of the quality management system. You can use things like memos, signs, other scheduled and non-scheduled meetings, training programs, and whatever other kinds of communication you can think of. Just be sure your methods of communication are well documented in your quality manual and/or procedures, and that there are records of these communications taking place.

Your ISO9001:2000 quality management system requires you to gather certain kinds of data, and periodically analyze this data to see how you’re doing. ISO9001:2000 is all about “continuous improvement”, after all. In order to show that you’re continually improving, you have to be able to measure certain objective parameters.

You must be able to show, through your data, that your quality management system is effective, and you also must be able to evaluate where improvements can be made. Data used for these purposes can be gathered from within your organization, and also from external sources. Every company is, of course, different, and the data you gather will be unique to your situation.

ISO does give some specific guidelines about what kind of data you must gather.

First of all, you have to gather information that allows you to objectively measure customer satisfaction. How you do this is up to you. Some people use customer surveys. You might have your outside salespeople fill out a report every time they visit a customer. You can have your inside sales or customer service people keep a log of customer comments, both good and bad. Keep in mind that you have to come up with some kind of objective measurement, so however you do it, it’ll be easier to deal with if you can turn your data into numbers.

You have to gather data that shows conformity to product requirements. This might take the form of inspection records, testing reports, rejection reports, etc. Nonconforming material reports might be used to keep track of how many rejections occur. Maybe you will compare the number of rejections versus the number of parts that pass, and come up with a percentage. Maybe one of your quality objectives is to have 99.9 percent of products pass inspection, and you currently have 99.2 percent. Now you have a concrete objective to work towards. Hopefully you can come up with ways to improve your product and/or processes so that over the next year you’ll reach 99.3 percent of products that pass inspection. It’s not much, but its improvement, and this is what your ISO auditor will be looking for. Quality objectives should be, in my opinion, slightly out of reach. You always want to be able to show improvement, but the moment you actually hit your goals, well now you’ve got to set your goals higher!

ISO9001:2000 requires you to gather data that show characteristics and trends of your processes and products, including opportunities for preventive action. This requirement has always seemed a little vague to me, and I’ve never heard a great way to accomplish this. Fortunately most auditors I’ve worked with apparently also think it’s vague, as I’ve never had to deal with this during an audit. As long as you have documented a system that includes preventive action, and you keep track of trends in your processes, you should be fine.

The last bit of data that ISO requires you to monitor is your suppliers. You must maintain records on your suppliers, showing their performance. Again, how you do this is up to you. Keep records of each supplier, and go thru and approve them at least once per year to show that you monitor their performance. If possible, keep track of your suppliers’ delivery and quality performance.

Work instructions are an optional part of an ISO9001:2000 quality management system. No, you don’t need them, they’re not required. Yes, they are often a good idea, and there’s a really good chance that you should have them.

If your people have lots of processes that would benefit from having documented instructions, and these instructions affect the quality of your product or service, then voila! you need work instructions.

Work instructions are another tier of your quality system documentation. So what are the requirements for constructing your work instructions?

Actually, there are no requirements for how you construct your work instructions.

There are various items that you might want to include in your work instructions, and these are similar to what you’d write an ISO procedure. Some of the items you might include in work instructions are: 1) purpose, 2) scope, 3) responsibilities, 4) definitions, 5) work instruction steps, 6) safety & environmental information, 7) associated documents, 8) document revision history.

But don’t feel compelled to include all of the above in your work instructions. In its essence, a work instruction pertains to a signle activity within a larger process. Keep your work instructions concise, to the point. You want to describe the who and the what and in which sequence things happen. Its a good idea to first write down all the necessary steps in carrying out that activity and then break it up into individual tasks. You’ll probably find it easiest to format your work instructions in a manner similar to your ISO procedures.

Keep in mind, though, that you don’t need to write your work instructions so detailed that a moron could follow them. It is reasonable to assume that the people who use the instructions have a fair degree of intelligence and experience, and your work instructions are written for them. So don’t go nuts.

Also keep in mind that work instructions can take many forms. A picture on a wall, a flow chart, a cartoon, a video, a set of example parts glued to a piece of wood, these are all forms of work instructions.

Ultimately you have to ask yourself “Can the worker do the job correctly, based on the work instruction?” If you can’t honestly say “yes”, then try, try again.

You’re a quality person, working for a company, doing your job. The company doesn’t really have any serious problems, but one day someone gets a bug in their ear that the company should have an ISO9001:2000 quality management system. Or, even worse, your company’s biggest and best customer has decided that you need to implement ISO. And you’re handed a due date. Yikes!

Whether you’re a quality professional working on ISO9001:2000 for the first time, or a quality consultant hired to get a company certified, you can’t do it alone. You will need help.

I recently started working with a customer who wants to get ISO9001:2000 mostly due to customers’ mandating it. The company isn’t perfect, they have a few organizational issues, but they don’t have any serious problems, and they produce high quality products with very few returns. They are recognized as the leader in their industry, and the people working there are mostly long term, dedicated employees. It’s obvious that top management has fostered an atmosphere of teamwork and cooperation.

The company has been trying to get ISO9001:2000 certification for a few years. Fortunately they have not had a customer deadline….yet. The main reason, in my opinion, why they haven’t been able to get registered is because they did not have the right person driving the quality program.

The last person charged with driving the ISO program was apparently an older curmudgeon who rubbed people the wrong way. Instead of listening to the people who already do a good job, he alienated people with his insistence that it was his way or the highway.

The employees already working at the company don’t really know much about ISO, and they don’t really care. They know the company needs it and wants it, but they are already very busy trying to do the best job they can at their position. For someone to come in and tell them they’re doing things the wrong way, and they have to change to satisfy ISO, well, this is not a great way to get people on your side.

While you certainly may need to implement some new records, maybe change around a few procedures, I am a huge proponent of avoiding large-scale changes at any organization just for ISO’s sake. Chances are that if a company is successful and well-established, they’re already doing a lot of very good things. Why mess with that?

ISO9001:2000 is somewhat malleable, and has some gray areas, as we all know. The ISO9001:2000 quality standard was intentionally written this way so it can apply to all sorts of different organizations.

I’ve run into many people who only know a little bit about ISO9001:2000, and they’re a little intimidated by it. They believe ISO will dictate exactly how their company must be run, and they’re afraid that with all the forms, procedures and records that they won’t be able to get any actual work done.

I think one sign of a successful ISO quality consultant, or a good quality professional of any kind just coming into a new company, is that he/she is a good listener. It’s amazing how much you can learn about a company just by listening to people. And by listening at first, you will probably find that people are much more receptive to what you have to offer later.

You will need help from others to implement a new ISO9001:2000 quality management system. No one can do it alone, unless its just a one person company.

The first two things I’d recommend to any person trying to implement ISO are:
1. Realize that you can tailor ISO to the company. If the company is already doing well, try to change company procedures as little as possible.
2. Listen to the people who work there. This will pay you huge dividends in the future.

We all joke about needing a whip to get people in line, but the reality is that you want people on your side in order to have an effective quality system. If you make a bunch of enemies at first, you’ll never be successful.

It’s clear that without solid management commitment, you will not have a successful ISO9001:2000 quality management system.

Some of the items that are required under section 5 of the ISO9001:2000 standard include:

Your top management must be able to provide evidence of its commitment to your quality system, and its continual improvement.

Top management must communicate to the organization that it is of the utmost importance that the company meet customer requirements, as well as any applicable government regulatory requirements.

Top management must establish a quality policy. This is usually a few sentences at the beginning of your quality manual. Think of it as a high level direction. If you were commanding an ocean liner, the equivalent would be to say “we’re going to New York”. The rest of your quality manual and procedures will give everyone detailed instructions on how you’re going to get there.

Top management must see that quality objectives are created, and that quality measurements are taken and recorded and compared against those objectives. One of the driving goals of ISO9001:2000 is “continual improvement”. You must be able to demonstrate continual improvement. This is done by establishing quality objectives (or goals) that are just slightly above where you are at now. A year from now, after a year’s worth of measurements, you should have evidence of improvement. If you don’t, you’re doing something wrong. Having your quality measurements (records) compared against where you were, and where you want to be, is a really good place to start figuring out how to improve your system.

Top management must conduct periodic management reviews. That is, management must review the quality system and make changes if necessary. And, of course, you have to be able to show evidence of your management reviews, so records are necessary.

Top management is also charged with the responsibility of ensuring that adequate resources are available to people within your organization. This means all resources, from adequate personnel (both quality and quantity of those personnel) an adequate environment to accomplish the work, the necessary tools, computers, paper clips…..everything needed to run the company, accomplish your goals, and continually improve.

The ISO9001:2000 quality standard says that you must review product requirements prior to your organization commiting to supply the product to your customer. Different companies handle this in wildly different ways, it all depends on what kind of company you are, and what your product is.

For some companies this is easy. You get a request for quote (RFQ) from your customer, which specifies their requirements. You prepare a bid or tender that states what you will supply. Your bid can simply reiterate your customer’s requirements, or you can state you own product specifications and how they might be different from your customer’s RFQ. Either way, you’ve got to let them know what you intend to supply.

Or it might be a lot more simple. If your organization sells consumer products such as, let’s say motorcycle brake levers, then life is a little easier. You make your product specifications known to your customers by way of advertising, catalogs, web sites, etc. Its a standard, well known product that is the same for every customer. The customer merely lets you know the part number they want to order.

Even in a case like the above mentioned brake lever company, you want to have procedures in place to make sure your sales people get the customer requirements right. Since many orders are placed verbally over the phone, you’ve got a couple of options to consider.

You could require all your customers to fax or email a copy of their PO to you. Of course, you would not be able to ship their order until they do so, as you’d need a confirming copy of their order on file. This is not practical for many companies.

Another thing you might consider is having your sales people follow a procedure to confirm the customer’s verbal order. You could require your people to repeat the complete order to the customer as confirmation. And as a record of this this confirmation you can have the salesperson sign the sales order. Maybe you could include some verbage on the sales order form that states “confirmed entire order with customer”, with the salesperson’s signature next to it. This way you are holding the salesperson responsible for making sure the order is correct. If problems arise due to alleged “communication errors”, you should be able to narrow down the problem to one person in your organization, and take appropriate corrective actions.

In chapter 7 of the ISO9001:2000 quality standard there is a requirement that you control devices you use for monitoring or measuring your product. Like so many parts of the ISO quality standard, you have a fair amount of flexibility in how you accomplish this.

First of all you should determine if you actually have monitoring and measuring devices. You might not. If, for example, you are a distributor of automotive distributor caps, and all you do is receive and ship boxes of distributor caps, this section of ISO probably does not apply to you. It is perfectly fine to claim you are exempt from this section of the ISO9001:2000 standard, as long as it’s true. If all you’re doing is visually verifying part numbers, and counting quantities, then you should make a note in your ISO quality manual that this section does not apply to you. However, be warned that if an auditor finds a calipers or a micrometer in your facility, you could have some explaining to do. If you’re going to exclude the “control of monitoring and measuring devices” section of ISO, then it would be best to make sure such devices are not to be found on your premises.

You may also be able to exclude individual devices, but again you’d better have a really good reason for doing so. One company I worked with has a company owner who rarely participates in the business, leaving the company operation to his partner. This owner still comes into the office each day, but works on personal projects that have nothing to do with the company. He’s a gadget freak, too, and has lots of cool little tools laying around. Again, his personal tools have nothing to do with the company, but they are on the premises and would certainly arouse the curiosity of an auditor.

What we did in this case was specifically exclude the owner’s personal tools and devices. We also had to label the devices as “uncontrolled” and instruct everyone in the company not to use those devices. It was an unusual situation, but it worked out fine.

The ISO standard states that “where necessary” your measuring and monitoring equipment must be periodically checked and calibrated to verify accuracy of your measurements. ISO gives you the flexibility to decide for yourself what kind of calibration is necessary, and how often. On one end of the spectrum, a yardstick is a measuring device that most likely does not need periodic calibrating. On the other end, a micrometer should probably be calibrated at least annually.

Calibration of measuring devices should be done by qualified technicians, and records must be kept. If a measuring device is found to be out of calibration, you should take steps to ensure that products measured with that device are rechecked. In extreme cases you may wish to consider a recall of products that already shipped.

ISO wants you to calibrate your measuring devices against measurement standards traceable to national or international measurement standards. If, however, there are no such standards for what you’re measuring, you must have records of what basis you use for calibrating your devices.

You should be able to quickly identify the calibration status of all measuring devices in your organization. A label on each device is usually sufficient.

More on this later.

ISO9001:2000 section 4.2 states the requirement to have a documented quality policy. Cynical people might look at the quality policy as a bunch of horse dung. And lord knows I’ve seen quite a few companies that don’t take any part of their quality system seriously. So its not surprising that some folks might not take their quality policy to heart.

Unfortunately, in many companies the quality policy is effectively meaningless. Empty words written just to be in compliance with the standard.

Part of the reason why you need a wll written quality policy is to make your employees understand that their job affects product quality, and therefore the success or failure of the company. Your people must be made aware that their individual contribution is vitally important to the company’s overall success.

If your quality policy is simply written to satisfy the requirements of ISO9001:2000, then it might be worthless. You should keep it simple and keep it relevant to your organization. Make it meaningful to the people in your organization.

Your quality policy can also be thought of as making a commitment to quality. If management doesn’t take it seriously, then employees won’t either. However if management demonstrates an actual willingness to improve product quality without throwing people under a bus, then maybe the employees will also get on board.

In many cases the quality policy is just a bunch of words that management agonizes over to get the wording just right. It gets printed in your quality manual, posted on some walls, and then it is promptly forgotten about. Until the next audit, that is.

Your people don’t need a bunch of fancy hogwash to know what good quality is. Everyone knows when your quality policy isn’t worth the paper its printed on. It is up to management to show everyone the way by their actions, not merely by their words.

Documents required by your ISO9001:2000 quality management system must be controlled. This is a requirement of ISO9001. See Section 4 of the quality standard. No ifs, ands or buts about it. But like most elements of ISO9001:2000, you have tremendous leeway in how you accomplish it.

By quality system documents, I mean your quality manual, quality procedures, and any work orders and forms you may have that are part of your quality system.

As you can tell from my previous posts, I’m a big fan of electronic document control where possible. With computers so reliable and prevalent, most companies should be able to control their documents electronically. This will save you lots of paper and avoid some headaches too.

Some old-school companies are still around, not fully computerized. Paper hard-copy quality documents might be the only option for such companies.

There must be a method of approving documents prior to issue. And, of course, you have to be able to prove that your documents were approved by the appropriate person in your organization.

There must be a method of updating your documents and re-approving them. Yes, you have to have a way to prove they were re-approved.

You must have a way to ensure that any document changes are identified, and a way to know the current revision status.

Your controlled, updated, current quality documents must be available to people who need them. You must have a way to ensure that obsolete documents are not used. If you have some reason to retain obsolete documents, they must be identified as such to prevent accidental use.

Your quality system documents must be legible, and easily identifiable.

Any documents from external origin (drawings from a customer, for example) must be identified and their distribution controlled.

An electronic document control system has several advantages. You can easily protect an electronic document with a password known only to authorized personnel. As long as the password is secure, it would be quite difficult for an unauthorized person to change a document.
And as long as you can prove you have a secure password system, you can prove that only authorized people have made any changes. And if changes were made only by an authorized person, you’ve also accomplished “approval for adequacy” at the same time.

In an electronic system there are no controlled paper copies of documents. I recommend you state “uncontrolled if printed” on every document, informing any reader that if they’re looking at a paper copy, it may not be the current revision. Every user has immediate access to the latest revision within seconds of the revision being made. No having to wait for copies to be made and distributed. No more going through reams of copy paper every time a small revision is made. No more trying to track down a binder that’s supposed to be in a particular place in your factory, but always gets lost. No more trying to read documents through coffee and jelly-doughnut stains.

You must also have a written procedure for occasional review of your documentation. I suggest you include this during your periodic management review. On your management review agenda (one of your controlled forms) include on your checklist “review quality system documentation and re-approve for adequacy, or identify changes that must be made”. Something to that effect.

If you’ve looked into an ISO9001:2000 quality management system, you’ve probably found dozens of online companies offering to sell you your ISO documentation. What do you think about that? Ever wonder what you get for your money? Would “bought” documents work for you?

I’m going to answer this with a definite “it depends”. I strongly do not believe that you can purchase your quality manual, procedures and forms and implement your quality system quite so easily. It may sound nice, but only to people who are not terribly familiar with the ISO registration process.

However some so called “do-it-yourself” ISO quality systems might be worth looking into.

Here’s the deal: Don’t spend a lot of money on do-it-yourself documentation. You can find perfectly good documentation for less than 50 bucks online. This is far, far cheaper than even one hour of a consultant’s time, and might be worth your time. Keep in mind, tho, that just like a free lunch, there is no such thing as a turn-key ISO quality management system.

You can purchase ISO documentation online for several hundred dollars, and the sellers may lead you to believe that all you have to do is plug in your company name and you’re good to go. This is highly unlikely. No matter how much you spend on documentation, in order to get a quality system that works for your company, you’re going to have to do a lot of modifications yourself. No two companies are exactly alike, therefore no two ISO quality systems will be exactly alike.

If you’ve decided you want to have a go at creating your own ISO quality management system, I applaud your decision. For a small to medium sized company, you can definitely do it yourself. Keep in mind this is going to take some time, and quite a bit of effort. And buying some sample ISO documentation for under $50.00 might be a good investment. I wouldn’t spend any more than that, though.

Go ahead and buy the 50.00 documentation, and also buy one or 2 books on the subject of ISO9001:2000 quality systems. With a little reading and writing, and some sample documentation to give you some guidance, you can definitely do this.

But please don’t spend hundreds of dollars “buying” your quality manual. You can get the same information for less than $50.00, and you’ll save enough to buy some books. I also recommend you purchase a copy of the actual ISO9001:2000 quality standard, either from www.iso.ch, or www.ansi.org.

One of the somewhat nebulous and confusing terms in ISO is “product realization”. It took me a while to understand this concept, and I know I’m not alone. The reality is that it is an extremely simple concept.

Product Realization is simply realizing your product. OK, maybe that’s a little too simple.

Here is Webster’s definition:

realization: 1) the action of realizing; the state of being realized

realize: 1a) to bring into concrete existence: ACCOMPLISH – as in “they finally realized their goal”

Product realization means making your product – the activities and processes necessary for you to bring your product into existence.

OK, so let’s say you are a Home Inspector who wants to get ISO certification…hey, it could happen. Your “product” is not a tangible object, it is a service. That’s OK, in the eyes of ISO9001:2000 a service can be considered as your “product”. Whatever processes you use to accomplish your final product or service is your process of product realization.

Chances are your product realization process is actually a series of several processes. I’ve never seen one business that has only one process needed to achieve product realization.

Product realization is simply doing whatever it takes to get your product (or service) to your customer.

According to reliable sources, it looks like ISO9001:2009 will be the next revision. The ISO Quality Standard has been undergoing much debate over how much to change it, and what kind of changes to make. There was a lot of speculation that 2008 would be the year, but it has been delayed until, most likely, 2009.

Here are some useful tips on what you and your organization should do, and NOT do, during your ISO9001:2000 registration audit:

1. Make sure everyone has been trained and knows as much as possible about what their areas of responsibility.

2. Don’t lie.

3. If you don’t know the answer to a question, tell the auditor you don’t know the answer, and offer to go find it.

4. If the auditor asks “what did your management tell you not to tell me?”, employees should say NOTHING! Of course, management should never tell employees things that they shouldn’t tell an auditor in the first place.

5. Answer the auditor’s questions directly and succinctly. Do not offer anecdotes or stories.

6. Don’t read more into the question than is there.

7. Don’t tell the auditor about things that are wrong with the company.

8. Don’t divulge company secrets without prior permission from top management.

9. Relax, don’t worry. Most nonconformances will be minor and can be fixed.

10. No one should take any questions personally. The auditor is checking on company processes, not any individual’s performance.

11. Be polite, pleasant, and honest.

One company owner I worked with took a while to understand what ISO9001:2000 is all about. At one point he wanted to include quality objectives that were not measurable. They were subjective evaluations.

He asked me if every objective needed to be measurable. Couldn’t they just have as an objective something to the effect of “better quality”, or “more satisfied customers”? The short answer is “no”. I suspect that while he was excited about getting the nice certificate on the wall, he wasn’t too keen on actually following the requirements if ISO9001:2000.

ISO9001:2000 is all about continual improvement. In order to steer a ship you need to know where you are, and where you want to go. It’s the same with a quality management system. Without concrete numbers, its difficult to know where you are, and how you are progressing.

Let’s say you’ve got a website that is a forum with news and reviews on a particular topic, such as motorcycles. You intend to have advertising on your site, so it is a profit making venture. How would you implement an ISO9001:2000 quality management system for such a business?

Your “product” would be your website. Your customers are the good people who will hopefully send you checks to advertise on your site. Would the ISO requirement for Design and Development apply? Probably. You are, after all, continually designing and developing your website. I think it would be fairly easy to document a process of how your website is designed and written. Maybe there could be a process whereby any new content is reviewed and must be approved by the company owner, or some person other than the writer. You could have an electronic signature on the document to provide proof that the process was followed.

How would you measure customer satisfaction? Since you don’t have a physical product, you can’t count the number of returns. There are a myriad of other ways you can measure customer satisfaction here.

You could always ask your customer how you’re doing and document the results. Hopefully you would format your questions so they’re in the form of objective numbers, which would be easy to quantity and track. Over time, hopefully, your customer satisfaction numbers should increase.

You could also count the number of clicks from your readers to the advertisers’ websites. I guarantee your advertisers are keeping track of this, you should too.

In a weird way it’s kind of interesting to think about esoteric little businesses and how ISO9001:2000 may or may not work out. I’ve yet to find a business where ISO doesn’t apply.

Your ISO9001:2000 quality management system (QMS) should be tailored to your organization. The Customer Related Process discussed here is one process that may be used by quite a few companies, but may not necessarily relate to your situation. You have to decide for yourself.

The Cycle Guys is a company that sells motorcycle parts. Orders are called in, or sent via a website. Occasionally a customer might call back to add something, change an item, or cancel their order. Obviously if the customer has waited too long, and the order has shipped, then there’s not too much Cycle Guys can do about it.

However there are times when the customer calls with changes before the order has shipped. The Cycle Guys must devise a way to control their order process so that the correct order is shipped to the customer. How to do this?

At The Cycle Guys, when a sales order is entered into their computer, a copy of the order is printed out for shipping.

The Cycle Guys quality procedure states that the salesperson taking the customer call must immediately walk out to the warehouse to find the physical copy of the order. If the order has already been picked, the salesperson must notify the shipping person that the order will be changed. Whether or not the order has already been picked, the salesperson must find the physical copy of the order and destroy it. Only after the physical sales order is destroyed is the salesperson to then enter the new sales order.

This system depends on the salesperson doing his job and following the procedure. There might be a better way to do this depending on software capabilities of the company, how many people work there, and a variety of other issues. But for a small, 4 person company such as The Cycle Guys, this procedure seems to be working fine.

Is it necessary to incorporate your employee manual into your ISO9001:2000 quality manual? Would you want to do this? What are the pros and cons?

First of all, it is not a requirement of the ISO9001:2000 quality standard. Other than determining competency of employees, ISO9001 does not delve deeply into personnel issues.

I’ve heard a few (very few) people claim that the employee handbook should be a controlled document, and should be included in their quality system. And I suppose this point of view has some merit. You do want to make sure that only authorized personnel are able to make changes in your employee manual, to be sure. And you want to ensure that all your people have access to the latest version of your employee manual. In this regard, controlling this document as you would control quality documents makes sense.

If your company uses the employee manual as part of training related to your quality system (I hope you’re not really doing this) then yes, your employee manual should be included as a controlled document in your quality system. Hopefully you’re not doing this, and you’re keeping your training documentation separate from your employee manual.

Also, if you’re responsible for quality at your organization, you’ve got plenty of time on your hands, and you want to enlarge your personal little kingdom within the company to enhance your job security, you probably will want to incorporate your company’s employee manual into your quality documents. After all, the more complicated you can make things, the better for you.

However, if you are like most companies I know of, with never enough time to run the freakin’ business let alone deal with excessive documentation, then I believe you should not incorporate your employee manual into your quality manual. There’s no requirement for doing this, and very few practical reasons for doing it.

No, it is not a requirement of ISO9001:2000 to measure top management’s commitment to the quality system. It would be kind of interesting if such a measurement was required, tho. Maybe it would weed out those company’s who are really interested in having the nice plaque on the wall, but not so interested in actually improving quality.

This is a topic that quality people often discuss, and I do find it interesting. Although, really, there’s not a lot you can really do if your company’s owner isn’t interested in quality.

One measurement might be something like this: How often does your company owner/president look at sales figures versus how often he/she looks at quality performance? Does company management EVER look at quality performance outside of your annual Management Review meeting? Ever?? I’ve known several who never did. Actually, now that I think about it, I can’t think of one who ever actively wanted to know how the company’s quality performance was doing. All of them only begrudgingly participated in Management Review meetings, at my insistence.

Have you ever met a company owner/president who was actually interested in quality performance? Do you think there are many out there who are? I’d guess they’re in a very small minority. What do you think?

Do you use external documents? External documents are those generated and (usually) updated by organizations outside your company. Documents such as government standards, MIL-SPEC documents, Federal Aviation Regulations, drawings created by your customers or vendors, etc. are considered external documents. Chances are your organization is not responsible for, or allowed to, modify external documents.

If you don’t want to control external documents, you must specifically state in your quality manual, and on the documents themselves, that they are “For Reference Only” and are not updated.

External documents that you depend on, and are updated occasionally, must be controlled in your quality management system. Revision is usually controlled by the publisher. You are responsible to ensure that you have a means to receive updates from the publisher (such as a current subscription) and that you periodically check to make sure that you have the latest revisions.

As part of your document control, you must also devise a way to withdraw the obsolete documents and prevent their accidental use, and also issue the new updated documents to the necessary personnel in your organization. Whatever process you use to make sure you have the latest revisions, you must document this in your quality manual.

A potential client once told me that a previous auditor recommended the client improve his vendor evaluation process. The client’s vendor evaluations only pertained to product vendors, not to services such as the building cleaning service, electrical contractor, and even the ISO auditor who provided the service.

I’ve also heard a few others in the ISO world proclaim that it would be a good thing to include service providers in the vendor evaluation process. However I don’t agree with this. Some ISO auditors and consultants seem to think that business people have all the time in the world to work on little details such as formal evaluation of service vendors. Personally I believe that section 7.4.1 applies to products and services that you use in goods or services that you sell to your customers, not necessarily vendors you use to maintian your building, or other vendors where YOU are the final customer.

While it sure would be nice to have the time and energy to perform a formal vendor evaluation on such vendors, I believe most business owners and employees would much rather spend their time trying to make their company profitable.

I would be interested to hear the justification from someone who feels otherwise.

Tim

If you’re considering writing an ISO9001:2000 quality manual for your organization, it’s good to include a section on “Customer Focus”. ISO is all about satisfying your customer. No matter what kind of organization you have, in one way or another there is some sort of “customer” that you want to satisfy.

A necessary part of your ISO quality system is to describe how you determine customer requirements.

It may or may not be readily apparent how you determine customer requirements. You might have a formal process, such as hiring a marketing research firm to survey potential customers as to what they are looking for. Automobile manufacturers do this all the time. Or, you might have a less formal process. If you’re a small company developing motorcycle products, you might not have the budget for formal market research. Maybe you talk to motorcycle enthusiasts at races and other gatherings.

Think about how it is that you decide what your customers want, which is, of course, the same as deciding what it is you’re going to supply. Write it down. You may not realize that you already do this process. Simply thinking about it and writing down will give you food for thought about how you might improve this process, increase customer satisfaction, which will lead to increase sales.

Is it necessary for you to include Design and Development in your Quality Management System? Being a huge fan of keeping things as simple as possible, I would encourage you to closely look at your processes and see if you truly must include Design and Development in your quality system.

Look at your product. Do you truly design it, or do you produce items based on customer drawings and specifications? Or are you a sales organization or a distributor, with no manufacturing or design processes?

Don’t let an ISO consultant or anyone else tell you that you should include Design and Development in your QMS, just because they think you should. I’ve met a couple of people in the ISO world who just can’t believe than anyone would want to exclude Design and Development from their quality management system. These people strangely believe that just about any company has some design processes, and therefore should include this in their manual and procedures. Don’t let them bully you into this.

As part of your quality management system, your organization should identify training needs, provide training, and periodically evaluate the effectiveness of that training. Employees should be made aware of the relevance and importance of their activities and how they contribute to the overall achievement of quality objectives and company goals.

One or two people in your organization should be made responsible for ensuring that personnel are adequately trained and are competent in their role.

Training needs may be identified at any time, from initial hiring to a changing role, or perhaps due to a corrective/preventive action request.

Your ISO9001:2000 quality manual should include a section on provision of resources. It should state something to the effect that management is committed to providing adequate resources for the implementation and improvement of your quality management system.

One member of top management should be designated as responsible for providing adequate resources to ensure the effectivness of your quality system.

This section of your quality manual should also specify some types of resources that may be needed. Examples include personnel, office equipment, measuring equipment, a workspace environment, and financial resources.

One member of top management must also be designated as having responsibility for determining what resources are required for the implementation and improvement of your quality system. This person may or may not be the same person responsible for ensuring that adequate resources are provided, as stated above.

Your process for determining resource requirements should also be stated. I imagine that most organizations determine resource requirements during management review meetings. It is sufficient for your quality manual to state something to the effect of ” the principal forum for determining and communicating resource requirements is during the management review of the quality management system”.

One of the requirements of an ISO9001:2000 quality management system is Management Review. Management review is a meeting of key company personnel with the intent to review the quality system.

Your management review should follow a structured format, and should include inputs and outputs.

Some possible inputs include the following:

- Results of internal audits
- Review of customer feedback and complaints
- Process data and product performance data
- Status of corrective and preventive actions
- Changes that could affect the quality system
- Follow-up actions from previous management reviews
- Recommendations for improvement
- Review of the Quality Policy and Quality Objectives

The inputs to your management review should reflect your company and your situation. The above listed inputs might be a good place for you to start, but you should choose inputs that best fit your company.

When embarking on a new quality management system, one of the most important decisions you’ll want to make is regarding what it is exactly that you want to accomplish. What you decide now will have a great impact on the direction your quality system takes.

A requirement of an ISO9001:2000 quality management system is to formulate an organizational quality policy statement. This is an overall, high level statement that gives a general idea of where your goals are. It should not be too specific. Something like “Our goal is to achieve 100 percent customer satisfaction, strive for excellence and continual improvement in all our activities” is a good example of a quality policy statement.

Quality objectives are also a requirement of ISO9001:2000. Quality objectives are intended to be specific, measurable goals that you keep track of on a regular basis, and keep records of how you’re doing. Your performance in relation to your quality objectives is one of the records that will be looked at during a third party audit.

With a modern computer system, it is entirely possible to control your required documents and records electronically. It is vital that your quality system documentation and records be adequately controlled, and you might find that keeping these on your computer network is the best bet.

Some advantages of controlling documents electronically include:
1. If properly password protected, the people you want to have access, will have access, as long as they have a computer on your network. The people you don’t want to have access, won’t.
2. Computer records, if backed up and stored properly, are less likely to undergo deterioration from the environment.
3. Documents and records that are properly password protected can not be altered or deleted by unauthorized personnel.
4. It is much simpler to update or change electronic documents. All users will instantly have the latest and greatest version of the document. There are no paper copies to update, no obsolete paper copies floating around.

Of course it takes a little discipline to have a system of controlling documents and records electronically. For example, your people must be somewhat trustworthy and not divulge passwords to unauthorized people. Also, it is important that people do not print copies of documents and records and leave these uncontrolled copies laying around. You may wish to consider labeling all documents “Uncontrolled If Printed”.

It’s a great idea to control your company’s records. By controlling, I mean that your organization should store important records in a secure environment, with access available to those who truly need to see the records, and access prevented from others. Controlling records pertaining to your quality management system is a requirement of an ISO9001:2000 quality system.

One of the beautiful things of ISO9001:2000 is that it gives you great latitude in how you choose to meet the requirements. As long as your methods are effective and will pass the scrutiny of a third-party auditor, you can do things pretty much how you like.

Records can be controlled in several ways…at least a couple I can think of. Of course, there’s always the paper variety, locked in a cabinet in an office. There are a few pros and cons to this method. Pros include simplicity and…um…simplicity. You don’t have to be a computer scientist to file pieces of paper in a cabinet. This doesn’t require any backup, passwords, or the like. Some cons include the fragility of paper, it is easily damaged or lost. And if you only have one copy, it might be inconvenient for some members of your team to see records that they need.

These days many people keep their records electronically, on their computer network. More on this later.