(ISO) Quality Manual Chat

We wish everyone (in the US and Canada, at least!) a happy, quality filled Thanksgiving Day holiday. We give thanks for all the great people we get to work with, and for family and friends who have always been there for us.

As readers of this blog may know, I’m an quality system consultant, helping people establish and maintain their ISO9001:2008 quality systems. (Formerly ISO9001:2000) This is just a bit of a rant, probably my biggest pet peeve about being an ISO consultant.

Every once in a while…actually, far too often….I run across some folks who really have no interest in participating in their ISO9001 quality system. Probably every ISO consultant has come across such people. Sometimes it’s the company’s top management, which is quite troubling. Sure, the business owner THINKS he wants an ISO9001 quality system, and he knows that being ISO9001 accredited will open customer doors that were previously closed to him. But he doesn’t really WANT a well organized quality system, and has absolutely no interest in actually doing the work necessary to maintain such a system.

And then sometimes you find company employees that, while they may be competent, productive employees in other ways, they too have no interest in doing any of the actual work involved in maintaining their company’s ISO9001:2008 quality system.

What’s particularly troubling for me is when there are such disinterested employees entrenched in a company for years and years, are seen as valued and nearly irreplaceable, but are resistant to change, and the company’s top management will not take action to enforce the needed change.

When I’m feeling particularly frustrated with the lack of cooperation at a company, I’ve told company owners that I think they’re wasting their money by hiring me. I can’t be there every day and perform every task. The company’s employees must actively participate in the operation of the quality system. If they don’t, then there’s no point in throwing money away on a consultant and the annual registration and auditing costs. If the company’s people are not committed to doing what is needed, then the company doesn’t deserve to have accreditation.

So many people want to have their ISO9001:2000 certificate, but don’t want to do the work needed. Maybe they think if they can just pay a consultant, and shuffle some papers around, that they can get that prized certificate on the wall. But that’s not how I work.

Maybe I just shouldn’t care quite so much. It would be easier that way.

OK, that’s a series of words that probably hasn’t been written before. What does an ISO9001:2008 quality management system have to do with motorcycle riding? Read on, brother.

A friend of mine, Don, is a very wise and experienced ISO auditor as well as a fellow motorcycle rider. When talking about ISO9001:2008 (or, in the past, ISO9001:2000) Don often describes ISO as nothing more complicated than good business practices. I totally agree with Don, of course. It’s funny how so many people I talk to seem intimidated about ISO, thinking its some mysterious, complex system involving lots of paperwork and records. When you tell people ISO is essentially an organized system of good business practices, people start to listen.

As you might have seen from some of my previous posts, I like to take this line of reasoning one step further and apply the principles of ISO9001 to daily life. Since I’m self-employed, its often difficult to distinguish where my work life ends and my personal life begins, so I like to think about quality system principles can improve all facets of daily life.

Probably my biggest passion in life (other than my darling wife and my family) is riding motorcycles.
Sportbikes…crotch rockets…Ninja’s….race replicas. Trust me, I have the speeding tickets that attest to my desire for two-wheeled speed. Years ago track days started to become available, where riders could show up at a bona-fide race track, pay their fee, and hone their skills with laps on the track. Many of the same sensations as road racing, but without the commitment and expense of real racing.

Many modern race-replica motorcycles feature built-in lap timers, using various switches and buttons on the handlebar so you can have a record of each lap time. Being a somewhat competitive male, I naturally want to improve my lap times each day I’m at the track.

My “quality policy” in this case is to have fun and improve my riding skills. The customer here is me.

Now that I’ve had 50 birthdays, my goals for improvement are modest, but they do exist. From the start of the day to the end, my goal is to shave 8 seconds per lap off my time. Sound familiar? Measurable goals for improvement?

While at the track I don’t keep written records, I do keep mental notes of times at various tracks, and try to improve my riding each day. Do I ever screw up? You bet! Turn 6 at Willow Springs is an area where I might mess up my line, which screws up my drive for the back straight. I give myself a mental corrective action request, with a plan to fix the problem and ensure it doesn’t happen again. In this case, I might follow a better rider around the track, or sign up for additional training from one of the instructors at the track. Or I could attack the problem from a different angle, perhaps adjusting the preload or compression damping in the forks to make the bike work better at a particular track. The bike’s setup at California Speedway is a little different than the Streets of Willow, for example. At the end of a good track day, I feel on top of the world, knowing I’ve improved my skills ever-so-slightly that day. Even at my “advanced” age, learning new things to improve myself is immensely rewarding.

In business, of course, continually improving your processes, and your customer satisfaction, will result in personal rewards, and, of course, financial rewards.

ISO9001:2008 is not necessarily just good business practices. It’s good life practices. Have a general quality policy on how you want to live your life and pursue your passions. Set goals…reasonable, measurable goals…and constantly be trying to improve yourself. When you make a mistake (we all do) learn from it. Give yourself a corrective action request. Give some thought to how you’re going to fix the problem. And how are you going to keep it from recurring?

Organized, thoughtful, meaningful and continuous improvement. Couldn’t we all benefit from a little more of that?

Felix writes: “Greetings, can you please send details about Quality Objectives explanation, including how to create Quality Objectives (Referring Quality Policy), how to link with Quality Policy, how to achieve Quality Objectives (With example). If not meeting the requirement how to close. Can you please provide all with examples.”

Here’s a stab at this:

Quality objectives should be measurable, and should be relevant to the various functions within your company. When thinking about what your quality objectives should be, try to think about what ways you want your company to improve your customers’ satisfaction. I usually try to leave such areas as pricing and sales out of the quality objectives, instead focusing on things such as quality and delivery.

Quality objectives should be written specifically for your company, and should be relevant to your particular situation. You do not need to “link” your quality objectives to your quality policy. Your quality policy is an overall guiding philosophy for your organization, its not something that needs to be measured.

Quality objectives can be achieved by continual improvement of your organization. For example, let’s say your company manufactures chairs. Right now 90 percent of the chairs pass your quality inspection, and 10 percent are rejected and reworked or scrapped. This is one area you want to improve, as it will help speed up delivery to your customers, as well as help reduce costs for your company. So you can create a quality objective of “a rejection rate for manufactured chairs of 5 percent or less”. Now you have a goal, an objective, something to strive for. It may take a long time to achieve your goal, and maybe you’ll never achieve it. That’s OK. The value of having an ISO9001-2008 quality system is that you should be continually improving your operation. If your goal is no more than 5 percent rejects, and right now you’re at 10 percent rejects, then maybe within one year you can improve your system to 9 percent rejects. That’s an improvement from 10 percent. As long as you can show an honest effort to improve, and you can show actual measured improvement, well then your company is doing better than before.

It is not necessary that you achieve your quality objectives, although it is necessary that your organization show continual improvement. If your objective is 99 percent good parts, and you’re now doing 90 percent, you might increase your performance to 91 percent one year, then 92 percent the next, then 93 percent the third year…etc. And that’s perfectly OK. In fact, if you do ever achieve your quality objectives, now you’ll have to change those objectives to be even more strict, as ISO9001 requires continual improvement. Or if there are areas in your company that are just about perfect, then maybe its time to look for other areas that need improvement. It’s perfectly fine to change quality objectives over time, as your organization changes. Your ISO9001-2008 quality system documentation is intended to be a living, changing document that reflects what’s going on in your organization.

OK, this is it….this is officially the first time I’ve used the term ISO9001:2008 in a blog post. We all have to get used to it eventually, so I thought I’d try it out. Not so painful after all.

The ISO gods have blessed us with a revised quality standard that’s really not so revised. As of this writing the new standard has not yet been released. From what I’ve heard it may be out in December 2008. I suppose it will be a good idea to purchase the new quality standard, and enrich the coffers of the ISO organization, but I’m not completely sure it’s necessary. This is a decision I can delay for a while.

But I digress…..today’s real topic is to offer tips on how to be an effective internal auditor.

I have the luxury of being a consultant, not an employee, for companies with ISO9001:2000 quality management systems. Its easier for me to conduct internal audits when I don’t have to be at that company 5 days a week. You see, I, like many people, am happier when other people like me. I prefer to be liked, not disliked. And to be an internal auditor is not always the most popular position in a company. But as a consultant, I just show up occasionally, so I don’t really have time to develop friendships with anyone at my client companies.

But whether you’re a consultant, employee, or business owner, there are some things you can do to make your internal audits less painful and more effective.

The most important thing is the right attitude. Do have a positive attitude, and always let people know you’re only interested in solving problems and helping to improve the organization. Never be the guy (or gal) who points fingers and tries to assign blame in order to fix problems. If you’re always trying to throw people under the bus, no one will want to work with you. And while some folks might be stubborn enough to think that employees should follow the rules no matter what, I’m of the opinion that it’s SO much easier, and SO much more effective, to conduct internal audits with a positive attitude. No matter how many problems you find, try to remind people often that we’re all just trying to make the company better. Kill ‘em with kindness.

Another tip is to be organized. Be sure to let people know they’ll be involved in an internal audit well in advance. Surprises are to be avoided. Your registration or surveillance audit never comes as a surprise, and neither should an internal audit. It’s just common courtesy, and people respond better when treated with courtesy and respect.

Work off a checklist, and keep it as brief as possible. Most likely your interview subjects have a lot of their own work to do, and consider your internal audit as a necessary evil. Your subjects aren’t thrilled to be there in the first place, so don’t make it any more painful for them than necessary. Work off a checklist so you cover all your bases and don’t forget your questions. And please don’t elaborate or expand on your questions more than what is absolutely necessary to get your point across. Brevity is next to godliness. Ask your questions, take your notes, and let your subject get back to work.

Treat your interview subjects with respect. Even the lowest paid janitor probably can teach you something about the company. You’ll get better information if you treat people with respect rather than foster an adversarial-type relationship between the quality system administration and the rest of the organization.

Have you ever considered taking the tenets of your ISO9001:2000 quality management system and applying them to your daily life? At first glance you might think this is just absurd. However if you take a moment to think about it, it might not be such a crazy idea.

Now I’m not proposing you write yourself a personal quality manual and set of procedures, and I’m hopeful no controlled forms need be involved. But let’s take a look at some parts of ISO9001 and see what we can use.

Say what you do, and do what you say. Yes, I know this isn’t exactly in the ISO9001:2000 standard, but it’s a popular catch phrase when describing an ISO9001 quality system. And it works great in daily life too. Do you have friends who flake out on you? Do they say they’ll show up at your party, or help you move, but then don’t show? Pretty annoying, eh? After a few no-shows, are you going to be inclined to keep these insensitive folks as your friends? Probably not.

Check out your vendors. In ISO9001:2000 it’s necessary to check out your vendors to ensure quality before you purchase things. Nothing could be more true in your personal life. Haven’t you ever researched the purchase of a car, a TV, an audio system, a house? You can definitely save yourself lots of headaches and money by doing a little research before you spend your hard-earned paycheck.

Corrective actions. I’m not proposing a formal written procedure of course, but you’ll likely find more success in life if you recognize your mistakes and take conscious action to correct them and prevent them from happening again. Years ago I impulsively bought a used motorcycle that sure looked cool, but had some serious internal engine problems. That $1000 motorcycle ended up costing me twice that much. I made a mental note that future purchases would undergo a much more thorough inspection process, and I got some formal training so that I’d know what I was looking at. Not only have I not made that mistake again, but friends now ask me to come along when they’re looking at a used bike.

Contract review. Before quickly agreeing to something, take a moment to think about it and make sure you can live up to what you’re about to promise. Even if you need to call the person back tomorrow, its far better to make sure you can live up to your obligation before you commit to it. Better to lose a deal you’re unsure of than to accept the obligation and screw it up.

There are many more examples of how ISO9001:2000 can apply to your daily life. Can you think of any?

One concern many people have regarding an ISO9001:2000 quality management system is if they can use outside companies to supply products or processes for their product or service. And the answer is yes, of course you can use outside companies as part of your production process. The key for passing your ISO9001 audit is to adequately control those processes or products, no matter where they come from.

If the other companies are ISO certified it does make your job a little easier, but if they’re not its still OK. Outside companies can supply product or services as part of your production process, you just have to make sure you adequately control the processes and can verify quality inspections. You’ll have to include these vendors, and all your product quality related vendors, in your vendor approval process of course.

You may want to specify in your quality manual that you conduct periodic inspections of these vendors, or that they have to be certified to a certain standard (ISO, UL, etc), or have to maintain specific kinds of equipment, or other requirements you might deem necessary to ensure their process/product meets your requirements. Its totally up to you how you do this, of course. Just keep in mind that whatever controls you specify had best be sufficient enough to pass muster with your auditor.

How long will it take us to get our ISO9001:2000 accreditation?

This is a really tough question, kind of like asking “how long will it take us to get our company organized?”. It all depends, and on several factors.

It depends on things like:
The size of your organization
The quantity and complexity of your processes
The level of organization and documentation already in place
How many man-hours you will commit each week to implementing it
Whether or not you hire an experienced person, either as an employee or consultant

If you’ve got a company of 10 people, you don’t have many complex processes, and you’re really motivated, you can probably get it done in 6 weeks. For companies of 11 to 50 employees, I’d estimate a time of 3 to 4 months. Larger companies can expect it to take from 4 to 8 months. If you’ve got more than 100 employees, and don’t have a lot of man-hour commitment, it could conceivably take a year. I’m talking here about the time needed to figure out your processes, add new ones if needed to meet the ISO standard, document everything according to ISO9001 standards, and train everyone in the new way of doing things.

Once you’ve got your new quality system in place, you’ll need some time to operate it and produce evidence that you’ve actually implemented it. Typically I’d advise at least 2 months, maybe 3 or 4, from the time you’re system is fully implemented to the time you get your registration audit. During this time you will be creating certain records that must be there to provide your auditor with evidence that you’re meeting the requirements of ISO9001:2000. If you’re under the gun from a customer to get certified, remember to take into account this period of time.

What kind of documentation is needed? Is it as complicated as I’ve heard?”

Many people who’ve heard of ISO9001:2000 are under the misconception that a mountain of documentation is needed to achieve certification. There is documentation needed, to be sure. But it’s probably not as bad as you think. Again, it depends on the size and complexity of your organization.

A quality manual is required, and a set of quality procedures is required. Your quality manual could be as little as 5 to 10 pages, or as much as…..well, as much as you like. The ISO standard requires a minimum of six quality procedures, which are specified by the standard. You’ll probably want to have more procedures which are necessary to operate your specific business, but only six are required. The six required procedures are:
1. Control of documents
2. Control of records
3. Internal audit
4. Control of nonconforming product
5. Corrective actions
6 Preventive actions

You might want to document other procedures, such as how to approve vendors, how to process sales orders, shipping and receiving inspection, things like that. But that’s optional.

Also optional are work instructions. Work instructions might be procedures on how to operate a particular printing press, how to mix chemicals for a certain process, how to process a purchase order, or anything else you feel is important enough to document. You want to make sure everyone is doing things the way you want them to be done. Documented procedures also make it easier to train future employees.

Implementing an ISO9001:2000 quality management system means you’ll be keeping some records that you probably don’t already keep. Some of these records may seem a little confusing until you become more familiar with the quality standard.

Some of these, such as records relating to design and development, may not apply to your organization if you don’t design anything. Maybe you only distribute products, or you’re trying to get ISO certification for your convenience store. (Hey, it could happen.) In this case, you can specifically exclude yourself from section 7.3 Design and Development, and you won’t have to keep the associated records.

And, of course, you might decide to keep more records than are listed here, if you feel your organization needs them. But as I always preach, keep your system as simple as possible. The fewer documents and records you keep, the fewer things that will be audited, and the more time you’ll have to actually run your business.

Also keep in mind that you are free to combine some of these records where it makes sense. For example, I always combine the Corrective Action Request and Preventive Action Request records, with a simple checkbox to note which one it is. I also combine both CAR and PAR’s onto one form, again with a check box to designate if its a Corrective or Preventive action request.

Here then is the list of 21 records required by ISO9001:2000. Please note this is a list of the records you’ll be required to keep. This does not deal with required documents (quality manual, quality procedures, etc.) which is a whole different topic.

Clause Record required
5.6.1 Management reviews
6.2.2 (e) Education, training, skills and experience
7.1 (d) Evidence that the realization processes and resulting product fulfil requirements
7.2.2 Results of the review of requirements related to the product and actions arising from the review
7.3.2 Design and development inputs relating to product requirements
7.3.4 Results of design and development reviews and any necessary actions
7.3.5 Results of design and development verification and any necessary actions
7.3.6 Results of design and development validation and any necessary actions
7.3.7 Results of the review of design and development changes and any necessary actions
7.4.1 Results of supplier evaluations and any necessary actions arising from the evaluations
7.5.2 (d) As required by the organization to demonstrate the validation of processes where the resulting output cannot be verified by subsequent monitoring or measurement
7.5.3 The unique identification of the product, where traceability is a requirement
7.5.4 Customer property that is lost, damaged or otherwise found to be unsuitable for use
7.6 (a) Basis used for calibration or verification of measuring equipment where no international or national measurement standards exist
7.6 Validity of the previous measuring results when the measuring equipment is found not to conform to requirements
7.6 Results of calibration and verification of measuring equipment
8.2.2 Internal audit results and follow-up actions
8.2.4 Indication of the person(s) authorizing release of product.
8.3 Nature of the product nonconformities and any subsequent actions taken, including concessions obtained
8.5.2 Results of corrective action
8.5.3 Results of preventive action

A few years ago I consulted with a small aircraft parts company that did big business with a major aerospace manufacturer. The huge customer required that their suppliers be ISO approved, and eventually required AS9100 certification.

The really strange thing I learned was that the huge customer asked if they could observe internal audits conducted by my client company. This seemed like a really horrible idea to me, for several reasons.

I can, in a way, understand why the customer asked this. I suspect there may have been trust issues, that is, the customer might have had a hard time believing my client company actually conformed to the ISO9001:2000 quality standard. The client company owner had previously been caught being less than truthful with the customer. There were times I was amazed the customer continued to purchase from the client company, but that’s another story.

Internal audits are intended to help you catch and correct problems at an early stage, before those problems reach your customer. Why would anyone allow a customer to observe their internal audit? Would you be 100 percent truthful and honest in your audit if you had an important customer watching the process??? Heck no! I wouldn’t want to risk making my company look bad in front of the customer.

Providing that customer with a summary might be OK, tho really that’s even a lot to ask. But to have the customer there with you, looking over your shoulder during the audit? I say you’ve got to be kidding to ask this.

If I ever run across this in the future, and the client company owner wants to go along with the customer request, I’d have no choice but to conduct TWO internal audits. The first one would be in private, and it would be the actual audit. The second one would be strictly for show purposes.