CHAPTER 1: ISO 9001 REQUIREMENTS, MYTHS, AND GUIDANCE

In this chapter, we look in-depth at the requirements of ISO 9001:2015, including some of the more common myths associated with each requirement and guidance based on more than 6 years of implementation in more than 50 organizations. A copy of the ISO 9000, and ISO/TS 9002 standards should be obtained to gain the best understanding of ISO 9001.

At the time of writing, ISO 9004 is being considered for updating as a requirements document to complement ISO 9001, so comments regarding that guidance are not included. Readers may wish to visit the ISO website for the latest details. More on these guidance documents later.

Some of the myths may have originated around the earlier versions and are commonly applied to the 2015 version of ISO 9001, so have been included here for those readers coming to ISO implementation for the first time.

ISO 9001 has five key sections:

1. Introduction

2. Scope

3. Normative References

4. Terms and Definitions

5. Quality Management Systems – Requirements

Rarely are all the texts of this 27-page document ever fully read and completely understood. Instead, most readers tend to focus on the section 4 requirements, mainly because that is where the requirements for a QMS are specified. It is these requirements, plus the desire by an organization to be certified, which draw attention away from key information found in sections 1 through 3! Sadly, this is a little like children being taught to recite multiplication tables without knowing the mathematical purpose.

History has shown us that, typically, quality management activities in an organization were frequently performed to meet customer requirements – often through compliance with a contractual obligation. Customers flow down their supplier quality assurance requirements or require a supplier to be ISO 9001:2015 certified as a basis of doing business with them. No doubt many readers will be seeking information on ISO 9001 for that very purpose. This is still true today, however, if we adopt the popular maxim of Dr. Deming: “Quality is everyone’s responsibility.” Clearly the quality system should be embedded in the organization’s everyday operations and functions, and not seen as an ‘appendage’ to the core of that organization.

It was only with ISO 9001:2000 that any thought was really given to providing, in the document itself, a description of how all the requirements of the Standard were supposed to come together – as the basis of the organization’s QMS.

This situation, where users simply refer to only the section 4 requirements, exists despite volumes of guidance being published by the ISO technical committees and a significant number of books on implementing and auditing ISO 9001! Not spending time to grasp the whole document may delay the fullest understanding of its application. Following a major online survey of users in 2014, the technical committees responsible for the creation of the ISO 9000 standards have attempted to make the requirements align better with the needs of an organization to help make the QMS integral to the organization’s business processes.

Now entering the sixth year of publication and with another user survey being closed in December 2020, it has been decided that there will be no revisions to the 2015 requirements – this should see users through to 2025 without any changes being necessary to their QMSs.

Top tip

Introduction

The introduction to ISO 9001 talks about the adoption of a QMS as being a strategic decision and to help improve overall performance and as a basis for sustainable development initiatives. It lists the potential benefits of implementing a QMS based on the requirements of the Standard:

• Consistently supplying products and services that meet applicable requirements (customer, regulatory, etc.)

• Opportunities to enhance customer satisfaction

• Addressing risks and opportunities associated with the organization’s context and objectives

• Demonstrating conformity (this would include third-party certification)

• It further states that the Standard doesn’t imply any type of formal approach to risk management

It is interesting to note that the word ‘risk’ is introduced – but then mentioned only a few times in the requirements sections 4 through 10. Perhaps controversially, many quality professionals will offer opinions that the concept of risk was always embedded in the application of ISO 9001 – now it is clearly stated.

Quality management principles are described in section 0.2 of the Introduction, including:

• Customer focus

• Leadership

• Engagement of people

• Process approach

• Improvement

• Evidence-based decision making

• Relationship management

Despite being mentioned in the Introduction and throughout the various requirements sections, the description refers the reader to ISO 9000 2.3 for further explanations of each.

The “Process Approach” is section 0.3 of the Introduction, which describes several concepts that are supposed to be incorporated in the organization’s approach to quality management – a system of interlinked and interacting processes. A diagram, on page viii of ISO 9001 (figure 1), shows elements of a single process in terms of:

• Sources of inputs (predecessor processes)

• Inputs (energy, matter, information)

• Activities

• Outputs (energy, matter, information)

• Receivers of inputs (subsequent processes)

Also shown are possible control points for measurement and monitoring (specifically at input and output).

Figure 1: Elements of a process

It is worth remembering that some key features which should have caused the conventional wisdoms of previous versions of ISO 9001 to be laid to rest have, instead, created more mythology.

These include the following:

• There is no required quality manual. Only the scope of the QMS, quality objectives, and quality policy are required to be documented.

• There is no requirement for a formal approach to risk management – it even states this in Annex A.4 “Risk-based thinking”.

• There is no requirement to have objectives for all the QMS processes.

• There is no requirement for any of the processes of the QMS to be documented.

• There is no requirement for internal audits to be process-based.

• There is no requirement to have a process for preventive action.

It would be easy for users to fall into the trap of believing these because the Standard doesn’t mandate any types of manuals, procedures, or other types of documentation; the organization could simply write the documents that are specifically mandated by ISO 9001 and leave it at that. Nothing could be further from the truth, however, if we consider the requirements stated in section 4, “Context of the Organization”; in meeting the “needs and expectations of interested parties,” it is likely that the organization would identify a need to document certain things for:

• Training purposes

• Knowledge retention

• Governance or similar policy

• Meeting customers’ expectations/requirements, or regulatory agencies’ requirements

Indeed, it is difficult to conceive that improvements may be made to any process or related aspect without formally defining and documenting those things, so that improvements can be a) identified and b) implemented.

It is, as most readily understand, difficult to hit a moving target, and writing things down is a universally accepted place to start the improvement journey.

Another consideration of interested parties, especially customers and (if applicable) regulatory agencies, is that they may require the organization to document many of the plans, processes, responsibilities, authorities, controls, and actions necessary to assure the products had a good chance of being correct to the specification.

Top tips

QMSs: Requirements

Scope (1)

Before anyone leaps into implementing a QMS based upon the ISO 9001 requirements, it’s highly recommended to read through the Scope at the very beginning – something which is often overlooked. The Scope section defines the conditions when an organization considers implementing a QMS, when it:

• Needs to demonstrate its ability to consistently provide products and services that meet customer and applicable regulatory requirements

• Aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements

It goes on to state that the requirements are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides.

Top tip

Normative References (2)

Since the ISO 9001 standard is written to have the same meaning in many languages, it is important that words which represent key concepts on which a QMS are built have common definitions. Without a clear understanding of these key words, designing, implementing, and improving a QMS are not going to be as effective.

Discussions on Internet forums will quickly reveal how important it is to have a common understanding of terminology. One example, which we will explore in a later section, is defining competence. Online dictionaries show several definitions that may not fully address the intent, in the context of ISO 9001. This key definition isn’t found in the Standard itself, however, but in ISO 9000, which is the “Normative Reference.” It contains the terms and definitions necessary to guide the reader through the ISO 9001 requirements.

Competence, which is the subject of section 7.2 of ISO 9001, is defined in the vocabulary document – ISO 9000 (3.10.4) – as the “ability to apply knowledge and skills to achieve intended results.”

In considering the requirements specified, it is easier to see that once competencies have been defined (and demonstrated), some actions may be necessary, including training, to address any shortfalls identified. Such a process will, now a better understanding has been gained, lead to time and money being saved, compared to conventional training programs in which a number of hours of training are required, regardless of any need being identified for an individual employee.

Top tips

Terms and Definitions (3)

ISO 9001 has employed the terminology of “product” as the resulting output from the QMS. The background to the development of ISO 9001 was, after all, the military hardware-oriented Defence Standards. From user feedback since 1987, it became obvious that organizations which provided services (often alongside their product) had struggled to implement the requirements of ISO 9001, although having a formal QMS was found to be useful and often a customer requirement. The need for less product-oriented terminology was called for.

Under this heading, a clear statement is made that where “product” is mentioned, users may substitute “service” if this is applicable to their needs. Also, a reference is made here to the use of ISO 9000 – the vocabulary document – for other definitions and how the terms used are linked. This is particularly useful to demystify some relationships, for example the roles of controlling non-conformance and the need for corrective actions, which are frequently lumped together with (financially) disastrous results! Oddly, many organizations balk at spending the US$250 or so, when that cost can easily be avoided by using the direction the vocabulary provides. Compare that to the cost of responding to a certification body audit report that identifies major nonconformities!

The Context of the Organization (4)

The inclusion of this requirement was intended by the technical committee to provide an ‘anchor’ or connection from the issues of running an organization to the development and implementation of a QMS. Historically, quality and management systems have been perceived as something that is additional or extra to the actual business of managing an organization. Indeed, the word ‘quality’ often means the responsibility for its management is offloaded onto a designated individual, usually a quality manager. Part of the Annex SL or high-level structure adopted across many of the management systems-related ISO standards (ISO 14001, ISO 27001, et al), the Clause 4 requirements are intended to direct the organization to look to the future – a sort of strategic planning, without calling it that.

For the first time in traditional QMS requirements, there has been an attempt to align the organization’s quality system with its business operations in a manner that makes the resulting goals, processes, controls, measurements, and actions assist the overall success!

Sub-clause 4.1, “Understanding the organization and its context,” includes the need to “determine the external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended results of its Quality Management System.”

Reference is also made to the need to “monitor and review information” related to these issues.

However, as with many strengths, they can also be viewed as a weakness. In this case, many of these experienced and skilled employees are facing retirement. This ‘silver tsunami’ will result in the potential loss of a significant amount of organizational knowledge. Due to a variety of factors, education systems and employers have not prepared people to enter the workplace with even basic skills that are transferable to the workplace. The ‘risk’ becomes how the organization will address this weakness since it will, inevitably, adversely affect the ability to deliver a quality product.

The question becomes, within the scope of the QMS, what to do about this risk?

The ISO 9001 requirement doesn’t make it clear what is supposed to be done with this information. However, when considering the input to management review, it is clear that this information is the source of what would be reviewed and the results of addressing the weaknesses and threats, for example. More on this later, in section 6, “Planning”.

Once the SWOT is performed, it makes sense to keep a watchful eye on its content because changes, over time, will affect the analysis.

The Standard goes on, in sub-clause 4.2, to require the organization to “Understand the needs and expectations of interested parties.” Referencing ISO 9000, we can see that interested parties simply means stakeholders, i.e. the organization’s owners, customers, employees, and suppliers, and, as applicable, regulatory agencies. It is a requirement for the organization to determine:

• “The interested parties that are relevant to the Quality Management System and

• The requirements of these interested parties that are relevant to the Quality Management System.”

Once again, the need to monitor and review information about this is required.

One drawback of ISO 9001:2015 that can affect users is grasping how the requirements are intended to interrelate to form a true system. As we read through the sections, there are backwards references to previously stated requirements as a nod to their connectedness. Unfortunately, there are few (one?) forward-looking references and experience shows that the context of the organization requirements can be related to a key feature of an effective QMS – the “Management Review” requirement (9.3). As we will discuss later, there is no guidance within the Standard that points out this interrelationship to help readers understand how this system should function. Instead, they would have to purchase yet another ISO publication, in this case ISO/TS 9002 (which is a technical specification providing implementation guidance for ISO 9001), to obtain any information on such connectedness between clauses.

Top tips

The last part of the clause on the context of the organization deals with determining the scope of the QMS (4.3). As the word ‘scope’ suggests, an organization has some degree of flexibility to select what functions and activities, products and services fall within the ‘focus’ or the boundaries of the QMS – with some exceptions: If conformity to the ISO 9001 requirements is going to be claimed – let’s say for the purpose of being certified by a third-party conformity assessment body (a registrar) – then the requirements cannot be claimed to be not applicable if they affect the organization’s ability or responsibility to ensure conformity of products and services and customer satisfaction. In simple terms, if the organization creates new product design work, it cannot avoid compliance of the QMS with the 8.3 requirements – for any reason.

For example, if Apple were seeking ISO 9001 certification, it would not be able to claim that product design was inapplicable. Similarly, it cannot claim to manufacture, since – at the time of writing – manufacturing Apple products such as the iPhone, iPad and Apple Watch are carried out by contractors such as Foxconn Technology (the trading name of Taiwanese business Hon Hai Precision Industry Co., Ltd.). This may seem obvious at first sight, but the application of scope to a QMS is fraught with nuance and many rules.

In considering what is in and out of the scope of the QMS, the organization needs to consider the requirements above, relating to 4.1 Understanding the context and 4.2 Understanding the needs and expectations of interested parties.

The scope is required to be maintained as “documented information” – the first time this somewhat obtuse reference to any form of documentation is made. This terminology is referenced and discussed later. Typically, a scope statement might describe the products and services the organization offers to the marketplace, locations, and justification why some ISO 9001 requirements are not applicable – not performing product design is a classic example.

Examples include:

• “The design and manufacture of…”

• “The manufacture, maintenance, and servicing of…”

• “The distribution of…”

• “The management of technical engineering staff to…”

• “The installation, commissioning, service, and repair of…”

The product(s)/services are usually described, including other descriptions of specific industries served, materials used in the product, process types employed, etc., to give details to prospective buyers of the capabilities of the organization.

Turning to the final sub-clause of the first major requirement of ISO 9001, we see it relates to the QMS (4.4) and the processes that are included within it.

The key is that the organization’s leadership should determine how it wants the processes to operate in coordination to be most effective. Using what the ISO 9001 standard refers to as “The Process Approach,” the organization can focus its efforts on understanding how product and information should flow from one function to another (see figure 1 on page viii of ISO 9001).

Top tips

Top tips

Leadership (5)

Leadership and commitment are key to any initiative undertaken by the organization, if it is to be successful. The implementation of an ISO-based QMS is no different in that respect. Commitment comes, for the most part, from the leadership’s active participation in the planning, creation, implementation, performance, and improvement of the QMS.

While it is – or should be – widely recognized that no implementation project is going to be successful without the active participation of the organization’s leadership, including setting aside the necessary budgets, progress reviews, and so on, it is perhaps paradoxical that few myths exist around this role – that of leadership. Few nonconformities are found and reported relating to much, other than the failure of personnel to adequately respond to the audit question: “How do you affect the quality policy?” or “What is the quality policy, in your own words?” or some variation of this line of inquiry.

Clearly, leadership is far more than putting a signature on some ‘executive order.’ We see world leaders do this regularly, yet totally fail at leading their respective countries through all manner of privation. The reasons are manifold.

Top tips

Use the above as the basis of meeting the requirements of “Management Review” (9.3) and focus on the third and fourth items relating to the management review agenda, as applicable to the specific process – presented by the process owner. Reference can be made to the results of the internal audits as validation of the details (the ‘story’) behind the process owner’s reporting.

The sub-clause of “Customer Focus” (5.1.2) is an interesting one, especially when viewed from a commercial perspective – or to put it another way: “It’s not quality at any cost.” If the aim of any organization is to satisfy a customer’s needs, then establishing those needs is predominantly the role of the sales and marketing functions. Prices and delivery are usually part of establishing needs and expectations, along with product/service specifications. Agreement usually comes in the form of a contract. The product or service is delivered and some attempt may be made to ‘survey’ the customer as to their level of satisfaction – with varying degrees of success or accuracy. But did the organization make any money? What was the cost of goods sold? The margin or mark-up? 25%? What is eroding that margin? The supplier rejects because the procurement/purchasing policy is to buy at lowest cost? The number of design engineering changes processed due to manufacturability/testability issues? The unrecorded costs of the processing associated with scrap, rework, and repaired product? Any warranty and recall costs? All these, and others, determine the actual revenue associated with doing business. Who is paying for that? To be truly customer focused, an organization needs to get these costs identified, accurately measured, under control, and improved – for survival.

Planning (6)

The first sub-clause of this section of the Standard is entitled “Actions to address risk and opportunities.” (6.1)

This requirement is intended to direct the organization to take those issues identified in considering the context of the organization – the (prioritized) results of a SWOT analysis plus the understanding of the needs and expectations of those interested parties – and put them into a plan that includes integration of the actions into the processes.

As previously discussed, the prevailing ‘silver tsunami’ of retiring, skilled, and competent workers is likely to put an organization’s ability to deliver good quality at risk. The organization should, therefore, plan to address this risk and identify what is to be done to mitigate the effects. Clearly, this is a risk that affects many organizations, so simply hiring replacement skilled workers isn’t a viable option. What to do?

Once commonplace, apprenticeships were a way of developing the next generation of skilled workers, but those programs had slipped into obscurity. Simply put, most organizations employ workers who might have been apprentices, but the training processes have not been maintained. Add to this secondary schools and many community colleges have cut back on those educational programs that prepared younger people for work and the organization cannot sit on its hands hoping someone else will step in. Furthermore, many organizations’ training processes typically only deal with the basics of onboarding and on-the-job training specific to the narrow focus of product/process tasks.

What’s needed is for the organization to develop a process, within the QMS, that will create the skilled workforce it will need in the future. Fortunately, experience shows that, because many others are in a similar boat, further education colleges and schools also are developing and offering the supporting educational programs in the much-needed development of skills.

This section of the Standard also contains a couple of guidance notes regarding risk treatment, including options for addressing risks, such as avoidance, elimination of sources of risk, changing the likelihood or consequences, sharing the risk, or retaining the risk by informed decision or even pursuing an opportunity through taking a risk. Opportunities are detailed as something an organization may identify as ‘new’: a process, product, technology, et’. It’s not clear that ‘new’ and ‘risk’ are often viewed as going hand in glove.

Quality Objectives (section 6.2) are required to be established at relevant functions, levels, and processes. This gives a great deal of latitude for the organization to think about the link to the quality policy (which itself is linked to the context of the organization) to establish the goals for the QMS. Before setting objectives, it is worth noting that they should be:

• Measurable

• Take into account applicable requirements

• Be relevant to product conformity and enhance customer satisfaction

• Be monitored

• Be communicated

• Be updated as appropriate

The quality objectives are also required to be maintained as documented information (but the Standard doesn’t say where they are to be documented or how).

Top tip

Be selective on which processes have OTIS applied to them. It is easy to overwhelm people with multiple objectives. It might be tempting to set objectives for the document or records control processes, but these are hardly likely to directly affect the achievement of customer satisfaction.

The last requirement in Planning is devoted to planning of changes to the QMS, when the organization determines they are needed. There is a reference back to 4.4 and that changes need to be carried out in a planned manner. These should be viewed as changes identified at a strategic level, not the day-to-day changes that are covered within other clauses of the Standard, such as changes to customers’ requirements, product designs, and process controls.

It is well established that changes can be the source of problems without a robust plan. The requirements list the considerations the organization should make in its planning:

• The purpose of the change and consequences

• The integrity of the QMS

• The availability of resources

• The allocation or reallocation of responsibilities and authorities

Support (7)

This requirement of the Standard deals with those parts of the QMS that support or are in place to enable the other processes to function more effectively. It includes:

Resources (7.1.1)

An organization must be selective at what it takes on, in the name of satisfying customers’ needs and expectations. People can move heaven and earth, but you have to give them time, tools, and a budget as a minimum. The resources are necessary for the whole of the QMS implementation and for process operation and control. These include the following:

People (7.1.2)

Despite the saying, “The factory of the future will be run by a man and a dog. The man is there to feed the dog and the dog is there to keep the man away from the machinery,” most organizations need people to do work to satisfy their customers’ demands and for the effective operation of the QMS. Oddly, having mentioned People, there is no reference to the other sub-clauses (7.1.6, 7.2, 7.3, 7.4) that go on to develop more on the theme of People…

Infrastructure (7.1.3)

Try as we might, it is a practical impossibility to produce a good-quality product, even with all the necessary people, without the appropriate equipment, power, computers, information, and so on. The infrastructure requirements to ensure product conformity should be identified and provided by the organization, including such items as process equipment, buildings, utilities, workspace, and services.

Environment for the Operation of Processes (7.1.4)

In step with the above, the work environment can also have an effect on product conformity. There is a note underneath the ISO 9001 requirement that defines typical environmental factors, such as noise, humidity, lighting, or weather. Others might include temperature, air quality, dust, etc. These factors must be managed.

Monitoring & Measuring Resources (7.1.5)

This requirement of ISO 9001 is possibly one of the most confused and abused, being open to interpretation, especially by those with minimal understanding of the topic. Commonly called ‘calibration’ and applied to equipment used to measure product characteristics and/or process parameters, the section starts by simply stating that measuring resources are provided to ensure valid and reliable results. It goes on to state that the resources provided are suitable for the measuring and monitoring activities and are maintained to ensure fitness for purpose. It doesn’t even mention calibration or verification! Interesting, isn’t it?

A sub-section called “Measurement traceability” points out that it may be a requirement (Customer? Regulatory?) or if the organization considers it essential to provide confidence in the validity of measuring, results can be calibrated, verified, or both.

Top tips

Organizational Knowledge (7.1.6)

How does an organization know what it knows about how to satisfy customers’ needs and expectations for products and services? Clearly, it isn’t about specific technologies, processes, equipment, people, suppliers, etc. It must be a combination of all these and more. Reference to the notes at the foot of the page shows that ISO recognizes it is experience and based on sources that are both internal and external.

The Standard is pretty clear: Maintain the knowledge (it doesn’t say it needs to be in any form of documentation) and make it available.

Top tips

Competence (7.2)

With a strong link to the Operation requirements (section 8), specifically 8.3 and 8.5, the need for competent personnel is much more than simply training people. Training makes people dangerous!

It would be easy to assume that an experienced person is someone who has reached unconscious competence, and could be grandfathered into their job. That would be potentially a missed opportunity, partly because these are not concrete phases.

An article in a British motorcycle enthusiasts’ magazine discussed the background to why significant numbers of British motorcyclists were being killed in crashes on the roads. There were some shocking statistics, including that no one else was involved, just the bike and its rider. Another was the average age of the victims, which was 50 years. These were very experienced bikers, with many years of motorcycling informing their riding skills in addition to any tests they may have taken to receive a license.

What was causing these riders to get into these lethal situations? Analyzing the facts associated with each crash revealed that changes had occurred, which had affected the riders’ abilities, such as eyesight acuity, speed of reactions, and the power and capabilities of the motorcycles being ridden. All have an effect on the riders’ competencies, compared to their early years of riding. The final analysis of these events showed that just because someone attains phase 4 – unconscious competency – doesn’t mean they stay there!

Top tips

Communications (7.4)

Although it may be seemingly important that the organization communicates that it is using ISO 9001 to develop a formalized approach to its process controls, too much reference to ISO can be counterproductive.

In an effective implementation, most of the emphasis goes on ensuring people are aware of the fundamentals of the organization’s QMS, and why these are important to them in getting their work done, for regulatory compliance, to ensure customers’ needs are met, etc.

As with an organization that sets SMART objectives for its people, the communication of progress toward meeting those objectives, the ‘wins,’ the ‘losses,’ are all important to be known throughout.

Management should not treat performance like a game of Texas Hold ’Em poker. Everyone has a stake in the results, after all.

There are many ways that communication may take place of the reasons for an organization to use ISO 9001, including why the organization has chosen to formally define and implement a QMS, and ultimately become certified by a third party. This isn’t really “training” and 99% of personnel don’t need to know much of the “back story”. Far better to describe these through the use of ‘brown bag’ lunch meetings, newsletters, staff meetings, and other events – and no records are required!

Top tips

Documented Information (7.5)

The requirement for the organization to include documented information as part of its approach to developing a QMS is in two distinct parts:

1. That documented information which is required by ISO 9001:2015, including:

• The scope of the QMS

• Quality objectives

• Quality policy

2. That documented information which is required by the organization to be included within its QMS.

This is to support the operation of the processes of the QMS. Once again, the Standard does not make it clear that there are other clauses that should be considered when attempting to determine what is required, in practical terms, to be documented. If we consider the Introduction, there are several reasons listed that provide background on which to base the consideration for creating and maintaining documentation.

Furthermore, if the “Needs and expectations of interested parties” are also understood, it should be seen that documentation may be required by customers, regulatory agencies (if applicable), and the personnel of the organization – to help them achieve objectives, as a training aid for people new to a job, to ensure control or processes, and to maintain knowledge of how work is accomplished. A lot of (good) reasons!

Top tips

Operation (8)

Operational Planning and Control (8.1)

In section 6 we reviewed the strategic planning required of the organization. In this requirement, the focus is on the planning at a tactical level.

Customer Communication (8.2.1)

To avoid misunderstandings, and hence create opportunities for customer dissatisfaction, there must be control over communications, whether that’s regarding the organization’s website and claims for products, performance, availability, and so on. Similarly, how customer inquiries, quotes, ordering, and changes to these are handled must, as with any process, be controlled, avoiding errors.

Handling feedback to elicit the most accurate and useful information takes a special relationship and understanding – and is probably best handled by a few individuals. Of course, once the feedback is obtained, it is likely that the organization’s customers will expect to see the results of some action.

Although not prescribed by ISO 9001, providing plan B to take care of customers in the event that plan A didn’t work out is key to maintaining good, if not perfect, customer relationships.

Determination of Requirements for Products and Services (8.2.2)

The requirement touches on four basic factors:

1. Determining customer requirements

2. Determining requirements not stated by the customer but still necessary for use, where known

3. Statutory and regulatory requirements

4. Anything else thought necessary by the organization

Often, with innovative product designs, these factors are determined during development through market/customer research, some time before sales or agreement to supply the customer occurs. Indeed, a note indicates that the review may be of product catalogs or advertising materials.

Review of Requirements Related to the Product (8.2.2)

Before any commitment is made to supply customers, a review must be undertaken. Once again, the review isn’t simply a case of checking a customer order for the stated requirements – although that is important – but on receipt of a customer request for quote (RFQ/RFP), on receipt of an order, and when change orders are received by the organization.

The purpose of the review is to ensure that:

1. The product requirements are defined

2. The order and any previous offer (proposal, for example) are compared and differences resolved

3. The organization has the ability to meet the stated requirements

4. Records of the reviews and actions that arise are maintained

There are situations where organizations that take orders from customers verbally (telesales), and without any documents being used, cannot reasonably perform a review. In such cases, confirmation of the customer’s requirements is necessary. This can take the form of an order confirmation (email, fax, etc.) or by verbally confirming with the customer (which often is recorded). Design & Development of products and services (8.3)

Product design and development is where a lot of problems in manufacturing, with suppliers, and in the marketplace can be avoided with an effective process and relevant controls, responsibilities, authorities, etc.

Time to market often is a huge part of driving new product developments and their introduction. The needs to wow the market, beat competitors, etc. are powerful factors. No one wants an underdeveloped product that, once released, takes unplanned resources (time/money) to resolve manufacturability issues, warranty costs, and potentially loss of market share through unsatisfied customer experiences – all of which should be added to the original development schedules/budgets for a true picture.

The product design and development process requirements of ISO 9001 are fairly simple and intended to ensure that the organization only designs products that can be produced, installed, and serviced without problems and that are safe for use – and customers get what they really want!

Often known as the new product development cycle (NPD or similar), the ISO 9001 requirements form a basic framework for controls that should enable not reduce creativity. The ISO 9001 8.3 requirements cover:

• Design Development Planning

• Design and Development Inputs

• Design and Development Outputs

• Design and Development Reviews

• Design and Development Verification

• Design and Development Validation

• Control of Design and Development Changes

Experience shows that there are a few key indications of how effective the design and development process is, and they are easily identified and measured:

• The number of post-release design changes (not resulting from customer inputs)

• The ‘on time’ and ‘on budget’ performance

• The retention of engineering staff

The last point is directly linked to the first; however, it is rarely seen in this light. Similarly, where parts of the new product under development include aspects that must be obtained from suppliers – particularly those working to specifications developed by the organization – early supplier selection is critical as it is proven that their input to the design is invaluable. Not only are changes avoided but also the high costs of supply disruptions from rejections, etc.

Let’s take a look at a typical new product design engineering process to understand the indicators of an ineffective process:

Figure 3: New product design engineering process

A robust product design and development process should release a set of product specifications to manufacturing and (as applicable) servicing organizations (whether those activities are performed internally by the organization or by its suppliers) that can be produced within the capabilities of those manufacturing and service processes. The product of the design engineering process is not unlike the product of the manufacturing process(es) in that it should not be necessary to ‘touch it twice’ to make it correctly (to specification) and it must be delivered on time and at the planned cost. Therefore, three key indicators of the effectiveness of the new product design and development process are:

1. Delivery to schedule

2. Development cost on budget

3. Post-release changes

This last point has been well studied because the cost of changing a product design, after release to production, is a significant factor. It is suggested that a fault found in the design phases might cost X to rectify, would cost ten times that value (10X) if detected in production, and 100 times more (100X) if found while in customers’ hands.

Often, it is necessary to process product design changes once the product has been released to be produced, either by the organization’s own manufacturing function or by its suppliers. Often, such changes are given to those design engineers who have recently qualified and been recruited, much to their chagrin.

Newly qualified product design engineers are probably under the impression that once they take a position in industry, designing new products is exciting and they will get to use their expertise, bringing innovative and creative ideas to light. In reality, they may be assigned (initially) to work on existing product design changes. This presents two challenges for these engineers:

1. It is often very difficult to re-engineer a product

2. They are often not sufficiently experienced to re-engineer products and this can be demotivating

A study of major Japanese new product introductions showed that the majority of changes to product designs occurred before release into the marketplace, and that few changes were undertaken after that. The results? Improved customer perception, lower warranty costs, happier service staff, and improved market image, to name a few.

Control of Externally Provided Processes, Products and Services (8.4)

Top tip

Production and Service Provision (8.5)

Control of Production and Service Provision (8.5.1)

For an organization to produce a quality product (or service), it is generally held that the product-related processes must be carried out such that they are controlled. Although the requirements are seemingly simple, what is often missed is the concept behind controlling the production and service processes, which is to have ‘standard work.’ That is, each activity can be replicated over and over again, without variation, which may lead to a non-conforming product or process. A well-known example is a famous fast food restaurant chain, which has produced the same basic hamburger, serving billions by following the same process and methods, in every location, by thousands of people. Process control comes from one or more of the following:

• “Availability of documented information defining:

o Product characteristics, services provided, or activities

o Results to be achieved

o The availability and use of measuring and monitoring resources

• Implementing measuring and monitoring activities at appropriate stages to verify that process control or output criteria are met and acceptance criteria for products and services have also been met

• Use of suitable infrastructure and environment for process operation

• Appointment of competent personnel

• Validation and periodic revalidation of the ability to achieve planned results or the processes, where the results cannot be verified by subsequent measurement and monitoring

• Implementation of actions to prevent human error”² (also known as mistake proofing and poka-yoke)

It is important to note that any one requirement should not be considered without reference to at least one other. This requirement of ISO 9001 specifically requires consideration of a significant number of others. Take the requirement for the “availability of documented information,” for example. The addition of the words “as applicable” might be considered ‘weasel words’ as they allow us to weasel out of having to comply! So, is it justifiable to not make some kind of documentation available to people performing product-related activities? A clue is in understanding the relationship to other ISO 9001 requirements that have influence on 8.5:

As noted previously, the people who are responsible for the control of a process may be assigned based upon competence (7.2). This may obviate the need for a document. However, we must not overlook the requirements from much earlier – the needs and expectations of interested parties. Surely there may be situations where:

• Customers will require some form of documentation to be used in production of what they are going to receive

• Regulatory agencies may require the organization to define documentation for control of processes

• Employees may benefit from having the process controls being documented to ensure effective training, for reference, for consistency, etc.

Furthermore, the use of documentation regarding production processes is a way of maintaining the contemporary knowledge of how the process is being operated – often called best practice.

For some processes, the quality of the resulting output cannot be reasonably (economically or practically) tested or inspected. This requirement of ISO 9001 defines what the organization must do to ensure that an acceptable product is produced. For many, determining what processes fall into this category can be a challenge. In previous versions of ISO 9001, these processes were known as “special processes,” but even this didn’t adequately describe them – for such processes are quite common for organizations that perform them and not, therefore, considered special!

Which processes fall into the category of needing validation/revalidation? Some typical examples include:

• Gluing and bonding

• Welding, brazing and soldering

• Heat treatment and sterilization

• Plating, painting, and coating

• Torquing screw fasteners

As anyone who has attempted to repair a broken item at home (let’s say a vase) knows, following the instructions on the glue packaging is of vital importance to a good result. We are told to clean the mating parts, often with some proprietary degreaser/spirits/cleaner. The mating surfaces being joined might be roughened with sandpaper to provide a key for the adhesive. Of course, the temperature may also need to be between some values that represent a typical summer’s day.

Having prepared the surfaces, it may be necessary to coat the mating parts with the adhesive and allow it to cure (at least partially, when it is less tacky and dry to the touch). At this point, the mating parts may be required to be brought together and held, often under some pressure for a defined time. We also know it is tempting to test our newly created join in the precious vase to see if it is fixed! We might try to break the joint! How quickly our surprise turns to frustration when the joint does break and we have to start over! Oh, the temptation to check the joint once more…

Performing a test or similar on a sample from the process is a way to reduce the risk of failure in the other products being processed. This is still fraught with potential problems and can be wasteful too. We are left with imponderable questions about how representative the sample is. How is that validated? By the time steps have been taken to check that, the requirements for process validation have been met, so there is now no point in sacrificing a sample!

It is also worth considering that processes are subject to variation. Despite the fact that the ISO requirements do not mention it, for most organizations that produce any appreciable volume of products, their processes – particularly equipment – are subject to an amount of variation that can take the product out of specification.

Top tips

Identification and Traceability (8.5.2)

Property Belonging to Customers or External Providers (8.5.3)

Customer property is anything the customer gives the organization that is used in the deliverables to that customer. Items falling into this category tend to include raw materials (often bought in bulk to save money) and products intended for repair/service.

When dealing with customer property, it is normal to invoke a number of other requirements of ISO 9001 to handle the processes that deliver the property to the customer.

A traditional application of this would be a car taken into a dealership or garage for servicing or repairs. The car represents customer property and, as such, it is the dealership’s responsibility to:

• Take care of it to ensure no damage is done to the car while it is in their custody, by them or while parked on their premises (e.g. vandalized).

• Report anything found during the work that may affect the ability of the work to be carried out. For example, if the car had a non-functioning parking brake, the dealership would probably not want to be responsible, since the car may run away down a slope when ‘parked.’

Organizations that service and/or repair products as part of the quality management scope (see section 4) – perhaps in addition to designing and manufacturing them – deal with customers’ property as a core process. It is not unusual for a product to appear on the receiving dock with minimal/zero instruction on what the customer requires to be done or even a purchase order. In such a case, it is up to the organization to determine what work is required and report this to the customer, as the basis for establishing agreement on cost and return/delivery.

Preservation (8.5.4)

Happily, there do not appear to be many common myths with this requirement. It is generally understood that it is important to take care of everything, from incoming raw materials, through work in progress, to final product. Preservation can apply not only to the product, keeping it to specification and free of damage caused by neglect, physical damage, etc., but also preservation of quantity.

Keeping an accurate inventory – by quantity and location (where it is applicable to the product) – is key in ensuring customer requirements can be met, and production isn’t halted awaiting the correct quantity of materials and products.

Moving to post-delivery activities, 8.5.5, if the organization includes (within its QMS scope) activities beyond delivery, such as installation, commissioning, servicing, repair, decommissioning, and so on, there are considerations to be made:

• Statutory and regulatory requirements

• Potential undesired consequences associated with the products

• The nature, use, and intended lifetime of products

• Customer requirements and feedback

Although ISO 9001 is focused on product and service quality, here are some considerations that get remarkably close to environmental, health, and safety considerations. Experience shows that if customers’ satisfaction is uppermost in an organization’s consciousness, consideration must be given to conditions that affect the product’s use and ultimately its disposal. For example, some vehicles sold in the US were designed and built with an electrical switch containing mercury. At the end of their useful life, the vehicles present a health and safety issue to the recycling businesses handling them as scrap. This situation could have been avoided during the new product design process. The electronics industry has a huge problem with personal computers being discarded. They feed the electronics counterfeiting industry with ‘recycled’ computer devices, and cyber crime with data from old hard drives.

Control of Changes (8.5.6)

As mentioned previously, “The factory of the future will be run by a man and a dog. The man is there to feed the dog, the dog is there to keep the man away from the machinery” is a quote attributed to Warren G Bennis. The message here is clear: Once a process is established as capable of meeting the necessary requirements and in control, don’t let anyone fiddle with it! This is a concept that is common practice in the pharmaceutical and drug industries, due to oversight regulations. These exist because variation of process and product can have disastrous consequences and the product cannot be tested after the fact. ISO 9001 had already made it a requirement to change control documents, customers’ orders, and product designs, so it is interesting to note that process change control has only been included since 2015!

If we draw a page from the automotive manufacturing world, in which changes are anathema, we will be able to see that the customer has to be notified or even approve changes in:

• Materials

• Production tooling

• People (shift working)

• Production machinery/methods

• Suppliers

Control of Non-conforming Outputs (8.7)

One of the reasons for monitoring and measuring a product is to detect any nonconformities (rejects) before they escape the organization and get to the customer. In regulated industries, this is especially important to ensure that defective products cannot be shipped and, therefore, used. When taking the basic controls into consideration, there are many myths that surround the controls for a non-conforming product.

The full requirement for controls for a non-conforming product is often overlooked. The simple(r) aspects such as tagging or disposition are frequently given more emphasis than those that help to identify what caused the nonconformity and how it can be effectively processed subsequently. In particular, the decision on the disposition of a non-conforming product has to be given to the relevant authority and potentially by the customer.

There is certainly no specified need to treat each and every situation of nonconformity with a corrective action. Indeed, nothing else will bring the organization’s QMS to a grinding halt quicker. Practically speaking, we know there is a likelihood of nonconformity when processing. In understanding process control, there are two causes of variation:

1. Common cause

2. Special cause

Common cause variation can be controlled and the risks of nonconformity mitigated. Special cause variation is just that: special. Things break. Without warning. They cause variation and that may also lead to nonconformity.

Sometimes, we have to shrug our shoulders, note the facts, and move on. It may not be economical to do anything other than that. In a line from Forrest Gump, a runner remarks to Gump that “Sh*t happens” and runs on.

The nature of the nonconformity is important to record, NOT what happens to it. Saying something is scrap may be convenient, but how it became so is vitally important to be recorded, along with where (in the process) and how many were affected, as a minimum. This requirement fundamentally affects the ability of the organization to define a problem and, thus, solve it.

One example demonstrates how off the rails this can go. A factory had been making molded plastic parts and scrapped off $600,000 of product in one year. Of course, this is a low estimate. In seeking to resolve the losses, a cross-functional team was assembled and used the 8D Problem Solving Method to determine the root cause and work on its removal. D2 is defining and being able to describe what the problem is and, with 15 people gathered around the table, it became abundantly clear that they were unable to define the problem.

There had been little analysis, evaluation, or testing of the reported defect. A list of eight actions that could be taken at almost zero cost to the company! As with many things in life, recognizing you have a problem is the first step in resolving it!

Performance Evaluation (9)

Monitoring, Measurement, Analysis, and Evaluation General (9.1.1)

Having established a QMS and set the relevant SMART objectives (OTIS) and controls in place for the various processes of the organization, it would be appropriate to perform measurements to confirm the product meets specifications and to see how the QMS is performing. As part of the PDCA cycle, this requirement of ISO 9001 can be ‘checking’ as a precursor to the ‘act’ of improvement.

The General requirements specify three basic areas of importance to be planned and implemented as measurement/monitoring activities, leading to the identification and action needed for improvement:

1. Product – to demonstrate conformity

2. QMS – to demonstrate conformity

3. Continual improvement – of the effectiveness of the QMS, linked to the objectives (performance) set for the processes (identified in 6.0)

Monitoring and measuring is, for those who drive a vehicle, something we do each time we take a trip. Drivers use the information on the dashboard of their car to help them. Let’s review what information is provided to get a sense of monitoring and measuring and why it is important:

• Speed

The speed of the car should be monitored and measured. Why? Because it is a law that drivers must comply with on any given journey. If you don’t pay attention, you’ll be fined!

• Fuel

It is normal to monitor the amount of fuel used during a journey to ensure it doesn’t run out! We may be interested in the amount of fuel used to ensure that the vehicle is obtaining a certain specific fuel economy, is running properly, etc.

• Engine condition

Either through the use of the rev. counter, which indicates the speed the engine is turning, or from the coolant temperature, we can tell something of the running conditions of the engine. However, we never need to know the values of, say, the coolant, which is normal at about 74 degrees Fahrenheit. Knowing the value isn’t important, which is why most temperature gauges show only ‘C’ or blue for cold, ‘N’ or green for normal, or ‘H’ or red for hot. The temperature values at these positions on the gauge aren’t of interest, per se, but the position in the range is for monitoring purposes.

• Tire pressures

Modern cars are fitted with tire pressure monitoring of some kind. These can flash a warning when loss of air is detected. They monitor a parameter that is related to the loss of air pressure, not actually measuring the pressure.

There are many other values that can be used to indicate that an engine is performing correctly: oil pressure, inlet vacuum, oil temperature, for example. Other values could be taken from the ancillary equipment on the engine, like the voltage and current from the generator, battery condition, and ignition dwell angle, etc.

Indeed, the modern Formula 1 racing car has thousands of measurements made every second of hundreds of parameters to give the engineers a total picture of just about everything the car is doing in response to the driver’s control inputs. But then, the objectives – and costs – of running a Formula 1 racing car are totally different to that of driving an everyday road car.

We can also see that if all these values were to be presented to us as the driver, we would soon be overwhelmed. Indeed, some of these values are only of use if we are diagnosing a problem.

By keeping an eye on the basics, speed and fuel, most drivers can ensure they will complete their journey objectives: on time (speed over distance), on cost (fuel used), and without penalty (speeding ticket).

If we take this analogy in the context of the organization’s QMS, when it comes to measurement and monitoring of products and processes, it is important to consider any statutory or regulatory requirements that may affect the products and processes (product regulations in the medical device world, for example). In lieu of these, the customer is next in line when it comes to identifying what is important to measure/monitor.

Identification of key features and characteristics of products is very common in many markets – automotive customers, for example, will identify classes of features on their product specifications, in terms of product safety (handed down from them through the supply chain), appearance, and fit/function, for example.

Customer Satisfaction (9.1.2)

Often thought of as a goal or an objective of the organization, its customers’ level of satisfaction with the performance of the QMS is a useful indicator that the Standard doesn’t require to be measured. Customer satisfaction is strongly linked to the effectiveness of the organization’s ability to plan and control its processes to meet what it understands as the needs and expectations identified in the Context (section 4).

This requirement is also strongly linked to the organization’s quality policy and objectives. In that section, we discussed whether it was truly intended to meet and exceed customer expectations, especially since expectations are not always communicated.

In a real-life situation, an organization approached significant customers (by highest sales revenue, product volume, etc.) and identified the key (customer) representatives:

• Purchasing

• Logistics

• Quality

• Engineering

The top manager would make a short call and ask if the price of their products was acceptable, if the delivery/packaging was acceptable, and if the quality of the product also met their requirements. Each of the first three customer representatives expressed their satisfaction. However, the engineering representative stated: “’You don't love us!” Further discussion revealed that the engineers were uncertain if their choice of product (selected from an online catalog) was correct in their chosen application. In short, the sales engineers were not visiting to participate in the design reviews, etc. – easily remedied!

Naturally, having given the organization their feedback, it is highly likely that customers will expect the organization to take action!

Internal Audits (section 9.2)

The requirement for Internal Audits seems to have been the subject of a significant quantity and variety of myths over the years. This is due, in part, to the lack of prior knowledge or experience of what a QMS audit is like. Some organizations may have been subjected to customer or regulatory body audits, but these are by nature external audits and, as such, cannot be relied upon as an appropriate model for setting up and running an effective internal audit program. Add to this the fact that most of the training and publications on the topic of ISO 9001 internal audits are based upon this model of external auditing and often drawing heavily on ISO 19011 – the ISO guidelines for management systems auditing – and so the resulting internal audits tend to be a bit like putting a square peg in a round hole. The focus, timing, methods, etc. of internal audits are, in many ways, substantially different to those of external audits.

Top tips

Internal audits are one of the requirements of ISO 9001 that are not ‘institutional’ to the way an organization works. Some form of audit is a familiar practice to most organizations, although it is often from a financial perspective or, as has been discussed above, through being evaluated by a customer or regulatory body. Since internal audits are required and, as we know, external ‘certification’ of compliance is not necessarily a goal for an organization that uses ISO 9001, what is the purpose of including these audits in the Standard?

Naturally, verification of compliance of the organization’s QMS with the ISO 9001 standard is a given. The organization must determine that its QMS meets the requirements of ISO 9001, as long as management requires it. But that is often where the use of internal audits starts and stops. Let’s see why.

It is not uncommon that internal audits begin with sending someone on an auditor training course. This is a great way to get started on the basics of an audit. The agenda for most courses will cover the fundamentals of planning, preparing, conducting, and reporting audits.

A typical internal auditor training course can (typically) be two or three days (16 – 24 hours), and a lead auditor course is typically 32 – 36 hours. Many courses are even accredited, which means they are recognized as being designed and delivered following the requirements of the ISO Guidelines on Management Systems Auditing, ISO 19011.

Once trained, it is tempting for the new auditor to create a checklist or an audit schedule or calendar that shows what is intended to be audited in the coming year. An organization cannot be successful if it requires certification of its QMS without having first implemented internal audits. In the run-up to the certification audit, the focus of the internal audit program is to ensure that no significant issues are found by the certification body auditor. This is further detailed in the chapter on certification. To accomplish this goal, it is often sufficient to simply do audits, armed with the ISO 9001 requirements turned into questions and some evidence – usually auditors’ notes and audit nonconformity reports – to jump that hurdle. Sadly, the bar is, in many cases, set very low.

Once the organization’s QMS is found to be in compliance and certified, the internal audits should be managed to a higher level and to ensure that the focus changes to bring another value to the organization beyond simple compliance with the ISO standard. To do this, the scheduling of audits must be changed from a ‘push’ system, where audits are scheduled to an annual ‘calendar,’ to one of a ‘pull’ or demand system, where they are scheduled according to management’s needs for the business.

The ISO 9001 requirements for internal audits (9.2.2) state that the organization shall conduct internal audits at planned intervals to provide information on whether the QMS:

• Conforms to the organization’s own requirements

• Conforms to the requirements of the Standard

• Is effectively implemented and maintained

This requirement gives us opportunities to consider that all processes are not created equally, that some might need to be audited as a priority and possibly more frequently than others. So, how can an audit program meet these requirements and be value-added to an organization?

Let’s consider what is meant by the status of the processes of the QMS. Status might include something being new and/or changed, performing below or above expectations. Having something new or changed in relation to the following is also frequently associated with causing problems:

• Customers and requirements

• Suppliers

• Technology

• Regulations

• Process requirements

• Materials, equipment, etc.

The above are normally considered risks to the business. In fact, how many of us have heard that it’s not a good idea to buy a new model car or similar until after it’s been on the market for a year – to ‘work out the bugs’?

Likewise, a process not performing to expectations, causing scrap, rework, and downtime – in fact any kind of waste – is also a risk. Got a process that exceeded its goal? Better find out why! Once the reason has been discovered, it could be used to improve other, similar processes.

In some cases, these are planned situations – including the new and changed aspects. Some, like poor performance, are unplanned. What could be done to prioritize an audit of a new, changed, or poorly performing process? This is where the importance of that process must be considered. We have to ask whether the process is important to meeting:

• Customer needs and expectations

• Regulatory compliance

• Costs

The importance of the process to the customer or other aspects of business can be considered as the impact of that process on the business.

It is common for internal audit programs to be developed on an annual calendar that predicts which aspects of the QMS are going to be audited. Often the objectives for developing the schedule are to ensure that the entire system is audited in that year, or to ensure all the ISO requirements are covered, etc. However, since there is no requirement to perform audits in that way, these internal audits often miss critical processes when they become an issue.

In one company, interns were recruited to cover on an assembly line during summer vacation time, which resulted in almost predictable product quality problems. The internal audit schedule forced the auditors to focus on features of the management system that were rarely problematic – instead of taking a critical look at the training and competency of the new people.

Imagine the hapless line supervisor having to act like a mother hen to their new operators while attempting to answer auditors’ questions about product labeling, document control, etc.! Had the audit schedule directed the auditors to the training process when it was being implemented, it is highly likely to have diagnosed the problem with the process and attracted management’s support for corrective actions.

An annualized calendar forces audits of processes that are either not a high priority or before/after any problems transpire, instead of helping to identify what contemporary actions need to be taken to improve things. No wonder, then, that in many organizations, the internal audit program is not well supported! Internal audits should be scheduled using current process performance data, feedback from customers, etc. to ensure that auditors are focused on what is on management’s radar.

Internal audit management programs scheduled based on risk and impact can help usher in a new era, synonymous with risk assessment and continual improvements, rather than something done simply for compliance. Furthermore, the role of the auditor becomes elevated in status similar to that of a Six Sigma/Kaizen practitioner. Improving the internal audit program in this manner will help to ensure a domino effect on corrective actions and the management reviews of the QMS as a whole.

The selection of people to be auditors is made on the basis of finding someone who is independent of the process being audited. Someone from manufacturing can audit purchasing, someone from sales gets to audit design engineering, someone from customer service can audit sales.

Although it is important to maintain impartiality of auditors, this is one technique that a certification body employs which can be successfully mimicked. Certification body auditors are qualified by industry code (EAC/NACS, etc.), which means, in broad terms, they have experience in that sector or industry. So, why not consider that internal auditors should have a passable knowledge of the process/function they are assigned to audit?

Although many will say internal audits are a process and should be measured, experience tells us that there are no meaningful metrics to show they are effective. Some have suggested that the number of nonconformities, or conformity to an audit schedule, is a measure of internal audits; however, what is a ‘good number’ of audit nonconformities? 1 or 10? Indeed, since the requirement appears in the measurement and monitoring section of the ISO 9001 standard, audits are themselves, part of measuring and monitoring. The best we can hope for is that the organization’s management takes an active, leadership role in deciding what and where internal audits should be performed.

Management Review (9.3)

Another requirement of ISO 9001:2015 – and its predecessors – that has failed to be realized for the benefit it provides is that of management review of the organization’s QMS. While there may not be a lot of myths about it, those strike at the fundamentals of the purpose, participation, and timing of the review.

One way to consider management reviews of the QMS is to think of them as a navigating exercise on board a vessel, like a yacht.

When starting out on a voyage, it is wise to have a plan (map) and objectives, a way to measure progress, clear responsibilities for the crew, someone in authority (a captain), and resources (trained crew, food, water, etc.) available to support getting to the planned destination on schedule.

Once a course has been determined and plotted, everyone can go about their processes and tasks of sailing the yacht. To ensure that the voyage ends at the planned destination, it will be necessary for the captain to confirm that the vessel is still headed in the planned direction and that weather and tides haven’t moved the yacht from the intended course. In addition, progress should be measured to ensure that the objectives of the voyage are kept in sight and still achievable. Consideration may also be given to the available resources and whether they are sufficient to support the objectives, too. Course corrections may be required, and speed adjustment may be necessary to ensure the journey is completed on time.

Clearly, consulting the map, or checking progress or even waiting until a destination is reached, would be ineffective in ensuring objectives were met; the correct destination may not be reached, resources may be expended before the voyage is completed, arrival may be delayed, and measurements taken during the voyage may not have been accurate.

Of course, at the end of the voyage, it would be helpful to take stock of the situation to see if there were any lessons to be learned. In addition, it would be very prudent to ensure that the plan is consulted at least once or twice while en route to discover any deviations, before they put the voyage in jeopardy. If the vessel is large enough for a crew, then it will be those with assignments (think process owners) who report on the status, the past performance to the objectives set, and any actions necessary.

The same applies to management’s review of the QMS. Once a year is of no value; twice won’t tell you too much more. Quarterly would give opportunities to manage the performance of the processes, taking a timely look at the need for correction or improvements along the way. In fact, there is no need to schedule any review – simply plan them. An effective review of the QMS is the cornerstone to maintaining and improving its effectiveness and while a number of events a year may be planned, others may or may not be needed, when performance dictates.

The idea of reviewing all the inputs would be inappropriate too. Let’s take the actions to address risk and opportunities. If this included, as an example the (biggest) risk of availability of skilled people, then if the organization addresses that risk by developing an apprenticeship program – typically lasting four years – a quarterly review is likely too frequent, and at the end of four years is too late! When indicators are green, a cursory review is appropriate. When some are yellow, then let’s lift the lid and look at those. When a red status occurs, action is necessary, plus a review of those also affected, including the impacts on requirements such as corrective actions, customer satisfaction, and the internal audits.

Process owners should be able to describe their responsibilities for their process, performance to goals, how that’s measured, and what actions are being taken to correct/improve that performance. In this scenario, the internal audits provide validation that the QMS is providing the necessary controls on the processes.

Improvement (10)

We now find the QMS at a point where improvements are required – after all, there is a good chance that something didn’t work out as planned and, even if it did all go well, the organization probably cannot rest on its laurels.

It is, perhaps, notable that ISO 9001 treats nonconformity and improvement in the same requirement. It may need some cultural adjustment by the organization to consider that the idea of correcting nonconformity is improvement. Indeed, if the organization is in the automotive supply chain, it is generally recognized that if a process is not robust, capable, and in control, it isn’t at the required status that will be ready for improvement! This is, in part, due to the need to establish the IQ, OQ, and PQ (discussed previously).

The approach the organization adopts in implementing any improvement should be appropriate to its needs. For example, the Six Sigma methodology can be considered a project or breakthrough type of improvement. People trained and qualified as either black belts or green belts comprise a team of improvement specialists. They participate in a project, following the DMAIC (Define, Measure, Analyze, Improve, Control) steps or similar. Implementation of a Six Sigma project tends to take time to carry out, sometimes running into months, with periods of no improvement, often while the next opportunities are identified. As a result, a typical graph of improvements (measured in savings) over time might look like this step chart:

Figure 4: Graph of improvements

Improvements can also come from small-scale activities, such as the Kaizen events normally associated with the famous Toyota Production System or Lean manufacturing techniques. Kaizen is a Japanese word meaning “change for the better” and focuses on the reduction of waste. Improvement events are often characterized by small-scale events lasting one or two days, which happen regularly – often weekly or monthly. They can be represented by an (almost) straight line. We can see that the net result is the same, in terms of savings over a similar period.

¹ Martin Broadwell c. February 1969.

² ISO 9001:2015. For more information, visit: www.iso.org/standard/62085.html.