Wednesday, September 25, 2030

Welcome to the "ISO Myth Busters" Blog!

With over 30 years of Quality Management experience, I enjoy sharing my knowledge with those who are seeking answers or a better way to implement ISO 9001 requirements. For too long, there have been myths and legends about how to implement a variety of requirements from the International Standard. These myths and legends often come from the need to pass an ISO Certification audit, and, go along with the "Say what you do, Do what you say" mantra coined during the early 1990s.

In this blog, we'll cover such diverse issues as the myths surrounding document control, equipment calibration, management review and internal auditing. We'll also take a look at the role of the Certification Body/Registrar and what to consider if you're looking for one to work with.

I hope you'll find the posts to be helpful, that people will contribute to the posts and create enjoyable discussions and that we'll all learn. So, let's make a start on busting the first myth:-

ISO 9000 Means 'Say What You Do, Do What You Say'...NOT!

In my view, nothing could be further from the truth! The implementation of a Quality Management System, to meet ISO 9001:2008 requirements, takes a lot more than simply writing down what the organization does!

This phrase was, I believe, taken by early adopters of Third Party Certification. It is true to say that much of what ISO 9001 requires to be included in an organization's Quality Management System, may be based on what's institutional to an organization and should be documented in some form. It is, after all, what's made the organization successful and could be captured as the basis for improvement etc.

As an example, a printed circuit board supplier used by my employer during the 80s, had a phenomenal system for reviewing customers' supplied artworks and specifications. This supplier simply knew, from hard won experience, that what they were given by their customers simply couldn't be used for fault-free manufacture. Once received, their process engineers would review what the customer supplied for clearances, alignments, potential plating problems - in fact all the features that could cause quality problems. They listed these issues and communicated them back to the customer for approval to continue, or allow them to engineer an appropriate solution. In such a case, this process of review would have been satisfactory to document as it was practiced - to meet ISO 9001:2008 7.2.

You Can't Simply Write Anything, Y'know!

By contrast, there are quite a number of specific requirements in ISO 9001:2008 which are not institutional, so there maybe no clearly defined practice, methodology or process to document! Take internal quality management audits for one:

When did any member of an organization leap out of bed, in a "Eureka" moment, and decide that internal quality audits would be worth doing? It took the need to comply with ISO 9001 before the organization found some training (or similar) and started implementing them. Hardly a 'say what you do' scenario!

The same is true for corrective action, for preventive action (rarely is this requirement understood at all well) and the (key) requirement of performing management reviews. Such requirements are not normally practiced sufficiently well to be regarded as needing only a written procedure or process. Typically, processes are incompletely and/or ineffectively implemented, especially when compared to the full ISO 9001 requirements. Therefore, some form of planned action is necessary to ensure these deficiencies are addressed, and subsequently documented, as a means to capture what's now known to work.

Don't Document Things For the Mary Celeste!

In the early versions of ISO 9001 (the 1987 and 1994 revisions) the need for effective management systems was not specified clearly enough to help us. As a result, organizations often created masses of documentation which described, in painful detail, what was actually being done - and without much thought for practicality or effectiveness. Instructions are documented to a level of detail, such that "if everyone got sick, you could hire new people without an impact on quality". How bizarre! To my knowledge such an event only happened once, on the Mary Celeste and I doubt if writing things down would have helped anyone who found her!

With the advent of the year 2000 revisions, the addition of clear quality objectives and measurement of processes, ensures the organization must now be able to demonstrate an effective management system and therefore, actions must be taken to ensure that what is defined and documented actually delivers results.

As much as 20 - 25% of the ISO 9001:2008 requirements may not have been effectively implemented in an organization. Just as an architect designs a building, only when all the client requirements are well understood, along with a detailed understanding of the actual building construction, materials, building codes and usage, does he begin the design process.

It's the same concept with the design of a Quality Management System.  No-one should start to document a process, if you have only a sketchy idea of what's really behind the requirement! We'll cover this topic at a later date.

I hope this initial blog entry has shown "where I'm coming from" on the subject of ISO 9001 implementation and Quality Management Systems. Keep an eye open for more posts with a different twist on ISO Myths

Tuesday, November 10, 2015

What Will The ISO Auditor Ask?

It seems that, since Third Party Certification became an option to demonstrate compliance to a standard such as ISO 9001, ISO 14001 etc., it's been common for organizations to try and determine what a Certification Body (aka "Registrar) will ask during their audits. As a consultant, I've been asked many many times, "What will the auditor ask for?" or "How will they interpret this requirement?"

The simple - but unhelpful - answer is: "Who knows?"

The fact is, each auditor has their own unique approach to the auditing process, so it's very difficult to predict what any individual is going to ask about the management system.

It has been common, since Certification audits began, to prepare employees to answer a Certification auditor's questions. This preparation might include strict instructions:

  • Answer only the question you're asked
  • Don't elaborate
  • Don't try to answer if you don't understand the question
  • Don't give your opinion
  • If you don't know, refer the auditor to your supervisor
These "rules of engagement with the auditor" are often seen at work stations, posted in office cubes and so on. In a previous career as a Certification Auditor, I can tell you that when this approach is adopted, it can make employees overly anxious and nervous - and frankly - a good auditor will be totally able to overcome this apparent "stone-walling". In many cases, it can bring down what could have been an effective audit because communication becomes ineffective. It really is playing games, whether it's understood that way or not. And even the best of auditors will struggle to keep a smile on their face. Let's face it, this is not supposed to be an interrogation where the Geneva Convention rules apply: "Name, rank and serial number..."

A far better way to answer the imponderable question "What will they ask" and avoid any negativeness from a Certification auditor, by "stonewalling", is to do the following:

  • Take control of the audit, take the auditor to a person to...
  • Have people explain what they do, then
  • Have them demonstrate how they do it
  • Describe how the process is controlled through any applicable documents
  • Explain what they do when things might go wrong (if applicable)
  • What records are generated (if applicable)
  • If the process is performing as planned to the established goals (if applicable)
  • Their contribution to customer satisfaction and improvements
I'm not a big fan of people being able to whip out a card and recite the quality policy - it's often trite and meaningless (the policy, I mean) so what does it prove?

By taking control of the audit in this manner, the outcome of the audit will become more predictable, the auditor doesn't get to ask (obviously) dumb questions, it makes it easier for them to just audit (which is, after all, a listening activity for which they need to remain silent). As a result, the auditor gets a good feeling that this isn't going to be "one of those audits", where people don't answer freely. This automatically raises the auditor's perception in a positive way. They are able to listen, take vital notes and the pressure to be thinking of the "next question" become less of a burden.

In fact, it's less to do with "passing the audit" and more about the organization actually confirming that it has competent people, who know how to control their processes, what to do when something unplanned happens and so on - vitally important to any organization, whether they are going for ISO Certification or not. Every manager and supervisor should have confidence that their employees know their stuff!

I'd suggest that if your organization has prepared for a Certification audit, that you seriously rethink why you are doing it at all. You are probably avoiding a real issue - that of demonstrating leadership and confidence in your process controls. Imagine if a customer was hearing your people answer "just the question asked", instead of confidently describing what's done, why and how it meets their needs. I know which I'd be more impressed with, in all three roles - auditor, manager and customer.

Thursday, October 29, 2015

ISO 9001:2015 Is here! New Myths Being Created While You Read!

Back in September, the latest revision of ISO 9001 was published (technically, September 15th). Since social media is used much more than it was back when the previous revision - the year 2000 - there's been a greater amount of discussions on various platforms such as LinkedIn, Twitter, Youtube etc about what's in each iteration of the drafts, prior to publication than we had back in 1999.

The standard has been revised heavily and now looks quite different when compared to the previous edition, ISO 9001:2008. This is due to the adoption, by the writing committee ISO/TC 176, of the so-called "Annex SL" High Level Structure.

Annex SL

This is the title of the internal-to-ISO document which defines the structure or format of standards and helps with the alignment of topics or requirements across a range of management systems requirements, such as ISO 14001 (Environmental), ISO 27001 (Information Security) and so on. Instead of hunting through the clauses, it's a lot easier to locate, for example, the internal audit requirement. (9.2.2). The adoption of the Annex SL is primarily intended to allow for easier integration of management systems' requirements. An example would be the merging of a product Quality Management System, with an Environmental Management System.

Annex SL is structured around 10 headings, whereas the 2008 edition of ISO 9001 has 8. One thing that's also notable is that the heading names are quite different.


"We'll have to renumber our Quality Manual to map to the new structure, to show the CB auditors how we address each ISO requirement"


Although the new edition doesn't make a quality manual a requirement (keep an eye open for another blog post on this topic) if an organization decides for one reason or another, to have or retain a quality manual, it doesn't need to follow the format of the 1-10 headings or clauses of ISO 9001. Indeed, even the supporting Quality Management Documents don't need to reference the new clauses of the international standard, either. It's a lot of work, doesn't add any value in real terms for the users and, more importantly, the mapping of requirements to the Quality Management System can be done much simpler and without involving a lot of work.

If a table or document tree is created (in Excel or similar) to cross reference the various documents which currently exist or have been (newly) created to meet the various clauses and sub clauses, it can be used by anyone who needs to know what's been mapped to what ISO 9001 requirement.

While we're on the topic of the Quality Manual, it's gone! Yes! There's no longer a stated requirement for the organization to have a Quality Manual. What were the Technical Committee thinking when they dreamed THAT one up?

If we reflect, for a minute, it may not have been such a bad thing. Let's face it. Most organizations have something which slavishly emulates the layout and content of the actual ISO standard itself. In many cases, just a simple substitution for key words and phrases has been made - for example replacing "The Organization" with "Company X" or something similar. Who wouldn't want to get rid of it?


WooHoo! We can get rid of the Quality manual. No-one reads it anyway, except for the CB auditor".


Whoa there! Before you go consigning the Quality Manual to the recycling/bonfire/shredder, consider this:

Is it the Quality Manual which is the problem? Maybe it's the content which puts people off reading it. After all, if it's 30+ pages long, or uses terminology of the standard maybe THAT's the issue to address. After all, what organization calls their Engineering or Operations functions "Product Realization"? On top of that, there's some weasel words in the standard, too. "Where applicable" and similar terms are scattered throughout, so how is a reader to determine when it is applicable?

Let's revisit the whole idea of a Quality Manual for a minute - with a clean slate.

The "Context of the Organization" is key.

If we consider for one minute, a new requirement of the "Annex SL", which is termed the "Context of the Organization", we might give some thought to the position the organization holds in the market and what they have identified as the needs/expectations of their so-called "interested parties". These might include:
  • Customers and their representatives
  • Regulatory bodies and their representatives
  • Employees
  • Stakeholders
There may well be an expectation or need for some kind of quality manual to be maintained to satisfy one or more of the above. Long before ISO 9001 and certification by 3rd parties came along, it was common practice to create and maintain a document which was very like a quality manual, even if it wasn't actually called that. Furthermore, employees might find one useful, too!


If the context of the organization is properly understood, then creating and maintaining a document - call it a Quality Manual if you wish - which describes the organization, key processes, links to common organization-wide processes and much more may well be seen as a value proposition and not something done "to keep an external auditor happy".

Sunday, November 13, 2011

A Rose By Any Other Name

Previously, we discussed the fact that ISO 9001:2008 requires documentation of the organization's Quality Management System, including a Quality Manual, some procedures, and probably other types of documents of an indeterminate type. The need for any form of documentation is actually defined in the standard, under 4.2.1, in the phrase "documents...determined by the organization to be necessary to ensure effective planning, operation and control of its processes. This gives people quite a lot of freedom to create whatever quantity, content and format of documents it chooses, especially if they choose NOT to be constrained by the hierarchical "pyramid" we discussed previously.

We've established, in a previous blog entry, that the need for and content of many documents is going to be, in good part, dependent upon the competency of the people who use them. In general terms, the higher the competency of the person using documents, the less detailed the description in the document needs to be. A key consideration is that someone will probably figure out pretty quickly what the document is about, if they are competent.

Try this simple example; write down the preparation and cooking of scrambled eggs - for yourself! How detailed would such a task need to be for someone with experience in a kitchen? These are fairly simple concepts and practices, so why do people make the creation of "ISO" documentation so complex?

Form Over Function?

Where people start going off the rails in the design (format) of their Quality Manual (see 4.2.1.b). If we take a look at the ISO 9001 section which defines what should be included in a Quality Manual (4.2.2) it says:

"The organizations shall .... a quality manual that includes:-

a) the scope of the quality management system (and some stuff we won't concern ourselves with here)

b) the documented procedures - or reference to them, and

c) a description of the sequence and interaction of the QMS processes"

Pretty simple, really. If we add a couple of other requirements of ISO 9001 which would seem appropriate to include in such a manual:
  • and organization chart or some way to show who 'top management' are (5.1, 5.5.1)
  • the Quality Policy (5.3)
  • Quality Objectives (5.4.1)
  • Who the "Management Representative" is (5.5.2)
Then, maybe assign a page to each of these (which might be considered overkill), adding a nice cover page, we have a total document of some 7 pages. Going beyond what ISO-says, perhaps including some really useful information, like a description of the history/background to the company, details of markets served, products, office/factory locations, contact details, including a web address etc. we might expand it to 10 pages.

One example of an ISO 9001-compliant Quality Manual I saw was actually a tri-fold, made from an 81/2 x 11 sheet. It was prepared in the same way as a company marketing brochure might be, from the front outer cover showing a photograph of the building, the 4 "inside" pages containing the "ISO stuff" and the back page being a map, address, phone numbers etc. What a good looking, useful and very readable document! Imagine being given that on your first day at work, or as a potential customer...

It's interesting, then, to note that in spite of these (minimal) requirements, many people create (or even buy) a document which closely resembles the layout of the ISO 9001 standard itself. Since the Quality Management System is supposed to describe the key or core processes of the organization, which are responsible for determining customers' requirements, through to delivering product/service to those customers, and also the process which support and enable the key/core processes, why use ISO 9001 as a template? It clearly isn't laid out in this manner! 

If we take a look at other types of documents the standard mentions (or people think are necessary), it's common to employ the following format for procedures and work instructions, which often  includes:
  • Purpose
  • Scope
  • Applicability
  • Definitions
  • ISO 9000 reference(s)
  • Responsibilities
  • Flow chart (possibly)
  • Procedure
  • Records
  • Change History
In one (extreme case), even the office stationery needed to complete the work was listed!

Good grief! Look at how much "stuff" has to be waded through before any mention of a procedure is made! Plus, with all this content, how many pages are the result? No wonder people have heard that "ISO" is a paperwork nightmare!

Good Design - You Know It When You See It!

Rigorous adherence to a format is NOT what is required. Well communicated requirements and controls are! The documented management system is a product first and foremost. And good product design considers, first and foremost, the needs of the user. In fact, good product design is elegant! If you look up “elegant” in a dictionary, one of the definitions is:
"gracefully concise and simple; admirably succinct"
Notice it doesn’t just say “concise” or “simple” or “succinct”, but “gracefully concise” and “admirably succinct”. And, for many of us, we know it when we see it. Consider Apple products, if you want a really good example. People actually get "carried away" with their ownership of Apple iPhones, Macs etc. OK, so maybe that's a little extreme as a comparison for QMS documentation, but why shouldn't an organization strive to make its documentation at least "friendly" to users? Why does everything have to be forced to fit this structure?
The answer is, of course, that it doesn't. Now, we all use documentation in our everyday lives - outside of any ISO based QMS - without the need for an similar format. Take, for example a humble bank note, or a bus or train ticket. Often they contain a lot of information. Some of it is for us, some used by the issuing agency. Do they need the structure above, to enable them to be used by a huge population of users with all levels of education etc?

Frankly, I see no real reason to force such a set of descriptors on what should be simple documents. What are we attempting to use QMS documents for? Convey the requirements for effective process "planning, operation and control", elegantly...

Sunday, October 23, 2011

Save the Pyramids for the Pharaohs!

If one word is (over) used to describe the implementing of an ISO 9001, Quality Management System (QMS), it's "documentation". A lot of peoples' perception is that complying with the ISO standard is all about creating and maintaining documents—lots of documents.

Although the early versions of ISO 9001 were prescriptive in making it necessary for many "documented procedures", the current International Standard doesn't rely so heavily on the need for them, leaving it up to an organization to decide what is necessary to maintain effective control over its business processes. Indeed, the ISO requirements are worded in a manner to allow an organization the freedom to decide how and what requires to be documented.

Somewhere To Bury Your Documents?

In the early years of ISO 9001 implementation, the visual metaphor of a pyramid became common to describe the multiple levels of the Quality Management System's documentation, probably because the early ISO 9001 requirements referred to procedures in nearly every section and, in one, the need for work instructions (..."where the lack would adversely affect quality"). 

As a result, and somewhat in line with the "Say what you do, Do what you say" mantra, many organizations chose this format (or something similar) for its Quality Management System structure: 

Level 1 - Quality Policy Manual

Level 2 - Quality Operating Procedures

Level 3 - Quality Work Instructions

Level 4 - Quality Forms/Quality Records

A feature of this hierarchical approach is that the amount of detail in the documents becomes greater, from the top of the pyramid to the bottom. That is to say, the policy manual says very little about the details of the processes of the organization, the procedures say what is done within a process and work instructions describe how the process is performed at a task level. As a result, the value of some of the documents is lost. Take for example the Quality Manual. Typically, the Quality Manual is a regurgitation of the ISO 9001 document, with key words changed to make it look more like the organization actually wrote it. Often, the terminology from the standard remains substantially unchanged, which is a bit like putting a square peg in a round hole!

Procedures are often written around the requirements of the ISO standard or a department, rather than describing a process, which may require multiple parts of the organization to be involved in. This writing of departmental procedures tends to reinforce the "silo effect" from which organization suffer. 

Another aspect of using levels of documentation which really indicates that it's not a good "fit" is the commonly asked question; "Is this document a procedure or a work instruction?" Of course, the reply should be "Does it matter what it's called?"

The pyramid diagram even appeared in the (now obsolete) North American Automobile Industry's Supplier Quality Requirements document, known as "QS-9000", which was based on ISO 9001:1994 and, as a result, tended to add the endorsement of the "Big 3" automakers to such an approach.

Happily, ISO 9001:2000 was a major departure from the emphasis on documents and shifted away from each requirement stating a documented procedure was required, to requiring just 6 procedures—leaving the implementing organization to determine what others might be needed, if any. Emphasis is placed, instead, on having defined processes which opened up lots of opportunities to think "outside the pyramid" (so to speak) and completely revisit the whole role that documentation plays in a Quality Management System.

It's also unfortunate that many organizations - who previously implemented the procedure-heavy ISO 9001:1994 requirements—simply re-numbered their documented Quality System to align with ISO 9001:2000. In doing so, they missed a great opportunity to change the 'architecture' of the Quality System and relieve themselves of the constraints the pyramid places on them. Instead of maintaining a bureaucracy, the documentation could have been revamped into something which better represents the needs of the organization.

Beauty Is In the Eye of the Beholder

Good (product) design is a rare thing. It blends many requirements, including style, usability, performance to name just three. Consider great designs like the Fender Stratocaster guitar, original Morris 'Mini' car, Sony Walkman, Apple iPod and so on.

If the Quality Management System is considered to be somewhat similar to a product design, using a pyramid for the basis doesn't make much sense! Each organization has different needs for it's QMS and using such a "cookie cutter" can't provide for them. After all, the manner in which an organization operates is generally along its processes which:
  • Add value to the Customer, in transforming materials, information etc. into what they need
  • Add value to the organization, in supporting those processes needed to satisfy the customers' needs.
These processes are often considered as running "horizontally" through the organization, across functions and departments, from the point at which customers' needs are identified, through delivery to the customer. The documents used often provide information to enable the organization to process products and other information. So, why shouldn't the model for the Quality Management System structured horizontally?

A clue is found in the ISO 9001 requirements for the QMS, namely 4.2.1 which states (in part) that the organization should determine the "sequence and interaction of the processes" of the QMS. By choosing to map the business processes, it can be decided what documents are needed to define the inputs, process controls and outputs for the various processes. An ISO Guidance document was created to give assistance.

A form, previously called a "level 4" document, may be completed as the input to a process which may have been created as a "level 2" document. The output of the process may be the same form, with more information added - an approval for example. No "level 3" document may have been needed by the person completing the process, because of their competence in the tasks. This vitally important influencer of documents was, previously, not considered. It may also be that to complete a process, a checklist—which might have been a "level 3" document or "work instruction"—is used to describe the various steps of a process and is completed (checked off and information recorded on it) as the process is performed. Now, we can understand peoples' confusion with how to pigeon-hole documents by level.

By approaching the task of documentation based on the needs of the organization and its processes, it's not the level in some arbitrary hierarchy that's important, but the use of the document in ensuring effective process control and (QMS) performance.