In this blog, we'll cover such diverse issues as the myths surrounding document control, measuring equipment calibration, management review and internal auditing. We'll also take a look at the role of the Certification Body/Registrar and what to consider if you're looking for one to work with.
ISO Myth Busters
Helping you sort out the difference between what people do to pass an ISO Audit and what it takes to practically implement an effective Quality Management System
Saturday, July 3, 2021
Welcome!
In this blog, we'll cover such diverse issues as the myths surrounding document control, measuring equipment calibration, management review and internal auditing. We'll also take a look at the role of the Certification Body/Registrar and what to consider if you're looking for one to work with.
Thursday, July 1, 2021
Document Control? Follow the Money!
Previous versions of ISO 9001 detailed the need for a Quality Manual, documented procedures and, at the process-control level, work instructions. It may be noted that these types of documents are no longer prescribed by the international standard, ISO 9001:2015. Now, it is left to the organization to decide what is needed based on an understanding of multiple factors.
WHAT DO YOU KNOW ABOUT CONTROL?
This lack of prescription is a major departure from previous ISO 9001 versions. However, once an organization has determined specific documentation is useful, that documentation must still be controlled to an extent. The need for control is something that hasn’t (substantially) changed since ISO 9001 was first released in 1987. Yes, the requirements for controlling documentation are now defined in a clause entitled, “7.5 Documented Information,” but the details of what constitutes the control of documentation are very similar to earlier editions.
The actual requirements for the control of documented information are found in subclause 7.5.3, where it defined what “control” should ensure:
- Availability and suitability for use, where and when it’s needed
- Adequate protection (e.g. from loss of confidentiality, improper use or loss of integrity)
Furthermore, the clause goes on to require the following activities to be considered:
- Distribution, access, retrieval and use
- Storage and preservation
- Control of changes
- Retention and disposition
There’s nothing on the level of rocket science here, yet a review of ISO Certification data shows this is a “target-rich environment” for (external) audit findings. Could it be that the controls an organization implements are too rigid? Have we complicated this simple concept?
If we stop to think about the basics of controlling documents, we need look no further than the bank notes in our wallets, purses, pockets and under the mattress! These are controlled documents that comply (through minting and banking processes) with the activities and requirements previously listed: They are available, protected (from counterfeiting), distributed and change-controlled (with obsolete versions of bank notes being dispositioned as “destroy by incinerating”). All these are controlled by the document source, through some network of people who are responsible for a degree of document control but without the fullest authority for the bank notes.
Throughout the years, as ISO 9001-compliant Quality Management Systems have been implemented by thousands of organizations around the world, the associated documentation and controls often have created monsters that must be fed. You can spot the monsters very easily when you know what to look for, as they tend to make things much more difficult than necessary. Often, people avoid the controls altogether…
DOCUMENT NUMBERING
Quality management documents frequently bear arcane coding to distinguish the type of document and other parameters. Below is a common example:
0012009 AE 2022010 AC
Broken down part by part:
- The first block of digits is the Julian date: January 2009
- The next block with letters represents the quantity of documents created on that date
- The third block of digits is the date the document was modified: 2/02/2010
- The fourth block identifies the specific documents revised on that date
Pity the hapless user who tries to locate the “sales quote form” from a long list of similarly coded paperwork…
CONTROL OR UNCONTROL, THAT IS THE QUESTION
Organizations faced with compliance to ISO 9001 may have to consider a massive pile of “legacy” documents created in previous years of doing business, wondering, “Do we really have to follow all those controls on these old documents?”
When faced with the potential of codifying hundreds or even thousands of these legacy documents, especially if using the method shown earlier, it becomes obvious that a simpler control solution must be chosen. Some then decide, “Let’s make them uncontrolled!” After all, “control” is a bear. What could be easier than somehow identifying documents as “Uncontrolled – For Reference Only”? Therein lies the trap.
The bait in the trap is the phrase, “For Reference Only.” Think about it – why else would a document be used? Indeed, communities have places where books are stored for exactly that purpose – for reference (in a reference library). We trust that the reference books kept there are the correct version, the latest information and so on. But wait! If we then want to identify the same document as “Uncontrolled,” it’s now untrustworthy - unapproved, not the latest version, changed or something else.
It’s no wonder the people using the documentation of the Quality Management System get so confused when they’re tasked with such a mind-warping challenge! The real, simple answer can be found in your wallet!
Spinning Around with Records?
In another post, I related ISO 9001 documentation to both the Pyramids of Giza and currency. Now, let's turn our attention to what is referred to as “retained documented information,” or more commonly known as “Quality records.”
The international standard for Quality Management, ISO 9001:2015, references the term “retained documented information” no fewer than 24 times. In addition to these required areas, an organization may have extra records which are generated as a result of doing business and, therefore, included in Clause 4.4.2., Quality Management System (QMS) and Processes.
Despite its extensive presence throughout ISO 9001:2015, there’s long been some uncertainty regarding what exactly a documented record is. Many heads have spun trying to make this important distinction, with confusion stemming from a few clichés born out of earlier versions of ISO 9001:
- “Say-what-you-do, Do-what-you-say” – This saying caused people to create a lot of manuals, procedures and instructions that formally “recorded” what was happening in the organization, where no records previously existed. In the past, such a mantra may have been enough to pass a certification audit, but that’s not the purpose of using ISO 9001. Implementing a QMS to comply with the 2015 version requires much more than simply documenting what’s done today.
- “If it isn’t recorded, it didn’t happen” – This is partly true, however it misses the point. Records were required in all previous versions of ISO 9001, but it was only recently that the real purpose of keeping records – other than to pass an audit – was made clear. The generation and retention of records is key to determining the performance of the QMS; it requires an organization to define quality objectives while fulfilling the need for analysis and evaluation of data and information.
Documented information can be simplified as existing in two fundamental categories:
- Planning documentation, or documents created as an intention to do something, and
- Results documentation, or documents created to show that what was intended to happen actually happened
Most of us are familiar with both types of documentation. When we buy or lease a car, there’s often a sizeable package of documents that describe, in one form or another, information regarding the effective operation/ownership of that car. Included in this documentation is a schedule detailing the extent and frequency of the required preventive maintenance to support the driving experience. On each visit to the dealership, a comprehensive note with key data regarding the service(s) provided is taken by the dealer’s service writer, including:
- Customer information (address, phone number, signature, etc.)
- Car information (VIN #, make/model, mileage)
- Service to be performed (oil and filter change, tire rotation, etc.)
Upon completion, the service writer produces a copy of the original detailed notes, adding the details of what was done by the service technician, including:
- Technician information (name and license #)
- Work performed (oil grade and quantity, filter type)
- Measurements made (tire tread depth, brake pad thickness, tire pressures)
- Additional information (recommendations for additional work needed, campaign/warranty work needed, next service mileage)
These service records – normally maintained by the dealer on their computer network – provide useful information for the owner, dealership(s) and even future purchasers (in the event the vehicle is sold later) to effectively build confidence that the requirements have been satisfied. As an example, it’s rare to find a pre-owned car or truck for sale without a “CarFax” report – a detailed record of the life history of the vehicle.
Using Records to Improve the Business
Philosopher and writer George Santayana is credited with saying, “Those who do not learn history are doomed to repeat it.” Records contain invaluable information about the historical performance of the QMS. If an organization takes the time to evaluate this data, past mistakes can be avoided and cost benefits realized. After all, you wouldn’t take your car in for an oil change before it’s due!
For example, say an organization buys top-of-the-line torque wrenches and has them calibrated at an ISO/IEC 17025 accredited calibration laboratory every year at a cost of $110 each, which includes the usual data from the calibration activities. A review of the “as found” condition from more than five years’ worth of data shows there had been no real change in performance and no adjustments were necessary. Essentially, the records showed that the costly calibration was not needed every year. This could have added up to hundreds of savings on just one wrench alone.
Similarly, when one larger manufacturer analyzed the reasons for product rejections, they uncovered an estimated $8M savings in administrative costs alone, which were associated with processing non-conforming products. These savings likely never would have been identified without having detailed records in place.
Rather than simply maintaining documents just to pass an audit, consider dragging out those old records to get a look at the company’s past to find new opportunities for growth and stop repeating history, like a record spinning ‘round and ‘round…
“You spin me right round, baby
Right round like a record, baby
Right round round round
You spin me right round, baby
Right round like a record, baby
Right round round round”
-“You Spin Me Round (Like a Record)” by Dead or Alive
Is Your Quality Policy Exceeding Your Abilities?
Policies. Every day we are governed by them. They provide direction to us on a wide variety of issues at work: the way we dress, the way we act, who gets hired, when/where we can eat, drink and smoke, or which websites we can access on our computers. These policies often are expressed in simple terms for everyone to understand and implement. “No smoking.” “Mask required.” “No open-toed shoes.” We are all familiar with these.
According to Wikipedia, a policy is, “a deliberate system of principles to guide decisions and achieve rational outcomes.” Although this definition sounds straightforward, many organizations struggle when it comes to creating a relevant Quality Policy statement, as defined in ISO 9001 Section 5.2.1. This requires organizations to fulfill the following conditions in their policies:
“Top management shall establish, implement and maintain a policy that:
- Is appropriate to the purpose and context of the organization and supports its strategic direction
- Provides a framework for setting quality objectives
- Includes a commitment to satisfy applicable requirements
- Includes a commitment to continual improvement of the quality management system”
Knowing this, why is it that things often go awry when trying to establish and maintain a Quality Policy? To better understand this phenomenon, let’s consider common wording found in most quality policies: “We strive to meet and exceed customers’ needs and expectations.”
DIGGING DEEPER INTO ‘THE NEED TO EXCEED’
At first glance, this phrase appears to be appropriate to include in a Quality Policy. However, when compared closely to the requirements listed above, this might not be so true. In considering the first item of the requirement, the policy to “meet and exceed” may not always be “appropriate to the purpose of the organization,” however laudable the intention. Imagine this situation:
A customer orders a burger and fries at a fast food drive-thru. In response, the cashier asks over the speaker, “Would you like a glass of Merlot with your burger?” Is this congruent with the customers’ needs and expectations? Or the organization’s strategic direction? Probably not. The customer needs and expects just what they ordered – nothing more, nothing less.
Wikipedia goes on to mention that policies can have unintended effects: “The policy formulation process theoretically includes an attempt to assess as many areas of potential policy impact as possible, to lessen the chances that a given policy will have unexpected or unintended consequences.” Applied to the above example of “meeting and exceeding customer needs and expectations” at the drive-thru, it is possible to see how there might be some unexpected and unintended consequences.
Depending on where your business sits in the supply chain, just doing what the customer asks is fine for many organizations. Of course, through the sales processes of quoting and order taking, customers might be advised what is (commercially) achievable from an organization, so that the third item from the ISO 9001 policy requirements is followed – “satisfying applicable requirements.” However, care should be taken not to over-commit to something the organization is unprepared to deliver. Here, it is best to follow the motto of, “Under promise, over deliver.”
HOW ‘SMART’ IS YOUR POLICY?
Once the policy is effectively written according to the requirements, how can we be sure it’s being successfully adopted? Many policies are readily observed, for example the ‘no smoking’ policy, the personal protective equipment policy, equal opportunity employment, etc. How is a Quality Policy demonstrated as being effectively implemented?
One way to measure this is to apply SMART objectives, which are Specific, Measurable, Attainable, Realistic and Time-Based, in accordance with the Quality Policy, such as the second requirement listed:
b) Provides a framework for setting quality objectives
If an organization has a Quality Policy that is truly aligned with the needs and expectations of the customer, the fundamental principles of “On Time, In Specification,” or OTIS, can be applied across various functions and processes of the organization:
- Sales – quotes are accurate (in spec.) and delivered to a customer on time
- Manufacturing - processes produce product (in spec.) on time
- Maintenance - keeping equipment running (in spec.) and performed on time
- Training - ensuring people are competent to do their jobs (in spec.) when they need it (on time)
- New Product Development - creating products (in spec.) released on time (time to market)
- Shipping – delivering the right product (in spec.) on time
These SMART objectives provide a method for tracking and measuring performance to determine how successful the application of the Quality Policy really is. Targets may be established, for example, for 93% on time, 98% first pass yield, etc., for precise goal tracking as well.
THE FINAL STEP: KEEP IMPROVING
Peter Drucker, noted management consultant and author, often is credited with the quote, “If you can’t measure it, you can’t improve it.” This leads to the final requirement of ISO 9001’s Quality Policy:
- Includes a commitment to continual improvement of the quality management system
The established Quality Policy should drive the need for improvement. It has never been sufficient – in any sized business – to rest on the laurels of what brought success. There must be growth and improvement. Rarely are customers’ needs, let alone expectations, always met, so we should be driven to continuously analyze performance to look for ways to improve all business processes.
Sunday, June 21, 2020
Got No Time For ISO 9001 Quality Systems? Maybe You Need a Time Machine!
The meaning behind the song’s lyrics, while strongly applicable to everyday life, also is an apt description for the way certain clauses of ISO 9001:2015 are implemented. Often, requirements including Management Reviews, Internal Audits and Calibration of Measuring Equipment are planned according to a misperception that they must be conducted at certain intervals, generally throughout a calendar year.
However, an examination of the relevant clauses reveals there is zero mention of when to implement the requirements, as seen below.
7.1.6 Monitoring and measuring resources
“…calibrated…at specified intervals…”
9.2 Internal audit
“…conduct internal audits at planned intervals…”
“…an audit program(s) including the frequency…”
9.3 Management review
“…at planned intervals…”
Of course, there may be external influences that impact when these parts of the Quality Management System (QMS) are implemented. Your contract with a Certification Body, for example, might set additional guidelines requiring you to audit the whole QMS in one year. However, in my experience, when organizations choose to adopt a simple time-based approach to implementing these requirements, significant opportunities are lost and costs incurred which may have otherwise been avoided.
In one situation, a company bought the best (and most expensive) torque wrenches they could find, sending them to an ISO/IEC 17025 accredited lab for calibration every year thereafter. A quick review of calibration results obtained over the next five years revealed no appreciable change in the “as found” condition compared to the previous “as received” condition. So, why bother sending them out at all? Aside from an arbitrary schedule telling them a calibration was due, there was no reason or need to continue having them calibrated in this way.
Consider another instance where, due to the frequency of use, a thread plug gauge was becoming worn out of specification in a matter of a few months. But, because the organization only checked equipment on an annual basis, the worn out gauge was in use for eight or nine months longer than it should have been, with potentially damaging results in that period.
A further example is when an organization chose to internally audit their management system according to a 12-month calendar. In July, most assembly workers left for vacation and were back-filled with seasonal workers for the first two weeks of the month. The impact on product quality was predictable – resulting in increased rejections, rework and delays. Did the internal auditors ever audit the training process to see if it was actually used during this time? No! Because the schedule arbitrarily directed them to only audit Product Identification (which had never been an issue) in that month. Clearly, despite the audits being completed according to plan, they were almost a waste in determining the cause of the problems in July.
Management Review is a key function of the QMS and, as such, should be employed as a means to examine business operations, identifying the status of plans, related performance and actions needed to keep the organization on track. This is particularly important when encountering situations that are, by their very nature, not what was planned to occur. Since these perturbations in business performance are rarely experienced at a predictable point, management’s review shouldn’t be done to simply satisfy a calendar.
If any organization implementing an ISO 9001:2015 compliant QMS finds themselves doing mundane things simply “because ISO says so,” there’s a good chance management should revisit their understanding of these ISO 9001 requirements. Otherwise, they are at risk of becoming just like the rest of the song:
“Fritter and waste the hours in an offhand way.
Kicking around on a piece of ground in your home town,
Waiting for someone or something to show you the way…”
Tuesday, April 30, 2019
All Internal Audits Are Process-based? Er, No...
A customer or regulatory requirement - which might be implemented in select parts over one or more process;
A physical area or location - a warehouse, for example
A specific requirement of ISO 9001 - if it is new or changed
A project: improvement, product design, new technology etc
A specific activity as part of a bigger process.
It's quite reasonable - if there's a clear justification - for choosing any focus for your internal audit programme. After all, ISO 9001 does say process MUST be audited and external auditors can't dictate requirements. Try it! You might just like it and find it useful!
Saturday, March 30, 2019
WTH? A Useful Quality Manual?
Welcome!
Welcome to the "ISO Myth Busters" Blog! With over 30 years of Quality Management System's experience, I enjoy sharing my ...
-
Welcome to the "ISO Myth Busters" Blog! With over 30 years of Quality Management System's experience, I enjoy sharing my ...
-
Previous versions of ISO 9001 detailed the need for a Quality Manual, documented procedures and, at the process-control level, work instruct...
-
In another post, I related ISO 9001 documentation to both the Pyramids of Giza and currency . Now, let's turn our attention to what i...