Welcome!

Welcome to the "ISO Myth Busters" Blog!

With over 30 years of Quality Management System's experience, I enjoy sharing my knowledge with those who are seeking answers or a better way to implement ISO 9001 requirements. For too long, there have been myths and legends about how to implement a variety of requirements from the International Standard.

These myths and legends often come from the need to pass an ISO Certification audit and as a result, people get the wrong ideas about what implementing an ISO 9001-compliant Quality Management System is truly about.

In this blog, we'll cover such diverse issues as the myths surrounding document control, measuring equipment calibration, management review and internal auditing. We'll also take a look at the role of the Certification Body/Registrar and what to consider if you're looking for one to work with.

I hope you'll find the posts to be helpful. Let's make a start on busting the first myth:-

ISO 9000 Means 'Say What You Do, Do What You Say'...

Coined in the early 1990s (by DuPont de Nemours, I believe), it's more accurate to say that this is what organizations did to pass an ISO 9000 Audit, by a Certification Body/Registrar. Indeed, experience shows organizations created mounds of bureaucratic paperwork - creating a monster which it's still being fed today!

Passing an audit should be about an organization demonstrating that its business processes are defined and, more importantly, in control such that the outcomes meet the "specified requirements" (ISO-speak for what was agreed to, or mandated by regulations)

I hope this initial blog entry has shown "where I'm coming from" on the subject of ISO 9001 implementation and Quality Management Systems. Keep an eye open for more posts with a different twist on ISO Myths

If you spam my blog with your links, they will be removed, so don’t waste your time…

Document Control? Follow the Money!

Previous versions of ISO 9001 detailed the need for a Quality Manual, documented procedures and, at the process-control level, work instructions. It may be noted that these types of documents are no longer prescribed by the international standard, ISO 9001:2015. Now, it is left to the organization to decide what is needed based on an understanding of multiple factors.

WHAT DO YOU KNOW ABOUT CONTROL?
This lack of prescription is a major departure from previous ISO 9001 versions. However, once an organization has determined specific documentation is useful, that documentation must still be controlled to an extent. The need for control is something that hasn’t (substantially) changed since ISO 9001 was first released in 1987. Yes, the requirements for controlling documentation are now defined in a clause entitled, “7.5 Documented Information,” but the details of what constitutes the control of documentation are very similar to earlier editions.

The actual requirements for the control of documented information are found in subclause 7.5.3, where it defined what “control” should ensure:

• Availability and suitability for use, where and when it’s needed
• Adequate protection (e.g. from loss of confidentiality, improper use or loss of integrity)

Furthermore, the clause goes on to require the following activities to be considered:

• Distribution, access, retrieval and use
• Storage and preservation
• Control of changes
• Retention and disposition

There’s nothing on the level of rocket science here, yet a review of ISO Certification data shows this is a “target-rich environment” for (external) audit findings. Could it be that the controls an organization implements are too rigid? Have we complicated this simple concept?

If we stop to think about the basics of controlling documents, we need look no further than the bank notes in our wallets, purses, pockets and under the mattress! These are controlled documents that comply (through minting and banking processes) with the activities and requirements previously listed: They are available, protected (from counterfeiting), distributed and change-controlled (with obsolete versions of bank notes being dispositioned as “destroy by incinerating”). All these are controlled by the document source, through some network of people who are responsible for a degree of document control but without the fullest authority for the bank notes.

Throughout the years, as ISO 9001-compliant Quality Management Systems have been implemented by thousands of organizations around the world, the associated documentation and controls often have created monsters that must be fed. You can spot the monsters very easily when you know what to look for, as they tend to make things much more difficult than necessary. Often, people avoid the controls altogether…

DOCUMENT NUMBERING
Quality management documents frequently bear arcane coding to distinguish the type of document and other parameters. Below is a common example:

0012009 AE 2022010 AC

Broken down part by part:

• The first block of digits is the Julian date: January 2009
• The next block with letters represents the quantity of documents created on that date
• The third block of digits is the date the document was modified: 2/02/2010
• The fourth block identifies the specific documents revised on that date

Pity the hapless user who tries to locate the “sales quote form” from a long list of similarly coded paperwork…

CONTROL OR UNCONTROL, THAT IS THE QUESTION
Organizations faced with compliance to ISO 9001 may have to consider a massive pile of “legacy” documents created in previous years of doing business, wondering, “Do we really have to follow all those controls on these old documents?”

When faced with the potential of codifying hundreds or even thousands of these legacy documents, especially if using the method shown earlier, it becomes obvious that a simpler control solution must be chosen. Some then decide, “Let’s make them uncontrolled!” After all, “control” is a bear. What could be easier than somehow identifying documents as “Uncontrolled – For Reference Only”? Therein lies the trap.

The bait in the trap is the phrase, “For Reference Only.” Think about it – why else would a document be used? Indeed, communities have places where books are stored for exactly that purpose – for reference (in a reference library). We trust that the reference books kept there are the correct version, the latest information and so on. But wait! If we then want to identify the same document as “Uncontrolled,” it’s now untrustworthy - unapproved, not the latest version, changed or something else.

It’s no wonder the people using the documentation of the Quality Management System get so confused when they’re tasked with such a mind-warping challenge! The real, simple answer can be found in your wallet!

Spinning Around with Records?

In another post, I related ISO 9001 documentation to both the Pyramids of Giza and currency. Now, let's turn our attention to what is referred to as “retained documented information,” or more commonly known as “Quality records.”

The international standard for Quality Management, ISO 9001:2015, references the term “retained documented information” no fewer than 24 times. In addition to these required areas, an organization may have extra records which are generated as a result of doing business and, therefore, included in Clause 4.4.2., Quality Management System (QMS) and Processes.

Despite its extensive presence throughout ISO 9001:2015, there’s long been some uncertainty regarding what exactly a documented record is. Many heads have spun trying to make this important distinction, with confusion stemming from a few clichés born out of earlier versions of ISO 9001:

• “Say-what-you-do, Do-what-you-say” – This saying caused people to create a lot of manuals, procedures and instructions that formally “recorded” what was happening in the organization, where no records previously existed. In the past, such a mantra may have been enough to pass a certification audit, but that’s not the purpose of using ISO 9001. Implementing a QMS to comply with the 2015 version requires much more than simply documenting what’s done today.
• “If it isn’t recorded, it didn’t happen” – This is partly true, however it misses the point. Records were required in all previous versions of ISO 9001, but it was only recently that the real purpose of keeping records – other than to pass an audit – was made clear. The generation and retention of records is key to determining the performance of the QMS; it requires an organization to define quality objectives while fulfilling the need for analysis and evaluation of data and information.

Documented information can be simplified as existing in two fundamental categories:

• Planning documentation, or documents created as an intention to do something, and
• Results documentation, or documents created to show that what was intended to happen actually happened

Most of us are familiar with both types of documentation. When we buy or lease a car, there’s often a sizeable package of documents that describe, in one form or another, information regarding the effective operation/ownership of that car. Included in this documentation is a schedule detailing the extent and frequency of the required preventive maintenance to support the driving experience. On each visit to the dealership, a comprehensive note with key data regarding the service(s) provided is taken by the dealer’s service writer, including:

• Customer information (address, phone number, signature, etc.)
• Car information (VIN #, make/model, mileage)
• Service to be performed (oil and filter change, tire rotation, etc.)

Upon completion, the service writer produces a copy of the original detailed notes, adding the details of what was done by the service technician, including:

• Technician information (name and license #)
• Work performed (oil grade and quantity, filter type)
• Measurements made (tire tread depth, brake pad thickness, tire pressures)
• Additional information (recommendations for additional work needed, campaign/warranty work needed, next service mileage)

These service records – normally maintained by the dealer on their computer network – provide useful information for the owner, dealership(s) and even future purchasers (in the event the vehicle is sold later) to effectively build confidence that the requirements have been satisfied. As an example, it’s rare to find a pre-owned car or truck for sale without a “CarFax” report – a detailed record of the life history of the vehicle.

Using Records to Improve the Business
Philosopher and writer George Santayana is credited with saying, “Those who do not learn history are doomed to repeat it.” Records contain invaluable information about the historical performance of the QMS. If an organization takes the time to evaluate this data, past mistakes can be avoided and cost benefits realized. After all, you wouldn’t take your car in for an oil change before it’s due!

For example, say an organization buys top-of-the-line torque wrenches and has them calibrated at an ISO/IEC 17025 accredited calibration laboratory every year at a cost of $110 each, which includes the usual data from the calibration activities. A review of the “as found” condition from more than five years’ worth of data shows there had been no real change in performance and no adjustments were necessary. Essentially, the records showed that the costly calibration was not needed every year. This could have added up to hundreds of savings on just one wrench alone.

Similarly, when one larger manufacturer analyzed the reasons for product rejections, they uncovered an estimated $8M savings in administrative costs alone, which were associated with processing non-conforming products. These savings likely never would have been identified without having detailed records in place.

Rather than simply maintaining documents just to pass an audit, consider dragging out those old records to get a look at the company’s past to find new opportunities for growth and stop repeating history, like a record spinning ‘round and ‘round…

“You spin me right round, baby
Right round like a record, baby
Right round round round
You spin me right round, baby
Right round like a record, baby
Right round round round”

-“You Spin Me Round (Like a Record)” by Dead or Alive

Is Your Quality Policy Exceeding Your Abilities?

Policies. Every day we are governed by them. They provide direction to us on a wide variety of issues at work: the way we dress, the way we act, who gets hired, when/where we can eat, drink and smoke, or which websites we can access on our computers. These policies often are expressed in simple terms for everyone to understand and implement. “No smoking.” “Mask required.” “No open-toed shoes.” We are all familiar with these.

According to Wikipedia, a policy is, “a deliberate system of principles to guide decisions and achieve rational outcomes.” Although this definition sounds straightforward, many organizations struggle when it comes to creating a relevant Quality Policy statement, as defined in ISO 9001 Section 5.2.1. This requires organizations to fulfill the following conditions in their policies:

“Top management shall establish, implement and maintain a policy that: 

1. Is appropriate to the purpose and context of the organization and supports its strategic direction
2. Provides a framework for setting quality objectives
3. Includes a commitment to satisfy applicable requirements
4. Includes a commitment to continual improvement of the quality management system”

Knowing this, why is it that things often go awry when trying to establish and maintain a Quality Policy? To better understand this phenomenon, let’s consider common wording found in most quality policies: “We strive to meet and exceed customers’ needs and expectations.”

DIGGING DEEPER INTO ‘THE NEED TO EXCEED’
At first glance, this phrase appears to be appropriate to include in a Quality Policy. However, when compared closely to the requirements listed above, this might not be so true. In considering the first item of the requirement, the policy to “meet and exceed” may not always be “appropriate to the purpose of the organization,” however laudable the intention. Imagine this situation:

A customer orders a burger and fries at a fast food drive-thru. In response, the cashier asks over the speaker, “Would you like a glass of Merlot with your burger?” Is this congruent with the customers’ needs and expectations? Or the organization’s strategic direction? Probably not. The customer needs and expects just what they ordered – nothing more, nothing less.

Wikipedia goes on to mention that policies can have unintended effects: “The policy formulation process theoretically includes an attempt to assess as many areas of potential policy impact as possible, to lessen the chances that a given policy will have unexpected or unintended consequences.” Applied to the above example of “meeting and exceeding customer needs and expectations” at the drive-thru, it is possible to see how there might be some unexpected and unintended consequences.

Depending on where your business sits in the supply chain, just doing what the customer asks is fine for many organizations. Of course, through the sales processes of quoting and order taking, customers might be advised what is (commercially) achievable from an organization, so that the third item from the ISO 9001 policy requirements is followed – “satisfying applicable requirements.” However, care should be taken not to over-commit to something the organization is unprepared to deliver. Here, it is best to follow the motto of, “Under promise, over deliver.”

HOW ‘SMART’ IS YOUR POLICY?
Once the policy is effectively written according to the requirements, how can we be sure it’s being successfully adopted? Many policies are readily observed, for example the ‘no smoking’ policy, the personal protective equipment policy, equal opportunity employment, etc. How is a Quality Policy demonstrated as being effectively implemented?

One way to measure this is to apply SMART objectives, which are Specific, Measurable, Attainable, Realistic and Time-Based, in accordance with the Quality Policy, such as the second requirement listed:

b) Provides a framework for setting quality objectives

If an organization has a Quality Policy that is truly aligned with the needs and expectations of the customer, the fundamental principles of “On Time, In Specification,” or OTIS, can be applied across various functions and processes of the organization:

• Sales – quotes are accurate (in spec.) and delivered to a customer on time
• Manufacturing - processes produce product (in spec.) on time
• Maintenance - keeping equipment running (in spec.) and performed on time
• Training - ensuring people are competent to do their jobs (in spec.) when they need it (on time)
• New Product Development - creating products (in spec.) released on time (time to market)
• Shipping – delivering the right product (in spec.) on time

These SMART objectives provide a method for tracking and measuring performance to determine how successful the application of the Quality Policy really is. Targets may be established, for example, for 93% on time, 98% first pass yield, etc., for precise goal tracking as well.

THE FINAL STEP: KEEP IMPROVING
Peter Drucker, noted management consultant and author, often is credited with the quote, “If you can’t measure it, you can’t improve it.” This leads to the final requirement of ISO 9001’s Quality Policy:

4. Includes a commitment to continual improvement of the quality management system

The established Quality Policy should drive the need for improvement. It has never been sufficient – in any sized business – to rest on the laurels of what brought success. There must be growth and improvement. Rarely are customers’ needs, let alone expectations, always met, so we should be driven to continuously analyze performance to look for ways to improve all business processes.

Got No Time For ISO 9001 Quality Systems? Maybe You Need a Time Machine!

“Ticking away the moments that make up a dull day…” go the lyrics of Pink Floyd’s song “Time,” taken from the seminal album The Dark Side of the Moon. This iconic work of progressive rock music reflects on the negative effects of performing mundane or routine actions and how time can control one’s life.

The meaning behind the song’s lyrics, while strongly applicable to everyday life, also is an apt description for the way certain clauses of ISO 9001:2015 are implemented. Often, requirements including Management Reviews, Internal Audits and Calibration of Measuring Equipment are planned according to a misperception that they must be conducted at certain intervals, generally throughout a calendar year. 

However, an examination of the relevant clauses reveals there is zero mention of when to implement the requirements, as seen below. 

7.1.6 Monitoring and measuring resources
“…calibrated…at specified intervals…”
9.2 Internal audit
“…conduct internal audits at planned intervals…”
“…an audit program(s) including the frequency…”
9.3 Management review
“…at planned intervals…”

Of course, there may be external influences that impact when these parts of the Quality Management System (QMS) are implemented. Your contract with a Certification Body, for example, might set additional guidelines requiring you to audit the whole QMS in one year. However, in my experience, when organizations choose to adopt a simple time-based approach to implementing these requirements, significant opportunities are lost and costs incurred which may have otherwise been avoided.

In one situation, a company bought the best (and most expensive) torque wrenches they could find, sending them to an ISO/IEC 17025 accredited lab for calibration every year thereafter. A quick review of calibration results obtained over the next five years revealed no appreciable change in the “as found” condition compared to the previous “as received” condition. So, why bother sending them out at all? Aside from an arbitrary schedule telling them a calibration was due, there was no reason or need to continue having them calibrated in this way. 

Consider another instance where, due to the frequency of use, a thread plug gauge was becoming worn out of specification in a matter of a few months. But, because the organization only checked equipment on an annual basis, the worn out gauge was in use for eight or nine months longer than it should have been, with potentially damaging results in that period.

A further example is when an organization chose to internally audit their management system according to a 12-month calendar. In July, most assembly workers left for vacation and were back-filled with seasonal workers for the first two weeks of the month. The impact on product quality was predictable – resulting in increased rejections, rework and delays. Did the internal auditors ever audit the training process to see if it was actually used during this time? No! Because the schedule arbitrarily directed them to only audit Product Identification (which had never been an issue) in that month. Clearly, despite the audits being completed according to plan, they were almost a waste in determining the cause of the problems in July.

Management Review is a key function of the QMS and, as such, should be employed as a means to examine business operations, identifying the status of plans, related performance and actions needed to keep the organization on track. This is particularly important when encountering situations that are, by their very nature, not what was planned to occur. Since these perturbations in business performance are rarely experienced at a predictable point, management’s review shouldn’t be done to simply satisfy a calendar. 

If any organization implementing an ISO 9001:2015 compliant QMS finds themselves doing mundane things simply “because ISO says so,” there’s a good chance management should revisit their understanding of these ISO 9001 requirements. Otherwise, they are at risk of becoming just like the rest of the song:

“Fritter and waste the hours in an offhand way. 
Kicking around on a piece of ground in your home town, 
Waiting for someone or something to show you the way…”

All Internal Audits Are Process-based? Er, No...

Since ISO 9001:2000, it’s become increasingly common to consider that an organization’s Internal Quality Audits be performed using the so-called “Process Approach”. At the time of publication, that particular version of the International Standard for Management Systems contained no description of what the process approach was. The recently introduced 2015 version makes the “Process Approach” a lot clearer by describing what is envisaged, in section 0.3 of the Introduction to the Standard – and how it applies to the quality management system development, implementation and improvement. Reading further, the text goes on to describe the Process Approach involving the “systematic definition and management of processes, and their interactions, so as to achieve the intended results.” There’s no mention of anything to do with conducting internal audits in any particular fashion.

Perhaps the Internal Audit requirements, found in clause 9.2, will reveal something…

This particular clause states that “the organization shall:

a)       Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the process concerned, changes affecting the organization, and the results of previous audits;”

Interestingly, even this statement, which deals with the actual planning and implementation of the internal audits, doesn’t require that those audits shall (or even should) be conducted using the “process approach”.  In basic terms, it simply states that the audit programme has to consider the importance of the (quality management system) process concerned. Nothing requires an actual audit of a process! So, why has the mantra of “Process-based Internal Audits” become so pervasive?

Maybe “mission creep” has occurred from the influence of the Certification Body auditors who were required to change their approach to one of auditing process(es), around the time ISO/TS 16949 was published. This era ushered in the use (by CB auditors) of the “turtle” diagram for audit planning, which has become wide spread throughout their client base, too.

Although not advocating against the internal audits of (only) processes, a risk-based approach to the considerations of what to audit and when can be very useful. Empirically, we know that risks occur in business and they don’t always occur within a process. Traditionally, risks are associated with something new and/or changed or activities affecting an organization:

·         Product designs & specifications

·         Sources of supply

·         Personnel

·         Technology

By reference to the diagram below, adapted from James Reason’s “Managing the Risks of Organizational Accidents”, (ISBN-10: 1840141050), it can be seen that risks occur throughout an Operation.

Clearly, the selection of a specific process may help when considering what part(s) of the management system to audit, however, further planning may reveal that it’s not always the whole process which should fall under the audit spotlight… It may be a relatively simple activity contained within the process; Perhaps a review of a requirement (customer order) and a subsequent change to that requirement may mean that a second review isn’t as robust. In such a case, auditing the entire process may be unnecessary in determining where the change “slipped through the cracks”. Experience also shows that it can be the interaction between processes where issues manifest themselves – at the interface of 2 (or more) processes.

It follows then, that without a clear, specific requirement to audit (only) processes, an organization is free to choose a specific audit “scope” and “criteria” if those define something within the quality management system which represents risk to effectiveness in achieving intended results. In addition to considering a process as the scope of an audit, the following may also be used:

A customer or regulatory requirement - which might be implemented in select parts over one or more process;

A physical area or location - a warehouse, for example

A specific requirement of ISO 9001 - if it is new or changed

A project: improvement, product design, new technology etc

A specific activity as part of a bigger process.

It's quite reasonable - if there's a clear justification - for choosing any focus for your internal audit programme. After all, ISO 9001 does say process MUST be audited and external auditors can't dictate requirements. Try it! You might just like it and find it useful!

WTH? A Useful Quality Manual?

One of the first things which comes to peoples’ minds when describing Quality Management Systems and “ISO 9000” is documentation, which often includes a Quality Manual. The background to Quality Management Systems started with (big) procurement organizations such as government agencies and Fortune 500 companies making Quality Systems a contractual requirement. Frequently, these requirements included the need for a document, which was often called a “Quality Manual”, a “Quality Plan” or similar. These were used, by a supplier, to describe the approach to be used to fulfil the contract requirements and assure the quality of the deliverables.

Today, a hall mark of ISO 9001 Quality Management Systems documentation is a Quality Manual – one has been a requirement of the International Standard since 1987. Manuals produced by many organizations emulate the format and content of the ISO 9001:2008 clauses (4 through 8) to the extent that the words “The organization shall” have simply been replaced by the name of the company! This often leads to documents which run into 25 or more pages, written in arcane terminology which has little relevance to the business of the organization. The result? People rarely read the document, it’s often only rubber stamped by auditors and it gathers dust on an office shelf somewhere…

Amazingly, the 2015 edition of ISO 9001 dropped the requirement for a quality manual – indeed any type of traditional quality documentation, such as procedures, work instructions etc -  leaving it up to the organization itself to determine what it needs, based on understanding customer, regulatory expectations and its own requirements for documentation.

Based on their experience with Quality Manuals, it might be tempting to an organization to discard theirs, after all, it only sees the light of day when the Registrar auditor is on site – and no-one else reads it!

But wait! Before that particular baby is discarded with the bath water, why is it that no-one reads the Quality Manual? Maybe it’s because it’s not helpful, uses arcane language and is formatted on an ISO document no-one has reason to read!

There’s a better model on which we can base our Quality Manual which might bring some help to users: The “Quick-Start Guide” you get with some items of house hold electrical equipment etc is a clue. These guides cover the basics of what the (new) user needs to know to get “up and running”. For more detailed descriptions, including navigating the complete set of functions, features and also for fault finding etc, reference can be made to the more comprehensive manual which is also included.

Will your upgrade to the 2015 ISO 9001 requirements be heralded by a new, useful Quality Manual “Quick Guide to the Quality System”?