Saturday, July 3, 2021


Welcome to the "ISO Myth Busters" Blog!

With over 30 years of Quality Management Systems experience, I enjoy sharing my knowledge with those who are seeking answers or a better way to implement ISO 9001 requirements. For too long, there have been myths and legends about how to implement a variety of requirements from the International Standard.

These myths and legends often come from the need to pass an ISO Certification audit and as a result, people get the wrong ideas about what implementing an ISO 9001-compliant Quality Management System is truly about.

In this blog, we'll cover such diverse issues as the myths surrounding document control, measuring equipment calibration, management review and internal auditing. We'll also take a look at the role of the Certification Body/Registrar and what to consider if you're looking for one to work with.

I hope you'll find the posts to be helpful. Let's make a start on busting the first myth:

ISO 9000 Means 'Say What You Do, Do What You Say'...

Coined in the early 1990s (by DuPont de Nemours, I believe), it's more accurate to say that this is what organizations did to pass an ISO 9000 Audit by a Certification Body/Registrar. Indeed, experience shows organizations created mounds of bureaucratic paperwork - creating a monster which is still being fed today!

Passing an audit should be about an organization demonstrating that its business processes are defined and, more importantly, in control such that the outcomes meet the "specified requirements" (ISO-speak for what was agreed to, or mandated by regulations).

I hope this initial blog entry has shown "where I'm coming from" on the subject of ISO 9001 implementation and Quality Management Systems. Keep an eye open for more posts with a different twist on ISO Myths.


Thursday, July 1, 2021

Document Control? Follow the Money!

Previous versions of ISO 9001 detailed the need for a Quality Manual, documented procedures and, at the process-control level, work instructions. It may be noted that these types of documents are no longer prescribed by the international standard, ISO 9001:2015. Now, it is left to the organization to decide what is needed based on an understanding of multiple factors.

This lack of prescription is a major departure from previous ISO 9001 versions. However, once an organization has determined specific documentation is useful, that documentation must still be controlled to an extent. The need for control is something that hasn’t (substantially) changed since ISO 9001 was first released in 1987. Yes, the requirements for controlling documentation are now defined in a clause entitled, “7.5 Documented Information,” but the details of what constitutes the control of documentation are very similar to earlier editions.

The actual requirements for the control of documented information are found in subclause 7.5.3, which defines what “control” should ensure:

  • Availability and suitability for use, where and when it’s needed
  • Adequate protection (e.g. from loss of confidentiality, improper use or loss of integrity)

Furthermore, the clause goes on to require the following activities to be considered:

  • Distribution, access, retrieval and use
  • Storage and preservation
  • Control of changes
  • Retention and disposition

There’s nothing on the level of rocket science here, yet a review of ISO Certification data shows this is a “target-rich environment” for (external) audit findings. Could it be that the controls an organization implements are too rigid? Have we complicated this simple concept?

If we stop to think about the basics of controlling documents, we need look no further than the bank notes in our wallets, purses, pockets and under the mattress! These are controlled documents that comply (through minting and banking processes) with the activities and requirements previously listed: They are available, protected (from counterfeiting), distributed and change-controlled (with obsolete versions of bank notes being dispositioned as “destroy by incinerating”). All these are controlled by the document source, through some network of people who are responsible for a degree of document control but without the fullest authority for the bank notes.

Throughout the years, as ISO 9001-compliant Quality Management Systems have been implemented by thousands of organizations around the world, the associated documentation and controls often have created monsters that must be fed. You can spot the monsters very easily when you know what to look for, as they tend to make things much more difficult than necessary. Often, people avoid the controls altogether…

Quality management documents frequently bear arcane coding to distinguish the type of document and other parameters. Below is a common example:

0012009 AE 2022010 AC

Broken down part by part:

  • The first block of digits is the Julian date: January 2009
  • The next block with letters represents the quantity of documents created on that date
  • The third block of digits is the date the document was modified: 2/02/2010
  • The fourth block identifies the specific documents revised on that date

Pity the hapless user who tries to locate the “sales quote form” from a long list of similarly coded paperwork…

Organizations faced with compliance to ISO 9001 may have to consider a massive pile of “legacy” documents created in previous years of doing business, wondering, “Do we really have to follow all those controls on these old documents?”

When faced with the potential of codifying hundreds or even thousands of these legacy documents, especially if using the method shown earlier, it becomes obvious that a simpler control solution must be chosen. Some then decide, “Let’s make them uncontrolled!” After all, “control” is a bear. What could be easier than somehow identifying documents as “Uncontrolled – For Reference Only”? Therein lies the trap.

The bait in the trap is the phrase, “For Reference Only.” Think about it – why else would a document be used? Indeed, communities have places where books are stored for exactly that purpose – for reference (in a reference library). We trust that the reference books kept there are the correct version, the latest information and so on. But wait! If we then want to identify the same document as “Uncontrolled,” it’s now untrustworthy - unapproved, not the latest version, changed or something else.

It’s no wonder the people using the documentation of the Quality Management System get so confused when they’re tasked with such a mind-warping challenge! The real, simple answer can be found in your wallet!

Spinning Around with Records?

In another post, I related ISO 9001 documentation to both the Pyramids of Giza and currency. Now, let's turn our attention to what is referred to as “retained documented information,” or more commonly known as “Quality records.”

The international standard for Quality Management, ISO 9001:2015, references the term “retained documented information” no fewer than 24 times. In addition to these required areas, an organization may have extra records which are generated as a result of doing business and are, therefore, included in Clause 4.4.2, Quality Management System (QMS) and Processes.

Despite its extensive presence throughout ISO 9001:2015, there’s long been some uncertainty regarding what exactly a documented record is. Many heads have spun trying to make this important distinction, with confusion stemming from a few clichés born out of earlier versions of ISO 9001:

  • “Say-what-you-do, Do-what-you-say” – This saying caused people to create a lot of manuals, procedures and instructions that formally “recorded” what was happening in the organization, where no records previously existed. In the past, such a mantra may have been enough to pass a certification audit, but that’s not the purpose of using ISO 9001. Implementing a QMS to comply with the 2015 version requires much more than simply documenting what’s done today.
  • “If it isn’t recorded, it didn’t happen” – This is partly true; however, it misses the point. Records were required in all previous versions of ISO 9001, but it was only recently that the real purpose of keeping records – other than to pass an audit – was made clear. The generation and retention of records is key to determining the performance of the QMS; it requires an organization to define quality objectives while fulfilling the need for analysis and evaluation of data and information.

Documented information can be simplified as existing in two fundamental categories:

  • Planning documentation, or documents created as an intention to do something, and
  • Results documentation, or documents created to show that what was intended to happen actually happened

Most of us are familiar with both types of documentation. When we buy or lease a car, there’s often a sizeable package of documents that describe, in one form or another, information regarding the effective operation/ownership of that car. Included in this documentation is a schedule detailing the extent and frequency of the required preventive maintenance to support the driving experience. On each visit to the dealership, a comprehensive note with key data regarding the service(s) provided is taken by the dealer’s service writer, including:

  • Customer information (address, phone number, signature, etc.)
  • Car information (VIN #, make/model, mileage)
  • Service to be performed (oil and filter change, tire rotation, etc.)

Upon completion, the service writer produces a copy of the original detailed notes, adding the details of what was done by the service technician, including:

  • Technician information (name and license #)
  • Work performed (oil grade and quantity, filter type)
  • Measurements made (tire tread depth, brake pad thickness, tire pressures)
  • Additional information (recommendations for additional work needed, campaign/warranty work needed, next service mileage)

These service records – normally maintained by the dealer on their computer network – provide useful information for the owner, dealership(s) and even future purchasers (in the event the vehicle is sold later) to effectively build confidence that the requirements have been satisfied. As an example, it’s rare to find a pre-owned car or truck for sale without a “CarFax” report – a detailed record of the life history of the vehicle.

Using Records to Improve the Business

Philosopher and writer George Santayana is credited with saying, “Those who do not learn history are doomed to repeat it.” Records contain invaluable information about the historical performance of the QMS. If an organization takes the time to evaluate this data, past mistakes can be avoided and cost benefits realized. After all, you wouldn’t take your car in for an oil change before it’s due!

For example, say an organization buys top-of-the-line torque wrenches and has them calibrated at an ISO/IEC 17025 accredited calibration laboratory every year at a cost of $110 each, which includes the usual data from the calibration activities. A review of the “as found” condition from more than five years’ worth of data shows there had been no real change in performance and no adjustments were necessary. Essentially, the records showed that the costly calibration was not needed every year. This could have added up to hundreds of dollars in savings on just one wrench alone.

Similarly, when one larger manufacturer analyzed the reasons for product rejections, they uncovered an estimated $8M savings in administrative costs alone, which were associated with processing non-conforming products. These savings likely never would have been identified without having detailed records in place.

Rather than simply maintaining documents just to pass an audit, consider dragging out those old records to get a look at the company’s past to find new opportunities for growth and stop repeating history, like a record spinning ‘round and ‘round…

“You spin me right round, baby
Right round like a record, baby
Right round round round
You spin me right round, baby
Right round like a record, baby
Right round round round”

-“You Spin Me Round (Like a Record)” by Dead or Alive

Is Your Quality Policy Exceeding Your Abilities?

Policies. Every day we are governed by them. They provide direction to us on a wide variety of issues at work: the way we dress, the way we act, who gets hired, when/where we can eat, drink and smoke, or which websites we can access on our computers. These policies often are expressed in simple terms for everyone to understand and implement. “No smoking.” “Mask required.” “No open-toed shoes.” We are all familiar with these.

According to Wikipedia, a policy is, “a deliberate system of principles to guide decisions and achieve rational outcomes.” Although this definition sounds straightforward, many organizations struggle when it comes to creating a relevant Quality Policy statement, as defined in ISO 9001 Section 5.2.1. This requires organizations to fulfill the following conditions in their policies:

“Top management shall establish, implement and maintain a policy that:

  a) Is appropriate to the purpose and context of the organization and supports its strategic direction
  b) Provides a framework for setting quality objectives
  c) Includes a commitment to satisfy applicable requirements
  d) Includes a commitment to continual improvement of the quality management system”

Knowing this, why is it that things often go awry when trying to establish and maintain a Quality Policy? To better understand this phenomenon, let’s consider common wording found in most quality policies: “We strive to meet and exceed customers’ needs and expectations.”

At first glance, this phrase appears to be appropriate to include in a Quality Policy. However, when compared closely to the requirements listed above, this might not be so true. In considering the first item of the requirement, the policy to “meet and exceed” may not always be “appropriate to the purpose of the organization,” however laudable the intention. Imagine this situation:

A customer orders a burger and fries at a fast food drive-thru. In response, the cashier asks over the speaker, “Would you like a glass of Merlot with your burger?” Is this congruent with the customers’ needs and expectations? Or the organization’s strategic direction? Probably not. The customer needs and expects just what they ordered – nothing more, nothing less.

Wikipedia goes on to mention that policies can have unintended effects: “The policy formulation process theoretically includes an attempt to assess as many areas of potential policy impact as possible, to lessen the chances that a given policy will have unexpected or unintended consequences.” Applied to the above example of “meeting and exceeding customer needs and expectations” at the drive-thru, it is possible to see how there might be some unexpected and unintended consequences.

Depending on where your business sits in the supply chain, just doing what the customer asks is fine for many organizations. Of course, through the sales processes of quoting and order taking, customers might be advised what is (commercially) achievable from an organization, so that the third item from the ISO 9001 policy requirements is followed – “satisfying applicable requirements.” However, care should be taken not to over-commit to something the organization is unprepared to deliver. Here, it is best to follow the motto of, “Under promise, over deliver.”

Once the policy is effectively written according to the requirements, how can we be sure it’s being successfully adopted? Many policies are readily observed, for example the ‘no smoking’ policy, the personal protective equipment policy, equal opportunity employment, etc. How is a Quality Policy demonstrated as being effectively implemented?

One way to measure this is to apply SMART objectives, which are Specific, Measurable, Attainable, Realistic and Time-Based, in accordance with the Quality Policy, such as the second requirement listed:

b) Provides a framework for setting quality objectives

If an organization has a Quality Policy that is truly aligned with the needs and expectations of the customer, the fundamental principles of “On Time, In Specification,” or OTIS, can be applied across various functions and processes of the organization:

  • Sales – quotes are accurate (in spec.) and delivered to a customer on time
  • Manufacturing – processes produce product (in spec.) on time
  • Maintenance – keeping equipment running (in spec.) and performed on time
  • Training – ensuring people are competent to do their jobs (in spec.) when they need it (on time)
  • New Product Development – creating products (in spec.) released on time (time to market)
  • Shipping – delivering the right product (in spec.) on time

These SMART objectives provide a method for tracking and measuring performance to determine how successful the application of the Quality Policy really is. Targets may be established, for example, for 93% on time, 98% first pass yield, etc., for precise goal tracking as well.

Peter Drucker, noted management consultant and author, often is credited with the quote, “If you can’t measure it, you can’t improve it.” This leads to the final requirement of ISO 9001’s Quality Policy:

d) Includes a commitment to continual improvement of the quality management system

The established Quality Policy should drive the need for improvement. It has never been sufficient – in any sized business – to rest on the laurels of what brought success. There must be growth and improvement. Rarely are customers’ needs, let alone expectations, always met, so we should be driven to continuously analyze performance to look for ways to improve all business processes.

