appendix ix 000o9 s i

IX-i

APPENDIX IX

ISO 9000

Table of Contents

IX.1 Introduction to International Standards Association

IX.1.1 What Prompted the Setting up of ISO 9000 Quality Standards?

IX.1.2 What Is ISO 9000?

IX.1.3 What Is Quality?

IX.1.4 What Activities Are the ISO 9000 Standards Concerned With?

IX.1.5 How Are Standards Achieved?

IX.1.6 Are ISO 9000 Standards Compulsory?

IX.2 The ISO 9000 Series

IX.2.1 Basic Functions of the ISO 9000 Standards

IX.2.2 Development of ISO 9000 Standards

IX.2.3 International Standards Adopted as National Standards

IX.2.4 Why Has ISO 9000 Become So Important?

IX.2.5 Industries

IX.3 The ISO 14000 Series

IX.4 The ISO 9000 Registration Process

IX.4.1 What Is ISO 9000 Registration?

IX.4.2 Why Should a Company Consider Registering for ISO 9000?

IX.4.3 What Exactly Does a Company Have to Register?

IX.4.4 Management of the Business

IX.4.5 Important Criteria for Certification

IX.5 Starting the Process of ISO 9000 Certification

IX.5.1 Steps in the ISO 9000 Application Process

IX.5.2 Management Reviews

IX-ii

Canadian Corporate Finance Manual

IX.6 Selecting a Registrar

IX.6.1 Beware of Conflict of Interest

IX.6.2 Costs of Registration

IX.7 Importance of Documentation

IX.7.1 What Should Be Documented?

IX.7.2 Why are Quality Documents and Quality Records Important?

IX.7.3 Defining the Quality Manual, Quality Documents and Records

IX.7.4 Quality Documents and Records List

IX.7.5 Content of the Quality Manual

IX.7.6 Quality Procedures

IX.7.7 Purposes of the Production Quality Plans

IX.7.8 Content of Project Quality Plans

IX.7.9 Design Control

IX.7.10 Problems That Are Most Often Reported

IX.7.11 Regular Revisions for ISO 9000 Standards

IX.7.12 Effect of ISO 9000 on an Existing Quality System

IX.7.13 Benefits of Implementing ISO 9000 Standards

IX.7.14 What Will It Be Worth?

IX.7.15 Effect of ISO 9000 on Customers

IX.7.16 Can ISO 9000 Provide a Competitive Edge?

IX.7.17 Save Money with ISO 9000

IX.8 Sources of Information

IX.9 Financing of ISO 9000 Registration

IX.9.1 Business Development Bank of Canada Consulting Group

IX-1

APPENDIX IX

ISO 9000

IX.1 Introduction to International Standards AssociationThis section provides an overview of the ISO 9000 quality standard; it is not intended as a step- by-step process that could be used to achieve one of the ISO 9000 designations. More detailed procedures are required.

In order to compete in the new global economy, companies must become truly world class. The criterion for world-class stature is quality in products and services, practices and proce-dures. This quality must be maintainable and a company has to be able to prove it through adequate documentation. Quality can be a competitive weapon and is being used by a grow-ing number of companies to achieve a competitive edge. Therefore, more and more busi-nesses are moving to ISO 9000 certification. The best companies are starting to insist on it from suppliers and for themselves. Typically, companies that wish to do business in Europe or Japan must have ISO 9000 certification.

IX.1.1 What Prompted the Setting up of ISO 9000 Quality Standards?In the past, a company had to go through a costly and time-consuming procedure every time it had to justify its quality procedures to a specific customer to obtain an order. This was particularly difficult when dealing with foreign customers. Businesses, therefore, recog-nized the need for a common set of universally accepted quality standards.

To meet this requirement, in early 1980 the International Organization for Standardization (ISO), located in Geneva and established in 1947, set up international technical committees. These committees finalized their proposals in 1987 and today they form the nucleus of the ISO 9000 quality management and assurance series.

IX.1.2 What Is ISO 9000?ISO 9000 is a set of international standards for both quality management and quality assurance that has been adopted by almost 150 countries worldwide. These standards set the basic tenants for quality systems, from concept to implementation, whatever the product or service. They are applicable to manufacturing a product or delivering a service. They should ensure that a supplier has the capability to produce the required goods or services to customer expectations.

The actual family of ISO 9000 standards is quite large but the major documents are as follows:• ISO 9000: Quality management systems — Fundamentals and vocabulary• ISO 9001: Quality management systems — Requirements• ISO 9004: Quality management systems — Guidelines for performance improvements

IX-2


In addition to these, a number of industry-specific interpretations have emerged, most notably ISO 16949 (automotive) and ISO 13485 (medical devices).

It should be noted, however, that ISO 9000 describes how to go about making sure that a given supplier has the capability of meeting these specific standards and delivering a good quality product or service. It does not guarantee that this supplier really delivers a product adequate for a precise purpose. It is a certification based on a company’s quality processes. It is not a product certification but a quality system standard.

Quality must relate to a standard specification. Requirements for a chemical product or process differ widely from those for a refrigerator or for the services of a hotel, a bank or an airline company. The end product must be taken into consideration in ISO 9000 assess-ments but it may, nevertheless, still be necessary to review the product separately for its functionality in a given environment. Specific separate product or service standards may, therefore, be required for testing the final product.

A distinction must, therefore, be made between assessing a company’s ISO 9000-based quality system and standards, and certifying the final product itself.

Certification or registration can cover a specific location or facility, or several sites or facili-ties of a company that are audited simultaneously but not necessarily an entire company. Registration of a particular plant is usually good for three years. Audit costs range from $10,000 to $30,000, but could be higher depending on size and scope of the audit.

IX.1.3 What Is Quality?Quality in industrial production has been considered to be the ability to meet all the expec-tations of the purchaser of goods or services. A more technical definition is in the Interna-tional Standard ISO 8402 (Quality — vocabulary):

The totality of features and characteristics of a product or service that bear on its abil-ity to satisfy stated or implied needs.

IX.1.4 What Activities Are the ISO 9000 Standards Concerned With?The primary standard deals with quality in manufacturing systems. Subsidiary standards provide guidelines relating to service industry systems and specialized systems, such as software development.

Guidelines are even prepared for auditing procedures and proficiency of auditors.

IX.1.5 How Are Standards Achieved?The ISO 9000 series standards list the basic rules governing quality systems. A quality system is comprised of a series of checks and balances that will ensure quality products or services. ISO 9000 identifies 20 requirements that affect quality.

How a quality system is implemented must be specifically designed for the actual produc-tion for which a registration is sought. For instance, ISO 9000 rules state, irrespective of the product manufactured, that testing equipment must be regularly calibrated. This is the gen-eral rule. When a company is assessed to determine whether it meets ISO 9000 standards for a given final product, it is not enough to just confirm that testing equipment is regularly calibrated and how. It is also necessary to review what testing equipment is used, whether

IX-3

APPENDIX IX | ISO 9000

it is appropriate for this product, what calibration procedure is being used for the product, etc. This is why it is necessary for ISO 9000 assessment teams to include personnel who are familiar with a particular business or product line.

IX.1.6 Are ISO 9000 Standards Compulsory?Companies that wish to use ISO 9000 certified systems do so on a voluntary basis. Nobody is compelled to use the ISO 9000 standards unless the designation is a prerequisite to do business with governments and other companies. This type of demand is growing world-wide at an increasing rate.

The ISO 9000 standards are not necessarily a goal by themselves. They could be looked at as a first step in the direction of the ultimate total quality concept prevailing in certain countries.

The ISO 9000 standards apply to all types of organizations, large and small, and in many industries.

The ISO 9000 standards require the following:• a standard language for documenting quality practices• a system to track and manage evidence that these practices are instituted throughout

the organization• a third-party auditing model to review, certify and maintain certification of

organizations

IX.2 The ISO 9000 SeriesThe ISO 9000 series classifies products into generic categories: hardware, software, pro-cessed materials and services. The standards are published in a series of five publications, each covering a specific area:

1. ISO 9000Explains the fundamental quality concepts and provides guidelines for the selection and application of each standard. ISO 9000 elaborates on the general philosophy of quality systems standards, their characteristics, the existing types, where and when they are best used, and describes what elements quality assurance models should incor-porate. It also deals with demonstration and documentation requirements, pre-contract assessment and contract preparation.

2. ISO 9001Covers quality assurance for companies involved in all of the following steps for pro-ducing a product or service: design, development, production, installation and servic-ing. ISO 9001 is the superset of the contractual models for quality systems. It contains 20 quality system elements, each of which specifies requirements for a component of the quality system.

ISO 9001 requires the development of a quality manual and documented procedures which define the organization and operation of the quality system. It is the responsi-bility of a company to create and maintain these documents so that they are relevant to the specific business operation. It applies specifically to manufacturing companies where the company designs, installs and services its own products.

IX-4


3. ISO 9002ISO 9002 is limited to quality management in production and installation of manufac-turing systems. ISO 9002 is almost word-for-word equivalent to ISO 9001 except that it does not include requirements for design control. It contains 19 elements or require-ments (i.e., there is no requirement for design control).

ISO 9002 requires the development of a quality manual and documented procedures which define the organization and operation of the quality system. It is the responsibil-ity of a company to create and maintain these documents so that they are relevant to the specific business operation.

This standard is often used by contractors and service industries, such as banks, hotels, restaurants and hospitals.

4. ISO 9003ISO 9003 covers quality assurance in the areas of final inspection and testing. This is the designation for quality systems which do not include design or production. ISO 9003 contains about half of the requirements of ISO 9001, (12 elements instead of 20) and modifies some of the requirements specifically to suit the inspection and final test application.

Again, ISO 9003 requires the development of a quality manual and documented proce-dures which define the organization and operation of the quality system. It is also the responsibility of a company to create and maintain these documents so that they are relevant to the specific business operation.

5. ISO 9004ISO 9004 provides the guidelines for the applications of standards in quality management and quality systems. It is the basic element in the building-up process of a quality system suited to specific situations. It is the tool for internal quality management purposes.

A chemical company may, for example, decide to put in place a 9000 quality system. To do this, it will look through all the elements in ISO 9004 and decide which ones it will retain and which ones it can do without. The company must ensure that it takes everything it needs for incorporation into its own quality management specifications. Another chemical company that goes through the same process will, in all likelihood, come to about the same choice. A computer manufacturer will come up with a differ-ent list, as will a parts manufacturer or a hotel. There is usually a minimal list of topics which must be part of any system to deserve the quality label.

Topics covered in ISO 9004 cover 20 different detailed chapters, including the following:a. risks, cost and benefitsb. management responsibilityc. quality system principles, system documentation and auditingd. economicse. quality in marketing, quality in specification and designf. quality in procurement, quality in productiong. control production, product verificationh. control of measuring and test equipmenti. nonconformity, corrective action

IX-5


j. handling and post-production actionk. quality documentation and recordsl. personnelm. product safety and liabilityn. statistical methods

From the above, it should be obvious that the ISO 9000 and ISO 9004 are guidance standards. They describe what is necessary to accomplish the requirements outlined in standards 9001, 9002 or 9003. Therefore, ISO 9001 is the superset standard, with ISO 9002 and ISO 9003 being progressively smaller subsets of that standard. Organizations choose the standard under which they want to register based on their structure, their products or services, and their specific function.

Documentation is at the core of ISO 9000 conformance. In fact, the standards have been described as: “Say what you do. Do what you say. Write it down.”

The ISO 9000 standard itself is clear on the importance of document management. Section 4.5 of ISO 9001 states the following:

Your organization shall control all your quality systems documents to assure availability of documented information to those who require it.

IX.2.1 Basic Functions of the ISO 9000 StandardsThe ISO 9000 standards define “quality” in manner and terms that have been recognized and accepted worldwide. The ISO 9000 standards are broad enough to cover many differ-ent kinds of quality in many different industries, yet they can be used to achieve some very specific definitions.

The ISO 9000 series was developed for contractual business relationships when a supplier and its customer are based in different countries. The goal is to increase customer confi-dence in the quality system used by their suppliers.

The standards are designed to:• establish consistent language and terminology• provide baseline quality practices that are accepted internationally• reduce the need for costly on-site supplier assessments

IX.2.2 Development of ISO 9000 StandardsThe International Standards Organization in Geneva, Switzerland, was founded in 1946 to develop a common set of standards in manufacturing, trade and communications. It is composed of the national standards institutes and organizations of 97 countries worldwide. The ISO publishes thousands of standards but the ISO 9000 series is having a major impact on international trade. First published in 1987, the standards have been rapidly adopted by organizations in Europe, Asia and North America. The standards have been endorsed by the American Society for Quality (ASQ), the European Standards Institutes and the Japa-nese Industrial Standards Committee.

In the U.S., the ASQ runs the Registrar Accreditation Board (RAB), which is accountable to ISO in the context of certification. The RAB has recognized over 40 certification bodies that have trained certified auditors.

IX-6


IX.2.3 International Standards Adopted as National StandardsEach country participating as a member body in the ISO 9000 Standardization Program brings the ISO 9000 Standards Series back to its respective country and has these standards translated into its native language. After acceptance of these standards for national use, an identification number is issued, suitable and unique to the country and its standards system. For example, in Malaysia, the ISO 9000 Standards Series was adopted and is identified as MSISO 9000 1/2/3/4 Standards Series and in Canada as Q 9000 Standards Series. Currently, more than 100 countries have adapted the standards and have assigned their unique identi-fication number to standards. In addition to the full text of the ISO 9000 series, the Q 9000 series contains supplements taken from the original Canadian Standards Association (CSA) quality management series, the Z 299 series.

IX.2.4 Why Has ISO 9000 Become So Important?More and more companies, both domestically and internationally, are requiring that sup-pliers conform to the ISO 9000 standards. Now that there is one internationally accepted standard of quality, a way to determine and measure that quality, and a way to prove it, companies should not wait to consider certification.

Many suppliers are also demanding that their subcontractors and subsuppliers comply with the ISO 9000 quality standards so that they can also claim compliance to their custom-ers. This reinforcement gives customers a common identity of quality and gives suppliers a means by which to judge the likely quality of a subcontractor. Manufacturers are, there-fore, gearing up for conformance to remain competitive and to distinguish themselves from competing suppliers. Some companies believe that certification can lead to dramatic increases in productivity and reduced costs.

Many companies are also implementing ISO 9000 programs as a foundation for total qual-ity management (TQM) programs.

IX.2.5 IndustriesIt is difficult to name an industry that will not be affected. Virtually every manufacturing company should be aware that the ISO 9000 standards will impact on the companies they sell to and to their suppliers. Any industry that is regulated can expect to have to conform to ISO 9000 standards in the near future.

The European Economic Community (EEC) is continuing to identify certain sectors of manufactured goods that will be regulated to conform to ISO 9000. Some commodities are already under the EEC requirement to conform to ISO 9000 standards. These include:• medical devices• telecommunications equipment• industrial safety equipment• industrial laboratory equipment• commercial scales• gas appliances

This means that manufacturers of these commodities must be compliant in order to sell these commodities into the EEC. And to this list, add the following:• any company that does business internationally or uses international suppliers• any company that does business in regulated industries or to governmental agencies• any company that cares about improving its quality systems and is instituting TQM

IX-7


Companies worldwide are using ISO 9000 registration as a means to differentiate quality companies from those which have elected not to pursue or have postponed the registration process. As of December 31, 2012, there are approximately 1.2 million companies worldwide which are registered and compliant with ISO 9000 standards.

Therefore, whether through government regulation or voluntary choice of individual indus-tries, ISO 9000 compliance is a requirement for doing business in an increasing number of markets.

Top 10 Countries for ISO 9000 Certification — 2010

Rank Country No. of certificates

1 China 297,037

2 Italy 138,892

3 Russian Federation 62,265

4 Spain 59,854

5 Japan 59,287

6 Germany 50,583

7 United Kingdom 44,849

8 India 33,250

9 United States 25,101

10 Korea 24,778

IX.3 The ISO 14000 SeriesWhereas the ISO 9000 series was focused on quality management and quality assurance, the ISO 14000 series is focused on environmental matters.

These environmental standards reflect global consensus on good environmental practice in the international context that can be applied pragmatically by organizations all over the world in their particular situation.

The ISO 14000 series takes a two-pronged approach to meeting the needs of stakeholders. First, it offers a wide-ranging portfolio of standards for sampling and test methods to deal with specific environmental challenges. Second, it has developed standards that help organi-zations to take a more proactive approach to managing environmental issues.

IX.4 The ISO 9000 Registration Process

IX.4.1 What Is ISO 9000 Registration?Registration or certification is acquired after an assessment of a company’s quality system by an independent third party. This third party is referred to as a quality system registrar. An on-site audit by a team from the registrar is required to become registered. The purpose of the visit is to evaluate the facility’s compliance with the ISO 9000 series standard. If the

IX-8


organization’s quality system conforms to the registrar’s interpretation of the standard, the company is then registered or certified to any one of the ISO 9000 standards, depending on the type and scope of its business.

An organization chooses the standard based on its operational and business practices. For example, ISO 9001 is selected by organizations that have design, manufacturing and/or test-ing functions located in one facility. ISO 9002 is used by a facility that manufactures, tests and distributes a product but the design function is provided by outside organizations. It is the quality system used to produce the organization’s product, not the product itself, that is registered.

Interpretation of what is required to conform to the standards usually varies from regis-trar to registrar. The registrar also cannot tell the organization how to set up systems to conform or even what systems are needed. It is ultimately a decision made by members of the ISO 9000 team within the organization to decide how they should best approach and attempt to qualify to the ISO 9000 standards.

IX.4.2 Why Should a Company Consider Registering for ISO 9000?The reason that a company should consider registering for ISO 9000 can be summed up in one word — customers. More than just a quality standard, ISO 9000 has become a competi-tive advantage. In many countries, ISO 9000 compliance is a must for organizations that sell to buyers of industrial products. In the U.S. and Canada, it is becoming increasingly important to manufacturers across all industries.

Companies which have achieved ISO 9000 certification enjoy a significant advantage in satisfying their customers and gaining new ones. It also helps maintain approved vendor status, as the trend is to reduce the number of suppliers.

When an organization has achieved ISO 9000 certification, it means that it has a docu-mented quality system which is being followed by personnel and maintained as an integral part of its policies, procedures and practices.

A U.K. study of certified companies that was reported in the Quality Systems Update, revealed that ISO 9000 certification had also brought unexpected benefits, such as greater operational efficiency, increased profitability, savings in administrative costs and improve-ments in marketing and sales activity.

IX.4.3 What Exactly Does a Company Have to Register?ISO 9000 standards specify that “it is the quality system used to produce a product, not the product itself, that is registered.” Individual product lines can be separately registered, or a single site, or even a division with multiple sites. If these sites all conform to the ISO 9000 standards and they can be audited simultaneously, they may be covered under one registration.

There is no need to register it all at once, however. By registering logical groupings individ-ually, an organization can learn from each audit process and transfer that knowledge and experience base to each subsequent grouping.

IX-9


IX.4.4 Management of the BusinessISO 9000 standards don’t tell you how to run your business. They only define the critical documented elements that must be taken into consideration to produce a quality product.

IX.4.5 Important Criteria for CertificationISO 9001 is the broadest standard because it is designed for companies that perform the entire product life cycle — from design to manufacturing, from testing and training to delivery and service.

The ISO 9002 is a subset of the ISO 9001 standard and is appropriate for organizations that do not perform product design functions.

ISO 9003 is the standard with the fewest requirements and relates primarily to distribution and warehousing functions.

IX.5 Starting the Process of ISO 9000 CertificationEven though management may recognize and endorse the important benefits of ISO 9000 registration, it may take some time to achieve registration. Depending on the size of the organization and its goals, the entire process can take from several months to two years.

Management should take a project management approach to ISO 9000 certification. The following steps are essential to those companies which succeed:

• Select one senior manager to head the ISO 9000 planning team. The individual could be the company president, chief information officer, chief financial officer or the vice-president of quality, manufacturing or engineering.

• Staff the ISO 9000 planning team with members from cross-functional groups. Give them the responsibility and authority for selecting a registrar, evaluating document management systems, setting goals and objectives and weighing the benefits of using consulting services. Commitment to ISO 9000 registration requires cross-functional groups, teamwork, communication, education and training as well as in-depth plan-ning. An electronic system that can integrate information from existing applications, such as word-processing, spreadsheet, MRP, CAD, scanning and email systems, means team members can access a cohesive set of tools to help plan, design, implement, con-trol, analyze and maintain an ISO 9000-compliant quality system.

• Keep the project moving by ensuring that the ISO 9000 team has all the tools and authority it needs to manage and fund the process effectively. Ensure that there are open lines of communication between senior management and the team by establishing a formal method of communication, either by regular memos and/or regular meetings. In most cases, it will be necessary to work closely with suppliers and develop close ties with ISO 9000 consultants and the registrar. It may even be necessary to form strategic partnerships with document management experts.

• Management must define the objectives and policies for commitment to quality. Man-agement must ensure that these objectives and policies are understood, implemented and maintained at all levels in the organization. A training course explaining the com-pany’s overall quality objectives and policies should be given to all those in a position to implement the process.

IX-10


• The company’s quality management objectives should include the commitment to provide quality products and services (focus on the customers’ needs and requirement) and to achieve customers’ satisfaction with an improvement in efficiency. The quality policy may include quantifiable objectives (e.g., to reduce rework from 10% to 5%).

• When the quality management objectives and policies have been established, they must be documented and signed by the chairman or the chief executive officer of the company. They should then be included in the quality manual and made available for internal and external use.

• Management must define the responsibility and authority of all personnel who manage, perform and verify work affecting quality. This is particularly significant for personnel who need the authority to:

— initiate action to prevent product non-conformity — identify and record product quality problems — initiate, recommend and provide solutions — verify the implementation of solutions — control further processing delivery or installation of non-conforming product

until the deficiency or unsatisfactory condition has been corrected

IX.5.1 Steps in the ISO 9000 Application ProcessAfter the ISO planning team has been selected, there are eight basic steps to every registra-tion process:

1. Select a registrarEnsure that the registrar you select has experience in auditing and certifying compa-nies in your industry. (See Section IX.6 of this chapter.)

2. Application for registrationAfter the registrar has been selected, you will have to complete the registrar’s appli-cation for certification. The application process will include contractual conditions between the organization and the registrar, fees, confidentiality and liability issues. It will also detail the scope, standard selection, company business description and the time period for registration.

3. Initial document reviewThe quality manual, prepared by management, is provided to the registrar early in the process to provide an overview of the quality systems currently in place. The quality manual is the mission statement of the organization’s quality system and should be broken down into the corresponding ISO 9000 elements of the selected standard. The planning team must evaluate existing quality procedures against the requirements of the ISO 9001-9003 standards selected by the firm.

It should be noted that the quality manual should not be mailed to the registrar until it is evaluated by management and the appropriate improvements have been made to conform with the ISO 9000 series standards. Policy manuals and other important documents can also be submitted for review at this time. An on-site review could also be done.

IX-11


4. Pre-assessment auditThis step is optional. It can be performed internally with the assistance of an employee or consultant who has attended the ISO 10011 auditor training course. This is an effective method to identify deficiencies in either the quality system or in the documentation.

5. Internal assessmentAn internal assessment will assist your organization in making certain that it is ready for the registration audit. If the assessment is performed by employees trained in ISO 9000, this can take the place of a pre-assessment audit with a registrar.

The pre-assessment audit and the internal assessment involve an evaluation of the current quality system and the documentation that supports it. These audits should include reviews of key documents that involve policies and procedures for new product releases, engineering changes or test and inspection processes. In addition, records, such as batch production records, work instructions, analysis and test results and even meeting minutes, should be examined for compliance.

6. Full assessmentWhen a company believes it is ready, the on-site assessment audit is scheduled. A full assessment for ISO 9001 involves two or three auditors and takes approximately two to four days to complete.

The on-site audit consists of management and team meetings, daily reviews and often a draft report of the findings of the audit team that includes its recommendation on registration. The audit team will require escorts to assist in meeting personnel on all levels and in examining the documentation produced or used. Confidentiality should not be a concern as published information only gives two details:a. to which ISO 9000 standard a company is registeredb. for which product or service

No other data is disclosed.

7. RegistrationThe assessment will result in approval, conditional approval or disapproval.

Approval can occur with only minor deficiencies outlined in the registration report. Registration means that the quality system has been verified to conform to the require-ments of the ISO 9000 standard and the registrar will issue you a certificate.

The certification is then listed in a public register. The company may also display the registrar’s mark in its advertising, stationary, bids and proposals. From this, it is obvi-ous that ISO does not assign registrations; these are given by specific organizations. A registration claim is legally valid only if it is backed by a certificate from a recog-nized registrar. Any company can claim to follow ISO 9000 rules; however, it is illegal to state that a company is a registered company if it has not received a certification from an appropriate registrar.

Conditional approval occurs when the organization has systems documented but for some reason they are not all fully implemented. Insufficient documentation or improper access and control of documentation are the most common reasons organiza-tions fail a first-time registration audit. The ISO 9000 auditor will pay careful attention

IX-12


to what a company says it does and what it actually does. In any case, the company will be told the reason for non-conformance and it will then have the opportunity to cor-rect it. The auditor’s report will include the necessary corrective actions. As soon as the company fulfils these, it can reapply for registration with no penalty. In many cases, the implementation of an electronic document management system gives companies an edge toward gaining ISO 9000 certification on the first try.

8. SurveillanceMost registrations are valid for a three-year period. During that time, the organization must maintain and improve the quality system that was certified. Organizations usu-ally have a maintenance contract with the registrar for ongoing surveillance.

Depending on the registrar selected by the organization, surveillance audits can be at regular six month intervals or other schedules. Some registrars will conduct sched-uled surveillance audits, while others will arrive to audit unannounced. The quality system must be ready to substantiate that processes in place at the time of the original ISO 9000 certification still exist or are surpassed. Your chances of maintaining certifi-cation are better with an electronic document management system.

During the surveillance period, appropriate systems should be established to identify and resolve issues and problems. Open lines of communication with the registrar that include the sharing of improvements in document control and distribution systems will afford a more organized, smoother approach to maintaining the ISO 9000 certifica-tion. Modifications to the quality system should be well-documented and provided to the registrar regularly. A complete reassessment is usually required when certifica-tion expires.

IX.5.2 Management ReviewsThe quality system adopted to satisfy the requirements of these standards must be reviewed by management at appropriate intervals to ensure its continuing suitability and effective-ness. Records of such review shall be maintained.

The management review is usually conducted once or twice a year. The review should be chaired by the managing director and attended by the whole management team. At the project level, more frequent mid-level reviews are desirable.

The purpose of the management review is to provide an opportunity for management to assess the continuing effectiveness of the quality system. The agenda would normally include the following:• review of quality costs and non-conformance (e.g., complaints received)• assessment of the results of internal system audits• records of improvements and actions taken in response to earlier complaints and

problems.

Management review should be formal sessions with minutes kept. The minutes should also include responsibilities, actions and time scales. These are the quality records for manage-ment review.

IX-13


IX.6 Selecting a RegistrarA registrar is an independent company whose business is evaluating a company’s quality system for ISO 9000 conformance.

The first step is to obtain a list of registrars, which is available from the RAB in the U.S. or the Standards Council of Canada (SCC). The RAB and SCC perform initial audits of regis-trars, issue accreditation certificates, perform regular surveillance and maintain a directory of accredited registrars. Every registrar is different, with experience in various industries.

Once a short list of registrars to interview has been made, the following questions could be asked:• Are they independent or are they connected to a consultant?• What experience do they have in your specific industry?• How many organizations have they certified?• What has been the scope of their experience with each of the three ISO standards?• Do they have experience certifying companies to the standard you have selected?• Do they have project management experience?• Do they have checklists for consistency?• Do they have international recognition?• Do they have necessary accreditation: SCC, RAB-U.S.A., Dutch Council for Accredita-

tion (RVA)?• Do they have acceptance (MOUs) with other International Registration Bodies?• Do they have knowledge of EC Directives?• Do they participate in International Committees (e.g., TC 176 and TC 207)?• Will they provide names and references?• Do they have a multi-site sampling plan, if required?• What are their fees, terms and conditions?• How do they conduct their on-site audit? How many auditors?• What are the auditors’ backgrounds, training and experience?• How do they conduct surveillance visits? Scheduled or unscheduled?

This is a preliminary list of questions only. Choosing a registrar is just like any other busi-ness decision and, since your relationship with the registrar will be long term, make certain that you have complete confidence in your choice.

IX.6.1 Beware of Conflict of InterestSome registrars have a consulting organization that advises or “tutors” organizations in achieving ISO 9000 certification. This may involve setting up a quality system or writing up the quality documentation that is being assessed. The ISO requires strict separation of assessment and registration services and consulting. This means that the company selected as a consultant may not perform the registration audit for ISO 9000 certification.

IX.6.2 Costs of RegistrationThe fees for registration vary based on the size of the organization, the country and the ISO standard selected. Costs include the application fee, the registrar’s cost for review of docu-mentation as well as the initial visit and the formal audit. A rough rule of thumb is between $15,000 and $50,000 — more for a large organization.

IX-14


IX.7 Importance of DocumentationSince approximately 75% of all business information is in document form, senior managers realize that information is their most important asset. How they manage that information, in the form of documents, is critical to their success.

For ISO 9000, documentation is the means to communicate about the quality of an organi-zation. Poorly documented systems often lead to company failures. Many organizations are still partially paper-based in the creation and distribution of their critical documents.

A paper-based system can create quality problems when procedures are frequently changed in a test procedure or assembly instruction. In this case, managing ongoing changes to documents can be a labour-intensive, manual, error-prone process. Even when changes are approved, it is sometimes difficult to ensure that the right version of the procedure or instruction is actually being used by an operator.

Because of situations like this, an electronic document management system is necessary for ISO 9000 compliance. Managing documents electronically automates the document change and distribution process: personnel can focus on improving what they do, not how they record it. This has additional benefits as it enables the company to change processes and procedures to adjust to changing needs in the market.

IX.7.1 What Should Be Documented?The document control requirements are fully described in the ISO 9000 standard and cover the breadth of the organization. It begins with the quality manual and broadens out to the “Three Tier Document Structure” that consists of standardized electronic templates, revi-sion control, active document intelligent authoring and linking of related information.

The level 1 quality manual document states the organization’s philosophy and vision. The quality manual represents the strategic plan for an organization’s quality system. This is a relatively short document that addresses each of the ISO elements. For example, an organi-zation seeking ISO 9001 certification creates a quality manual of about 20 pages — one page per element.

Level 2 documents are procedural documents. These include departmental policy and procedure manuals — the manuals that describe the actions to take place, who is respon-sible and when they should be carried out. Examples of level 2 documents are new product development procedures, training policies, and test and verification policies.

Level 3 documents are the quality documents that represent how tasks are executed, such as design specifications, operating instructions and assembly instructions.

Quality records, sometimes referred to as level 4 documents, document the results of actions specified in level 3. For example, calibration reports and batch records are quality records.

IX-15


IX.7.2 Why are Quality Documents and Quality Records Important?The ISO 9000 standards require two specific kinds of documents: quality documents and quality records.

Quality documents tell “what to do.” For example, work instructions would be a quality document. They may include how to assemble, test, package, store or ship a particular prod-uct. They can also be the specifications for a new product design, which list engineering requirements for the design and govern the product-development cycle.

On the other hand, quality record is evidence that your organization has fulfilled the actions described in quality documents. Using the example of product testing, the quality record would describe who did the test and would include the date, time, location, which product, test result and then the actions taken.

IX.7.3 Defining the Quality Manual, Quality Documents and RecordsThe quality manual drives the ISO 9000 quality system implementation. Policies and pro-cedures describe the quality practices — what each department must do. Quality documents describe the process — how procedures are to be done at an individual level. Quality records report the outcome of processes and support the results.

IX.7.4 Quality Documents and Records ListExamples of quality documents and records generated from quality processes that require control are as follows:

• Quality documentation — drawings — specifications — inspection instructions — blueprints — test procedures — work instructions — operation sheets — quality manual

• Quality records — inspection reports — test data — qualification reports — defect checklist — validation reports — audit reports — calibration data — factory log

Quality documents document the process. Quality records prove the process was executed and specify the results.

IX-16


IX.7.5 Content of the Quality ManualThe quality manual contains the essence of the company’s quality system. It must give the leader a clear overview of the system practised by the company. The manual is, therefore, rather simple and can be an effective promotion tool for the company. The manual should contain the following:• introduction to company and scope of business• control policy for manual and procedures• quality policy and objectives signed by the chairman or chief executive• company organization and typical site organization• responsibilities of key officers• management representatives (quality system manager)• summary of the different procedures that are being prepared, with cross reference

made to the procedures• review of the system, both management review and internal quality system audits• reference to all the requirement of ISO 9001 or ISO 9002 and demonstration that

they are being addressed in the system

IX.7.6 Quality ProceduresThe company will have to determine which procedures are to be included. As a guide, all procedures that have a direct impact on the company business and quality of services and products must be included. A good way to start will be to draw the business flow chart to identify the key activities.

Quality procedures should preferably be drafted by the person in charge of each section. The procedures should include the following:• the scope and purpose of the procedure• sequence of actions to show how an operation is carried out• the person responsible in the execution• the person responsible for the checks, if any• reference to supplementary literature, such as the statutory acts and regulations,

product standards and codes of practice• checklist of forms to be completed following each operation — sample forms could be

attached to the procedures• actions should be taken if any non-conformance is detected in the operation

IX.7.7 Purposes of the Production Quality PlansThe production quality plans set out the strategy to achieve the desired quality in each production line. It also serves as a summary of the production that is easily available for reference. It is a dynamic document, since project requirements are usually refined in the course of production. The production quality plan should be prepared at the inception of the project by the production manager.

IX.7.8 Content of Project Quality PlansThe project quality plan includes the following:• customers’ brief• production team from the company and organizational chart• project program and deadlines

IX-17


• design reviews, if company is involved• special technical / design requirements• coordination instructions• additional procedures that are peculiar to the project• test or tests required• appropriate records and retention period• progressive decisions affecting quality

IX.7.9 Design ControlISO 9000 certification requires that control and verification of products is the company’s responsibility, from design to delivery. Section 4.4 of ISO 9001 is specific:

Your organization shall control and verify the design of its product to assure it meets specified requirements.

The company has to start by documenting its design, and then ensure that all plans for the development of the product, including any changes in design and specification, are updated regularly. This means that the company must be able to substantiate that their design pro-cess reflects the specification requirements.

The company must also provide verification that any applicable regulations are being fulfilled. It is not only the design process that must be documented but also (and even more importantly) the design change process. And that is where an advanced document manage-ment system can make compliance faster and easier.

Clause 4.5.1 requires the supplier (contractor) to establish and maintain procedures to control all aspects of documents and data that relate to the requirements of the ISO stan-dard. It specifically requires that such documents be reviewed and approved for adequacy by authorized personnel prior to use. Section 4.5 of ISO 9001 states the following:

Your organization shall control all your quality system documents to assure availability of documented information to those requiring it.

The fact is that those companies that use state-of-the-art document management technol-ogy to create, manage and distribute policy, product and procedure information, are best positioned for success. And because certification is an ongoing commitment, an electronic compliance system will make it easier to maintain.

IX.7.10 Problems That Are Most Often ReportedQuality experts believe that there are three major areas that cause organizations to fail to achieve ISO 9000 compliance. They include one or all of the following problems:

1. Document control problemsa. outdated versions of procedures, work instructions and other important

documentsb. lack of documentation in processes or proceduresc. missing or inaccurate documentation (where needed) for implementation

2. Document maintenance problemsa. inadequate “paper trail” of the status of documents in the systemb. changes made on documents that have not been fully incorporated into

new versions

IX-18


3. Contractual documentation problemsa. Many organizations do not have a formal, documented process to respond to a

request for proposal (RFP) or an invitation to tender. Yet, this area is a critical part of the ISO 9000 standards. ISO 9000 specifies a contract review between the purchaser and the supplier. Any changes in the product, the specifications or even the delivery date must be negotiated and put in writing. This not only ensures ISO 9000 compliance but also prevents potential disagreements and even lawsuits. In this respect, ISO 9000 represents a better way of doing business.

IX.7.11 Regular Revisions for ISO 9000 StandardsAll ISO standards are reviewed in principle every five years. The ISO 9000 series itself is assured of a reasonable stability because a manufacturer should be able to amortize the outlay in getting ISO registration before changes are introduced.

IX.7.12 Effect of ISO 9000 on an Existing Quality SystemThe work that has already been done in the area of improving quality and quality prac-tices can be used as a baseline to achieve ISO 9000 certification. For many companies, the process of applying for ISO 9000 certification enables them to document their quality system and ensure that they will continue to maintain the quality they have developed. Many companies already have level 2 and level 3 documents in different systems — materials requisition program, multiple CAD systems, word processing systems or on paper.

Organizations should work to capitalize on their current systems. An electronic document management system will leverage these systems, contributing to a compliant, controlled system that will help an organization achieve registration.

Some experts believe that the greatest impetus for ISO 9000 registration is simply market pressure. Organizations that can prove higher quality will outperform those that cannot or will not.

IX.7.13 Benefits of Implementing ISO 9000 StandardsThe key benefits of implementing the ISO 9000 Standards are:• enhances the company’s corporate image• increases customer confidence• improves employee participation and morale• ensures everyone can communicate on quality assurance using a common language• enables organizations in a wide range of industries to develop quality systems from

scratch and start implementing them• facilitates and promotes third-party auditing and certification• satisfies customer requirements• improves the overall business efficiency

IX-19


IX.7.14 What Will It Be Worth?The benefits of ISO 9000 certification have been studied and quantified. In a September 1991 study for the British government, Survey of Quality Consultancy Scheme Clients 1988-90, researchers (Pera International and Salford University Business Service Ltd.) contacted over 2300 firms. The survey of registered companies found that:• 89% reported greater operational efficiency.• 48% reported increased profitability.• 76% reported improvement in marketing.• 26% reported increased export sales.

According to leading experts, the ISO 9000 standards result in greater quality awareness, greater operational efficiency, increased productivity, reduced overtime payments, reduced administrative costs, international recognition and elimination of unnecessary procedures as there is standardized control of documentation. A positive “cultural” change was also observed.

And while some people think that ISO 9000 benefits are mainly for large organizations, studies have shown that they also produce significant savings for smaller companies, such as subcontractors.

IX.7.15 Effect of ISO 9000 on CustomersA company will be more confident in a supplier’s products if it has documented proof of higher quality. The ISO 9000 standard has been written to be attached to a contract between two companies. In fact, one of its most important functions is to assure that an organiza-tion delivers whatever it has agreed to by contract and that it has permanent systems in place to maintain that capability. ISO 9000 certification can eliminate the need for some audit visits by customers. This decreases the cost of establishing agreements and doing business between suppliers and customers. It is an excellent way to ensure quality and confidence.

IX.7.16 Can ISO 9000 Provide a Competitive Edge?A company can use ISO 9000 certification to gain or maintain approved vendor status, even when companies reduce the number of their suppliers. A company should be able to enter new and lucrative markets that were previously closed. A company can successfully compete with virtually any other company in their industry.

In the U.S., Canada and Europe, buyers of industrial products are insisting on ISO 9000 compliance and procurement specs from their suppliers. And virtually every industry seeks ISO 9000 certified suppliers.

IX.7.17 Save Money with ISO 9000At the present time, most manufacturers have to accept their customer’s definition of quality. Since different customers have different requirements, many manufacturers have to undergo customer-driven “quality audits,” which can be expensive and time consum-ing. ISO 9000 practically eliminates the need for many customer-driven quality programs. ISO 9000 certification is a uniform standard, accepted and recognized internationally.

IX-20


Therefore, a company should save money. That also means an organization can allocate time and resources toward improving the real quality of their processes and products not measuring up to individual supplier standards.

A company also begins to accrue benefits even before it achieves ISO 9000 certification. The preparation for ISO 9000 registration involves a close analysis of a firm’s existing quality systems. This is at the heart of the ISO 9000 standards. It presents the firm with the perfect opportunity to standardize and document its procedures. In some organizations, this will be the first time this has been done. It enables management to communicate this informa-tion to employees, to increase productivity and profits.

ISO 9000 can improve overall business efficiency because ISO 9000 standards require man-agement to document the procedures and practices affecting every area of the organization. During this process, management will quickly realize the wasteful and unnecessary proce-dures. This can provide the first clear picture of exactly how the company does business and will reveal ways in which it can improve.

ISO 9000 requires that documents be readily accessible to every employee who needs them. Therefore it can ensure timely, accurate, accessible information, since documents are the major vehicle of communication in every company.

ISO 9000 can help a company develop “best practices” and eliminate costly surprises. Once the organization has documented the optimum way to do things, there is no returning to second best. With an electronic document management system, management can be sure that everyone will be working with the most up-to-date, accurate information. There should not be any expensive mistakes.

ISO 9000 improves the quality of information and that can only improve the quality of decisions.

IX.8 Sources of InformationIn the U.S. and Canada, the American National Standards Institute (ANSI), SCC, and the ASQC all offer significant resources regarding the ISO 9000 standards. These organizations may be contacted at:

American National Standards InstituteWebsite: www.ansi.org

Standards Council of CanadaWebsite: www.scc.caEmail: [email protected]

American Society for QualityWebsite: www.asq.org

In Canada, the SCC operates the Program for the Accreditation of Organizations Register-ing Quality Systems. Accreditation under this program indicates that a registrar has been thoroughly assessed and found to provide service of the highest calibre and competence. The program is voluntary and open to any registrar operating within Canada. Applicants

IX-21


are judged on a number of attributes, including organizational base, administrative prac-tices, human resources, physical resources, documented policies and procedures, and independence of operation.

Accreditation by the SCC lends credence to registrars and to the registration certificates they issue to Canadian companies. As a result, these certificates are respected by clients in Canada and abroad. They are a trusted indication of quality.

To further enhance acceptance of Canadian registration certificates in the international market, the SCC is working toward formal agreements with accreditation bodies in other countries that would provide official recognition of Council-accredited registrars.

The SCC maintains a list of accredited registrars available in all parts of Canada. They also have available publications and books that provide extensive details on ISO 9000 registra-tion. They have a website at www.scc.ca that provides lists of registrars, publications, etc. or they can be contacted at the above email address.

The information service provided by ISO, called ISO 9000 Forum, is available through the SCC. The service includes two regular publications, ISO Bulletin and ISO 9000 News as well as discounts on the ISO 9000 series, books, conferences, training documents and directories.

IX.9 Financing of ISO 9000 RegistrationBecause of the importance of ISO 9000 to the competitiveness of Canadian business, the Business Development Bank of Canada (BDC) has developed a program to provide ISO 9000 consultants to small / medium companies nationwide and to provide specific funding assistance for the costs. See Part B, Chapter 7, Government Funding, for more information.

IX.9.1 Business Development Bank of Canada Consulting GroupThe BDC has created a group to provide ISO 9000, ISO 14000 and Hazard Analysis Critical Control Point (HACCP) services to clients across Canada. The service brings together the resources of the BDC and the expertise of selected private practitioners to assist businesses in implementing their ISO 9000 quality system, ISO 14000 environmental protection system and HACCP food safety system.

With offices and locations across Canada, the BDC ISO — HACCP Services group can assist any business certify the whole company at minimal expense. Wherever possible, travel costs are eliminated by using a local practitioner in each location under the BDC national umbrella. The ISO — HACCP Services group works with manufacturing companies, resource-based companies and service providers.

The goal of the ISO 9000, ISO 14000 and HACCP Services groups is to be a continuing companion to clients, even after they are certified, by helping with internal audit require-ments, if needed, and by providing expert advice toward the goal of continuous improve-ment, total quality management, improved environmental processes and food safety systems.