iso 9001 articles

8/3/2019 Iso 9001 Articles

http://slidepdf.com/reader/full/iso-9001-articles 1/35

Implementing the Process ApproachLeveraging ISO 9001 for Real Business Value

"Having an effective process management process may be a "missing link" in your current QMS and this gapmay be a key reason ISO has lost some of its luster in recent years."Ensuring that ISO 9001:2008 remains a vital, relevant tool for your top management to improve businessperformance is often of concern by those responsible to oversee the "ISO program" within your organization.It is too common for ISO to become "yesterday's news" if you've been certified for several years and today's"big event" is the annual return of the Registrar's auditors. If your organization has struggled to showmeasurable and sustainable improvements in performance for your customers or toward top-prioritymanagement goals, then ISO may be thought to be in "maintenance mode" within your organization, ratherthan a vital tool to address today's critical business needs.

The observable symptoms of this situation might include:

1. The same corrective actions come up again and again.2. Audit reports identifying seemingly "petty" issues.3. Management review meetings "going through the motions" and often poorly attended.4. Improvements made in the past don't show sustained results today.5. There is a "burn out" factor within your internal auditor team.

These indications point to a quality management system (QMS) that has generally lost its focus. But, whydoes this occur?

Why are we off track?In many organizations, a careful "root cause" investigation may point to a lack of understanding about howprocesses drive performance or a lack of effective implementation of what ISO 9001 calls the "processapproach".

In previous editions of ISO 9001, the standard was organized for auditors, not managers. The requirementswere structured around 20 "elements" (whatever that means!) and read like an auditor's checklist. Thecentral theme of these earlier ISO versions was to "document what you do, and do what you document". Inother words, procedures! In many of today's certified companies, this legacy mentality still reigns andnumerous documents that were written to "get ready for ISO" now gather dust unless an auditor stumblesacross them. Many managers ask (rightly) "what's the point of that!"

A change in focus in the current standard To cure us of our fixation on documents (as if that was the point of ISO anyway) the year 2000 version of the standard introduced the process approach to turn our attention toward a means to drive real businessvalue with our QMS. In the words of the introduction of ISO 9001:2008:

This International Standard promotes the adoption of a process approach when developing, implementingand improving the effectiveness of a quality management system, to enhance customer satisfaction bymeeting customer requirements.

For an organization to function effectively, it has to identify and manage numerous linked activities. Anactivity using resources, and managed in order to enable the transformation of inputs into outputs, can beconsidered as a process.

... the application of a system of processes within an organization, together with the identification andinteractions of these processes, and their management. can be referred to as the "process approach"(ref.

0.2).More simply, in order to improve business results, both for the customer and the company, your approach toyour QMS should be built around processes ... namely, those processes that have the biggest impact onyour business performance.

In a related article, we discussed the importance of identifying the most critical cross-functional processesthat most impact the customer and business performance and formally managing them as the central themeof your QMS. Once in place, these key processes serve as the focal point for management planning,resource allocation, performance monitoring and continual improvement efforts. Your documentation,training and corrective actions should also stem from these processes. In some respects, your key processesand their improvement become the chief targets of your QMS.

http://www.9000world.com/index.php?app=ccp0&ns=display&ref=isoarticle_processapproach&sid=sqa46o88z7a6ekh919vh05i699sqcn5w






So, the selection of your key processes and their day-to-day management by assigned "process owners" isamong the most important responsibilities of the management representative (see 5.5.2 a) and topmanagement (see 5.4.2).

The problem of white space in the organizationA question might come to mind, then, "Why do processes need to be managed?". Or, "why don't theymanage themselves?". This uncertainty often springs from an assumption that if we put procedures in place,and manage them (including auditing the @%#& out of them) doesn't that make our processes work right?

The answer can be found by looking more closely at our procedures. Most company procedures are writtenby a specific department within our organization. Each department looks at how they do things anddocuments the general steps in a written procedure. They might also check the ISO standard to see if thereare any changes they need to make to stay out of audit trouble. A procedure, then, is focused on theactivities within the department who develops it.

Some examples The limitation of that approach is that key processes are bigger than individual departments. Consider thefollowing examples:

What's clear about these processes is that they span several departments within an organization. It takesthe efforts and good performance from each department to get good results from the process. And it takesmore.



What is "white space"? In most businesses, the most common areas where obstacles to processes arise are in the hand-offsbetween departments, groups or individuals, or what is called the "white space" of an organization(*). Theterm white space comes from looking at a typical organization chart or diagram showing the reportingrelationships of the various departments. The common chart shows job titles and how people fit in theoverall organization. The intention of such a diagram is to show where people are focused in their jobs.Managers, then, place their attention on making sure each person fulfills their responsibilities within their

defined job duties.Where there is NO focus is on the spaces between the boxes on the organizational chart – or the "whitespace" on the chart. This tends to be "no mans land" in the organization where no one claims to have fullresponsibility or accountability. As work flows through the organization within larger processes, problemscrop up when "balls get dropped" or "things fall into a black hole" in the white space.

The process approach looks at the business differently. Instead of the top-down (vertical) view through theorganization chart, a process view sees how work flows horizontally through the business. In reality, themost important work flows across the company without regard to the reporting structure of the organization.Yet, that same organization structure often impedes the performance of the process.

This occurs because of how goals are set departmentally and how problems get addressed by having to go"up in the chain of command" for resolution, especially when there are particularly sticky issues to resolve.This only creates delays in decision making and typically removes those closest to the work and the problembeing discussed, from the final decision made. These management decisions can be subject to compromisebetween conflicting priorities of the process and department goals. In process terms this is called sub-optimization.

The importance of managing white space To balance the top-down view, processes need to be managed horizontally within their own structure. The

ISO 9001:2008 process approach provides such a structure. The horizontal view does not conflict with thecompany reporting structure but complements it. By identifying the few key processes that are essential tobusiness performance and assigning responsibility for management and improvement of these processes,this can pull everyone involved together in understanding how to better arrange the process for best results.

The key then is to define how to manage cross-functional processes within a functional organization. Theremainder of this article will focus on some proven suggestions to how to structure your QMS to maximizeprocess performance across your company.

A cross-functional approach to managing key processes



The ISO 9001:2008 does not specify the structure to use to manage your processes (see section 4.1 in theISO standard). It simply states that you must:

1. Identify your key processes, how they flow though the organization and their relationships to oneanother.

2. Establish methods to measure the performance of the processes.3. Make sure resources and information needed are available.

4. Monitor, analyze and improve the processes.

But how to set all this up within your QMS is up to you. We should say it is more than simply putting a list of your processes in your quality manual. In some companies, that's about all the thought that is put into theirprocesses.

Questions to consider An effective approach to process management would address these questions:

1. Who "owns" each process? That is, is there an individual assigned to be responsible and accountablefor the performance of the process?

2. What departments and job positions are involved in the execution of the process? What does eachone need to successfully support the process?

3. Where are the most common "white space" breakdowns in the process? How can they be morecarefully managed?

4. How do we keep everyone involved informed as to how the process is performing and whatproblems need to be addressed?

5. What day-to-day obstacles do people run into in performing the process? Do we have an official wayfor these type of problems to be easily reported and addressed?

6. How to we measure the progress of our ability to manage processes? If one process is "bettermanaged" than another, what's the difference in approach between them?

There are certainly more questions to consider, but these should serve as a starting place for setting up a"process management process" in your organization.

Getting your process management process started Here are some general suggestions for getting started:

Assign "ownership" of each process to a member of the top management team. This will ensure

there is enough clout and visibility to process management. Recruit a cross-functional team to work with the process owner to oversee the process on an

ongoing basis.

Have the process management team formally document the process in a process flowchart showingall of the hand-offs and white spaces.

Determine and implement formal measures of effectiveness for each process that are reported aspart of top management meetings and management review.

Authorize your process management teams to make changes to their processes for improvement,even if it disrupts the current organizational structure and job responsibilities.

Set process goals based on top-level company and quality objectives.

Provide training to your process management teams on process improvement techniques and theirrole within the organization.

Also provide training to your teams on how to analyze data, how to investigate root causes toprocess issues and how to take effective corrective and preventive action.

Review your current procedures to see which processes they support and if they are aligned withthe purpose of the processes. Consider eliminating procedures that don't support a key process.

Establish formal criteria for process management teams and their effectiveness. Rate them againstthe criteria to measure progress.

Write a QMS procedure on your process for managing processes and ensure it is audited as part of your internal audit schedule.

You'll have to tailor some of the suggested steps above to your organization depending upon its size andorganizational complexity. Be sure to work closely with your top management in setting up your "process



approach" so that you have their support and involvement. It's an ideal situation when the top managementteam integrates process management into their normal business management activities and regularlyidentifies processes requiring change or improvement when business issues or opportunities arise.

Driving sustainable improvementHaving an effective process management process may be a "missing link" in your current QMS and this gapmay be a key reason ISO has lost some of its luster in recent years. You may be weathering your audits justfine with only a handful of minor findings each time. But passing the audit may be all the benefit you're

getting from your investment in ISO 9001:2008 certification.

By managing processes with a more structured approach, you can turn your ISO QMS into a lever foraddressing nagging problems with customers, recurring wastes internally and for taking advantage of newbusiness opportunities that require your business to "move up a notch" in its capabilities. A practicalapproach is found in the ISO 9001 process approach and you'll find your efforts to re-tool your QMS will payback benefits for years to come.

(*) See the book "Improving Performance", Rummler & Brache, Jossey-Bass Publishers, for the originaldiscussion about "White Spaces" in an organization and how to manage processes to overcome them.



Understanding the Process ApproachDemystifying the ISO 9001 Requirements

What Exactly Is the Process Approach?"The process approach means that you improve your business by managing and improving certain keybusiness processes that directly impact your ability to serve your customer."Since the year 2000 release of ISO 9001, all ISO certified companies have wrestled with the practicalapplication of the "Process Approach" that was introduced in the current version of the standard. In fact,other than the reduction of the number of "required" (i.e. prescribed) documents, the shift to the ProcessApproach was the most significant change from older editions of ISO 9001. This struggle has beenexpressed by a number of common questions:

1. What exactly is a "process" as required by ISO?2. How do we document our processes?3. How does the rest of the Quality Management System (QMS) support our processes?4. How do we audit using the Process Approach?5. What are the Registrar's auditors really looking for?

If you've found yourself asking these or similar questions, or you've had other people in your organizationask them and you've struggled with a response, then understand that you're not alone. The continuedconfusion about this aspect of ISO 9001 stems from the generic language of the standard and the variousways companies have attempted to comply. It hasn't helped that Registrars seem to have differentapproaches to interpreting and auditing these requirements. Let's see if we can take some of the mysteryout of this for those of us trying to make ISO add value to our businesses on a day-to-day basis.

A simple explanation From the language of the ISO 9001 standard itself, the "process approach" is described as:

"The application of a system of processes within an organization, together with the identification andinteraction of these processes, and their management" (ref. section 0.2).

Let's put that into simpler terms. The process approach means that you improve your business by managingand improving certain key business processes that directly impact your ability to serve your customer. Sinceyour business processes are basically "how you get things done", by improving these processes you improveyour company's ability to meet customer requirements. Gains made by improving your key processes paydividends today and in the future as your QMS drives meaningful improvement in your business.

So, that takes the focus of your ISO efforts off of "getting ready for the next audit." While a necessary partof ISO, passing the audit will only maintain your certification. This is the minimum benefit you shouldreceive from your efforts.

The real opportunity for measurable business benefit from ISO 9001 is for better efficiency, reduced failuresand higher levels of performance for your customers. The most effective ISO "lever" to achieve these resultsis the management and improvement of key business processes. Often, the most critical processes in yourbusiness are cross-functional, cutting across boundaries within you organizational structure. Improvementsin these processes have an ongoing payback if such improvements are sustainable and sustained. Theprocess approach, when correctly applied to your QMS, is the way this gets done.

So, what is a process? For those who may not have a strong background in studying processes and quality improvement, it iscommon to ask, "What exactly is a process?". Using the text from the ISO 9001 standard:

An activity using resources, and managed in order to enable the transformation of inputs into outputs, canbe considered as a process (ref. 0.2).

In other words, a process is basically how you are operating a certain activity within your business toconvert something such as an unfinished product, some data or information, an untrained employee, orother "input" into an "output" such as a finished product, decisions based on data or information or a fullyskilled employee. The steps you've followed to accomplish the intended results is the process.



Keep in mind that your business processes exist whether or not you understand them or are trying toimprove them. Some are more informal than formal. Others are less effective than you assume. There are

those that are surprisingly effective though you're not sure why. Processes are simply "the way we getthings done".

Processes come in different shapes and sizes. A process can be as "small" as a task someone has to do,such as entering data into a computer. A somewhat larger process would involve several people within acertain department to complete something, such as putting together and implementing a new marketingcampaign. A process can also span several departments who all have to work together for a common goal,such as developing, producing and releasing a new product or service.

These different process scopes illustrate how smaller processes "fit" into larger processes and support them.Generally you should consider bigger processes to be more important to your business performance overallthan the smaller ones. But it is often the case that the broader cross-functional processes are not wellmanaged, despite their greater importance.

This is because cross-functional processes cut across organizational boundaries, involving severaldepartment heads. The organizational structure, in this case, tends to work against efficiency because of the"hand-offs" between departments and conflicting goals between organizational groups. Yet, because of theirimportance to meeting customer requirements and management objectives, they should be consideredamong your most critical "key processes" to be managed within your ISO system.

What's involved in managing processes? The management of key business processes basically involves the following:

1. Identifying the processes that most directly impact your customer and overall businessperformance.

2. Establishing reliable measures of performance for those processes.3. Assigning responsibility for monitoring and improving each process.4. Proper procedural documentation to control each process.5. Effective action to root out obstacles in the process and to resolve root causes to performance gaps.6. Integrating the process with the requirements of other business processes.

The management of your key processes should serve as the "top level" of your QMS – that is, it shouldprovide the overall purpose and structure to your procedures, work instructions, training, etc. In addition,

the selection of processes and establishment of process measures should be derived from your overallbusiness and quality objectives.



What does ISO require?When reading the ISO 9001:2008 standard, it's easy to miss this central emphasis on managing keyprocesses. This is in part because the requirements for managing processes are sprinkled throughout thestandard under various headings. Piecing together a complete understanding involves pulling a number of

requirements together.

0.2 Process approach It is helpful to start with the Introduction to the standard that introduces the concepts of managing yourbusiness through the identification and management of a "system of processes". Four parts of managing keyprocesses are listed:

1. understand and meet requirements

This indicates that the purpose of each key process is to meet specified requirements. If thoserequirements are not clearly defined and communicated, those involved in the process won't know if they are achieving what is needed.

2. consider the added value of the process

Processes to be managed should be selected based on the "value" they add to the ability to meetcustomer requirements or to meet business objectives. That means that you should start with themost "key" (critical) processes to your business.

3. monitor process performance and effectiveness through actual results

Once you've identified and defined your key processes, each should be monitored using a fewperformance measures. The measures should be selected based on the most important objectivesfor each process and its overall purpose.

4. data-driven continual improvement

Monitoring these results and analyzing the data will clarify specific improvements needed in theprocess to drive performance up. Using root-cause analysis to determine needed corrective action(and preventive action) will ensure that improvement efforts pay off with better overall results.



The model shown in Figure 1 within the ISO 9001:2008 standard helps to give a "big picture" of how theoverall QMS works to ensure that customer satisfaction is achieved (see page 7 of the ISO 9001:2008standard). Essentially, the model depicts how your organization translates customer requirements intocustomer satisfaction through your internal QMS processes. The model aligns with the 5 major sections of the standard (4.0 – 8.0) to help you understand how the requirements fit together. From a conceptualperspective, the diagram is helpful.

Specified requirements for processes The practical requirements for managing key processes are found in several passages within the standard.

ISO 9001:2008Reference Key Process Management Requirement

4.1 (a) & NOTE;7.1; 7.2; 7.4.1;8.1

Identify your key processesThis is typically done with a simple flowchart for each process; be sure to includeprocesses related to management activities, provision of resources andmeasurement.

4.1 (b); 4.2.2 (c) Determine how these processes fit together and impact each otherThis can be done by showing one process as an input to another process on yourprocess maps; the process maps should be referenced or included in your qualitymanual

5.5.2 (a) Assign responsibility for managing these processes on an ongoing basisThat is, determine an "owner" for each process; your management representativeoversees the process owners to ensure the processes are effectively managed.

4.1 (c); 5.4 Establish formal measures of performance for each process based on the process

purpose and objectivesEnsure these process measures are linked to your overall objectives for thebusiness and quality.

4.2.1 (d) Develop formal procedures needed to control these processes; relate them to yourkey process mapsnly implement formal documented procedures where they help the process runmore smoothly - don't document for the sake of documenting.

4.1 (d); 6.0; 7.2.3;7.3.3 (b); 7.4.2

Determine the resources needed for each process and establish a planning processto ensure needed resources are providedEstablish effective information-flows with your customers, internal processes andsuppliers; evaluate what information is needed at each hand-off and determinehow that information will be managed and maintained.

5.5.3 Establish a communication plan to ensure everyone working in or affected by your

key processes understands how the processes are performing.4.1 (e); 5.6.2 (c);8.2.3; 8.4 (c)

Monitor and evaluate the performance of your processes to determine if objectivesare being metOne of the venues for this evaluation is your management review.

5.6.3 (a); 8.5 Determine actions needed to improve the performance of your processes asdetermined by your process measuresIn addition to corrective actions, trends can indicate opportunities for preventiveaction.



Do we have to Audit using a Process Approach?One final question is commonly asked relating to whether or not your internal audit program must bereorganized to audit "processes" rather than "ISO requirements". Many ISO internal audits are structuredaround a requirement-by-requirement review of the quality management system following the sections of ISO 9001:2008. It is common for an audit checklist to itemize questions to confirm whether the QMS:

... conforms to the planned arrangements (see 7.1), to the requirements of this International Standard [i.e.ISO 9001:2008] and to the quality management system requirements established by the organization (ref.8.2.2).

The scheduling in such an audit program is often by departments within the company. If this is your current

procedure for auditing, the question that comes to mind is "do I have to change to auditing processes? If so,how do I do that?"

Well, the ISO standard does not really say how you need to organize your audits; just that you need toconsider in your audit plan:

The status and importance of the processes and areas to be audited, as well as the results of previous audits(ref. 8.2.2).

So, bottom line is that you are not required to rearrange your audit program to "audit processes" per se. Butyou do need to be sure your auditors are aware of your processes and how they are organized, managedand currently performing. They can then provide useful feedback to your key process owners as to how wellthey are implemented and areas needing improvement. As a minimum, you need to determine the scopeand frequency of your audits based on, among other factors, how well your key processes are performing.

The Need for a Process to Manage ProcessesSo, an effective implementation of the "Process Approach" would start by laying out how you will select,

manage and improve the most critical business processes that impact your customers and internalmanagement objectives. This would include assigning responsibility to certain individuals or teams to takecharge of your key processes. Teams work well when processes cut across your organizational structure.Then, these process owners will monitor and improve these processes on an ongoing basis taking fullresponsibility for their performance.

Perhaps, then, one of your first processes to establish is the process for how you will manage your keybusiness processes within your organization.

For additional help on getting started with managing your processes, see the article Implementing theProcess Approach.

http://www.9000world.com/index.php?app=ccp0&ns=display&ref=isoarticle_implementprocessapproach&sid=sqa46o88z7a6ekh919vh05i699sqcn5w








4.2.2 The Quality ManualEstablishing rules for the quality management system

DEFINITION

A quality manual is a document stating the company management's intentions for operating the qualitysystem. It includes policies for all areas of the business affecting or affected by the quality system. Thesepolicies authorize department managers to implement procedures within the boundaries specified in thequality manual. They also serve to provide a measure for procedures, processes and results.REQUIREMENTSThe quality manual is a stated requirement of the ISO 9001 standard. Here is the relevant section:

4.2.2 Quality manual The organization shall establish and maintain a quality manual that includes:

1. the scope of the quality management system, including details of, and justification for, anyexclusions (see 1.2),

2. the documented procedures established for the quality management system, or reference to them,and

3.

a description of the interaction between the processes of the quality management system.

One thing to note about this requirement is that no guidelines are given regarding the format ororganization of the manual. These decisions are left to the company to determine how to structure thedocument to best support its objectives.

In terms of contents, as a minimum, the quality manual must include the following:

1. The company's quality policy (showing the company's commitment to quality).2. An explanation of the company's documentation structure.3. Policy statements demonstrating management's intention to comply with ISO 9001 requirements

(less any appropriate exclusions). The policies must cover all areas of the ISO standard and betraceable (reference) to them. These policies must include:

o How management expects company operations to function.o Who is responsible to implement these expectations (by function or job title).

o Where and when the policies are applicable within the organization.o What interdependencies exist between functions and processes.

4. Reference to the "second tier" operating procedures of the company.5. Assignment of one or more "management representatives" for quality in the organization.6. A description of the company's organization (usually in the form of an organization chart, top level

of the company only).

NOTE 1: The quality manual would normally contain no proprietary/confidential information and is usuallymade available to customers and third party auditors.

NOTE 2: A clear distinction should be made between the contents of the quality manual and operatingprocedures. The quality manual defines what management's intentions for operation of the quality systemwhile the operating procedures define how these intentions are implemented within the organization.

USES

The primary uses of the quality manual are:

1. To communicate management's expectations for quality to the organization.2. To demonstrate the company's compliance with ISO 9001 requirements.3. To serve as a measure for compliance to management's expectations for:

o Internal auditso ISO Registrar auditso Customer audits

DEVELOPMENT



The development of the quality manual follows several steps:

1. List policies to be written (note any ISO 9001 requirements that do not apply).2. List second tier operating procedures, cross-referenced to policies.3. Draft policies based on ISO 9001 requirements.4. Circulate for input from all departments.5. Note quality system inadequacies identified.

6. Determine format and structure of the manual.7. Publish first draft of manual.8. Formal review, approval and release.

EXAMPLEAs an example of how the quality manual policies should reflect the requirements of ISO 9001 see thefollowing:

ISO 9001 Requirement

5.6 Management review

5.6.1 General

Top management shall review the organization'squality management system, at planned intervals,to ensure its continuing suitability, adequacy andeffectiveness. This review shall include assessingopportunities for improvement and the need forchanges to the quality management system,including the quality policy and quality objectives.

Records from management reviews shall bemaintained (see 4.2.4).

5.6.2 Review input

The input to management review shall include

information on

a) results of audits,b) customer feedback,c) process performance and product conformity,d) status of preventive and corrective actions,e) follow-up actions from previous managementreviews,f) changes that could affect the quality managementsystem, andg) recommendations for improvement.

5.6.3 Review output

The output from the management review shallinclude any decisions and actions related to

a) improvement of the effectiveness of the qualitymanagement system and its processes,b) improvement of product related to customerrequirements, andc) resource needs.

Sample quality manual policy

X.X Management review

X.X.1 General

The management of XXX company reviews thecompany's quality system to ensure its continuingsuitability, adequacy and effectiveness. Themanagement review includes determiningopportunities for improvement and the need forchanges to the quality system, including thequality policy and quality objectives. Themanagement review convenes on at least anannual basis.

Records of the management reviews aremaintained in accordance with the company'squality records policy (ref. xxx).

X.X.2 Agenda and Minutes

The agenda of the management review is asfollows:

a) results of internal and external auditsb) customer feedbackc) process and product quality resultsd) follow-up actions from previous managementreviewse) organizational or business changes that couldaffect the quality systemf) action items for improvementg) other business

Minutes are kept as a record of the managementreviews, to include at least:

a) action items to improve the effectiveness of the quality system and processesb) action items to improve product qualityc) resources needed to successfully implementabove action items

***



4.2.3 Document ControlKeeping your QMS Current

THE IMPORTANCE OF DOCUMENT CONTROLA cornerstone of the quality management system (QMS) is the control of documents. While not a particularly

glamorous activity, document control is an essential preventive measure ensuring that only approved,current documentation is used throughout the organization. Inadvertent use of out-of-date documents canhave significant negative consequences on quality, costs and customer satisfaction."It behooves those responsible for managing their organization’s QMS to design a document control processthat is simple to use, easy to monitor and effective to prevent the use of incorrect documentation."

Because of its importance, companies often invest heavily in dedicated staff, detailed procedures andspecialized software programs to keep control of their QMS and other business documents. Auditors(internal and external) also pay particular attention to document control disciplines resulting in frequentaudit nonconformances (it is commonly reported that document control generates the mostnonconformances in and ISO 9001 QMS). It behooves those responsible for managing their organization'sQMS to design a document control process that is simple to use, easy to monitor and effective to preventthe use of incorrect documentation.

DESIGNING YOUR DOCUMENT CONTROL PROCESSBefore reviewing the specific ISO 9001 document control requirements, let's briefly discuss essential designcriteria for an effective document control process.

Less is often better than more. While it may see obvious, it's easier to control a smaller number of documents than a larger number of documents. Document control starts with document design. Encourage your document authors to be conciseand make their documents multi-purpose when possible. An annual documentation review to spotredundancies, documents no longer needed, and opportunities to consolidate will help keep your QMSdocument set lean.

Navigation, hierarchy & structure Developing a layered structure for your documents helps users find what they are looking for. An ISO 9001structure typically organizes itself into 4 levels:

Policy - the company’s position or intention for its operation

Procedure - responsibilities and processes for how the company operates to comply with its policies Work Instruction - step-by-step instructions for a specific job or task

Forms and Records - recorded information demonstrating compliance with documentedrequirements

This logical arrangement clarifies the authority, scope and interrelationships of each document. Lower-leveldocuments must agree with requirements of related higher-level documents. Higher-level documentsgenerally reference lower-level documents for easy navigation.

The mixed blessing of cross-referencing It is common for companies to add multiple references to related documents within the body of theirdocuments. While this can help a reader quickly find additional information on a topic, the ability to maintain(update) all references to a document can be difficult. If you choose to use cross-references, be sure youhave a way to comprehensively search for all instances of a specific document reference so they can bereviewed and updated if needed when a document is revised.

Alternatives to intra-document referencing might include:

Carefully designed document numbering systems

A document master list showing parent-child relationships between documents

The use of an electronic document management system that helps manage documentinterrelationships and provides for easy searching of document contents

Reviews & approvals As a document is written, it is often helpful to solicit input from others before it is finalized. Circulating the



document for review can include future users of the document, managers responsible for the activity,workers in areas affected by the activity and other interested individuals. Planning a "review cycle" into yourdocument development procedure can help document authors improve the quality of the resultingdocumentation.

Document approvals are mandatory and must be kept as a record as well. When determining who shouldapprove a particular document you must balance the desire for gaining buy-in and accountability by affecteddepartments with the need for efficiency of the document control process. Often it is helpful to ask, "what

value does each signature add to the document?" and limit approvals to those with direct knowledge orresponsibility for the document.

Generally, the more signatures you require, the longer the approval process will take. An alternative to along approval list would be to include more individuals in the review process, giving everyone a chance tocomment on the document before it is released.

REQUIREMENTS FOR DOCUMENT CONTROLThe ISO 9001 standard includes specific document control requirements that will be subject to all internaland external audits (ref. 4.2.3).

Documents required by the quality management system shall be controlled.

This includes all policies, procedures, work instructions, forms, specifications, and other company documentsaffecting quality or customer satisfaction.

Records are a special type of document and shall be controlled according to the requirements given in 4.2.4.

A documented procedure Records often (though not exclusively) result from a form that is completed and filed. A separate ISOExplained article will cover the requirements of records in detail.

A documented procedure shall be established to define the controls needed

A document control procedure is one of six mandated procedures in the ISO 9001 standard and it mustinclude the company's processes for the following requirements:

a) to approve documents for adequacy prior to issue,

Approval signatures must be recorded prior to the release and use of the document. Approvals may be inthe form of a written signature or a password-protected electronic approval record. The date of all approvalsmust precede the document's release date.

While not explicitly stated, this requirement also applies to temporary memos or postings that are used tocommunicate QMS or product-related requirements. Any temporary documents must be clearly identified,

signed and dated. It is advisable to include an expiration date on temporary documents to ensure they areremoved from use when intended.

b) to review and update as necessary and re-approve documents,

All documents must be reviewed periodically and updated and re-approved if needed. This review can betied to a company's internal audit process, management review or scheduled on some periodic (annual?)basis. A record of such reviews must be kept.

c) to ensure that changes and the current revision status of documents are identified,

When a document is updated, a record must be kept of the change (the reasons for and nature of thechange). In addition, current revision status must be maintained. This includes the current developmentstage (draft, review, approval, etc.) and the date or revision level (number or letter) identifying the currentversion of the document.

d) to ensure that relevant versions of applicable documents are available at points of use,

The storage and access of documents must easily allow individuals to find the appropriate version of adocument to use where needed. Note that older versions of a document that are still needed (e.g.specifications for an older product) may remain active if necessary, but the revision level must be madeclear.

You should consider where designated controlled locations of your documents will be established andwhether short-term reference copies of controlled documents will be permitted. Typically, the easier it is foremployees to access controlled copies when needed, the fewer times they will feel the need to use anuncontrolled copy of a document. Ensuring timely and convenient access to documents is frequently thesource of high costs and repeated discrepancies.



4.2.4 Control of RecordsMaintaining objective evidence of compliance

Record keeping is one of the most painstaking, and important requirements in the ISO 9001 standard.Painstaking, because records must be identified, filed, protected and controlled throughout their lifecycle.

Important, because they contain the history of how your quality management system (QMS) is functioning.The energy, effort and expense of keeping up your quality records are ongoing investments in building areference-base for analysis, compliance and improvement.

WHY KEEP RECORDS?The discipline of maintaining your QMS records ensures that you will have an objective means of assessingQMS effectiveness. With this historical evidence you can:

Understand how well your QMS is performing

Trace back to the source of problems

Demonstrate compliance to requirements

Evaluate trends in QMS performance

Monitor improvements

" The energy, effort and expense of keeping up your quality records are ongoing investments in building areference-base for analysis, compliance and improvement. "

With your quality records you can answer questions such as "why did this happen?", "when did this problemfirst appear?" and "is the problem gone?". With such valuable information at your fingertips, your recordsshould be treated as invaluable.

Additionally, your quality records are a primary reference for your internal and external auditors to assessyour compliance to requirements. As each record is filed, keep in mind that an auditor may want to retrieveit in order to evaluate the effectiveness of the QMS.

WHAT RECORDS SHOULD BE KEPT?The ISO 9001 standard has a built-in reference to all required records wherever the phrase "see 4.2.4" isfound (4.2.4 is the paragraph dealing with Control of Records). The 20 mandated ISO 9001 records are:

1. Document Control (4.2.3)

2. Management Review (5.6.1)3. Education, Training, Skills and Experience

(6.2.2)4. Product Realization (7.1)5. Customer Requirements Review (7.2.2)6. Design and Development Inputs (7.3.2)7. Design and Development Review (7.3.4)8. Design and Development Verification (7.3.5)9. Design and Development Validation (7.3.6)

10. Design and Development Changes

(7.3.7)11. Supplier Evaluations (7.4.1)12. Production/Service Processes (7.5.2)13. Identification and Traceability (7.5.3)14. Damaged/Lost Customer Property

(7.5.4)15. Calibration (7.6)16. Internal Audit (8.2.2)17. Product Conformity (8.2.4)18. Nonconforming Product (8.3)19. Corrective Action (8.5.2)20. Preventive Action (8.5.3)

In addition, you might give careful consideration to other records you might need to include in your QMSthat would give you an important historical reference for critical areas. You may want to include records formaintenance (6.3) and customer satisfaction (8.2.1), for example.

WHAT ARE THE ISO 9001 REQUIREMENTS?All 20 required quality records that are applicable to your organization's processes, and any additionalrecords you decide are important to maintain, must be kept according to the "Control of Records"requirements in the ISO 9001 standard:

Records established to provide evidence of conformity to requirements and of the effective operation of thequality management system shall be controlled. The organization shall establish a documented procedure to



5.0 Management ResponsibilityThe Leadership Challenge

THE RESPONSIBILITY OF TOP MANAGEMENT:The ISO 9001 standard contains high expectations for top management leadership and involvement to

provide guidance to the overall quality management system. In fact, nearly 15% of the standard's text isdevoted to the subject of top management responsibility. Clearly, the designers of the standard haverealized the imperative for the perspective and authority that top management must bring to ensureeffective operation of the system.

Because of this, it can be expected that ISO registrars will approach the auditing of the standard with aheightened focus on the function of management in the system. The auditors will be looking for objectiveevidence that management has a regular discipline of involvement and leadership as prescribed by thestandard. This evidence must be more than merely words of support for quality. The activities outlined inthe requirements are all demonstrable, and records of such activities will be carefully reviewed.

This extra focus on the role of management is explained in the opening text of the ManagementResponsibility requirements section:

"Top management shall provide evidence of its commitment to the development and implementation of thequality management system and continually improve its effectiveness..." (ref. 5.1, ISO 9001).

REQUIREMENTS FOR TOP MANAGEMENT:The ISO 9001 standard lists six distinct requirements for top management. By "top management" thestandard refers to the individual at the top of the organization (e.g. CEO, President, Chairman) and his/herdirect reports. Depending upon the size and structure of the organization, one or two layers of managementbelow this top group may be included in this scope.

In summary, the requirements for this leadership group are:

1. Consistent commitment to making the quality management system effective as demonstrated byregular communications, establishment of a quality policy and quality objectives, managementreviews and resource provision (ref. 5.1).

2. Ensuring customer focus throughout the organization as demonstrated by clearly determining andconsistently meeting customer requirements resulting in improved customer satisfaction (ref. 5.2).

3. Establishment and communication of a quality policy that articulates management's intention thatthe company complies with all requirements (customer, regulatory, etc.) and will continually striveto improve the overall quality management system's effectiveness (ref. 5.3).

4. Ongoing planning of measurable product quality and process quality objectives to be sure they areestablished and met throughout the organization, even when changes to the quality managementsystem are made (ref. 5.4).

5. Defining and communicating responsibility and authority for everyone affecting the qualitymanagement system, including a designated management representative who has the authority toensure the system is established and maintained and is responsible to report the system'sperformance to top management (ref. 5.5). This requirement also includes the need to establisheffective communication processes within the organization regarding the effectiveness of the qualitymanagement system.

6. Conducting a regular management review of the quality management system to ensure that itremains suitable, adequate and effective to satisfy the company's quality policy and accomplish theorganization's quality objectives (ref. 5.6).

A management team responsible for preparing their organization for ISO 9001 registration will need to givefocus and attention to the planning and implementation of the specific requirements for top managementand the oversight of the development of the organization's overall quality management system.



5.4 Management PlanningSetting a direction

WHAT'S THE POINT?To some, the point of ISO 9001 registration is a certificate. While important to convince customers thatcertain procedures are in place, a certificate can be a very expensive piece of paper if that is the only benefitrealized by the organization. To others, the point of IS0 9001 is measured performance improvement for theorganization, and the certificate is merely a confirmation of an effective quality management system (QMS).This results-focused view of ISO 9001 is confirmed by the growing number of companies pursuing"compliance through self-certification" instead of a formal registrar-certification of their QMS.

The framers of new standard also saw performance improvement as the central point of the standard. Theexpanded top management responsibilities make clear who must lead the charge toward measurable results.

Top management shall ensure that quality objectives … are established … within the organization. (ref.5.4.1)

The quality system must be planned and implemented by top management:

in order to meet … the quality objectives. (ref. 5.4.2)

"The point of IS0 9001 is measured performance improvement for the organization."

Many ISO 9001 professionals believe the establishment of meaningful, measurable quality objectives towardwhich the entire QMS is directed is a very important part of the ISO 9001 standard. For it is in the settingand achieving of business-essential objectives that a real return-on-investment (ROI) can be found.

So, as top management sits down to discuss quality objectives, they must define quality for theirorganization and its customers. Surely the quality of products and services should be included. Certainlymeasures of customer satisfaction would be on the list of key objectives. But what about other drivers of aquality organization such as:

Delivery performance

Percent of total market share

Sales generated from new products

Through-put time from sale to delivery

Time to order fulfillment

Cost of rework and scrap

We could name a dozen additional measures of a quality company, but the determination of "quality

objectives" may not be much different from setting "business performance targets" as part of strategicplanning. While a (surprisingly) few measures are mandated in the ISO standard, it is left to theorganization's management to set objectives most useful to the organization and its customers.

BREAKING DOWN THE STANDARDThe section entitled "Planning" (5.4) starts with a mandate for senior management:

Top management shall ensure that quality objectives, including those needed to meet requirements forproduct [see 7.1 a)], are established at relevant functions and levels within the organization. (ref. 5.4.1)

The primary responsibility for the establishment of quality objectives cannot be delegated, though involvingthe rest of the organization can help ensure the objectives are realistic with a high degree of buy-in. Topmanagement must determine performance targets for the organization as a whole, and then break themdown into smaller sub-objectives that can be assigned to divisions, departments, teams or individuals, asappropriate.

As is stated, the objectives must include required product quality goals as specified in section 7.1, Planningof Product Realization:

In planning product realization, the organization shall determine the following, as appropriate:

a) quality objectives and requirements for the product (ref. 7.1)

The additional objectives set are left to the judgment of management based on the organization's size,market, product mix, complexity, etc. It is typical that the organization limit the number of objectives tothose most vital to the organization's success.

DEFINING MEASURABLE OBJECTIVESThe objectives must also be measured:



The quality objectives shall be measurable and consistent with the quality policy. (ref. 5.4.1)

This would eliminate "motherhood-and-apple-pie" statements that are mere slogans espousing a generaldesire for quality. By stating that objectives must be "measurable", an objective set of data gathered,reported and analyzed should be able to clearly indicate whether or not specific objectives have beenreached.

In establishing measurable objectives, many companies define the following for each:

Objective – Statement of the performance area to be achieved.

Measurement – Data to be collected to monitor actual performance.

Baseline – Historical level of performance; establishes the starting point.

Target – Specific performance goal for the objective.

Target Date – Date by which the target is to be achieved.

Owner – Person/group responsible to gather, report and analyze the measurement data.

Reporting Frequency – Schedule for reporting, analyzing and responding to the measurement data.

Review Frequency – Schedule for reviewing the objective and corresponding target for possiblemodification to ensure ongoing relevancy for the organization.

While this format is not specified by the ISO 9001 requirements, an organization might want to considerincluding many of these elements in their quality objectives planning.

It is also required that all quality objectives are "consistent with the quality policy" (see 5.3). That meansthere must be logical relationship between the performance targets of the organization and topmanagement's statement of intention that it intends to achieve quality as a result of the company'soperation (see the ISO Explained article on "The Quality Policy" available from www.9000world.com formore information on how to establish a quality policy). The consistency between the quality policy andquality objectives must be clear to third-party auditors as well as those more familiar with the company.

GENERAL QMS PLANNINGIn addition to setting quality objectives, management is responsible for planning the overall QMS.

Top management shall ensure that

a) the planning of the quality management system is carried out in order to meet the requirements given in4.1, as well as the quality objectives, and

b) the integrity of the quality management system is maintained when changes to the quality managementsystem are planned and implemented. (ref. 5.4.2)

First, the QMS must be planned (and implemented) to be sure the requirements listed in the "GeneralRequirements" for the QMS (ref. 4.1) are met. These requirements are summarized below:

1. The QMS must be established and continually improved.2. QMS processes must be identified (including processes outsourced by the company) and their

sequence and interactions determined.3. Criteria and methods of control must be established to be sure the QMS processes are effective

(NOTE: The company's quality objectives can meet this requirement).

4. Needed resources and information must be available to operate and monitor the QMS processes.5. QMS processes must be monitored, measured and analyzed.6. Actions must be taken to meet planned results (quality objectives) and continually improve QMS

processes.7. The QMS processes must meet the requirements of the ISO 9001 standard.

So, the QMS planning must incorporate all of the requirements found in section 4.1, and compliance withthese requirements must be maintained.

http://www.9000world.com/index.php?app=ccp0&ns=display&ref=isoarticle_qualitypolicy&sid=sqa46o88z7a6ekh919vh05i699sqcn5w






Second, the QMS must deliver results. It is expected that top management monitor the company'sperformance against its stated quality objectives and take necessary actions to be sure these objectives aremet. Third-party auditors will certainly be looking to see a strong pattern of meeting stated objectives.

Third, the QMS planning process must respond to significant organizational changes by making necessaryadjustments to policies, procedures, quality objectives, etc. Changes that could require QMS modificationsmight include new product lines, customers with new requirements, marked organizational growth ordownsizing, acquisition or divestiture of company facilities, management reorganizations, etc.

THE POINT OF IT ALLThis brief set of management "planning" requirements has huge implications for any organization seekingISO 9001 compliance or registration. Senior management must "direct the ship" by steering the organizationtoward clearly stated, consistently measured and carefully analyzed quality objectives. It is through the useof quality objectives that top management can keep the organization focused on what is most important tothe company and its customers, ensuring improving results that deliver real, demonstrable qualitythroughout the company.



Coordinating the reporting of results

Guiding the discussions through the agenda

Suggesting needed improvements to the QMS

Publishing minutes of the management review

Effective and clear reporting will give top management the information needed to manage and improve the

QMS effectiveness.ENSURING AWARENESS The third primary responsibility of the MR is to ensure that customer requirements are communicated throughout the organization so all employees are aware of requirements that pertain to their jobresponsibilities. This does not necessarily mean that all communications must come directly from the MR.Instead, the MR must monitor how effectively this communication takes place and identify breakdowns thatneed to be addressed.

This duty of ensuring employee awareness has been frequently criticized as being too open-ended to bepractical. What specific "customer requirements" must employees be "aware" of? Must all employees beaware of all customer requirements? What criteria is used to assess whether this communication has beeneffective?

As with many areas of the new standard, the use of general (aka "open-ended") language leaves theinterpretation open for the company to define for their own unique needs. Since the MR is responsible toensure this awareness of requirements, he/she might do well to start by defining which customerrequirements need to be addressed to which employees.

Here are some leading questions that might help you get started:

QUESTIONS:

What requirements are explicitly stated by ourcustomers? How? In what format?

What might be considered a customer requirementbecause of our advertised promises?

What requirements might be implied by ourcustomers as just doing good business?

EXAMPLES:

- Specifications- Purchase orders- Quality criteria- Other documented criteria

- Proposal details- Quotations- Catalog specifications

- Warrantees and return policies- Marketing materials

- Delivering on time- Prompt, accurate communications- Reliable packaging

Once a list of customer requirements is made they can be associated with the employees (by position,workgroup or department) that affect the company's ability to meet the requirements. Then the questionmust be asked, "How does this employee become aware of this requirement?" By asking "how?" the MR willbe able to evaluate the communication processes that are in place (or not in place as the case may be) toensure that the awareness of requirements is maintained. Some examples of the types of communicationprocesses that might be used are:

Standard meeting agendas

Routing sheets for specifications Approvals

Standard distribution lists

Employee bulletins

Procedure reviews

Controlled wall postings

Data charts showing the company's performance against requirements

Employment handbooks

Electronic workflows



This list could obviously be expanded based on a company's unique circumstances. By focusing oncommunication processes, and ensuring these processes are defined and implemented (including, perhaps,being subject to auditing), the MR can ensure effectiveness and repeatability throughout the organization.Keep in mind, though, that the MR's direct responsibility is to "ensure" that the communication takes placeand that it is effective, not necessarily to provide all the communication directly.

QUALITY LIAISON A final (suggested) duty for the MR is that he/she serves as:

liaison with external parties on matters relating to the quality management system. (Ref. 5.5.2)

This can include coordinating audits with customers or your ISO registrar or other quality relatedcommunications that may be needed.

ARE YOU UP FOR THE JOB?What characteristics and skills might you need to be effective in the role of Management Representative?Here are some thoughts:

Strong knowledge of ISO 9001 requirements

Broad knowledge of your company's operation and its QMS

Ability to listen and influence

Ability to summarize information and communicate effectively

Project management and organizational skills

The Management Representative plays a critical role in your company's QMS. The more clearly youunderstand the responsibilities being asked of you, and the more clearly the rest of the organizationunderstands your role, the more effective you can be.



6.2 Competence, Training and AwarenessDealing with "people issues"

You may have heard the old saying, "Management would be easy if it weren't for all these people issues!"Let's try it again, "Quality would be easy if it weren't for all these people issues!"

It seems that dealing with people issues must have been a hot topic of discussion during the developmentand revision process of the ISO 9001 standard. While an earlier version of the standard said we needed toidentify training needs, deliver the training and keep records, the most recent revision (ref. 6.2.2) includesphrases such as "achieving the necessary competence" and "evaluate the effectiveness". The somewhatobvious implication in the new requirement is that we have to deal with the people issues in a way thatactually works, not just to go through the motions.

The centerpiece of the requirement is competence. The dictionary definition of competence is:

a. The state or quality of being adequately or well qualified; ability.

b. A specific range of skill, knowledge, or ability.

"Within the quality management system, the point is certainly the employee’s ability to do the job in such away that requirements are met - both procedural (process) requirements and customer requirements."

Qualified to do what? Ability to do what? The job, of course. Within the quality management system (QMS),the point is certainly the employee's ability to do the job in such a way that conformity to requirements isachiveved – both procedural (process) requirements and customer (product) requirements. So, the qualityprocess(es) put in place to deal with the "people issues" must result in conformity to requirements (i.e.effectiveness).

By shifting the focus beyond a method (training) to a result (competence), the bar has been sufficientlyraised in recent revisions. As you consider how best to organize your training and other people-relatedprocesses to meet the ISO 9001 requirements, keep your eye firmly on the main point – competence.

WHAT'S REQUIRED?Let's look through the requirement to understand what should be in place and how we can ensure ourpeople-processes are effective.

Define the essential abilities The first requirement says the organization must:

Determine the necessary competence for personnel performing work affecting conformity to productrequirements (ref. 6.2.2 a)

All work done as part of the QMS directly or indirectly affects the company's ability to satisfy its customersand meet requirements. Therefore, the job functions responsible for each activity defined in the QMS mustbe staffed by qualified people.

As with much of the ISO language, it is left to the organization to define what "competence" means in theirspecific context. To break this down a bit, we might borrow from the human resources profession whichdeveloped the categories of "knowledge, skills and abilities" (KSAs) to describe the competencies requiredfor a job. To define requirements for each job position you might ask:

"What job-specific knowledge area(s) must be well understood by someone in this job?"

"What manual, mental or interpersonal skills must an employee have to do this job well?"

"What natural abilities or talents must someone possess to be effective in this job?"

What results from an exercise like this would be a list of competencies for the job that can be used for hiringpurposes and subsequent training and development plans. Once the list is prioritized to include only themost critical competencies (10 – 15 maximum?), you'll need to document them in some appropriate manner(job descriptions, training matrix, or other means).

Now that you've identified the required competency areas for each job, you need to translate it into atraining and development plan for your employees. Generally, this is done by evaluating or assessing youremployees' current knowledge, skills and abilities against the requirements for the job.



Maintain appropriate records of education, training, skills and experience (ref. 6.2.2 e)

These records relate to both pre-hiring requirements and competency development that occurs once theemployee is on board. Many job positions have prerequisite requirements that must be met in order to beconsidered for employment with the company.

However, as many experienced managers have learned, prerequisite hiring requirements cannot always befully met given the available applicants when a position is filled. Occasionally, exceptions need to be made in

the requirements with the expectation that follow-up support, training or other competency developmenttechnique will be used to close the gap. In these cases, the company would do well to make provision forthese instances in their policies and procedures. Perhaps an approach that allows for supplemental trainingafter hiring would suffice.

Another issue relating to pre-employment requirements is that many companies consider employmentapplications and employee résumés or CVs confidential and are reluctant to make these available duringinternal or external audits. If that is the case, a record may be made during the hiring process that theemployee qualifications were reviewed and found satisfactory. This record could then be made available tothe auditor. If this approach is used, a statement that specifies employee application documents asconfidential and that they will not be made available for audits should be made in the company's policy.

Other than the special circumstances mentioned here, complete records of education, training, competencyevaluations and skill-development job experience and assignments that were completed after hiring must bemaintained. These records are considered quality records and must be kept according to the requirements of section 4.2.4 in the standard.

KEEPING IT SIMPLEAs we have discussed, the requirements dealing with employee competency, training and other developmentactivities are varied and can be somewhat intimating. You might consider a strategy that emphasizessimplicity and broad involvement. By keeping your procedures and record-keeping as straightforward aspossible, the challenge can be manageable. It will also help to provide the tools and then assignimplementation responsibility to employees and their immediate supervisors, whenever practical.

In any case, the quality processes designed to address the "people issues" that affect quality are vital to theeffectiveness of your QMS and your ability to satisfy your customers.

***



7.4 PurchasingDeveloping a supply-chain that satisfies your customers

The Purchasing requirements in the ISO 9001 standard help to ensure that products and services youpurchase from various suppliers fully meet your needs so that you can, in turn, satisfy your customers. Thedisruption and cost to your organization stemming from supplier problems can impact your customers andyour own bottom-line. So, having processes in place that prevent problems and provide consistency withinyour supply chain is a key focus of your ISO quality management system (QMS).

CONTROLLING WHAT IS NOT UNDER YOUR DIRECT CONTROL"It is surprising how many times a 'supplier problem' actually has its root cause in your own organizationstemming from internal miscommunication, inaccurate information or other mishaps that lead to 'mistakes'made by a vendor."While your suppliers' operations are not under your direct control, your purchasing power can give yousignificant influence over which suppliers you do business with and how they meet your needs. Thisinfluence starts with you having a clear understanding of what your needs are regarding purchasedmaterials and services. These needs then must be translated into criteria for choosing suppliers andrequirements for them to meet. Without this clarity, neither you nor your suppliers will know what is to beexpected and will inevitably lead to problems down the road. It is surprising how many times a "supplierproblem" actually has its root cause in your own organization stemming from internal miscommunication,

inaccurate information or other mishaps that lead to "mistakes" made by a vendor.

The ISO 9001 requirements for Purchasing (section 7.4) itemize basic processes that will put you and yoursuppliers on the same page.

Your ISO QMS then begins with you firming up your own purchasing processes to improve the informationsuppliers will rely on to meet your requirements. Then, controls are put in place to monitor supplierperformance and to take corrective action, if needed. By establishing strong internal procedures forpurchasing, you'll more easily exert the influence needed to assure quality coming into the loading dock.

MAKING THE RIGHT CHOICEThe purchasing requirements begin with a recognition that your company is responsible to:

… ensure that purchased product conforms to specified requirements. (ref. 7.4.1)

To do this you'll establish controls for your suppliers and your purchased product that are appropriate based

on how the supplied product might impact your products and/or services delivered to your customer. If asupplied part is critical, you'll exert more control than if a part is less important to the quality of yourcompany's output.

This control begins with the selection of suppliers that you'll depend on to meet your own customers'requirements. You'll implement processes for initially qualifying suppliers based on appropriate criteria suchas cost, quality and delivery requirements. The criteria you establish should make sense for your business.

Once qualified, suppliers must be reassessed to reconfirm their continuing ability to meet yourrequirements. This re-qualification will be based on data analysis relating to your suppliers' performance.Section 8.4 of the standard itemizes these requirements. Records for the selection, evaluation and re-evaluation of your suppliers must be maintained.

COMMUNICATION IS KEYHow you communicate with your suppliers has a direct impact on their ability to meet your requirements.Your documented purchasing requirements define the target they must hit when delivering their products or

services. The accuracy, clarity and level of detail provided in your purchasing documents must be ensuredthough good internal administrative processes.

Your purchasing information should clearly specify what is required, including as appropriate:

a) requirements for approval of product, procedures, processes and equipment

b) requirements for qualification of personnel, and

c) quality management system requirements. (ref. 7.4.2)



On purchase orders or other documentation be sure that the details adequately describe the product orservice you require including technical specifications, packaging and delivery requirements and specialrequirements for your supplier's internal processes. Again, depending upon the type of product or servicepurchased, the information will include more or less details. Your internal procedure should ensure that allpurchasing information is reviewed before being sent to your supplier.

MAKING SURE IT'S RIGHTThe third purchasing process to address is how you verify that received material and services are what you

ordered and that they fully meets your requirements. This verification may be through a simple confirmationwhen the product is received or may involve formal inspections or testing. If necessary, you may even wantto verify the product before it is shipped, or allow your customer to do so, by visiting your supplier's facilityfor an inspection. If this is required, you'll need to specify this in your purchasing documentation when theorder is placed or the contract is signed.A STEP BY STEP APPROACHAs you prepare to implement an ISO 9001 compliant purchasing processes, you might want to follow thesesteps:

Step 1: Define Criteria for Suppliers

On what basis will you choose your suppliers? What minimum requirements must they meet?

Step 2: Evaluate Current Suppliers

Which of your current suppliers meet your minimum requirements? Which might need to improve to remain

qualified or face being replaced?

Step 3: Establish Qualification Process for New Suppliers

How will you identify, evaluate and qualify new suppliers? How will these qualifications be recorded?

Step 4: Set up Supplier Performance Monitoring Process

What is the best way to track supplier performance? Who will review the data? When will action be taken?

Step 5: Review Purchasing Communication Process

How are your requirements documented for your suppliers? How do you ensure it is accurate, clear anddetailed enough to communicate what is ordered?

Step 6: Review Purchased Product Verification Process

What procedures are needed to confirm that you receive what you ordered? When might a visit to asupplier's facility be needed to verify a shipment?

For many organizations, bringing your purchasing processes up to ISO 9001 standards is an investment of time and effort that must fit into an already busy schedule. But this effort will not only support your ISOinitiative, it can also be off set by fewer interruptions and unnecessary costs resulting from poor supplierperformance.



8.2.2 The Internal AuditorSelecting the right people for the job

ROLE OF THE INTERNAL AUDITOR:The internal auditor role is normally staffed by a number of experienced employees from throughout theorganization. The purpose of the internal audit is to confirm that the company’s documentation meetsrequirements (e.g. ISO 9001, OSHA, etc.) and that day-to-day operations follow the documentation. So, theinternal auditor must serve as:

A catalyst

An interface between different groups

An advisor

A reporter of fact

As the auditor serves in this role, he/she must be careful to bring an objective, professional perspective tothe job. This means the auditor is not:

An inquisitor

A fault finder or rock thrower

Biased (for or against)

Dishonest

A policeman

An inspector of products

AUDITOR QUALIFICATIONS:Selection of candidates for the role of internal auditor should be made based on several factors:

Personal interest

Desire to take on extra responsibility.

Qualifications

Knowledge, skills, abilities, experience.

Work ethic

Ability to high quality and efficiency without direct supervision.

Specific minimum qualifications that should guide the selection of auditors include:

Education

Demonstrated competence in clear and fluent oral communications and in written concepts andideas.

Experience

Three to four years full-time workplace experience.

Understand the role of individual units within the overall organization.

Personal Qualities

Communication skills



8.5.2 Corrective ActionCorrecting a problem means correcting the process

Executive Summary: ISO 9001:2008

Corrective Action

"The secret to an effective approach to correcting and preventing problems through a corrective actionprocess is surprisingly more simple than expected... Once you gain an understanding of what makes thingswork right, it becomes obvious what makes things go wrong."The centerpiece for driving improvement in an ISO 9001:2008 quality management system is yourcorrective action process. While some companies appear to miss this critical point and seem to "go throughthe motions" of root cause and corrective action, many other organizations learn how to use correctiveaction to its fullest advantage.

When problems occur, either once or on a recurring basis, the root cause investigation starts with anunderstanding that nonconformities originate in a process that has failed. Processes that work well are thosethat follow four basic rules. When a process fails, then one (or more) of the rules have been broken and thisbroken rule is called the "root cause" of the problem.

An effective root cause and corrective action process for ISO 9001:2008 is then the investigation into theprocess that failed to determine the process rule that was broken and then determining the correct actionsfor corrective action. By addressing corrective action from the perspective of the process approachunderlying the entire ISO 9001:2008 standard, long term solutions and better overall results are achievable.

This article presents a practical approach to root cause and corrective action you can use to transform yourcorrective action process into an effective tool for improved results for your organization and, ultimately,your customers.

Improved Results are None-Too-Common

In addition to the marketing benefits of an ISO 9001:2008 certification, measureable improvement in resultsis a promise sought by nearly every company who implements an ISO-compliant quality management

system. The ISO 9001:2008 standard itself promotes a "Process Approach" intended to improve "results of process performance and effectiveness" and "continual improvement of processes based on objectivemeasurement" (see 0.2, ISO 9001:2008). The expectation is that ISO 9001:2008 will have a measurablereturn-on-investment (ROI) in terms of better efficiency and effectiveness, not merely satisfy customerrequirements for a certification.

Unfortunately, better results are not always realized. Many managers who have "been through ISO" in thepast have, through experience, found little payback from the huge effort put into preparing for andmaintaining an ISO 9001:2008 certification. Too often, with the inordinate focus on writing endlessdocumentation and scrambling to show auditors what they want to see, ISO is seen as an ancillary routineto the real business.

To these realists, the familiar adage "document what you do, and do what you document" represents thesum total of what they expect from an ISO effort.

This hardened perspective is reinforced by:

Issues recurring that were supposedly "fixed" in the past

Problems escaping to impact the customer that should have been caught

Company performance suffering due to mistakes that were "obvious"

Hard lessons learned being too often "forgotten" by the organization

... and all of this happening with an ISO certificate proudly hanging in the lobby of the building. Is this thebest we can expect?



Those that Do vs. Those that Don't

If you were to visit several companies with similar frustrating experiences as an objective outsider (as Ihave the privilege to do as an ISO consultant) you would begin to see a general pattern emerge that beginsto explain, even predict, such disappointing results. You would find business owners and managers whogenuinely care about the company and its customers. You would see leaders who react quickly to problems

to minimize the impact on the customer. You would find them in endless meetings trying to understand whatwent wrong. You would observe them taking actions intended to stop problems from happening again in thefuture. And, too often, you would see the aggravation on their faces when the same problems recur despitethe cost and effort expended to "solve" them in the past.

There are, however, a good percentage of ISO 9001:2008 certified companies that have a very differentexperience. While every company faces problems and challenges, some find ways to quickly learn from theirerrors and put lasting solutions in place. When they face an issue, they not only resolve the immediateconcern and its impact, they have a way of digging into the "root" of the problem and changing things sothat it is permanently fixed. Their investigations into problems are not haphazard, but systematic andrational. Measurable progress in improvement is seen in results that matter to the business and itscustomers. I personally know this to be true because I have had the privilege of working with many of thesesuccessful companies.

The interesting thing about companies at both extremes of the ISO spectrum is what they have in common:

Both have talented and experienced management

Both have committed and skilled employees

Both experience problems that have to be addressed

Both expend time, effort and money to address problems

Both have the same ISO certification

The difference is not in the problems they face, nor the effort they expend, but in HOW they respond toproblems. It is in the way they investigate to find the reasons problems occur. It is in the conclusions theydraw from those investigations. It is in the corrections they make to their processes to alleviate the sourceof the problems. It is in the follow-up actions they take to ensure problems are permanently resolved.Overall, it is in their perspective and understanding of the nature of recurring problems and how toeffectively address them. So, what's their secret?

The secret to an effective approach to correcting and preventing problems through a corrective actionprocess is surprisingly more simple than expected. It doesn't normally require big expenditures. It doesn'toften involve complex statistics and analysis. It doesn't usually need complicated engineering solutions. Thesecret is found in gaining a simple understanding of what makes a process work well when it does – howthings run smoothly when they do. Once you gain an understanding of what makes things work right, itbecomes obvious what makes things go wrong.

Making a Process Work Right

A process is basically the way in which work gets done. It is a series of steps that have been planned toresult, if followed consistently, in what was expected. Manufacturing has processes that result in products.Engineering has processes that result in designs. Purchasing has processes that result in quality productsand services received. Sales has processes that result in new orders or contracts. Service companies havetheir own unique series of processes. All businesses and all parts of an organization have processesdesigned to produce results; and often individual processes are connected together in bigger processes toproduce bigger results.

In order for any process to produce its intended results, it must follow a few basic rules:

1. The process must be defined by those who plan the work2. The process must be understood by those who do the work3. The process must be easy to carry out on the job4. The process must be measured to understand its results



No matter what type of process in whatever kind of business, every process must follow these four rules tobe effective. Break any of the rules and the process will fail. For example,

If a process isn't defined clearly, it will be up to the individual worker how to get the job done; thismeans that the process will be done differently by different people.

If a process isn't fully understood by each individual worker, it will result in individuals to developtheir own understanding of the process based on "educated guesses" and "trial and error".

If a process is difficult to follow because of various obstacles (problems with equipment, materials,schedules, instructions, etc.) workers will be forced to work "around the system" to get the jobdone; this will produce differing results.

If a process is not measured with reliable data, no one will really know how well results are beingachieved and whether or not changes to the process should be made.

When a process is working well with good, predictable results, the four rules are being followed. Take a lookat several well-running processes your organization and see if you can observe the four rules in action.

Finding the "Root Cause" of a Problem

Problems occur when a process goes wrong. A "one time" problem results from a single breakdown of aprocess. A "recurring" problem comes from a process that consistently breaks one or more of the four rules.In either case, when trying to solve a problem so that it is permanently resolved, a few basic questions willguide you to an understanding of what's wrong with the process that created the problem and, moreimportantly, what to do to correct it. In quality assurance lingo, this step in an ISO 9001:2008 correctiveaction process is called investigating the "root cause".

Here are some investigative questions you can use to find the root cause of any process-related problem:

1. Where is the process formally defined?2. Can those doing the work demonstrate complete understanding of the defined process?3. Are there obstacles in the process that prevent consistent adherence to the defined process?4. Do the measured results show the process capable of consistently meeting requirements?

These four simple questions are remarkably powerful in diagnosing the root cause of a problem. When usingthe questions, keep two general guidelines in mind. First, asking the four questions presupposes that youknow which process originates the problem. In most problem-solving situations, there is a single processthat has failed and has led to the problem. Be aware that because processes are linked, a problem seen"downstream" at the end of a series of processes may have resulted from a breakdown "upstream" at aprevious process. Asking "why?" several times will help guide you to the original process that failed.

Secondly, the four questions must be asked in order. For example, it is meaningless to ask workers todemonstrate their understanding (question 2) of a process that is not defined (question 1). Any reliableprocess first must be defined which means that it is documented, at least at a basic level. If then theprocess is defined and documented, checking understanding is based on specific requirements for theprocess, rather than the individual experiences and opinions of various workers. Likewise, looking forobstacles in the process that cause people to "work around" the official process (question 3) is futile if theyfirst cannot demonstrate understanding of the process (question 2).

This methodology for investigating the real reason behind a problem brings us to a definition of the "rootcause":

The root cause of a problem is the weakness in the process that originates the problem.

There are, therefore, four possible "root causes" to any problem:

1. Inadequate definition of the process.2. Inadequate understanding of the process.3. Obstacles in the process leading to "mistakes" or "shortcuts".4. Incapable process as shown by measurable data.



Accurately identifying the weakness (using the four questions) in the failed process is fundamental todetermining the right corrective action to take to prevent the problem from recurring.

Corrective Action is as Easy as 1, 2, 3 ... 4

As critical it is to find the root cause of a problem, it is useless if action is not taken to correct the process.Fortunately, the four questions not only guide the investigation of the cause, they also direct us to the rightcorrective action. What a waste it is when a problem is well understood and the root cause is identified yetthe effectual action is not taken, much like running a 1-mile race and stopping 100 yards from the finishline.

Corrective actions become clear based on which of the four questions reveal the root cause:

1. If the process is not defined adequately, create or update necessary documentation.2. If the process is not fully understood, provide training.3. If the process has obstacles, identify and remove them.4. If, after addressing 1-3 above, the process measures show the process incapable of meeting

requirements, re-design the process (then ask questions 1-3 again).

The result is that companies that learn how to effectively resolve problems find the investment in ISO 9001certification provides a foundation for future success. Care and diligence in the process corrective actiondrives the improvement in business processes that impact their customers and their own bottom line.