Manuals and the Management System Standards

The requirement for a “Quality Manual” from ISO 9001 is a long-standing one from BS 5750 (the precursor to ISO 9001) and was typically a large document (“never mind the quality – feel the width”).

The current version of ISO 9001 still requires a “Quality Manual” as one of its documentation requirements but states that it needs (only) to include:

  • The scope of the QMS
  • The documented procedures established for the QMS or reference to them
  • A description of the interaction between the processes of the QMS

At its simplest this could be a sentence or two covering the scope, a list of procedures, and a system diagram or flowchart of the QMS processes.

ISO 14001 does not specify a manual but also requires documentation covering:

  • The scope of the EMS
  • The documented procedures established for the EMS or reference to them
  • A description of the interaction between the processes of the EMS

BS OHSAS 18001 again does not specify a manual but requires the same three elements to be documented:

  • The scope of the OH&S management system
  • The documented procedures established for the OH&S management system or reference to them
  • A description of the interaction between the processes of the OH&S management system

In summary then, none of these three standards require “manuals” in the physical sense but all three require key elements of each management system to be documented. None of these documents need be large and it should be possible to cover all three requirements in each case in a few pages.

Note that certification bodies sometimes expand the requirements of the standards to suit their own purposes and make their auditing and assessment easier but there is no foundation for this in the basic standards.

ISO is aiming to “standardise” the management standards over the next few years and I expect that the requirement in ISO 9001 for a “Quality Manual” will disappear and the standard will simply ask for the three elements as do the other standards. 

Integrating your management systems

As organisations adopt more formal management system standards (such as ISO 9001, ISO 14001, ISO/IEC 27001 and ISO/IEC 20000) these are frequently implemented as standalone systems.

However, there are 6 common elements in these management system standards that can be managed as an integrated management system across all these standards (including ISO 22000 and OHSAS 18001 as well) to the benefit of the whole organisation.

These common elements are:

  1. Policy
  2. Planning
  3. Implementation and operation
  4. Performance assessment
  5. Improvement, and
  6. Management review

Although each standard has its own specific requirements that need to be addressed, these six elements are present in all the above management system standards. ISO is working, through its ISO Guide 72, to ensure not only that these elements exist in all management system standards, but that they have the same clause numbers in each standard.

PAS 99:2006 Specification of common management system requirements as a framework for integration has been produced to help organisations benefit from consolidating the common requirements. If your organisation has adopted, or is adopting, more than one of these standards, the use of this integrated approach can reduce duplication and complexity and make internal and external audits more effective and efficient.

ISO 9001:2015

This may be a bit of a surprise when we’re just getting used to ISO 9001:2008 but the next version of ISO 9001 is now being considered and it’s likely to be 2015 before it’s published.

The committee responsible for ISO 9001 is in the early stages of working out what changes need to be made in the next version of the standard. The first version of ISO 9001 (1987 version) took 7 years to develop. The 1994 edition took another seven years and the major revision ISO 9001:2000 took 6 years. The 2008 version, which had only minor changes, took another 8 years (though that was more to allow the 2000 version to settle rather than the scale of changes in ISO 9001:2008).

The next version could therefore be as early as 2013 but 2015 seems more likely.

One of the difficulties to be faced in the next version is the increase in the number of “management system standards”. ISO 9001 was the first but was followed by others such as ISO 14001 for environment management systems. ISO has stated that all management system standards need to be aligned to the extent that they have as far as possible identical clause titles, sequence of clauses, definitions and as much identical text as feasible.

This drive for commonality amongst the management system standards may detract from the need to include new ideas in ISO 9001. One of the criteria for developing ISO 9001:2000 was that no “new” requirements were added – it was more of a structural change. So many of the concepts in ISO 9001:2000 and the 2008 edition are unchanged from the 1994 version and if the next version doesn’t appear until 2015, and no new concepts are introduced it will contain concepts that are over 20 years old!

In the post about David Hoyle’s ISO 9000 Quality Systems Handbook, I mentioned that the book is openly critical of ISO 9001’s inconsistencies. So, despite the fact that ISO 9001 has become a worldwide baseline for quality management, there are lots of improvements that could be made.

For example, the purpose of ISO 9001 is still largely misunderstood. It is not a “model quality management system”. Too many organisations, and the consultants that advise them, seem to think that paraphrasing the ISO 9001 standard is the correct way to document a quality management system. ISO 9001 is a list of the requirements that a quality management system shall meet to enable it to be assessed. It is not a documented quality management system (that’s just one of the requirements to be met).

Another improvement would be to deal with the challenge that ISO 9001 stifles innovation by placing a greater emphasis on compliance than on improvement.

How can you influence what goes in the next version of ISO 9001? Get in touch with your national standards body – the British Standards Institution in the UK – or email the UK representative on the ISO committee Charles.Corrie@BSI-global.com

Preventive Action, Corrective Action and Correction

What’s the difference between corrective action and preventive action? Are separate procedures required by ISO 9001?

The corrective action process is a problem-solving process and the preventive action process is a risk-analysis process.

Corrective action

Corrective action is defined in ISO 9000 as “action taken to eliminate the cause of a detected nonconformity or other undesirable potential situation” and notes that corrective action is taken to prevent recurrence. ISO 9000 also points out that corrective action differs from correction which is defined in ISO 9000 as “action to eliminate a detected nonconformity”. Put simply, if something has gone wrong then the action you take to fix that instance is correction. For example, if a part comes off the production line with a screw missing, then putting the missing screw back is correction. The action you take to stop it happening again is corrective action. Using the same example, making sure the correct number of screws are supplied for each part would be corrective action. It gets confusing when that is referred to as preventing a recurrence. In ISO 9000 terminology that action is not preventive.

Correction

There has to be a problem for you to take corrective action. If no problem exists but there is a possibility that a problem might occur, preventing that potential problem is preventive action.

Preventive action

Preventive action is defined in ISO 9000 as “action taken to eliminate the potential causes of a nonconformity or other undesirable potential situation”. ISO 9000 distinguishes preventive action from corrective action by noting that “preventive action is taken to prevent occurrence” as opposed to recurrence which characterises corrective action. In the example used above, planning the production of the part to ensure that all the screws are fitted would be preventive action.

A risk management process is a good example of preventive action. Assessing the impact and likelihood of a risk occurring and taking action to prevent occurrence is preventive action.

Other examples of methods for identifying potential nonconformities are:

  • trend analysis for process and product characteristic (where a worsening trend indicates a potential problem)
  • monitoring of customer feedback
  • evaluation of problems in similar processes or products
  • planning of new processes and products

Procedure Requirements

Note that in the above discussion, reference is made to ISO 9000 and not ISO 9001. ISO 9000 contains the concepts and terminology on which ISO 9001 is based and is essential reading to gain a full understanding of ISO 9001.

On the question of procedures, ISO 9001:2008 makes it clear that a procedure is required for corrective action and also a procedure is required for preventive action. But there is no stipulation that these should be separate documents (see the NOTE 1 under 4.2.1 in the standard). However, the combination of a corrective action procedure and a preventive action procedure into a single document is not recommended as it then becomes more difficult to clearly separate the two distinctly different approaches. You may also find it difficult to demonstrate to an external assessor that the processes are separate and that you actually perform both types of action.

BS 10012:2009 Data Protection – Specification for a Personal Information Management System


The Data Protection Act applies to any organisation in the UK that holds personal information about living individuals. Compliance with the Data Protection Act is required by law and this standard will help you demonstrate compliance.

The BS 10012 standard:

  • provides a framework for developing an infrastructure to maintain and improve compliance
  • allows you to assess your current level of compliance, recognise weaknesses and provide opportunities for improvement
  • enables effective assessment of compliance by internal auditors and external assessors

This is provided in a straightforward format following the management system style of “plan-do-check-act”, also known as the Deming cycle, used in ISO 9001, ISO 14001, ISO 27001, etc.

The standard is available in hardcopy and PDF download for £100 (or £50 for BSI members) from BSI.

BSI also publish a simple guide to the Data Protection Act – Data Protection Pocket Guide – Essential Facts at Your Fingertips.

ISO 9001:2008

The fourth edition of the ISO 9001 standard “ISO 9001:2008 Quality Management Systems – Requirements” was published in November 2008.

This was a minor amendment rather than a revision and was meant to clarify the standard to address feedback on the use of the standard over the eight years since the major revision in ISO 9001:2000.

The amendments include:

  • 0.1, 1.1, 1.2 The term “regulatory” in relation to requirements has been changed to “statutory and regulatory”.
  • 0.2 The term “identify” has been changed to “determine” implying that rather than just recognising and establishing something, a degree of reason needs to be applied and a decision reached.
  • 4.1 The requirement to “measure” in subclause e) has been changed to “measure (where applicable)”. Some organisations believed they needed to measure every process.
  • 4.1 The reference to outsourced processes also now requires them to be “defined” and not just “identified”. In the Notes it is now made clear that processes need to include those for analysis and improvement. Also in the Notes it is made clear that an outsourced process is one that is needed for the organisation’s quality management system but the organisation has decided to have it performed by an external party. A new note identifies the factors that influence the control of an outsourced process. All these changes require much more careful thought about outsourcing. 7.4.1 is equally applicable to outsourcing.
  • 4.2 A note has been added to say that more than one procedure requirement may be covered in a single document. For example, the separate requirements for a procedure for corrective action and a procedure for preventive action may be met in a single document. The ISO 9001 requirement for six procedures does not mean six documents.
  • 4.2.3 Subclause f) has been amended to make it clear that only those external documents needed for the planning and operation of the quality management system need to be identified and controlled – not all external documents.
  • 5.5.2 The management representative must be a member of the organisation’s own management. Some organisations outsourced this role to a different organisation or to a quality consultant. This is now not allowed.
  • 6.2.1 A clarification has been made to the effect that anyone performing work that impinges on product requirements needs to be competent. The implication before was that only quality control and quality assurance staff needed to be competent.
  • 7.1 Measurement has been added as a required activity in the planning of product realisation. A new note aims to ensure that organisations take full account of post-delivery activities in product realisation.
  • 7.3.3 A new note reminds organisations that in considering design and development output, the product packaging needs to be considered.
  • 7.6 A new note explains that confirmation of software used in monitoring and measuring would include verification and configuration management.
  • 8.2.1 A new note has been added to illustrate some of the ways of monitoring customer satisfaction other than carrying out customer satisfaction surveys which were often seen as the only way of meeting this requirement.
  • 8.2.2 The requirement is to keep records throughout the audit and not just the report produced at the end of the audit. The need to apply immediate correction of any nonconformity is made clear in addition to any corrective action to be taken later.
  • 8.2.3 The monitoring and measurement of processes needs to be appropriate to the process, the impact on requirements, and the effectiveness of the quality management system. Again, not just measurement for measurement’s sake.
  • 8.2.4 Evidence of release of product is required only when it is released to the customer – not at each stage of the process leading up to delivery.
  • 8.3 It is now made clear that one or more of the four ways of dealing with a nonconformity can be used as applicable. This section is worth re-reading as the text has been reorganised to make its intent clearer. In particular the requirement for dealing with rework is clarified.
  • 8.5.2 and 8.5.3 It is now clear that the effectiveness of corrective and preventive action needs to be verified and not just that actions have been taken.

Annex A has been brought up to date to reference ISO 14001:2004. Annex B now shows the correspondence of ISO 9001:2008 with ISO 9001:2000 rather than with ISO 9001:1994 as this is no longer relevant.

The list of standards in the Bibliography has been brought up to date.

Many sections of the 2000 version remain unchanged in the 2008 amendment including:

  • 4.2.2 Quality manual
  • 5.1 Management commitment
  • 5.2 Customer focus
  • 5.3 Quality policy
  • 5.4 Planning
  • 5.5.1 Responsibility and authority
  • 5.5.3 Internal communication
  • 5.6 Management review
  • 6.1 Provision of resources
  • 7.2.3 Customer communication
  • 7.3.4 Design and development review
  • 7.3.5 Design and development verification
  • 7.3.6 Design and development validation
  • 7.3.7 Control of design and development changes
  • 7.4 Purchasing
  • 8.5.1 Continual improvement

Organisations with ISO 9001:2000 certificates need to be compliant with ISO 9001:2008 by December 31st, 2009. You should contact your certification body to help with this. In most cases they will audit you against the new version of the standard at your next surveillance visit.

If you would like your quality management system assessed against ISO 9001:2008, please leave a comment below and we will get in touch. Please also get in touch via a comment below if you require further information on any of the changes in ISO 9001:2008.

Auditing Practices Group


The ISO 9001 Auditing Practices Group is an informal group of quality management system (QMS) experts, auditors and practitioners, drawn from the ISO Technical Committee 176 Quality Management and Quality Assurance (ISO/TC 176) and the International Accreditation Forum (IAF).

Their website provides ideas, examples and explanations that reflect the process-based approach that is essential for auditing the requirements of ISO 9001:2008. It is primarily aimed at QMS auditors, consultants and quality practitioners.

The information includes:

  • An introduction to the Auditing Practices Group
  • Measuring QMS effectiveness and improvements
  • Understanding the process approach (critical to understanding ISO 9001)
  • How to determine and audit requirements in ISO 9001 that are stated as “where appropriate”
  • Auditing management processes, the quality policy, quality objectives and management review
  • How to document a nonconformity, preventive action, internal communications
  • A code of conduct and ethics for auditors

etc . . . .

The site is well worth a visit for material to improve your auditing of ISO 9001 in particular.

A related web page (the Accreditation Auditing Practices Group) provides guidance to accreditation auditors working for the certification bodies.

In a future post, I will look at the technical committee at ISO that is responsible for the continual improvement of ISO 9001 and at the plans for the next version of ISO 9001 that is scheduled for 2015 and the plans to revise ISO 19011, the auditing standard, currently planned for next year.

I’ll also take a look at ISO 9004 Guidelines for Performance Improvements, a valuable member of the ISO 9000 family of standards that is often ignored but provides guidelines to cover efficiency (not covered by ISO 9001) as well as effectiveness (the purpose of ISO 9001). The revised version of ISO 9004 is due August 2009.

Showing ISO 9001 Compliance


This spreadsheet was created in Excel 2007 to illustrate a simple way of showing how compliant an organisation is with the clauses of ISO 9001.

It uses the icon sets in Microsoft Excel and the MIN function to map compliance across each clause and subclause of ISO 9001.

Each subclause is scored 1 for non-compliant, resulting in a red button, 2 for partially compliant, resulting in a yellow button, and 3 for fully compliant, resulting in a green button.

For each grouping of subclauses, the minimum score across its subclauses determines the overall score. For example, subclauses 5.5.1 and 5.5.3 are fully compliant but 5.5.2 is only partially compliant so 5.5 is partially compliant.

This works up all the way to the main clauses – 4, 5, 6, 7 and 8.

Clause 5 is non-compliant because 5.3 is non-compliant even though all the other subclauses are either fully compliant or partially compliant. For example, subclause 5.5.1 is partially compliant but 5.5.3 is fully compliant.

The Microsoft Excel 2007 file used to create the above diagram will be sent to you if you provide your email address in a comment below. The spreadsheet does not work with earlier versions of Excel as they do not have the icon set that is used in this example.

12 Myths surrounding ISO 9001


There are many myths surrounding ISO 9001.

Let’s start off by dealing with the twelve most common ones.

Myth #1 – Implementing and maintaining ISO 9001 is expensive.

Beyond the costs of third-party assessment there should be no additional costs. All organisations should have clearly defined how they work to ensure customer satisfaction.

If you document what you do and put in place processes to improve what you do it doesn’t need to be expensive. You probably already have most of what you need.

Myth #2 – ISO 9001 is the responsibility of the Quality Department and you must have a Quality Manager.

You don’t need a Quality Department to run ISO 9001 and you don’t necessarily need anyone full time to run it. Your ISO 9001 quality management system should be about how you run your business – not how you run your Quality Department if you even have one.

Myth #3 – To implement ISO 9001 you just copy the standard inserting the name of your company.

There are many quality consultants who offer to provide a customised quality manual based on rewording the ISO 9001 standard. The quality manual should describe how your business works, the scope of the management system, the procedures used and their interaction. The ISO 9001 standard lists the requirements your management system needs to meet – it isn’t a quality management system itself.

Myth #4 – Every process must be documented.

The ISO 9001 standard says that the extent of the documentation can be tailored according to the size of organisation, the type of activities, the complexity of the processes, and the competence of personnel. The ISO 9001 standard only requires six procedures to be documented – plus any procedures that are needed to ensure that the planning, operation and control of the organisation’s processes is effective.

Myth #5 – A cross-reference must be maintained showing how each process meets each requirement of the standard.

Whilst this is useful in ensuring that all the requirements of the standard are met it is not, in itself, a requirement of the standard. It is often “demanded” by assessors and auditors because it makes their work easier. [See ISO 9001 4.1]

Myth #6 – Procedures (and forms) have to be signed, numbered and have version numbers and dates on them.

The standard requires that documents have to be controlled but there is no requirement for them to be signed, dated, numbered or version controlled. Forms are not mentioned in the standard. [See ISO 9001 4.2.3]

Myth #7 – A master list of documents (procedures and forms) has to be maintained showing what the latest version of each document is, where it is kept and for how long.

The standard does not require such a list. [See ISO 9001 4.2.4]

Myth #8 – The management review has to be a meeting that covers all the inputs of ISO 9001 5.6.2 and outputs of ISO 9001 5.6.3.

The review does not have to be a meeting and only the relevant requirements in 5.6.2 and 5.6.3 need be considered. [See ISO 9001 5.6]

Myth #9 – All suppliers have to be rated and regularly re-assessed.

The organisation should decide when and how it evaluates its suppliers based on the impact the purchased product has on the finished product. [See ISO 9001 7.4.1]

Myth #10 – Every piece of measuring equipment has to be calibrated or be given a reference-only sticker or label.

There is no requirement for stickers or labels. [See ISO 9001 7.6]

Myth #11 – Customer surveys have to be sent out regularly to customers to measure their satisfaction.

The standard requires that the organisation monitors its customers’ perception as to the extent to which the organisation has met their requirements. How this is done is up to the organisation to decide. [See ISO 9001 8.2.1]

Myth #12 – The audit schedule must cover 12 months, all procedures must be audited within 12 months and all clauses of the standard must be audited over a 12 month period.

The standard requires that audits are planned and take into account the status and importance of the activities to be audited and what happened at previous audits. No timescales are defined. [See ISO 9001 8.2.2]

There is no substitute for carefully reading the ISO 9001 standard, being clear about what it requires, and deciding how best to meet those requirements in your organisation. Don’t let any consultant, auditor, or assessor try to tell you that there’s a “best practice” that you should follow. Decide what’s right for your organisation, check that it meets the actual requirements of the ISO 9001 standard, and you will have nothing to worry about!

Welcome!


Since 1989, when I established Parker Quality Consultants to help organisations to maintain and improve their quality management systems and to achieve ISO 9001 Certification, I have worked in a wide variety of markets with companies from the very smallest to some of the largest.

With the launch of a new website planned, this seems a good time to start to bring quality matters, as I see them, to a wider audience.

I plan to bring you the latest news in the quality world. I’ll try to dispel some of the myths surrounding ISO 9001 and explain how you can improve your quality auditing. I’ll let you know what’s happening in the world of quality standards – including the already launched 2008 version of ISO 9001 and the soon to be published revised ISO 9004. I’ll also be recommending some books and websites to help you along the way.

Stay tuned and thanks for reading!
David R Parker
Quality Consultant