Implementing the Process Approach

Leveraging ISO 9001 for Real Business Value

"Having an effective process management process may be a "missing link" in your current QMS and this gap may be a key reason ISO has lost some of its luster in recent years." Ensuring that ISO 9001:2008 remains a vital, relevant tool for your top management to improve business performance is often of concern by those responsible to oversee the "ISO program" within your organization. It is too common for ISO to become "yesterday's news" if you've been certified for several years and today's "big event" is the annual return of the Registrar's auditors. If your organization has struggled to show measurable and sustainable improvements in performance for your customers or toward top-priority management goals, then ISO may be thought to be in "maintenance mode" within your organization, rather than a vital tool to address today's critical business needs. The observable symptoms of this situation might include: 1. 2. 3. 4. 5. The same corrective actions come up again and again. Audit reports identifying seemingly "petty" issues. Management review meetings "going through the motions" and often poorly attended. Improvements made in the past don't show sustained results today. There is a "burn out" factor within your internal auditor team.

These indications point to a quality management system (QMS) that has generally lost its focus. But, why does this occur? Why are we off track? In many organizations, a careful "root cause" investigation may point to a lack of understanding about how processes drive performance or a lack of effective implementation of what ISO 9001 calls the "process approach". In previous editions of ISO 9001, the standard was organized for auditors, not managers. The requirements were structured around 20 "elements" (whatever that means!) and read like an auditor's checklist. The central theme of these earlier ISO versions was to "document what you do, and do what you document". In other words, procedures! In many of today's certified companies, this legacy mentality still reigns and numerous documents that were written to "get ready for ISO" now gather dust unless an auditor stumbles across them. Many managers ask (rightly) "what's the point of that!" A change in focus in the current standard To cure us of our fixation on documents (as if that was the point of ISO anyway) the year 2000 version of the standard introduced the process approach to turn our attention toward a means to drive real business value with our QMS. In the words of the introduction of ISO 9001:2008: This International Standard promotes the adoption of a process approach when developing, implementing and improving the effectiveness of a quality management system, to enhance customer satisfaction by meeting customer requirements. For an organization to function effectively, it has to identify and manage numerous linked activities. An activity using resources, and managed in order to enable the transformation of inputs into outputs, can be considered as a process. ... the application of a system of processes within an organization, together with the identification and interactions of these processes, and their management. can be referred to as the "process approach"(ref. 0.2). More simply, in order to improve business results, both for the customer and the company, your approach to your QMS should be built around processes ... namely, those processes that have the biggest impact on your business performance. In a related article, we discussed the importance of identifying the most critical cross-functional processes that most impact the customer and business performance and formally managing them as the central theme of your QMS. Once in place, these key processes serve as the focal point for management planning, resource allocation, performance monitoring and continual improvement efforts. Your documentation, training and corrective actions should also stem from these processes. In some respects, your key processes and their improvement become the chief targets of your QMS.

So, the selection of your key processes and their day-to-day management by assigned "process owners" is among the most important responsibilities of the management representative (see 5.5.2 a) and top management (see 5.4.2). The problem of white space in the organization A question might come to mind, then, "Why do processes need to be managed?". Or, "why don't they manage themselves?". This uncertainty often springs from an assumption that if we put procedures in place, and manage them (including auditing the @%#& out of them) doesn't that make our processes work right? The answer can be found by looking more closely at our procedures. Most company procedures are written by a specific department within our organization. Each department looks at how they do things and documents the general steps in a written procedure. They might also check the ISO standard to see if there are any changes they need to make to stay out of audit trouble. A procedure, then, is focused on the activities within the department who develops it. Some examples The limitation of that approach is that key processes are bigger than individual departments. Consider the following examples:

What's clear about these processes is that they span several departments within an organization. It takes the efforts and good performance from each department to get good results from the process. And it takes more.

What is "white space"? In most businesses, the most common areas where obstacles to processes arise are in the hand-offs between departments, groups or individuals, or what is called the "white space" of an organization(*). The term white space comes from looking at a typical organization chart or diagram showing the reporting relationships of the various departments. The common chart shows job titles and how people fit in the overall organization. The intention of such a diagram is to show where people are focused in their jobs. Managers, then, place their attention on making sure each person fulfills their responsibilities within their defined job duties. Where there is NO focus is on the spaces between the boxes on the organizational chart or the "white space" on the chart. This tends to be "no mans land" in the organization where no one claims to have full responsibility or accountability. As work flows through the organization within larger processes, problems crop up when "balls get dropped" or "things fall into a black hole" in the white space. The process approach looks at the business differently. Instead of the top-down (vertical) view through the organization chart, a process view sees how work flows horizontally through the business. In reality, the most important work flows across the company without regard to the reporting structure of the organization. Yet, that same organization structure often impedes the performance of the process.

This occurs because of how goals are set departmentally and how problems get addressed by having to go "up in the chain of command" for resolution, especially when there are particularly sticky issues to resolve. This only creates delays in decision making and typically removes those closest to the work and the problem being discussed, from the final decision made. These management decisions can be subject to compromise between conflicting priorities of the process and department goals. In process terms this is called suboptimization. The importance of managing white space To balance the top-down view, processes need to be managed horizontally within their own structure. The ISO 9001:2008 process approach provides such a structure. The horizontal view does not conflict with the company reporting structure but complements it. By identifying the few key processes that are essential to business performance and assigning responsibility for management and improvement of these processes, this can pull everyone involved together in understanding how to better arrange the process for best results. The key then is to define how to manage cross-functional processes within a functional organization. The remainder of this article will focus on some proven suggestions to how to structure your QMS to maximize process performance across your company. A cross-functional approach to managing key processes

The ISO 9001:2008 does not specify the structure to use to manage your processes (see section 4.1 in the ISO standard). It simply states that you must: 1. 2. 3. 4. Identify your key processes, how they flow though the organization and their relationships to one another. Establish methods to measure the performance of the processes. Make sure resources and information needed are available. Monitor, analyze and improve the processes.

But how to set all this up within your QMS is up to you. We should say it is more than simply putting a list of your processes in your quality manual. In some companies, that's about all the thought that is put into their processes. Questions to consider An effective approach to process management would address these questions: 1. 2. 3. 4. 5. 6. Who "owns" each process? That is, is there an individual assigned to be responsible and accountable for the performance of the process? What departments and job positions are involved in the execution of the process? What does each one need to successfully support the process? Where are the most common "white space" breakdowns in the process? How can they be more carefully managed? How do we keep everyone involved informed as to how the process is performing and what problems need to be addressed? What day-to-day obstacles do people run into in performing the process? Do we have an official way for these type of problems to be easily reported and addressed? How to we measure the progress of our ability to manage processes? If one process is "better managed" than another, what's the difference in approach between them?

There are certainly more questions to consider, but these should serve as a starting place for setting up a "process management process" in your organization. Getting your process management process started Here are some general suggestions for getting started:

Assign "ownership" of each process to a member of the top management team. This will ensure there is enough clout and visibility to process management. Recruit a cross-functional team to work with the process owner to oversee the process on an ongoing basis. Have the process management team formally document the process in a process flowchart showing all of the hand-offs and white spaces. Determine and implement formal measures of effectiveness for each process that are reported as part of top management meetings and management review. Authorize your process management teams to make changes to their processes for improvement, even if it disrupts the current organizational structure and job responsibilities. Set process goals based on top-level company and quality objectives. Provide training to your process management teams on process improvement techniques and their role within the organization. Also provide training to your teams on how to analyze data, how to investigate root causes to process issues and how to take effective corrective and preventive action. Review your current procedures to see which processes they support and if they are aligned with the purpose of the processes. Consider eliminating procedures that don't support a key process. Establish formal criteria for process management teams and their effectiveness. Rate them against the criteria to measure progress. Write a QMS procedure on your process for managing processes and ensure it is audited as part of your internal audit schedule.

You'll have to tailor some of the suggested steps above to your organization depending upon its size and organizational complexity. Be sure to work closely with your top management in setting up your "process

approach" so that you have their support and involvement. It's an ideal situation when the top management team integrates process management into their normal business management activities and regularly identifies processes requiring change or improvement when business issues or opportunities arise. Driving sustainable improvement Having an effective process management process may be a "missing link" in your current QMS and this gap may be a key reason ISO has lost some of its luster in recent years. You may be weathering your audits just fine with only a handful of minor findings each time. But passing the audit may be all the benefit you're getting from your investment in ISO 9001:2008 certification. By managing processes with a more structured approach, you can turn your ISO QMS into a lever for addressing nagging problems with customers, recurring wastes internally and for taking advantage of new business opportunities that require your business to "move up a notch" in its capabilities. A practical approach is found in the ISO 9001 process approach and you'll find your efforts to re-tool your QMS will pay back benefits for years to come. (*) See the book "Improving Performance", Rummler & Brache, Jossey-Bass Publishers, for the original discussion about "White Spaces" in an organization and how to manage processes to overcome them.

Understanding the Process Approach

Demystifying the ISO 9001 Requirements
What Exactly Is the Process Approach? "The process approach means that you improve your business by managing and improving certain key business processes that directly impact your ability to serve your customer." Since the year 2000 release of ISO 9001, all ISO certified companies have wrestled with the practical application of the "Process Approach" that was introduced in the current version of the standard. In fact, other than the reduction of the number of "required" (i.e. prescribed) documents, the shift to the Process Approach was the most significant change from older editions of ISO 9001. This struggle has been expressed by a number of common questions: 1. 2. 3. 4. 5. What exactly is a "process" as required by ISO? How do we document our processes? How does the rest of the Quality Management System (QMS) support our processes? How do we audit using the Process Approach? What are the Registrar's auditors really looking for?

If you've found yourself asking these or similar questions, or you've had other people in your organization ask them and you've struggled with a response, then understand that you're not alone. The continued confusion about this aspect of ISO 9001 stems from the generic language of the standard and the various ways companies have attempted to comply. It hasn't helped that Registrars seem to have different approaches to interpreting and auditing these requirements. Let's see if we can take some of the mystery out of this for those of us trying to make ISO add value to our businesses on a day-to-day basis. A simple explanation From the language of the ISO 9001 standard itself, the "process approach" is described as: "The application of a system of processes within an organization, together with the identification and interaction of these processes, and their management" (ref. section 0.2). Let's put that into simpler terms. The process approach means that you improve your business by managing and improving certain key business processes that directly impact your ability to serve your customer. Since your business processes are basically "how you get things done", by improving these processes you improve your company's ability to meet customer requirements. Gains made by improving your key processes pay dividends today and in the future as your QMS drives meaningful improvement in your business. So, that takes the focus of your ISO efforts off of "getting ready for the next audit." While a necessary part of ISO, passing the audit will only maintain your certification. This is the minimum benefit you should receive from your efforts. The real opportunity for measurable business benefit from ISO 9001 is for better efficiency, reduced failures and higher levels of performance for your customers. The most effective ISO "lever" to achieve these results is the management and improvement of key business processes. Often, the most critical processes in your business are cross-functional, cutting across boundaries within you organizational structure. Improvements in these processes have an ongoing payback if such improvements are sustainable and sustained. The process approach, when correctly applied to your QMS, is the way this gets done. So, what is a process? For those who may not have a strong background in studying processes and quality improvement, it is common to ask, "What exactly is a process?". Using the text from the ISO 9001 standard: An activity using resources, and managed in order to enable the transformation of inputs into outputs, can be considered as a process (ref. 0.2). In other words, a process is basically how you are operating a certain activity within your business to convert something such as an unfinished product, some data or information, an untrained employee, or other "input" into an "output" such as a finished product, decisions based on data or information or a fully skilled employee. The steps you've followed to accomplish the intended results is the process.

Keep in mind that your business processes exist whether or not you understand them or are trying to improve them. Some are more informal than formal. Others are less effective than you assume. There are those that are surprisingly effective though you're not sure why. Processes are simply "the way we get things done". Processes come in different shapes and sizes. A process can be as "small" as a task someone has to do, such as entering data into a computer. A somewhat larger process would involve several people within a certain department to complete something, such as putting together and implementing a new marketing campaign. A process can also span several departments who all have to work together for a common goal, such as developing, producing and releasing a new product or service.

These different process scopes illustrate how smaller processes "fit" into larger processes and support them. Generally you should consider bigger processes to be more important to your business performance overall than the smaller ones. But it is often the case that the broader cross-functional processes are not well managed, despite their greater importance. This is because cross-functional processes cut across organizational boundaries, involving several department heads. The organizational structure, in this case, tends to work against efficiency because of the "hand-offs" between departments and conflicting goals between organizational groups. Yet, because of their importance to meeting customer requirements and management objectives, they should be considered among your most critical "key processes" to be managed within your ISO system. What's involved in managing processes? The management of key business processes basically involves the following: 1. 2. 3. 4. 5. 6. Identifying the processes that most directly impact your customer and overall business performance. Establishing reliable measures of performance for those processes. Assigning responsibility for monitoring and improving each process. Proper procedural documentation to control each process. Effective action to root out obstacles in the process and to resolve root causes to performance gaps. Integrating the process with the requirements of other business processes.

The management of your key processes should serve as the "top level" of your QMS that is, it should provide the overall purpose and structure to your procedures, work instructions, training, etc. In addition, the selection of processes and establishment of process measures should be derived from your overall business and quality objectives.

What does ISO require? When reading the ISO 9001:2008 standard, it's easy to miss this central emphasis on managing key processes. This is in part because the requirements for managing processes are sprinkled throughout the standard under various headings. Piecing together a complete understanding involves pulling a number of requirements together. 0.2 Process approach It is helpful to start with the Introduction to the standard that introduces the concepts of managing your business through the identification and management of a "system of processes". Four parts of managing key processes are listed: 1. understand and meet requirements This indicates that the purpose of each key process is to meet specified requirements. If those requirements are not clearly defined and communicated, those involved in the process won't know if they are achieving what is needed. 2. consider the added value of the process Processes to be managed should be selected based on the "value" they add to the ability to meet customer requirements or to meet business objectives. That means that you should start with the most "key" (critical) processes to your business. 3. monitor process performance and effectiveness through actual results Once you've identified and defined your key processes, each should be monitored using a few performance measures. The measures should be selected based on the most important objectives for each process and its overall purpose. 4. data-driven continual improvement Monitoring these results and analyzing the data will clarify specific improvements needed in the process to drive performance up. Using root-cause analysis to determine needed corrective action (and preventive action) will ensure that improvement efforts pay off with better overall results.

The model shown in Figure 1 within the ISO 9001:2008 standard helps to give a "big picture" of how the overall QMS works to ensure that customer satisfaction is achieved (see page 7 of the ISO 9001:2008 standard). Essentially, the model depicts how your organization translates customer requirements into customer satisfaction through your internal QMS processes. The model aligns with the 5 major sections of the standard (4.0 8.0) to help you understand how the requirements fit together. From a conceptual perspective, the diagram is helpful. Specified requirements for processes The practical requirements for managing key processes are found in several passages within the standard.

ISO 9001:2008 Reference 4.1 (a) & NOTE; 7.1; 7.2; 7.4.1; 8.1

Key Process Management Requirement

Identify your key processes This is typically done with a simple flowchart for each process; be sure to include processes related to management activities, provision of resources and measurement. 4.1 (b); 4.2.2 (c) Determine how these processes fit together and impact each other This can be done by showing one process as an input to another process on your process maps; the process maps should be referenced or included in your quality manual 5.5.2 (a) Assign responsibility for managing these processes on an ongoing basis That is, determine an "owner" for each process; your management representative oversees the process owners to ensure the processes are effectively managed. 4.1 (c); 5.4 Establish formal measures of performance for each process based on the process purpose and objectives Ensure these process measures are linked to your overall objectives for the business and quality. 4.2.1 (d) Develop formal procedures needed to control these processes; relate them to your key process maps nly implement formal documented procedures where they help the process run more smoothly - don't document for the sake of documenting. 4.1 (d); 6.0; 7.2.3; Determine the resources needed for each process and establish a planning process 7.3.3 (b); 7.4.2 to ensure needed resources are provided Establish effective information-flows with your customers, internal processes and suppliers; evaluate what information is needed at each hand-off and determine how that information will be managed and maintained. 5.5.3 Establish a communication plan to ensure everyone working in or affected by your key processes understands how the processes are performing. 4.1 (e); 5.6.2 (c); Monitor and evaluate the performance of your processes to determine if objectives 8.2.3; 8.4 (c) are being met One of the venues for this evaluation is your management review. 5.6.3 (a); 8.5 Determine actions needed to improve the performance of your processes as determined by your process measures In addition to corrective actions, trends can indicate opportunities for preventive action.

Do we have to Audit using a Process Approach? One final question is commonly asked relating to whether or not your internal audit program must be reorganized to audit "processes" rather than "ISO requirements". Many ISO internal audits are structured around a requirement-by-requirement review of the quality management system following the sections of ISO 9001:2008. It is common for an audit checklist to itemize questions to confirm whether the QMS: ... conforms to the planned arrangements (see 7.1), to the requirements of this International Standard [i.e. ISO 9001:2008] and to the quality management system requirements established by the organization (ref. 8.2.2). The scheduling in such an audit program is often by departments within the company. If this is your current procedure for auditing, the question that comes to mind is "do I have to change to auditing processes? If so, how do I do that?" Well, the ISO standard does not really say how you need to organize your audits; just that you need to consider in your audit plan: The status and importance of the processes and areas to be audited, as well as the results of previous audits (ref. 8.2.2). So, bottom line is that you are not required to rearrange your audit program to "audit processes" per se. But you do need to be sure your auditors are aware of your processes and how they are organized, managed and currently performing. They can then provide useful feedback to your key process owners as to how well they are implemented and areas needing improvement. As a minimum, you need to determine the scope and frequency of your audits based on, among other factors, how well your key processes are performing. The Need for a Process to Manage Processes So, an effective implementation of the "Process Approach" would start by laying out how you will select, manage and improve the most critical business processes that impact your customers and internal management objectives. This would include assigning responsibility to certain individuals or teams to take charge of your key processes. Teams work well when processes cut across your organizational structure. Then, these process owners will monitor and improve these processes on an ongoing basis taking full responsibility for their performance. Perhaps, then, one of your first processes to establish is the process for how you will manage your key business processes within your organization. For additional help on getting started with managing your processes, see the article Implementing the Process Approach.

4.2.2 The Quality Manual

Establishing rules for the quality management system
DEFINITION A quality manual is a document stating the company management's intentions for operating the quality system. It includes policies for all areas of the business affecting or affected by the quality system. These policies authorize department managers to implement procedures within the boundaries specified in the quality manual. They also serve to provide a measure for procedures, processes and results. REQUIREMENTS The quality manual is a stated requirement of the ISO 9001 standard. Here is the relevant section: 4.2.2 Quality manual The organization shall establish and maintain a quality manual that includes: 1. 2. 3. the scope of the quality management system, including details of, and justification for, any exclusions (see 1.2), the documented procedures established for the quality management system, or reference to them, and a description of the interaction between the processes of the quality management system.

One thing to note about this requirement is that no guidelines are given regarding the format or organization of the manual. These decisions are left to the company to determine how to structure the document to best support its objectives. In terms of contents, as a minimum, the quality manual must include the following: 1. 2. 3. The company's quality policy (showing the company's commitment to quality). An explanation of the company's documentation structure. Policy statements demonstrating management's intention to comply with ISO 9001 requirements (less any appropriate exclusions). The policies must cover all areas of the ISO standard and be traceable (reference) to them. These policies must include: o How management expects company operations to function. o Who is responsible to implement these expectations (by function or job title). o Where and when the policies are applicable within the organization. o What interdependencies exist between functions and processes. Reference to the "second tier" operating procedures of the company. Assignment of one or more "management representatives" for quality in the organization. A description of the company's organization (usually in the form of an organization chart, top level of the company only).

4. 5. 6.

NOTE 1: The quality manual would normally contain no proprietary/confidential information and is usually made available to customers and third party auditors. NOTE 2: A clear distinction should be made between the contents of the quality manual and operating procedures. The quality manual defines what management's intentions for operation of the quality system while the operating procedures define how these intentions are implemented within the organization. USES The primary uses of the quality manual are: 1. 2. 3. To communicate management's expectations for quality to the organization. To demonstrate the company's compliance with ISO 9001 requirements. To serve as a measure for compliance to management's expectations for: o Internal audits o ISO Registrar audits o Customer audits

DEVELOPMENT

The development of the quality manual follows several steps: 1. 2. 3. 4. 5. 6. 7. 8. List policies to be written (note any ISO 9001 requirements that do not apply). List second tier operating procedures, cross-referenced to policies. Draft policies based on ISO 9001 requirements. Circulate for input from all departments. Note quality system inadequacies identified. Determine format and structure of the manual. Publish first draft of manual. Formal review, approval and release.

EXAMPLE As an example of how the quality manual policies should reflect the requirements of ISO 9001 see the following:

ISO 9001 Requirement 5.6 Management review 5.6.1 General Top management shall review the organization's quality management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the quality management system, including the quality policy and quality objectives. Records from management reviews shall be maintained (see 4.2.4). 5.6.2 Review input The input to management review shall include information on

Sample quality manual policy X.X Management review X.X.1 General The management of XXX company reviews the company's quality system to ensure its continuing suitability, adequacy and effectiveness. The management review includes determining opportunities for improvement and the need for changes to the quality system, including the quality policy and quality objectives. The management review convenes on at least an annual basis. Records of the management reviews are maintained in accordance with the company's quality records policy (ref. xxx). X.X.2 Agenda and Minutes

a) results of audits, The agenda of the management review is as b) customer feedback, follows: c) process performance and product conformity, d) status of preventive and corrective actions, a) results of internal and external audits e) follow-up actions from previous management b) customer feedback reviews, c) process and product quality results f) changes that could affect the quality management d) follow-up actions from previous management system, and reviews g) recommendations for improvement. e) organizational or business changes that could affect the quality system 5.6.3 Review output f) action items for improvement g) other business The output from the management review shall include any decisions and actions related to Minutes are kept as a record of the management reviews, to include at least: a) improvement of the effectiveness of the quality management system and its processes, a) action items to improve the effectiveness of b) improvement of product related to customer the quality system and processes requirements, and b) action items to improve product quality c) resource needs. c) resources needed to successfully implement above action items
***

4.2.3 Document Control

Keeping your QMS Current
THE IMPORTANCE OF DOCUMENT CONTROL A cornerstone of the quality management system (QMS) is the control of documents. While not a particularly glamorous activity, document control is an essential preventive measure ensuring that only approved, current documentation is used throughout the organization. Inadvertent use of out-of-date documents can have significant negative consequences on quality, costs and customer satisfaction. "It behooves those responsible for managing their organizations QMS to design a document control process that is simple to use, easy to monitor and effective to prevent the use of incorrect documentation." Because of its importance, companies often invest heavily in dedicated staff, detailed procedures and specialized software programs to keep control of their QMS and other business documents. Auditors (internal and external) also pay particular attention to document control disciplines resulting in frequent audit nonconformances (it is commonly reported that document control generates the most nonconformances in and ISO 9001 QMS). It behooves those responsible for managing their organization's QMS to design a document control process that is simple to use, easy to monitor and effective to prevent the use of incorrect documentation. DESIGNING YOUR DOCUMENT CONTROL PROCESS Before reviewing the specific ISO 9001 document control requirements, let's briefly discuss essential design criteria for an effective document control process. Less is often better than more. While it may see obvious, it's easier to control a smaller number of documents than a larger number of documents. Document control starts with document design. Encourage your document authors to be concise and make their documents multi-purpose when possible. An annual documentation review to spot redundancies, documents no longer needed, and opportunities to consolidate will help keep your QMS document set lean. Navigation, hierarchy & structure Developing a layered structure for your documents helps users find what they are looking for. An ISO 9001 structure typically organizes itself into 4 levels:

Policy - the companys position or intention for its operation Procedure - responsibilities and processes for how the company operates to comply with its policies Work Instruction - step-by-step instructions for a specific job or task Forms and Records - recorded information demonstrating compliance with documented requirements

This logical arrangement clarifies the authority, scope and interrelationships of each document. Lower-level documents must agree with requirements of related higher-level documents. Higher-level documents generally reference lower-level documents for easy navigation. The mixed blessing of cross-referencing It is common for companies to add multiple references to related documents within the body of their documents. While this can help a reader quickly find additional information on a topic, the ability to maintain (update) all references to a document can be difficult. If you choose to use cross-references, be sure you have a way to comprehensively search for all instances of a specific document reference so they can be reviewed and updated if needed when a document is revised. Alternatives to intra-document referencing might include:

Carefully designed document numbering systems A document master list showing parent-child relationships between documents The use of an electronic document management system that helps manage document interrelationships and provides for easy searching of document contents

Reviews & approvals As a document is written, it is often helpful to solicit input from others before it is finalized. Circulating the

document for review can include future users of the document, managers responsible for the activity, workers in areas affected by the activity and other interested individuals. Planning a "review cycle" into your document development procedure can help document authors improve the quality of the resulting documentation. Document approvals are mandatory and must be kept as a record as well. When determining who should approve a particular document you must balance the desire for gaining buy-in and accountability by affected departments with the need for efficiency of the document control process. Often it is helpful to ask, "what value does each signature add to the document?" and limit approvals to those with direct knowledge or responsibility for the document. Generally, the more signatures you require, the longer the approval process will take. An alternative to a long approval list would be to include more individuals in the review process, giving everyone a chance to comment on the document before it is released. REQUIREMENTS FOR DOCUMENT CONTROL The ISO 9001 standard includes specific document control requirements that will be subject to all internal and external audits (ref. 4.2.3). Documents required by the quality management system shall be controlled. This includes all policies, procedures, work instructions, forms, specifications, and other company documents affecting quality or customer satisfaction. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4. A documented procedure Records often (though not exclusively) result from a form that is completed and filed. A separate ISO Explained article will cover the requirements of records in detail. A documented procedure shall be established to define the controls needed A document control procedure is one of six mandated procedures in the ISO 9001 standard and it must include the company's processes for the following requirements: a) to approve documents for adequacy prior to issue, Approval signatures must be recorded prior to the release and use of the document. Approvals may be in the form of a written signature or a password-protected electronic approval record. The date of all approvals must precede the document's release date. While not explicitly stated, this requirement also applies to temporary memos or postings that are used to communicate QMS or product-related requirements. Any temporary documents must be clearly identified, signed and dated. It is advisable to include an expiration date on temporary documents to ensure they are removed from use when intended. b) to review and update as necessary and re-approve documents, All documents must be reviewed periodically and updated and re-approved if needed. This review can be tied to a company's internal audit process, management review or scheduled on some periodic (annual?) basis. A record of such reviews must be kept. c) to ensure that changes and the current revision status of documents are identified, When a document is updated, a record must be kept of the change (the reasons for and nature of the change). In addition, current revision status must be maintained. This includes the current development stage (draft, review, approval, etc.) and the date or revision level (number or letter) identifying the current version of the document. d) to ensure that relevant versions of applicable documents are available at points of use, The storage and access of documents must easily allow individuals to find the appropriate version of a document to use where needed. Note that older versions of a document that are still needed (e.g. specifications for an older product) may remain active if necessary, but the revision level must be made clear. You should consider where designated controlled locations of your documents will be established and whether short-term reference copies of controlled documents will be permitted. Typically, the easier it is for employees to access controlled copies when needed, the fewer times they will feel the need to use an uncontrolled copy of a document. Ensuring timely and convenient access to documents is frequently the source of high costs and repeated discrepancies.

e) to ensure that documents remain legible and readily identifiable, The format and storage of your documents must protect a document from being rendered unreadable due to wear or damage and that every document can be clearly identified through a title, document number or other suitable identification. f) to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled, and Documents that do not originate within your organization, but are necessary for ensuring quality and meeting customer requirements must also be controlled. These can include customer, supplier or industry documents (including your copy of the ISO 9001 standard). However, the extent of control is limited to clear identification and controlled distribution. A log or other record would suffice to track external documents. g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose. Out-of-date documents or older versions of revised documents must be protected from unintentional use. This usually requires segregation or disposal of obsolete documents. Any obsolete documents that are kept for reference or other purposes must be clearly identified through markings, separate storage areas, or other means. MEASURING SUCCESS How can you measure the performance of your document control process? Here are some suggested metrics: 1. 2. 3. 4. 5. User satisfaction Periodically survey your employees regarding the usability of your documentation. Use the results to improve the format of your documents and training of your authors. Document errors Track the number of document revisions due to information mistakes in your documentation. Results will often reveal weaknesses in your review and proofreading processes. Up-to-date Count the number of document revisions or audit discrepancies stemming from a document that is out-of-date. This will tell you whether your periodic document reviews or obsolete document provisions are effective. Cycle time Measure the time it takes a document to be developed or revised from initial draft to release. Work to improve the efficiency of your document control process as you would any other business process. Cost Consider tracking the costs associated with your documentation including developing, revising, storing, retrieving, distributing, filing, auditing, reviewing, approving, etc. Of these potential costs, document retrieval is often an expensive hidden cost generated when individuals must search endlessly for a document because of inadequate indexing, organization, storage or training.

Results of the performance measures of your document control process can help you determine how to drive continual improvements into your entire QMS.

4.2.4 Control of Records

Maintaining objective evidence of compliance
Record keeping is one of the most painstaking, and important requirements in the ISO 9001 standard. Painstaking, because records must be identified, filed, protected and controlled throughout their lifecycle. Important, because they contain the history of how your quality management system (QMS) is functioning. The energy, effort and expense of keeping up your quality records are ongoing investments in building a reference-base for analysis, compliance and improvement. WHY KEEP RECORDS? The discipline of maintaining your QMS records ensures that you will have an objective means of assessing QMS effectiveness. With this historical evidence you can:

Understand how well your QMS is performing Trace back to the source of problems Demonstrate compliance to requirements Evaluate trends in QMS performance Monitor improvements

" The energy, effort and expense of keeping up your quality records are ongoing investments in building a reference-base for analysis, compliance and improvement. " With your quality records you can answer questions such as "why did this happen?", "when did this problem first appear?" and "is the problem gone?". With such valuable information at your fingertips, your records should be treated as invaluable. Additionally, your quality records are a primary reference for your internal and external auditors to assess your compliance to requirements. As each record is filed, keep in mind that an auditor may want to retrieve it in order to evaluate the effectiveness of the QMS. WHAT RECORDS SHOULD BE KEPT? The ISO 9001 standard has a built-in reference to all required records wherever the phrase "see 4.2.4" is found (4.2.4 is the paragraph dealing with Control of Records). The 20 mandated ISO 9001 records are:

1. Document Control (4.2.3) 2. Management Review (5.6.1) 3. Education, Training, Skills and Experience (6.2.2) 4. Product Realization (7.1) 5. Customer Requirements Review (7.2.2) 6. Design and Development Inputs (7.3.2) 7. Design and Development Review (7.3.4) 8. Design and Development Verification (7.3.5) 9. Design and Development Validation (7.3.6)

10. Design and Development Changes (7.3.7) 11. Supplier Evaluations (7.4.1) 12. Production/Service Processes (7.5.2) 13. Identification and Traceability (7.5.3) 14. Damaged/Lost Customer Property (7.5.4) 15. Calibration (7.6) 16. Internal Audit (8.2.2) 17. Product Conformity (8.2.4) 18. Nonconforming Product (8.3) 19. Corrective Action (8.5.2) 20. Preventive Action (8.5.3)

In addition, you might give careful consideration to other records you might need to include in your QMS that would give you an important historical reference for critical areas. You may want to include records for maintenance (6.3) and customer satisfaction (8.2.1), for example. WHAT ARE THE ISO 9001 REQUIREMENTS? All 20 required quality records that are applicable to your organization's processes, and any additional records you decide are important to maintain, must be kept according to the "Control of Records" requirements in the ISO 9001 standard: Records established to provide evidence of conformity to requirements and of the effective operation of the quality management system shall be controlled. The organization shall establish a documented procedure to

define the controls needed for the identification, storage, protection, retrieval, retention and disposition of records. Records shall remain legible, readily identifiable and retrievable. (ref. 4.2.4) Lets briefly clarify each requirement: Legible You must ensure handwritten records can be easily read and that you protect paper records from deterioration that might affect their readability. Readily Identifiable Each record should be uniquely identified through a number, code, title, date, storage location or other appropriate method. Anyone looking at the records should be able to easily tell what they are looking at. Retrievable Every record should be filed and stored in such as way as to be easy to find and access when needed. In addition, you must have a documented procedure for controlling records. In the procedure you must address how your organization handles the following: Identification What minimum information must be added to every record for identification (see "Readily Identifiable" above). Storage How hardcopy and electronic records are stored to protect them. Protection What methods must be used to preserve records from loss or deterioration. For hardcopy records, you may want to include where files are kept, in what types of storage containers and any environmental concerns (moisture, temperature, etc.). For electronic records, be sure to include how the data is backed-up regularly. Retrieval Describe how records are indexed or otherwise organized to facilitate easy access (see "Retrievable" above). Retention Time Specify minimum and/or maximum retention requirements for each type of record. Be sure to establish a schedule to review your records according to your requirements. Disposition Determine how you will dispose of records when scheduled. For confidential records, be sure you are explicit about how you intend to destroy the records. HOW CAN WE KEEP IT SIMPLE? With at least 20 types of quality records to maintain according to the ISO 9001 requirements, organizations are often seeking to simplify their approach to record keeping. Here are some suggestions:

Assign clear responsibility for filing, maintaining and disposing of each record. Provide adequate storage capacity so filing can be maintained. Keep your records only as long as necessary, then dispose of them. evelop a records retention matrix that shows who is responsible, storage locations, protections, security, retention requirements and disposal methods. Move as many records as possible to a searchable, electronic format to keep storage costs down and make them easy to retrieve when needed.

By keeping your record keeping as simple as possible, you'll keep your costs down, prepare for seamless audits and keep your ISO-life somewhat manageable. ***

5.0 Management Responsibility

The Leadership Challenge
THE RESPONSIBILITY OF TOP MANAGEMENT: The ISO 9001 standard contains high expectations for top management leadership and involvement to provide guidance to the overall quality management system. In fact, nearly 15% of the standard's text is devoted to the subject of top management responsibility. Clearly, the designers of the standard have realized the imperative for the perspective and authority that top management must bring to ensure effective operation of the system. Because of this, it can be expected that ISO registrars will approach the auditing of the standard with a heightened focus on the function of management in the system. The auditors will be looking for objective evidence that management has a regular discipline of involvement and leadership as prescribed by the standard. This evidence must be more than merely words of support for quality. The activities outlined in the requirements are all demonstrable, and records of such activities will be carefully reviewed. This extra focus on the role of management is explained in the opening text of the Management Responsibility requirements section: "Top management shall provide evidence of its commitment to the development and implementation of the quality management system and continually improve its effectiveness..." (ref. 5.1, ISO 9001). REQUIREMENTS FOR TOP MANAGEMENT: The ISO 9001 standard lists six distinct requirements for top management. By "top management" the standard refers to the individual at the top of the organization (e.g. CEO, President, Chairman) and his/her direct reports. Depending upon the size and structure of the organization, one or two layers of management below this top group may be included in this scope. In summary, the requirements for this leadership group are: 1. 2. 3. 4. 5. Consistent commitment to making the quality management system effective as demonstrated by regular communications, establishment of a quality policy and quality objectives, management reviews and resource provision (ref. 5.1). Ensuring customer focus throughout the organization as demonstrated by clearly determining and consistently meeting customer requirements resulting in improved customer satisfaction (ref. 5.2). Establishment and communication of a quality policy that articulates management's intention that the company complies with all requirements (customer, regulatory, etc.) and will continually strive to improve the overall quality management system's effectiveness (ref. 5.3). Ongoing planning of measurable product quality and process quality objectives to be sure they are established and met throughout the organization, even when changes to the quality management system are made (ref. 5.4). Defining and communicating responsibility and authority for everyone affecting the quality management system, including a designated management representative who has the authority to ensure the system is established and maintained and is responsible to report the system's performance to top management (ref. 5.5). This requirement also includes the need to establish effective communication processes within the organization regarding the effectiveness of the quality management system. Conducting a regular management review of the quality management system to ensure that it remains suitable, adequate and effective to satisfy the company's quality policy and accomplish the organization's quality objectives (ref. 5.6).

6.

A management team responsible for preparing their organization for ISO 9001 registration will need to give focus and attention to the planning and implementation of the specific requirements for top management and the oversight of the development of the organization's overall quality management system.

5.4 Management Planning

Setting a direction
WHAT'S THE POINT? To some, the point of ISO 9001 registration is a certificate. While important to convince customers that certain procedures are in place, a certificate can be a very expensive piece of paper if that is the only benefit realized by the organization. To others, the point of IS0 9001 is measured performance improvement for the organization, and the certificate is merely a confirmation of an effective quality management system (QMS). This results-focused view of ISO 9001 is confirmed by the growing number of companies pursuing "compliance through self-certification" instead of a formal registrar-certification of their QMS. The framers of new standard also saw performance improvement as the central point of the standard. The expanded top management responsibilities make clear who must lead the charge toward measurable results. Top management shall ensure that quality objectives are established within the organization. (ref. 5.4.1) The quality system must be planned and implemented by top management: in order to meet the quality objectives. (ref. 5.4.2) "The point of IS0 9001 is measured performance improvement for the organization." Many ISO 9001 professionals believe the establishment of meaningful, measurable quality objectives toward which the entire QMS is directed is a very important part of the ISO 9001 standard. For it is in the setting and achieving of business-essential objectives that a real return-on-investment (ROI) can be found. So, as top management sits down to discuss quality objectives, they must define quality for their organization and its customers. Surely the quality of products and services should be included. Certainly measures of customer satisfaction would be on the list of key objectives. But what about other drivers of a quality organization such as:

Delivery performance Percent of total market share Sales generated from new products

Through-put time from sale to delivery Time to order fulfillment Cost of rework and scrap

We could name a dozen additional measures of a quality company, but the determination of "quality objectives" may not be much different from setting "business performance targets" as part of strategic planning. While a (surprisingly) few measures are mandated in the ISO standard, it is left to the organization's management to set objectives most useful to the organization and its customers. BREAKING DOWN THE STANDARD The section entitled "Planning" (5.4) starts with a mandate for senior management: Top management shall ensure that quality objectives, including those needed to meet requirements for product [see 7.1 a)], are established at relevant functions and levels within the organization. (ref. 5.4.1) The primary responsibility for the establishment of quality objectives cannot be delegated, though involving the rest of the organization can help ensure the objectives are realistic with a high degree of buy-in. Top management must determine performance targets for the organization as a whole, and then break them down into smaller sub-objectives that can be assigned to divisions, departments, teams or individuals, as appropriate. As is stated, the objectives must include required product quality goals as specified in section 7.1, Planning of Product Realization: In planning product realization, the organization shall determine the following, as appropriate: a) quality objectives and requirements for the product (ref. 7.1) The additional objectives set are left to the judgment of management based on the organization's size, market, product mix, complexity, etc. It is typical that the organization limit the number of objectives to those most vital to the organization's success. DEFINING MEASURABLE OBJECTIVES The objectives must also be measured:

The quality objectives shall be measurable and consistent with the quality policy. (ref. 5.4.1) This would eliminate "motherhood-and-apple-pie" statements that are mere slogans espousing a general desire for quality. By stating that objectives must be "measurable", an objective set of data gathered, reported and analyzed should be able to clearly indicate whether or not specific objectives have been reached. In establishing measurable objectives, many companies define the following for each: Objective Statement of the performance area to be achieved. Measurement Data to be collected to monitor actual performance. Baseline Historical level of performance; establishes the starting point. Target Specific performance goal for the objective. Target Date Date by which the target is to be achieved. Owner Person/group responsible to gather, report and analyze the measurement data. Reporting Frequency Schedule for reporting, analyzing and responding to the measurement data. Review Frequency Schedule for reviewing the objective and corresponding target for possible modification to ensure ongoing relevancy for the organization. While this format is not specified by the ISO 9001 requirements, an organization might want to consider including many of these elements in their quality objectives planning. It is also required that all quality objectives are "consistent with the quality policy" (see 5.3). That means there must be logical relationship between the performance targets of the organization and top management's statement of intention that it intends to achieve quality as a result of the company's operation (see the ISO Explained article on "The Quality Policy" available from www.9000world.com for more information on how to establish a quality policy). The consistency between the quality policy and quality objectives must be clear to third-party auditors as well as those more familiar with the company. GENERAL QMS PLANNING In addition to setting quality objectives, management is responsible for planning the overall QMS. Top management shall ensure that a) the planning of the quality management system is carried out in order to meet the requirements given in 4.1, as well as the quality objectives, and b) the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented. (ref. 5.4.2) First, the QMS must be planned (and implemented) to be sure the requirements listed in the "General Requirements" for the QMS (ref. 4.1) are met. These requirements are summarized below: 1. 2. 3. 4. 5. 6. 7. The QMS must be established and continually improved. QMS processes must be identified (including processes outsourced by the company) and their sequence and interactions determined. Criteria and methods of control must be established to be sure the QMS processes are effective (NOTE: The company's quality objectives can meet this requirement). Needed resources and information must be available to operate and monitor the QMS processes. QMS processes must be monitored, measured and analyzed. Actions must be taken to meet planned results (quality objectives) and continually improve QMS processes. The QMS processes must meet the requirements of the ISO 9001 standard.

So, the QMS planning must incorporate all of the requirements found in section 4.1, and compliance with these requirements must be maintained.

Second, the QMS must deliver results. It is expected that top management monitor the company's performance against its stated quality objectives and take necessary actions to be sure these objectives are met. Third-party auditors will certainly be looking to see a strong pattern of meeting stated objectives. Third, the QMS planning process must respond to significant organizational changes by making necessary adjustments to policies, procedures, quality objectives, etc. Changes that could require QMS modifications might include new product lines, customers with new requirements, marked organizational growth or downsizing, acquisition or divestiture of company facilities, management reorganizations, etc. THE POINT OF IT ALL This brief set of management "planning" requirements has huge implications for any organization seeking ISO 9001 compliance or registration. Senior management must "direct the ship" by steering the organization toward clearly stated, consistently measured and carefully analyzed quality objectives. It is through the use of quality objectives that top management can keep the organization focused on what is most important to the company and its customers, ensuring improving results that deliver real, demonstrable quality throughout the company.

5.5.2 Management Representative

What it takes to make a difference
Leadership. Direction. Coordination. Communication. Coaching. All terms that could describe the critical role of the Management Representative (MR) in an ISO 9001 quality management system. Just as the point guard on a basketball team is responsible for setting up plays for his teammates, the MR is an enabler of the quality system. But, don't confuse responsibility for enabling the quality management system with developing and implementing the quality management system. The ISO 9001 standard clearly places the latter responsibilities with "top management" (see ISO 9001 5.1 and Core Business Solutions' ISO Explained article on "Management Responsibility"). The standard requires that the MR must be "a member of management" serving primarily as the "eyes" and "ears" of top management to monitor how well the quality system is developed and implemented. The MR primarily provides feedback to top management on the effectiveness of the quality management system. "The Management Representative primarily provides feedback to top management on the effectiveness of the quality management system." The MR might want to be careful not to insolate top management from their responsibilities. The writers of the ISO 9001 standard perhaps saw the possibility of top management taking a "backseat" role in the operation of the quality system by delegating implementation responsibility to the "quality guy" (or gal). The result of this separates the real authority in the organization from the responsibility (i.e. accountability) for quality, including conformance of the QMS leading to lower effectiveness and efficiency overall. That said, the effective MR will accept the responsibility and exercise the authority of enabling the proper functioning of the QMS to meet its objectives. These duties, "irrespective of other responsibilities" include: a) ensuring that processes needed for the quality management system are established, implemented and maintained, b) reporting to top management on the performance of the quality management system and any need for improvement, and c) ensuring the promotion of awareness of customer requirements throughout the organization. (ref. 5.5.2) Let's look at each of these individually. ENSURING IMPLEMENTATION The first responsibility of the MR is to ensure that all necessary QMS processes are adequately defined, effectively deployed, and continually kept up. To accomplish this, the MR generally takes the role of project manager for the design and implementation of the QMS. This is often coordinated through one or more project teams who define processes relating to their areas of responsibility and involving appropriate functional managers. The MR may also coordinate or provide training to those developing the QMS processes and related documentation to ensure an adequate understanding of what is required. As processes are defined (and documented), the MR may also oversee the document control function as it pertains to the control of QMS documentation. This will ensure that the processes are effectively described in terms that will satisfy all requirements. Finally, the MR is often the coordinator of the internal auditors who monitor the compliance and effectiveness of the QMS. The effectiveness of the audit program is essential to the MR's ability to ensure proper implementation and maintenance of the required processes. REPORTING RESULTS Beyond overseeing the implementation of the QMS, the MR is also responsible to report on the effectiveness and needed improvements of the QMS to top management for review and action. One means of reporting is the distribution of internal audit reports to the appropriate functional managers and tracking open issues through successful resolution. The other primary means of MR reporting is by taking the role of facilitator for the management review. This can include:

Establishing the management review schedule Developing the management review agenda

Coordinating the reporting of results Guiding the discussions through the agenda Suggesting needed improvements to the QMS Publishing minutes of the management review

Effective and clear reporting will give top management the information needed to manage and improve the QMS effectiveness. ENSURING AWARENESS The third primary responsibility of the MR is to ensure that customer requirements are communicated throughout the organization so all employees are aware of requirements that pertain to their job responsibilities. This does not necessarily mean that all communications must come directly from the MR. Instead, the MR must monitor how effectively this communication takes place and identify breakdowns that need to be addressed. This duty of ensuring employee awareness has been frequently criticized as being too open-ended to be practical. What specific "customer requirements" must employees be "aware" of? Must all employees be aware of all customer requirements? What criteria is used to assess whether this communication has been effective? As with many areas of the new standard, the use of general (aka "open-ended") language leaves the interpretation open for the company to define for their own unique needs. Since the MR is responsible to ensure this awareness of requirements, he/she might do well to start by defining which customer requirements need to be addressed to which employees. Here are some leading questions that might help you get started:

QUESTIONS: What requirements are explicitly stated by our customers? How? In what format?

EXAMPLES: Specifications Purchase orders Quality criteria Other documented criteria Proposal details Quotations Catalog specifications Warrantees and return policies Marketing materials

What might be considered a customer requirement because of our advertised promises? What requirements might be implied by our customers as just doing good business?

- Delivering on time - Prompt, accurate communications - Reliable packaging

Once a list of customer requirements is made they can be associated with the employees (by position, workgroup or department) that affect the company's ability to meet the requirements. Then the question must be asked, "How does this employee become aware of this requirement?" By asking "how?" the MR will be able to evaluate the communication processes that are in place (or not in place as the case may be) to ensure that the awareness of requirements is maintained. Some examples of the types of communication processes that might be used are:

Standard meeting agendas Routing sheets for specifications Approvals Standard distribution lists Employee bulletins Procedure reviews Controlled wall postings Data charts showing the company's performance against requirements Employment handbooks Electronic workflows

This list could obviously be expanded based on a company's unique circumstances. By focusing on communication processes, and ensuring these processes are defined and implemented (including, perhaps, being subject to auditing), the MR can ensure effectiveness and repeatability throughout the organization. Keep in mind, though, that the MR's direct responsibility is to "ensure" that the communication takes place and that it is effective, not necessarily to provide all the communication directly. QUALITY LIAISON A final (suggested) duty for the MR is that he/she serves as: liaison with external parties on matters relating to the quality management system. (Ref. 5.5.2) This can include coordinating audits with customers or your ISO registrar or other quality related communications that may be needed. ARE YOU UP FOR THE JOB? What characteristics and skills might you need to be effective in the role of Management Representative? Here are some thoughts:

Strong knowledge of ISO 9001 requirements Broad knowledge of your company's operation and its QMS Ability to listen and influence Ability to summarize information and communicate effectively Project management and organizational skills

The Management Representative plays a critical role in your company's QMS. The more clearly you understand the responsibilities being asked of you, and the more clearly the rest of the organization understands your role, the more effective you can be.

6.2 Competence, Training and Awareness

Dealing with "people issues"
You may have heard the old saying, "Management would be easy if it weren't for all these people issues!" Let's try it again, "Quality would be easy if it weren't for all these people issues!" It seems that dealing with people issues must have been a hot topic of discussion during the development and revision process of the ISO 9001 standard. While an earlier version of the standard said we needed to identify training needs, deliver the training and keep records, the most recent revision (ref. 6.2.2) includes phrases such as "achieving the necessary competence" and "evaluate the effectiveness". The somewhat obvious implication in the new requirement is that we have to deal with the people issues in a way that actually works, not just to go through the motions. The centerpiece of the requirement is competence. The dictionary definition of competence is: a. The state or quality of being adequately or well qualified; ability. b. A specific range of skill, knowledge, or ability. "Within the quality management system, the point is certainly the employees ability to do the job in such a way that requirements are met - both procedural (process) requirements and customer requirements." Qualified to do what? Ability to do what? The job, of course. Within the quality management system (QMS), the point is certainly the employee's ability to do the job in such a way that conformity to requirements is achiveved both procedural (process) requirements and customer (product) requirements. So, the quality process(es) put in place to deal with the "people issues" must result in conformity to requirements (i.e. effectiveness). By shifting the focus beyond a method (training) to a result (competence), the bar has been sufficiently raised in recent revisions. As you consider how best to organize your training and other people-related processes to meet the ISO 9001 requirements, keep your eye firmly on the main point competence. WHAT'S REQUIRED? Let's look through the requirement to understand what should be in place and how we can ensure our people-processes are effective. Define the essential abilities The first requirement says the organization must: Determine the necessary competence for personnel performing work affecting conformity to product requirements (ref. 6.2.2 a) All work done as part of the QMS directly or indirectly affects the company's ability to satisfy its customers and meet requirements. Therefore, the job functions responsible for each activity defined in the QMS must be staffed by qualified people. As with much of the ISO language, it is left to the organization to define what "competence" means in their specific context. To break this down a bit, we might borrow from the human resources profession which developed the categories of "knowledge, skills and abilities" (KSAs) to describe the competencies required for a job. To define requirements for each job position you might ask:

"What job-specific knowledge area(s) must be well understood by someone in this job?" "What manual, mental or interpersonal skills must an employee have to do this job well?" "What natural abilities or talents must someone possess to be effective in this job?"

What results from an exercise like this would be a list of competencies for the job that can be used for hiring purposes and subsequent training and development plans. Once the list is prioritized to include only the most critical competencies (10 15 maximum?), you'll need to document them in some appropriate manner (job descriptions, training matrix, or other means). Now that you've identified the required competency areas for each job, you need to translate it into a training and development plan for your employees. Generally, this is done by evaluating or assessing your employees' current knowledge, skills and abilities against the requirements for the job.

This can be a simple process of having each employee rate themselves in each competency area, identifying strengths and weaknesses, then reviewing the rating with their immediate supervisor. Or, the supervisor could do the employee ratings on their own. A more in-depth approach would be to develop a formal certification to evaluate employee competencies. Regardless of the method chosen, any competencies that fall below the required performance level become the development needs for the employee. For new employees, the same process would be followed when hired resulting in a similar list of needs for competency development. Provide a process for competency development Once the competency needs are identified this should be followed by an appropriate intervention to close the "learning gap". In the words of the standard, the organization must: Where applicable, provide training or take other actions to achieve the necessary competence (ref. 6.2.2 b) Again, it is left to the organization to determine the appropriate method. This can be in the form of on-thejob or off-the-job training, job shadowing, mentoring, public seminars, educational courses or any other suitable method. Follow-up to ensure the competency was learned Following the training or other intervention, an appropriate evaluation of the employee's competency level should be completed. The standard requires the organization to: Evaluate the effectiveness of the actions taken (ref. 6.2.2 c) Once more, the organization can determine a method that works in their specific context. Verification of effectiveness could be as simple as repeating the competency rating process mentioned above to ensure the gap has been closed. Other approaches could include:

Special inspection of the employee's work until the needed quality level is reached Written test following the training Formal certification process Supervisor follow-up 60 days (or so) following the training or intervention Formal performance review

Some companies have also indicated that their internal-audit program and/or corrective action process is a secondary evaluation of training effectiveness as these would indicate "people issues" that affect conformance to requirements, albeit after the problem has negatively impacted the QMS. Ensure quality awareness The fourth requirement requires that the organization: Ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives (ref. 6.2.2 d) This communication can take any appropriate form as long as the result is the same employee understanding of how they impact quality. More specifically, each employee must know how their job affects the QMS as a whole and how their work helps the company reach its quality objectives. To accomplish this the organization might use techniques such as:

Announcements at employee meetings Review of the employees job description when hired, and perhaps annually thereafter Review of procedures and work instructions pertaining to the employees job Regular bulletins, memos or postings Standard departmental meeting agendas when quality objectives are reviewed

To confirm that this awareness has been achieved, the organization might consider asking employees questions relating to their impact on quality during the internal audit process or employee performance reviews. Since it is required that the company "ensure" that employees are aware of quality issues, consider what quality records you might keep as objective evidence that this has been achieved. Keep records As with most required quality processes in the ISO 9001 standard, records must be kept. Specifically, the company must:

Maintain appropriate records of education, training, skills and experience (ref. 6.2.2 e) These records relate to both pre-hiring requirements and competency development that occurs once the employee is on board. Many job positions have prerequisite requirements that must be met in order to be considered for employment with the company. However, as many experienced managers have learned, prerequisite hiring requirements cannot always be fully met given the available applicants when a position is filled. Occasionally, exceptions need to be made in the requirements with the expectation that follow-up support, training or other competency development technique will be used to close the gap. In these cases, the company would do well to make provision for these instances in their policies and procedures. Perhaps an approach that allows for supplemental training after hiring would suffice. Another issue relating to pre-employment requirements is that many companies consider employment applications and employee rsums or CVs confidential and are reluctant to make these available during internal or external audits. If that is the case, a record may be made during the hiring process that the employee qualifications were reviewed and found satisfactory. This record could then be made available to the auditor. If this approach is used, a statement that specifies employee application documents as confidential and that they will not be made available for audits should be made in the company's policy. Other than the special circumstances mentioned here, complete records of education, training, competency evaluations and skill-development job experience and assignments that were completed after hiring must be maintained. These records are considered quality records and must be kept according to the requirements of section 4.2.4 in the standard. KEEPING IT SIMPLE As we have discussed, the requirements dealing with employee competency, training and other development activities are varied and can be somewhat intimating. You might consider a strategy that emphasizes simplicity and broad involvement. By keeping your procedures and record-keeping as straightforward as possible, the challenge can be manageable. It will also help to provide the tools and then assign implementation responsibility to employees and their immediate supervisors, whenever practical. In any case, the quality processes designed to address the "people issues" that affect quality are vital to the effectiveness of your QMS and your ability to satisfy your customers. ***

7.4 Purchasing
Developing a supply-chain that satisfies your customers
The Purchasing requirements in the ISO 9001 standard help to ensure that products and services you purchase from various suppliers fully meet your needs so that you can, in turn, satisfy your customers. The disruption and cost to your organization stemming from supplier problems can impact your customers and your own bottom-line. So, having processes in place that prevent problems and provide consistency within your supply chain is a key focus of your ISO quality management system (QMS). CONTROLLING WHAT IS NOT UNDER YOUR DIRECT CONTROL "It is surprising how many times a 'supplier problem' actually has its root cause in your own organization stemming from internal miscommunication, inaccurate information or other mishaps that lead to 'mistakes' made by a vendor." While your suppliers' operations are not under your direct control, your purchasing power can give you significant influence over which suppliers you do business with and how they meet your needs. This influence starts with you having a clear understanding of what your needs are regarding purchased materials and services. These needs then must be translated into criteria for choosing suppliers and requirements for them to meet. Without this clarity, neither you nor your suppliers will know what is to be expected and will inevitably lead to problems down the road. It is surprising how many times a "supplier problem" actually has its root cause in your own organization stemming from internal miscommunication, inaccurate information or other mishaps that lead to "mistakes" made by a vendor. The ISO 9001 requirements for Purchasing (section 7.4) itemize basic processes that will put you and your suppliers on the same page. Your ISO QMS then begins with you firming up your own purchasing processes to improve the information suppliers will rely on to meet your requirements. Then, controls are put in place to monitor supplier performance and to take corrective action, if needed. By establishing strong internal procedures for purchasing, you'll more easily exert the influence needed to assure quality coming into the loading dock. MAKING THE RIGHT CHOICE The purchasing requirements begin with a recognition that your company is responsible to: ensure that purchased product conforms to specified requirements. (ref. 7.4.1) To do this you'll establish controls for your suppliers and your purchased product that are appropriate based on how the supplied product might impact your products and/or services delivered to your customer. If a supplied part is critical, you'll exert more control than if a part is less important to the quality of your company's output. This control begins with the selection of suppliers that you'll depend on to meet your own customers' requirements. You'll implement processes for initially qualifying suppliers based on appropriate criteria such as cost, quality and delivery requirements. The criteria you establish should make sense for your business. Once qualified, suppliers must be reassessed to reconfirm their continuing ability to meet your requirements. This re-qualification will be based on data analysis relating to your suppliers' performance. Section 8.4 of the standard itemizes these requirements. Records for the selection, evaluation and reevaluation of your suppliers must be maintained. COMMUNICATION IS KEY How you communicate with your suppliers has a direct impact on their ability to meet your requirements. Your documented purchasing requirements define the target they must hit when delivering their products or services. The accuracy, clarity and level of detail provided in your purchasing documents must be ensured though good internal administrative processes. Your purchasing information should clearly specify what is required, including as appropriate: a) requirements for approval of product, procedures, processes and equipment b) requirements for qualification of personnel, and c) quality management system requirements. (ref. 7.4.2)

On purchase orders or other documentation be sure that the details adequately describe the product or service you require including technical specifications, packaging and delivery requirements and special requirements for your supplier's internal processes. Again, depending upon the type of product or service purchased, the information will include more or less details. Your internal procedure should ensure that all purchasing information is reviewed before being sent to your supplier. MAKING SURE IT'S RIGHT The third purchasing process to address is how you verify that received material and services are what you ordered and that they fully meets your requirements. This verification may be through a simple confirmation when the product is received or may involve formal inspections or testing. If necessary, you may even want to verify the product before it is shipped, or allow your customer to do so, by visiting your supplier's facility for an inspection. If this is required, you'll need to specify this in your purchasing documentation when the order is placed or the contract is signed. A STEP BY STEP APPROACH As you prepare to implement an ISO 9001 compliant purchasing processes, you might want to follow these steps: Step 1: Define Criteria for Suppliers On what basis will you choose your suppliers? What minimum requirements must they meet? Step 2: Evaluate Current Suppliers Which of your current suppliers meet your minimum requirements? Which might need to improve to remain qualified or face being replaced? Step 3: Establish Qualification Process for New Suppliers How will you identify, evaluate and qualify new suppliers? How will these qualifications be recorded? Step 4: Set up Supplier Performance Monitoring Process What is the best way to track supplier performance? Who will review the data? When will action be taken? Step 5: Review Purchasing Communication Process How are your requirements documented for your suppliers? How do you ensure it is accurate, clear and detailed enough to communicate what is ordered? Step 6: Review Purchased Product Verification Process What procedures are needed to confirm that you receive what you ordered? When might a visit to a supplier's facility be needed to verify a shipment? For many organizations, bringing your purchasing processes up to ISO 9001 standards is an investment of time and effort that must fit into an already busy schedule. But this effort will not only support your ISO initiative, it can also be off set by fewer interruptions and unnecessary costs resulting from poor supplier performance.

8.2.2 The Internal Auditor

Selecting the right people for the job
ROLE OF THE INTERNAL AUDITOR: The internal auditor role is normally staffed by a number of experienced employees from throughout the organization. The purpose of the internal audit is to confirm that the companys documentation meets requirements (e.g. ISO 9001, OSHA, etc.) and that day-to-day operations follow the documentation. So, the internal auditor must serve as:

A catalyst An interface between different groups An advisor A reporter of fact

As the auditor serves in this role, he/she must be careful to bring an objective, professional perspective to the job. This means the auditor is not:

An inquisitor A fault finder or rock thrower Biased (for or against) Dishonest A policeman An inspector of products

AUDITOR QUALIFICATIONS: Selection of candidates for the role of internal auditor should be made based on several factors: Personal interest

Desire to take on extra responsibility.

Qualifications

Knowledge, skills, abilities, experience.

Work ethic

Ability to high quality and efficiency without direct supervision.

Specific minimum qualifications that should guide the selection of auditors include: Education

Demonstrated competence in clear and fluent oral communications and in written concepts and ideas.

Experience

Three to four years full-time workplace experience. Understand the role of individual units within the overall organization.

Personal Qualities

Communication skills

Tactfulness Flexibility Persistence Objectivity Integrity

Personal Attributes

Open-minded and mature Sound judgment Analytical skills and tenacity Ability to perceive situations in a realistic way Understand complex operations from a broad perspective

AUDITOR TRAINING: Specific skills for internal auditing are supported by training in:

Knowledge and understanding of the standards used. Assessment techniques of questioning, evaluating and reporting. Audit management and auditing skills such as planning, organizing, communicating and directing.

AUDITOR RESPONSIBILITIES: The tasks of the internal auditor include:

Obtain and assess objective evidence fairly. Remain true to the purpose of the audit without fear or favor. Evaluate constantly the effects of audit observations and personal interactions during an audit. Treat concerned personnel in a way that will best achieve the audit purpose. Perform the audit process without deviating due to distraction. Commit full attention and support to the audit process. React effectively in stressful situations. Arrive at generally acceptable conclusions based on audit observations. Remain true to a conclusion despite pressure to change that is not based on evidence.

AUDITOR SELECTION: The selection of appropriate individuals to invest the training and time commitment should consider matching personal qualifications with an understanding of the role and responsibilities of the auditor. Another important factor to consider is that the audit team must consist of individuals from a variety of functions. This supports the requirement that auditors must not audit their own function or department in order to maintain objectivity: "...selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work." (ref. 8.2.2, ISO 9001). ***

8.5.2 Corrective Action

Correcting a problem means correcting the process

Executive Summary: ISO 9001:2008 Corrective Action

"The secret to an effective approach to correcting and preventing problems through a corrective action process is surprisingly more simple than expected... Once you gain an understanding of what makes things work right, it becomes obvious what makes things go wrong." The centerpiece for driving improvement in an ISO 9001:2008 quality management system is your corrective action process. While some companies appear to miss this critical point and seem to "go through the motions" of root cause and corrective action, many other organizations learn how to use corrective action to its fullest advantage. When problems occur, either once or on a recurring basis, the root cause investigation starts with an understanding that nonconformities originate in a process that has failed. Processes that work well are those that follow four basic rules. When a process fails, then one (or more) of the rules have been broken and this broken rule is called the "root cause" of the problem. An effective root cause and corrective action process for ISO 9001:2008 is then the investigation into the process that failed to determine the process rule that was broken and then determining the correct actions for corrective action. By addressing corrective action from the perspective of the process approach underlying the entire ISO 9001:2008 standard, long term solutions and better overall results are achievable. This article presents a practical approach to root cause and corrective action you can use to transform your corrective action process into an effective tool for improved results for your organization and, ultimately, your customers.

Improved Results are None-Too-Common

In addition to the marketing benefits of an ISO 9001:2008 certification, measureable improvement in results is a promise sought by nearly every company who implements an ISO-compliant quality management system. The ISO 9001:2008 standard itself promotes a "Process Approach" intended to improve "results of process performance and effectiveness" and "continual improvement of processes based on objective measurement" (see 0.2, ISO 9001:2008). The expectation is that ISO 9001:2008 will have a measurable return-on-investment (ROI) in terms of better efficiency and effectiveness, not merely satisfy customer requirements for a certification. Unfortunately, better results are not always realized. Many managers who have "been through ISO" in the past have, through experience, found little payback from the huge effort put into preparing for and maintaining an ISO 9001:2008 certification. Too often, with the inordinate focus on writing endless documentation and scrambling to show auditors what they want to see, ISO is seen as an ancillary routine to the real business. To these realists, the familiar adage "document what you do, and do what you document" represents the sum total of what they expect from an ISO effort. This hardened perspective is reinforced by:

Issues recurring that were supposedly "fixed" in the past Problems escaping to impact the customer that should have been caught Company performance suffering due to mistakes that were "obvious" Hard lessons learned being too often "forgotten" by the organization

... and all of this happening with an ISO certificate proudly hanging in the lobby of the building. Is this the best we can expect?

Those that Do vs. Those that Don't

If you were to visit several companies with similar frustrating experiences as an objective outsider (as I have the privilege to do as an ISO consultant) you would begin to see a general pattern emerge that begins to explain, even predict, such disappointing results. You would find business owners and managers who genuinely care about the company and its customers. You would see leaders who react quickly to problems to minimize the impact on the customer. You would find them in endless meetings trying to understand what went wrong. You would observe them taking actions intended to stop problems from happening again in the future. And, too often, you would see the aggravation on their faces when the same problems recur despite the cost and effort expended to "solve" them in the past. There are, however, a good percentage of ISO 9001:2008 certified companies that have a very different experience. While every company faces problems and challenges, some find ways to quickly learn from their errors and put lasting solutions in place. When they face an issue, they not only resolve the immediate concern and its impact, they have a way of digging into the "root" of the problem and changing things so that it is permanently fixed. Their investigations into problems are not haphazard, but systematic and rational. Measurable progress in improvement is seen in results that matter to the business and its customers. I personally know this to be true because I have had the privilege of working with many of these successful companies. The interesting thing about companies at both extremes of the ISO spectrum is what they have in common:

Both Both Both Both Both

have talented and experienced management have committed and skilled employees experience problems that have to be addressed expend time, effort and money to address problems have the same ISO certification

The difference is not in the problems they face, nor the effort they expend, but in HOW they respond to problems. It is in the way they investigate to find the reasons problems occur. It is in the conclusions they draw from those investigations. It is in the corrections they make to their processes to alleviate the source of the problems. It is in the follow-up actions they take to ensure problems are permanently resolved. Overall, it is in their perspective and understanding of the nature of recurring problems and how to effectively address them. So, what's their secret? The secret to an effective approach to correcting and preventing problems through a corrective action process is surprisingly more simple than expected. It doesn't normally require big expenditures. It doesn't often involve complex statistics and analysis. It doesn't usually need complicated engineering solutions. The secret is found in gaining a simple understanding of what makes a process work well when it does how things run smoothly when they do. Once you gain an understanding of what makes things work right, it becomes obvious what makes things go wrong.

Making a Process Work Right

A process is basically the way in which work gets done. It is a series of steps that have been planned to result, if followed consistently, in what was expected. Manufacturing has processes that result in products. Engineering has processes that result in designs. Purchasing has processes that result in quality products and services received. Sales has processes that result in new orders or contracts. Service companies have their own unique series of processes. All businesses and all parts of an organization have processes designed to produce results; and often individual processes are connected together in bigger processes to produce bigger results. In order for any process to produce its intended results, it must follow a few basic rules: 1. 2. 3. 4. The The The The process process process process must must must must be be be be defined by those who plan the work understood by those who do the work easy to carry out on the job measured to understand its results

No matter what type of process in whatever kind of business, every process must follow these four rules to be effective. Break any of the rules and the process will fail. For example,

If a process isn't defined clearly, it will be up to the individual worker how to get the job done; this means that the process will be done differently by different people. If a process isn't fully understood by each individual worker, it will result in individuals to develop their own understanding of the process based on "educated guesses" and "trial and error". If a process is difficult to follow because of various obstacles (problems with equipment, materials, schedules, instructions, etc.) workers will be forced to work "around the system" to get the job done; this will produce differing results. If a process is not measured with reliable data, no one will really know how well results are being achieved and whether or not changes to the process should be made.

When a process is working well with good, predictable results, the four rules are being followed. Take a look at several well-running processes your organization and see if you can observe the four rules in action.

Finding the "Root Cause" of a Problem

Problems occur when a process goes wrong. A "one time" problem results from a single breakdown of a process. A "recurring" problem comes from a process that consistently breaks one or more of the four rules. In either case, when trying to solve a problem so that it is permanently resolved, a few basic questions will guide you to an understanding of what's wrong with the process that created the problem and, more importantly, what to do to correct it. In quality assurance lingo, this step in an ISO 9001:2008 corrective action process is called investigating the "root cause". Here are some investigative questions you can use to find the root cause of any process-related problem: 1. 2. 3. 4. Where is the process formally defined? Can those doing the work demonstrate complete understanding of the defined process? Are there obstacles in the process that prevent consistent adherence to the defined process? Do the measured results show the process capable of consistently meeting requirements?

These four simple questions are remarkably powerful in diagnosing the root cause of a problem. When using the questions, keep two general guidelines in mind. First, asking the four questions presupposes that you know which process originates the problem. In most problem-solving situations, there is a single process that has failed and has led to the problem. Be aware that because processes are linked, a problem seen "downstream" at the end of a series of processes may have resulted from a breakdown "upstream" at a previous process. Asking "why?" several times will help guide you to the original process that failed. Secondly, the four questions must be asked in order. For example, it is meaningless to ask workers to demonstrate their understanding (question 2) of a process that is not defined (question 1). Any reliable process first must be defined which means that it is documented, at least at a basic level. If then the process is defined and documented, checking understanding is based on specific requirements for the process, rather than the individual experiences and opinions of various workers. Likewise, looking for obstacles in the process that cause people to "work around" the official process (question 3) is futile if they first cannot demonstrate understanding of the process (question 2). This methodology for investigating the real reason behind a problem brings us to a definition of the "root cause": The root cause of a problem is the weakness in the process that originates the problem. There are, therefore, four possible "root causes" to any problem: 1. 2. 3. 4. Inadequate definition of the process. Inadequate understanding of the process. Obstacles in the process leading to "mistakes" or "shortcuts". Incapable process as shown by measurable data.

Accurately identifying the weakness (using the four questions) in the failed process is fundamental to determining the right corrective action to take to prevent the problem from recurring.

Corrective Action is as Easy as 1, 2, 3 ... 4

As critical it is to find the root cause of a problem, it is useless if action is not taken to correct the process. Fortunately, the four questions not only guide the investigation of the cause, they also direct us to the right corrective action. What a waste it is when a problem is well understood and the root cause is identified yet the effectual action is not taken, much like running a 1-mile race and stopping 100 yards from the finish line. Corrective actions become clear based on which of the four questions reveal the root cause: 1. 2. 3. 4. If the process is not defined adequately, create or update necessary documentation. If the process is not fully understood, provide training. If the process has obstacles, identify and remove them. If, after addressing 1-3 above, the process measures show the process incapable of meeting requirements, re-design the process (then ask questions 1-3 again).

The result is that companies that learn how to effectively resolve problems find the investment in ISO 9001 certification provides a foundation for future success. Care and diligence in the process corrective action drives the improvement in business processes that impact their customers and their own bottom line.