Verifying The Effectiveness Of Corrective Action

Verifying the Effectiveness of Corrective Action By Craig Cochran - North Metro Atlanta Region Manager, Georgia Tech Enterprise Innovation Institute When I first got into quality, I really hated verifying the effectiveness of actions taken to correct a problem. After all, I was young and inexperienced. All of the people whose actions I was verifying were older, wiser, and more experienced than I was. Who was I to say that their actions were effective or ineffective? My assumptions were as follows: 

If they said they did something, then they certainly did it.



Whatever they did was directly related to the problem causes, or they wouldn't have done it.



The action must have been effective; they would have told me otherwise.

All of these assumptions had to be correct, because I was working with seasoned professionals, right? Ha! Boy, did I learn a lesson. People just want to get paperwork off their desks or out of their in-boxes as quickly as possible. Taking actions on problems is one of many responsibilities that people have and, unfortunately, it's not always top priority. That's why it's crucial that action be carefully verified. Verification is not an act of suspicion or disrespect; it's simply a necessary part of problem solving. What exactly is being verified? You are seeking evidence that the causes of the problem have been removed or reduced. In a perfect world, each problem cause would be removed. Poof, it's gone. This is not always possible, though. Sometimes the best you can hope for is a reduction of the causes. The cause is still there, but it manifests itself less frequently or less severely. So the best option is to remove the cause, but the next best option is to at least reduce the cause.

Evidence The key to verification is evidence. You are seeking objective, factual evidence that your problem causes have been reduced or removed. This evidence usually takes the form of data or records. Another powerful form of evidence is your own first-hand observations. That’s not to say that you can't accept verbal evidence, but records, data, and first-hand observations are certainly better. The exact amount of evidence depends on the magnitude of the problem. Broader and more severe problems lead to more profound solutions, which in turn require more evidence to verify effectiveness. It is a simple matter of scale. The scale of verification must match the scale of the actions taken.

It's important to note that you're sampling evidence. You're taking a representative subgroup of all the available evidence. A 100-percent investigation of evidence is not necessary or particularly effective. Take what you believe to be a balanced and representative sample of the evidence. Shown in figure 1 are some examples of evidence to sample, all related to a problem with orders being late.

Problem: Late Orders Evidence

Type of Sample

Service records Review 10 service records from last week to see if work was performed on time Customers

Contact three of the customers who reported late orders and see if they have noticed an improvement

Procedures

Review the service procedures to see if they've been revised to include recently implemented improvements

Employees

Interview three employees at random. Make sure they understand what has been done to reduce late orders and their roles in implementing the improvements

Training records

Review the training records of these same three employees to see if they received training in the revised methods and procedures

Figure 1: Examples of evidence The evidence in figure 1 is a broad survey of indicators related to the "late order" problem. If we positively verify this evidence, then we can logically conclude that the actions were effective. Of course, the specific type of evidence and sample sizes will vary, depending on the nature of the problem and the magnitude of actions.

Verification Method You don't just show up in a department and start asking for evidence. That's a formula for frustration and ill will. Instead, give people notice that you're coming. If you show up unannounced, there is a chance that nobody will be available to assist you by providing evidence. Providing some notice also removes the "Gotcha!" aspect that sometimes accompanies verification activities. Surprise verifications are not needed, as a broad-based examination of evidence will always reveal the true state of corrective action effectiveness.

Communication about the verification process will remove roadblocks and smooth your path. The following telephone conversation illustrates the type of communication to engage in prior to verification of effectiveness of corrective actions.

You: "Hello, Jill. Do you mind if I drop by your department today and verify the effectiveness of actions you've taken on the late order problem?" Jill: "Uh, I guess not. How long will it take?" You: "It shouldn’t take long at all. I just need to sample some evidence related to our actions." Jill: "Do you suspect that we didn't take action?" You: "No, of course not. I just can't close-out the issue until we know if our actions have been effective. We're also going to Jim's department tomorrow to do the same thing. You're not being targeted, I can assure you." Jill: "Okay, I understand. Drop by around 10 a.m. and we'll be happy to show you what we've done." You: "Thanks for all your cooperation. I’ll see you about 10." As this discussion indicates, people don't always understand the intent of verifying effectiveness. They may think it's vindictive or personal, and you want to remove this misconception as quickly as possible. Your verification of effectiveness will be objective, factual, and impersonal. Make sure everybody understands that prior to your arrival. Your verification will go much smoother. Once you're in the department, what exactly are you going to verify? Obviously, the evidence will differ on a case by case basis, but here are some of the most common verification points: Did the actions address problem causes, instead of just symptoms? - Taking action on symptoms is akin to putting a band-aid on a serious wound: it does nothing to treat the underlying causes. The actions taken must get beyond the superficial symptoms and address the underlying causes of the problem, removing or significantly reducing them. The single biggest reason for problem-solving failure is action on symptoms instead of true causes. Are the actions fully implemented? - Speak to the people responsible for planning and taking action. Have their plans been fully implemented? Are there steps that are pending? What obstacles exist? You can't verify effectiveness until actions have been fully carried out. Have procedures been revised or developed? - Improvements don't stick unless they are made the new norm. Make sure that all relevant documentation reflects the new methods put in place by the corrective action.

Are employees aware of and knowledgeable about the changes? - If a process has been improved, employees will typically know about it, especially if they are responsible for implementing the change. Speak to employees in the work area and see if they're familiar with the changes and their roles in implementing them. Awareness of improved methods may come from formal training processes or through informal communications. If formal training is used, then records of training would be another type of evidence that could be verified. Are products or outcomes improved?- This is the bottom line: Have the products been improved? An improved process should ultimately lead to improved products. Is there evidence that this has happened? What do records and data indicate? Hearsay and verbal affirmations can't be used to prove that products have been improved. Has measurement or monitoring been established?- The effectiveness of some corrective action can't be known without ongoing measurement or monitoring of the process. In these cases, have the controls been set and put in place? What do the measurements indicate? Does the data indicate the process has improved and stabilized to the new level? What is the customer's perception of an improvement?- Perceptions are everything. Have customers noticed a change in the quality of goods or services? Keep in mind that these could be internal or external customers. Locate the applicable customers and get their opinions. If customers have not noticed an improvement, it can be logically argued that the actions have not been effective. Has the problem reoccurred? - If the problem continues to occur at the same level as before, then the corrective action is not effective. Only data and records can be used to prove a lack of recurrence. Is top management aware of the corrective action?- Top management isn't expected to be aware of every corrective action in the organization, but they should be aware of the large ones and overall trends. Top management awareness would certainly help support a determination of full implementation and communication.

Ineffective Actions It's unfortunate that in reality not everything you verify will be effective for improvement. The most common reasons for this are because solutions didn't work, or the problem-solving actions were never fully implemented, or the corrective actions were aimed at the problem's symptoms instead of its causes. When you determine that actions are ineffective, be diplomatic and forthright. Tell the process owner why you believe the actions are ineffective and describe the evidence that led you to that conclusion. Get the process owner's perspective on the situation. Through an interactive discussion, you usually arrive at an agreement about effectiveness or, in this case, the lack thereof. Once an agreement has been reached and the facts are clear, determine the next steps to take. Usually the next steps involve revisiting the identification of the causes, and planning and

implementing a new plan of action. It's possible that you may need to facilitate the new corrective action. A little bit of coaching can go a long way, especially when the person taking action has hit a roadblock and isn't clear how to proceed. If called upon to facilitate a corrective action that was initially ineffective, here are some principles to reinforce: Planning ensures success. - The better the plan for implementation, the more likely the action is to be successful. Many people will define their plans in broad, sweeping terms without providing adequate details to enable implementation. For example, to say, "Install a new blower above the No. 3 oven," sounds clear, but there is a world of complexity within that single statement. It's often easier to break large actions into bite-sized tasks delegated to employees who can be assigned responsibilities, resources, due dates, and reviews. Communicate early and often.- When planning action, build frequent communication into the plan. This communication can be in many different forms (i.e., meetings, formal reviews, teleconferences, e-mail updates, written reports, etc.). Frequent communication makes it harder for commitments to fall through the cracks. Visibility and transparency are the allies of effective action. Stay focused on the causes. - When entering the later phases of problem solving, actions take center stage and the causes tend to fade in significance. Fight this tendency. It's critically important that everyone remember exactly what causes are being removed or reduced. Examine and reexamine the actions to make sure they're affecting the underlying causes of the problem, not just the symptoms. Get creative. - When actions are ineffective, it's often because what we've chosen to do is tired and stale. They're the same old actions people tried years ago that didn't work then and don't work now. What is needed is a big dose of creativity. One of the easiest ways to trigger creativity is to bring new and more diverse people onto the problem-solving team. An injection of new blood will often make the difference. Another effective creativity technique is doing a second brainstorming session on the causes. Sometimes ineffective actions produce a deeper understanding of what is causing the problem. Make change happen. - Effective solutions will regularly change the way work is done. Ineffective solutions are often the result from re-training on old methods, re-enforcing flawed procedures, and asking people to try harder. None of these actually change anything. Is it any wonder that the problem persists? If we fail to change the work, we usually fail to reduce or remove the problem. Your role is to be a thinking coach. Help the team look at the problem and its causes from a new perspective. Injecting a little fun and humor into the process also helps at this point. After all, team members do become frustrated. Humor and fun are brain lubricants, and brains need all the lubrication they can get during problem solving.

© Copyright 2009 Craig Cochran. Republished with permission. This article first appeared in the June 17, 2009 issue of Quality Digest Daily, available online at

anagement systems are sometimes misunderstood as nothing more than a heavy administrative burden providing limited business benefit. In fact, many organizations with management systems in place haven’t effectively defined the processes they actually employ at all. Perhaps it’s because they think management systems only pertain to standards, and “ISO 9001 is separate from how we run the business.” ADVERTISEMENT

By maintaining these beliefs, organizations are missing out on significant opportunities to improve their existing processes. This also brings the value of the ISO standards in question. How can an international standard unite with a strategic business plan and facilitate process improvement, and thus, efficiency?

Using the process approach The process approach is more than an auditing technique: It’s a philosophy. It means shifting focus away from basic compliance to embrace an “improvement” mindset. When already-established activities and related resources are managed as a process, there’s no need to “invent” unnecessary paperwork just to show compliance. Any paperwork required for an audit is documentation

necessary for quality management anyway; it’s simply documentation of processes currently employed to produce the desired output. • A process is commonly defined as a number of reproducible, interacting activities that together convert an input into an output. • An input is something that drives or starts the process, such as people, resources, or materials. Multiple inputs can, and usually do, exist. • An output is a deliverable resulting from the process, addressing the expectation of a customer (either external or internal). Typically an output is a product, a service, or the input into another process. The process approach is a review of the sequence and interaction of processes and their inputs and outputs. It looks at the management system not just as a document, but also an active system of processes that addresses business risk and customer requirements. A process-based audit would ask questions such as, “Who is the process owner?”, “What are your customer requirements?”, and “How do you demonstrate improvement?” Not, “Show me your procedure.”

The turtle diagram A turtle diagram is just one of the auditing techniques that can be used to evaluate a process. Asking with what, with whom, how, and how many results in evidence of effectiveness, measurement to goal, evaluation of internal and external customers, and a focus on deliverables.

Turtle diagram. Click here for larger image.

• With what names the tools, equipment, and resources needed to perform an activity. This could include software, hardware, and support from other departments. • With whom defines the human resources required for performing a task. This includes a definition of competency requirements such as skills, education, experience, and training. • How identifies all the supporting documentation that may exist to support this process. • How many is process monitoring—i.e., identifying the measurements needed to assess the effectiveness of the process in support of the business plan. There should be evidence of continuous improvement and corrective action in the process. Process analysis with the turtle diagram can encompass many elements, including: • Activities • Resources and inks • Methods and tools • Measurements • Regulatory requirements applicable to the process • Risks associated with the process • Effectiveness and efficiency • Customer requirements, both external and internal The results of the turtle diagram yield many benefits to the business. First and foremost, it provides process measurements that can be linked directly to the organization’s strategic plan. It provides a means to assess both external and internal customer expectations, as well as any business risks associated with the process. It allows for use of the plan, do, check, act (PDCA) cycle as it applies to

the process. And finally, it allows for an important deliverable to the management team: a SWOT analysis.

SWOT analysis SWOT is a business tool that translates “ISO language” into a format that senior management can more easily understand. A SWOT analysis provides feedback on the organization’s strengths, weaknesses, opportunities, and threats to the organization. This approach is widely used to assess risks, benchmark competitive differentiators, and determine new business strategy. A SWOT analysis looks at: • Strengths, present view. Best practices and benchmarks; learn from these and apply them to other processes. • Weaknesses, present view. Areas that comply but are not fully effective, and therefore require correction. • Opportunities, future view. Areas of improvement to consider. • Threats, future view. Areas of high risk and noncompliance. The results of this analysis can be summarized in a SWOT diagram, such as this one:

The effect of the process approach Any organization seeking to certify its management system must still meet the requirements that are presented in the appropriate standard. But the standard by itself doesn’t necessarily add value to the organization, or bring benefit to senior management. By assessing the effectiveness of operational processes in achieving overall company goals and objectives, the concept of risk is now being considered. What’s more, it results in solid feedback that’s presented in a language that the management team can understand.

A process-based management system isn’t an administrative burden. In fact it’s a necessity for a truly competitive business. It’s a critical tool that provides continuity throughout operations, forming the link between policy, requirements, performance, objectives, and targets. David Muil is the director of business development for Intertek’s Business Assurance group, a Quality Digest content partner.

Objective Auditing Meets ISO 9001:2015 How auditors can help organizations understand context and risk Objective auditing has always been a challenge, and this is especially true now for ISO 9001:2015 audits. To better meet customer expectations, fundamental changes have been introduced to the standard to address current business realities and advancements in technology. Much of the responsibility of meeting the new requirements falls on leaders, and a careful, objective audit to the standard can help them. It’s human nature that with knowledge and experience comes a touch of ego, but an auditor with an ego can be a liability. Experienced auditors must guard against a tendency to add subjective opinions to their audit reports and focus instead on providing objective inputs. In this way they can help leaders make rational, objective decisions. This challenge is further compounded for auditors experienced in auditing to ISO 9001:2008, with its emphasis on preventive action. ISO 9001:2015 no longer addresses preventive action but instead focuses on establishing riskbased thinking throughout the management system. What’s the best way to audit this? The starting point for corrective action (CA) is the nonconformance report (NCR). A well-written NCR clearly states the standard’s requirement, the objective evidence for citing the nonconformance, and a description of the failure that occurred. If at this point an auditor allows his experience to bias what he expects should happen instead of sticking to the requirement, management ends up with a subjective input. A closed NCR provides data that management can analyze for possible trends, which can then be addressed by preventive action. For previous editions of ISO 9001, that was the fundamental base of a successful management system: Basically, data drove trends and preventive action. With ISO 9001:2015, preventive action has been replaced by risk-based thinking, which requires a more dynamic role for leaders. They must understand and continuously assess risks at every stage, mitigating them and

considering opportunities for improvement (OFI). This is important to do even before the planning stage of the plan-do-check-act (PDCA) cycle, by first understanding the context of the organization. Leaders’ understanding of the context of the organization, as well as their ability to assess risk and consider opportunities for improvement, need to be audited. Auditors must be especially careful here and not jump in and confuse management by offering their own opinions. ISO 9001:2015 has strengthened the leadership role, not weakened it, and by offering subjective advice, auditors could jeopardize this. They must limit their role to providing objective NCRs and allow management to make the decisions.

Understanding the organization in context Per clause 4 of ISO’s Annex SL, ISO 9001:2015 and other ISO standards require an organization and its leadership to understand the context of the organization when determining key management system elements such as the scope of the system (clause 4.3), processes (clause 4.4), the quality policy (clause 5.2), and planning, objectives, risks, and opportunities (clause 6). For more about this, see also ISO/DTS 9002—“Quality management systems— Guidelines for the application of ISO 9001:2015.” So what, then, is this “context of the organization?” Put simply, leaders must thoroughly understand the relevant internal and external issues, both positive and negative, that can affect their organizations’ ability to achieve intended results. Consequently, they must monitor and review these issues regularly. Leadership also has a tremendous responsibility in being fully aware of the risks to the organization. An understanding and appreciation of the context of the organization can help with this, particularly if it’s undertaken before the planning stage of the PDCA cycle. When fully appreciated, the context will not only promote more robust plans but also highlight inherent risks that can provide opportunities for improvement and innovation. This is vital in the success of the organization. When organizations undergo mergers and acquisitions, relocate, outsource large parts of their business, or change their products, the context of the organization changes. The internal and external factors change. Leadership must understand the implication of these changes in the context of the organization. Doing this will also allow them to see the risks and perhaps opportunities for improvement. It’s like going into battle. A lot of things must happen before troops are deployed. For example, the logistics of deploying troops in harsh terrain surrounded by hostile countries, and the chances that they may fail, must be considered. If the risk is too great, then perhaps the nation’s diplomats should first reach out to surrounding countries to create a safe corridor for supplies or retreat. This diplomacy might uncover opportunities for better relations with these states. The risk might also require intelligence agencies to assess conditions on the ground. Thus prepared, the military leadership can best ensure the mission’s success.

Similarly, business leaders have to understand the context of their organizations clearly when they develop a quality management system and before proceeding to the “act” stage of PDCA. This understanding will provide the foundation for determining key QMS elements. Information about internal and external issues affecting the outcome of the QMS in the context of the organization should be collected from all sources. These may be from internal documents and meetings, national and international press, various websites on the subject, publications from national statistics offices and other government departments, and professional and technical publications, conferences, and meetings. Other resources include think tanks, professional associations, and independent subject matter experts. Many sources are available, and leaders need to consider all relevant ones to make the best assessment of potential organizational risk. Internal issues to consider are resources such as infrastructure, the environment for operations, and organizational knowledge. Competence of employees, organizational culture, and perhaps the relationship with unions should be included. There are also delivery capabilities, customer evaluations, and management issues such as decision making and organizational structure. External issues that might affect the organization include macro-economic factors such as money exchange rates, the economic situation, inflation forecast, and availability of credit. Then there are social factors such as local unemployment rates, safety perception, education levels, work ethics, and political factors. Existing international trade agreements, including sanctions, might affect the outcome of the organization’s performance in meeting objectives. Competition as it relates to market share might require study. Relevant legislation also must be considered. An organization that understands “what it does,” and how various internal and external issues affect how well its QMS meets requirements, is better placed for success. Auditors can best help organizations by establishing, through objective auditing, that these requirements are met.

Organizational knowledge ISO 9001:2015’s clause 7.1.6 has introduced a new requirement: organizational knowledge. When auditing this, auditors must keep in mind not only the existing context of the organization but also the changing context, if relevant. The organization when addressing changing needs and trends must consider its current knowledge and determine how to acquire or access any necessary additional knowledge or required updates. Going forward with changes, mergers, acquisitions, or moving operations globally without assessing the risks introduced by lack of knowledge can mean the difference between success and failure. Both internal and external sources for knowledge as mentioned above are relevant here. Future needs and their relationship to innovation is also mentioned in the standard’s introduction.

Evidence-based decision making

When determining conformity of a management system to ISO 9001:2015, auditors will need to ascertain that all aspects of the management system adopt both the PDCA cycle and risk-based thinking. Per the standard’s introduction, auditing should reveal that the processes have been adequately resourced and managed, and opportunities for improvement are determined and acted on. Auditors must also confirm that the organization’s leadership has considered risks and encouraged risk-based thinking to determine the factors that could cause the system (i.e., processes) to deviate from planned results. The first phase of a system audit, during which the auditor interviews top management with systematic and wellthought-out audit questions, is vital to establish that management clearly acknowledges its role in understanding the context of the organization and how it influences the required customer focus. Employees must also understand the expectations of management. To successfully engage employees in a customer focus, company policies must smoothly flow into measurable objectives. Auditors must prepare well to audit top management and determine its commitment to the process approach and continual improvement. A system that doesn’t require management reviews periodically to establish that the PDCA cycle is in place even at this level means that leaders are at risk of making subjective decisions. During their interview of top management, auditors must be able to establish conformity to evidence-based decision making.

Conclusion There is much more to auditing than looking for nonconformities. Auditors must also understand how the context of an organization relates to quality management principles. If they do, then they will look for conformities in the management system to ISO 9001:2015 requirements. If during this audit they do find nonconformities based on requirements, they must provide well-written NCRs to encourage a process-based management system. An objective audit will enable management to better use the system to consistently meet requirements, and the processes themselves will add value, help mitigate risks, and create opportunities for improvement.

A summary of the key changes ISO 9001:2015 includes a number of significant changes that must be considered by organizations certified to the current version of the standard. Those changes include: • The importance of stakeholders. The revised standard adopts a stakeholder approach to quality management, and focuses on stakeholder relationship management (SRM). As such, organizations are required to identify the issues and requirements of relevant stakeholders when developing their QMS. The concept of SRM can extend beyond customers to include employees, suppliers, partners, and even regulatory authorities.

• Expanded role for leadership. By expanding the scope of what it terms “management responsibilities,” the revised standard clearly places overall responsibility and accountability for an organization’s QMS with senior leadership. While leadership may appoint a representative to manage quality system-related activities, they retain ultimate responsibility for implementation consistent with the standard’s requirements. • A risk-based approach to quality. ISO 9001:2015 adopts a risk-based approach to various requirements throughout the standard. However, it doesn’t require the application of a standardized risk management approach, and contains no clauses that detail specific requirements for preventive measures. • An increased emphasis on process. ISO 9001:2015 strengthens the importance of applying a process approach in developing, implementing, and improving the effectiveness of an organization’s QMS. As such, organizations will now be required to define inputs and expected outputs of each process, and to identify key performance indicators. • Greater documentation flexibility. The terms “documents” and “records” are being replaced with the term “documented information.” This change is intended to provide organizations with greater flexibility in describing their QMS. In addition, the current requirement for documented procedures will no longer be mandatory.

Potential nonconformities and other challenges Organizations currently certified to the 2008 version of ISO 9001 will have up to three years to modify their current QMS to comply with the requirements of the revised standard and to achieve recertification. However, adopting to the changes in the revised standard is likely to pose a number of specific challenges, including the following: • Getting leadership involved. The requirement for increased leadership oversight and accountability for an organization’s quality management system may well represent the biggest challenge. Meeting the threshold of this requirement involves the full engagement of leadership team members, as well as an understanding of the role that a commitment to quality plays in achieving organizational goals, and training on the particulars of an effective QMS. • Addressing root cause issues. The increased emphasis on process requires a significant effort to identify and investigate root cause issues that affect performance and require corrective actions. However, most organizations aren’t sufficiently trained in root cause analysis, and may struggle to develop and implement processes that uncover the underlying basis for nonconformities that are identified.

Here is a summary of records requirements in ISO 9001:2015: • 24 records are required in ISO 9001:2015. This is compared to 21 records required in ISO

9001:2008. Some of the 24 records required by ISO 9001:2015 are actually repeat requirements, listed twice in the current version of the standard. • 20 percent of all the record requirements come from section 8.3—“Design and development of products and services.” That amounts to five records, which is the same number required by ISO 9001:2008. • A completely new record that is required in 9001:2015 is found in section 8.5.6, which concerns retained information on changes, including the review of changes, persons authorizing the change, and necessary actions arising from the change. • ISO 9001 continues its redundant ways. In two separate places ISO 9001:2015 requires records of evidence of processes being carried out effectively, once in section 4.4.2 and again in section 8.1.e.1. • More redundancy: ISO 9001:2015 requires records in two separate places that demonstrate conformity of products and services processes, once in section 8.1.e.2 and again in section 8.6. Why the redundancy? My personal opinion is that this wasn’t intended. Rather, I suspect it was sloppy editing. There’s no compelling reason to declare twice that inspection records must be maintained. • Five of the records in ISO 9001:2015 have qualifiers. These are “to the extent necessary” and “as applicable.” They imply that it’s up to the organization to decide if it truly needs the records to demonstrate conformity. They aren’t absolute requirements. • One item, design outputs, is listed as “retained documented information” (i.e., a record) when it’s actually a document. Design outputs are living information such as specifications, engineering drawings, recipes, formulas, and bills of material. Since they’re living, they’re subject to revision, meaning they are documents. Nonetheless, as long as the organization manages design outputs in a consistent manner (as either a document or a record), it should be fine. • A handful of requirements would be virtually impossible to have evidence of without records, and yet ISO 9001:2015 doesn’t require records for them. These include context of the organization (4.1), interested parties (4.2), planning of changes (6.3), and customer feedback (9.1.2). • One of the strangest record issues of all is the omission of calibration records in ISO 9001:2015. This has been replaced by the requirement to “retain information on fitness of purpose for measuring instruments,” which would include calibration, among other possible activities. I expect many people implementing ISO 9001:2015 will get a bit confused by this. Don’t let anyone tell you that the “correct” terminology is “retained documented information.” If you like that term, then by all means use it. If you prefer the term “records,” you can use that in its place. Always remember that documents and records are two different things. That one fact alone will make any QMS easier to use and understand.

Retained information (i.e., records) required in ISO 9001:2015 Section Category

Requirement

Qualifier

No. 4.4.2

7.1.5.1

QMS and

Retain information on processes

to the

processes

carried out effectively (a blanket

extent

requirement)

necessary

Retain information on fitness of

none

Calibration

purpose for measuring instruments 7.1.5.2

Calibration

Retain information on basis for

none

calibration where no standards exist 7.2. d

Competence

Retain information as evidence

none

of competence 8.1 e 1

Operations

Retain evidence of processes

to the

being carried out as planned

extent necessary

8.1.e 2

8.2.3.2 a

Operations

Sales

Retain information to

to the

demonstrate conformity of

extent

products and services

necessary

Retain information on the results as of review of customer

applicable

requirements 8.2.3.2 b Sales

Retain information on any new

as

requirements for products and

applicable

services 8.3.3

Design

Retain information on design

none

inputs 8.3.4 b

Design

Retain information on design

none

reviews 8.3.4 c

Design

Retain information on design verifications

none

8.3.4 d

Design

Retain information on design

none

validations 8.3.5.

Design

Retain information on design

none

outputs 8.3.6

Design

Retain information on design

none

changes (e.g., reviews, authorization, and actions to prevent adverse impacts) 8.4.1

Purchasing

Retain information on the evaluation, selection, monitoring of performance, and reevaluation of external providers

8.5.2

Traceability

Retain information to necessary

none

to enable traceability 8.5.3

External

Retain information on customer

property

or external provider property

none

that is lost, damaged, or unsuitable 8.5.6

Change

Retain information on changes,

management

i.e., review of changes, persons

none

authorizing, and necessary actions arising 8.6

Product release

Retain documented information

none

on the release of products and services, including evidence of conformity and traceability to person authorizing release 8.7.2

Nonconforming

Retain information on

products

nonconforming products, including description, actions taken, any concessions, and authority deciding on action.

none

9.1.1

Monitor and

Retain evidence of results of

measure

monitoring and measuring (a

none

blanket requirement) 9.2.2 f

Internal audit

Retain evidence of

none

implementation of audit program and audit results 9.3.3

10.2.2

Management

Retain evidence of the results of

review

management review

Corrective action Retain evidence of nature of

none

none

nonconformity, any actions taken, and results

his is a good time to emphasize a few notions about risk. Risk in ISO 9001:2015 and ISO 14001:2015 is general, that is, it is a concept that can be applied anywhere in an organization, including planning (Clause 6.0), i.e., the setting of objectives as it is defined in ISO 31000. Risk can be described as a potential event that can be expressed in terms of consequence, impact, or severity of the impact and its related likelihood of occurrence.

Use of risk in ISO 9001:2015 Risk appears in the normative parts of ISO 9001 eight times, and risk-based thinking appears once. Risk and riskbased thinking appear many times more when we study the informative portions of the standard, e.g., the introductory sections and the appendix.

Clause number

Title

Explanation

No title 4.4.1

Under 4.4—QMS QMS process risk and opportunities and its processes

Risk and opportunities that can affect 5.1.2

Customer focus

conformity of products and services—this, then, is quite broad

Actions to 6.1

address risks and

Appears in title

opportunities

Consider risk and opportunities as they relate to the context of the organization and 6.1.1

No title

interested-party expectations so that the QMS achieves its “intended results,” i.e., its objectives, including improvement. This is the definition that now appears in ISO 31000.

Appears twice: Plan actions to address risk 6.1.2

No title

and opportunities, including their effectiveness; and actions taken shall be proportionate to the potential impact.

9.1.3

9.3.2

Analysis and

Effectiveness of actions taken to address risk

evaluation

and opportunities

Management review inputs

Effectiveness of actions taken to address risk and opportunities as it relates to Planning (6.1)

Table 1: ISO/FDIS 9001:2015 requirements for risk

The table seen above explains the requirements of ISO/FDIS 9001:2015 for risk and opportunity analysis within the organization. The concept of risks and opportunities, which emphasizes identifying potential problems as well as opportunities for improvement, needs to be applied to QMS processes, the conformity of products and services, and planning QMS objectives, including setting out actions for improvement plans and evaluating their effectiveness. Process risk and planning risk—Ref. Clauses 4.1 and 6.1 When the requirements of ISO/FDIS 9001:2015 are studied, these are the relationships indicated as they relate to QMS processes and planning:

Product and Process Risks and Opportunities—Ref. Clause 5.1.1 Risk as it relates to product and process conformance can be quite broad. The following are some areas where risk is usually addressed by organizations:

ISO 9001:2015 mandates ISO/FDIS 9001:2015 requires companies to address risk and opportunities as they relate to QMS processes (Clause 4.4.1), planning (Clause 6.1), and product risks (Clause 5.1.2). The effectiveness of risk management and opportunities for analysis must be evaluated (Clause 9.1.3). Also, the effectiveness of the actions associated with objectives or planning must be included in the management review (Clause 9.3.2).

Omnex suggests that organizations integrate risks and opportunities into their organizational processes (i.e., QMS processes). Risks and opportunities must be integrated into the planning process (Clause 6.1), as shown below for business planning, or for setting organizational goals and objectives. Omnex calls this process the “business

operating system” (BOS). It identifies key processes and conducts risk analysis on them because they affect the organization’s overall objectives.

For managing risk in products and services, we suggest the following methodologies. First, it’s important that a project is evaluated for overall risk, particularly how risk relates to new products, suppliers, and technology. Second, it’s also important to use tools such as failure mode and effects analysis (FMEA), and product and process design risk to evaluate risk within the context of the new-product development process. FMEA, along with control plans, identifying critical and significant characteristics, process capability, and measurement system analysis, are proven techniques that can help organizations reduce risks. Results have shown that customer nonconformances will lower significantly into the range of 10 to 60 parts per million (PPM).

Auditing risk Auditors must be flexible when auditing a QMS for conformity to ISO 9001:2015’s risk-based thinking. There are no requirements in the standard for a risk management process or methodology, so auditors have been concerned that auditing a QMS will be difficult. Let’s examine the standard’s planning process for organizations. Following are some of questions auditors can ask when auditing a QMS: 1. Does the organization identify internal and external issues as they relate to the context of the business? (Clause 4.1)

2. Has the organization identified relevant interested parties as they relate to the context of the business? Has the organization understood the interested-party expectations? (Clause 4.2) 3. Has the organization used the issues developed in the context and in the needs and expectations of the interested parties when planning for the organization? (Clause 4.3) 4. Has the organization identified the risks and opportunities as they relate to the organization achieving its intended results, i.e., goal and objectives? (Clause 6) 5. Has the organization identified the actions to address the risks and opportunities? 6. Is the organization meeting its goals and objectives, i.e., is it improving? For more on risk-based thinking, join Chad Kymal and Dirk Dusharme on Tues., Aug. 25, 2015, at 11 a.m. Pacific for the webinar, “Risk-Based Thinking: Actions to Address and Audit Risk and Opportunities.” Kymal will also be releasing a new book on ISO 9001:2015 auditing, published by ASQ, at the end of 2015. For more information about the ISO 9001 standard, see the Quality Digest knowledge guide, “What Is ISO 9001:2015?”

Where technology fits Let’s look into several of the key components of the initial draft as we map the technology considerations relating to the new standard. Clause 4—“Context of the Organization”: This is essentially the planning for how your organization will manage quality. A lot of it becomes a strategic decision, but where technology fits is in subclause 4.4, which centers on establishing a “... process-based quality management system.” Technology considerations: You want a solution that will be able to focus on the process as it relates to your organization. The QMS provides you with a centralized, common, and collaborative environment to maintain all of your policies and procedures. This is where flexibility becomes an important component: • Flexibility to adapt to the various processes, and match what you’ve outlined for your commitments to quality and your customers • Builds in the functionality that will support your needs and the needs/requirements of the standard Clause 5—“Building Leadership”: There’s no longer a single representative for quality, no single “quality police.” Companies as a whole must establish a focus on quality, customers, and companywide commitment. At the same time, you must look to establishing a quality “policy”—as opposed to a manual— which will more broadly assess and help improve organizational quality.

Technology considerations: How are you effectively collaborating on a commitment to quality? You need a solution that will give the entire company visibility into and control over the quality effort by ensuring that all data related to processes and procedures is kept in a centralized location accessible by all necessary parties: • A centralized system, one holistic place for quality policy that provides transparency of information • Document and communicate your policy—control and disseminate information in a consistent manner Clause 6—“Planning”: The biggest change here involves risk management. The standard is shifting from a preventive action approach to a risk-based approach, not just in the identification of risks, but also in controlling and mitigating them. At the same time, you’re benchmarking those risks against your overall quality objectives, taking actions to ensure you’re meeting them, and instituting methods for management of change. Technology considerations: Building risk into a system is critical; you need a system that is objective, repeatable, and systematic. This takes several elements. First is assessing hazards and identifying and measuring risks (e.g., severity and frequency). Having a way to not only define the measurement of risks, but also to align them with your quality objective and then assess them from an operational perspective, is critical. This is done through a risk matrix, which enables you to calculate risk by quantifying your hazards by plotting them on a graph. The resulting calculation of severity and frequency becomes your risk factor. Once the risk matrix has been vetted by your organization through real-world scenarios to ensure its effectiveness, your organization can apply this tool to the risk management process. • Risk matrixes, built into the operational processes, not only calculate risk but enable immediate remediation of high-risk events. • A solution should have the ability to set up a risk assessment calculation, benchmarked against your requirements/objectives, and provide a way for you to take action on high-risk events. Clause 7—“Supporting your QMS”: This is where you focus not only on the people who support your quality initiatives, but also on the infrastructure to support your QMS.You’re looking at the infrastructure of how you’re going to deliver quality, and by whom. This relies on ensuring that your people are trained and given the right documentation to operate efficiently and effectively. Technology Considerations: • The concept of document control is not just about document repositories; it’s about establishing a process by which documentation is created, reviewed, approved, consumed, trained, audited, and ultimately, revised. It’s far more than just a simple documentation tool—it’s how you have a central location for communicating processes and information to the company. A technology solution will build in functionality around the process of review and approval, integrated with training, change and revision control processes, and periodic reviews. Collaboration on documentation improvement is key to this element.

• Employee training isn’t just about a training tool; it’s more integrated, collaborative, and based on the idea that one process blends into the next. So, from a technology standpoint, you want an integrated document control and training system. The process includes the training of people and communication, by which new information is disseminated and consumed. Being able to automate much of this is key, especially when you’re looking to create a more seamless, collaborative, and companywide perspective on quality. Clause 8—“Operational Processes”: This section provides the framework for how you design, source, produce, and monitor your operations, with respect to products and services. It covers the processes by which you evaluate the design, the “external parties” (a term which replaces “suppliers”), and plans for your product and measurement of controls within your operations. Technology considerations: The processes are the biggest component, and whether you’re building a design plan, a supplier evaluation, or establishing nonconforming material criteria, it’s important to ensure that information is transferred from one process to the next. A technology solution that will take design information, such as a bill of materials, and communicate to production and suppliers, and include potential nonconforming criteria to be assessed, rests in the ability of the system to provide traceability, visibility, and control. Clause 9—“Evaluation”: The concept of evaluation sits on its own in ISO 9001:2015, which certainly highlights the importance of feedback and regular assessment. The key point to take away is, “How do you build a constant feedback loop from your operations to ensure that you are saying what you do, and doing what you say?” This not only includes regular auditing and feedback measures from customers, but also how you’re consuming this information as a management team. One of the key areas is establishing a method for consuming customer feedback. You need to have an established way to build a data set from all customers, and categorize and analyze the type of feedback you’re getting. You also need to build both an internal and an external auditing program. This isn’t different than previous requirements. Finally, you still need to take the QMS data and conduct management reviews, and produce outputs against your core objectives. Technology considerations: It’s important to “close the loop” on your QMS with your most important asset—your customer. A solution that can collect customer data via post-market feedback such as complaints and adverse events, and allow you to take action on that data, is vitally important to understanding if you’re meeting your quality commitment to your customer. Having a centralized and aggregated way to organize the feedback data is essential, and an automated QMS will provide: • Auditing solutions: Most organizations are very familiar with building an auditing plan, but as a company grows more complex, it becomes more difficult to manage how much auditing needs to take place, when to audit, and what to audit. It’s important to have a solution that not only manages and standardizes the auditing process, but

also the scheduling process. Centralization and harmonization are key in keeping things straight; technology helps to achieve this by providing you with a centralized repository where all your data is kept. • Measuring effectiveness with collaborative reporting: Management review is an important step to evaluation. However, without a way to organize and filter the data, it’s very difficult to make informed and strategic decisions. You really not only need a strong reporting tool to gather all this information, you also need to ensure that you are integrating the whole process into the data collection. This is where having a closed-loop QMS solution is most valuable; it provides data from design, production, documentation, training, feedback, audits, and beyond. This provides a larger and more valuable view into the data, and lets management act or react or improve more efficiently. Clause 10—“Improvement”: The key concept and the chief focus of ISO 9001:2015 is around a commitment to customers, to improvement, and to companywide involvement. So when we look at this section, the emphasis must be on fostering overall improvement. You’re building a process by which you’re able to quickly react to nonconformities and take action on correcting these nonconformities. You’re also looking to see if you need to eliminate the cause of these problems. So, you are first looking to correct and control, and then determine if a corrective action is needed. If there’s a systematic cause of a nonconformance, then you need to build a corrective action. Again, this is how you take an adverse event and create steps to reduce the likelihood of recurrence. Finally, you also want to look for ways to improve your overall QMS, find trends, and identify opportunities for improvement. Technology considerations: • Nonconformance management: Being able to record information in a single location is critical. You want to eliminate as much double entry and data as possible, so importing data from other areas (e.g., production, suppliers, customers, etc.) is key. They next key point is that, if you’re going to issue a corrective action, it should be traceable back to the nonconformance. This is where integration comes into play—linking a nonconformity to a corrective and preventive action, and being able to create a seamless closed loop on the process, will ensure that data is not lost or entered incorrectly. • Lastly, you want to build reporting and data collection to look for improvement areas. Having a robust reporting system on the entire QMS is critically important to make informed decisions.

Conclusion The revisions coming forth in ISO 9001:2015 bring a fresh perspective to the standard. Taking full advantage of the opportunities presented by the new standard lies in having a centralized, common, and collaborative environment that not only gives you the visibility into where you are in your QMS, but also makes you active participants and champions of quality. This is where technology, automation, and an integrated QMS take over.

ISO 9001:2015 was built with the acknowledgement of technology today, and the standard embraces concepts that can only be achieved with this in mind. For more on this topic, be sure to join Quality Digest editor in chief Dirk Dusharme and myself for the webinar, “ISO 9001:2015 Compliance—How Automation Can Help,” on March 24 at 2 p.m. Eastern, 11 a.m. Pacific. Clickhere to register. For more information about the ISO 9001 standard, see the Quality Digest knowledge guide, “What Is ISO 9001:2015?”

The ISO 9001:2015 CD costs 38 Swiss francs in PDF format, but that will shoot up to 118 Swiss francs or so, like ISO 9001:2008 did, once it achieves International Standard recognition. So much for the economics. I bought myself the PDF format of the CD, and as a matter of fact, it doesn’t take much longer to go through it than it does to listen to a music CD, which is what I expected. What follows is a very informal summary of my thoughts and feelings as I read the CD, though I’ve tried to give them some sense and context. So let’s start reading the document ISO/TC 176/SC 2/N 1147–ISO/CD 9001, hoping to make some sense out of it. Anything I don’t comment on I consider acceptable enough, or unworthy of notice.

Attachment 1 to SC 2/N 1147 Exclusions: Lines 387 through 391 are quoted, referring to subclause 7.1.4—“Monitoring and measuring devices,” and clause 8—“Operation as permitted exclusions.” Mmmh... Concerning goods and services, there’s not much to say, except that subclause 8.6.4, line 878, requires “preservation of goods and services,” and the Note is clearly hardware-oriented. Now, while it is easy enough to think of preservation services, to preserve something like, say, a health treatment will have to rely on documentation, but the empathy the patient felt toward the nurse who speeds his recovery—how can that be preserved?

Contents The ISO/TC 176/SC 2 reshuffled the sections’ numbering once more. In the most vicious bars, it’s rumored that this was done on purpose to test auditors’ and consultants’ memories. Because, all in all, the requirements have not been changed all that much.

Foreword “...The unifying and agreed high level structure, identical core text, and common terms and core definitions of Annex XL of the ISO Directives” quoted in lines 90–92 are not found in the bibliography on pages 26–27. There is only a short reference in the Introduction, subclause 0.2—“Annex XL.”

Introduction Here is where the word “risk” appears for the first time (line 160), associated with “opportunities” (line 166) and linked to the Annex XL core text “risk-based thinking” and “risk-driven approach” (line 171). What’s not clear, at the moment, is what’s to be understood, and acted on, per lines 173–174: “Although risks have to (be) identified and acted upon, there is no requirement for formal risk management.”

QMS requirements ISO 9001:2015 is different from its predecessors, in that the Requirements section includes clause 1—“Scope”; clause 2—“Normative references”; and clause 3—“Terms and definitions.” Something worth noticing: clause 1 —“Scope” does not mention risk but “improvement,” and clause 2—“Normative references” cites as “indispensable” only ISO 9000:2015—QMS—“Fundamentals and vocabulary.” Clause 3—“Terms and definitions” is an Eldorado for a word-fan like me. Of particular interest, I found subclause 3.05—“Top management”; subclause 3.09—“Risk” (of course); subclause 3.10—“Competence”; subclause 3.11 —“Documented information”; subclause 3.14—“(To) outsource”; subclause 3.15—“Monitoring”; subclause 3.16 —“Measurement”; and subclause 3.17—“Audit.” These all look like revolving definitions to me, rather like “a rose is a rose is a rose.”

Subclause 4.1—“Understanding the organization and its contents” Line 346 says, “The organization shall update such determination when needed.” I see a big risk here. When organizations get their certificate, they post it on the wall and stow the QMS like a suit in the back of the closet. Once that happens, there’s no way to convince them to update a suit that’s become either too large or too tight for them. The high cost of tailoring will keep them wearing it long after it’s gone out of fashion.

Subclause 4.3—“Determining the scope of the QMS” I found an interesting requirement in lines 384–385: “...the main processes to deliver them and the sites of the organization included.” There’s a clear reference to logistical processes here, which prior to ISO 9001:2008 had been quite neglected, save for registering shipping, forwarding, and trucking organizations and their warehouses. But that’s not true logistical processes themselves, which even the most passive TV watcher would see as critical.

Subclause 4.4.2—“Process approach” Specifically planning, developing, monitoring, and improving a QMS are probably the most pedantic activities in the world. It would be difficult to name an organization that did not find them a waste of time. Now, what ISO 9001:2008 took care of with one chart (subclause 0.2) and six requirements (subclause 4.1 a through f), ISO 9001:2015 makes you reflect on with four more requirements. I fear this will prove once again to be consultants’ work because organizations think they already know their processes.

Subclause 5.1—“Leadership and commitment” and Subclause 5.3—“Organizational roles, responsibilities, and authorities” Armageddon is still to come, as these sections demonstrate. How could a third-party auditor argue about such political matters with his boss’s customer? Or a first-party auditor with her boss? Only second-party auditors with enough power in their hands can do this. Prior to ISO 9001:2008, this requirement was a mere formality, and I don’t expect ISO 9001:2015 to change it. So why not leave it out altogether and put it in some other requirement, for example, “quality of management systems’ management?” This implies personal, psychological, social, economical, financial, entrepreneurial, competence, and training skills that the poor checklist-filling auditor is very far from being able to assess. ISO 10015:1999—“Quality management—Guidelines for training—Bibliography” (item No. 13) and “ISO 10018:2012—“Quality management—Guidelines on people competence and involvement—Bibliography” (item No. 15) should be consulted.

Subclause 5.1.2 a—“Leadership and commitment with respect to the needs and expectations of customers” and Subclause 6.1—“Actions to address risks and opportunities” After it disappears for a few pages, the term “risk” appears again on line 446, like Alice’s rabbit, again associated with “opportunities,” whereas on lines 446, 482, 484, 498, and 501, it’s not associated with “opportunities” but with risk avoidance, risk mitigation, and risk acceptance. One would be inclined to think that management is being given sanction to indulge in a risk-management approach. At this point, it seems the cyclical structure of the QMS as configured by ISO 9001:2015 is taking shape: We’ve gone over internal and external constraints, the boss has taken command, and it’s now time to decide where and how to go.

Subclause 6.2—“Quality objectives and planning to achieve them” Here we have perhaps the most pedantic activity of the whole pedantic QMS-development cycle. Because of the objective-based nature of a QMS, quality managers and consultants must resort to endless creativity to fill the gap

between the only objective understandable to top management—i.e., profit—and the performance indicators required by auditors strictly applying ISO 9001’s requirements. And ISO 9001:2015 doesn’t solve this dilemma. If, in the first place, quality objectives shall “...be consistent with the quality policy” (line 505) and the quality policy “...provides a framework for setting quality objectives” (line 458), then the auditor will have to throw into a bin all those generic, obscure, and meaningless quality policies so dear to top managers and their consultants, all wanting to say nothing and its opposite. Line 507 says quality objectives should “be measurable”; the previous edition’s “if practicable” has been deleted. Now, here there’s something that accreditation bodies will have to assign to registrars: ensuring that auditors don’t ignore what’s going on. SPC starts with punctually recording numerical figures until it’s determined that the process is stable enough. So why in the world should QMS objectives always be stated in terms of measurablevariable figures, and not of measurable attribute figures?

Subclause 6.3—“Planning of changes” and Subclause 8.6.6—“Control of changes” These two sections should be read together. Though between the lines, it seems that identifying risk and opportunities should be given more relevance when planning than when implementing and controlling.

Subclause 7.1.2—“Infrastructure” We know how it goes: Mirrors reflect our front, not back, image. Likewise we enter shiny, marble corporate lobbies, and neat and orderly offices, and we are enchanted. The shop floor? Well, we can’t expect much of a metalworking company, which uses much oil, and makes a tremendous amount of noise and shavings. Then the nasty auditor asks to see, just to see, what’s behind the building, outside, bordering the neighbors. Are the tons of rusting metal, the drums containing unknown liquids, to be covered by this requirement? Suddenly the shiny entrance, the big black sedans or sport cars in the front parking lot, vanish: This is the real company. Concerning Note c, line 547, “software”; and line 548, “transportation”: Achilles was lucky to have just one heel that could be lethally wounded. Most organizations have at least two, that is, software, for its user-friendliness and security; and logistics, which covers much more than just transportation and warehousing. Downgrading these two processes to infrastructure issues will not help organizations see them in their true light, as they deserve.

Subclause 7.1.3—“Process environment” The Note on line 555 echoes previous ISO 9001 Notes and requirements, too. That is, if a proper understanding and use of human resources is a relevant part of a QMS, I don’t think that “physical, social, psychological, and environmental factors” can be dissociated from subclause 7.1.5—“Knowledge, subclause 7.2—“Competence,” subclause 7.3—“Awareness,” or subclause 7.4—“Communication.”

A related comment concerns subclause 8.6.1—“Control of production of goods and provision of services.” It’s worth warning that point f on line 835, “personnel qualification,” is not included in Clause 3—“Terms and definitions,” and neither is point i on line 840, which is all too often abused as a justification for more upstream errors.

Subclause 7.1.4—“Monitoring and measuring devices” Here’s another point where ISO 9001:2015 seems to break down: “The organization shall determine, provide, and maintain the monitoring and measuring devices needed to verify conformity to product requirements....” (lines 560–561). Although it was anticipated in Attachment 1 a—“Exclusions” and subclause 4.3—“Determining the scope of QMS,” line 389, the question still seems to be unresolved because many reliable auditors believe that service performance can and should be measured, or assessed, while others, equally as reliable, do not. I think that most of us share the view that customer-satisfaction questionnaires are far from significant in determining any service-performance level. At the same time, how should an organization preparing for ISO 9001:2015 registration go about fulfilling that requirement? Possibly by simply declaring it not applicable? ISO 10012:2003—“Measurement management systems—Requirements for measurement processes and measuring equipment—Bibliography” (item No. 10) should be consulted for further clarification.

Subclause 7.1.5—“Knowledge” Although ISO 9001:2015 defines “competence” in subclause 3.10 as the “ability to apply knowledge and skills to achieve intended results,” both terms “knowledge” and “skills” are not defined. This seems to reveal some kind of uneasiness on the part of ISO/TC 176/SC 2 to tackle personal characteristics. The same reluctance to define can be found in subclause 7.2—“Competence,” subclause 7.3—“Awareness,” and subclause 7.4—“Communication,” as well as subclauses 3.05, 5.1, 5.3, which deal with top management’s profile.

Subclause 7.5—“Documented information” We first come across this term in clause 3, subclause 3.11, line 288. As far as the “documentation required by this standard” is concerned (specified in subclause 7.5.1 a, line 608), we also find the term mentioned in, among other places, clause 3—“Terms and definitions” (subclause 3.07—“Policy”); subclause 4.3—“Exclusions,” line 387; subclause 5.1.1, line 424, “demonstration of leadership and commitment”; and line 426, “quality policies and objectives; subclause 5.1.2—“Leadership and commitment with respect to the needs and expectations of customers,” line 444,“demonstration of leadership and commitment”; subclause 5.2 —“Quality policy”; subclause 5.3—“Organizational roles, responsibilities, and authorities,” line 478, “reporting”; subclause 6.2—“Quality objectives and planning to achieve them,” line a, “quality policy”; and line 513, “documented information on the quality objectives.”

Based on past experience, subclause 7.5.1 b—“The organizations QMS shall include: documented information determined by the organization as being necessary for the effectiveness of the QMS” (lines 609–610), is going to raise discussions between auditors, auditees, and consultants, with each party trying to further their own cause. Subclause 7.5.2 and subclause 7.5.3 are familiar ones in ISO 9001:2015, but the reminders about “loss of confidentiality” (line 630), “access to view and authority to change” (Note), and “disposition” (line 636) may help refresh memories of some of the corrective actions seen in the past but quickly forgotten. The requirement stipulated in subclause 8.1 c—“Operational planning and control,” lines 649–650, “documented information to the extent necessary to have more confidence that the processes have been carried out as planned” seems to refer not to quality objectives and performance, but rather to a quality plan and some kind of sign-off. ISO 10005:2005—“QMS—Guidelines for quality plans—Bibliography” (item No. 6) should be consulted for further clarification.

Subclause 8.2.3—“Review of requirements related to goods and services, and applicable changes” In its simplest form, the requirement stated in line 688 could be satisfied by a review sign-off or a team-feasibility commitment. The real questions arise in obtaining customers’ clear, comprehensive, and consistent “documented statement of their requirements” and, when necessary, its amendment. I often found, and still find, that customers start with detailed descriptions of their requirements or expected goods and services. This soon fades away, leaving the requirements floating and undefined about midway through the document. When the supplier asks the customer to provide more robust information, the customer seems to be annoyed by this petty approach. Subclause 8.6.1 poses the never-ending question of how to differentiate between “documented information that describes the characteristics of the goods and services” (point a, line 829), and “documented information that describes the activities to be performed and the results achieved, as necessary” (point c, line 831). The former is usually reasonably detailed and kept up to date, mainly because it is closely linked to customers’ requirements. The latter, being almost totally in the organization’s hands, gives rise to shortcuts, poor records, and undocumented work instructions of the type, “We do so because we’ve always done it this way.” Subclause 8.3—“Operational planning process” includes references to documented information in point a, line 712, “quality objectives”; and point f, line 719, “performance data” (which is a comment to the Note on lines 728— 729). Quality plans were never a hit during ISO 9001 registration, mainly because organizations found them too cumbersome, and their preparation of no added value. Generally, they were developed and printed for registration purposes only. Point g, line 720, “identifying risks related to achieving conformity of goods and services to requirements,” and “preserving services” were discussed above under Attachment 1.

ISO/TR 10013:2001—“Guidelines for QMS’s documentation—Bibliography” (item No. 11) should be consulted for further clarification.

Subclause 8.4.2—“Type and extent of control of external provision” Here, too, the key concepts are expressed in line 743 as “the risks identified and the potential impacts”; in line 746 as “the capability of potential controls”; and in line 752 as “documented information describing the results of evaluations shall be maintained.” Concerning line 746, I would raise some questions. In today’s business, more and more organizations buy bulk goods from traders—steel coils and plastics are examples—and bulk services, too, like worldwide inspection or registration. Very often the traders, especially those buying in Asia, don’t know where their goods come from, so it’s difficult for them to trace the controls back to their origin and transmit this information to the buyer. On the other hand, the buyer can’t be expected to sample a cargo of 50,000 tons of steel coils or 100,000 plastics bags, which leaves the responsibility of accepting the cargo, or segregating a part of it, in the hands of the organization’s production manager. ISO 37500—“Guidance on outsourcing—Bibliography” (item No. 19) should be consulted for further clarification.

Subclause 8.4.3—“Documented information for external providers” The requirements expressed in lines 757 and 769–770 go hand in hand with what was written above under 8.4.2. For point c, line 759, refer to subclause 7.1.3 and subclause 7.1.5 above.

Subclause 8.5.1—“Development process” Point c, lines 783–788, seems to express more concern with the development process than with the goods and services themselves, especially in the phrase “the determined risks associated with the development activities....” For point g, line 790, refer to subclause 7.1.3 and subclause 7.1.5 above. Point j, line 796, is also going to raise discussions between auditors, auditees, and consultants. Past experience teaches that, although auditees prefer shortcuts, auditors want to see very detailed, painstaking, and comprehensive documentation that auditees often consider superfluous. Consultants try for a balance, but it’s not always easy.

Subclause 8.5.2—“Development controls”

Concerning point c, line 806, “outputs,” the same comments under subclause 7.5.1 b and subclause 8.5.1 j apply here. Concerning point g, “change control and configuration management,” subclauses 6.3 and 8.6.6, and ISO 10007:2003—“QMS—Guidelines for configuration management—Bibliography (item No. 8 to ) should apply.

Subclause 8.6.1—“Control of production of goods and provision of services” Based on the prominence ISO 9001:2015 gives to services, one would have expected point g and its related Note to be more specific and thorough about validation, approval, and periodic revalidation of any process for providing services. Often services can’t be segregated for final control before they are released to a customer, or preserved after their release.

Subclause 8.6.2—“Identification and traceability” It’s interesting to observe that, while in lines 856–857 the organization must demonstrate that it has met this requirement via “documented information,” point g of subclause 8.3—“The operational planning process” does not require the auditee to create and update any documentation. It’s also interesting to read here, though in a tentative Note, a definition of “process outputs.”

Subclause 8.6.3—“Property belonging to customer or external providers” Concerning the Note in this subclause, the European Union has issued rules by which organizations must nominate a manager to take care of the private data of personnel as well as customers’ and suppliers’ information and data, including product and process specifications and performance. Exactly what a caring restaurant owner would do for his head chef and his recipes. It’s therefore a pity that auditors and auditees mainly address this issue by only looking at packages or tooling.

Subclause 8.6.5—“Post-delivery activities” Point a, line 891, requires that “the risks associated with the goods and services” are taken into account when determining the extent of post-delivery activities. Since “post-delivery activities” are not defined in clause 3—“Terms and definitions,” we must assume the organization and its customer will agree on them, even when not required by the latter. I’m thinking, for example, of predictive-maintenance services for a multimillion-dollar machine about which the customer does not specify much, beyond the basic features, or of an inspection-services organization advising its customer about seaports available on the other side of the world.

Subclause 8.7—“Release of goods and services” Lines 909–910, “Evidence of conformity with the acceptance criteria shall be maintained” fall under subclause 7.5.1.a—“Documented information required by this International Standard,” unless a different agreement is made with the customer. An example might be samples or, in the case of services, assessment by the customer himself. Requirements in lines 913–915 are also addressed in subclause 5.3—“Organizational roles, responsibilities, and authorities,” commented on above.

Subclause 8.8—“Nonconforming goods and services” It’s interesting to note how the requirements in lines 922–923 and 925–926 may impact requirements previously expressed in subclause 8.6.5 b, and which we will be reminded of in subclause 9.1.2—Customer satisfaction, points a and b. Concerning lines 938–939, “documented information describing the nature of nonconformities and any subsequent actions taken, including concessions obtained, shall be maintained,” they echo what’s to be read in subclause 0.3 d—“Risk and preventive action,” that is, “...the key purpose of a formal management system is to act as a preventive tool.” Lines 935–936, “demonstration of correction reverification,” was never brilliant in the previous ISO 9001s, especially in terms of instructions or procedures, and records. Organizations were usually content to put the products in inventory and ship them to customers, or store them for future shipment. Some organizations went as far as reworking products by production batches or by kind of nonconformities, to save time. Such practices are quite unfeasible for most services, which function more like unstoppable streams. Sure, if services only require documentation, it could be done, but when “correction reverification” implies moving people, information, and goods, it becomes much more difficult.

Subclause 9.1.2—“Customer satisfaction” ISO 10004:2012—“Quality management—Customer satisfaction—Guidelines for monitoring and measuring— Bibliography” (item No. 5) and its related Guidelines should be consulted for further clarification. Keep in mind that most organizations use a written or electronic questionnaire to obtain customer-satisfaction data, and that the questions are often so generic they can be applied to a wide variety of goods and services as well as organizations. In addition, these questions are seldom directed to the responsible people within the customer organization, and even if they were, there’s no way to ensure the questions were answered by the responsible manager rather than his secretary. Obtaining credible, dependable data is therefore problematic at best.

Subclause 9.1.3—“Analysis and evaluation of data”

Prior to ISO 9001:2008, there was a specific required role for a management representative with “the responsibility and authority for: c) reporting on the performance of the QMS to top management and any need for improvement.” ISO 9001:2015 includes this instead in subclause 5.3—“Organizational roles, responsibilities, and authorities.”

Subclause 9.2—“Internal audit” ISO 19011:2011—“Guidelines for auditing management systems—Bibliography” (item No. 18) should be consulted for further clarification. This subclause summarizes the hefty Guidelines above, and uses more or less the same wording as ISO 9001:2015’s predecessors, although it emphasizes, in line 1002, “the related risks.” One is therefore likely to interpret these as risks related to the processes concerned with product realization or service provision, but not related to what the previous two editions defined as management and supporting processes. Considering subclause 9.2 a and b (lines 994–996 and line 997), one must wonder why the ISO/TC 176/SC 2 didn’t consider the internal audit process a risky process on its own.

Subclause 9.3—“Management review” ISO 9001:2015’s requirements for this subclause are more or less the same as its predecessors’, including the big failure of not requiring, for evidence, that the QMS actually be reviewed by management, and contenting itself with ensuring the manager’s signature appears at the bottom of the management review report. Some sly auditors require managers to recite the report’s contents, which might be a useful exercise for actors, but not for managers.

Subclause 10—“Improvement” After year 2008, when, as a third-party auditor I pushed organizations to pursue (continual) improvement, the most frequent answer I got was, “Hey, mister, we’re lucky enough to survive and keep our gate open to our employees. What more do you want us to do?” So much for points a, b, and c in this subclause. But maybe I’m going too far: Unless required by the customer or planned by the organization, improvement should be an “opportunity,” not a “shall.”

Annex A—“Quality management principles” A.3 QMP 2—“Leadership” and A.4 QMP 3—“Engagement of people” are commented on above, under different headings. For A.6 QMP 5—“Improvement,” see above as well. Concerning A.7 QMP 6—“Evidence-based decision making,” it’s rare that an organization does not make decisions based on facts, information, and data. Therefore,

we can assume that it's a farily common practice for organizations to systematically collect, identify, and trace the facts, information, and data on which they base their decisions. ISO 9001:2015 subclause 4.4.2—Process approach “The organization shall: d) determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective;” What is the meaning of “unintended output?” Does it mean nonconforming product? Unintended output from a process can be: reprocessed (e.g., chemical industry), scrapped, or sold at a discount. The risk of producing unintended output should theoretically be set at zero or near zero but is rarely achieved; the analogy would be a process operating at 4.5 sigma vs. 5 or higher. The lower the parts per million, the lower the risk of producing unintended output. However, one must not forget that depending on the industry (e.g., medical vs. pencil manufacturers), these risks have different end-user impact and costs. Fortunately this is recognized in the last line of subclause 6.1—Actions to address risks and opportunities. 5.1.2—Leadership and commitment with respect to the needs and expectations of customers “Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that: a) the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed;” This can be achieved by establishing process capabilities for each process from manufacturing and assembly to packaging and product delivery and installation. The computation of a simple indicator of process capability (Cp) or the adjustment of the process capability toward a specification (Cpk) would help managers quantify their process risk. The objective would be to achieve the highest economically feasible capability for each process, thus minimizing the risk of producing so-called unintended output. 6.1—Actions to address risks and opportunities “When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2(4.2 Understanding the needs and expectations of interested parties) and determine the risks and opportunities that need to be addressed to: a) assure the quality management system can achieve its intended outcome(s) b) assure that the organization can consistently achieve conformity of goods and services and customer satisfaction

c) prevent, or reduce, undesired effects, and d) achieve continual improvement.” The context of the word “risks” is difficult to interpret given the requirements stated in a) through d) of subclause 6.1. For example, how does one determine the risks and opportunities to assure the quality management system can achieve its intended outcomes? The intent has always been to ensure that the quality management system is effective, and this is verified via the audit process. The insertion of the word “risk” does not help and confuses things. Nevertheless, these risks can be quantified by simply looking at nonconformance percentages (per process and at final output), but this is already established via the use of process capability measures. “The organization shall plan: a) actions to address these risks and opportunities, and b) how to 1) integrate and implement the actions into its quality management system processes (see 4.4), and 2) evaluate the effectiveness of these actions. Any actions taken to address risks and opportunities shall be proportionate to the potential effects on conformity of goods and services and customer satisfaction.” Good to know and a wise decision, but this could well be seen as an escape clause by many companies. 8.3—Operational planning process “In preparing for the realization of goods and services, the organization shall implement a process to determine the following, as appropriate: b) actions to identify and address risks related to achieving conformity of goods and services to requirements;” This is nothing more than a repeat of what has already been stated. 8.5.1—Development processes “In determining the stages and controls for the development processes, the organization shall take account of: e) the determined risks and opportunities associated with the development activities with respect to 1) the nature of the goods and services to be developed and potential consequences of failure 2) the level of control expected of the development process by customers and other relevant interested parties, and 3) the potential impact on the organization’s ability to consistently meet customer requirements and enhance customer satisfaction.”

This is already done in some industries (e.g., automotive and avionics) but is not likely to be documented for all to see. Who will document these risks for future lawyers to see? If a company acknowledges that there is a small risk (let’s say a one-in-one-million chance) that something wrong could happen, lawyers would say that the company knew that there was a risk and is therefore liable. You can’t have zero risk; no one will want to pay the cost of developing a product with zero risk. This idea to either quantify and/or document risk for all to see is unrealistic from a legal point of view. However, lawyers will love it. 8.6.5—Post delivery activities “The extent of post delivery activities that are required shall take account of: a) the risks associated with the goods and services” This sounds like a rephrasing of warranty-cost analysis; major companies have done this for a long time, but I don’t know about small to medium-size companies. 9.1—Monitoring, measurement, analysis and evaluation “The organization shall take into consideration the determined risks and opportunities and shall:” This is vague, but there are important issues to address relating to inaccurate measurements or insufficient measurements. Gauge repeatability and reproducibility (Gauge R&R) addresses many if not most of these issues and I don’t see how adding the word “risk” brings any value to this paragraph except that now one must think of the missed “opportunities” for measuring (or rather, not measuring) and the associated risk. 9.2—Internal audit “The organization shall: a) plan, establish, implement and maintain an audit program(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit program(s) shall take into consideration the quality objectives, the importance of the processes concerned, the related risks, and the results of previous audits;” Internal auditors would now have to assess the risk of failing to do something or the risk of not following a procedure. This would be challenging to quantify and assess. Potential risks would also have to be assessed, which would be even more challenging. 10.2—Improvement

The Most Important Audit Questions for ISO 9001:2015 By Craig Cochran If you’re preparing to start auditing against ISO 9001:2015, you’ve probably already asked yourself the timeless question: What the heck am I going to ask these people? There’s no worse feeling in the world than being in the middle of an audit and realizing that you don’t have anything to say in the way of questions. Preparation and planning can remedy this, of course, but the fact remains that ISO 9001:2015 includes a lot of new requirements that have never been part of most audits. In order to expedite your thinking, these are what I believe to be the most important audit questions for ISO 9001:2015: 1. What can you tell me about the context of your organization? This question is the starting point of ISO 9001:2015, appearing in section 4.1. The standard uses the clunky term "context," but this could easily be substituted by asking about the organization’s internal and external success factors. Questions about context are usually directed at top management or the person leading the QMS (formerly known as the management representative). As an auditor, you’re looking for a clear examination of forces at work within and around the organization. Does this sound broad and a little vague? It is. Thankfully the standard provides some guidance, saying that context must include internal and external issues that are relevant to your organizations’ purpose, strategy, and goals of the QMS. Many organizations will probably use SWOT analysis (strengths, weaknesses, opportunities, and threats) to help get their arms around context, but it’s not a requirement. What the organization learns with this will be a key input to risk analysis. (NOTE: Not everybody will understand the term ‘context.’ Be prepared to discuss the concept and describe what ISO 9001:2015 is asking for.) 2. Who are your interested parties and what are their requirements? The natural follow-up to context is interested parties, found in section 4.2. The term "interested parties" has a bizarre, stalker-like ring to it, so smart auditors might want to replace it with "stakeholders." Remember, effective auditors try to translate the arcane language of ISO 9001:2015 into understandable terms that auditees can grasp. Typical interested parties are employees, customers, supplier, business owners, debt holders, neighbors, and regulators. As an auditor you’re making sure that a reasonable range of interested parties has been identified, along with their corresponding

requirements. The best way to audit this is as an exploratory discussion. Ask questions about the interested parties, and probe what they’re interested in. If you’ve done some preparation in advance of the audit, then you’ll know whether their examination of interested parties is adequate. That brings up an important planning issue: You will have to do a bit more preparation before an ISO 9001:2015 audit. Why? So you’ll have a grasp of context and interested parties. How can you evaluate their responses if you don’t know what the responses should be? 3. What risks and opportunities have been identified, and what are you doing about them? Risks and opportunities could accurately be called the foundation of ISO 9001:2015. No fewer than 13 other clauses refer directly to risks and opportunities, making them the most “connected” section of the standard. If an organization does a poor job of identifying risks and opportunities, then the QMS cannot be effective, period. Auditors should verify that risks and opportunities include issues that focus on desired outcomes, prevent problems, and drive improvement. Once risks and opportunities are identified, actions must be planned to address them. ISO 9001:2015 does not specifically mention prioritizing risks and opportunities, though it would be wise for organizations to do this. Risks and opportunities are limitless, but resources are not. 4. What plans have been put in place to achieve quality objectives? Measurable quality objectives have long been a part of ISO 9001. What is new is the requirement to plan actions to make them happen. The plans are intended to be specific and actionable, addressing actions, resources, responsibilities, timeframes, and evaluation of results. Auditors should closely examine how the plans have been implemented throughout the organization, and who has knowledge of them. Just as employees should be aware of how they contribute to objectives, they should be familiar with the action plans. 5. How has the QMS been integrated into the organization’s business processes? In other words, how are you using ISO 9001:2015 to help you run the company? This is asked directly of top management (see section 5.1.1c) and is a very revealing question. The point is that ISO 9001 is moving away from being a quality management system standard and becoming a strategic management system. It’s not just about making sure products or services meet requirements anymore. The standard is about managing every aspect of the business. Remember sections 4.1 and 4.2 of ISO 9001:2015? There we examined the key topics of context and interested

parties. These concepts touch every corner of the organization, and this is exactly how ISO 9001:2015 is intended to be used. Top management should be able to describe how the QMS is used to run the company, not just pass an audit. 6. How do you manage change? This topic comes up multiple times in ISO 9001:2015. The first and biggest clause on the topic comes up in section 6.3. Here we identify changes that we know are coming, and develop plan for their implementation. What kind of changes? Nearly anything, but the following changes come to mind as candidates: new or modified products, processes, equipment, tools, employees, regulations. The list is endless. An auditor should review changes that took place, and seek evidence that the change was identified and planned proactively. Change that happens in a less planned manner is addressed in section 8.5.6. Here the auditor will seek records that the changes met requirements, the results of reviewing changes, who authorized them, and subsequent actions that were necessary. 7. How do you capture and use knowledge? ISO 9001:2015 wants organizations to learn from their experiences, both good and bad. This could be handled by a variety of means: project debriefs, job close-outs, staff meetings, customer reviews, examination of data, customer feedback. How the organization captures knowledge is up to them, but the process should be clear and functional. The knowledge should also be maintained and accessible. This almost sounds like it will be “documented” in some way, doesn’t it? That’s exactly right. One way to audit this would be to inquire about recent failures or successes. How did the organization learn from these events in a way that will help make them more successful? It’s the conversion of raw information to true knowledge, and it just happens to be one of the most difficult things an organization can achieve. These are by no means the only questions you’ll want to ask. They’re just the starting point. We didn’t even mention management review, corrective action, or improvement—all of which are crucial to an effective QMS. The seven topics discussed here are the biggest new requirements that auditors will need to probe. About the Author

Craig Cochran has assisted over 5,000 companies since 1999 in QMS implementation, problem solving, auditing, and performance improvement. His most recent book is ISO 9001:2015 in Plain English, available from Paton Professional:http://www.patonprofessional.com/iso-9001-2015-in-plain-english/ Also on Amazon: http://www.amazon.com/ISO-9001-2015-Plain-English/dp/1932828729/ P O S T E D B Y C R A I G C O C H R A N AT 9 : 1 7 P M N O C O M M E N T S :

S A T U R D A Y, D E C E M B E R 1 2 , 2 0 1 5

Thanks to Quality Digest for the interview they did with me on Friday (Dec 10, 2015) during their Quality Digest Live show. What a professional and fun organization to work with. P O S T E D B Y C R A I G C O C H R A N AT 1 0 : 1 8 P M N O C O M M E N T S : LABELS: CONTINUAL IMPROVEMENT, ISO 9001, ISO 9001:2015, ISO 9001:2015 IN PLAIN E N G L I S H , M A N A G E M E N T , Q M S , Q U A L I T Y AS S U R A N C E , Q U A L I T Y M A N A G E M E N T S Y S T E M

F R I D A Y, D E C E M B E R 1 1 , 2 0 1 5

My friends at Quality Digest were kind enough to publish this great article about the new book, "ISO 9001:2015 in Plain English." A big thanks to Mike Richman (QD Publisher) and Dirk Dusharme (QD Editor in Chief). ISO 9001:2015—An Introduction | Quality Digest P O S T E D B Y C R A I G C O C H R A N AT 1 1 : 4 1 AM N O C O M M E N T S : LABELS: CONTINUAL IMPROVEMENT, ISO 9001, ISO 9001:2015, ISO 9001:2015 IN PLAIN E N G L I S H , M A N A G E M E N T , Q M S , Q U A L I T Y AS S U R A N C E , Q U A L I T Y M A N A G E M E N T S Y S T E M

T H U R S D A Y, O C T O B E R 2 2 , 2 0 1 5

Records, Retained Documented Information, and ISO 9001:2015 ISO 9001:2015 does a lot of things right, but using clear language is not one of them. One of the most glaring examples is the transformation of the word “records” into “retained documented information.” That’s right, they took one word and turned it into three. And the three words are not nearly as intuitive as the one word they replaced. Regardless of what you call them, records are the proof of something happening. They are historical, referring to past events. As such, they are not revised. Records might be “corrected” in some cases, but they are never revised. Only documents are revised. (We’ll address documents and their status in ISO 9001:2015 in a future article.) The primary control of records is that of housekeeping: knowing where they are stored, who is responsible, how long they’re kept, etc. Here is a summary of records requirements in ISO 9001:2015:



24 records are required in ISO 9001:2015. This is compared to 21 records required in ISO 9001:2008. Some of the 24 records required by ISO 9001:2015 are actually repeat requirements.



20% of all the record requirements come from section 8.3, Design and development of products and services. That amounts to 5 records, which is the same number required by ISO 9001:2008.



A completely new record that is required in 9001:2015 is retained information on changes: review of changes, persons authorizing the change, and necessary actions arising from change (section 8.5.6)



ISO 9001 continues its redundant ways. ISO 9001:2015 requires records of evidence of processes being carried out effectively TWICE, once in section 4.4.2 and again in section 8.1.e.1.



More redundancy: ISO 9001:2015 requires records that demonstrate conformity of products & services processes TWICE, once in section 8.1.e.2 and again in section 8.6.



5 of the records in ISO 9001:2015 have qualifiers. They are “to the extent necessary” and “as applicable.”



One item listed as “retained documented information” (i.e., record) is actually a document. That is design outputs. Design outputs are living information such as specifications, engineering drawings, recipes, formulas, and bills of material. Since they are living, they are subject to revision, meaning they are documents.



A handful of requirements would be virtually impossible to have evidence of without records, and yet records are not required by ISO 9001:2015. These include context of the organization (4.1), interested parties (4.2), planning of changes (6.3), and customer feedback (9.1.2).



One of the strangest record issues of all is the omission of calibration records in ISO 9001:2015. This has been replaced by the requirement to ‘retain information on fitness of purpose for measuring instruments,’ which would include calibration. I expect many people implementing ISO 9001:2015 will get a bit confused by this.

Do not let anyone tell you that the “correct” terminology is retained documented information. If you like that term, then by all means use it. If you prefer the term ‘records,’ you can use that in its place. Always remember that documents are records are two different things. That one fact alone will make any QMS easier to use and understand. P O S T E D B Y C R A I G C O C H R A N AT 9 : 3 0 P M N O C O M M E N T S : LABELS: CONTINUAL IMPROVEMENT, EXCELLENCE, ISO 9000,ISO 9001, ISO 9 0 0 1 : 2 0 1 5 , Q M S , Q U A L I T Y , Q U A L I T Y M A N A G E M E N T S Y S T E M , R E C O R D S , R E TAI N E D D O C U M E N T E D I N F O R M ATI O N

M O N D A Y, O C T O B E R 1 2 , 2 0 1 5

Nobody believes in communication more than Darryl Keeler. As President of Tech Systems Inc., communication is possibly the single biggest part of his job. After all, Tech Systems Inc.

(www.techsystemsinc.com/) is security systems integrator with employees in over 32 states, Canada, and Puerto Rico. Being a medium-sized company with business across such a wide geographic has its challenges. Darryl Keeler long ago decided that robust and continuous communication needed to be a guiding principle. “Communication is the key factor in maintaining a high level of employee satisfaction,” Darryl assured me. “And satisfied well-informed employees ensure that we have highly satisfied clients.” Darryl personally writes the Friday Finale, a company newsletter summary that ends each week and which goes out to every employee. It maintains a warm touch, covering birthdays, work anniversaries, and anything personal of importance that is happening with teammates. It also addresses business updates from the previous week. TSI Family Emails (TSI stands for Tech Systems Inc) is their way of communicating items that are of high importance to the entire company, sort of “red alert” emails. These include process changes, policy changes, and major customer developments. The TSI Family Emails are one step beyond the Friday Finale’s in terms of business importance. The Tour De Focus is one of the company’s most impressive communication processes. This is where Darryl Keeler travels around the country and meets with every company employee. He simply sits down and asks for comments or opportunities for the company to improve based on individual opinions. These are all captured and recorded, and the leadership team works through all of them and gets back with the folks who suggested the improvements. This entire list is posted on SharePoint for everyone to review, and the ideas always number in the hundreds. The employee portal is the live repository of information that team members use for their jobs. Only the most current versions of documents are available, and it also includes phone lists, updates, tutorials, and training materials. Finally, the leadership team of Tech Systems meets every Monday to go over financials, hot company topics, and opportunities for improvement. The Monday meeting also serves as the primary feeder of information into their monthly management review. Communication is clearly the oil that flows through the engine of Tech Systems Inc. And the president of the company, Darryl Keeler, is head mechanic and communicator. P O S T E D B Y C R A I G C O C H R A N AT 8 : 0 5 AM 2 C O M M E N T S : L A B E L S : C O M M U N I C ATI O N , C O N T I N U A L I M P R O V E M E N T , I S O 9 0 0 0 , I S O 9 0 0 1 , I S O 9 0 0 1 : 2 0 1 5 , L E A D E R S H I P , O R G A N I Z ATI O N A L C U LTU R E , Q U A L I T Y , Q U A L I T Y M A N A G E M E N T S Y S T E M

T U E S D A Y, O C T O B E R 6 , 2 0 1 5

Control of production at I. Technical Services Managing operations can be as simple as ringing a bell. That’s the philosophy that I. Technical Services has taken in Alpharetta, Georgia. I. Technical Services (www.itechserv.com) performs electronic manufacturing services, including PCB assembly, system assembly, test engineering, repair, and logistics. They compete against low-cost companies in Asia and elsewhere, so they have to be as efficient and lean as possible. One of their most efficient processes for managing production is their “bell meeting.” At 9 AM every morning, their production supervisor rings a ship’s bell mounted on the wall. All the managers and supervisors assemble under the bell for a stand-up meeting that lasts about 15 minutes. They discuss what is running that day, what needs to be shipped, and any obstacles or concerns. Important notes are recorded on a white dry-erase board right below the bell. “Everybody leaves that meeting knowing exactly what needs to happen,” Quality Manager, Hector Rivera, stated. “It’s the best investment of 15 minutes you can imagine.” Throughout the day, employees refer to the production notes on the white board, keeping themselves focused on what was agreed to. They ring the bell again at 3 PM every day, and the key players once more gather around the bell. The focus of this later meeting is to get everybody caught up on the current status of production. Where are we right now? What is left to be done? Will we meet all of our commitments today? Resources are re-

arranged, as needed, and last minute roadblocks are removed. The General Manager, Lauren Thompson, summarized the process by saying, “When we come together under the bell, we’re not managers of different departments. We’re a single team working to wow the customer. It reminds us why we’re there in the first place.” I. Technical Services has conducted their bell meeting twice a day for years. It’s a very simple, yet powerful process for controlling production. P O S T E D B Y C R A I G C O C H R A N AT 1 1 : 4 6 AM N O C O M M E N T S : LABELS: CONTINUAL IMPROVEMENT, ISO 9000, ISO 9001, ISO 9001:2008, ISO 9 0 0 1 : 2 0 1 5 , M A N A G E M E N T , M A N A G I N G , Q U A L I T Y AS S U R A N C E , Q U A L I T Y M A N A G E M E N T S Y S T E M

M O N D A Y, S E P T E M B E R 2 8 , 2 0 1 5

Goodbye, Quality Manual Who loves their quality manual? Please give me a show of hands. Hmm, not much enthusiasm. That’s because the quality manual for most companies serves no other purpose than something to give to customers or auditors. Most employees have never seen or heard of their company’s quality manual. And yet it has been a required document of ISO 9001 since the standard was first published. That has changed in ISO 9001:2015. There is no mention of the words “quality manual,” and the only true leftover requirement is that you have to document your quality management system (QMS) scope. I expect that many companies are going to drop their quality manual altogether now that it’s no longer mandated. But wait! Let’s re-imagine the quality manual as a document that actually helps the organization. First of all, let’s get rid of the rehash of ISO 9001 requirements. Most quality manuals feature this, and the rehash constitutes 95% of the words included. If you want to see what ISO 9001 says, get a copy ISO 9001. The quality manual should be completely focused on the company, period. Secondly, let’s think of the quality manual as a sort of “User Guide for the company’s QMS.” What would an employee or interested party need in a user guide? Well, let’s provide the following: 

Structure and contents of the management system



Road map to lower-level documents within the system



Company history and background



Overall process flow of the organization



Company’s products and services described in a clear, practical manner



Organization’s strength and capabilities



What to expect during an audit and how to prepare for one



Responsibilities and authorities of key personnel



The scope of the QMS

Some of these items have always been included in quality manuals, and others are new additions. The point is to assemble all the high-level content that people need to know into one consolidated location. This could be accomplished in 3-4 pages at the most. Since it’s so lean and streamlined, employees might actually see value

in using it. The quality manual could truly become the gateway to your company’s management and business systems. Now we’ve got something useful. But let’s drop the name “quality manual.” Any thoughts for what this information should be called?