Auditing ISO 9001:2000 For Control and Improvement

Use PDCA for control and ACDP for improvement

by J.P. Russell
ISO 9001:2000 4.1c says, "The organization shall determine criteria and methods needed to ensure
that both the operation and control of these processes are effective."
The word "control" is used in the titles of ISO 9001 clauses such as "control of nonconforming
product" and in phrases such as "to carry out processes under controlled conditions."
Other standards contracts, procedures and documents also frequently use the word "control." It is
one of those familiar terms that everyone seems to understand. Each person's understanding may
be a little different, however.
There is no definition of the word "control" in the international vocabulary standard (ISO
9000:2000) either because the dictionary definition is believed to be sufficient or the meaning of
the word is so obvious that it would be silly to try to define it.
Yet understanding of control is central to successful implementation of almost all standards. In
fact, a standard may be thought of as a collection of controls management must implement for
systems such as safety, quality, environment and accounting.
As a manager, I would want to know there is control over the important systems and processes of
the organization. As an auditor, I want to be able to verify sufficient controls exist and report any
shortcomings. Both managers and auditors should agree on the criteria for control.
Cntrol criteria
Some have equated having a procedure with control: no procedure = no control. Unfortunately, it is
not that simple. Having a procedure does not mean there is management control over a process.
I recall interviewing a truck driver for a transportation company. I asked him about the inspection
process for his very expensive cargo. He responded, "Do you want to know what is in the procedure
or what we actually do?" So establishing a method is certainly an important process control tool but
does not guarantee there is management control of the process.
Some standard clauses requiring control include a highly prescriptive list of activities to be
addressed. The control of documents clause in ISO 9001 is a good example of such a prescriptive
list of activities.
There are two problems with relying on the standard to list everything needed for management
control:

It assumes the standard writers could anticipate every situation.

It assumes every clause contains a detailed list of prescriptive requirements.
I don't think standard writers would claim they know everything, and sometimes the requirements
are open-ended, without any specific prescriptive requirements. For example, a standard might
require control of the environment or the conformity of the product without providing a
prescriptive list detailing how to achieve control.
Another place to look for control criteria is ISO 9001:2000, clause 7.5.1: Control of production and
service provision. This is a generic list of things to consider for control of processes and should be
applied as applicable. It is a good list and should be a reference, but it is a list, not a concept. The
list may not be sufficient for all situations and does not address improvement criteria.
A simple, yet powerful, method for testing the existence of controls is to use Walter Shewhart's
plan-do-check-act (PDCA) cycle. The PDCA cycle can be used as a process technique to test for
control (see Table 1).
Process technique to test control
For management to control a process or activity, it must establish a predetermined method.
Without it, there is no basis to adjust or improve the process.
The predetermined method can be in any form and should reflect the level of process risk. Ways a
predetermined method can manifest itself include a procedure, flowchart, outline or series of
pictures.
In one of my first plant management jobs, operators used their knowledge and skills to operate the
process. When we had problems and I attempted to improve the process, I found out each
operator's skills and knowledge were different. I could not improve the operation because the
operating method was a moving target.
So the first thing that had to be done was to establish a consistent method for operating. This is
the plan part of the PDCA cycle.
Now just having a plan does not mean people follow it. There must be some type of assurance
through auditing, monitoring, retrievable records or other means that people follow the plan. This is
the do part of the test cycle.
Just following a plan is not enough to establish management control because every process has at
least two outcomes (good and bad, acceptable and unacceptable). Therefore, management must next
determine the criteria or objectives for success or acceptance. The process must be measured and
monitored against these criteria. As long as the process outputs match the predetermined
acceptance criteria, the process does not need adjustment. This is the check part of the test cycle.

When the results do not match the acceptance criteria (output targets, goals), action must be
taken. This is the act part of the test cycle. The action may be sorting good and bad product or
making adjustments to the process to bring it back in line.
Management control exists when the process or activity is planned, implemented, measured and
acted upon. Based on this article's discussion so far, a possible definition for management control
would be the following:
Management control: when predetermined plans are followed, monitored against acceptance
criteria and adjusted as needed to achieve objectives.
However, ISO 9001:2000 requires more than just effective control. There must be continual
improvement, too.
Continual improvement
A system or process must be changed to improve it. Improvement is not a matter of working
harder or being more careful. If there is no change in some aspect of a system or process, the
outcomes will always be the same.
To test for improvement, we can use PDCA again, only backwards, as the ACDP (analyze-change-doprosper) improvement cycle (see Table 2).
Many of us are familiar with what often happens to all the records and data collected--they are
put into storage never to see the light of day again. For improvement to take place, the data must
be analyzed for trends and identification of weaknesses. This is the analyze step of the ACDP
improvement cycle. By comparing results to goals and objectives, we must analyze process data to
identify risks, inefficiencies, opportunities for improvement and negative trends.
A change could be a change in procedures, but also in other elements of the process, such as the
acceptance criteria or method of monitoring. Changes in equipment or technology may also be
necessary for continual improvement. The merits of any change should be evaluated. This is the
change part of the improvement cycle.
The do step of the cycle is the implementation of the change. Auditors can verify changes actually
took place by reviewing documents and interviewing area personnel.
Continual improvement should enable the organization to prosper in some manner. Improvement may
be quantified as increased profitability, lower costs, lower exposure of the organization to risks,
gain in market share or some other measure of improved effectiveness and efficiency. Sometimes
organizations group changes and assess the effectiveness of several changes to the process. This
assessment represents the prosper step of the improvement cycle.

Auditing for control and improvement

When standards require control and improvement, both management and auditors need to know the
components that must exist. It is management's job to establish and implement controls and ensure
there is continual improvement.
It is the auditor's job to gather audit evidence to verify conformance to requirements. In the
absence of specific guidance in performance standards (required procedures, records or schedules),
it is essential that management be able to demonstrate conformance to requirements.
Thus, the PDCA and ACDP cycles are process tools that can be used as guides to test for control
and continual improvement. The PDCA cycle establishes control of a process. Control is required by
standards and is a good business practice.
The ACDP cycle should be used to test for improvement. ISO 9001:2000 requires continual
improvement. Improvement can only come from change.

Where Does Quality Begin?

It begins with the PDCA cycle and an understanding of variation--not with ISO 9001

by Dale K. Gordon

Every day quality professionals struggle with the eternal question that keeps them employed: How
do we make things better?

At a recent meeting of an organization's quality professionals, I asked, "What do you believe the
sources of your troubles are?"

They all had detailed explanations for individual problems, but my question was about the quality
system. They sat silent for a minute and then agreed they had a quality system certified by an
accredited third party and approved by their customers. "How could the cause of our problems be
the quality system?" they asked.

I then asked what was probably the most difficult question of all: "Can you describe what your
quality system is and how it prevents the troubles you are having?" This, of course, was greeted
with more silence and finally agreement that their quality system was ISO 9001.

And therein lies the problem.

Many people--managers in particular--define the quality system of an enterprise as ISO 9001 or

any identified standard their system is built around. ISO 9000:2000 defines a system as a "set of
interrelated or interacting elements" (clause 3.2.1) and defines a quality management system as "a
management system to direct and control an organization with regard to quality" (3.2.3).

Deming's views

If we go back to W. Edwards Deming's views, we are reminded of his views of a "system of

profound knowledge," which consisted of:
Appreciation for a system.
Knowledge about variation.
Theory of knowledge.
Psychology.

Deming said the various segments of the system of profound knowledge cannot be separated but
interact with each other. Thus, knowledge of psychology is incomplete without knowledge of
variation.

The same can be said of any quality management system. It is a collection of subsystems,
processes, knowledge, variation and people who execute the system, all interrelated and managed by
those charged with that responsibility. It is not ISO 9001 or any other standard. The quality
system is whatever the organization decides it is with all its defined (or undefined) processes,
people, variation and knowledge inherent in the system.

In the same meeting of quality professionals, I next asked this obvious question: "If you related all
of your problems to a paragraph of the standard on which the quality system is built, then added all
the findings from internal and external audits against your system, and then performed a Pareto
analysis of the nonconformances found in the system, what would you conclude is the problem with
your quality system?"

The responses came back almost instantaneously: corrective and preventive action followed by
process control and supplier control. "These are related to more than 80% of the problems we are
having," they answered.

I thought about this for a moment and then asked about design control or, in the new vernacular,
planning of product realization. The heads shook mightily: "No problems there; in fact, we hardly
ever have any findings in that area."

I contend thinking that way is part of the problem.

Shortchanging "plan" and "act"

We tend to be real good at the "D" and "C" (do and check) parts of the PDCA cycle, but plan and
act always seem to get shortchanged. In ISO 9001:1994, clauses 4.4.1 (design planning) and 4.4.4
(design inputs) indicate the design process must consider customer, regulatory and statutory
requirements.

The same holds true for the new version (ISO 9001:2000) under paragraph 7.1 (planning of product
realization) and 7.3.2 (design and development inputs). Both indicate the need for structured
planning and consideration of specification requirements and customer, statutory and regulatory
needs.

Nowhere in these sections is there anything about learning from process and product failures and
then designing or redesigning to eliminate them. The ISO 9001:2000 revision even goes so far as to

include a process/continuous improvement cycle description and reference to the PDCA cycle. But it
does not mention that the design stage is where the planning is most important and where the
acting needs to take place.

So we ask ourselves some of the following questions:

What is it about our quality systems that does not function correctly?
Why do preventive and corrective actions always seem to top the list?
Is it because we lack the fortitude to make the structural changes in our systems that would truly
prevent problems from recurring?
Is the investment in fixing that much less than the investment in preventing the problem to begin
with?
Do we really design for manufacture and use what we learn from our process control failures to
redesign the product?
Do we really listen to our suppliers and understand why they fail to interpret our design
descriptions or process specifications and repeatedly fail to meet specifications?
Do we work with the manufacturing organization and suppliers to match process capabilities to
design needs?
Do we really understand the sources of variation in our processes (both mechanical and human) and
have actions in place to eliminate them or at least eliminate the ones that have the greatest impact
on our ability to meet requirements?

More and more, the answers to these questions are coming from programs or initiatives such as Six
Sigma, lean thinking or the old value engineering or reengineering all the way through the supply
chain.

Many times these activities are seen as being outside and separate from the quality system or as
extra management efforts aimed at improving both customer satisfaction and cost control. The
issue with these programs or activities is they are applied well after the product is designed and
the failures have occurred.

So there are more questions:

How do we measure the design activity?
When the design activity is audited, how knowledgeable are the auditors about the design processes
and their relationships to the manufacturing and customer delivery processes?
How well do activities such as design reviews take into account the ability of the procurement
process to translate design ideas into tangible product?

These questions are not found in the ISO 9000 or spin-off quality system requirements. In fact,
when you look for discussion of corrective action in ISO 9001:1994, you find there is little that
points back to the origin of the product. Clause 14 (in ISO 9001:1994) refers more to the process
of corrective action and to the documentation of the process than to an evaluation of the causes all
the way back to the original design assumptions. It focuses on systems rather than individual
processes.

The same is true of ISO 9001:2000. While the combination of clauses 8.4 and 8.5 does a better
job of indicating the action is more important than the documentation, the standard is still focused
on the generic corrective action process and its execution rather than on the thorough examination
of causes all the way back to the design element.

Rarely do I find Six Sigma, kaizen, value engineering or other similar activities are the documented
preventive action part of a quality system.

Response of automotive and aerospace industries

Automotive and aerospace are among the industries that have addressed this quality system
problem in a strict ISO 9000 world by adding requirements. In the automotive world you find such
additions as advanced product quality planning (APQP), potential failure mode effects analysis
(FMEA) and production part approval process (PPAP), in addition to the ISO 9001 based QS-9000
requirements.

In aerospace you find FMEA, control of key characteristics (AS9103) and strict process change
control, in addition to AS9100, another ISO 9001 based requirement.

Are these requirements considered part of the quality system? Sometimes they are not, because
they are not strictly defined as ISO 9000 requirements. But they are necessary parts of the
system and need to be treated as such.
Two lessons
So where does that leave quality professionals? The lesson here is twofold:
1. ISO 9001 or other standards are not the quality system. The system is a culmination of whatever
the organization says it is through the processes, activities and knowledge it uses to meet product
specifications and customer needs. The documentation and execution may meet ISO 9001, but I
suspect much that is a part of an organization's quality system is not included in the quality system
documentation.
2. The system is only as good as its design and execution. Its design includes the product design. If
we do not design the system so we can learn and incorporate that learning into new processes,
designs and systems, we are doomed to repeat the mistakes of the past. Then we'll go chase some
new thing (such as Six Sigma) while deriding our quality systems, people or processes for being
inadequate for the modern age.
So I take you back to Deming and Walter M. Shewhart (actual creator of the PDCA cycle) and tell
you variation is the enemy and the quality system is more of an internal culture than an actual thing.
You have to understand how all the elements of the system fit together if you want to make an
improvement. The PDCA cycle does work, when accompanied by knowledgeable management and
some good luck.

ISO 14004 To Offer Practical Guidance

More examples and alignment to be among the improvements

by Marilyn Block

The release of ISO 14004 accompanied the publication of ISO 14001, the environmental
management standard, in 1996. ISO 14004 was billed as a general guideline on environmental
management principles, systems and supporting techniques.

That initial guidance effort was limited by an inability to draw on actual experiences--ISO 14004
was written concurrently with ISO 14001 and was published before organizations began
implementing environmental management systems (EMSs) that conformed to ISO 14001
requirements. As a result, ISO 14004 has been viewed by many as having little to offer
organizations with more than the most rudimentary approach to environmental management.

Like its ISO 14001 counterpart, ISO 14004 is now being revised. Unlike ISO 14001, ISO 14004 is
in the process of undergoing significant cosmetic and substantive changes. In fact, readers familiar
with ISO 14004:1996 will find the new committee draft no longer bears a strong resemblance to its
predecessor.

Practical information

A general characteristic of the ISO 14004 revision is far greater emphasis on practical
information based on user experience during the last five years.

Connie Glover Ritzert, chair of the U.S. Technical Advisory Group to ISO Technical Committee
207's subcommittee 1 on environmental management systems and subcommittee 1 working group
expert, explains: "As part of this emphasis, we have added more examples, including some crosscutting ones that tie key parts of the EMS together in illustrations."

One of the major challenges in revising ISO 14004 has been staying consistent with ISO 14001,
which is a moving target at present. The two standards are on the same revision schedule, so it has
been difficult to reach consensus on issues that are strongly influenced by the direction taken in
ISO 14001.

Because ISO 14004 is a guidance document, it can go beyond the concepts in ISO 14001 as long as
it presents the same basic picture of an EMS. Ritzert says, "We are making a concerted effort to
maintain consistency while not portraying ISO 14004 as an interpretation of ISO 14001."

One of the ways ISO 14004 shows consistency between the two standards is by aligning its clauses
more directly with ISO 14001. ISO 14004 also continues to use the definitions presented in ISO
14001 and describes the same continual improvement model.

Specific changes

The most significant changes in the revised draft are:

Elimination of the five principles.
Use of help boxes.
Presentation of five approaches to pollution prevention.
Expansion of the environmental aspects clause.
Agreement on the need for a broader view.
Provision of help on compliance commitment and expansion of emphasis on objectives and targets.

Elimination of the five principles. The current version of ISO 14004 begins with a discussion of five
principles (commitment and policy; planning; implementation; measurement and evaluation; and review
and improvement). It then inserts them into a modified version of the EMS model that appears in
ISO 14001.

ISO 14004 then uses the five principles to group EMS elements. As part of the effort to be more
practical, discussion of these five principles has been removed. Instead, the standard begins with a
discussion of the EMS's PDCA (plan, do, check, act) model. ISO 14004 has been revised so this
model (see Figure 1) is now the same as in ISO 14001

Use of help boxes. ISO 14004 contains a series of practical help boxes with suggestions to assist
readers in conducting activities required by their EMS. For example, one box on prevention of
pollution has been added to support the clause on environmental policy.

Presentation of five approaches to pollution prevention. The proposed text presents a hierarchy of
approaches:

1. Source reduction (including material substitution; process, product or technology changes; and
efficient use and conservation of resources.

2. In-process recycling or reuse.

3. Other recycling or reuse.

4. Treatment and recovery.

5. Control.

The text suggests organizations employ incineration or other forms of disposal only after the
options offered in this hierarchy have been considered.

Expansion of the environmental aspects clause. The clause on environmental aspects has been
greatly expanded to help organizations better understand what is meant by and involved in
identifying environmental aspects and evaluating their impacts.

It has been difficult to revise this clause because there are a variety of understandings and
experiences among practitioners and users of the standard. ISO 14001 defines an environmental
aspect the same way ISO 14001 does: any element of an organization's activities, products or
services that can interact with the environment.

Agreement on the need for a broader view. Although consensus has not been reached on a number
of points around the issues of identifying aspects, evaluating impacts and assigning significance, it
has been agreed a broader view is warranted than was expressed in the 1996 standard. Ritzert
notes, "Working group experts did reach agreement that criteria for 'significance' could include
consideration of environmental and legal concerns and the concerns of interested parties..."
The committee draft document had specifically asked for comments on two proposed methods for
determining aspects, impacts and significance. It also asked whether the final standard should
contain more than one example of methods for determining aspects. It is likely this clause will be
subject to a great deal of debate before final language is established.
The clause on legal and other requirements has been expanded. Proposed language clarifies what is
meant by "access to" these requirements. A new section differentiates between legal and other
requirements by explaining what "other" comprises.
Provision of help on compliance commitment and expansion of emphasis on objectives and targets.
To more clearly establish the link between this clause and the environmental policy (which is
required to commit to compliance with legal and other requirements, per ISO 14001), a practical
help box on commitment to compliance has been added.
Readers of ISO 14001 know environmental objectives and targets must reflect the environmental
policy. Moreover, significant environmental aspects and legal and other requirements are among the
issues that must be considered.
Therefore, more emphasis has been placed on the process of setting objectives and targets, and
the table of examples has been expanded. A new section on the need to evaluate organizational
performance in achieving objectives and targets incorporates concepts from ISO 14031, a guideline
for creating internal management processes and tools to provide ongoing information to determine
whether an organization is meeting established criteria.
Other expansion
Other clauses that have benefited from expanded discussions include:
Communications. This clause has been reformatted to distinguish among general benefits of
communication, internal communication, external communication and processes to enhance
communication.
Operational control. This clause now addresses identifying the need for controls and establishing
and evaluating them.

Monitoring and measurement. This clause clarifies the purposes of monitoring and measuring
activities and offers a table of examples.
Evaluating regulatory compliance. ISO 14001:1996 addresses the need to periodically evaluate
regulatory compliance as part of the clause on monitoring and measurement. The revised ISO 14001
document moves this paragraph out of monitoring and measurement into its own numbered clause.
For consistency, ISO 14004 proposes a new clause on evaluating compliance.
Nonconformance and corrective and preventive action. Considerable text has been added to this
clause, which is only two sentences in the current version of ISO 14004. The revision addresses the
need for a systematic approach in identifying and responding to nonconformances. It also provides
examples of nonconformances.
Continual improvement. This clause has been reformatted into three separate sections: establishing
the purpose of continual improvement, identifying opportunities for improvement and implementing
continual improvement. A new practical help box provides examples of improvements.
Annex A. In the 1996 standard, this annex provided two examples of international guiding
principles: The Rio Declaration on Environment and Development, produced at the United Nations
Conference on Environment and Development in Rio de Janeiro in June 1992 and The Business
Charter for Sustainable Development, created in Paris in 1991 by the International Chamber of
Commerce.
The new Annex A illustrates the implementation of an EMS by presenting three examples--an
activity, product and service--and showing a commitment in the environmental policy, significant
environmental aspect, objective and target arising from the policy and aspect, and method for
monitoring environmental performance for each example.
Although a great deal of wordsmithing is likely to result after comments on the committee draft
are received, it appears the format, tone and focus of ISO 14004 are well-established.
Efforts to enhance the utility of ISO 14004 by aligning it more directly with ISO 14001, clarifying
language and concepts, and incorporating a variety of examples that reflect actual experience
suggest ISO 14004 is well on the way to becoming what it was always intended to be: a guidance
document that assists in implementing an effective environmental management system.
ISO 14004 is expected to be released in early 2003.

Add Value to ISO 9001:2000 Audits

The standard's revision provides the opportunity to help organizations improve the way they do
business

by Sandford Liebesman

Quality auditors have been criticized for not adding value to what they do for clients. The ISO
9001:2000 revision1 provides an opportunity to change this.

The ISO 9001 developers believed the revision should define a universally understood quality
philosophy. The standard's development was then based on eight quality management principles that
form the basis of a superior quality management system (QMS).2, 3, 4

Correspondingly, structuring audits around these principles to improve an organization's processes

should improve customer satisfaction and product/service quality and reliability. These principles
are not requirements of ISO 9001:2000. Organizations just bent on obtaining a certificate may not
concern themselves with this higher view.

Using the principles to audit

Auditors can use the eight principles to create an organizational mind-set that views quality on a
higher plane:

1. Customer focus. ISO 9001:19945 aimed to achieve customer satisfaction by "preventing

nonconformity at all stages from design through to servicing." ISO 9001:2000 broadens this
concept to include management responsibilities to communicate with customers, monitor and
measure customer satisfaction and develop improvements related to customer requirements.

An important role required of top management is to communicate to staff the importance of

meeting customer requirements. Top management must also monitor customer satisfaction
information, tying it to continual improvement.

By auditing the following requirements in the standards related to customer focus, auditors add
value to the process:
Ensure customer requirements are determined and met and customer satisfaction is enhanced
(customer focus, element 5.2).
Promote awareness of customer requirements (management representative, 5.5.2).
Provide resources to enhance customer satisfaction (6.1).
Determine requirements specified and not stated (7.2.1).
Communicate (includes complaint handling) with customers (7.2.3).
Handle customer property (7.5.4).
Monitor, measure and analyze customer satisfaction information (8.2.1, 8.4).
Input customer feedback to management review (5.6.2).
Take actions based on management review related to customer requirements (5.6.3).

2. Leadership. Top management's commitment to the QMS has been greatly expanded by the ISO
9001:2000 requirements. Management's role centers on fulfilling customer requirements,
communicating with customers as described in the previous section, communicating with staff, and
planning and assuring the continual improvement of the QMS.

Auditors should verify the major top management responsibility of assuring objectives are
measurable--an important part of the continual improvement process--and tied to the quality policy.
A framework must be developed for establishing and reviewing objectives.

The following requirements relate to leadership:

Communicate top management commitment (5.1).
Determine customer requirements and enhance customer satisfaction (5.2).
Include commitment to continually improvement in the quality policy (5.3).
Plan and establish measurable quality objectives (5.4).

Assure responsibilities are defined and communicated (5.5.1).

Appoint the management representative (5.5.2).
Communicate the effectiveness of the QMS (5.5.3).
Conduct management review of the QMS (5.6).
Understand top management's role in continual improvement (8.5.1).

3. Continual improvement. A key new requirement is to improve the effectiveness of the QMS using
an improvement loop (8.5.1) consisting of quality policy (5.3), quality objectives (5.4.1), audit results
(8.2.2), analysis of data (8.4), corrective and preventive actions (8.5.2 and 8.5.3) and management
review (5.6).

Continual improvement is at the heart of the auditor's value added activity. Does the organization
use all the tools at its disposal to improve over time? The auditor should carefully review how the
improvement loop is working to improve the products and processes.

The following requirements relate to continual improvement:

Plan to continually improve the QMS effectiveness (4.1, 5.4.2).
Plan and implement the improvement processes (8.1).
Report on the QMS performance and the need for improvement (management representative,
5.5.2).
Provide resources to continually improve the QMS effectiveness (6.1).
Monitor the improvement loop (8.5.1).

4. Involvement of people. Involvement of people revolves around assuring the competency of the
staff. The key requirements focus on the effectiveness of training, awareness of individual
contributions and an effective work environment.

Competence has to do with the long-term capability of the organization to perform effectively.
The auditor should review how the organization determines its needs and fulfills them by increasing
employee capabilities. It can be difficult to assess training effectiveness.

The following requirements relate to involvement of people:

Determine the competency needs of the organization (6.2.2).
Determine individual competencies and qualifications based on education, training, skills and
experience (6.2.1 and 7.5.2).
Evaluate the effectiveness of training and other actions (6.2.2).
Ensure employees are aware of their contributions to the quality objectives (6.2.2).
Determine and manage the work environment (6.4).
Assure awareness of requirement changes (7.2.2).

5. Factual approach to decision making. The use of information in decision making starts with
measurable quality objectives and requires the objectives be consistent with the quality policy.
Data must be gathered, analyzed and assessed against the objectives.

At issue for the auditor are the analysis and use of data. The data should be available and used for
measuring and improving processes, product quality and reliability, and customer satisfaction. Many
organizations gather data but do not use them effectively for improvement. Customer satisfaction
data are especially difficult to gather and use effectively.

The following are requirements relating to a factual approach to decision making:

Document the quality objectives (4.2.1).
Ensure objectives are measurable and consistent with quality policy (5.3, 5.4.1 and 5.4.2).
Assess the need for changes to the quality objectives (5.6.1).
Determine the objectives and requirements for the product (7.1).

Assess improvements in customer satisfaction, product quality, processes, suppliers and the QMS in
general (8.4).

6. Mutually beneficial supplier requirements

ISO 9001:2000 simplifies supplier management requirements. Note, too, that control of
outsourced processes is different from management of suppliers and must be identified in the
QMS.

The following requirements relate to a factual approach to decision making:

Control suppliers and purchased products based on their effect on the final product (7.4.1).
Select, evaluate and re-evaluate suppliers (7.4.1).
Assess requirements prior to communication to suppliers (7.4.2).
Use data analysis to improve suppliers (8.4).
Control outsourced processes (4.1).

7. Process approach. The elements of a process are inputs, outputs, controls and resources. A
process, constrained by the controls, converts the inputs into outputs using the resources. The
major structural change to ISO 9001 is the creation of four superprocesses and the requirement
to identify, monitor, measure, analyze and improve all QMS processes.

A fundamental issue for auditors is to determine the organization's understanding of processes.

Auditors also must identify the methods of managing outsourced processes--a key in today's
contract manufacturing environment.

Six processes must be documented: control of documents, control of records, internal audit,
control of nonconforming product, corrective action and preventive action. How do you audit a
process that is not documented? One solution is to interview some process users and look for
consistency. The auditor can also review the process records.

The following are requirements relating to the process approach:

Identify and control processes needed in the QMS, including outsourced processes (4.1).
Include process performance in management review as an input and actions to improve processes as
an output (5.6.2 and 5.6.3).
Ensure consistent planning of product realization (7.1).
Monitor, measure, analyze and improve processes (4.1, 8.2.3).
Analyze data to provide information on characteristics and trends of processes (8.4).
8. System approach to management. A QMS is a system of processes linked to effectively manage
the quality of products and services. A main requirement is to determine the sequence and
interaction of these processes.
A second major consideration is the issue of exclusions allowed only in section 7. The auditor has a
role in reviewing the exclusions and determining whether or not they are justified.
The following requirements relate to the system approach:
Determine the sequence and interaction of processes (4.1).
Justify exclusions (1.2).
Ensure processes needed for the QMS are established, implemented and maintained (management
representative, 5.5.2).
Plan and develop the processes and records to show the realization processes and products meet
requirements (7.1).
Manage customer related processes (7.2), design and development processes (7.3), purchasing
processes (7.4), production and service provisions (7.5) and monitoring and measuring devices (7.6).
Plan and implement monitoring, measurement, analysis and improvement processes (8.1).
It is clear auditing has grown in complexity. Auditors can no longer simply go through the standard
element by element.
The eight quality management principles transcend the basic elements and must be identified and
continually improved within an organization. While this may add challenge to the job of auditing, it
also leads to many opportunities for auditors to be value added suppliers.

The Whole Truth And Nothing But the Truth

Lying to the FDA will always get you in trouble

by Les Schnoll

It usually starts as a little white lie. The worst case finale is a not so brief vacation at the federal
penitentiary. The philosophy is usually the same: What they don't know won't hurt them. The truth
is what they don't know (or what you don't tell them) will hurt you.

It is sometimes only the misguided beliefs of a single person in an organization; at times it is the
result of the ill-advised values of an entire company. In any event, the action will invariably get you
in trouble. The incident: lying to the Food and Drug Administration (FDA) about a medical device,
pharmaceutical or food product your organization manufactures.

Potential consequences include those with which most of us in the field are familiar, ranging from a
Form 483 to regulatory letters, fines, consent decrees and injunctions. At times, the organization
and its employees can be prosecuted--and the conviction rate is pretty high.

"So what? I won't get caught," you say. Or, "That's why we have lawyers."

Not a good mantra. Those organizations and staff who think they can get away with lying are usually
not aware of a good friend of the FDA, namely the Department of Justice. Let's not forget that
FDA investigators are officers of the government and, as such, can rely on their fellow
representatives to provide assistance. That's where Title 18 of the United States Code comes into
play.

Considered crimes

Title 18 is a broad set of regulations dealing with crimes and criminal procedures that are under the
jurisdiction of the Department of Justice. Part one (crimes) includes chapter 47 on "Fraud and
False Statements." You should keep in mind a couple of sections in chapter 47 if you decide to be
less than honest with a representative of the U.S. government.

Section 1001 (Statement or Entries Generally) applies in any matter within the jurisdiction of the
executive, legislative or judicial branches of the government, which about covers it all. It applies to
anyone or any organization that knowingly and willfully:

Falsifies, conceals or covers up by any trick, scheme or device a material fact (participates in a
cover-up).

Makes any materially false, fictitious or fraudulent statement or representation (doesn't tell the
truth).

Makes or uses any false writing or document knowing the same to contain any materially false,
fictitious or fraudulent statement or entry (falsifies data).

Conviction under section 1001 can lead to pretty steep fines and imprisonment up to five years.

Section 1031 (Major Fraud Against the United States) is an area in which you are best advised not
to get involved. This section applies to anyone who knowingly executes (or attempts to execute) any
scheme or artifice with the intent to defraud the United States or obtain money or property by
means of false or fraudulent pretenses, misrepresentations or promises.

In other words, if an organization has a contract with a federal agency and, for example, falsifies
information to obtain that contract, section 1031 kicks in. Now the government cuts a little slack
here: To be prosecuted under section 1031, the organization must be a prime subcontractor (or
subcontractor to a prime subcontractor) of the United States, and the contract has to be $1 million
or more.

The penalties for conviction for this type of indiscretion can be a fine of up to $1 million and 10
years in prison. Then again, those penalties can be more (including fines up to $10 million) if the loss
to the government or the gross gain to the guilty party is $500,000 or more or if the offense
involves a "conscious or reckless risk" to public safety. The regulations also provide the courts an
opportunity to impose additional sanctions.
Falsifying documentation
Now that we're aware of the Department of Justice, another possible result of lying to the FDA or
falsifying documentation provided to the agency is a process known as AIP, or Application Integrity
Policy. The source of this policy is chapter 10 of the FDA Office of Regulatory Affairs' Regulatory
Procedures Manual.
AIP focuses on the integrity of data and information in applications submitted to the FDA for
review and approval. To put this into perspective, note that the original title of the regulation
published in the Federal Register (56 FR 46191 on Sept. 10, 1991) was "Fraud, Untrue Statements
of Material Facts, Bribery and Illegal Gratuities: Final Policy."
AIP describes the FDA's approach regarding the review of applications that may be affected by
wrongful acts raising significant questions about data reliability. If an organization is placed on AIP
status (and this is a very small fraternity), the FDA will defer scientific review of any applications
submitted by the company until it is satisfied the information provided is reliable.
Generally, AIP is invoked after the observation of a pattern of falsified information (more than one
instance) of material facts (a false statement, misstatement or omission of a fact). These instances
are classified as wrongful acts and defined as "any act that may subvert the integrity of the review
process."
Wrongful acts include (but are not limited to) submitting a fraudulent application, offering or
promising a bribe or illegal gratuity, stating an untrue statement or material fact, submitting data
that are otherwise unreliable due to patterns of errors, whether caused by incompetence,
negligence, practice or systemwide failure to ensure the integrity of data submissions.
Once a company is placed on AIP status, it's not easy to get off. Revocation of AIP is based on the
guilty organization's conducting a credible and adequate internal review to identify all instances of
wrongful acts. The review typically involves a qualified outside consultant approved by the FDA and
submission and execution of a corrective action plan that includes:
A commitment to ensure safety, efficacy and quality.
A description of corporate ethics and compliance programs.

A process for effective communication of the company's ethics, quality and compliance programs to
personnel through written procedures and training.
Steps to address current wrongful acts.
In addition, the organization must withdraw any questionable applications and commit in writing not
to refile or reactivate any application not included in the validity assessment until the FDA is
satisfied with the reliability of the information. The organization is required to submit a new
application when a validity assessment indicates an application contains unreliable data and the
company wishes to replace the data.
It makes good business sense--and it's easier--to be honest. If you say you're following a certain
procedure or process, you'd better not be fudging the truth. George Washington was right when he
supposedly said, "I shall not tell a lie."
Note: If readers have any questions or concerns, they should contact their companies' legal
counsels or member of their compliance hotline (such as compliance officer or ombudsman). This
article is not intended as legal advice but is expected to make readers aware of the law and risks
associated with prevaricating, dissembling or otherwise being less than candid with the FDA.

ISO 9001:2000's Process Approach

A new concept or the same old stuff?

by John E. "Jack" West

With all the guidance on ISO 9001:2000 already published, you would think everyone would
understand the process approach as a basic concept of the revised standard.

Jeffrey H. Hooper discussed this approach in an earlier article in Quality Progress,1 and chapters
two, eight, 11, 12, 20, 30 and 42 in the ASQ ISO 9000:2000 Handbook2 deal extensively with the
topic. In addition, International Organization for Standardization, known as ISO, Technical

Committee 176 provides a guidance document (ISO/TC 176/SC2 N544R) available for free
download.3

Perhaps all this guidance makes people think the process approach concept is more difficult than it
is. I regularly receive questions on it. In fact, most of the questions I get about ISO 9001:2000
relate in some way to the concept. Usually the answers are very simple, and this article will answer a
few of the most common questions.

Q: I understand the definition and concept of process approach, but how the requirements related
to processes differ from the previous standard's requirements is not clear to me. Wasn't the
process approach included in ISO 9001:1994? And if it was, what is different in ISO 9001:2000?
Why is there so much emphasis on the process approach now?

A: First, let's review the underlying principles related to this subject. If you are not familiar with
the eight quality management principles, you can find them in ISO 9000:2000 or ISO 9004:2000. A
brochure related to them is available on the ISO Web site.4 Two of these eight principles are key
to understanding the process approach concept:

"Process approach--A desired result is achieved more efficiently when activities and related
resources are managed as a process." This principle applies to individual processes.

"System approach to management--Identifying, understanding and managing interrelated processes

as a system contributes to the organization's effectiveness and efficiency in achieving its
objectives." This principle applies to the whole quality management system (QMS).

So the QMS may be seen as using both concepts. A more extensive discussion of these concepts
and their relationship to quality management system documentation can be found in chapter 12 of
the ASQ ISO 9000:2000 Handbook.5

The use of processes operated under controlled conditions was required in ISO 9001:1994 for
processes related to making products and delivering services. Clause 4.9 of ISO 9001:1994 required

organizations to "identify and plan the production, installation and servicing processes that directly
affect quality and shall ensure that these processes are carried out under controlled conditions."

The 1987 and 1994 versions of ISO 9001 used a procedural approach, putting procedural
requirements on activities and functions. Except for clause 4.9, the 1994 standard did not directly
address processes of the system, nor did it directly connect the process approach with the systems
approach to management.

ISO 9001:2000 recognizes the entire system is made up of interrelated processes, so in addition to
consideration of the processes for product realization (see clause 7.1), you must identify and
manage the processes for the whole system.

For many organizations this concept will not prove to be a major change. If an organization has used
flowcharts or process maps and has developed a process emphasis, then it is certainly possible the
new standard will require no difference in approach.

Certainly some organizations used this process approach for their whole QMS, even with the '87
and '94 versions, but it was not a requirement.

Q: What are we really expecting from an organization for it to be in compliance with Clause 4.1 of
ISO 9001:2000?

A: The basic requirement of clause 4.1 is that the organization "establish, document, implement and
maintain a QMS and continually improve its effectiveness." Clause 5.4.2 requires the QMS be
planned to meet the requirements of 4.1 and the quality objectives required in 5.4.1.

In planning the system, the organization must take two things into account: meeting ISO 9001:2000
requirements and meeting its own quality objectives. Clause 4.1 gives the minimum requirements for
determining the processes of the system and managing them to meet the objectives and achieve
continual improvement.

The output of this planning process includes the documents required in clause 4.2: the quality
manual (showing the interaction of the processes), the documented procedures required by ISO
9001 and other documentation as needed to ensure effective operation of the system.

Certainly one of the best methods to meet these requirements is the inclusion of process diagrams
in the manual or use of flowcharts of the key processes. While such charts are not specifically
required, they are beneficial. The focus, however, should be on developing a system that
concentrates on meeting the quality objectives while still meeting the requirements of ISO
9001:2000.

Q: The requirement for the quality policy contains some new aspects not included in the 1994
standard. One requires the policy to have a framework for reviewing quality objectives. What is the
intent of this change?

A: The policy should set the organization's direction regarding quality, and the objectives should
flow from that policy. For example, if an organization needs to increase its sales (a business
objective), the quality policy may state that the organization will focus on "enhancing customer
satisfaction to gain loyal and long-term customers."

A specific quality objective within this framework might be: "Improve customer satisfaction survey
scores by 31% over three years." Or "each executive will visit two customers every quarter to
assess the customers' perception of satisfaction."

During management reviews, the top managers would look at progress on meeting the objective. If
conditions change, the organization may need to change either the policy or the objective to meet
those new conditions.

Maintaining this linkage between the policy and the objectives is particularly important when we
consider that clause 5.4.2 requires planning the QMS to meet the organization's objectives as well
as the process approach requirements of clause 4.1. Changes in policy or objectives may well
necessitate changes to the processes of the system.

This requirement encourages a consistent and measured focus on core values throughout the
organization and highlights the need for ensuring resources are available to convert policy
pronouncements into reality.

Q: I understand there is a major change to the way we are required to conduct audits to the new
ISO 9001:2000 because of the process approach. Where is this change described in the new ISO
9000 series?

A: There is no such description because there is no requirement in ISO 9001:2000 to change the
way you audit. On the other hand, the adoption of the process approach does present opportunities
to improve the way you audit. Auditing processes as they flow through the functions of an
organization may prove to be a value added activity.

It has been said that while the old version of ISO 9001 required system audits, ISO 9001:2000
requires process audits. The concept "process audit" is not defined in ISO 9000:2000. I do not see
the term "process audit" in ISO 9001:2000. So, do not be confused. Auditors must still determine
whether the system is effectively implemented, and the system must meet the requirements of
ISO 9001.

But wait a minute! ISO 9001:2000 requires organizations to use the process approach for
developing, managing and improving their QMSs. And should not audits validate the process
approach has indeed been effectively implemented? Of course they should. It is hard to imagine
how the application of the process approach can be audited without looking at the processes of the
system.

Certainly you have interrelated processes as a fundamental part of your QMS, and you should take
them into account in your audit planning.
You should be able to do a more effective audit by taking the processes into account than by not
doing so, even though this is not a requirement of ISO 9001:2000. It can be done by auditing the
processes of the system to ensure they meet the requirements of ISO 9001 and the organization's
objectives.
Auditing of the processes may be done function by function (for example, auditing all the processes
that flow through a department or function) or by cross functional auditing of each process.

Process inputs and outputs should be considered along with the organization's methods for
monitoring and measuring the processes. Process measures and targets for key processes should be
linked to the organization's quality objectives.
To summarize, although the requirements for conducting audits have not changed, I strongly
recommend internal audits focus on outputs, improvement, customer satisfaction and alignment with
other areas of the organization.
Audit planning should consider all the requirements of all the clauses in ISO 9001:2000 that apply
to the process or activity being audited. This approach to internal audit planning and implementation
will yield the best return on the internal auditing investment.

Purchaser and Supplier Quality

Going beyond ISO 9001, QS-9000 and TS 16949

by R. Dan Reid

Hitoshi Kume, who was tutored by Kaoru Ishikawa, contrasted quality control from the viewpoints
of purchasers and suppliers, saying, "Quality control based on existing standards and purchasers'
requirements is quality control from the purchaser's standpoint. On the supplier's side, quality
control can be made into a management tool by building a system for performing quality
improvement methodically, systematically and continuously."1

ISO 9001, QS-9000 and ISO TS 16949 are examples of requirements from the purchaser's
perspective.

"As part of business management, quality control is a management tool with tremendous potential,
and superb results can be obtained if suppliers take the lead and implement it on their own
initiative. Its full potential cannot be realized if it is practiced simply in accordance with
purchaser's requirements," Kume added.2

Time has proven Kume's comments true. Several industry sectors have mandated ISO 9000 based
requirements to their suppliers. Yet purchasers, at least in the automotive industry, have been
somewhat disappointed with the delivered quality.

In a 2001 Associated Press article, an independent supplier survey reported automotive suppliers
were cutting corners on quality in response to automaker demands for price cuts.3 Only 20% of the
261 supplier respondents said they were improving quality.

Proven quality improvement methods have been known for more than 50 years but in most companies
remain only partially deployed at best. Management often views quality as a somewhat discretionary
expense--a candidate for the first thing to go when trouble comes, not something fundamental to
business management.

One more key point from Kume is that living organisms do not evolve from the center of their class
but from the periphery. "Quality control may appear to be positioned somewhat on the fringes of
conventional business management, but it seems to be an effective way of causing business
management to evolve."4

Companies interested in leading the business management evolution can use several strategies going
forward. They will have to go beyond purchaser requirements and the generic fundamental ISO
9001 requirements.

What top management must do

ISO 9001:2000 places accountability for the management of quality with top management. In clause
5.2, it requires top management to ensure customer needs are determined and met. Clause 5.4.2
requires it to plan the quality management system to ensure requirements and quality objectives are
met.

Management is responsible for the system employees' use, so it must understand the processes and
what is necessary to improve them. Instead, as W. Edwards Deming said, management frequently

does not know what must be done. In the meantime, quality practitioners need to implement
strategies from the periphery.

Cost of quality in "management speak"

One proven strategy is to put quality into the language of money. Frank Gryna has said that money is
the basic language of upper management.

In the 1950s, Joseph M. Juran defined a cost of quality approach that has been used by many
organizations. Unfortunately many have focused only on the cost of poor quality because this is
more easily identified.

QS-9000's third edition, clause 4.1.5, lists cost of poor quality as one of the required metrics for
operational performance. ISO Technical Specification (TS) 16949:2002, clause 5.6.1.1, requires
management to regularly review the cost of poor quality. Also, ISO 9004, clause 8.4, lists the
economics of quality among data and information an organization should analyze. Ideally, cost of
quality tracking and reporting should be integrated into an organization's accounting system.

Six Sigma has used this cost of poor quality concept to gain management support, showing why it is
important to go beyond the cost of poor quality in tracking quality costs.

Mikel Harry and Richard Schroeder say some organizations are stuck at three or four sigma
because they believe the costs of going beyond that through defect reduction will exceed the
benefits of reducing poor quality. But, they say, five and six sigma performance levels enable
companies to dramatically reduce the cost of appraisal and prevention.5 Companies that track only
failure costs would not be aware of this.

Strategic auditing

The methodology used for internal auditing is also important. ISO 9001:2000, clause 8.2.2, requires
an organization to conduct internal audits at planned intervals. In many companies, each element of
the quality management system is audited only once a year.

This raises some questions: Who do you want to discover problems? When do you want them to be
discovered in the process? Given that third-party audits are conducted at least annually, yearly
internal audits do not provide an organization much of a chance to find problems and correct them
before a customer or third-party auditor visits.

QS-9000 and ISO TS 16949 require internal audits be planned annually and conducted with varying
frequency depending on whether nonconformances or customer complaints are identified.

Audits of customer oriented and critical product realization processes should be performed more
frequently than those of support operations. When an internal audit identifies a nonconformity,
subsequent audits of that area should be scheduled more often. Effectiveness and promptness of
corrective action should be verified to ensure closure before a nonconformance becomes an
external failure.

Process auditing--the next frontier

ISO TS 16949, clauses 8.2.2.2 and 8.2.3.1, require audits of manufacturing processes. ISO
9001:2000, clause 8.2.3, requires measurement and monitoring of processes to demonstrate the
ability of the processes to meet planned results.

In the automotive industry, the control plan is a required document containing the plan for quality
of the parts and processes. To develop an effective plan, an organization should review the design
and process failure mode effects analysis (FMEA) documents.

A key input for the FMEA development is a review of the design record and any required
specifications. As Juran pointed out years ago, quality starts with characteristics.

Customers will usually identify key or special characteristics, and suppliers will need to designate
other characteristics as key or special, based upon their knowledge of their manufacturing
processes.

For characteristics with a high risk or severity of potential failures or high risk priority numbers,
efforts should be undertaken to error proof the part or process design. If the efforts are
successful, the risk priority should be recalculated on the FMEA. If not, provisions on the control
plan and work instructions at each applicable site should mitigate the effect of the potential
failure. This will require implementation of verification activities at various stages of product
realization.

Organizations should use design records, FMEAs, control plans and operator instructions as
elements of the same process instead of treating them as separate unrelated exercises (see Figure
1, p. 86).

Corrective and preventive actions can be prioritized using the information generated in this
process, along with records such as control charts, logs and cost of quality (such as rejects,
warranty and returns). Error proofing should be revisited at every opportunity.

This approach should also be used in process auditing. Auditors should review process flowcharts,
any RASIC (responsibility, approval, support, inform or consult) charts--good tools for defining
responsibility, support, approval and information flow for steps in any process--and the documents
in Figure 1, and previously mentioned operational records to plan the process audit.

Significant characteristics from the design record should be listed on the FMEAs so risks posed by
potential failures can be assessed and prevented. Linkages between these documents should be
checked at key or special characteristic interfaces. Characteristics with high severity or risk
priority numbers on the FMEAs should be audited for special characteristic designation.

The frequency of verification activities required on the control plan should represent a significant
sample of the total shift or day's production volume:

Gage repeatability and reproducibility for measuring devices called out on the control plan should be
audited for acceptability.

Calibration records should be audited for compliance to any calibration requirements of the devices.

Key process equipment should be identified and included in the preventive maintenance plan.

Records of preventive maintenance and machine capability of equipment should be audited for
compliance to the plan.

Spare parts availability for this equipment should be confirmed.

This information should be linked to the contingency plans, such as those required by QS-9000.
Customer identified special characteristics should be suitably identified on the documentation.
Documents or records specified by the control plan should be audited on the floor to verify they
are being maintained as planned. Not completing these documents with a cross functional approach
can lead to disconnects between the product realization plan and reality.

A competent auditor can effectively complete a process audit as described above in less than one
shift. These auditors must be able to distinguish a good FMEA and control plan from a poor one.
They must know both customer and supplier specified requirements.

Managing human resources

In the aftermath of Sept. 11, 2001, thousands lost their jobs in the United States as the economy
slid into recession. Such rapid changes, whether growth or decline, stress existing management
systems.

As employees are laid off, work has to be redistributed. For the redistribution to work properly,
employees need training. Work instructions need to be updated when jobs are revised. ISO
9001:2000, clause 6.2.1, requires personnel whose work can affect quality be competent on the
basis of education, training, skill and experience.

As organizations downsize, attention needs to be focused on competency. Requirements for

education, training and experience should be documented. When, as often happens, a person without
experience is named to a position affecting quality (quality director, for example) training
requirements should be specified. Effectiveness of training should be periodically evaluated.
Records of training completed should be maintained to document competency.

In addition, ISO TS 16949:2002, clause 6.2.2.3, requires on-the-job training for any personnel,
including contract or temporary workers, in any new or modified job affecting product quality. This
requirement has evolved from postmortem analysis of quality problems from suppliers when the
root cause was lack of competence.

Quality practitioners need to understand fundamental quality management, including statistical

methodology and variation management. Process capability and process control must be understood
throughout the organization.

ASQ has resources that may be of help. Two basic courses, Quality 101 and Quality Basics, are
available in several delivery methods. Quality Basics is actually targeted to personnel not assigned
to product quality but who provide support for the product realization process.

The ASQ Statistics Division offers Improving Performance Through Statistical Thinking through
Quality Press. These concepts are also fundamental for Six Sigma. Quality Press has also just
published Fundamental Concepts of Quality Improvement, a collection of previously published ASQ
papers that can provide a basic understanding to newcomers to quality.

Juran's Quality Handbook should be on every quality practitioners desk for easy reference, and
Deming's Out of the Crisis should be required reading for mid-level to top managers. Both are good
sources for ways to encourage continual learning within small groups or teams.

Regardless of the resources used, an organization needs to routinely offer fundamental quality
curriculum for staff, especially those new to quality. People cannot achieve world-class quality
without first understanding the fundamentals.
While most colleges and universities have generally not responded to this need, some vocational
schools are now working cooperatively with local industry. ASQ sections should also view this as a
local opportunity.
Managing continual change
Events of the past year have forced organizations to manage continual change. For quality to
happen, quality control from the supplier's perspective is necessary. But evidence indicates
suppliers do not always pursue the actions needed for quality improvement.
Perhaps quality practitioners who know what must be done can help the cause through the
implementation of strategies that will improve quality. This will ultimately improve customer
satisfaction, which in turn will provide "jobs and more jobs," as Deming said. Let me know if you
have any ideas on this subject.

Ask the Right Awareness Questions

ISO 9001:2000 says employees understand quality and customer requirements

by J.P. Russell

The new ISO 9001:2000 quality management system (QMS) standard has opened up several new
lines of questioning (interviewing) that will help organizations connect all employees to quality and
customers.

I have been delighted with the standard's new interview opportunities and find them beneficial to
the business management systems of organizations seeking registration or reregistration, adding
real value.

Prior versions of the ISO 9000 series standards required the quality policy be understood by
employees at all levels in an organization. So an auditor would question employees about the policy.

As an auditor myself, I have received an entire spectrum of answers over the years. I recall one
company becoming so frustrated it made employees sign a form declaring they understood the
quality policy as a prerequisite for receiving their paychecks.

Unfortunately, employees are usually good at putting themselves in the customer's shoes and
reacting to crappy products bought--for example, from a department store. But they are not usually
able to think of themselves as providers of quality products and services. Perhaps they are so far
removed from customers it seems meeting requirements is someone else's job. ISO 9001:2000
attempts to correct this.

Four clauses

In support of the quality management principle for the involvement of people, ISO 9001:2000 has
four requirements centered around communicating quality awareness. The four new requirements go
beyond emphasizing the quality policy must also be understood.

These four clauses that provide new audit interview opportunities are:

1. 1.5a--Communicate the importance of meeting requirements.

2. 5.5.2c--Promote awareness of customer requirements throughout the organization.

3. 5.5.3--Establish processes to communicate QMS effectiveness.

4. 6.2.2d--Make personnel aware of the relevance and importance of their jobs and how they
contribute to the quality objectives.

Now auditors will need to interview employees to verify the organization meets the quality
awareness requirements.

Requirement awareness

Asking employees about the importance of meeting customer requirements also provides audit
evidence of management commitment. When you interview top management people, they will explain
how they communicated the importance of meeting requirements to people in the organization. Then
when you interview the employees of the organization, you can test the effectiveness of the
methods used by top management through questions such as:
Are you aware customers have requirements?
What are some customer requirements?
What happens when customer requirements aren't met?

Promoting awareness

Clause 5.5.2c is about responsibilities and authorities for management representatives to promote
awareness of customer requirements throughout an organization. Examples of questions an auditor
might ask to determine whether this requirement is being met include:
How are customer requirements communicated to you?
How are you made aware of customer requirements?

Communication processes

Clause 5.5.3 requires the establishment of processes to communicate QMS effectiveness.

Management should be able to provide evidence of such means as bulletin boards, newsletters and
news on internal company intranets.

This effectiveness requirement creates another opportunity for a contact interview question about
the progress of the QMS. Simply posting the number of customer complaints or defects related to
a particular area is not likely to be sufficient audit evidence to prove people are aware of the
effectiveness of the QMS. A way to meet this requirement is to keep people informed of the
organization's progress toward meeting its quality objectives.

Some possible general interview questions to establish effectiveness could be:

Has your organization established a QMS?
Are you informed about its progress? How is it doing? Is it getting better or worse?

This clause provides an opportunity to link the organizational quality objectives to employees at all
levels. It will be difficult for organizations to comply with the requirements of this clause unless
they establish meaningful and measurable quality objectives.

The quality objectives can be passed down from top management to managers, supervisors and
employees to provide solid linkage between the objectives and the work being performed.

Organizations are trying different techniques to keep employees informed about the effectiveness
of a QMS. They may use communication processes already discussed (newsletters, bulletin boards)
or other processes such as weekly team meetings, e-mail updates or informational letters given out
with paychecks.

Another measure of the effectiveness of a QMS can be found in customer satisfaction ratings.
Everyone can relate to customer satisfaction levels. If you work for a company that has a 99%
customer satisfaction rating, you may feel good about it. If your organization's customer
satisfaction rating is 63%, you know you have a lot of hard work ahead of you.

Relevance and importance

The fourth contact opportunity clause is the most powerful of all. It requires employees to know
the importance and relevance of their jobs and how they contribute to quality objectives. This is a
long overdue requirement. I think of it as demonstrating how everyone fits into the big picture and
is marching to the same drum.
Some possible interview questions to establish this knowledge are:
How does your job contribute to the quality of the product or service?
What do you do to ensure the customer is satisfied?
In one interview with a packer, I asked how he contributed to customer satisfaction. The packer
job was an entry level one with lots of turnover. In fact, it was not unusual for people to quit after
the first paycheck.
The packer's answer to my question was something like, "I just box the stuff coming off the
machine and put this sticker on it." Then it hit me: This person (in perhaps the lowest level job) is
the last person to see the product before the customer does. The packer is the last person to
check for defects or irregularities. He or she can have a significant effect on customer
satisfaction.
Once organizations are able to communicate the importance and relevance of everyone's job, there
will be linkages from top to bottom and bottom to top. You as the auditor will start to see that a
QMS is no longer a separate system from the business management system. Now the business and
quality systems are compatible and working together to achieve common goals. You may feel like
saying, "Eureka! Finally ISO 9001 is going to add measurable value."
You may want to consider keeping a general list of quality awareness questions you can use
throughout the audit. You can highlight questions on your checklist or put the quality awareness
questions on an index card to use on every interview.
Carryover requirements
Other QMS awareness questions have been carried to the new version of the standard from the
1994 version. One such requirement is that top management be responsible for ensuring the quality
policy is communicated and understood throughout the organization. Possible quality awareness
questions for auditors to ask are:
Does the organization have a quality policy (or policy about quality)?
What is the policy?
Can you explain it in your own words?

The ISO 9001:2000 awareness requirements will have a significant effect on how the QMS is
viewed by top management and employees. Now that there is alignment from top to bottom and
bottom to top, organizations should stop asking how much a QMS costs and instead ask how much
ISO 9001:2000 is going to save them.

Quality Management System vs. Quality Improvement

What should we tell the CEO?

by Dale K. Gordon

As a reader of quality related books and periodicals, I have been noting the delicate dance between
two different factions.

On one side of the floor are those whose passions are for a strong and all encompassing quality
management system (QMS), such as ISO 9000:2000 or a derivative. On the other side of the same
floor are those who advocate dedication to a total process improvement or quality improvement
(QI) approach, such as Six Sigma, total quality management (TQM) or lean manufacturing.

All of this is in the name of capturing the hearts and minds of the organization from the top
executives on down to the individual process operators, so the quality function can do what it was
hired to do--lead the transformation of the enterprise.

It struck a chord when I was reading a column by James Harrington, a former company COO. He
began, "All quality programs, whether TQM, Six Sigma or ISO 9000, require an organization to
shift away from the status quo."1

The article was about resistance to change, but the choice of words of a former COO and quality
professional struck me as very typical of the view of many at the top. His view seemed to be there
were no differences between implementing a QMS or developing and implementing the use of a QI
program. In his words, they are just quality "programs." The rest of the article was a good analysis
of dealing with organizational change.

It may seem the view from many executive suites is not much different from Harrington's. What is
the view of the organization's leadership relative to what they are reading and hearing in the
business periodicals and from their staffs?

Strategic decision making

An organization in the Midwest recently blanketed the radio airwaves about its being the only ISO
9001 certified dental health insurance provider. The implication was it should be the first choice
because its competitors were not ISO 9001 certified.

All organizations, regardless of products or services, make strategic decisions relative to how they
operate and plan to use their resources. These decisions typically involve how to better meet
customers' needs, create improvement and run more cost effective and efficient processes.

At some point, it is a matter of resource allocation. How does management employ its precious time,
energy and money? Is ISO 9000 a marketing tool to be administered by the quality function to
show customers the company has a functioning QMS, as opposed to competitors that do not? Is Six
Sigma a program an organization must implement to convince customers and the financial markets
it's fiscally prudent?

Anttila's viewpoint

I had the good fortune many months ago to be on the same program at a conference with JuhaniI
Anttila, vice president of quality integration for Sonera Solutions Ltd., Helsinki, Finland.

Anttila has been well-known in the ISO 9000 world since its inception. He was billed as a speaker on
the implications of using ISO 9000 and the changes in the new standard. I got the impression most
of the conference audience of U.S. government and industry quality professionals were expecting a
dissertation on the specific changes ISO 9000:2000 would bring compared with the 1994 version
and how they would have to change their quality system documentation to meet the new
requirements.
It was interesting to watch as Anttila said anyone can read the standard and what's really
important is how the standard is used. His presentation covered the use of ISO 9001:2000 as a
management tool for running an enterprise.
Anttila's perspective, best stated in his book ISO 9000 for the Creative Leader, is refreshing:
The aim of ISO 9000 standards is not to force uniformity on the QM approaches of different
organizations, but rather to provide innovatively applicable guidelines for the continual improvement
of business performance.2
Anttila puts the standard into the framework of TQM, in that TQM is a holistic approach to looking
at the customer's needs balanced against the business needs to be profitable and provide for
stakeholders. The concepts in both ISO 9001 and ISO 9004 cover the entire leadership of the
company and assurance to customers their needs are addressed.
If taken as the authors of the standard intended, the model of the standard is a simplified
business one with a process focus embedded within the management system itself (see Figure 1).
Anttila continues:

The objectives of ISO 9000 standards are business benefits. Thus the ISO 9000 standards aim at
profitable increase of turnover and market share at decreasing costs. Moreover, the intention is to
increase customer retention, responding to market opportunities, process alignment, competitive
edges, people's goal-awareness and stakeholder confidence as well as to create value to the unit and
its stakeholders.3

Why use other programs?

So why do we users and practitioners of the standards feel the need to employ other quality
programs?

Devotees of Six Sigma and lean have emphasized the need to make their prescriptions for business
management and improvement at an enterprise level all the way to the executive suite.

While there is certainly no denying the successes of companies such as Motorola, General Electric
(GE) and Honeywell in using Six Sigma as a corporate philosophy, the question is, how does it
complement or interact with the QMS?

Jack Welch, former GE CEO, says Six Sigma is a highly disciplined process that helps employees
focus on developing and delivering near perfect products and services.4 Others have defined it as a
management philosophy.

Six Sigma is a customer based approach with a focus on defects. Fewer defects mean lower costs
and improved customer loyalty. The lowest cost, high value producer is the most competitive
provider of goods and services. Six Sigma has been defined as a way to achieve strategic business
results.

Is there a right way?

Is it possible for there to be more than one strategic quality imperative to achieve customer
satisfaction? Does the definition of a quality organization depend on QMS certification or use of
Six Sigma to show management is committed to its customers?

In the August issue of Quality Progress several articles were devoted to quality and top
management. The comments I found insightful were Joseph M. Juran's: "We are at an impasse. We
know quality leadership is attainable. We know which success factors and managerial processes have
led to quality leadership. We have indications of the order of magnitude of the potential gains.
Despite the array of knowledge, the bulk of our companies are not rushing to make use of it."5

This brings us back to Anttila's comments about the ISO 9000 standards as a model for quality
leadership.

Also, in the August QP, my fellow "Standards Outlook" columnist Dan Reid stated:

ISO 9001:2000 places accountability for the management of quality with top management. In clause
5.2, it requires top management to ensure customer needs are determined and met. Clause 5.4.2
requires it (management) to plan the quality management system to ensure requirements and quality
objectives are met. Management is responsible for the systems employees use, so it must
understand the processes and what is necessary to improve them.6

So, in fact, the system must be designed so any improvements make the organization successful and
meet customers' needs.

It should be clear by now that we may not be using the ISO 9000:2000 standard exactly as
intended. A possible indicator is the fact that we are out looking for other ways to motivate and
encourage the organization to improve via other programs to convince the organization's leaders
how to use its resources.
The time proven quality tools are essential in the improvement of the processes of an organization.
Every day we are discovering ways to apply these tools and educate more people in the organization
on the benefits of using quality tools to improve individual processes. Defect free products and
services cannot be anything other than the ideal goal of the organizational output. Any methodology
and structured approach to improvement of processes is expected to be part of a functioning QMS.
I quote again from Anttila:
Reaping benefits from the standards requires that they are implemented into the business in an
integrated manner. ISO 9000 and 9004 provide the real basis for an effective and efficient QMS
as a basis for its continual improvement. Quality assurance forms but a small part of ISO 9000 and
TQM. There is no evidence certification would increase the competitiveness of a company.
Certificates as indicators of quality have significantly hampered the basic utilization of the
standards, and using ISO 9000 only as a checklist for certification has corrupted the whole core
idea of the standards. Sound implementation of ISO 9000 amounts to natural, effective and
efficient customer driven business management.7
Dialogue needed
So where does that leave us? Maybe we need to have some open and honest dialogue at senior
leadership levels about just how well organizations are using the ISO 9000 model.

This requires more than mere reporting on internal audits at management reviews. It goes into an
understanding of how the systems and subsystems of an organization are performing and whether
they are helping achieve the organization's objectives. It also requires the systemic use of quality
tools at all levels to improve individual processes and identify systems that are not meeting internal
and external customer expectations.
There is a place for the complete wisdom that has been written on both the QMS standards and QI
tools. The need now is to get them to dance together and utilize the creativity that can come from
the synergies of that pooling of resources. It's all there in print; doing it is what is hard.

Developing a New ISO 14001 Reporting Standard

Final guidelines expected to encourage external communication

by Marilyn R. Block

Environmental reporting has been a contentious issue since ISO 14001 was drafted during the mid1990s. At that time, the work group charged with writing the standard was characterized by two
distinct positions.

Some participants wanted to include a requirement that organizations regularly share information
about their significant environmental aspects and impacts with interested external parties. Others
opposed to a mandatory reporting requirement argued external reporting fell outside the scope of a
system that purported to assist in internal management of environmental issues.

Ultimately, compromise language was struck. When published in 1996, ISO 14001, clause 4.4.3,
instructed organizations to "consider processes for external communication" on their significant
environmental aspects. As written, this clause requires only that an organization decide whether it
wishes to establish some form of environmental information sharing. It does not require any
communication of significant environmental aspects.

The current ISO 14001 revision effort has provided an opportunity to revisit the issue of voluntary
environmental reporting. Proposed language attempts to clarify the original intent by articulating
two distinct points. The draft revision first instructs organizations to decide whether to
communicate externally about significant environmental aspects. If an organization decides to
communicate externally, the standard requires it to establish a process for its external
communication.

Creating a standard

In a parallel effort to provide guidance concerning environmental communication without imposing

additional auditable requirements on organizations seeking to implement ISO 14001, ISO Technical
Committee 207 created environmental communication working group (WG) 4 in 2001. The United
States serves as convener of WG 4; Sweden serves as secretary.

According to Amy E. Schaffer, federal regulatory affairs manager, Weyerhaeuser, and former U.S.
expert to WG 4, "There was a great deal of interest among developing countries for guidance about
communication. Within the United States, interest was expressed by small and medium-sized
enterprises that did not know how to begin to communicate."

WG 4's objective is to create a standard that provides guidance on general principles, methods and
practices relating to internal and external environmental communication.

The purpose of the standard, says Schaffer, "is to provide guidance for those who are interested in
either beginning or enhancing their current environmental communications program."

The first working draft of ISO 14063, Environmental Management--Environmental Communication-Guidelines and Examples, was distributed for comment in October 2001. Comments submitted in
response were consolidated into a second working draft (WD 2) distributed at the end of April
2002. The U.S. Technical Advisory Group (TAG) to ISO TC 207 reviewed the second round of
comments in preparation for a WG 4 meeting in October 2002.

A third working draft was distributed after the October meeting. Comments submitted to WG 4 in
response to this third draft should be available for review by the U.S. TAG in early 2003.

Framework

Although the document will continue to evolve, a basic framework has been established that allows
ISO 14063 to be used in combination with other standards in the ISO 14000 series or on its own.

To many of the participants who commented on the communication requirement when ISO 14001
was being developed, environmental communication is synonymous with environmental reporting. WG
4 determined it did not want to write a standard limited to environmental reporting. Rather, it
wanted to craft a document that reflected a broader array of communication methods and formats.

As Schaffer describes the group's focus, "WD 14063 is intended to provide information on the
wide range of communication forms--from formal reports to ongoing dialogue with stakeholders."

A concept integral to this standard is that environmental communication has many purposes and
takes many forms. At present, ISO WD 14063 describes environmental communication as a process
for both providing information to and obtaining information from internal and external parties.

The body of the document is organized into seven sections. The first three sections are ubiquitous,
dealing with scope, normative references, and terms and definitions.

Section 4 presents three principles of environmental communication regardless of the nature of a

communication activity: transparency, appropriateness and clarity. Unfortunately, WD 14063 does
not offer any explanation for these terms, but WG 4 discussions suggest the following meanings are
intended:

Transparency: assumptions relating to environmental messages and information about underlying

processes and procedures should be made available to interested parties.

Appropriateness: Selected formats, language and media should present information in a manner
suitable for intended audiences.

Clarity: Information should be presented in a manner that allows it to be understood by interested

parties.

A practical help box attempts to delineate characteristics of the principles by presenting a series
of adjectives associated with interested parties, content of the message and process for conveying
the message. Thus, for the principle of "appropriateness," the help box describes interested
parties as inclusive and relevant; message content as complete, respectful and timely; and process
as continuous, participatory and reliable.

Other descriptors are more puzzling than helpful. For example, appropriate message content is also
described as available and durable. It is doubtful readers will understand what WG 4 is trying to
convey. I hope this particular section is subject to significant revision.

Section 5 focuses on an environmental communications policy. Current language suggests this is a

written policy statement expressing an organization's intentions and principles for communicating
environmental information. WD 14063 says the environmental communications policy should be
integrated into an organization's overall communications policy if one exists. Moreover, the
environmental communications policy should be aligned with an organization's environmental policy.

Incorporating a commitment to environmental communication into an existing environmental policy,

particularly for organizations that are ISO 14001 compliant, would appear to be the most direct
approach, but the document does not suggest this alternative.

A help box lists more than a dozen issues that should be considered when creating an environmental
communications policy. Among them are the public right to know, shareholder expectations and
control, market and brand strategies, and feedback mechanisms.
Section 6 discusses environmental communication strategy as a way to implement an environmental
communication policy. A series of questions is intended to assist in creating the strategy. Examples
are:
Why is the organization engaging in an environmental communication process?
What is the communication timeframe?
Who are the target audiences?
The document falters a bit in this section. Other than encouraging internal and external analyses to
generate information that might be used to answer the questions, the only direction offered is to
write the organization's strategy. No guidance, example or help box suggests what such a strategy
encompasses. Nor is this section successfully separated from the one that follows.
Section on process
The most useful section of the document is likely to be Section 7 on the environmental
communication process. It is divided into three subclauses that address planning, performance, and
evaluation and improvement. These subclauses are further subdivided to discuss issues such as
deciding on the message, choosing appropriate approaches, creating the message and communicating
it.
If there is a flaw in the text, it is the effort to present the communications process as linear, with
one activity following another in a manner that is not always logical. The current draft discusses
establishing environmental communication objectives, then understanding the target audience,
deciding on the message and choosing an appropriate approach.
Four subsections later, a discussion about identifying environmental information appears. It would
seem identifying environmental information is a prerequisite for deciding on a message and choosing
an appropriate approach.
This section also contains help boxes intended to illustrate various points in the text. For example,
Section 7 states an organization should understand the target audience. The related help box
indicates opinion survey research is a method for obtaining information from a target audience and
describes two types of opinion research--focus groups and public opinion surveys--as particularly
useful.
In addition to the help boxes, WD 14063 is supported by an annex. The content of the annex has
not yet been finalized, although it has been the subject of much discussion. WG 4 has yet to

determine whether the annex will contain actual examples of how organizations implement the
various steps in a communications effort or bibliographic references that allow users to obtain
additional guidance and examples from a diverse array of sources.
When published, ISO 14063 should greatly assist organizations deciding whether to voluntarily
provide information to external individuals and groups. Anecdotal data suggest a large number of
ISO 14001 registered companies have chosen not to communicate about their significant aspects
because they feel ill equipped to do so. ISO 14063 addresses this concern and is likely to encourage
increased external environmental communication about the array of environmental issues facing
industry today.