Auditing ISO 9001:2000 For Control and Improvement

Use PDCA for control and ACDP for improvement

by J.P. Russell

ISO 9001:2000 4.1c says, "The organization shall determine criteria and methods needed to ensure that both the operation and control of these processes are effective."

The word "control" is used in the titles of ISO 9001 clauses such as "control of nonconforming product" and in phrases such as "to carry out processes under controlled conditions."

Other standards contracts, procedures and documents also frequently use the word "control." It is one of those familiar terms that everyone seems to understand. Each person's understanding may be a little different, however.

There is no definition of the word "control" in the international vocabulary standard (ISO 9000:2000) either because the dictionary definition is believed to be sufficient or the meaning of the word is so obvious that it would be silly to try to define it.

Yet understanding of control is central to successful implementation of almost all standards. In fact, a standard may be thought of as a collection of controls management must implement for systems such as safety, quality, environment and accounting.

As a manager, I would want to know there is control over the important systems and processes of the organization. As an auditor, I want to be able to verify sufficient controls exist and report any shortcomings. Both managers and auditors should agree on the criteria for control.

Cntrol criteria

Some have equated having a procedure with control: no procedure = no control. Unfortunately, it is not that simple. Having a procedure does not mean there is management control over a process.

I recall interviewing a truck driver for a transportation company. I asked him about the inspection process for his very expensive cargo. He responded, "Do you want to know what is in the procedure or what we actually do?" So establishing a method is certainly an important process control tool but does not guarantee there is management control of the process.

Some standard clauses requiring control include a highly prescriptive list of activities to be addressed. The control of documents clause in ISO 9001 is a good example of such a prescriptive list of activities.

There are two problems with relying on the standard to list everything needed for management control:

It assumes the standard writers could anticipate every situation.

It assumes every clause contains a detailed list of prescriptive requirements.

I don't think standard writers would claim they know everything, and sometimes the requirements are open-ended, without any specific prescriptive requirements. For example, a standard might require control of the environment or the conformity of the product without providing a prescriptive list detailing how to achieve control.

Another place to look for control criteria is ISO 9001:2000, clause 7.5.1: Control of production and service provision. This is a generic list of things to consider for control of processes and should be applied as applicable. It is a good list and should be a reference, but it is a list, not a concept. The list may not be sufficient for all situations and does not address improvement criteria.

A simple, yet powerful, method for testing the existence of controls is to use Walter Shewhart's plan-do-check-act (PDCA) cycle. The PDCA cycle can be used as a process technique to test for control (see Table 1).

Process technique to test control

For management to control a process or activity, it must establish a predetermined method. Without it, there is no basis to adjust or improve the process.

The predetermined method can be in any form and should reflect the level of process risk. Ways a predetermined method can manifest itself include a procedure, flowchart, outline or series of pictures.

In one of my first plant management jobs, operators used their knowledge and skills to operate the process. When we had problems and I attempted to improve the process, I found out each operator's skills and knowledge were different. I could not improve the operation because the operating method was a moving target.

So the first thing that had to be done was to establish a consistent method for operating. This is the plan part of the PDCA cycle.

Now just having a plan does not mean people follow it. There must be some type of assurance through auditing, monitoring, retrievable records or other means that people follow the plan. This is the do part of the test cycle.

Just following a plan is not enough to establish management control because every process has at least two outcomes (good and bad, acceptable and unacceptable). Therefore, management must next determine the criteria or objectives for success or acceptance. The process must be measured and monitored against these criteria. As long as the process outputs match the predetermined acceptance criteria, the process does not need adjustment. This is the check part of the test cycle.

When the results do not match the acceptance criteria (output targets, goals), action must be taken. This is the act part of the test cycle. The action may be sorting good and bad product or making adjustments to the process to bring it back in line.

Management control exists when the process or activity is planned, implemented, measured and acted upon. Based on this article's discussion so far, a possible definition for management control would be the following:

Management control: when predetermined plans are followed, monitored against acceptance criteria and adjusted as needed to achieve objectives.

However, ISO 9001:2000 requires more than just effective control. There must be continual improvement, too.

Continual improvement

A system or process must be changed to improve it. Improvement is not a matter of working harder or being more careful. If there is no change in some aspect of a system or process, the outcomes will always be the same.

To test for improvement, we can use PDCA again, only backwards, as the ACDP (analyze-change-do-prosper) improvement cycle (see Table 2).

Many of us are familiar with what often happens to all the records and data collected--they are put into storage never to see the light of day again. For improvement to take place, the data must be analyzed for trends and identification of weaknesses. This is the analyze step of the ACDP improvement cycle. By comparing results to goals and objectives, we must analyze process data to identify risks, inefficiencies, opportunities for improvement and negative trends.

A change could be a change in procedures, but also in other elements of the process, such as the acceptance criteria or method of monitoring. Changes in equipment or technology may also be necessary for continual improvement. The merits of any change should be evaluated. This is the change part of the improvement cycle.

The do step of the cycle is the implementation of the change. Auditors can verify changes actually took place by reviewing documents and interviewing area personnel.

Continual improvement should enable the organization to prosper in some manner. Improvement may be quantified as increased profitability, lower costs, lower exposure of the organization to risks, gain in market share or some other measure of improved effectiveness and efficiency. Sometimes organizations group changes and assess the effectiveness of several changes to the process. This assessment represents the prosper step of the improvement cycle.

Auditing for control and improvement

When standards require control and improvement, both management and auditors need to know the components that must exist. It is management's job to establish and implement controls and ensure there is continual improvement.

It is the auditor's job to gather audit evidence to verify conformance to requirements. In the absence of specific guidance in performance standards (required procedures, records or schedules), it is essential that management be able to demonstrate conformance to requirements.

Thus, the PDCA and ACDP cycles are process tools that can be used as guides to test for control and continual improvement. The PDCA cycle establishes control of a process. Control is required by standards and is a good business practice.

The ACDP cycle should be used to test for improvement. ISO 9001:2000 requires continual improvement. Improvement can only come from change.Where Does Quality Begin?

It begins with the PDCA cycle and an understanding of variation--not with ISO 9001

by Dale K. Gordon

Every day quality professionals struggle with the eternal question that keeps them employed: How do we make things better?

At a recent meeting of an organization's quality professionals, I asked, "What do you believe the sources of your troubles are?"

They all had detailed explanations for individual problems, but my question was about the quality system. They sat silent for a minute and then agreed they had a quality system certified by an accredited third party and approved by their customers. "How could the cause of our problems be the quality system?" they asked.

I then asked what was probably the most difficult question of all: "Can you describe what your quality system is and how it prevents the troubles you are having?" This, of course, was greeted with more silence and finally agreement that their quality system was ISO 9001.

And therein lies the problem.

Many people--managers in particular--define the quality system of an enterprise as ISO 9001 or any identified standard their system is built around. ISO 9000:2000 defines a system as a "set of interrelated or interacting elements" (clause 3.2.1) and defines a quality management system as "a management system to direct and control an organization with regard to quality" (3.2.3).

Deming's views

If we go back to W. Edwards Deming's views, we are reminded of his views of a "system of profound knowledge," which consisted of:

Appreciation for a system.

Knowledge about variation.

Theory of knowledge.

Psychology.

Deming said the various segments of the system of profound knowledge cannot be separated but interact with each other. Thus, knowledge of psychology is incomplete without knowledge of variation.

The same can be said of any quality management system. It is a collection of subsystems, processes, knowledge, variation and people who execute the system, all interrelated and managed by those charged with that responsibility. It is not ISO 9001 or any other standard. The quality system is whatever the organization decides it is with all its defined (or undefined) processes, people, variation and knowledge inherent in the system.

In the same meeting of quality professionals, I next asked this obvious question: "If you related all of your problems to a paragraph of the standard on which the quality system is built, then added all the findings from internal and external audits against your system, and then performed a Pareto analysis of the nonconformances found in the system, what would you conclude is the problem with your quality system?"

The responses came back almost instantaneously: corrective and preventive action followed by process control and supplier control. "These are related to more than 80% of the problems we are having," they answered.

I thought about this for a moment and then asked about design control or, in the new vernacular, planning of product realization. The heads shook mightily: "No problems there; in fact, we hardly ever have any findings in that area."

I contend thinking that way is part of the problem.

Shortchanging "plan" and "act"

We tend to be real good at the "D" and "C" (do and check) parts of the PDCA cycle, but plan and act always seem to get shortchanged. In ISO 9001:1994, clauses 4.4.1 (design planning) and 4.4.4 (design inputs) indicate the design process must consider customer, regulatory and statutory requirements.

The same holds true for the new version (ISO 9001:2000) under paragraph 7.1 (planning of product realization) and 7.3.2 (design and development inputs). Both indicate the need for structured planning and consideration of specification requirements and customer, statutory and regulatory needs.

Nowhere in these sections is there anything about learning from process and product failures and then designing or redesigning to eliminate them. The ISO 9001:2000 revision even goes so far as to include a process/continuous improvement cycle description and reference to the PDCA cycle. But it does not mention that the design stage is where the planning is most important and where the acting needs to take place.

So we ask ourselves some of the following questions:

What is it about our quality systems that does not function correctly?

Why do preventive and corrective actions always seem to top the list?

Is it because we lack the fortitude to make the structural changes in our systems that would truly prevent problems from recurring?

Is the investment in fixing that much less than the investment in preventing the problem to begin with?

Do we really design for manufacture and use what we learn from our process control failures to redesign the product?

Do we really listen to our suppliers and understand why they fail to interpret our design descriptions or process specifications and repeatedly fail to meet specifications?

Do we work with the manufacturing organization and suppliers to match process capabilities to design needs?

Do we really understand the sources of variation in our processes (both mechanical and human) and have actions in place to eliminate them or at least eliminate the ones that have the greatest impact on our ability to meet requirements?

More and more, the answers to these questions are coming from programs or initiatives such as Six Sigma, lean thinking or the old value engineering or reengineering all the way through the supply chain.

Many times these activities are seen as being outside and separate from the quality system or as extra management efforts aimed at improving both customer satisfaction and cost control. The issue with these programs or activities is they are applied well after the product is designed and the failures have occurred.

So there are more questions:

How do we measure the design activity?

When the design activity is audited, how knowledgeable are the auditors about the design processes and their relationships to the manufacturing and customer delivery processes?

How well do activities such as design reviews take into account the ability of the procurement process to translate design ideas into tangible product?

These questions are not found in the ISO 9000 or spin-off quality system requirements. In fact, when you look for discussion of corrective action in ISO 9001:1994, you find there is little that points back to the origin of the product. Clause 14 (in ISO 9001:1994) refers more to the process of corrective action and to the documentation of the process than to an evaluation of the causes all the way back to the original design assumptions. It focuses on systems rather than individual processes.

The same is true of ISO 9001:2000. While the combination of clauses 8.4 and 8.5 does a better job of indicating the action is more important than the documentation, the standard is still focused on the generic corrective action process and its execution rather than on the thorough examination of causes all the way back to the design element.

Rarely do I find Six Sigma, kaizen, value engineering or other similar activities are the documented preventive action part of a quality system.

Response of automotive and aerospace industries

Automotive and aerospace are among the industries that have addressed this quality system problem in a strict ISO 9000 world by adding requirements. In the automotive world you find such additions as advanced product quality planning (APQP), potential failure mode effects analysis (FMEA) and production part approval process (PPAP), in addition to the ISO 9001 based QS-9000 requirements.

In aerospace you find FMEA, control of key characteristics (AS9103) and strict process change control, in addition to AS9100, another ISO 9001 based requirement.

Are these requirements considered part of the quality system? Sometimes they are not, because they are not strictly defined as ISO 9000 requirements. But they are necessary parts of the system and need to be treated as such. Two lessons So where does that leave quality professionals? The lesson here is twofold: 1. ISO 9001 or other standards are not the quality system. The system is a culmination of whatever the organization says it is through the processes, activities and knowledge it uses to meet product specifications and customer needs. The documentation and execution may meet ISO 9001, but I suspect much that is a part of an organization's quality system is not included in the quality system documentation. 2. The system is only as good as its design and execution. Its design includes the product design. If we do not design the system so we can learn and incorporate that learning into new processes, designs and systems, we are doomed to repeat the mistakes of the past. Then we'll go chase some new thing (such as Six Sigma) while deriding our quality systems, people or processes for being inadequate for the modern age. So I take you back to Deming and Walter M. Shewhart (actual creator of the PDCA cycle) and tell you variation is the enemy and the quality system is more of an internal culture than an actual thing. You have to understand how all the elements of the system fit together if you want to make an improvement. The PDCA cycle does work, when accompanied by knowledgeable management and some good luck.ISO 14004 To Offer Practical Guidance

More examples and alignment to be among the improvements

by Marilyn Block

The release of ISO 14004 accompanied the publication of ISO 14001, the environmental management standard, in 1996. ISO 14004 was billed as a general guideline on environmental management principles, systems and supporting techniques.

That initial guidance effort was limited by an inability to draw on actual experiences--ISO 14004 was written concurrently with ISO 14001 and was published before organizations began implementing environmental management systems (EMSs) that conformed to ISO 14001 requirements. As a result, ISO 14004 has been viewed by many as having little to offer organizations with more than the most rudimentary approach to environmental management.

Like its ISO 14001 counterpart, ISO 14004 is now being revised. Unlike ISO 14001, ISO 14004 is in the process of undergoing significant cosmetic and substantive changes. In fact, readers familiar with ISO 14004:1996 will find the new committee draft no longer bears a strong resemblance to its predecessor.

Practical information

A general characteristic of the ISO 14004 revision is far greater emphasis on practical information based on user experience during the last five years.

Connie Glover Ritzert, chair of the U.S. Technical Advisory Group to ISO Technical Committee 207's subcommittee 1 on environmental management systems and subcommittee 1 working group expert, explains: "As part of this emphasis, we have added more examples, including some cross-cutting ones that tie key parts of the EMS together in illustrations."

One of the major challenges in revising ISO 14004 has been staying consistent with ISO 14001, which is a moving target at present. The two standards are on the same revision schedule, so it has been difficult to reach consensus on issues that are strongly influenced by the direction taken in ISO 14001.

Because ISO 14004 is a guidance document, it can go beyond the concepts in ISO 14001 as long as it presents the same basic picture of an EMS. Ritzert says, "We are making a concerted effort to maintain consistency while not portraying ISO 14004 as an interpretation of ISO 14001."

One of the ways ISO 14004 shows consistency between the two standards is by aligning its clauses more directly with ISO 14001. ISO 14004 also continues to use the definitions presented in ISO 14001 and describes the same continual improvement model.

Specific changes

The most significant changes in the revised draft are:

Elimination of the five principles.

Use of help boxes.

Presentation of five approaches to pollution prevention.

Expansion of the environmental aspects clause.

Agreement on the need for a broader view.

Provision of help on compliance commitment and expansion of emphasis on objectives and targets.

Elimination of the five principles. The current version of ISO 14004 begins with a discussion of five principles (commitment and policy; planning; implementation; measurement and evaluation; and review and improvement). It then inserts them into a modified version of the EMS model that appears in ISO 14001.

ISO 14004 then uses the five principles to group EMS elements. As part of the effort to be more practical, discussion of these five principles has been removed. Instead, the standard begins with a discussion of the EMS's PDCA (plan, do, check, act) model. ISO 14004 has been revised so this model (see Figure 1) is now the same as in ISO 14001

Use of help boxes. ISO 14004 contains a series of practical help boxes with suggestions to assist readers in conducting activities required by their EMS. For example, one box on prevention of pollution has been added to support the clause on environmental policy.

Presentation of five approaches to pollution prevention. The proposed text presents a hierarchy of approaches:

1. Source reduction (including material substitution; process, product or technology changes; and efficient use and conservation of resources.

2. In-process recycling or reuse.

3. Other recycling or reuse.

4. Treatment and recovery.

5. Control.

The text suggests organizations employ incineration or other forms of disposal only after the options offered in this hierarchy have been considered.

Expansion of the environmental aspects clause. The clause on environmental aspects has been greatly expanded to help organizations better understand what is meant by and involved in identifying environmental aspects and evaluating their impacts.

It has been difficult to revise this clause because there are a variety of understandings and experiences among practitioners and users of the standard. ISO 14001 defines an environmental aspect the same way ISO 14001 does: any element of an organization's activities, products or services that can interact with the environment.

Agreement on the need for a broader view. Although consensus has not been reached on a number of points around the issues of identifying aspects, evaluating impacts and assigning significance, it has been agreed a broader view is warranted than was expressed in the 1996 standard. Ritzert notes, "Working group experts did reach agreement that criteria for 'significance' could include consideration of environmental and legal concerns and the concerns of interested parties..." The committee draft document had specifically asked for comments on two proposed methods for determining aspects, impacts and significance. It also asked whether the final standard should contain more than one example of methods for determining aspects. It is likely this clause will be subject to a great deal of debate before final language is established.

The clause on legal and other requirements has been expanded. Proposed language clarifies what is meant by "access to" these requirements. A new section differentiates between legal and other requirements by explaining what "other" comprises. Provision of help on compliance commitment and expansion of emphasis on objectives and targets. To more clearly establish the link between this clause and the environmental policy (which is required to commit to compliance with legal and other requirements, per ISO 14001), a practical help box on commitment to compliance has been added. Readers of ISO 14001 know environmental objectives and targets must reflect the environmental policy. Moreover, significant environmental aspects and legal and other requirements are among the issues that must be considered. Therefore, more emphasis has been placed on the process of setting objectives and targets, and the table of examples has been expanded. A new section on the need to evaluate organizational performance in achieving objectives and targets incorporates concepts from ISO 14031, a guideline for creating internal management processes and tools to provide ongoing information to determine whether an organization is meeting established criteria. Other expansion Other clauses that have benefited from expanded discussions include:

Communications. This clause has been reformatted to distinguish among general benefits of communication, internal communication, external communication and processes to enhance communication.

Operational control. This clause now addresses identifying the need for controls and establishing and evaluating them.

Monitoring and measurement. This clause clarifies the purposes of monitoring and measuring activities and offers a table of examples.

Evaluating regulatory compliance. ISO 14001:1996 addresses the need to periodically evaluate regulatory compliance as part of the clause on monitoring and measurement. The revised ISO 14001 document moves this paragraph out of monitoring and measurement into its own numbered clause. For consistency, ISO 14004 proposes a new clause on evaluating compliance.

Nonconformance and corrective and preventive action. Considerable text has been added to this clause, which is only two sentences in the current version of ISO 14004. The revision addresses the need for a systematic approach in identifying and responding to nonconformances. It also provides examples of nonconformances.

Continual improvement. This clause has been reformatted into three separate sections: establishing the purpose of continual improvement, identifying opportunities for improvement and implementing continual improvement. A new practical help box provides examples of improvements.

Annex A. In the 1996 standard, this annex provided two examples of international guiding principles: The Rio Declaration on Environment and Development, produced at the United Nations Conference on Environment and Development in Rio de Janeiro in June 1992 and The Business Charter for Sustainable Development, created in Paris in 1991 by the International Chamber of Commerce. The new Annex A illustrates the implementation of an EMS by presenting three examples--an activity, product and service--and showing a commitment in the environmental policy, significant environmental aspect, objective and target arising from the policy and aspect, and method for monitoring environmental performance for each example. Although a great deal of wordsmithing is likely to result after comments on the committee draft are received, it appears the format, tone and focus of ISO 14004 are well-established.

Efforts to enhance the utility of ISO 14004 by aligning it more directly with ISO 14001, clarifying language and concepts, and incorporating a variety of examples that reflect actual experience suggest ISO 14004 is well on the way to becoming what it was always intended to be: a guidance document that assists in implementing an effective environmental management system. ISO 14004 is expected to be released in early 2003.Add Value to ISO 9001:2000 Audits

The standard's revision provides the opportunity to help organizations improve the way they do business

by Sandford Liebesman

Quality auditors have been criticized for not adding value to what they do for clients. The ISO 9001:2000 revision1 provides an opportunity to change this.

The ISO 9001 developers believed the revision should define a universally understood quality philosophy. The standard's development was then based on eight quality management principles that form the basis of a superior quality management system (QMS).2, 3, 4

Correspondingly, structuring audits around these principles to improve an organization's processes should improve customer satisfaction and product/service quality and reliability. These principles are not requirements of ISO 9001:2000. Organizations just bent on obtaining a certificate may not concern themselves with this higher view.

Using the principles to audit

Auditors can use the eight principles to create an organizational mind-set that views quality on a higher plane:

1. Customer focus. ISO 9001:19945 aimed to achieve customer satisfaction by "preventing nonconformity at all stages from design through to servicing." ISO 9001:2000 broadens this concept to include management responsibilities to communicate with customers, monitor and measure customer satisfaction and develop improvements related to customer requirements.

An important role required of top management is to communicate to staff the importance of meeting customer requirements. Top management must also monitor customer satisfaction information, tying it to continual improvement.

By auditing the following requirements in the standards related to customer focus, auditors add value to the process:

Ensure customer requirements are determined and met and customer satisfaction is enhanced (customer focus, element 5.2).

Promote awareness of customer requirements (management representative, 5.5.2).

Provide resources to enhance customer satisfaction (6.1).

Determine requirements specified and not stated (7.2.1).

Communicate (includes complaint handling) with customers (7.2.3).

Handle customer property (7.5.4).

Monitor, measure and analyze customer satisfaction information (8.2.1, 8.4).

Input customer feedback to management review (5.6.2).

Take actions based on management review related to customer requirements (5.6.3).

2. Leadership. Top management's commitment to the QMS has been greatly expanded by the ISO 9001:2000 requirements. Management's role centers on fulfilling customer requirements, communicating with customers as described in the previous section, communicating with staff, and planning and assuring the continual improvement of the QMS.

Auditors should verify the major top management responsibility of assuring objectives are measurable--an important part of the continual improvement process--and tied to the quality policy. A framework must be developed for establishing and reviewing objectives.

The following requirements relate to leadership:

Communicate top management commitment (5.1).

Determine customer requirements and enhance customer satisfaction (5.2).

Include commitment to continually improvement in the quality policy (5.3).

Plan and establish measurable quality objectives (5.4).

Assure responsibilities are defined and communicated (5.5.1).

Appoint the management representative (5.5.2).

Communicate the effectiveness of the QMS (5.5.3).

Conduct management review of the QMS (5.6).

Understand top management's role in continual improvement (8.5.1).

3. Continual improvement. A key new requirement is to improve the effectiveness of the QMS using an improvement loop (8.5.1) consisting of quality policy (5.3), quality objectives (5.4.1), audit results (8.2.2), analysis of data (8.4), corrective and preventive actions (8.5.2 and 8.5.3) and management review (5.6).

Continual improvement is at the heart of the auditor's value added activity. Does the organization use all the tools at its disposal to improve over time? The auditor should carefully review how the improvement loop is working to improve the products and processes.

The following requirements relate to continual improvement:

Plan to continually improve the QMS effectiveness (4.1, 5.4.2).

Plan and implement the improvement processes (8.1).

Report on the QMS performance and the need for improvement (management representative, 5.5.2).

Provide resources to continually improve the QMS effectiveness (6.1).

Monitor the improvement loop (8.5.1).

4. Involvement of people. Involvement of people revolves around assuring the competency of the staff. The key requirements focus on the effectiveness of training, awareness of individual contributions and an effective work environment.

Competence has to do with the long-term capability of the organization to perform effectively. The auditor should review how the organization determines its needs and fulfills them by increasing employee capabilities. It can be difficult to assess training effectiveness.

The following requirements relate to involvement of people:

Determine the competency needs of the organization (6.2.2).

Determine individual competencies and qualifications based on education, training, skills and experience (6.2.1 and 7.5.2).

Evaluate the effectiveness of training and other actions (6.2.2).

Ensure employees are aware of their contributions to the quality objectives (6.2.2).

Determine and manage the work environment (6.4).

Assure awareness of requirement changes (7.2.2).

5. Factual approach to decision making. The use of information in decision making starts with measurable quality objectives and requires the objectives be consistent with the quality policy. Data must be gathered, analyzed and assessed against the objectives.

At issue for the auditor are the analysis and use of data. The data should be available and used for measuring and improving processes, product quality and reliability, and customer satisfaction. Many organizations gather data but do not use them effectively for improvement. Customer satisfaction data are especially difficult to gather and use effectively.

The following are requirements relating to a factual approach to decision making:

Document the quality objectives (4.2.1).

Ensure objectives are measurable and consistent with quality policy (5.3, 5.4.1 and 5.4.2).

Assess the need for changes to the quality objectives (5.6.1).

Determine the objectives and requirements for the product (7.1).

Assess improvements in customer satisfaction, product quality, processes, suppliers and the QMS in general (8.4).

6. Mutually beneficial supplier requirements

ISO 9001:2000 simplifies supplier management requirements. Note, too, that control of outsourced processes is different from management of suppliers and must be identified in the QMS.

The following requirements relate to a factual approach to decision making:

Control suppliers and purchased products based on their effect on the final product (7.4.1).

Select, evaluate and re-evaluate suppliers (7.4.1).

Assess requirements prior to communication to suppliers (7.4.2).

Use data analysis to improve suppliers (8.4).

Control outsourced processes (4.1).

7. Process approach. The elements of a process are inputs, outputs, controls and resources. A process, constrained by the controls, converts the inputs into outputs using the resources. The major structural change to ISO 9001 is the creation of four superprocesses and the requirement to identify, monitor, measure, analyze and improve all QMS processes.

A fundamental issue for auditors is to determine the organization's understanding of processes. Auditors also must identify the methods of managing outsourced processes--a key in today's contract manufacturing environment.

Six processes must be documented: control of documents, control of records, internal audit, control of nonconforming product, corrective action and preventive action. How do you audit a process that is not documented? One solution is to interview some process users and look for consistency. The auditor can also review the process records.

The following are requirements relating to the process approach:

Identify and control processes needed in the QMS, including outsourced processes (4.1).

Include process performance in management review as an input and actions to improve processes as an output (5.6.2 and 5.6.3).

Ensure consistent planning of product realization (7.1).

Monitor, measure, analyze and improve processes (4.1, 8.2.3).

Analyze data to provide information on characteristics and trends of processes (8.4). 8. System approach to management. A QMS is a system of processes linked to effectively manage the quality of products and services. A main requirement is to determine the sequence and interaction of these processes. A second major consideration is the issue of exclusions allowed only in section 7. The auditor has a role in reviewing the exclusions and determining whether or not they are justified. The following requirements relate to the system approach:

Determine the sequence and interaction of processes (4.1).

Justify exclusions (1.2).

Ensure processes needed for the QMS are established, implemented and maintained (management representative, 5.5.2).

Plan and develop the processes and records to show the realization processes and products meet requirements (7.1).

Manage customer related processes (7.2), design and development processes (7.3), purchasing processes (7.4), production and service provisions (7.5) and monitoring and measuring devices (7.6).

Plan and implement monitoring, measurement, analysis and improvement processes (8.1). It is clear auditing has grown in complexity. Auditors can no longer simply go through the standard element by element.

The eight quality management principles transcend the basic elements and must be identified and continually improved within an organization. While this may add challenge to the job of auditing, it also leads to many opportunities for auditors to be value added suppliers.The Whole Truth And Nothing But the Truth

Lying to the FDA will always get you in trouble

by Les Schnoll

It usually starts as a little white lie. The worst case finale is a not so brief vacation at the federal penitentiary. The philosophy is usually the same: What they don't know won't hurt them. The truth is what they don't know (or what you don't tell them) will hurt you.

It is sometimes only the misguided beliefs of a single person in an organization; at times it is the result of the ill-advised values of an entire company. In any event, the action will invariably get you in trouble. The incident: lying to the Food and Drug Administration (FDA) about a medical device, pharmaceutical or food product your organization manufactures.

Potential consequences include those with which most of us in the field are familiar, ranging from a Form 483 to regulatory letters, fines, consent decrees and injunctions. At times, the organization and its employees can be prosecuted--and the conviction rate is pretty high.

"So what? I won't get caught," you say. Or, "That's why we have lawyers."

Not a good mantra. Those organizations and staff who think they can get away with lying are usually not aware of a good friend of the FDA, namely the Department of Justice. Let's not forget that FDA investigators are officers of the government and, as such, can rely on their fellow representatives to provide assistance. That's where Title 18 of the United States Code comes into play.

Considered crimes

Title 18 is a broad set of regulations dealing with crimes and criminal procedures that are under the jurisdiction of the Department of Justice. Part one (crimes) includes chapter 47 on "Fraud and False Statements." You should keep in mind a couple of sections in chapter 47 if you decide to be less than honest with a representative of the U.S. government.

Section 1001 (Statement or Entries Generally) applies in any matter within the jurisdiction of the executive, legislative or judicial branches of the government, which about covers it all. It applies to anyone or any organization that knowingly and willfully:

Falsifies, conceals or covers up by any trick, scheme or device a material fact (participates in a cover-up).

Makes any materially false, fictitious or fraudulent statement or representation (doesn't tell the truth).

Makes or uses any false writing or document knowing the same to contain any materially false, fictitious or fraudulent statement or entry (falsifies data).

Conviction under section 1001 can lead to pretty steep fines and imprisonment up to five years.

Section 1031 (Major Fraud Against the United States) is an area in which you are best advised not to get involved. This section applies to anyone who knowingly executes (or attempts to execute) any scheme or artifice with the intent to defraud the United States or obtain money or property by means of false or fraudulent pretenses, misrepresentations or promises.

In other words, if an organization has a contract with a federal agency and, for example, falsifies information to obtain that contract, section 1031 kicks in. Now the government cuts a little slack here: To be prosecuted under section 1031, the organization must be a prime subcontractor (or subcontractor to a prime subcontractor) of the United States, and the contract has to be $1 million or more.

The penalties for conviction for this type of indiscretion can be a fine of up to $1 million and 10 years in prison. Then again, those penalties can be more (including fines up to $10 million) if the loss to the government or the gross gain to the guilty party is $500,000 or more or if the offense involves a "conscious or reckless risk" to public safety. The regulations also provide the courts an opportunity to impose additional sanctions. Falsifying documentation Now that we're aware of the Department of Justice, another possible result of lying to the FDA or falsifying documentation provided to the agency is a process known as AIP, or Application Integrity Policy. The source of this policy is chapter 10 of the FDA Office of Regulatory Affairs' Regulatory Procedures Manual. AIP focuses on the integrity of data and information in applications submitted to the FDA for review and approval. To put this into perspective, note that the original title of the regulation published in the Federal Register (56 FR 46191 on Sept. 10, 1991) was "Fraud, Untrue Statements of Material Facts, Bribery and Illegal Gratuities: Final Policy." AIP describes the FDA's approach regarding the review of applications that may be affected by wrongful acts raising significant questions about data reliability. If an organization is placed on AIP status (and this is a very small fraternity), the FDA will defer scientific review of any applications submitted by the company until it is satisfied the information provided is reliable. Generally, AIP is invoked after the observation of a pattern of falsified information (more than one instance) of material facts (a false statement, misstatement or omission of a fact). These instances are classified as wrongful acts and defined as "any act that may subvert the integrity of the review process." Wrongful acts include (but are not limited to) submitting a fraudulent application, offering or promising a bribe or illegal gratuity, stating an untrue statement or material fact, submitting data that are otherwise unreliable due to patterns of errors, whether caused by incompetence, negligence, practice or systemwide failure to ensure the integrity of data submissions. Once a company is placed on AIP status, it's not easy to get off. Revocation of AIP is based on the guilty organization's conducting a credible and adequate internal review to identify all instances of wrongful acts. The review typically involves a qualified outside consultant approved by the FDA and submission and execution of a corrective action plan that includes:

A commitment to ensure safety, efficacy and quality. A description of corporate ethics and compliance programs. A process for effective communication of the company's ethics, quality and compliance programs to personnel through written procedures and training. Steps to address current wrongful acts. In addition, the organization must withdraw any questionable applications and commit in writing not to refile or reactivate any application not included in the validity assessment until the FDA is satisfied with the reliability of the information. The organization is required to submit a new application when a validity assessment indicates an application contains unreliable data and the company wishes to replace the data.

It makes good business sense--and it's easier--to be honest. If you say you're following a certain procedure or process, you'd better not be fudging the truth. George Washington was right when he supposedly said, "I shall not tell a lie." Note: If readers have any questions or concerns, they should contact their companies' legal counsels or member of their compliance hotline (such as compliance officer or ombudsman). This article is not intended as legal advice but is expected to make readers aware of the law and risks associated with prevaricating, dissembling or otherwise being less than candid with the FDA. ISO 9001:2000's Process Approach

A new concept or the same old stuff?

by John E. "Jack" West

With all the guidance on ISO 9001:2000 already published, you would think everyone would understand the process approach as a basic concept of the revised standard.

Jeffrey H. Hooper discussed this approach in an earlier article in Quality Progress,1 and chapters two, eight, 11, 12, 20, 30 and 42 in the ASQ ISO 9000:2000 Handbook2 deal extensively with the topic. In addition, International Organization for Standardization, known as ISO, Technical Committee 176 provides a guidance document (ISO/TC 176/SC2 N544R) available for free download.3

Perhaps all this guidance makes people think the process approach concept is more difficult than it is. I regularly receive questions on it. In fact, most of the questions I get about ISO 9001:2000 relate in some way to the concept. Usually the answers are very simple, and this article will answer a few of the most common questions.

Q: I understand the definition and concept of process approach, but how the requirements related to processes differ from the previous standard's requirements is not clear to me. Wasn't the process approach included in ISO 9001:1994? And if it was, what is different in ISO 9001:2000? Why is there so much emphasis on the process approach now?

A: First, let's review the underlying principles related to this subject. If you are not familiar with the eight quality management principles, you can find them in ISO 9000:2000 or ISO 9004:2000. A brochure related to them is available on the ISO Web site.4 Two of these eight principles are key to understanding the process approach concept:

"Process approach--A desired result is achieved more efficiently when activities and related resources are managed as a process." This principle applies to individual processes.

"System approach to management--Identifying, understanding and managing interrelated processes as a system contributes to the organization's effectiveness and efficiency in achieving its objectives." This principle applies to the whole quality management system (QMS).

So the QMS may be seen as using both concepts. A more extensive discussion of these concepts and their relationship to quality management system documentation can be found in chapter 12 of the ASQ ISO 9000:2000 Handbook.5

The use of processes operated under controlled conditions was required in ISO 9001:1994 for processes related to making products and delivering services. Clause 4.9 of ISO 9001:1994 required organizations to "identify and plan the production, installation and servicing processes that directly affect quality and shall ensure that these processes are carried out under controlled conditions."

The 1987 and 1994 versions of ISO 9001 used a procedural approach, putting procedural requirements on activities and functions. Except for clause 4.9, the 1994 standard did not directly address processes of the system, nor did it directly connect the process approach with the systems approach to management.

ISO 9001:2000 recognizes the entire system is made up of interrelated processes, so in addition to consideration of the processes for product realization (see clause 7.1), you must identify and manage the processes for the whole system.

For many organizations this concept will not prove to be a major change. If an organization has used flowcharts or process maps and has developed a process emphasis, then it is certainly possible the new standard will require no difference in approach.

Certainly some organizations used this process approach for their whole QMS, even with the '87 and '94 versions, but it was not a requirement.

Q: What are we really expecting from an organization for it to be in compliance with Clause 4.1 of ISO 9001:2000?

A: The basic requirement of clause 4.1 is that the organization "establish, document, implement and maintain a QMS and continually improve its effectiveness." Clause 5.4.2 requires the QMS be planned to meet the requirements of 4.1 and the quality objectives required in 5.4.1.

In planning the system, the organization must take two things into account: meeting ISO 9001:2000 requirements and meeting its own quality objectives. Clause 4.1 gives the minimum requirements for determining the processes of the system and managing them to meet the objectives and achieve continual improvement.

The output of this planning process includes the documents required in clause 4.2: the quality manual (showing the interaction of the processes), the documented procedures required by ISO 9001 and other documentation as needed to ensure effective operation of the system.

Certainly one of the best methods to meet these requirements is the inclusion of process diagrams in the manual or use of flowcharts of the key processes. While such charts are not specifically required, they are beneficial. The focus, however, should be on developing a system that concentrates on meeting the quality objectives while still meeting the requirements of ISO 9001:2000.

Q: The requirement for the quality policy contains some new aspects not included in the 1994 standard. One requires the policy to have a framework for reviewing quality objectives. What is the intent of this change?

A: The policy should set the organization's direction regarding quality, and the objectives should flow from that policy. For example, if an organization needs to increase its sales (a business objective), the quality policy may state that the organization will focus on "enhancing customer satisfaction to gain loyal and long-term customers."

A specific quality objective within this framework might be: "Improve customer satisfaction survey scores by 31% over three years." Or "each executive will visit two customers every quarter to assess the customers' perception of satisfaction."

During management reviews, the top managers would look at progress on meeting the objective. If conditions change, the organization may need to change either the policy or the objective to meet those new conditions.

Maintaining this linkage between the policy and the objectives is particularly important when we consider that clause 5.4.2 requires planning the QMS to meet the organization's objectives as well as the process approach requirements of clause 4.1. Changes in policy or objectives may well necessitate changes to the processes of the system.

This requirement encourages a consistent and measured focus on core values throughout the organization and highlights the need for ensuring resources are available to convert policy pronouncements into reality.

Q: I understand there is a major change to the way we are required to conduct audits to the new ISO 9001:2000 because of the process approach. Where is this change described in the new ISO 9000 series?

A: There is no such description because there is no requirement in ISO 9001:2000 to change the way you audit. On the other hand, the adoption of the process approach does present opportunities to improve the way you audit. Auditing processes as they flow through the functions of an organization may prove to be a value added activity.

It has been said that while the old version of ISO 9001 required system audits, ISO 9001:2000 requires process audits. The concept "process audit" is not defined in ISO 9000:2000. I do not see the term "process audit" in ISO 9001:2000. So, do not be confused. Auditors must still determine whether the system is effectively implemented, and the system must meet the requirements of ISO 9001.

But wait a minute! ISO 9001:2000 requires organizations to use the process approach for developing, managing and improving their QMSs. And should not audits validate the process approach has indeed been effectively implemented? Of course they should. It is hard to imagine how the application of the process approach can be audited without looking at the processes of the system.

Certainly you have interrelated processes as a fundamental part of your QMS, and you should take them into account in your audit planning. You should be able to do a more effective audit by taking the processes into account than by not doing so, even though this is not a requirement of ISO 9001:2000. It can be done by auditing the processes of the system to ensure they meet the requirements of ISO 9001 and the organization's objectives. Auditing of the processes may be done function by function (for example, auditing all the processes that flow through a department or function) or by cross functional auditing of each process. Process inputs and outputs should be considered along with the organization's methods for monitoring and measuring the processes. Process measures and targets for key processes should be linked to the organization's quality objectives.

To summarize, although the requirements for conducting audits have not changed, I strongly recommend internal audits focus on outputs, improvement, customer satisfaction and alignment with other areas of the organization. Audit planning should consider all the requirements of all the clauses in ISO 9001:2000 that apply to the process or activity being audited. This approach to internal audit planning and implementation will yield the best return on the internal auditing investment.Purchaser and Supplier Quality

Going beyond ISO 9001, QS-9000 and TS 16949

by R. Dan Reid

Hitoshi Kume, who was tutored by Kaoru Ishikawa, contrasted quality control from the viewpoints of purchasers and suppliers, saying, "Quality control based on existing standards and purchasers' requirements is quality control from the purchaser's standpoint. On the supplier's side, quality control can be made into a management tool by building a system for performing quality improvement methodically, systematically and continuously."1

ISO 9001, QS-9000 and ISO TS 16949 are examples of requirements from the purchaser's perspective.

"As part of business management, quality control is a management tool with tremendous potential, and superb results can be obtained if suppliers take the lead and implement it on their own initiative. Its full potential cannot be realized if it is practiced simply in accordance with purchaser's requirements," Kume added.2

Time has proven Kume's comments true. Several industry sectors have mandated ISO 9000 based requirements to their suppliers. Yet purchasers, at least in the automotive industry, have been somewhat disappointed with the delivered quality.

In a 2001 Associated Press article, an independent supplier survey reported automotive suppliers were cutting corners on quality in response to automaker demands for price cuts.3 Only 20% of the 261 supplier respondents said they were improving quality.

Proven quality improvement methods have been known for more than 50 years but in most companies remain only partially deployed at best. Management often views quality as a somewhat discretionary expense--a candidate for the first thing to go when trouble comes, not something fundamental to business management.

One more key point from Kume is that living organisms do not evolve from the center of their class but from the periphery. "Quality control may appear to be positioned somewhat on the fringes of conventional business management, but it seems to be an effective way of causing business management to evolve."4

Companies interested in leading the business management evolution can use several strategies going forward. They will have to go beyond purchaser requirements and the generic fundamental ISO 9001 requirements.

What top management must do

ISO 9001:2000 places accountability for the management of quality with top management. In clause 5.2, it requires top management to ensure customer needs are determined and met. Clause 5.4.2 requires it to plan the quality management system to ensure requirements and quality objectives are met.

Management is responsible for the system employees' use, so it must understand the processes and what is necessary to improve them. Instead, as W. Edwards Deming said, management frequently does not know what must be done. In the meantime, quality practitioners need to implement strategies from the periphery.

Cost of quality in "management speak"

One proven strategy is to put quality into the language of money. Frank Gryna has said that money is the basic language of upper management.

In the 1950s, Joseph M. Juran defined a cost of quality approach that has been used by many organizations. Unfortunately many have focused only on the cost of poor quality because this is more easily identified.

QS-9000's third edition, clause 4.1.5, lists cost of poor quality as one of the required metrics for operational performance. ISO Technical Specification (TS) 16949:2002, clause 5.6.1.1, requires management to regularly review the cost of poor quality. Also, ISO 9004, clause 8.4, lists the economics of quality among data and information an organization should analyze. Ideally, cost of quality tracking and reporting should be integrated into an organization's accounting system.

Six Sigma has used this cost of poor quality concept to gain management support, showing why it is important to go beyond the cost of poor quality in tracking quality costs.

Mikel Harry and Richard Schroeder say some organizations are stuck at three or four sigma because they believe the costs of going beyond that through defect reduction will exceed the benefits of reducing poor quality. But, they say, five and six sigma performance levels enable companies to dramatically reduce the cost of appraisal and prevention.5 Companies that track only failure costs would not be aware of this.

Strategic auditing

The methodology used for internal auditing is also important. ISO 9001:2000, clause 8.2.2, requires an organization to conduct internal audits at planned intervals. In many companies, each element of the quality management system is audited only once a year.

This raises some questions: Who do you want to discover problems? When do you want them to be discovered in the process? Given that third-party audits are conducted at least annually, yearly internal audits do not provide an organization much of a chance to find problems and correct them before a customer or third-party auditor visits.

QS-9000 and ISO TS 16949 require internal audits be planned annually and conducted with varying frequency depending on whether nonconformances or customer complaints are identified.

Audits of customer oriented and critical product realization processes should be performed more frequently than those of support operations. When an internal audit identifies a nonconformity, subsequent audits of that area should be scheduled more often. Effectiveness and promptness of corrective action should be verified to ensure closure before a nonconformance becomes an external failure.

Process auditing--the next frontier

ISO TS 16949, clauses 8.2.2.2 and 8.2.3.1, require audits of manufacturing processes. ISO 9001:2000, clause 8.2.3, requires measurement and monitoring of processes to demonstrate the ability of the processes to meet planned results.

In the automotive industry, the control plan is a required document containing the plan for quality of the parts and processes. To develop an effective plan, an organization should review the design and process failure mode effects analysis (FMEA) documents.

A key input for the FMEA development is a review of the design record and any required specifications. As Juran pointed out years ago, quality starts with characteristics.

Customers will usually identify key or special characteristics, and suppliers will need to designate other characteristics as key or special, based upon their knowledge of their manufacturing processes.

For characteristics with a high risk or severity of potential failures or high risk priority numbers, efforts should be undertaken to error proof the part or process design. If the efforts are successful, the risk priority should be recalculated on the FMEA. If not, provisions on the control plan and work instructions at each applicable site should mitigate the effect of the potential failure. This will require implementation of verification activities at various stages of product realization.

Organizations should use design records, FMEAs, control plans and operator instructions as elements of the same process instead of treating them as separate unrelated exercises (see Figure 1, p. 86).

Corrective and preventive actions can be prioritized using the information generated in this process, along with records such as control charts, logs and cost of quality (such as rejects, warranty and returns). Error proofing should be revisited at every opportunity.

This approach should also be used in process auditing. Auditors should review process flowcharts, any RASIC (responsibility, approval, support, inform or consult) charts--good tools for defining responsibility, support, approval and information flow for steps in any process--and the documents in Figure 1, and previously mentioned operational records to plan the process audit.

Significant characteristics from the design record should be listed on the FMEAs so risks posed by potential failures can be assessed and prevented. Linkages between these documents should be checked at key or special characteristic interfaces. Characteristics with high severity or risk priority numbers on the FMEAs should be audited for special characteristic designation.

The frequency of verification activities required on the control plan should represent a significant sample of the total shift or day's production volume:

Gage repeatability and reproducibility for measuring devices called out on the control plan should be audited for acceptability.

Calibration records should be audited for compliance to any calibration requirements of the devices.

Key process equipment should be identified and included in the preventive maintenance plan.

Records of preventive maintenance and machine capability of equipment should be audited for compliance to the plan.

Spare parts availability for this equipment should be confirmed.

This information should be linked to the contingency plans, such as those required by QS-9000. Customer identified special characteristics should be suitably identified on the documentation. Documents or records specified by the control plan should be audited on the floor to verify they are being maintained as planned. Not completing these documents with a cross functional approach can lead to disconnects between the product realization plan and reality.

A competent auditor can effectively complete a process audit as described above in less than one shift. These auditors must be able to distinguish a good FMEA and control plan from a poor one. They must know both customer and supplier specified requirements.

Managing human resources

In the aftermath of Sept. 11, 2001, thousands lost their jobs in the United States as the economy slid into recession. Such rapid changes, whether growth or decline, stress existing management systems.

As employees are laid off, work has to be redistributed. For the redistribution to work properly, employees need training. Work instructions need to be updated when jobs are revised. ISO 9001:2000, clause 6.2.1, requires personnel whose work can affect quality be competent on the basis of education, training, skill and experience.

As organizations downsize, attention needs to be focused on competency. Requirements for education, training and experience should be documented. When, as often happens, a person without experience is named to a position affecting quality (quality director, for example) training requirements should be specified. Effectiveness of training should be periodically evaluated. Records of training completed should be maintained to document competency.

In addition, ISO TS 16949:2002, clause 6.2.2.3, requires on-the-job training for any personnel, including contract or temporary workers, in any new or modified job affecting product quality. This requirement has evolved from postmortem analysis of quality problems from suppliers when the root cause was lack of competence.

Quality practitioners need to understand fundamental quality management, including statistical methodology and variation management. Process capability and process control must be understood throughout the organization.

ASQ has resources that may be of help. Two basic courses, Quality 101 and Quality Basics, are available in several delivery methods. Quality Basics is actually targeted to personnel not assigned to product quality but who provide support for the product realization process.

The ASQ Statistics Division offers Improving Performance Through Statistical Thinking through Quality Press. These concepts are also fundamental for Six Sigma. Quality Press has also just published Fundamental Concepts of Quality Improvement, a collection of previously published ASQ papers that can provide a basic understanding to newcomers to quality.

Juran's Quality Handbook should be on every quality practitioners desk for easy reference, and Deming's Out of the Crisis should be required reading for mid-level to top managers. Both are good sources for ways to encourage continual learning within small groups or teams. Regardless of the resources used, an organization needs to routinely offer fundamental quality curriculum for staff, especially those new to quality. People cannot achieve world-class quality without first understanding the fundamentals. While most colleges and universities have generally not responded to this need, some vocational schools are now working cooperatively with local industry. ASQ sections should also view this as a local opportunity. Managing continual change Events of the past year have forced organizations to manage continual change. For quality to happen, quality control from the supplier's perspective is necessary. But evidence indicates suppliers do not always pursue the actions needed for quality improvement.

Perhaps quality practitioners who know what must be done can help the cause through the implementation of strategies that will improve quality. This will ultimately improve customer satisfaction, which in turn will provide "jobs and more jobs," as Deming said. Let me know if you have any ideas on this subject.Ask the Right Awareness Questions

ISO 9001:2000 says employees understand quality and customer requirements

by J.P. Russell

The new ISO 9001:2000 quality management system (QMS) standard has opened up several new lines of questioning (interviewing) that will help organizations connect all employees to quality and customers.

I have been delighted with the standard's new interview opportunities and find them beneficial to the business management systems of organizations seeking registration or reregistration, adding real value.

Prior versions of the ISO 9000 series standards required the quality policy be understood by employees at all levels in an organization. So an auditor would question employees about the policy.

As an auditor myself, I have received an entire spectrum of answers over the years. I recall one company becoming so frustrated it made employees sign a form declaring they understood the quality policy as a prerequisite for receiving their paychecks.

Unfortunately, employees are usually good at putting themselves in the customer's shoes and reacting to crappy products bought--for example, from a department store. But they are not usually able to think of themselves as providers of quality products and services. Perhaps they are so far removed from customers it seems meeting requirements is someone else's job. ISO 9001:2000 attempts to correct this.

Four clauses

In support of the quality management principle for the involvement of people, ISO 9001:2000 has four requirements centered around communicating quality awareness. The four new requirements go beyond emphasizing the quality policy must also be understood.

These four clauses that provide new audit interview opportunities are:

1. 1.5a--Communicate the importance of meeting requirements.

2. 5.5.2c--Promote awareness of customer requirements throughout the organization.

3. 5.5.3--Establish processes to communicate QMS effectiveness.

4. 6.2.2d--Make personnel aware of the relevance and importance of their jobs and how they contribute to the quality objectives.

Now auditors will need to interview employees to verify the organization meets the quality awareness requirements.

Requirement awareness

Asking employees about the importance of meeting customer requirements also provides audit evidence of management commitment. When you interview top management people, they will explain how they communicated the importance of meeting requirements to people in the organization. Then when you interview the employees of the organization, you can test the effectiveness of the methods used by top management through questions such as:

Are you aware customers have requirements?

What are some customer requirements?

What happens when customer requirements aren't met?

Promoting awareness

Clause 5.5.2c is about responsibilities and authorities for management representatives to promote awareness of customer requirements throughout an organization. Examples of questions an auditor might ask to determine whether this requirement is being met include:

How are customer requirements communicated to you?

How are you made aware of customer requirements?

Communication processes

Clause 5.5.3 requires the establishment of processes to communicate QMS effectiveness. Management should be able to provide evidence of such means as bulletin boards, newsletters and news on internal company intranets.

This effectiveness requirement creates another opportunity for a contact interview question about the progress of the QMS. Simply posting the number of customer complaints or defects related to a particular area is not likely to be sufficient audit evidence to prove people are aware of the effectiveness of the QMS. A way to meet this requirement is to keep people informed of the organization's progress toward meeting its quality objectives.

Some possible general interview questions to establish effectiveness could be:

Has your organization established a QMS?

Are you informed about its progress? How is it doing? Is it getting better or worse?

This clause provides an opportunity to link the organizational quality objectives to employees at all levels. It will be difficult for organizations to comply with the requirements of this clause unless they establish meaningful and measurable quality objectives.

The quality objectives can be passed down from top management to managers, supervisors and employees to provide solid linkage between the objectives and the work being performed.

Organizations are trying different techniques to keep employees informed about the effectiveness of a QMS. They may use communication processes already discussed (newsletters, bulletin boards) or other processes such as weekly team meetings, e-mail updates or informational letters given out with paychecks.

Another measure of the effectiveness of a QMS can be found in customer satisfaction ratings. Everyone can relate to customer satisfaction levels. If you work for a company that has a 99% customer satisfaction rating, you may feel good about it. If your organization's customer satisfaction rating is 63%, you know you have a lot of hard work ahead of you.

Relevance and importance The fourth contact opportunity clause is the most powerful of all. It requires employees to know the importance and relevance of their jobs and how they contribute to quality objectives. This is a long overdue requirement. I think of it as demonstrating how everyone fits into the big picture and is marching to the same drum. Some possible interview questions to establish this knowledge are:

How does your job contribute to the quality of the product or service?

What do you do to ensure the customer is satisfied? In one interview with a packer, I asked how he contributed to customer satisfaction. The packer job was an entry level one with lots of turnover. In fact, it was not unusual for people to quit after the first paycheck. The packer's answer to my question was something like, "I just box the stuff coming off the machine and put this sticker on it." Then it hit me: This person (in perhaps the lowest level job) is the last person to see the product before the customer does. The packer is the last person to check for defects or irregularities. He or she can have a significant effect on customer satisfaction. Once organizations are able to communicate the importance and relevance of everyone's job, there will be linkages from top to bottom and bottom to top. You as the auditor will start to see that a QMS is no longer a separate system from the business management system. Now the business and quality systems are compatible and working together to achieve common goals. You may feel like saying, "Eureka! Finally ISO 9001 is going to add measurable value." You may want to consider keeping a general list of quality awareness questions you can use throughout the audit. You can highlight questions on your checklist or put the quality awareness questions on an index card to use on every interview. Carryover requirements Other QMS awareness questions have been carried to the new version of the standard from the 1994 version. One such requirement is that top management be responsible for ensuring the quality policy is communicated and understood throughout the organization. Possible quality awareness questions for auditors to ask are:

Does the organization have a quality policy (or policy about quality)?

What is the policy?

Can you explain it in your own words? The ISO 9001:2000 awareness requirements will have a significant effect on how the QMS is viewed by top management and employees. Now that there is alignment from top to bottom and bottom to top, organizations should stop asking how much a QMS costs and instead ask how much ISO 9001:2000 is going to save them.Quality Management System vs. Quality Improvement

What should we tell the CEO?

by Dale K. Gordon

As a reader of quality related books and periodicals, I have been noting the delicate dance between two different factions.

On one side of the floor are those whose passions are for a strong and all encompassing quality management system (QMS), such as ISO 9000:2000 or a derivative. On the other side of the same floor are those who advocate dedication to a total process improvement or quality improvement (QI) approach, such as Six Sigma, total quality management (TQM) or lean manufacturing.

All of this is in the name of capturing the hearts and minds of the organization from the top executives on down to the individual process operators, so the quality function can do what it was hired to do--lead the transformation of the enterprise.

It struck a chord when I was reading a column by James Harrington, a former company COO. He began, "All quality programs, whether TQM, Six Sigma or ISO 9000, require an organization to shift away from the status quo."1

The article was about resistance to change, but the choice of words of a former COO and quality professional struck me as very typical of the view of many at the top. His view seemed to be there were no differences between implementing a QMS or developing and implementing the use of a QI program. In his words, they are just quality "programs." The rest of the article was a good analysis of dealing with organizational change.

It may seem the view from many executive suites is not much different from Harrington's. What is the view of the organization's leadership relative to what they are reading and hearing in the business periodicals and from their staffs?

Strategic decision making

An organization in the Midwest recently blanketed the radio airwaves about its being the only ISO 9001 certified dental health insurance provider. The implication was it should be the first choice because its competitors were not ISO 9001 certified.

All organizations, regardless of products or services, make strategic decisions relative to how they operate and plan to use their resources. These decisions typically involve how to better meet customers' needs, create improvement and run more cost effective and efficient processes.

At some point, it is a matter of resource allocation. How does management employ its precious time, energy and money? Is ISO 9000 a marketing tool to be administered by the quality function to show customers the company has a functioning QMS, as opposed to competitors that do not? Is Six Sigma a program an organization must implement to convince customers and the financial markets it's fiscally prudent?

Anttila's viewpoint

I had the good fortune many months ago to be on the same program at a conference with JuhaniI Anttila, vice president of quality integration for Sonera Solutions Ltd., Helsinki, Finland.

Anttila has been well-known in the ISO 9000 world since its inception. He was billed as a speaker on the implications of using ISO 9000 and the changes in the new standard. I got the impression most of the conference audience of U.S. government and industry quality professionals were expecting a dissertation on the specific changes ISO 9000:2000 would bring compared with the 1994 version and how they would have to change their quality system documentation to meet the new requirements. It was interesting to watch as Anttila said anyone can read the standard and what's really important is how the standard is used. His presentation covered the use of ISO 9001:2000 as a management tool for running an enterprise.

Anttila's perspective, best stated in his book ISO 9000 for the Creative Leader, is refreshing: The aim of ISO 9000 standards is not to force uniformity on the QM approaches of different organizations, but rather to provide innovatively applicable guidelines for the continual improvement of business performance.2

Anttila puts the standard into the framework of TQM, in that TQM is a holistic approach to looking at the customer's needs balanced against the business needs to be profitable and provide for stakeholders. The concepts in both ISO 9001 and ISO 9004 cover the entire leadership of the company and assurance to customers their needs are addressed.If taken as the authors of the standard intended, the model of the standard is a simplified business one with a process focus embedded within the management system itself (see Figure 1). Anttila continues:

The objectives of ISO 9000 standards are business benefits. Thus the ISO 9000 standards aim at profitable increase of turnover and market share at decreasing costs. Moreover, the intention is to increase customer retention, responding to market opportunities, process alignment, competitive edges, people's goal-awareness and stakeholder confidence as well as to create value to the unit and its stakeholders.3

Why use other programs?

So why do we users and practitioners of the standards feel the need to employ other quality programs?

Devotees of Six Sigma and lean have emphasized the need to make their prescriptions for business management and improvement at an enterprise level all the way to the executive suite.

While there is certainly no denying the successes of companies such as Motorola, General Electric (GE) and Honeywell in using Six Sigma as a corporate philosophy, the question is, how does it complement or interact with the QMS?

Jack Welch, former GE CEO, says Six Sigma is a highly disciplined process that helps employees focus on developing and delivering near perfect products and services.4 Others have defined it as a management philosophy.

Six Sigma is a customer based approach with a focus on defects. Fewer defects mean lower costs and improved customer loyalty. The lowest cost, high value producer is the most competitive provider of goods and services. Six Sigma has been defined as a way to achieve strategic business results.

Is there a right way?

Is it possible for there to be more than one strategic quality imperative to achieve customer satisfaction? Does the definition of a quality organization depend on QMS certification or use of Six Sigma to show management is committed to its customers?

In the August issue of Quality Progress several articles were devoted to quality and top management. The comments I found insightful were Joseph M. Juran's: "We are at an impasse. We know quality leadership is attainable. We know which success factors and managerial processes have led to quality leadership. We have indications of the order of magnitude of the potential gains. Despite the array of knowledge, the bulk of our companies are not rushing to make use of it."5

This brings us back to Anttila's comments about the ISO 9000 standards as a model for quality leadership.

Also, in the August QP, my fellow "Standards Outlook" columnist Dan Reid stated:

ISO 9001:2000 places accountability for the management of quality with top management. In clause 5.2, it requires top management to ensure customer needs are determined and met. Clause 5.4.2 requires it (management) to plan the quality management system to ensure requirements and quality objectives are met. Management is responsible for the systems employees use, so it must understand the processes and what is necessary to improve them.6

So, in fact, the system must be designed so any improvements make the organization successful and meet customers' needs.

It should be clear by now that we may not be using the ISO 9000:2000 standard exactly as intended. A possible indicator is the fact that we are out looking for other ways to motivate and encourage the organization to improve via other programs to convince the organization's leaders how to use its resources. The time proven quality tools are essential in the improvement of the processes of an organization. Every day we are discovering ways to apply these tools and educate more people in the organization on the benefits of using quality tools to improve individual processes. Defect free products and services cannot be anything other than the ideal goal of the organizational output. Any methodology and structured approach to improvement of processes is expected to be part of a functioning QMS.

I quote again from Anttila: Reaping benefits from the standards requires that they are implemented into the business in an integrated manner. ISO 9000 and 9004 provide the real basis for an effective and efficient QMS as a basis for its continual improvement. Quality assurance forms but a small part of ISO 9000 and TQM. There is no evidence certification would increase the competitiveness of a company. Certificates as indicators of quality have significantly hampered the basic utilization of the standards, and using ISO 9000 only as a checklist for certification has corrupted the whole core idea of the standards. Sound implementation of ISO 9000 amounts to natural, effective and efficient customer driven business management.7 Dialogue needed So where does that leave us? Maybe we need to have some open and honest dialogue at senior leadership levels about just how well organizations are using the ISO 9000 model.

This requires more than mere reporting on internal audits at management reviews. It goes into an understanding of how the systems and subsystems of an organization are performing and whether they are helping achieve the organization's objectives. It also requires the systemic use of quality tools at all levels to improve individual processes and identify systems that are not meeting internal and external customer expectations. There is a place for the complete wisdom that has been written on both the QMS standards and QI tools. The need now is to get them to dance together and utilize the creativity that can come from the synergies of that pooling of resources. It's all there in print; doing it is what is hard.Developing a New ISO 14001 Reporting Standard

Final guidelines expected to encourage external communication

by Marilyn R. Block

Environmental reporting has been a contentious issue since ISO 14001 was drafted during the mid-1990s. At that time, the work group charged with writing the standard was characterized by two distinct positions.

Some participants wanted to include a requirement that organizations regularly share information about their significant environmental aspects and impacts with interested external parties. Others opposed to a mandatory reporting requirement argued external reporting fell outside the scope of a system that purported to assist in internal management of environmental issues.

Ultimately, compromise language was struck. When published in 1996, ISO 14001, clause 4.4.3, instructed organizations to "consider processes for external communication" on their significant environmental aspects. As written, this clause requires only that an organization decide whether it wishes to establish some form of environmental information sharing. It does not require any communication of significant environmental aspects.

The current ISO 14001 revision effort has provided an opportunity to revisit the issue of voluntary environmental reporting. Proposed language attempts to clarify the original intent by articulating two distinct points. The draft revision first instructs organizations to decide whether to communicate externally about significant environmental aspects. If an organization decides to communicate externally, the standard requires it to establish a process for its external communication.

Creating a standard

In a parallel effort to provide guidance concerning environmental communication without imposing additional auditable requirements on organizations seeking to implement ISO 14001, ISO Technical Committee 207 created environmental communication working group (WG) 4 in 2001. The United States serves as convener of WG 4; Sweden serves as secretary.

According to Amy E. Schaffer, federal regulatory affairs manager, Weyerhaeuser, and former U.S. expert to WG 4, "There was a great deal of interest among developing countries for guidance about communication. Within the United States, interest was expressed by small and medium-sized enterprises that did not know how to begin to communicate."

WG 4's object