Why Be Assessed to the Most Prevalent Standard in Use Today?
Robert Vickroy, ABS Quality Evaluations, Inc.
Initially conceived as a common, one-shoe-fits-all quality management system standard, ISO 9001 has developed to become
the baseline concept inherited by many industry sector schemes and models. This article summarizes the several quality system
models and outlines the critical factors that contribute to the successful implementation of an effective, robust, quality system.
ISO 9000 standards started in the late
1980s to promote standardization of
trade. Early use of the ISO 9001
Standard was in the European Union
countries, which influenced international
trade by requiring registration for companies
selling products worth more than
100,000 Euros, the then-evolving
European Union currency. Since that
time, the requirement to be registered has
also been incorporated into many U.S.
companies' bidding requirements. In the
expanding global economy, domestic
companies must now compete with foreign
companies that are achieving ISO
certifications to become more acceptable
as suppliers. As a result, U.S. companies
in foreign markets find ISO certification
useful in assuring their foreign customers
that they have fundamental quality
processes.
Determining whether to be assessed
to ISO 9001 depends a lot on what motivates
a company's management. Typically,
a company becomes ISO 9001 registered
because it (1) is required to do so by the
customer, (2) wishes to reduce customer
audits by becoming registered to ISO
9001, (3) is more aggressive and feels it
would be more competitive, believing customers
would look more favorably on
suppliers that are registered, (4) thinks
producing a quality product would be more
cost effective and that being ISO registered
would improve quality, (5) wishes to
expand the capability of its business by adopting
broader or more in-depth quality
models, or (6) incorporates a combination
thereof. As quality improvement is a journey
and not a destination, companies are
likely to evolve through several of these
steps as they mature in the pursuit of
quality.
As a result of reasons like these, there
were 561,747 ISO 9000 certificates at the
end of 2002 distributed throughout 159
countries, according to the International
Organization for Standardization (see Note 1) in
Switzerland, which owns ISO 9001 and
other ISO-related standards. While the
worldwide distribution of registrations
changes constantly, a breakdown of the
number of registrations by economic
trading bloc in 2001 shows that approximately
50 percent were in European
countries, 25 percent in Asian countries,
and 9 percent in the United States, with a
rapidly increasing number in smaller
countries who wish to be suppliers to the
larger countries.
I am told during audits, and it is confirmed
in the numerous ISO 9001 surveys
reported, that the benefits of certification
include having documented
processes versus tribal knowledge; being
trained; understanding why things are
done to assist in achieving the company's
goals and objectives; reducing costs due
to scrap, rework, and delay; and overall
buy-in by employees that results in
improved customer focus and participation
in continual improvement.
Companies also find that the registrar's
corrective action process in ISO 9001 is a
valuable addition to their ongoing
improvement program.
Users of the ISO 9001 standard had
goals that were twofold: Reduce the customer's
cost of auditing suppliers, and
reduce the cost of conforming to and
being audited by customers. The maze of
standards significantly added to a company's
cost of business and ability to compete.
For example, a survey in the mid-90s
by members of the ISO/
International Electrotechnical Commission
(IEC) Subcommittee SC7 U.S.
Technical Advisory Group for Software
found more than 500 standards worldwide
for software alone. The numerous
standards resulted in multiple audits of
suppliers to conflicting requirements
resulting in complicated and dissimilar
quality management systems.
While auditing companies in the early
'90s that had complicated quality systems,
I asked how they had developed their
quality management systems. The common
response was that since each auditor
who came through required something
different, they incorporated those
requirements into their quality system
and it simply evolved.
With many governments today retiring
their local standards, ISO 9001 has
served to simplify and standardize the
definition of a quality management system
for both the customer and the supplier.
Through ISO 9001's third-party
auditing process, customer visits are typically
reduced, which reduces costs while
providing confidence that the company
continues to operate in conformance
with a registered quality system.
Companies that aggressively pursue
different industry sectors often obtain
registration to ISO 9001 as a baseline
standard and may then adopt other standards
associated with new business
opportunities. ISO 9001 began as a
one-shoe-fits-all quality system. However,
several industrial sectors have documented
additional specific requirements,
referred to as sector schemes. These
schemes conform to ISO 9001 yet are
required by the particular industry to
demonstrate conformance to their elaboration
on ISO 9001 requirements within
the context of that industry's unique terminology,
processes, and measurements.
The result is incremental improvement
based on the clauses of ISO 9001.
The software industry in the United
Kingdom was the first to develop additional
requirements documented in its
TickIT Guide (see Note 2) and reflected by its notations
on certificates: a tick, ✓, (British for
checkmark), followed by the letters IT
(indicating Information Technology).
This individualized sector scheme was
later followed by other industries and
documented in guides such as National
Quality Assurance-1 for nuclear quality
assurance; ISO 13485 for the U.S. Food
and Drug Administration; Quality
System 9000/Technical Specification
16949:2002 for the quality system in the
United States and technical specification
for the international automotive industry;
Telecommunication Leadership 9000 for
telecommunications; Aerospace Society
9000 for the aerospace standard;
International Safety Management for
marine international safety management;
the FAA-iCMM from the U.S. Federal
Aviation Administration; and ISO 9001
models for education, oil and gas, medical,
and more.
Sector schemes are one way to
improve relative to the performance
maturity model in ISO 9004:2000
Appendix A.2. Continually improving by
adding to and going beyond ISO 9001
with more in-depth quality principles in
maturity models such as the Capability
Maturity Model® (CMM®) not only indicates
maturity to those models' paradigms,
but also increases performance
maturity relative to the ISO 9004 performance
model.
Other process improvements include
incorporating additional quality principles,
enhancing metrics to achieve
objectives with Six Sigma, pursuing
broader excellence standards like
Baldrige, or incorporating the new
Space Systems — Risk Management (see Note 3) ISO
17666:2003 standard. ISO 9001 is flexible
enough to allow a company to blend
sector schemes or maturity model terminology
and process detail that conform
to or exceed ISO 9001 requirements
when creating procedures. Conversely, a
company implementing CMM/CMMI
Level 3 processes finds many generally
similar processes, so it has to add only
relatively few unique clauses from
ISO 9001 to also achieve a blended quality
system. In either case, it is fundamental
to begin with the end in mind in
order to architect the building blocks
(schemes) that will be blended into your
quality management system over time to
facilitate an orderly expansion of its features
to suit the growth strategy of the
company.
Having audited companies in many
industries to ISO 9001 for many years, I
have found that when companies truly
apply ISO 9001, they mature from a
mindset of being forced to do it to wanting
to do it. The result is pride in quality
products and an improved business environment
achieved by truly applying the
process.
Information Needed to Begin
The first thing people in a company need
to know, and the biggest success factor, is
that top management supports and provides
the resources to implement the ISO
9001 quality management system. People
do what top management takes an interest
in, participates in, and can measure.
Companies should gather the information
mentioned in this article, provide
copies of the ISO 9001 standard (at least
to key employees), and provide training
to all employees on the ISO 9001 standard.
They should also obtain the ISO
9000 glossary, ISO 9004 guidance document,
and the free ISO guidance documents
from the ISO/IEC Technical
Committee 176 Subcommittee 2, found
at www.iso.org/iso/en/iso9000-14000/iso9000/transition.html.
Any organization implementing ISO
9001 is encouraged to download this
information so it understands the intention
of the ISO 9001:2000 authors, and it
correctly defines its quality management
system — be skeptical of anyone who
offers contrary advice. The documents
include the following:
- "The Year 2000 Revisions of ISO
9001 and ISO 9004."
- "Transition Planning Guidance for
ISO 9001:2000."
- "Guidance on Outsourced Processes."
- "Guidance on ISO 9001:2000 Clause
1.2 Application."
- "Guidance on the Documentation
Requirements of ISO 9001:2000."
- "Guidance to the Terminology Used
in ISO 9000:2000 Family of
Standards."
Numerous Web sites offer help for
ISO 9001 such as free quality manual
templates found by searching Google.
Such manuals are only a starting point
and must be significantly enhanced to
incorporate the processes, terminology,
and tools used by a particular company.
For example, according to ISO 9001
clause 4.2.2, the quality manual shall
"include or reference procedures and
describe the interaction between the
company's processes."
Be aware that a diagram of the company's
quality management system that
simply copies Figure 1's process diagram
from the ISO 9001:2000 standard instead
of creating an actual process diagram of
your company would not be generally
acceptable to an ISO 9001 registrar. So be
specific as sector schemes are in part the
result of companies failing to voluntarily
create industry-specific versus generic
quality manuals and procedures in the
early years of ISO 9001.
A thorough and honest analysis is a
second success factor. An analysis of
where the company complies with the
standard, and where it needs to take
action to establish compliance must be
done to gain a realistic assessment of
what needs to be accomplished.
A third success factor is to measure
twice for every improvement. Companies
are cautioned to proceed with a step-wise
refinement of their quality system by
establishing and measuring system performance
before making improvements.
Measure, then formalize what conforms,
and add what is missing relative to the
standard, then measure again. Then go on
to reengineer processes and measure
again. This establishes the data for the
analysis required by ISO 9001 and substantiates
the benefits of the quality system.
Do not use ISO 9001 as a club to
force unrelated pet improvement projects
that were not accepted earlier; this is
often a recipe for failure, or at least significant delay in implementation.
Your Starting Contact
A company has to decide how quickly it
wishes to achieve ISO 9001 registration,
and what resources it has to apply to its
effort to become registered. Another critical
success factor is developing in-house
competency by sending key personnel to
an accredited ISO 9001 Lead Auditor
class.
The ISO offers publications for help
in getting started. For small businesses,
the ISO also offers a free publication
"ISO 9001 for Small Businesses" (see Note 4). If a
company wishes to rapidly implement
ISO 9001 and does not immediately have
in-house resources, it may want to contact
a consultant who is independent of
the registrar. The ISO offers a free guide
to selecting a consultant, "How to
Choose a Competent Quality Management
System Consultant" (see Note 5). Remember,
the assessment requires that the company
demonstrate the quality system is suitable
and effective for its business.
The next step is to select a registrar. A
resource to help you make that decision is
"The ISO 9000 Handbook" [1]. Quality
Digest magazine also offers an online list
of registrars at www.qualitydigest.com. When selecting a registrar, begin
with the end in mind. If you know the
company intends to augment its quality
management system with one or more of
the ISO sector quality schemes or the
CMM/CMMI, then consider a registrar
who is also authorized to offer this added
scope of service to ensure consistency.
How Much Time Will It Take?
The time it takes the company to prepare
for the initial audit depends on where it
is in the process of establishing a quality
management system that conforms to
the 31-page ISO 9001:2000 standard,
and the degree of sophistication of its
implementation.
The fundamental framework for estimating
the number of audit days is
defined by the International
Accreditation Forum, Inc. (IAF) (see Note 6) in
"IAF Guidance on the Application of
ISO/IEC Guide 62:1996" (see Note 7). See the
Annex 2 — Auditor Time, "Guide for
Process to Determine Auditor Time For
Initial Audit," and subsequent sections
describing factors that may require more
or less audit time. If a joint assessment is
being performed to multiple standards,
guidelines, or models, ensure that
enough time is allowed to accomplish
both successfully.
The process may start with a preassessment,
which is an optional activity,
preferably done by the person who will
eventually be your auditor. IAF Guide
62 allows value-added assessments that
can identify opportunities for improvement,
but cannot result in recommendations
or advice that would be considered
consulting.
The typical process is an initial audit
that is longer than subsequent surveillances,
as the entire quality system of the
company must be audited. An example
estimate, drawn from IAF Guide 62
Annex 2, would be an audit of 276-425
employees in one location by two auditors
for five days, adjusted per Guide 62.
Subsequent surveillance audits are
semi-annual or annual, depending on the
arrangements and confidence in the
internal audit process of the company,
and incrementally cover different clauses
of the standard. An annual audit is typically
twice as long as a semi-annual audit.
After every audit, the registrar also verifies
the audit report for conformance to
its procedures. Overall, a typical registrar's
contract is for three years, after
which the current requirement is that the
full quality system be re-audited to
assure the overall system's continuing
effectiveness has been maintained.
What Is the Cost?
Each registrar must be contacted separately
as it sets its own day rates, though
market forces tend to make rates somewhat
similar. The cost is typically determined
for the three-year contract, which
can be determined once the audit days
and day rate have been agreed on, plus
any pre-assessments that may be performed
and the number of report
reviews over the three-year period.
Some companies feel that with registration
they have reached their destination
(registration) and seek multi-site
arrangements and bargain for price.
However, remember the audit process is
a journey; the auditor can add value in
identifying opportunities for improvement
as well as nonconformance for
breakdowns or deviant evolution in the
quality system that needs to be pointed
out.
While companies have been known
to perform a detailed cost analysis of
their efforts, surveys of registered companies
have typically shown that when
measurements have been established as
described above, net benefit can be
demonstrated.
Audit Expectations: Before and After
Going into the audit, the company's
quality personnel need to be sure of top
management's commitment to finding
and fixing any issues that may exist.
Evidence is overwhelming that, if these
issues are ignored or not addressed, they
will resurface as even bigger problems
later. This is a critical factor for now and
the future. Top management must reinforce
that identifying problems and
opportunities for improvement is a fundamental
goal of the quality system.
The company must expect to provide
an escort for each auditor and have
arranged a schedule with each auditor
establishing that all processes and
departments identified for audit can be
accommodated in the time available.
When the audit starts, the overall
process is the following:
- Plan the audit with the lead auditor.
- Hold an opening meeting.
- Allow time for initial document
review.
- Conduct numerous interviews.
- Request documents.
- Convene interim feedback sessions
as appropriate.
- Allow time for the auditors to formulate
results and audit reports.
- Hold a closing meeting to present
the findings and the lead auditor's
decision on whether a certificate can
be granted.
Findings that are observations or
non-systemic nonconformance are handled
after the audit. Occasionally an initial
assessment finds systemic failure to
implement clauses of the ISO 9001
standard or the company's own procedures. This will result in a reassessment
to confirm completion of the missing
clauses and a delay in issuing the certificate
until implementation can be verified.
After the audit, the company must
respond in writing to the audit findings
(which may be nonconformance or
observations), receive an acceptance of
the response from the registrar, receive a
certificate, and continue to take the
committed corrective action to prevent
reoccurrence of each finding.
A cycle of surveillance audits, similar
to the initial audit, is then performed to
verify continued compliance with selected
clauses of ISO 9001, as described earlier.
The value-added audits add another
dimension to the improvement process
and help ensure the continued functioning
of the quality system.
It is a natural expectation that the
desire for continual improvement will
cause findings to be resolved.
Occasionally during surveillances, failure
to implement effective corrective action
may result in additional nonconformance;
repeat nonconformance for the
same finding over time may result in
withdrawal of the registration certificate.
All registrars are required to provide
a directory of currently registered companies.
As the directory must be provided
on request, the registered company
will not only be listed in the registrar's
directory but also in several other compilations
of all registrars' directories
available by subscription from publications
such as Quality System Update or
www.qualitydigest.com.
After your company becomes registered
to ISO 9001, you should read
"Publicizing Your ISO 9001:2000 or
ISO 14001 Certification" (see Note 8) so you do not
violate ISO restrictions. The ISO does
not allow registered companies to use
its symbol, often referred to as a mark,
in their advertising or literature.
Registrars often offer the Mark of
Accreditors represented on the registration
certificate given to the registered
company and the Registrar's Mark to
their clients for use in advertising or in
their literature. The Registrar's Marks
must be accompanied by the company's
registration number so customers can
verify the registration's validity. After
registration, contact the registrar to
obtain the marks as well as the restrictions
on their use, which per the IAF
Guide 62 prohibits using the mark on
actual products.
Customers often periodically ask for
copies of the current certificates held by
a subcontractor to verify registration
claims and gain confidence that the
company has a quality system that is
being audited by an independent third-party
registrar's auditor. While many registered
companies display their ISO
9001 and other certificates on their own
Web site, it is more appropriate to verify
that the certificate is current and represents
the current scope of registration
of the registered company through independent
sources.
Independent verification of certificates
by the customer is also necessary,
as registrars have discovered fraudulent
certificates. With more than 500,000 registered
companies worldwide and with
worldwide subcontracting and e-commerce,
the customer must beware.
The registered company must be
aware of the restrictions or charges its
registrar places on the duplication of
certificates, which can become expensive
if it has several locations where it wants to
display the certificate, or if its customers
ask for copies of certificates. Some registrars'
directories are online and may
display the certificate or permit the customer
to print the certificate if the company
is currently registered.
Summary
In summary, being assessed to the most
prevalent standard in use today can
establish the foundation for quality in a
company, achieve more immediate benefits
to the business, establish universal
recognition of a standardized quality
management system, and lay the
groundwork for continued improvement
by expanding to incorporate other quality
techniques, sector schemes, and quality
models.
Reference
1. Peach, Robert W. The ISO 9000
Handbook, Fourth Edition. QSU
Publishing Company, 11 Oct. 2002.
Notes
1. See www.iso.org/iso/en/commcentre/pressreleases/2003/Ref864.html.
2. See www.tickit.org/international.htm.
3. See www.iso.org/iso/en/isoonline.frontpage.
4. See www.iso.org/iso/en/iso9000-14000/basics/basics9000/basics9000_4.html.
5. See www.iso.org/iso/en/commcentre/isobulletin/articles/2001/pdf/qmconsultant0112.pdf.
6. See www.iaf.nu for documentation.
7. See www.accreditationforum.com/guidance.asp under Guidance Documents (GD Series).
8. See www.iso.org/iso/en/iso9000-14000/publicizing/index.html.
About the Author
Robert Vickroy is a
senior auditor for ABS
Quality Evaluations, Inc.,
an ISO registrar for ISO
9001 and sector schemes
and for ISO 14001, and a
Software Engineering Institute
Transition Partner. Previously Vickroy
worked for IBM for 25 years developing
systems and automating processes in all
areas of IBM engineering, manufacturing,
and in software development as programmer,
analyst, and manager of software
development organizations. As an
auditor for TickIT, ISO 9001, ISO
14001 and TL9000, and as a SEI authorized
Capability Maturity Model®
(CMM®) Assessor and CMM
Integration(SM) Appraiser, Vickroy has
assessed more than 300 quality management
systems, specializing in assessing
jointly implemented systems.
Additionally, he achieved the following
certifications: ASQ-CQA, ICCP-CDP,
EDPA-ISACA and ISC2 security auditor,
and he is a trained NQA-1 auditor.
Vickroy has a Bachelor of Arts in computer
science, a Bachelor of Arts in
accounting and economics, and a Master
of Science.
ABS Quality Evaluations, Inc. 16855 Northchase DR Houston, TX 77060
Phone: (281) 877-6485
Fax: (281) 877-6001
E-mail: bvickroy@eagle.org
® Capability Maturity Model, CMM, and CMMI are registered
in the U.S. Patent and Trademark Office by
Carnegie Mellon University.
SM CMM Integration is a service mark of Carnegie Mellon
University.