ISO 9001 Corrective Action Time Window

Schedule, calendar, timeline

Q: We will be audited by a different firm soon to ISO 9001:2008 Quality management systems–Requirements, and I am noticing differences compared to our former auditors.

At the closing of an annual surveillance audit for a three-year certificate if a non-conformance is issued at the closing meeting, what is the expectation of response for:

1. Minor non-conformances

2. Major non-conformances

How many days are expected for the initial response for each?

How many times during the next 12 months should we expect the auditor to come back to the site to verify corrective action for each?

A: Regarding your question about response times for corrective actions, please note the following.

ISO 9001:2008 clause 8.2, Internal audits, does not specify or prescribe any time limits. ISO 9001:2008, clause 8.2.2, only requires the management for the responsible area (process owner) to take corrective action without undue delay. No time limit is identified.

With regard to audit follow up visits — this is strictly dependent upon the registrar or other auditing body. Some auditing bodies will follow up on closed CARs during their next scheduled surveillance audit. This allows enough time to past to evaluate the effectiveness of the corrective action taken.

In most cases, the auditee is required to complete the CAR identifying the root cause and the corrective actions taken to prevent a reoccurrence.

This information is assessed by the auditing body to confirm that a root cause was identified and that action taken match the root cause. This is normally done in the form of a desk review.

Due to the costs involved and other logistics, rarely will any auditing body want to come out to verify each corrective action taken. This is usually something for the internal audit staff to perform as a part of their audit activities.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

For more information on this topic, please visit ASQ’s website.

ISO Standard Audit and Confidential Information

Reviewing confidential files, training records, human resources files

Q: During an external audit, what records are we allowed to keep confidential – e.g. human resources records? Certain records pertaining to new business leads or accounting matters? Specifically, my question is related to audits to the ISO 9001:2008 Quality management systems–Requirements and ISO 13485:2003: Medical devices — Quality management systems — Requirements for regulatory purposes standards.

 A: The “scope” of any audit is the quality management system (QMS) as found in the ISO standard for quality management. Areas such as finance, marketing plans, sales goals, and other business related topics are not part of a QMS audit.

It should be understood that during the audit, potential areas of conflict between the auditor and auditee might exist. The most common is when the auditor wants to see training records and the auditee claims them to be a confidential part of HR records. The auditor need to be a diplomat here and explain that only the training record is needed and not the entire HR record.

Also, it is not uncommon for the auditee to require the auditor to sign a non-disclosure agreement stating that the auditor(s) will keep everything observed during the audit confidential between the parties.

Again, the scope of the audit, usually agreed to ahead of time, is the QMS — not any business related matters.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

What is ANSI/ISO/ASQ Q9001:2008?

ISO documentation practices, requirements

Question

Is there any difference between ANSI/ISO/ASQ Q9001:2008 and ISO 9001:2008? Is it just semantic, or is it ASQ’s take on ISO 9001:2008 Quality management systems–Requirements?

Answer

The ANSI designation shows it has been adopted as an American National Standard (ANS), and that U.S. experts believe the standard is a good one and should be followed by the U.S. Since ASQ is the administrator of the group (known as a Technical Advisory Group/TAG in the standards development world) that develops ISO 9001, we are the only organization allowed to put its name in the designation. ASQ is a member of ANSI and is accredited by them to be a standards-developing organization.

For more about this topic, please visit ASQ’s website.

Value and Benefits of ISO 9001

Q: My company is struggling with the decision to spend any more money on the ISO 9001:2008 Quality management systems–Requirements registration.  How many of our peers believe that the continuation of this certification is worth the cost? I have been trying to find statistics on the number of revised certifications that have been accomplished since the release of the 2008 version and am finding that there is little to no information available.  This leads me to think that the whole agenda has been identified as not a worthwhile cost effective exercise and companies are dropping out of the program.

Does ASQ have any relevant information regarding the “added value” of certification?  I have proposed to my management that the money spent on certification and all the wasted effort to make some auditor happy is not in the best interest of the company and would like your feedback on this position.  I watch as we struggle for 1.5 months before the dreaded audit to make it look like we are compliant, watch the auditor fumble around looking for some minor discrepancies that will make it look like he was worth having in for tea and crumpets and then watch the organization sigh a big relief when we get away with the lack of compliance or caring about compliance for the next two years, as the real task is making money and not wasting time meeting perceived compliance to perceived “requirements”.

The Toyota debacle makes it hard for me to even stand in front of my peers and preach this as useful.  It is clear that the bottom line is dollars and the need to support compliance to some document is merely wasteful effort that has been passed over like all the other historical (hysterical) quality programs—zero defects, statistical process control, total quality management. What do you say?

A: I would like to answer your questions in three part harmony. First of all, I’ll mention a brief history of ISO. Much of this you will be familiar with but it helps to reaffirm the legitimacy of ISO as an international organization rather than just an abbreviation for a place to throw your money. Second, I will express a few of the many benefits of ISO certification. Finally, I will share my own perceptions. Things I have personally witnessed resulting from ISO certification.

History-benefits-perceptions are a three-part harmony which can improve organizations and strengthen communities.

I would like to share a bit about ISO – What it is, as well as what it is not.

So what is ISO?

First of all, let’s consider the letters “ISO.” Because the “International Organization for Standardization” would have different abbreviations in different languages (Like IOS in English, or OIN in French for Organisation International de Normalization), it was decided at the beginning to use a word derived from the Greek isos, meaning “equal.” Therefore, whatever the country, whatever the language, the short form of the organization’s name is always ISO.

ISO is a network of the international standards institutes of 162 nations with a Central Secretariat in Geneva, Switzerland that coordinates the system. The ISO organization officially began in February 1947. ISO is not a governmental organization. It is not like the United Nations System with delegations of national governments. So, although many of ISO’s members are part of the government structure of their countries the members have their roots in industry and the private sector.

Also, ISO is not a quality standard. That is, ISO isn’t a tolerance level we must make parts to. It is not a high quality standard we must meet just to stay in business.

ISO 9001 refers to a type of ISO standard. ISO 9001 is concerned with “quality management.” This means what the organization does to enhance customer satisfaction by meeting customer and any regulatory requirements and to continually improve its performance in this regard.

ISO implementation in any organization introduces the many values of team work as well. I realize those bits of history can seem a bit lengthy but it is of extreme importance to recognize the time and combined efforts put in by so many individuals from so many nations. It is that dedication which helps to make the ISO Standards as useful and beneficial as they have become.

With regard to benefits, the positive reports are almost endless. I will share just a few of which come from reliable sources such as Dun and Bradstreet, Dallas Business Journal, manufacturingnews.com and others.

Simply noted, ISO certified companies reap:

The effect of ISO 9000 certification on financial perfomance

-Improved consistency of service and product performance
-Higher customer satisfaction levels
-Improved customer perception
-Improved productivity and efficiency
-Cost reductions
-Improved communications, morale and job satisfaction
-Competitive advantage and increased marketing and sales

D&B notes:

-85% of registered firms report external benefits
-Higher perceived quality
-Greater customer demand
-95% report internal benefits
-Greater employee awareness
-Increased operational efficiency
-Reduced scrap expense

Other reports note:

-30% reduction in customer claims
-95% improvement in delivery time
-Reduced defects from 3% to 0.5%
-40% reduction in product cycle time
-International acceptance and recognition
-Estimated return on Investment for companies with consistent compliance have been reported +30% to +600%

I could go on with statistics but I am sure you can research and find many more such positive reports. Therefore I will turn now to third member of the harmony I mentioned. That is perception.

The various feedbacks noted above show all of the remarkable “exterior” perceptions. Increased business, customer satisfaction, less downtime, etc. So I will take a moment to mention some things about “internal” perceptions.

It is said that changing a culture can take from several years. Introducing ISO into an organization is indeed introducing a new culture. Individuals are encouraged to do some things they did not and to change some of the habits they have formed.

It has been my experience, with several companies, that the culture change associated with ISO implementation is multilayered. The first and most obvious benefit is quality awareness. The most experienced machinists, fabricators, administrators, all employees suddenly take acquire an appreciation for quality which they did not have, no matter how good they may have been. This quality awareness does not fade away easily. Even those who offer strong resistance to change learn to respect and very much appreciate all the practical value in a good quality management system.

ISO certification does not ensure success. It does not ensure profit. Nonetheless, I have seen companies with little to no quality system grow to be world class quality organizations with the guidance of a strong ISO based QMS.

If failure is experienced, it can be due to lack of understanding on the part of management. They may have failed to act or provide preventive actions when needed. People are often interested in quick and simple solutions and are not willing to practice even simple self-dicipline. Most often, the greater portion of their interests are in getting a certificate to hang on the wall of their office and an addition to their letter head.

I firmly believe, and have witnessed with my own eyes, that following the ISO Standards in implementing a quality management system results in satisfied customers, repeat business, increased profits, satisfied employees and continual improvement. That three part harmony, history-benefits-perceptions, when joined with top management commitment can lead to another benefit not yet mentioned. That is pride.

Bud Salsbury
ASQ Senior Member, CQT,CQI

For more information on this topic, visit ASQ’s website.

Ask A Librarian

Customer Satisfaction and Loyalty

Suppliers, supplier management

Q: Can you give me more information about how organizations gain, measure, and retain customer satisfaction and loyalty?

A: The Quality Improvement Glossary, by Donald L. Siebels, defines customer loyalty/retention as “the result of an organization’s plans, processes, practice, and efforts designed to deliver their services or products in ways which create customer satisfaction so customers are retained and committed to remain loyal”.

ASQ has published extensively in this area. For more on this topic, please visit ASQ’s website

Lean Six Sigma

Reporting, best practices, non-compliance reporting

Q: Can you explain what Lean Six Sigma is to me?  I’ve heard of both lean and Six Sigma as individual concepts, but I’m not quite sure I understand the term Lean Six Sigma.

A: The following concise definition is taken from the book The Certified Six Sigma Black Belt Handbook, 3rd ed. by T.M. Kubiak and Donald W. Benbow (ASQ Quality Press, 2016): “Lean-Six Sigma is a fact-based, data-driven philosophy of improvement that values defect prevention over defect detection. It drives customer satisfaction and bottom-line results by reducing variation, waste, and cycle time, while promoting the use of work standardization and flow, thereby creating a competitive advantage. It applies anywhere variation and waste exist, and every employee should be involved.”

For more information on this topic, visit ASQ’s website.

ISO Documentation Practices; Difference Between Record and Document

 

ISO documentation practices, requirements

Q: Is there a published ISO standard for good documentation practices (e.g., crossing out an error with a single line and initialing and dating; striking through a blank space)?

Thank you.

A: Your question has two parts:

1) Is there a standard?

2) Does it cover the specific practice you cited?

The answers are “yes” and “no.”   🙂

About a decade ago, the ISO Technical Committee (TC) 176 on Quality Management and Quality Assurance started work on a documentation standard. There was (and still is) much confusion in the world about what kind of documents were expected and what should go into them. Of course, most didn’t want to take the time and energy to understand the purpose of documents, much less describe their practices in a site-specific manual. How sad. The output of the ISO/TC 176 work was a Technical Report: ISO/TR 10013:2001 – Guidelines for quality management system documentation. Frankly, however, I do not think it will address your question.

First of all, documents and records are often confused. Even though the ISO terms and definitions standard (ANSI/ISO/ASQ 9000:2005 Quality management systems — Fundamentals and vocabulary) parks them both under the word document, it is good practice to always think document=before, and record=after.

In other words, a document tells us what to do. A record tells us what was done. Many people, not understanding this principle, have actually tried to place records under configuration control!

The record-keeping practices you cited — crossing out an error and marking in a blank space — have their origin in the early military practices of the 1950s! Back then, there were no computers, internet or even ISO standards. There was also much more falsification of information back then, as we treated the workers with little or no respect.

The practices you cite were attempts to make sure that the data entered on a record wasn’t changed. Those practices just kind of hung on for half a century. In my 40 years in the quality profession, I have never seen these “rules” written down in an external document, like a regulation or standard or policy. Sure, individual organizations have required these practices through their local Standard Operating Procedures, but I am pretty sure they are not published in higher-level documents.

With automation and networking, records are becoming much more virtual. Paper records are becoming a thing of the past. Security and protection of those electronic records is a much bigger problem than when they were all on dead trees.

Follow-up from expert: Doing some further research (for an upcoming class), I discovered that ISO/IEC 17025:2005 General requirements for the competence of testing and calibration laboratories, contains a clause about records correction, 4.13.2.3. In general, the clause says all alterations must be visible (not erased, blacked out, or deleted), and all changes must be signed or initialed by the person making the change. Equivalent measures should be taken in the case of electronic records.

I don’t know why I didn’t think of this standard earlier, however, my earlier remarks about this coming from the 1950s practices B.C. (before computers) still stand.

Dennis Arter
ASQ Fellow
The Audit Guy
Columbia Audit Resources
Kennewick, WA
http://auditguy.net

For more about this topic, please visit ASQ’s website.

ISO 9001 Implementation Guidance

The effect of ISO 9000 certification on financial perfomance

Q: I am directing a ground floor implementation effort to become certified to the ISO 9001:2008 Quality management systems–Requirements. I work for a small manufacturing company (less than 20 employees). Is there a quality management system (QMS) or ISO template product that I could use to help guide this process? Something with generic formats and outlines that I could customize and populate with our information. Or do I need to create from scratch all QMS and ISO supporting documents?  In practice, we currently have no documentation.

A: Please navigate these waters carefully.  There are several “do it yourself” type packages out there. Unfortunately, many of them don’t go far enough to provide a functional system unless the end user already has a thorough working knowledge of quality management systems (QMS). Therefore, as a quality professional, I hesitate to recommend this approach.

In order to establish an ISO 9001:2008 QMS capable of obtaining third-party certification, you will need to prepare a quality manual, a quality policy, define your organizations quality objectives, develop the six required QMS procedures, which as a minimum include:

1.    Control of documents
2.    Control of records
3.    Control of nonconforming product
4.    Internal audits
5.    Corrective actions
6.    Preventive actions

The reference books from ASQ should contain some examples of the documents mentioned.  Once these QMS documents are established, you will need to orient the organization to the requirements of the QMS, explain how each employee contributes to achieving the quality objectives, and ensure that the quality policy is communicated throughout the organization and is understood.  An internal audit will also be required to assess the effectiveness of the QMS once it has been implemented.

A management review will be required to ensure that top management is aware of input items mentioned in ISO 9001:2008, clause 5.6.2 and that they take action as needed to ensure the effectiveness and continual improvement of the QMS. These items should be completed prior to scheduling your registrar’s onsite pre-assessment for certification.  We wish you every success with your QMS project.  Please contact us if you would like to discuss this matter in more detail or require any support.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

For more on this topic, please visit ASQ’s website.

ISO 9001:2008 Impact on ISO 13485:2003

ISO 13485, medical devices, medical device manufacturing

Q: Why does Annex B of ISO 13485:2003: Medical devices — Quality management systems — Requirements for regulatory purposes address ISO 9001:2000?

Shouldn’t it be ISO 9001:2008 Quality management systems–Requirements?

A: ISO 9001 is “controlled” by Technical Committee (TC) 176 while ISO 13485 is “controlled” by TC 210. They are two separate, independent technical committees that write and revise standards.

ISO 13485:2003 is founded on ISO 9001:2000, with additional requirements added for the medical device industry. In other words, ISO 13485:2003 is ISO 9001:2000 (but with the requirement for “continual improvement” removed) and additional requirements for the medical device industry

When TC 176 revised ISO 9001 in 2008,  TC 210 decided not to make a change to ISO 13485 because ISO 9001 requirements didn’t change substantially.   It is important to note that many governments such as Health Canada have adopted ISO 13485:2003 as their law or have their medical device law based on 13485:2003. Many medical device companies today get ISO 13485:2003 registered and have dropped ISO 9001:2008 altogether as not being necessary.

By the way, TC 210 issued a technical corrigendum to ISO 13485:2003 in August of 2009 correcting its reference to “ISO 9001” to “ISO 9001:2000” to make this clear.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

For more on this topic, please visit ASQ’s website.

ISO 9001 Quality Manual

ISO documentation practices, requirements

Q: My small company is forcing me in the direction of using flowcharts to specify ISO standards. With their many branch statements, they are convoluted and confusing. I prefer plain, simple English. But my question is: is it ok to use flowcharts to specify ISO 9001 standards?

A: Actually, as long as you do not intend to become registered (also called certified), you can – and probably should – implement the ISO 9001:2008 Quality management systems–Requirements standard any way you want! I happen to like flowcharts, as long as they are limited to one page and fewer than a dozen boxes.

But if you intend to become registered, the registrar you choose will always require you to explain how you are implementing the concepts contained in ISO 9001.  Most firms choose to call this explanation document a quality manual. You do not repeat the words in the ISO 9001, rather you say how you intend to implement the concepts locally. A manual should be site-specific and about 50-60 pages. Some have written them in 20 pages.

Once you have the framework (manual) in place for the system, then you need to write procedures for the processes. Remember, procedures are job performance aids for an already-trained and qualified person. They should be about five to six pages, since the individual already knows how to perform the tasks.

The powers that be in your company want these procedures to be in the form of flowcharts. That’s OK, as long as you have explained this in your manual. The registration company accepts your manual before they ever send an auditor to your site. If they have accepted your description of flowcharts instead of procedures, then the auditor must accept that approach.

The whole point is to provide information to the person doing the job in a way that is useful. Written standard operating procedures (SOPs), or flowcharts, or pictures. It is the implementation that matters.

Dennis Arter
ASQ Fellow
The Audit Guy
Columbia Audit Resources
Kennewick, WA
http://auditguy.net

For more on this topic, please visit ASQ’s website.