Saturday, December 24, 2011

ISO 9001 Standard - ISO 9001:2008 Standards

Friday, October 9, 2009

Quality Management

There are two schools of thought on quality management. One views quality
management as the management of success and the other the elimination of
failure. They are both valid. Each approaches the subject from a different
angle:

The ‘success’ school is characterized by five questions (Hoyle, David and
Thompson, John, 2001)3 :
1 What are you trying to do?
2 How do you make it happen?
3 How do you know it’s right?
4 How do you know it’s the best way of doing it?
5 How do you know it’s the right thing to do?

The ‘failure elimination’ school is characterized by five different questions
1 How do you know what is needed?
2 What could affect your ability to do it right?
3 What checks are made to verify achievement?
4 How do you ensure the integrity of these checks?
5 What action is taken to prevent a recurrence of failure?

In an ideal world, if we could design products, services and processes that
could not fail we would have achieved the ultimate goal. Success means not
only that products, services and processes fulfil their function but also that the
function is what customers’ desire. Failure means not only that products,
services and processes would fail to fulfil their function but also that their
function was not what customers desired. A gold-plated mousetrap that does
not fail is not a success if no one needs a gold-plated mousetrap!
The introductory clause of ISO 9001:1994 contained a statement that the aim
of the requirements is to achieve customer satisfaction by prevention of
nonconformities. (This was indicative of the failure school of thought.) The
introductory clause of ISO 9001:2000 contains a statement that the aim is to
enhance customer satisfaction through the effective application of the quality
management system and the assurance of conformity to customer and
applicable regulatory requirements. (This is indicative of the success school of
thought.)

In reality you cannot be successful unless you know of the risks you are
taking and plan to eliminate, reduce or control them. A unification of these
approaches is what is therefore needed for organizations to achieve, sustain
and improve quality. You therefore need to approach the achievement of
quality from two different angles and answer two questions. What do we need
to do to succeed and what do we need to do to prevent failure?

Quality does not appear by chance, or if it does it may not be repeated. One
has to design quality into the products and services. It has often been said that
one cannot inspect quality into a product. A product remains the same after
inspection as it did before, so no amount of inspection will change the quality
of the product. However, what inspection does is measure quality in a way that
allows us to make decisions on whether or not to release a piece of work. Work
that passes inspection should be quality work but inspection unfortunately is
not 100% reliable. Most inspection relies on human judgement and this can be
affected by many factors, some of which are outside our control (such as the
private life, health or mood of the inspector). We may also fail to predict the
effect that our decisions have on others. Sometimes we go to great lengths in
preparing organization changes and find to our surprise that we neglected
something or underestimated the effect of something. We therefore need other
means to deliver quality products – we have to adopt practices that enable us
to achieve our objectives while preventing failures from occurring.

Quality Management

There are two schools of thought on quality management. One views quality
management as the management of success and the other the elimination of
failure. They are both valid. Each approaches the subject from a different
angle:

The ‘success’ school is characterized by five questions (Hoyle, David and
Thompson, John, 2001)3 :
1 What are you trying to do?
2 How do you make it happen?
3 How do you know it’s right?
4 How do you know it’s the best way of doing it?
5 How do you know it’s the right thing to do?

The ‘failure elimination’ school is characterized by five different questions
1 How do you know what is needed?
2 What could affect your ability to do it right?
3 What checks are made to verify achievement?
4 How do you ensure the integrity of these checks?
5 What action is taken to prevent a recurrence of failure?

In an ideal world, if we could design products, services and processes that
could not fail we would have achieved the ultimate goal. Success means not
only that products, services and processes fulfil their function but also that the
function is what customers’ desire. Failure means not only that products,
services and processes would fail to fulfil their function but also that their
function was not what customers desired. A gold-plated mousetrap that does
not fail is not a success if no one needs a gold-plated mousetrap!
The introductory clause of ISO 9001:1994 contained a statement that the aim
of the requirements is to achieve customer satisfaction by prevention of
nonconformities. (This was indicative of the failure school of thought.) The
introductory clause of ISO 9001:2000 contains a statement that the aim is to
enhance customer satisfaction through the effective application of the quality
management system and the assurance of conformity to customer and
applicable regulatory requirements. (This is indicative of the success school of
thought.)

In reality you cannot be successful unless you know of the risks you are
taking and plan to eliminate, reduce or control them. A unification of these
approaches is what is therefore needed for organizations to achieve, sustain
and improve quality. You therefore need to approach the achievement of
quality from two different angles and answer two questions. What do we need
to do to succeed and what do we need to do to prevent failure?

Quality does not appear by chance, or if it does it may not be repeated. One
has to design quality into the products and services. It has often been said that
one cannot inspect quality into a product. A product remains the same after
inspection as it did before, so no amount of inspection will change the quality
of the product. However, what inspection does is measure quality in a way that
allows us to make decisions on whether or not to release a piece of work. Work
that passes inspection should be quality work but inspection unfortunately is
not 100% reliable. Most inspection relies on human judgement and this can be
affected by many factors, some of which are outside our control (such as the
private life, health or mood of the inspector). We may also fail to predict the
effect that our decisions have on others. Sometimes we go to great lengths in
preparing organization changes and find to our surprise that we neglected
something or underestimated the effect of something. We therefore need other
means to deliver quality products – we have to adopt practices that enable us
to achieve our objectives while preventing failures from occurring.

Establishing a ISO 9001 records procedure

ISO 9001:2008 Documentation Requirements
ISO 9001:2008 clause 4.1 General requirements requires an organization to “establish, document, implement, and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard”
ISO 9001:2008 Clause 4.2.1 General explains that the quality management system documentation shall include:
documented statements of a quality policy and quality objectives;
a quality manual
documented procedures required by this International Standard
documents needed by the organization to ensure the effective planning, operation and control of its processes, and
records required by this International Standard;
The notes after Clause 4.2 make it clear that where the standard specifically requires a “documented procedure”, the procedure has to be established, documented, implemented and maintained. It also emphasizes that the extent of the QMS documentation may differ from one organization to another due to:
the size of organization and type of activities;
the complexity of processes and their interactions, and
the competence of personnel.
All the documents that form part of the QMS have to be controlled in accordance with clause 4.2.3 of ISO 9001:2008, or, for the particular case of records, according to clause 4.2.4.
Guidance on Clause 4.2 of ISO 9001:2008
The following comments are intended to assist users of ISO 9001:2008 in understanding the intent of the general documentation requirements of the International Standard.
a) Documented statements of a quality policy and objectives:
Requirements for the quality policy are defined in clause 5.3 of ISO 9001:2008. The documented quality policy has to be controlled according to the requirements of clause 4.2.3.Note: Organizations that are revising their quality policy for the first time, or in order to meet the amended requirements in ISO 9001:2008, should pay particular attention to clause 4.2.3 (c), (d) and (g).
Requirements for quality objectives are defined in clause 5.4.1 of ISO 9001:2008. These documented quality objectives are also subject to the document control requirements of clause 4.2.3.
b) Quality Manual:
Clause 4.2.2 of ISO 9001:2008 specifies the minimum content for a quality manual. The format and structure of the manual is a decision for each organization, and will depend on the organization’s size, culture and complexity. Some organizations may choose to use the quality manual for other purposes besides that of simply documenting the QMS
A small organization may find it appropriate to include the description of its entire QMS within a single manual, including all the documented procedures required by the standard.
Large, multi-national organizations may need several manuals at the global, national or regional level, and a more complex hierarchy of documentation.
The quality manual is a document that has to be controlled in accordance with the requirements of clause 4.2.3.
c) Documented procedures:
ISO 9001:2008 specifically requires the organization to have “documented procedures” for the following six activities:4.2.3 Control of documents4.2.4 Control of records8.2.2 Internal audit8.3 Control of nonconforming product8.5.2 Corrective action8.5.3 Preventive action
These documented procedures have to be controlled in accordance with the requirements of clause 4.2.3
Some organizations may find it convenient to combine the procedure for several activities into a single documented procedure (for example, corrective action and preventive action). Others may choose to document a given activity by using more than one documented procedure (for example, internal audits). Both are acceptable.
Some organizations (particularly larger organizations, or those with more complex processes) may require additional documented procedures (particularly those relating to product realization processes) to implement an effective QMS.
Other organizations may require additional procedures, but the size and/or culture of the organization could enable these to be effectively implemented without necessarily being documented. However, in order to demonstrate compliance with ISO 9001:2008, the organization has to be able to provide objective evidence (not necessarily documented) that its QMS has been effectively implemented.
d) Documents needed by the organization to ensure the effective planning, operation and control of its processes:
In order for an organization to demonstrate the effective implementation of its QMS, it may be necessary to develop documents other than documented procedures. However, the only documents specifically mentioned in ISO 9001:2008 are:- Quality policy (clause 4.2.1.a)- Quality objectives (clause 4.2.1.a)- Quality manual (clause 4.2.1.b)
There are several requirements of ISO 9001:2008 where an organization could add value to its QMS and demonstrate conformity by the preparation of other documents, even though the standard does not specifically require them. Examples may include:- Process maps, process flow charts and/or process descriptions- Organization charts- Specifications- Work and/or test instructions- Documents containing internal communications- Production schedules- Approved supplier lists- Test and inspection plans- Quality plans
All such documents have to be controlled in accordance with the requirements of clause 4.2.3 and/or 4.2.4, as applicable
e) Records:
Examples of records specifically required by ISO 9001:2008 are presented in Annex B.
Organizations are free to develop other records that may be needed to demonstrate conformity of their processes, products and quality management system.
Requirements for the control of records are different from those for other documents, and all records have to be controlled according to those of clause 4.2.4 of ISO 9001:2008.

Establishing a ISO 9001 records procedure

The standard requires records to remain legible, readily
identifiable and retrievable and that a procedure defines
the controls needed for the identification, storage,
protec- tion, retrieval, retention time and disposition of records.
Records have a life cycle. They are generated during
which time they acquire an identity and are then
assigned for storage for a prescribed period. During
use and storage they need to be protected from
inadvertent or malicious destruction and as they
may be required to support current activities or
investigations, they need to be brought out of storage
quickly. When their usefulness has lapsed, a decision is made as to whether to
retain them further or to destroy them.
Readily retrievable means that records can be obtained on demand within a
reasonable period (hours not days or weeks) Readily identifiable means that
the identity can be discerned at a glance.
Although the requirement implies a single procedure, several may be
necessary because there are several unconnected tasks to perform. A procedure
cannot in fact ensure a result. It may prescribe a course of action which if
followed may lead to the correct result, but it is the process that ensures the
result not the procedure.
The revised requirement omits several aspects covered in clause 4.16 of the
1994 version.
Collection of records is now addressed by Analysis of data (clause 8.4)
Indexing of records is a specific form of identification and is therefore
already addressed
Access is now addressed by the requirement for record retrieval
Filing is a specific form of storage and is therefore already addressed
You may only need one procedure which covers all the requirements but this
is not always practical. The provisions you make for specific records should be
included in the documentation for controlling the activity being recorded. For
example, provisions for inspection records should be included in the inspection
procedures; provisions for design review records should be included in the
design review procedure. Within such procedures you should provide the
forms (or content requirement for the records), the identification, collection/
submission provisions, the indexing and filing provisions. It may be more
practical to cover the storage, disposal and retention provisions in separate
procedures because they may not be type-dependent. Where each department
retains their own records, these provisions may vary and therefore warrant
separate procedures.
Unlike prescriptive documents, records may contain handwritten elements and
therefore it is important that the handwriting is legible. If this becomes a
problem, you either improve discipline or consider electronic data capture.
Records also become soiled in a workshop environment so may need to be
protected to remain legible. With electronically captured data, legibility is often
not a problem. However, photographs and other scanned images may not
transfer as well as the original and lose detail so care has to be taken in
selecting appropriate equipment for this task.
Whatever the records, they should carry some
identification in order that you can determine what
they are, what kind of information they record and
what they relate to. A simple way of doing this is to
give each record a reference number and a name or
title in a prominent location on the record.

1994 –2000 Differences

Previously the standard
covered retrieval in four
ways. It required:
(a) that quality records be

made available for
evaluation by the
customer or his
representative for an
agreed period, where
agreed contractually

Records can take various forms – reports contain-

ing narrative, computer data, and forms containing
data in boxes, graphs, tables, lists and many others.
Where forms are used to collect data, they should
carry a form number and name as their identifica-
tion. When completed they should carry a serial
number to give each a separate identity. Records
should also be traceable to the product or service
they represent and this can be achieved either within
the reference number or separately, provided that the
chance of mistaken identity is eliminated. The
standard does not require records to be identifiable
to the product involved but unless you do make such
provision you will not be able to access the pertinent
records or demonstrate conformance to specified
requirements.

Retention of ISO 9001 records

It is important that records are not destroyed before their useful life is over.
There are several factors to consider when determining the retention time for
records.

The duration of the contract – some records are only of value whilst the
contract is in force.

The life of the product – access to the records will probably not be needed for
some considerable time, possibly long after the contract has closed. On
defence contracts the contractor has to keep records for up to 20 years and
for product liability purposes, in the worst-case situation (taking account of
appeals) you could be asked to produce records up to 17 years after you
made the produc
The period between management system assessments – assessors may wish to see
evidence that corrective actions from the last assessment were taken. If the
period of assessment is three years and you dispose of the evidence after 2
years, you will have some difficulty in convincing the assessor that you
corrected the deficiency.
While the ISO 9001 requirement applies only to records, you may also need to
retain tools, jigs, fixtures, test software – in fact anything that is needed to repair
or reproduce equipment in order to honour your long-term commitments.
Should the customer specify a retention period greater than what you
prescribe in your procedures, special provisions will need to be made and this
is a potential area of risk. Customers may choose not to specify a particular
time and require you to seek approval before destruction. Any contract that
requires you to do something different creates a problem in conveying the
requirements to those who are to implement them. The simple solution is to
persuade your customer to accept your policy. You may not want to change
your procedures for one contract. If you can’t change the contract, the only
alternative is to issue special instructions. You may be better off storing the
records in a special contract store away from the normal store or alternatively
attach special labels to the files to alert the people looking after the archives.

Retention of ISO 9001 records

It is important that records are not destroyed before their useful life is over.
There are several factors to consider when determining the retention time for
records.

The duration of the contract – some records are only of value whilst the
contract is in force.

The life of the product – access to the records will probably not be needed for
some considerable time, possibly long after the contract has closed. On
defence contracts the contractor has to keep records for up to 20 years and
for product liability purposes, in the worst-case situation (taking account of
appeals) you could be asked to produce records up to 17 years after you
made the produc
The period between management system assessments – assessors may wish to see
evidence that corrective actions from the last assessment were taken. If the
period of assessment is three years and you dispose of the evidence after 2
years, you will have some difficulty in convincing the assessor that you
corrected the deficiency.
While the ISO 9001 requirement applies only to records, you may also need to
retain tools, jigs, fixtures, test software – in fact anything that is needed to repair
or reproduce equipment in order to honour your long-term commitments.
Should the customer specify a retention period greater than what you
prescribe in your procedures, special provisions will need to be made and this
is a potential area of risk. Customers may choose not to specify a particular
time and require you to seek approval before destruction. Any contract that
requires you to do something different creates a problem in conveying the
requirements to those who are to implement them. The simple solution is to
persuade your customer to accept your policy. You may not want to change
your procedures for one contract. If you can’t change the contract, the only
alternative is to issue special instructions. You may be better off storing the
records in a special contract store away from the normal store or alternatively
attach special labels to the files to alert the people looking after the archives.