Frequently Asked Questions
THE HISTORY OF ISO 9000
- Why ISO 9000?
- Who or what is "ISO"?
- What is the ISO organization, and where are they?
- What is ISO 9003?
- What are ISO 9004 and ISO 8402?
- What are ISO 9000 management systems?
- What does ISO do for my operation?
- What does quality management system documentation look like?
- What is in a quality management system?
- What is third-party registration?
- What happens during an audit?
- What sort of things do audits usually find?
- How much does it cost to become Registered?
- How long does it take to get Registered?
- Why do I need to become Registered?
- Is it better to have training done in-house, or at a public program?
- Where can I find information on Registrars?
Q: Why ISO 9000?
A:The ISO 9000 management system standards were developed during the 1980s. They were derived from many similar individual national standards around the world which had been developed from about 1970 onwards. Neighbors in Canada had their Z299 standards, the Australians had AS3900, and here in the US, the nuclear industry had the NQA-1 standard. The defense industry had been using similar standards for years – many will be familiar with MIL-Q-9858A.
Probably the best recognized nondefense management system initiative was established in the United Kingdom in 1983 when the British government created the National Accreditation Council for Certification Bodies, now the National Accreditation of Certification Bodies (NACB). This was created to monitor the activities of companies like BSi, Lloyds and BVQi performing third-party audits on management systems implemented by British businesses using the British standard for quality management systems, known as BS5750:1979. BS5750 became one of the strongest models reviewed by the international committees of the International Organization for Standardization as they started to develop the ISO 9000 standards.
The ISO 9000 standards were first issued in 1987, reissued in 1994 and again in 2000. They rapidly became very popular, and have now been adopted by over 180 nations worldwide, including every major trading partner of the US and the European Community. For any organization seeking an internationally recognized model for management systems, here is the perfect answer. Not only are the standards already written, but thousands of companies have implemented them successfully, achieving third-party certification to prove it. In addition, many customers are starting to look for ISO certification from those with whom they choose to do business.
Q: Who or what is "ISO"?
A: Actually, no one. The ISO in ISO 9000 comes from the Greek, and means "the same as." It is the same prefix as is found in the word "isobar" meaning a line on a weather map which connects areas where the air pressure is all the same.
Q: What is the ISO organization, and where are they?
A: Many people from many countries all over the world. The ISO standards are published by the International Organization for Standardization, which has its offices in Geneva, Switzerland. It is a small office, with very few permanent staff. Its sole function is to coordinate the activities of a whole lot of committees, called Technical Committees (TCs), and publish their work when it is completed. Individual countries then decide whether or not to use the standards that the International Organization for Standardization publishes.
The ISO 9000 standards were written by TC 176, which has a wide representation from many countries including the US, and they have been adopted by the national standards organizations of countries worldwide. When a national standards body "adopts" an ISO document, it usually gives it a national number – hence, in the UK the ISO 9000 standards are called BS5750, in the European Community they are the EN29000 standards.
Why ISO 9000?
- Developed during the 1980s
- Followed on from many similar quality standards around the world
- Similar to the highly successful BS5750:1979 management system initiative.
- The standard has been around - ISO 9000 standards were first issued in 1987, reissued in 1994.
- Now adopted by over 181 nations
- Every major trading partner of the US and the EC recognizes and is using ISO 9000
- Many customers now prefer ISO 9000 certified suppliers
Q: What is ISO 9003?
A: There are relatively few companies whose customers will be assured of anything from an ISO 9003 system, although the 1994 version of that standard is much more comprehensive than the original 1987 one. ISO 9003 covers those operations where the assurance given to the customer comes only from the company's inspection and test activities. This standard applies to relatively few companies, and in many countries it is hardly used.
Q: What are ISO 9000 and ISO 9004 used for?
A: ISO 9000 has a couple of functions. It starts out with a section which explains what a management system is all about and some of the concepts of management systems. The second part of ISO 9000 consists of a vocabulary used within the quality profession which has certain meanings and interpretations which can be a little different than normal colloquial English. This is a very useful document, as it ensures that the people writing management systems and the people auditing them understand each other. The standard used for the actual management system requirements is ISO 9001. This standard covers everything from initial sales enquiry to post-delivery contractual issues. Companies can exclude certain limited requirements, for example whether or not they perform design activity on that product – in other words their scope of activity includes the design of their products.
The business scope chosen for certification need not embrace all the company's activities, but it should cover the essential core businesses which are associated with one or more deliverables. It is not uncommon for a large organization to undertake its ISO program in a product- or process-specific manner. Remember that the management system which will be audited for certification must cover all of the essentials of the ISO 9001 standard across all of the activities which impact upon the deliverables included in the scope statement.
Q: What are ISO 9000 management systems?
A: A management system is a collection of resources comprising capital, people, processes and procedures which ensures that a customer's requirements for quality are met by the organization supplying the product or service involved. To really make sense of that statement, it is necessary to understand what is meant by "quality" in the ISO 9000 context.
Quality is not goodness, scale or niceness. Quality is more narrowly perceived as conformance to defined specifications in terms of performance, price and delivery. The technique used to achieve that conformance is called quality assurance or quality management – hence, the term "quality management system." The system is a means whereby the organization's management can plan what they are trying to achieve in terms of delivering a quality product to their customers, plan how they should fulfill that intent, and provide everyone involved with the tools, techniques, training and instruction necessary to fulfill their tasks efficiently and effectively.
Some companies have the luxury of their customers telling them precisely what they want, and then they go about the design and build work. Many other companies start on more difficult ground, and one of the first things that they have to do is to figure out what their customer wants – in other words, they have to develop the specification for the deliverable.
This activity embraces the concept sometimes called "the voice of the customer" – listening to end-user feedback – as well as addressing the need to comply with today's regulatory requirements, anticipate what new regulations may be in force when the product is ready for sale, take note of what the competition is doing now and what they may be doing down the road, guess where client taste is likely to be by the time the deliverable hits the streets. For some organizations, all this has to be done on a global scale.
Once the design is determined, the organization then has to create the production process, purchase materials, arrange delivery processes, handle orders and all of the million and one other details which go into the successful development, manufacturing and delivering of a product or service to the customer. A management system is the series of processes and methods whereby all this is done; an ISO 9000 system is one based upon the precepts of the ISO 9000 Series of Standards, and that framework has been found to be extremely effective in improving the operational activities of many companies.
Q: What does ISO do for my operation?
A: From a marketing point of view, achieving ISO 9001 registration makes it easier to access certain markets to obtain or to bid on contracts. It demonstrates that the company has a structured, formal methodology by which it conducts its business, which has been reviewed by an independent third party and found to meet the needs of ISO 9001. At a very practical level, it will help to ensure that any major customer who prefers to deal with ISO 9001 registered companies will look to your company for the fulfillment of their needs. It will send a powerful message about the organization's commitment to excellence.
The company benefits in a number of ways. The opportunity which ISO 9001 implementation provides to reexamine and review operational methods and techniques usually results in increased efficiencies.
The formal documentation of methods and practices leads to much greater consistency in the manner in which any company works, and the documentation which will be required will also result in an enhanced training and awareness process for new staff coming into the company.
The process of ISO 9001 implementation causes an organization to not only reexamine its internal workings as they are documented, but also to review and study its linkages – within the company and outside the company. This frequently results in a better definition of interfaces, with improved communications, less errors and smoother functioning.
Q: What does quality management system documentation look like?
A: The best systems look simple. Clear, concise, well-written documentation is essential if the system is to work properly. Documents should be short – no one reads long ones.
Documents should be accessible – if people can get at them easily, they will be more likely to use them.
Documents should be written to be used by people who have the training, background and experience of the usual person employed to perform the task – they shouldn't be written for the person on the street.
Documents should reflect reality – write about what actually happens, not what could happen in the ideal world.
Documents should be written by the people who are going to use them, not by an external "expert" or a professional writer. He or she may know how to write, but will never know the process as well as the people who do it every day. Also, consultants may assist in the preparation of documentation, they should not dictate the control of the process involved.
Q: What is in a quality management system?
A: The typical system has three tiers of documents and a foundation of records. It is often shown as a triangle, with a quality manual at the top, management operating procedures at the second tier and work instructions on the third. There should be linkage between the tiers to enable readers to navigate their way through the system and find the documents they need and the records associated with those documents.
Very large and complex operations will often have more than one layer of system manuals and procedures. The top level may be a corporate quality manual and procedures, with divisional level manuals and procedures below that, and finally, functional plant level documentation. Each has to link to those above and below it, and should support the overall quality policy of the organization. This should be declared at the highest level.
Q: What is third-party registration?
A: The registration (or certification) process involves an external organization auditing your company's activities and processes against the requirements of ISO 9001 and your documented management system. The audit process is limited to the scope of the business activities being audited, as agreed in advance with the registrar.
One of the most important factors in determining which registrar to use is ensuring that the registrar has properly accredited scope for your business. This is determined by the process whereby a registrar becomes a properly accredited organization. No company should use a registrar which is not part of this system, as the resulting certificate will be next to useless.
Q: What happens during an audit?
A: The audit process is divided into two major activities. The first being the adequacy or desk audit, the second is the compliance audit. During the desk audit, auditors compare the company's documented system with the requirements of the standard. They are looking for the system to meet the fundamentals of the requirements. This initial audit produces an audit report, and as a result of this audit report – assuming all is well – the decision is made to proceed with the second part of the audit.
During the compliance audit, auditors are on site talking to staff, asking questions about what they do and how they do it, what documents they have to use, what records they maintain, and who has all this stuff.
During the course of the audit, questions are asked of staff at all levels in the organization. The auditors will be following a predetermined plan, an advance copy of which will be given to the area's management representative. Each auditor is accompanied by a guide whose job is to escort the individual from place to place, and to help the auditor identify to whom they need to speak about the issues they want to examine. Answer questions honestly, but only answer what is asked.
Lots of notes are taken during the audit – these are the audit findings. Most of what the auditor writes down will be about activities that they have found to be conforming with the standard and the documented system. Some will be things that are not right, and these may become audit nonconformities by the end of the process. Everything that is reported as a nonconformity will be supported by "objective evidence" – in other words, the auditor has to be able to reference a clear requirement of either the standard or the management system which is not being followed in order to write a nonconformance. Findings are witnessed by the guide signing off on them.
At the end of the audit, the audit team will decide what they want to report and what they do not. This results in the audit report and findings which are issued to the company, together with the decision as to whether the system is regarded as acceptable or not.
Every area of the company can expect to receive nonconformities. The site being audited may contain many hundreds, even thousands, of people, documents, instruments needing to be calibrated, stock items and materials and so on. The auditors are likely to find a few things out of place in every facility – and it doesn't matter if they do. A number of minor nonconformities will not impact the ability of any company to achieve certification.
The auditors will assess the overall effectiveness of the system. The key issues which the auditors will be reviewing and seeking objective evidence of comformance for are these:
During the internal audit training, which all companies implementing ISO will need at some stage, the trainee auditors will learn more about what to look for and how to evaluate the significance of an individual finding. That information will be utilized in the operation of the internal audit program and should help resolve a lot of these issues for the staff. The audit is nothing to fear – it is a collaborative, cooperative process... and you are the customer.
- Are all the required elements of ISO 9001 in place?
- Is there clear evidence that staff know their role in operating the system?
- Are records generated as required and stored properly?
- Is the internal audit process robust and effective?
- Is there an adequately resourced and effective corrective and preventive action program in place?
- Is the management review process solid and operating effectively?
Once the main audit is successfully completed, you will encounter surveillance audits on a regular basis – probably about every six months. On a sample basis, auditors will revisit various parts of the company for short follow-up audits to ensure that the system remains fully operational. These surveillance audits will usually encompass a sample of activities, typically one or two elements of the ISO 9001 standard will be addressed in addition to the mainstream elements. There are three subjects which typically get audited every time the auditors come around. These are:
5.6 Management Review
The internal audit activity, and the records it generates, tells the registrar if the system is operating successfully in between surveillance audits and is driving continuous improvement.
The records of this process demonstrate that the system is being properly and effectively maintained;
8.2.1 Customer Satisfaction
This element demonstrates that the organization is taking steps to understand how it is seen by its customers.
8.2.2 Internal Audit
This shows that the system is continually under review by the organization and its' management.
8.5.1 Continual Improvement
Provides evidence that the management system is providing the organization with measureable improvements in products or services, processes and systems.
8.5.2 and 8.5.3 Corrective and Preventive Action
Demonstrates that the organization is reacting to problems and identifies through either product, process or system review activities.
A good corrective and preventive action process means that the system is being highly reactive and proactive to continuously improve.
Probably the biggest change which occurs as a result of the ISO 9001 implementation is the initiation of the internal management system audit process. This is one of the most powerful tools a company can use for driving continuous improvement – it also happens to be the one which costs the least. An effective internal audit process also enables management to measure its own effectiveness in controlling the operation of the company in the manner intended.
Constant review of the workings of the management system reveal opportunities for improvement in the system, in the training of personnel, and in overall process control. Along with management review, the effective maintenance of the internal audit program is a vital part of the system. Both activities should take place at regular intervals if management seriously intends to maintain the system.
The internal audit process will be an ongoing activity, continually auditing different parts of the system and covering all areas of the organization on an established basis. Areas of the company where the audit findings are adverse should receive more frequent audits until such time as the audit results stabilize; particularly important activities should also be audited more frequently.
Q: What sort of things do audits usually find?
A: The typical audit findings tend to center around issues of documentation, calibration, training records, closeout of corrective actions and audit findings, the use of unapproved subcontractors, an absence of work instructions, inadequate planning, poor training records and a lack of management review.
Like all other areas of the company, control of documentation is an important issue, as is ensuring that personnel do not have obsolete documents or controlled documents which are marked up in an inappropriate manner. Document control issues typically account for 70 percent of the findings reported by auditors during certification audits.
Q: How much does it cost to become Registered?
A: This depends on several factors including:
All these factors come into play when a company begins its registration process.
- How much of the work a company is willing to do itself;
- How large the company is;
- How many sites the company has and where they are located;
- How quickly the company wants to get registered; and
- Which standard is the company getting registered to.
The best avenue for a company to take is to have a Gap Analysis performed. All companies have systems in place. A Gap Analysis is a method to determine how your current system matches up with a new ISO-based system.
When properly performed, a Gap Analysis and the Gap Analysis report will provide you with the necessary information to determine costs, and timeframe for registration.
The cost of a Gap Analysis will range from $1,250 - $1,500 per day. When researching a provider for a Gap Analysis, it is important to find someone that will supply you with a detailed report telling you not only that you are deficient in some respect, but how to fix the problem. For a free sample copy of a Gap Analysis report from The Victoria Group, send an e-mail to Rd Goult at rod.goult@Victoriagroup.com.
Regarding cost, ISO can range anywhere from $2,500 to millions of dollars.
Q: How long does it take to get Registered?
A: This depends on your commitment, your company size, standard, and number of locations. Generally, registrars want to have a functioning system for 3 months before the certification audit. The average time for small companies is about 12 months, 18 months for medium sized companies and 24 months for larger companies.
Q: Why do I need to become Registered?
A: Unless your customers are requiring registration, you do not have to become registered. There are thousands of companies that use ISO as a base management system and are compliant to ISO, but choose not to obtain registration. You may then ask yourself; if that is the case, why use ISO at all?
ISO is an internationally recognized management system. There are currently over 800,000 companies registered to ISO worldwide. In the United States alone, over 600 new companies each month achieve registration. ISO based systems have been proven to save money by reducing costs, increasing efficiency, reducing wastes, and providing employees a well structured, and organized process to follow.
Q: Is it better to have training done in-house, or at a public program?
A: This really depends on your situation. Generally, it is more cost effective to have training performed in-house if you have five or more employees that need the same type of training.
Q: Where can I find information on Registrars?
A: Simply go to www.ISORegistered.com for a list of registrars as well as other important information regarding ISO and related standards.