TheISO9001:2015ImplementationHandbook

UsingtheProcessApproachtoBuildaQualityManagementSystem

MiltonP.Dentch

ASQQualityPressMilwaukee,Wisconsin

AmericanSocietyforQuality,QualityPress,Milwaukee53203©2017byASQ.Printedin2016Allrightsreserved.

LibraryofCongressCataloging-in-PublicationDataNames:Dentch,MiltonP.,1942–author.Title:TheISO9001:2015implementationhandbook:usingtheprocessapproachtobuildaqualitymanagementsystem/MiltonP.Dentch.

Description:Milwaukee,Wisconsin:ASQQualityPress,[2016]|Includesbibliographicalreferencesandindex.

Identifiers:LCCN2016023938|ISBN9780873899383(hardcover:alk.paper)Subjects:LCSH:ISO9001Standard—Handbooks,manuals,etc.|Newproducts—Qualitycontrol—Standards—Handbooks,manuals,etc.|Industrialmanagement—Standards—Handbooks,manuals,etc.

Classification:LCCTS156.17.I86D462016|DDC658.5/62--dc23LCrecordavailableathttps://lccn.loc.gov/2016023938

Nopartofthisbookmaybereproducedinanyformorbyanymeans,electronic,mechanical,photocopying,recording,orotherwise,withoutthepriorwrittenpermissionofthepublisher.

Publisher:SeicheSandersAcquisitionsEditor:MattMeinholzManagingEditor:PaulDanielO’MaraProductionAdministrator:RandallBenson

ASQMission:TheAmericanSocietyforQualityadvancesindividual,organizational,andcommunityexcellenceworldwidethroughlearning,qualityimprovement,andknowledgeexchange.

AttentionBookstores,Wholesalers,Schools,andCorporations:ASQQualityPressbooks,video,audio,andsoftwareareavailableatquantitydiscountswithbulkpurchasesforbusiness,educational,orinstructionaluse.Forinformation,pleasecontactASQQualityPressat800-248-1946,orwritetoASQQualityPress,P.O.Box3005,Milwaukee,WI53201–3005.

ToplaceordersortorequestafreecopyoftheASQQualityPressPublicationsCatalog,visitourwebsiteathttp://www.asq.org/quality-press.

Preface

My first experiencewith ISO occurred around 1992. I was employed as the director ofmaterials for worldwide film manufacturing at the Polaroid Corporation in Waltham,Massachusetts. The company was experiencing a big challenge: Polaroid’s instant filmproductswouldnolongerbesoldinEuropeanhospitalsunlessthefilmwasproducedinanISO9001–certifiedplant.Sinceseveralmillionpacksofinstantfilmperyear,plusmanyX-raycameradevices,weresoldtohospitalsinEurope,Polaroidneededtoactquickly—andwedid.Severalengineersandmanagerswerereassignedfromtheirregularjobstoassistthe filmassemblyplants inobtainingcertification to ISO9001.The filmassemblyplantsachieved this goal in about a year, and instant film sales continued uninterrupted at theEuropeanhospitals.OtherthanmaintainingEuropeanfilmsales,whatimpactdidtheISOcertificationhaveon

thequalityofPolaroidfilm?Judgingfrommyobservations,Iwouldsayverylittletonone.The folks assigned to implement the ISO certification were not part of the day-to-dayoperationsintheplants;theyattackedeachofthe20elementsandattendantrequirementsofISO9001asashort-termprojectwithgoalsandmilestones.Employeesattendedawarenesssessions to be trained on how to answer questions from the ISO auditor: “What isPolaroid’squalitypolicy?Wheredoyoufindinstructionsonhowtomakefilm?Whatstepsdoyoutakewhenfilmyoumadedoesnotmeetspecifications?”Theemployeeslearnedtheanswers in a somewhat rote fashion, and the auditors from Denmark were sufficientlyimpressedduringtheirweeklongseriesofinterviewsandinvestigationstorecommendtheplantbecertified to ISO9001.Whilemanynonconformanceswerebroughtupduring theaudit,theISOteamconvincedtheauditorsthatthefilmplanthadaddressedtheissueswithdiligenceand thatPolaroid customers couldbe assured the filmproducedat theseplantswasofconsistentquality.In reality, Polaroid instant film, before and after ISO certification, was plagued with

consistent quality problems stemming from its extremely complex scientific andmanufacturing challenges. Customer experience with Polaroid instant film products overtheirentire75-yearlifecycleindicatedthatoneinfourinstantpictureswasofpoorquality.However, the perceived value of the instant experience was so great that customerspurchasedwell over 100million packs of Polaroid instant film every year until the late1990s,whentheadventofdigitalimagingessentiallyobsoletedit.DuringtheISOauditin1992,managerssuchasmyselfwereinstructedbytheISOteamto

stay out of the way—perhaps take some vacation time—as we had not attended theawareness (indoctrination) training. As materials director, I was responsible forcoordinatingthemanufacturingplanningandschedulingwithPolaroid’ssalesandmarketing

divisions. In ISO terms, this process was referred to as “contract review” or sales-manufacturingforecast.Likemanyotherpubliclytradedconsumerproductcompaniesinthe1990s, Polaroid adjusted its film sales demand to satisfy Wall Street analysts for thequarter,withlittleconnectiontoactualconsumersalesdemand.IftheISOauditorhadaskedme to explain the contract review process, Polaroid might never have been certified toISO9001!TheISOteamselectedlower-levelemployeestoanswertheauditor’squestions,using professionally presented spreadsheets indicating a strong link between sales andmanufacturing.MyopinionofthevalueofISO9001certificationwasshapedbythisfirstexperienceand

continued as I observed suppliers to Polaroid becoming certified to ISO without anyobvious uptick in quality or delivery performance. There was a joke circulating in the1990s that went something like this: An ISO 9001–certified company manufactured lifepreservers to size specifications using precise instructions and tight tolerances.Unfortunately,thetechnicaldepartmenthadselectedcementasthematerialofchoice,sothelife preserverswere useless.The ISO9001 revision in 2000 addressed the “cement lifepreserver”issuebyplacingmoreemphasisonresultsandcustomerrequirements.AfterleavingPolaroidin1996toprovidematerialsconsulting,Ifoundanewentryinto

theISOworldbywayofagraduateprogramIattendedontotalqualitymanagement.OneofthemonthlymodulesintheprogramattheNationalGraduateSchoolofQualityManagementwas “Introduction to ISOAuditing.” To complete the course I had to pass the RegistrarAccreditationBoard (RAB) exam for ISO9001 quality auditors. I passed the exam, andafter a year of trial audits, I became certified as an RAB lead auditor. Over the next20yearsIcompletedover500auditsfor largeandsmallcompanies in theUnitedStates,Mexico,Canada,Europe,andBrazil.Whileconductingtheseauditsandprovidingdozensofauditortrainingclasses,IcontinuedtoobservethemanyflawsintheISOprocessIhadfirstobservedatPolaroid—but Ialsosawhow thedisciplineof the ISOapproachcouldprovidevaluewhenproperlyimplementedandaudited.Throughmyworkwithaverywidespectrum of manufacturing and service organizations, combined with my previous workexperiences,Ihaveaccumulatedareservoirofbestpractices—whatworks,whattoavoid—and an ability to explain the sometimes convoluted requirements and intentions ofstandardsissuedbytheInternationalOrganizationforStandardization(ISO).IwrotetheISO9001:2015ImplementationHandbookwiththefollowinggoalsinmind:

Provideguidancetoorganizations(bothmanufacturingandservice)seekingcertificationtoISO9001:2015AssistcurrentlycertifiedISO9001organizationsinupgradingtoISO9001:2015,whileimprovingtheirpresentqualitymanagementsystem(QMS)ProvideguidanceforinternalauditorsProvideguidanceoninterpretingISO9001:2015requirementsSuggestimprovementsontheformattingoftheISO9001standard

For organizations obtaining ISO 9001 certification for the first time, I suggest you viewISO as a tool to support your business processes—the linchpin for consistency andstandardization.TheHandbookisstructuredtoguideyourorganizationthroughtheprocessnecessary to connect your practices to the requirements of ISO 9001:2015. FororganizationsthatarealreadycertifiedtoISO9001,withavoluminousqualitymanualanddozensofseldom-usedprocedures,IsuggestyouconsidertheupgradetoISO9001:2015asan opportunity to rebuild yourQMS into a helpful asset inmanaging your business. TheHandbook will guide you through the steps in creating a solid QMS in support of yourbusiness.AttheendofeachsectiondescribingtherequirementsfortheclausesofISO9001:2015,

I’veincludedauditquestionsrelatedtothedefinedclauses.Inaddressingthesequestions,thereadercanevaluatetheorganization’sconformancetoISO9001:2015requirements.

ENDNOTEThecontentsofISO9001:2015havebeenparaphrasedinthisbook.Paraphrasedtextbyitsverynaturecanintroducedifferencesinunderstandingandinterpretation.Thisbookshouldbe used in conjunctionwithASQ/ANSI/ISO 9001:2015Quality management systems—Requirements with guidance for use. The interpretations and paraphrasing ofASQ/ANSI/ISO9001:2015intheHandbookarenotauthorizedbyASQ,ANSI,orISO.

1ISO9000HistoryandChronology

TheconceptofaninternationalstandardformanufacturingwasintroducedinEuropeinthe1980s,ledbyinitiativesfromtheUnitedKingdom,namelytheBritishStandard,BS5750,which provided requirements for companies engaged in quality assurance, production,installation, inspection, and testing. The development of the EuropeanUnion encouragedmoretradeamongEuropeancountries,andtheneedforproductstandardsbecameapparent.ISO 9000 essentially replaced BS 5750 in 1987 and became a worldwide, auditablestandardformanufacturingandservice.Initially,ISO9000:1987includedthreesubsets:

ISO9001:1987.Qualityassurancerequirementsforcompaniesengagedindesign,development,production,installation,andserviceISO9002:1987.Qualityassurancerequirementsforcompaniesengagedinproduction,installation,andservice;basicallythesamerequirementsasISO9001butwithoutthedesignofnewproductsISO9003:1987.Qualityassuranceinfinalinspectionandtest;coveredonlythefinalinspectionoffinishedproductwithoutconcernforhowitwasproduced

ThepurposeofISO9002wastoallowcompaniesthatbasedtheirproducts(orservices)oncustomer designs to certify to ISOwithout addressing the design function.Unfortunately,manycompanies thatdidprovidedesign services to their customersdecided to“finesse”the system by not submitting their design process for third-party assessment by the ISOregistrar’s auditors. This issue was resolved with the 2000 revision, which eliminatedISO 9002, requiring all companies to seek certification to ISO 9001—and explain toauditors why their processes did not include design services. The inspection standard,ISO 9003, was also obsoleted in 2000 and is currently included in ISO 9001. (Note:ISO/IEC 17025 provides requirements for the competence of testing and calibrationlaboratories;itisoutsidethescopeoftheHandbook.)The International Organization for Standardization (ISO) has a goal to upgrade its

management standard every seven years. During the 28-year period from 1987 to 2015,ISO 9001 progressed through four revisions: ISO 9001:1994, ISO 9001:2000,ISO 9001:2008, and ISO 9001:2015, the current version released in October 2015.Organizations currently registered to ISO 9001:2008 will need to upgrade toISO9001:2015 beforeOctober 2018. For clarification, ISO9000:2015 covers the basic

conceptsandlanguage;ISO9001:2015setsouttherequirementsofaQMS,thefocusoftheHandbook.AbriefreviewofthepreviousrevisionsofISO9001tracestheevolutionary—sometimes

revolutionary—transformationofISO9001.ForreadersrecentlyengagedinQMS,aswellasthosewhorememberthegenesisofISOin1987,areviewoftheoriginal20elementsofISO 9001 might raise the question of how far QMS has advanced—or maybe how asomewhatsimpleconceptcanbeconfounded.TheoriginalelementsofISO9001were:4.1 ManagementResponsibility

4.2 QualitySystem

4.3 ContractReview

4.4 DesignControl

4.5 DocumentandDataControl

4.6 Purchasing

4.7 ControlofCustomer-SuppliedProduct

4.8 ProductIdentificationandTraceability

4.9 ProcessControl

4.10 InspectionandTesting

4.11 ControlofInspection,MeasuringandTestEquipment

4.12 InspectionandTestStatus

4.13 ControlofNonconformingProduct

4.14 CorrectiveandPreventiveAction

4.15 Handling,Storage,PreservationandDelivery

4.16 ControlofRecords

4.17 InternalQualityAudits

4.18 Training

4.19 Servicing

4.20 StatisticalTechniques

Theseelementsweremaintainedinthe1994revision,which, inasomewhatevolutionarychange, attempted to help third-party auditors by requiringmore clarity in documentationfrom the certified company. Unfortunately, many companies responded by creating evenmoreproceduresanddocumentation—oftenwithlittlevalueaddedtothecompany’squalityperformance.TheessenceofbothISO1987andISO1994was“documentwhatyoudo,dowhat you document,” where procedures were seen to be more important than results orimprovedquality.The ISO9001:2000 revisionwasa somewhat radicalmove in that thefocuswasoncustomersatisfaction,processmanagement,andcontinualimprovement.The

ISO9001:2008revisionhadnonewrequirements—justacontinuedemphasisonprocessmanagementandcustomersatisfaction.The current revision, ISO 9001:2015, strives tomake ISO 9001 amajor driver in the

businessmodeloftheorganization.ISO9001:2015addsrequirementsfortheorganizationtodemonstratetheintegrationoftheQMSrequirementsintoitsbusinessprocessesandalsoto provide risk analysis in support of meeting the quality objectives. Additionally, itrequiresorganizationstoconsiderexternalissuesandinterestedpartiesthatarerelevanttotheQMS,other than traditional customers, suppliers, andemployees.External issues thatcouldimpacttheorganization’sbusinessstrategy,suchasnewtechnology,potentialmarketforces,andcompetition,areopentoauditingintheISO9001:2015scheme.Laterchapterswilldescribehowvariousorganizationsmayaddresstheserequirements.The ISO 9000 concept now has a 29-year history. The original version with its

20prescriptiveelementsprovidedindustriesaroundtheworldwithadisciplinedapproachtomanufacturing products.Over 1million organizationsworldwide are now certified toISO 9001. I believe the discipline of ISO 9001 has been very helpful in improving thequality of most products since 1987. Certainly many other quality initiatives such asstatistical process control have contributed as well, but ISOwas amajor component inestablishingconsistency.The ISO9001:2000 revisiongeneratedquality improvementsbyencouragingcertifiedorganizations to focusoncustomersandprocessmanagement ratherthan procedures and documentation. ISO 9001:2015 adds focus on riskmanagement andencourages the integration of the QMS with the organization’s business as well as theexpansionoftopmanagement’sdirectparticipation.

2TheQMSasaProcess

The internationally recognized standard forqualitymanagement, ISO9001 isbuilt on theplan-do-check-act(PDCA)approach(seeFigure2.1).ThisistheoperatingprincipleofallISOmanagement system standards, including ISO 14001, the standard for environmentalmanagementsystems.Putinthecontextofqualitymanagement,thePDCAapproachworksasfollows:Plan:Topmanagementestablishesthecontext,scope,boundaries,andqualitypolicyoftheQMS.Qualityobjectivesareselectedandprogramsestablishedtoachievetheobjectives.ThecoreprocessesoftheQMSandtheirinteractionsaredetermined.Performanceindicatorsforthecoreprocessesareestablished.Do:Productionandserviceprocessesareimplementedwithcontrolsmaintainedtoensurecustomerrequirementsaremet.Processessupportingthecoreprocessesareimplemented.Check:TheQMSismonitoredandauditedtomeasureperformanceagainsttheorganization’sobjectivesandcustomerrequirements.TheperformanceandresultsoftheQMSarereportedtotopmanagement.Act:ActionsareinitiatedtocorrectdeficienciesandimprovethequalityperformanceasindicatedbythemonitoringandmeasurementoftheQMSresults.ResourcesandemployeetrainingareprovidedasappropriatetoensureimprovementoftheQMS.

WhileestablishingtheplansandactionstosupportaQMS,itishelpfultolookattheQMSas a process with two desired outputs: improvement and customer satisfaction. Theorganization’s management provides the inputs to the QMS process: scope of activities(businessmodel)andthequalitypolicy.Figure2.2representsthecoreprocessofaQMSandisthestartingpointforbuildingthe

QMS.The next step is to define the businessmodel for the organizationwith linkage torelatedISO9001:2015requirements.Chapters4–10provideguidanceonestablishingeachprocessconformingtotherelatedISO9001:2015requirements.

SUMMARY:ISO9001:2015CHANGESFROMISO9001:2008

Organizations currently certified to ISO 9001:2008 will need to address the new (orexpanded)requirementsofISO9001:2015,including:

UnderstandingthecontextoftheorganizationandexpectationsofinterestedpartiesTheintegrationoftheQMSrequirementsintotheorganization’sbusinessprocessesActionstoaddressrisksandopportunitiesExpandedtopmanagementcommitment

Organizationalknowledge

ContextandInterestedPartiesPast revisions of ISO 9001 required organizations to define the scope of theQMS—theactivities, processes, and buildings and property within their QMS. ISO 9001:2015requirestheorganizationtoidentifyandmonitortheinternalandexternalissuesaswellasthe interested parties that are relevant to the organization’s purpose and its strategicdirection.Organizationsarenowrequiredtoconsiderexternalissuesthatcouldimpacttheirbusiness strategy, such as new technology and potential market forces (e.g., social andeconomic environments, international competition). In a similar fashion, the organizationshouldidentifytheinterestedpartiesthatmayberelevanttotheQMS.Examplesincludetheregulatorybodiesadministeringstatutoryandregulatoryrequirementsrelatedtotheproduct.Each organization needs to address these requirements in the context of its business

model.Acompanyproducingconsumerproductsmayhaveseveralareasofopportunityinits business strategy to address relevant external issues and the concerns of interestedparties.Intoday’sintenselycompetitive,globalmarket,mostconsumerproductcompaniesalready have initiatives in place to address product-related regulatory threats aswell asglobalmanufacturingcompetition.ISO9001–certifiedorganizationscompetingasdiscretemanufacturers (e.g., machine shops, metal or plastics formers, electronic and machinerybuilders) have fewer options. Considerations for these types of organizations includereviewing environmentally compatible material options, the latest technical innovations,andalternativemanufacturingtechniques.

IntegrationofQMSRequirementsintoBusinessProcessesManyISO9001–certifiedcompanieshaveintegratedtheQMSintotheirbusinessplanningandstrategy.Companiesofallsizeshavewoventhequalityperformancemetricsintotheirbusiness plan. Key performance indicators (KPIs) are assigned to quality and businessparameters along with safety and environmental metrics. Quality-driven waste reductionprojects include improved environmental performance. Best-in-class organizations haveestablishedabusinessmanagementsystem(BMS)combiningtheirfinancial,quality,safety,and environmental systems into a cohesive operationalmodel. Some ISO 9001–certifiedcompanies, however, operate with their QMS at arm’s length from their business—justdoing the minimum required to maintain certification. The ISO 9001:2015 requirementsshouldnudge thesecompanies intobroadening theirperspectiveoncreatingan integratedbusinessmanagementsystem.

ActionstoAddressRisksandOpportunitiesThe requirement to provide risk analysis in QMS activities is a key difference inISO9001:2015comparedtopreviousrevisions.Theorganizationisnowrequiredtoassesstherisksandopportunitiesrelatedtoitspurpose,itsbusinessstrategy,andtheexpectationsofinterestedpartiestoensuretheQMSmeetsitsobjectives.Qualitytoolscurrentlyusedin

manyorganizationsincludestrategicplanningprocess,strengths-weaknesses-opportunities-threats (SWOT) analysis, Six Sigma, and lean manufacturing programs. Results of theanalysisshouldbeusedinestablishingobjectivesandplanningtomitigatetherisks.Failuremodesandeffectsanalysis (FMEA)couldbeused.WhileorganizationswithaneffectiveQMS certainly understand the risks related to their operations, the new requirements ofISO 9001:2015 may have a positive effect on many organizations by requiring a moreformalizedriskevaluationprocessandsubjectingittoathird-partyaudit.ItshouldbenotedthatISO9001:2015doesnothavearequirementforpreventiveaction.ThereasoningisthattheentireQMSispreventiveinnature,asistheriskanalysisapproach.SeeChapter11forguidance on documentation of risk analysis. Chapter 6 includes suggestions on how anorganizationmightaddresstherequirementsforrisk-basedthinking.

TopManagementCommitmentWhile the previous revisions to ISO 9001 included commitment from management tosupporttheQMS,ISO9001:2015amplifiesthisrequirement.TheISO9001:2015standarddoes not use the title “management representative” as previous ISO 9001 standards did.However, theorganizationcancontinuetousethis title toconveycertainresponsibilities.The intent of ISO9001:2015 is to emphasize topmanagement’s responsibilities as goingbeyonddelegating.Inmypastexperienceswithasmallgroupoforganizations,managementhaddelegated thequalitymanagementcoordination too fardown theorganizationalchart.Thiswasevidentwhen thequalitymanagement representativedidnot attendmanagementreview meetings to present the status of the QMS—not a good sign. Management’sexplanationforthiswasthatfinancialandothersensitiveissuesneededtobediscussedatthe meeting, and the quality coordinator should not be privy to such information.ISO 9001:2015 requirements strive to prevent the overdelegation of QMS support andcoordination.

OrganizationalKnowledgeISO 9001:2015 Annex A, Clarification of new structure, terminology and concepts,addresses:Theneed todetermine andmanage theknowledgemaintainedby theorganization, toensurethatitcanachieveconformityofproductsandservices.Requirementsregardingorganizational knowledge were introduced for the purpose of: safeguarding theorganizationfromlossofknowledge,e.g.throughstaffturnover;failuretocaptureandshare information; encouraging the organization to acquire knowledge, e.g. learningfromexperience;mentoring;benchmarking.

WhileISO9001:2008clause6.2,Humanresources,subclause6.2.1,General—“Personnelperformingwork affecting conformity to product requirements shall be competent on thebasisofappropriateeducation,training,skillsandexperience”—impliedthatorganizationsshould maintain organizational knowledge, ISO 9001:2015 requires organizations toconsider and review the organization’s processes to ensure that operational/process or

product knowledge ismaintainedwhen employees leave the organization, and to reviewprocessesusedbytheorganizationtoremainknowledgeableaboutnewtechnologyrelevanttotheirbusinessmodel.Athird-partyauditorwouldexpecttheorganization,dependingonitsoperations,tohave

some formalized program for succession planning, technology updates, and suppliercontingencies. Many ISO 9001–certified organizations have processes in place formaintaining organizational knowledge by way of their business strategy and contingencyplan.Theorganization’sinternalauditorsandthird-partyauditorswillneedtobesensitiveto possible confidentiality issueswith regard to this information. Additionally, since theclauserequires theorganization to“consider itscurrentknowledgeanddeterminehowtoacquire or access any necessary additional knowledge,” auditors “should not require theorganizationtoimplementactionstoacquireadditionalknowledge,”astheimplementationofabusinessstrategyisconfidentialandoutsidethescopeofISO9001andtheskillsetofthemajorityofISOauditors.

OtherChangesISO9001:2015alsohasterminologyrevisionsandexpansiononpreviousrequirementsthatshouldbeconsidered:

Documentation,terminologychangesProgramstoimplementqualityobjectives

DocumentationAterminologychange(notanewrequirement)inISO9001:2015isthemodificationoftheclause numbering and documentation formatting. This change was made to achievealignment with the formatting of ISO 14001:2015,Environmental management systems.(To help those who are familiar with ISO 9001:2008 make the transition, a table isprovidedatthebeginningofChapters4–10intheHandbook,matchingtheISO9001:2015clausesdiscussedinthatchaptertothecorrespondingclausesinISO9001:2008.)ISO9001:2015AnnexAstates:“There isnorequirement in this InternationalStandard

for its structure and terminology to be applied to the documented information of anorganization’s QMS.” Organizations currently using documents, procedures, and qualityrecordsintheirQMSshouldnotfeelcompelledtoadjusttothenewterminology.Likewise,whilethenewstandarddoesnotexplicitlyrequireaqualitymanual,organizationscurrentlymaintainingaqualitymanualmaywanttocontinueusingitasahigh-levelconsolidationofthe key elements—or road map—of their quality documentation (as was required byISO9001:2008).Organizationswhosequalitymanual paraphrases each ISO9001 clauserequirement—goingback through several ISO9001 revisions—should seriously considerupdatingtheirqualitymanualtoinclude:

Adescriptionoftheorganization’sbusinessmodel,includingthecontextoftheorganizationandtheexpectationsofinterestedpartiesThescope(theactivities,processes,andbuildingsandlocations)oftheQMSAdescriptionofthoseISO9001:2015requirementsthatarenotapplicabletotheQMS,astheydonotaffecttheorganization’sabilityorresponsibilitytoensuretheconformityofitsproductsandservicesThedocumentedprocedures(documentedinformation)establishedfortheQMS,orreferencetothemAdescriptionoftheprocessesintheQMSandhowtheyinteractThequalitypolicyResponsibilities/authorities

Organizations looking to upgrade to ISO 9001:2015 should reviewAnnexA to obtain abetterunderstandingofthenewterminology.Unfortunately,someguidanceintheAnnexisunclear.Chapter11discussesinterpretationconcerns.

ProgramstoImplementQualityObjectivesISO9001:2008clause5.4.1,Qualityobjectives,reads:“Topmanagementshallensurethatqualityobjectives,includingthoseneededtomeetrequirementsforproduct,areestablishedat relevant functions and levels within the organization. The quality objectives shall bemeasurableandconsistentwiththequalitypolicy.”Theplanningrequiredtoimplementthequalityobjectiveswassomewhatvague.ISO 9001:2015 clause 6.2.2, Quality objectives and planning to achieve them, reads:

“When planning how to achieve its quality objectives, the organization shall determine:whatwillbedone;whatresourceswillberequired;whowillberesponsible;whenitwillbecompleted;howtheresultswillbeevaluated.”While past revisions of ISO 9001 gave organizations some flexibility in implementing

their quality objectives, third-party auditors will now expect the organization to have adefined program to achieve each of its quality objectives.This requirement is consistentwith ISO 14001:2015 and should reduce auditing inconsistencies—and enhance qualityimprovements.

AuditingNotesThe evaluation of some of the new ISO 9001:2015 requirements will be somewhatsubjectiveforthird-partyauditors.Whenwillanorganizationbejudgedasnonconformingin addressing the requirements for context/interested parties, risk analysis, and topmanagement commitment? If there are no examples of proactive initiatives related toaddressing the needs of interested parties or external issues, will that be deemed anonconformance?InmyexperiencesauditingtotheISO9001standard,iftheorganizationhadnotmetitsimprovementgoaltheauditordidnotissueanonconformanceaslongasthe

organization either documented the reason the goalwasmissed or established actions tocorrect the situation. I would expect third-party auditors to follow this guideline whenassessing performance against the new ISO 9001:2015 requirements. In the case of therequirementtodeterminetheneedsofinterestedpartiesandexternalissues,theorganizationshould be able to provide documentation indicating that a review process is in placerelative to the context of the organization and its business model. At a minimum, anorganizationwouldbeexpectedtohavesomeformofriskanalysisprocessrelatedto theQMS.With regard toassessing topmanagementcommitment to theQMS,anexperiencedthird-party auditorwill be able todetectwhen resources arenot adequate to support theQMSandwillissuenonconformancesasapplicable.

TransitionalPeriodsofISO9001:2015The ISO 9001:2015 standard was published on October 25, 2015. Companies that arecertified to ISO 9001:2008 have three years to bring their QMS up to date withISO9001:2015.EventuallyallcertificatesinaccordancewithISO9001:2008willbecomeinvalidandwillbewithdrawnasofOctober25,2018.UsuallyitismostefficientforboththeorganizationandtheISOregistrartoconductthe

upgradeaudit to ISO9001:2015during theorganization’s three-year recertificationaudit;however,theupgradecanbedoneduringtheannualsurveillanceaudit.Appendix A, “ISO 9001:2015 Gap Analysis,” summarizes the changes from

ISO9001:2008.ThegapanalysiscanbeusedtomakestaffawareofthenewrequirementsofISO9001:2015.

3ISO9001:2015Requirements

Inits2015revisions,ISOappliedthesamestructuretobothQualitymanagementsystems(ISO9001:2015)andEnvironmentalmanagementsystems(ISO14001:2015):1 Scope

2 Normativereferences

3 Termsanddefinitions

4 Contextoftheorganization

5 Leadership

6 Planning

7 Support

8 Operation

9 Performanceevaluation

10 Improvement

ASQ/ANSI/ISO 9001:2015 Quality management systems—Requirements (as theUS adoption is called) includes the Scope, Normative References, and Terms andDefinitionssectionsasfollows.

1SCOPEThis InternationalStandardspecifies requirements foraqualitymanagement systemwhenanorganization:a)Needstodemonstrateitsabilitytoconsistentlyprovideproductsandservicesthatmeetcustomerandapplicablestatutoryandregulatoryrequirements,and

b)Aimstoenhancecustomersatisfactionthroughtheeffectiveapplicationofthesystem,includingprocessesforimprovementofthesystemandtheassuranceofconformitytocustomerandapplicablestatutoryandregulatoryrequirements

All the requirements of this International Standard are generic and are intended to beapplicabletoanyorganization,regardlessofitstypeorsize,ortheproductsandservicesitprovides.

Note1: In this InternationalStandard, the terms“product” and“service”onlyapply toproductsandservicesintendedfor,orrequiredby,acustomer.Note2:Statutoryandregulatoryrequirementscanbeexpressedaslegalrequirements.

2NORMATIVEREFERENCESThefollowingdocuments,inwholeorinpart,arenormativelyreferencedinthisdocumentand are indispensable for its application. For dated references, only the edition citedapplies.Forundatedreferences,thelatesteditionofthereferenceddocument(includinganyamendments)applies.ISO9000:2015,Qualitymanagementsystems—Fundamentalsandvocabulary

3TERMSANDDEFINITIONSForthepurposesofthisdocument,thetermsanddefinitionsgiveninISO9000:2015apply.

CLAUSES4–10Sections(clauses)4–10providetherequirementsforcertificationtoISO9001:2015.

Note: In Chapters 4–10, the general requirements of each ISO 9001:2015 clause areparaphrased in theshadedboxes.Boldfacetext indicatesachangefromISO9001:2008.FororganizationscurrentlycertifiedtoISO9001:2008,eachofthesechaptersbeginswithatablethatmatchestheISO9001:2015clausesdiscussedinthatchaptertothecorrespondingclausesinISO9001:2008.

4Clause4:ContextoftheOrganization

4.1UNDERSTANDINGTHEORGANIZATIONANDITSCONTEXT

Theorganizationshalldetermineexternalandinternalissuesrelevanttoitspurposeanditsstrategicdirection.The organization shallmonitor and review information about the external and internal issues that affect itsabilitytoachievetheintendedresultsofitsqualitymanagementsystem.

4.2UNDERSTANDINGTHENEEDSANDEXPECTATIONSOFINTERESTEDPARTIES

The organization shall determine the interested parties that are relevant to its qualitymanagement system.Theorganizationshallmonitorandreviewinformationabouttheinterestedpartiesandtheirpotentialeffectonthe organization’s ability to consistently provide products and services that meet customer and applicablestatutoryandregulatoryrequirements.

These two clauses of ISO 9001:2015 have very different requirements than previousversionsofISO9001,whichrequiredtheorganizationtodeterminethescopeoftheQMS.ISO 9001:2015 requires the organization to determine the scope of the organization’sbusiness.This isanattemptby thewritersof ISO9001:2015 toextend theISOapproachbeyondthequalitymanagementoftheorganizationintothebusinessasawhole.Inthepast,ISO9001 required a definitionof the scope: the activities, products, and services of theorganization.ThesubsequentclausesofISO9001thenintroducedrequirementstomanagetheQMS.

In addition to determining scope, organizations are now required to consider externalissuesthatcouldimpacttheirbusinessstrategy,suchasnewtechnologyandpotentialmarketforces (e.g., social and economic environments, international competition). In a similarfashion, theorganization should identify the interestedparties thatmaybe relevant to theQMS. Examples include the regulatory bodies administering statutory and regulatoryrequirementsrelatedtotheproduct.Eachorganizationneedstoaddresstheserequirementsin the context of its businessmodel.A company producing consumer productsmay haveseveralareasofopportunityinitsbusinessstrategytoaddressrelevantexternalissuesandthe concerns of interested parties. In today’s intensely competitive, global market, mostconsumer product companies already have initiatives in place to address product-relatedregulatory threats as well as global manufacturing competition. ISO 9001–certifiedorganizations competing asdiscretemanufacturers (e.g.,machine shops,metal orplasticsformers,electronicandmachinerybuilders)have feweroptions.Considerations for thesetypesoforganizationsincludereviewingenvironmentallycompatiblematerialoptions,thelatesttechnicalinnovations,andalternativemanufacturingtechniques.AppendixG provides checklists the organization can use to assesswho the interested

partiesareandwhatexternalandinternalissuescouldimpacttheorganization.

AuditQuestionsClauses4.1and4.2Whataretheinternalandexternalissuesthatarerelevanttotheorganization’spurposeanditsstrategicdirection?Examples:Legal, technological,competitive,market,cultural,social,andeconomicenvironments,whether international,national,regional,orlocal

Howdoestheorganizationreviewandmonitortherelevantinternalandexternalissues?Example:Businessplanningstrategy

Who/whataretheinterestedpartiesthatarerelevanttotheQMS?Examples:Legalagenciesandregulatorybodies,creatorsofnewtechnology,newcompetitors

Howdoestheorganizationreviewandmonitortherequirementsofrelevantinterestedparties?Example:Businessplanningstrategy

AuditTipOne challenge for organizations and third-party auditors is how to maintain confidentiality when an organization’sbusinessstrategy isbeing reviewed. If confidentiality isan issue, I suggest theorganizationpresent to theauditor theprocess used to establish the business plan,minus the implementation details.While auditors and registrars do signconfidentiality agreementswith client companies, I believe anorganization’s business plans are too sensitive to sharewithpeopleoutsidethecompany.

4.3DETERMININGTHESCOPEOFTHEQUALITYMANAGEMENTSYSTEM

The organization shall determine the boundaries and applicability of the quality management system to establish itsscope.Theorganizationshallconsidertheproductsandservicesoftheorganization,theexternalandinternalissuesandtherequirementsofrelevantinterestedpartieswhendeterminingthescope.

The organization shall apply and document all the applicable requirements of this International Standard within thescopeofitsqualitymanagementsystem.

Thescopeshall state the typesofproductsandservicescovered in thescope.Any requirementof this InternationalStandardthattheorganizationdeterminesisnotapplicabletothescopeofitsqualitymanagementsystemshallbestatedwith justification for exclusion. Conformity to this International Standard may only be claimed if the requirementsdeterminedasnotbeingapplicabledonotaffecttheorganization’sabilityorresponsibilitytoensuretheconformityof itsproductsandservicesandtheenhancementofcustomersatisfaction.

Clause4.3,Determiningthescopeofthequalitymanagementsystem,isessentiallythesameasthe2008requirements,withtheadditionofconsiderationsofinternalandexternalissuesandinterestedparties.Also,inISO9001:2008,theorganizationwasrequiredtodefineandjustifyanyexclusion(clauses).WithISO9001:2015theorganizationneedstoapplyalltherequirements that are applicable within the determined scope. In reality, the scoperequirementshavenotsubstantiallychanged.

AuditQuestionsClause4.3WhatisthescopeoftheQMS?

Scopeisdefinedastheactivities,products,andservicesoftheorganization.

Whataretheboundariesapplicabletotheorganization’sscope?•Multiplebuildings(addresses)•Multiplesites(locations)

Whatmanufacturingprocessesorserviceslocatedatthesitearenotapplicabletotheorganization’sscope?Examples: Design or service? Explain why these processes do not impact the organization’s ability to meet theexpectationsofitscustomers.

How were external and internal issues and the expectations of interested parties, relevant to the organization’srequirements,consideredwhentheorganization’sscopewasestablished?Examples:Multisitemanufacturing,internationalsalesoffices,designcenters

4.4QUALITYMANAGEMENTSYSTEMANDITSPROCESSES

4.4.1: The organization shall establish, implement, maintain and continually improve a quality management system,includingtheprocessesneededandtheirinteractions,inaccordancewiththerequirementsofthisInternationalStandard.

The organization shall determine the inputs and outputs expected from the processes needed for the qualitymanagementsystemandtheirapplicationthroughouttheorganization.

Theorganizationshall:

•Determinethesequenceandinteractionoftheseprocesses;• Determine and apply the criteria and methods to monitor or measure the related performance indicators needed toensuretheeffectiveoperationandcontroloftheseprocesses;

•Determinetheresourcesneededfortheseprocessesandensuretheiravailability;•Assigntheresponsibilitiesandauthoritiesfortheseprocesses;•Addresstherisksandopportunitiesincontrollingtheseprocesses;•Evaluatetheprocessesandimplementanychangesneededtoensurethattheprocessesachievetheirintendedresults.

4.4.2: The organization shall maintain documented information to support the operation of its processes and haveconfidencetheprocessesarebeingcarriedoutasplanned.

1

Clause 4.4, Qualitymanagement system and its processes, has the same requirements asISO 9001:2008 clause 4.1, Quality management system; however, there is a newrequirement in ISO 9001:2015 for the organization to address risks and opportunitieswithintheQMS.RiskanalysiswillbediscussedinChapter6.Determiningthesequenceandinteractionof theorganization’sprocesseshasbeenone

ofthemoreconfusingandmisappliedaspectsofQMSsincetheadditionofthisrequirementin ISO9001:2000.Asa third-partyquality auditor for the last20years, Ihave seen justabout every process flowchart imaginable—some thatwere really great (anduseful), butmany more that were completely useless. For organizations currently certified toISO9001:2008,Isuggestyouconsiderwhethertheprocessflowandinteractionschartthatyouhavebeenusing(withapprovalfromyourregistrar’sauditors)providesanyvalue toyour QMS. There are two parts to determining the sequence and interactions of theprocesseswithin thebusinessmodel: thedescriptionof theprocesses andmanaginghowthey relate to each other. While a flowchart may describe what the processes are andarrowsmayindicatehowtheyconnect, it isnotclearhowthecharthelpsanorganizationmanageitsqualitysystemorbusiness,particularlyifamachineshophasthesameflowchartasacomplexsemiconductormanufacturer.IhaveseentheflowchartsshowninFigures4.1and4.2atvariousISO9001–certifiedcompanies.Themodel of a process-basedQMS shown in Figure 4.1 is from the ISO 9001:2000

standard and represents the interactions of the clauses of ISO 9001. When copied andpasted into an organization’s quality manual, it does not represent the sequence andinteractions of the processes within the organization’s business. Likewise, the genericmanufacturing chart shown in Figure 4.2 is often used and could be the chart for anymanufacturingprocess—butitprovideslittlevalue.

A properly designed process flowchart can be useful in training employees andestablishinganoutlineformonitoringandcontrollingtheprocesses.TheflowchartshowninFigure4.3describestheprocessesinacompanythatproducesinjection-moldedproducts.Theprocessesareconsideredcustomer(orcore)oriented,aseachonehasaconnectiontocustomer requirements. The QMS will also include support oriented processes:documentation, employee training, communication, corrective action, nonconformingproducts, internal audit, management review, and improvement. In addition, there are

support processes related to maintaining the plant facilities and equipment, such ascalibrationandmaintenance.

Contrarytopopularbelief,noneoftheofISO9001revisionshasrequiredorganizationsto prepare a flowchart. Clause 4.1 of ISO 9001:2008 required the organization to“determine theprocessesneeded for thequalitymanagement systemand their applicationthroughouttheorganizationanddeterminethesequenceandinteractionoftheseprocesses.”To satisfy this requirement, an organization could provide a list of its customer-relatedprocessesanddescribehowtheyrelatetoeachother.Forexample,saytheJonesPlasticsCompany produces injection-molded plastic parts. Their documentation identifies thesequenceandinteractionoftheprocessesasfollows:The Jones Plastics Company purchases resins and other materials. We ensure thematerials meet our specifications. Our customers provide us with purchase ordersdefining the product part numbers, quantity and date needed, and other pertinentinformation.We usemoldingmachines tomelt the resins inmolds provided by ourcustomers with operating parameters established to match the customer-provideddesignrequirements.Ourmachineshoppreparesmountingplatesfor theplasticparts

thatareassembledtotheplasticpieces.Weinspectthemoldedproductstoensuretheyconformtocustomerspecificationsandpackageandshiptheproductstothecustomers.

Manythird-partyauditorswouldnotacceptthisdescriptionofthesequenceandinteractionof theprocesses,as it isnotagraphicaldepictionofhow thevariousprocesses interact.Some auditors would issue a nonconformance; others would coach the organization intoaddingagenericflowchartsimilartotheoneshowninFigure4.2.Icontendthatthegenericchart provides less information than the written description. I would accept the JonesPlasticsCompanydescriptionprovidedtheyhadaprocesstocontroltheinteractionofthecustomer-orientedprocesses.Clause 4.1 of ISO 9001:2008 required the organization to “determine criteria and

methods needed to ensure that both the operation and control of these processes areeffective.”NeitherFigure4.2norFigure4.3providesanyevidencethattheprocessesareundercontrol.Thesequenceandinteractionsoftheprocesseswillbecontrolledaspartofthe organization’s change control process. A change control process used by manyorganizations is the engineering change notice (ECN), which manages how processesinteract. In the case of the JonesPlasticsCompany, if the purchasingdepartment found areplacementforthesupplierofresin,anECNwouldbepreparedsoallotherdepartmentsimpacted by the change could review and approve it to ensure customer quality wasmaintained.Chapter8willprovidemoredetailonchangecontrolrequirements.The ECN process controls the interactions among the various processes, which

obviouslyhasmorevalueinmeetingcustomerrequirementsthanaflowchartdepictinghowtheprocesses interact.However,aproperlyconstructedflowchartcanbeauseful tool. Ifthe Jones Plastics Company elected to use the injection molding process chart fromFigure4.3,inadditiontosatisfyingtherequirementsofISO9001:2015,theywouldhaveaneffective way of training new employees on how the various departments connect toproduce the product.Additionally, the flowchart can assist internal auditors in indicatingwherequalityrecordsarerequired.InthechartinFigure4.3,eachcustomerordershouldhavearecordrelatedtocustomerpurchaseorder,orderacknowledgment,andcertificateofconformance.Many organizations use flowcharts as a replacement for written procedures. While

ISO9001:2015doesnotrequiretheuseofflowcharts,itstronglyinfersthatorganizationsshouldunderstandprocessmanagement:Clause4.4.1:Theorganizationshalldeterminetheinputsandoutputsexpectedfromtheprocessesneeded for thequalitymanagement systemand theirapplication throughouttheorganization.

Managementofprocessessuchassales/orderentry,design,purchasing,andproductioncanbenefitwhentheirproceduresaremappedasaflowchart.Chapter8includesflowchartstodescribethedesign,sales,production,andserviceprocesses.Note:Organizationsoftencombinetheinteractionofsupportprocessesandthecustomer

(or core) processes. For example, in Figure 4.4, if the product fails at inspection, the

controlofnonconformingproductcanbeaddedtotheoverallflowchart.

Idon’tfeel that includingsupportprocesses in theoverallcoreprocessflowchartaddsmuchvalue;infact,inmostcaseswherethisisdone,theflowchartbecomesoverlydetailedand difficult to read. Each support process can be flowcharted, aswill be illustrated inChapters7,9,and10.

AuditQuestionsClause4.4WhataretheprocessesneededfortheQMSandtheirapplicationthroughouttheorganization?

Examples: Marketing/sales, design/development, manufacturing, services, purchasing, engineering support, humanresources,facilities,maintenance,qualityassurance

Howdoestheorganizationdescribetheinputsandoutputsoftheprocesseswithintheorganization’sscopeofactivities—includingtheinteractionsbetweentheprocessesoftheQMS?Examples:Flowchart,descriptionofprocesses

Howaretheinteractionsamongthevariousprocessescontrolledtoensurethatcustomerrequirementsaremet?Example:Changecontrolprocess

ENDNOTE1.AnomenclaturechangewithISO9001:2015isdesignating“documentedinformation”tocoverbothdocumentsandrecords,whichweredefinedindependentlyinpriorISO9001revisions.ThisisconsistentwithISO14001:2015andisintendedtoallowforavarietyofmediaindocumentingtheorganization’splans.Chapter7willreviewthisterminologychangefurther.

5Clause5:Leadership

5.1LEADERSHIPANDCOMMITMENT

5.1.1GeneralTop management shall demonstrate leadership and commitment with respect to the quality management system bytakingaccountabilityfortheeffectivenessofthequalitymanagementsystem.Topmanagementshall:

• Ensure the integration of the quality management system requirements into the organization’s businessprocesses;

•Promotetheuseoftheprocessapproachandrisk-basedthinking;•Ensuretheresourcesneededforthequalitymanagementsystemareavailable;•Communicatetheimportanceofconformingtothequalitymanagementsystemrequirements;•Ensurethatthequalitymanagementsystemachievesitsintendedresults;•Engage,directandsupporttheemployeeswhocontributetotheeffectivenessofthequalitymanagementsystem;•Promoteimprovement;•Supportallrelevantmanagementrolesthatapplytotheirareasofresponsibility.

5.1.2CustomerfocusTop management shall demonstrate leadership and commitment with respect to customer focus by ensuring thatcustomerandapplicablestatutoryandregulatoryrequirementsaredeterminedandunderstood.Topmanagementshall:

•Ensure the risks and opportunities that can affect conformity of products and services and the ability toenhancecustomersatisfactionaredeterminedandaddressed;

•Ensurethefocusonenhancingcustomersatisfactionismaintained.

Clause 5.1.1 has the same requirements as ISO 9001:2008 clause 5.1, Managementcommitment, with the exception of the integration of the QMS requirements into theorganization’sbusinessprocessesandthepreviouslymentionedrisk-basedthinking.Many ISO 9001–certified companies have integrated the QMS into their business

planningandstrategy.Companiesofallsizeshavewoventhequalityperformancemetricsinto their business plan. Key performance indicators (KPIs) are assigned to quality and

business parameters along with safety and environmental metrics. Quality-driven wastereduction projects include improved environmental performance. Best-in-classorganizations have established a BMS combining their financial, quality, safety, andenvironmental systems into a cohesive operational model. Some ISO 9001–certifiedcompanies, however, operate with their QMS at arm’s length from their business—justdoing the minimum in ISO management to maintain certification. The ISO 9001:2015requirementsshouldnudgethesecompaniesintobroadeningtheirperspectiveoncreatinganintegratedbusinessmanagementsystem.Clause 5.1.2 is essentially the same as ISO 9001:2008 clause 5.2, Customer focus.

Clause 5.1.2 places the responsibility on top management to ensure that statutory andregulatoryrequirementsapplicabletotheproductandcustomersatisfactionaremet,aswellasthenewrequirementofriskmanagement.

AuditQuestionsClause5.1The third-partyauditorswill interview topmanagementat thesite toassess their leadershipandcommitmentaswellascustomerfocus.Theauditormaycombinetheassessmentofleadershipwiththeauditoftheorganization’smanagementreviewprocess.Somequestionsthatmaybeappropriate:

HowdoestopmanagementintegratetheQMSrequirementsintotheorganization’sbusinessprocesses?

WhatistheevidencetoindicatethattopmanagementprovidesresourcestosupporttheQMS?Examples:Newequipment,resources

Howdoestopmanagementpromotetheuseoftheprocessapproachandrisk-basedthink ing?

How does top management communicate the importance of effective quality management and of conformance to theQMSrequirements?

How does topmanagement demonstrate leadership and commitment with respect to customer focus by ensuring thatcustomerrequirementsandapplicablestatutoryandregulatoryrequirementsaredetermined,understood,andconsistentlymet?

Howdoestopmanagementassesstherisksandopportunitiesthatcanaffectconformityofproductsandservices?

5.2POLICY

5.2.1EstablishingthequalitypolicyTopmanagementshall establish, implementandmaintainaqualitypolicy that isappropriate to thepurposeandcontextoftheorganizationandsupportsitsstrategicdirection.

Thequalitypolicyshall:

•Provideaframeworkforsettingqualityobjectives;•Includeacommitmenttosatisfyapplicablerequirements;•Includeacommitmenttocontinuallyimprovethequalitymanagementsystem.

5.2.2CommunicatingthequalitypolicyThequality policy shall beavailableandmaintainedasdocumented informationandbe communicated, understoodandappliedwithintheorganization.

Thequalitypolicyshallbeavailabletorelevantinterestedparties,asappropriate.

ThequalitypolicyrequirementinISO9001:2015isessentiallythesameasISO9001:2008withtheexceptionoftheadditionof“contextoftheorganizationandsupportsitsstrategicdirection.” The context and strategic direction considerations are overarchingrequirements of ISO 9001:2015. In reference to the quality policy, they present anopportunity for the organization to evaluate how its quality policy relates to the overallbusinessmodelofthecompany.A common area of confusion is how to communicate the quality policy to employees

whenthecompanyalsohasamissionstatementandavision.What’sthedifferencebetweenavision,amission,andaqualitypolicy?Generally,theyaredefinedasfollows:Vision.Whattheorganizationaspirestobe.Howthefuturewilllookiftheorganizationachievesitsmission.Mission.Whattheorganizationisallabout.Whoweare,whoourcustomersare,whatwedo,andhowwedoit.Qualitypolicy.Aguideastohowtheorganizationshouldprovideproductsandservicestocustomers.

In the case of the JonesPlasticsCompany, the company established the following visionstatement,missionstatement,andqualitypolicy:

VisionStatementTheJonesPlasticsCompanywillbetheinjectionmoldingmanufacturerofchoice.

MissionStatementTheJonesPlasticsCompanywill:

Innovativelymanufactureinjection-moldedproductstothehighestqualitystandardsProvidesuperiorserviceandapplicationtechnologytoourcustomersandmaintainacooperativepartnershipwithoursuppliersCreateachallenging,rewarding,andsafeworkingenvironmentforouremployeesBerecognizedasagoodcorporatecitizen,conductingbusinessinaccordancewiththehighestethicalstandardswhileprovidingprofitssatisfactorytoourstockholders

QualityPolicyTheJonesPlasticsCompanywillsatisfytheneedsandexpectationsofourcustomersbyunderstanding their requirements andprovidinghigh-quality products thatmeet orexceedallperformancerequirements,whilepromotingfullemployeeinvolvementandempowerment.

The JonesPlasticsCompanyqualitypolicyappears tobeappropriate to thepurposeandcontextof theorganizationandsupports itsstrategicdirection,as it isconsistentwith themission and vision statements. It includes “a commitment to satisfy applicablerequirements” and a commitment to continual improvement (“exceed all performancerequirements”).Does theJonesPlasticsCompany’sQualityPolicy“providea frameworkforsettingqualityobjectives”?Asa third-partyauditor, IwouldchallengetheJonesPlasticsCompanytoshowmethe

objectives that support “high-quality” and “exceed all performance requirements.” If thecompany’s rateof rejection from their customers approachedzerodefect levels and theircustomers provided very positive testimonials (customer feedback), then I wouldcongratulate them. I would also want to explore examples of how the employees wereempowered and involved. Employee improvement teams, implemented suggestions,employee satisfaction surveys, positive employee interviews—all could demonstrate thattheJonesPlasticsCompanywascommittedtoemployeeempowerment.In this type of objectives review, an experienced auditor would be judicious in

responding to organizations that overcommitted in their quality policy without hardevidence supporting their policy, especially related to exceeding requirements. It isgenerally better for the organization to use expectations rather than requirements, asexpectations are more subjective and can be supported by positive customer feedback.Many organizations want to instill a culture of excellence among their employees—theydon’t want to just meet requirements, as that is only being “good enough.” I would notrecommendthatanorganizationliketheJonesPlasticsCompanyrewritetheirqualitypolicyunless their qualityperformancewaswell belowhighquality. Iwould challenge them tospendsometimeanalyzingoptionstoprovidesomemeasuressupportingtheclaimsintheirpolicy.Oneofthemorechallengingsituationsforanauditorrepresentingaregistrarisauditinga

clientforthefirsttimeandobservingaqualitypolicythatismorelikeabumperstickerorvision statement, with outlandish, unsupported high-quality claims—and realizing it hadbeenapprovedforseveralyearsbyauditorsfromthesameregistrar.Severalyearsago,Iwas auditing with a teammember who chose to push the client (auditee) into changingcertain parts of the company’s documentation. The client threw the quality proceduresmanualacrosstheroom.“Theauditorfromyourcompanyhadmechangethedocumentationlastyear—nowyouwantmetochangeitback?”heexclaimed,ratherloudly.Veryearlyinmyauditingcareer,IchallengedthepresidentofaFortune500fiberoptics

companyontheirqualitypolicy.“Weanticipateourcustomer’sneedsandprovideleading-edgesolutions”—trulyamismatchwiththeconceptofaqualitypolicy.Thepolicyhadbeenapprovedbythepreviousauditorsforseveralyears.Thatwastheonlyclientinmy20yearsofauditingthatrequestedInotbeassignedtothemagain.Afterthatexperience,Idecidedtherearemanyrealissuesthatimpactaclient’squalityperformancethatIshouldfocuson,and that debating semantics on a quality policy is probably not one of them. That fiber

optics companywould deliver the samequality products to their customerswhether theyhada“proper”policyornot.The overarching requirement of ISO 9001:2015 is to integrate the QMS into the

company’s business model. I suggest organizations review their quality policy forconsistency with their business strategy—their vision and mission—and find ways toclearlycommunicatethequalitypolicytoemployees.

AuditQuestionsClause5.2Doesthepolicy:

•Provideaframeworkforsettingqualityobjectives?•Includeacommitmenttosatisfyapplicablerequirements?•IncludeacommitmenttothecontinualimprovementoftheQMS?

Isthequalitypolicyappropriatetothepurposeandcontextoftheorganization,anddoesitsupportitsstrategicdirection?

Howisthequalitypolicycommunicatedtoemployees?Temporaryhelp?Contractors?

Howisthequalitypolicymadeavailabletothepublicorinterestedparties?

5.3ORGANIZATIONALROLES,RESPONSIBILITIESANDAUTHORITIES

Topmanagementshallensure that theresponsibilitiesandauthorities for relevant rolesareassignedandcommunicatedwithintheorganization.Topmanagementshallassigntheresponsibilityandauthorityfor:

•EnsuringthatthequalitymanagementsystemconformstotherequirementsofthisInternationalStandard;•Ensuringtheprocessesaredeliveringtheirintendedoutputs;• Reporting on the performance of the quality management system and on opportunities for improvement to topmanagement;

•Ensuringthepromotionofcustomerfocusthroughouttheorganization;•Ensuring that the integrityof thequalitymanagementsystem ismaintainedwhenchanges to thequalitymanagementsystemareplannedandimplemented.

Top management should assign responsibilities and authorities to ensure the QMS ismaintained. The organization’s documented information should define individualresponsibilityandauthorityformaintainingtheQMS.What’snewcomparedtoISO9001:2008?TheISO9001:2015standarddoesnotusethe

title “management representative” as previous ISO 9001 standards did. However, theorganizationcancontinue touse this title toconveycertain responsibilities.The intentofISO 9001:2015 is to emphasize top management’s responsibilities as going beyonddelegating.Inmypastexperienceswitha smallgroupoforganizations,managementhaddelegated

the quality management coordination too far down the organizational chart. This wasevidentwhenthequalitymanagementrepresentativedidnotattendthemanagementreviewmeetingstopresentthestatusoftheQMS—notagoodsign.Management’sexplanationfor

thiswasthatfinancialandothersensitiveissuesneededtobediscussedatthemeeting,andthe quality coordinator should not be privy to such information.Organizations exhibitingsuch traits usually had a veryweak business plan andQMS. ISO9001:2015 attempts topreventtheoverdelegationofQMSmanagement.It is important to understand thedifferencebetween authority and responsibility. In the

business context, responsibility is the obligation of a subordinate to perform a duty asrequiredbyhisorhersupervisor.Thepersonacceptingresponsibilityisaccountablefortheperformanceof theassignedduties.Authority is thepowerassigned to anexecutiveor amanagerinordertoachievecertainorganizationalobjectives.Clause5.3requiresthattheorganizationbeclearonwhoisauthorizedtoapprovechangestocustomerpurchaseorders,product for shipment to customers, deviations fromapproved specificationsor drawings,thereleaseofreworkedproduct,machineprocessparameters,andnewsuppliers.While the designation of authorities and assignment of responsibilities appears trite,

ISO 9001 auditors often encounter situations where changes in instructions occur ratherhaphazardly, sometimes without any approval. For organizations building a QMS orrebuilding one, I suggest including documented information that clearly defineswhat jobtitleshave theauthoritiesof approval tomanage thebusiness andwhat job titleswillberesponsibleforexecutingthevarioustasks.Chapter6willreviewchangecontrol.

AuditQuestionsClause5.3Howhastheorganizationdetermined:

•Authorities?•Responsibilities?

Whatindividual(title)hastheresponsibilityto:•ReporttotopmanagementontheperformanceoftheQMSandonopportunitiesforimprovement?•Ensurethepromotionofcustomerfocusthroughouttheorganization?•EnsurethattheintegrityoftheQMSismaintainedwhenchangestotheQMSareplannedandimplemented?

Whohastheauthoritytoapprove:•Changestocustomerpurchaseorders?•Productforshipmenttocustomers?•Deviationsfromapprovedspecificationsordrawings?•Releaseofreworkedproduct?•Machineprocessparameters?•Newsuppliers?

6Clause6:Planning

6.1ACTIONSTOADDRESSRISKSANDOPPORTUNITIES

6.1.1:Whenplanning for the qualitymanagement system, the organization shall consider the context of theorganizationandtheneedsofinterestedparties.

Theorganizationshalldetermine the risksandopportunities thatneed tobeaddressed togiveassurancethatthequalitymanagementsystemcan:

•Achieveitsintendedresults;•Enhancedesirableeffects;•Prevent,orreduce,undesiredeffects;•Achieveimprovement.6.1.2:Theorganizationshallplan:

•Actionstoaddresstheserisksandopportunities;•Howtointegrateandimplementtheactionsintoitsqualitymanagementsystemprocesses;•Howtoevaluatetheeffectivenessoftheseactions.Actions taken to address risks and opportunities shall be proportionate to the potential impact on theconformityofproductsandservices.

The requirement to provide risk analysis in QMS activities is a key difference inISO 9001:2015 compared to previous revisions. The organization is now required toassess the risks and opportunities related to its purpose, its business strategy, and theexpectations of interested parties to ensure the QMSmeets its objectives. Quality toolscurrently used inmany organizations include strategic planning process, SWOT analysis,Six Sigma, and lean manufacturing programs. Results of the analysis should be used inestablishing objectives and planning to mitigate the risks. FMEA could be used. Whileorganizations with an effective QMS certainly understand the risks related to theiroperations, the new requirements of ISO 9001:2015may have a positive effect onmanyorganizationsbyrequiringamoreformalizedriskevaluationprocessandsubjectingittoathird-party audit. It shouldbenoted that ISO9001:2015doesnothave a requirement for

preventiveaction.ThereasoningisthattheentireQMSispreventiveinnature,asistheriskanalysisapproach.Organizationsmaybelievethatthepreventiveactionstheyhaveusedforseveralyearsprovideriskanalysisappropriatetotheirbusiness.Icanimagineadiscussionbetweenathird-partyauditorandthequalitymanagerofasmallmachineshop:Auditor:Youarenolongerrequiredtousepreventiveactions.Whatisyourprocessforriskmanagement?Auditee:Forover10years,youhaveharanguedme,giggedme,andcoachedmeonpreventiveactions.NowthatIfinallyunderstandthedifferencebetweencorrectiveandpreventiveactions,yousayIdon’tneedPA!Myriskanalysisprocessisourpreventiveactions.WanttoseeourfivePAsforthisyear?Auditor:Letmecheckwithmyregistrar’soffice.

In this case, Iwould suggest the auditor accept the preventive actions as a risk analysisapproach, provided the actions will reduce or eliminate the probability of specificundesirableevents fromhappening in the future—andnot justpreventacorrectiveactionsituation fromreoccurring.Theorganization shouldbeencouraged toavail itselfofotheroptionsforriskanalysis.Formanyorganizations,theuseofdesignandprocessFMEAscanbeaneffectivetoolto

assure theQMScanachieve its intended results and satisfy ISO9001:2015 requirementsforriskanalysis.TheAmericanSocietyforQuality(ASQ)websiteprovidesguidanceonwhen and how to use the FMEA process (http://asq.org/learn-about-quality/process-analysis-tools/overview/fmea.html).SeeAppendixBforaFMEAsummary.ASQsuggestswhentouseFMEA:

Whenaprocess,product,orserviceisbeingdesignedorredesigned,afterqualityfunctiondeploymentWhenanexistingprocess,product,orserviceisbeingappliedinanewwayBeforedevelopingcontrolplansforanewormodifiedprocessWhenimprovementgoalsareplannedforanexistingprocess,product,orserviceWhenanalyzingfailuresofanexistingprocess,product,orservicePeriodicallythroughoutthelifeoftheprocess,product,orservice

Oneofmymoreinterestingauditingclientswasalargemanufacturerofsemiconductorsandmicroprocessor chips. Semiconductormaterialmanufacturers are quite complex and alsodifficulttoaudit.Theprocessestakeplaceinaclean-roomenvironment,whereallvisitors(includingauditors)have towear the sameuniformsand facemasks as the employees tokeepdirtawayfromtheproduct.Auditorsare required tousespecial fiber-freepaper totakenotes.It takesabouttwotoursofthistypeofsitetostart tounderstandtheprocessesandprovidevaluetotheclient.Onmythirdaudit,thequalitymanageraskedmetofocuson

their change controlprocess as part ofmy audit plan. ISO 9001:2008 had the followingrequirementsrelatedtochanges:4.2.3Controlofdocuments:Adocumentedprocedureshallbeestablishedtodefinethecontrolsneededtoensurethatchangesandthecurrentrevisionstatusofdocumentsareidentified.5.4.2Qualitymanagementsystemplanning:Topmanagementshallensurethat:b)theintegrityofthequalitymanagementsystemismaintainedwhenchangestothequalitymanagementsystemareplannedandimplemented.

When auditing to the requirements of clause 4.2.3, occasionally lapses are found in anorganization’s system that allow some obsolete documents to remain in use. The risksrelatedtochangesintheQMScanbeanissuewhentheorganizationaddsnewequipmenttothe site and fails to include the equipment on the maintenance schedule. These areas,especiallydocumentcontrol,maintenance,andcalibration,areusuallyfertilegroundfortheorganization’sinternalauditors—andfranklydonotpresentamajorrisktothecompany’squalityperformance.Whatthequalitymanagerwaslookingforwerechangesinmaterialsorprocessesthatcouldslipbytheirchangecontrolsystem—resultinginamajorrejectionof very expensive product at various steps in the process. The company had apparentlyexperiencedsuchanevent.Onthisaudit,IdecidedtodigdeeperthanInormallywouldintorawmaterialapproval

andspecificationchanges.Inthepurchasingdepartment,Isampledthepurchaseordersforseveralchemicalsrecentlyusedinmakingthechips.Irecordedthesupplier’sspecificationnumberandrevisionfromthepurchaseorder.Next,thereceivingdepartmentwassampledto match the certificate of analysis (COA) for that material. In 2 cases out of the 10sampled,theCOAincludedspecificationsforthechemical’sparametersthatdidnotmatchthe supplier’s specification on file with the quality department.While the discrepancieswere not a major risk, the quality manager recognized the gap in their raw materialapprovalprocess.AbiggerissuewastheinconsistencyinsigningoffontheCOAs:Sometechnicians would initial and date the COA, and others would not. I suggested threeimprovements:

UpdatetherawmaterialreceivingproceduretorequiretheinitialinganddatingofCOAsRetrainthetechniciansontheupdatedprocedureConductaninternalauditofallcriticalrawmaterials:COAvs.supplierspecifications

Fromthatpointoninmyauditingcareer,Ifoundthatmanycompanieswereatriskrelatedtomaintainingup-to-datespecifications.Often,familiaritybreedscomplacencyinthequalityinspectionworld.Many large chemical suppliersmodify specifications ormanufacturingprocesses without notifying their customers, since they believe the change is an

improvement and will not impact the chemical’s performance. Depending on theorganization’soperations, I suggest thatchanges related tocontrolling rawmaterialsbeapriorityinriskmanagement.Ialsorecommendthatorganizationscarefullyreviewtheprosandconsofestablishinga

risk-basedthinkinginitiativeintheirorganization.Myobservationsonrisk-basedthinkingfollow.

Risk-BasedThinkingThereleaseofISO9001:2015hastriggeredconsiderableinterestintheapplicationofrisk-basedthinkinginthequalitymanagementfield. Acommontoolortechniqueemployedinrisk-basedthinkingistheuseofariskregisterorlog.Whiletherearemanyvariantsonariskregister,thekeyelementsaresimilartothoseofaprocessFMEAandusuallyinclude:

DescriptionoftheriskRisktype(business,quality,design)LikelihoodofoccurrenceSeverityCountermeasuresProcessownerStatus/updates

Thelikelihoodofoccurrenceandseveritycalculationsuserankingcriteriatohelpprioritizethecountermeasuresandactionstomitigatetherisk.Whilerisk-basedthinkingcanbevaluableinassistingtheorganizationinmanagingrisks

andimprovingtheirQMS(andcomplyingtoISO9001:2015requirements),Ihaveconcernsthatrisk-basedthinkingimplementedasaculturalchangefororganizationswillnotbeverysuccessful.Inthepast30years,therehavebeenseveralqualityimprovementinitiativesthatattempted to bring about a change in a company’s culture but did not have a sustainableimpactonthecompany’squalityorbusinessresults.Notedexamplesinclude:

Qualitycirclesinthe1970sTotalqualitymanagement(TQM)inthe1980sBusinessprocessreengineering(BPR)inthe1990s

While each of these programs had successes, a common reason for their lack ofsustainabilitywasthefailureoftheprogramstobecomepartoftheday-to-dayfunctioningofthebusiness.Unfortunately,theprogramswereoftenseenasmanagement’slatestfad.Inmyworklife,Ihavehadtheopportunitytoworkwithallthreeoftheseprograms.

1

Qualitycircleswereoftenunsuccessfulbecausemembersofthegrouplackedthepoweror skills to change the existing companywork structureor procedures.At a circle Iwasinvolved with at the Polaroid Corporation, the manufacturing machine operators wouldgenerateideastoimprovetheprocess,buttheylackedtheskillstoimplementthechanges,whichwereoftenmachineryupgrades.Managementdidnotassignmechanicsorengineerstobepartofthecircle.Inafewmonths,thecirclemembersbecamefrustratedandtheteamsweredisbanded.TQM teams also often failed due to a lack ofmanagement commitment. According to

RosabethMossKanterofHarvardBusinessSchool:WhenTQMefforts fail, it is because they aremounted as programs, unconnected tobusinessstrategy,rigidlyandnarrowlyapplied,andexpectedtobringaboutmiraculoustransformations in the short term without management lifting as much as a finger.(QuotedinBalestracci2009)

AtPolaroidintheearly1990s,afewyearspriortoitsbankruptcy,therewereasmanyas50 total quality ownership (TQO) teams functioning throughout the company. (Polaroidreplaced “management” with “ownership” in support of its employee stock ownershipplan.)WhilePolaroid’smanagementinvestedinemployeetrainingandtimeawayfromtheteammember’sjobs,theoutputoftheTQOteamscontributedlittletoPolaroid’sresults.Asindicated in the quote by Rosabeth Moss Kanter, the TQO initiatives were not closelyconnectedtothecompany’sbusinessstrategy.Totalqualityownership(ormanagement)canimproveproductqualityorefficiency;itcannotinventnewproducts.BPRoftenfailedbecauseofexistingcompanyculture. In theirbookReengineering the

Corporation:AManifestoforBusinessRevolution,JamesChampyandMichaelHammerstate:A company’s prevailing cultural characteristics can inhibit or defeat a reengineeringeffort before it begins.For instance, if a companyoperates by consensus, its peoplewill find the top-down nature of reengineering an affront to their sensibilities.Companieswhoseshort-termorientationskeepthemexclusivelyfocusedonquarterlyresultsmay find it difficult to extend their vision to reengineering’s longer horizons.Organizations with a bias against conflict may be uncomfortable challenging long-established rules. It is executive management’s responsibility to anticipate andovercomesuchbarriers.(ChampyandHammer1993,207)

PolaroidinvestedheavilyinBPRinanattempttoimproveoperatingefficiencyandtime-to-marketfornewproducts.IattendedseminarsconductedbyBPRfounderMichaelHammerandwaspartofacompany-wideprogramtoreengineer thepackagingofPolaroid instantfilmproducts.TheBPRprogramsappeared tohavesupport fromseniormanagement,butmiddlemanagementhadlittlemotivationtochangetheprocessesthathadkeptthemnicelyrewardedformanyyears.

Quality managers planning to establish risk-based thinking as a new culture in theircompany as part of implementing ISO9001:2015maywant to review the failures of the

programs listedabove.Beforeembarkingonrisk-based thinking,qualitymanagersshouldensure that both top management and middle managers are on board and committed tosupporting and implementing this new thought process.Quality initiatives that have beensuccessful in the last several years are Six Sigma and leanmanufacturing (discussed inChapter10).Inmyopinion,thereasontheseprogramshaveachievedsuccessisthatwhiletheydoincludesomelevelofculturechangefortheorganization’semployees—ordifferentthoughtprocesses—theyarealsoresultsdriven.Topmanagementsupportisimportant,butmiddlemanagersandworkstaffcanoperatequiteindependentlyandeffectivelyoncetheyareprovidedacharterbymanagementforaSixSigmaorleaninitiative.I recommend that quality managers seeking to initiate risk-based thinking in their

organizationconsideremployingriskanalysisspecifictotheorganization’sprocesses.TheHandbookpointsoutseveralareaswhereriskanalysisshouldbeemployed:

Processorequipmentchanges:Chapter6.Whenproductionequipmentorprocessesarechanged,theimplementationplanshouldincludethepotentialrisktoproductquality.Testinga“new”materialproductpriortoreleasetocustomersisacommontechniqueemployed,alongwiththeapplicationofFMEA.Rawmaterialspecificationcontrol:Chapter6.Anychangeinmaterialsusedinproductionshouldbetestedbeforereleasetocustomers.Theorganizationshouldensureitssuppliersareawareoftheneedtocommunicateandmaintaincontrolofanychangesintheirspecificationsorprocesses.Documentcontrolandreview:Chapter7.Theorganizationshouldensurethatdocumentsusedbyemployeesaremaintainedandcontrolledtoavoidmistakes.Employeeinstructionsshouldbereviewedatsomefrequencytoensureemployeesarenotbypassingoperatinginstructions.Design:Chapter8.Duringthedesignprocess,arobustverificationandvalidationplanshouldbeemployedtoeliminaterisksrelatedtonewdesigns.Thenewdesignprocessshouldalsoincludeariskanalysisrelatedtotheimpactthenewdesignprocessmayhaveonemployeesafetyandtheenvironment,includingend-of-lifedisposalissues.Regulatoryupdates:Chapter8.Theorganizationshouldmaintainaprocesstostayuptodateonchangestostatutoryandregulatoryobligationsrelatedtoitsproductstoeliminaterisksrelatedtononcompliance.Outsourcedprocesses:Chapter8.Processesperformedbyexternalpartiescancreateariskfortheorganizationinmeetingitscommitment.Externalsupplierselectionshouldincludecontrolsrelatedtotheimpactthesuppliercouldhaveonproducingacceptableproductsorservices.Inspectionofexternallysuppliedproductsshouldbebasedoninspectioncostversusriskrelatedtosuppliererrors.Planningofinternalaudits:Chapter9.Thetimingofinternalauditsforvariousprocessesshouldbebasedontheimpacttheprocesshasonqualityperformanceas

wellasthehistorytheparticularprocesshasofgeneratingnonconformances.Byfocusingonthehistoryandimpactofeachprocess,theorganizationcanallocateauditingresourcestoreducetheriskoferrors.Effectivenessofcorrectiveactions:Chapter10.Animportantconsiderationinthecorrectiveactionprocessishoweffectivelythecorrectionreducestheriskofthesameissuerecurring.Timeandresourcesallocatedtomeasuringtheeffectivenessofthecorrectionshouldbecommensuratewiththeriskofrecurrence.

AuditQuestionsClause6.1How does the organization assess the risks and opportunities related to its purpose, its business strategy, and theexpectationsofinterestedpartiestoensuretheQMSmeetsitsobjectives?

Examples:Strategicplanningprocess,SWOTanalysis,SixSigma,leanmanufacturing

Whataresomeexamplesofhowtheorganizationaddressestheidentifiedrisksandopportunities?Examples:Reportsorrecordsofriskanalysis

6.2QUALITYOBJECTIVESANDPLANNINGTOACHIEVETHEM

6.2.1:Theorganizationshallestablishqualityobjectivesatrelevantfunctions,levelsandprocessesneededforthequalitymanagementsystem.

Thequalityobjectivesshall:

•Beconsistentwiththequalitypolicy;•Bemeasurable;•Takeintoaccountapplicablerequirements;•Berelevanttoconformityofproductsandservicestoenhancementofcustomersatisfaction;•Bemonitored;becommunicated;beupdatedasappropriate.

Theorganizationshallmaintaindocumentedinformationonthequalityobjectives.

6.2.2:Whenplanninghowtoachieveitsqualityobjectives,theorganizationshalldetermine:

•Whatwillbedone;whatresourceswillberequired;•Whowillberesponsible;•Whenitwillbecompleted;howtheresultswillbeevaluated.

NewtoISO9001:2015isthemoredirectstatementrequiringtheorganizationtoestablishprogramstoimplementqualityobjectives.ISO9001:2008clause5.4.1,Qualityobjectives,states:Topmanagement shall ensure that quality objectives, including those needed tomeetrequirements for product, are established at relevant functions and levelswithin theorganization.Thequalityobjectivesshallbemeasurableandconsistentwiththequalitypolicy.

Theplanningrequiredtoimplementthequalityobjectiveswassomewhatvague.Whilepastrevisions of ISO 9001 gave organizations some flexibility in implementing their quality

objectives,third-partyauditorswillnowexpecttheorganizationtohaveadefinedprogramto achieve each of its quality objectives. This requirement is consistent withISO 14001:2015 and should reduce auditing inconsistencies—and enhance qualityimprovements.

AuditQuestionsClause6.2Arethequalityobjectivesconsistentwiththequalitypolicy?

Arethequalityobjectivesmeasurable?

Arethequalityobjectivesrelevanttoproductorserviceconformity?

Howdoestheorganizationcommunicatethequalityobjectivestoemployees?

Inplanningtoachievethequalityobjectives,doestheorganizationestablish:

•Whatwillbedone?•Whatresourceswillberequired?•Whowillberesponsible?•Whenitwillbecompleted?•Howtheresultswillbeevaluated?

Howarethequalityobjectivesmonitored,andwhatactionsaretakenwhentheobjectivesarenotmet?

6.3PLANNINGOFCHANGESWhentheorganizationdeterminestheneedforchangestothequalitymanagementsystem,thechangesshallbecarriedoutinaplannedmanner.Theorganizationshallconsider:

•Thepurposeofthechangesandtheirpotentialconsequences;•Theintegrityofthequalitymanagementsystem;•Theavailabilityofresources;•Theallocationorreallocationofresponsibilitiesandauthorities.

Clause 6.3 is very similar to ISO 9001:2008 clause 5.4.2, Quality management systemplanning,whichstates:Top management shall ensure that the integrity of the quality management system ismaintained when changes to the quality management system are planned andimplemented.

Asdescribedunderclause6.1,Actions toaddressrisksandopportunities,changes in theQMScanrepresentathreattotheorganization’sperformance.Aneffectivechangecontrolprocesswillincludeacross-functionalsign-offonchangesinthemanufacturingorserviceprocesses.TheECNorsimilarsystemwillrequirethattheappropriateindividualsreviewandapprovechangestoensureproductqualityismaintainedwhenchangesoccur.Changesto customer or supplier specifications, deviations from approved specifications ordrawings, changes in machine process parameters, and qualifying new suppliers are allexamplesofwheremultidepartmentsign-offshouldbeemployed.

At Polaroid I witnessed (and survived) several situations where change control wasinadequate,eventhoughthecompanyhadaprocessinplace.Polaroid’sinstantfilmcassetteincluded a six-volt flat battery to power the camera’s flash system and electronics. Thebatteryhadthinaluminumcollectorplates(anodeandcathode)thatrequiredaconductiveadhesive toconnect thecellsof thebattery.Thepurchasingdepartment,underpressure tocutcosts,challengedthealuminumsupplier(aFortune500company)toreducethecostby10%.Toaccomplishthisgoal,thealuminumsupplierreducedthenumberofpassesthroughtherollingmill,whichloweredlaborcosts.Eachpassthroughthemillnowconsumedtoomuchenergy,sothealuminumcompanychangedthetypeoflubricantitused.Thealuminumcompany did not disclose the lubricant change because they felt it would not affect thefinishedcollectorplates.Severalmillion dollars’worth of batteries and film had to be scrapped a fewmonths

later.Thenewlubricantonthealuminuminteractedwiththeconductiveadhesive,causingtheflatbatterytodelaminate—notimmediately,butafewmonthsafterassembly.Polaroid’schange control process had been followed. The key issue was the aluminum supplier’sfailuretodisclosethechangeinlubricant(theylaterclaimeditwasaproprietaryformula).OneofthelearningpointsafterthefiascowastostrengthenPolaroid’ssupplieragreementstorestrictmaterialsubstitutionorprocesschangeswithoutPolaroid’sapproval.Iincludethisexampletoshowthatfailuresinmanufacturingcanbecausedbycultureas

muchasalackofdisciplineandcontrols.InthePolaroidaluminumscenario,themassivefailurecouldhavebeenavoidedifafewwarningsignshadnotbeendismissed.Inthefirstqualification trial of the aluminum, the test and control performed exactly the same—butonly because the test engineer mislabeled the materials, and the test and control wereactuallyfromthesamelotofstandardmaterial.Thepurchasingmanagerwashell-bentonimplementing the cost savings (perhaps his bonus was in play?), so he convinced thetechnicalmanagertobypasstheusualrepeattrialsofnewmaterial.Ayoungengineernotedthat the first run of the new aluminum did not laminate aswell as the standardmaterial(“What does she know?” was the technical manager’s response). I collected all thisinformationtoconvincePolaroid’spresidentthatthebatteryplanthadsufficientlyimprovedourchangecontrolprocesstoavoidarepeatofthealuminumproblem.Heleftmewiththisadvice:“Whenmakingchangesinmaterialsinthefuture,insteadofprovingwhythechangeisgoingtobesuccessful,assumethatitwillnotwork—anddevelopaplantoproveitdoes.Withthatapproachyouwillnotbeasapttomisssignals.”

AuditQuestionClause6.3What process does the organization use to ensure that changes in processes, products, and services do not have anadverseeffectontheintegrityoftheorganization’sQMS?Examplesofareaswhereorganizationsmaybeatriskwhenchangesoccur:

•Materials—suppliers•Productspecifications•Processorequipmentsettings•Customerdesign

•Regulatoryrequirements

ENDNOTE1.Forreadersinterestedinpursuingrisk-basedthinkingasappliedtoISO9001:2015,ASQhasalistoftrainingopportunitiesandbooksathttp://asq.org/training/Risk-Management--Essentials-and-Implementation-strategies_RMEIS.html.

7Clause7:Support

Clause7 groups several clauses of ISO9001:2008 into onemajor clause:Support.ThischangeallowsforalignmentwithISO14001:2015.NewtoISO9001:2015isclause7.1.6,Organizationalknowledge.Figure7.1groupsthesubclausesofclause7.

7.1RESOURCES

7.1.1GeneralTheorganizationshall determineandprovide the resourcesneeded for theestablishment, implementation,maintenanceandcontinual improvementof thequalitymanagementsystem,consideringthecapabilitiesofexisting internalresourcesandwhatneedstobeobtainedfromexternalproviders.

7.1.2PeopleThe organization shall determine and provide the persons necessary for the effective implementation of its qualitymanagementsystemandfortheoperationandcontrolofitsprocesses.

7.1.3InfrastructureTheorganizationshalldetermine,provideandmaintaintheinfrastructurenecessaryfortheoperationofitsprocessesandtoachieveconformityofproductsandservices.

7.1.4EnvironmentfortheoperationofprocessesTheorganizationshalldetermine,provideandmaintaintheenvironmentnecessaryfortheoperationofitsprocessesandtoachieveconformityofproductsandservices.

7.1.5Monitoringandmeasuringresources

7.1.5.1GeneralTheorganizationshalldetermineandprovidetheresourcesneededtoensurevalidandreliableresultswhenmonitoringormeasuringisusedtoverifytheconformityofproductsandservicestorequirements.

7.1.5.2MeasurementtraceabilityWhenmeasurementtraceabilityisarequirement,orisconsideredbytheorganizationtobeanessentialpartofprovidingconfidenceinthevalidityofmeasurementresults,measuringequipmentshallbe:

•Calibratedorverified,orboth,atspecifiedintervals,orpriortouse,againstmeasurementstandards;• Traceable to international or national measurement standards; when no such standards exist, the basis used forcalibrationorverificationshallberetainedasdocumentedinformation;

•Identifiedinordertodetermineitsstatus;• Safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequentmeasurementresults.

The organization shall determine if the validity of previous measurement results has been adversely affected whenmeasuringequipmentisfoundtobeunfitforitsintendedpurpose,andshalltakeappropriateactionasnecessary.

7.1.6OrganizationalknowledgeTheorganizationshalldetermine theknowledgenecessary for theoperationof itsprocessesand toachieveconformity of products and services. When addressing changing needs and trends, the organization shallconsider itscurrentknowledgeanddeterminehowtoacquireoraccessanynecessaryadditionalknowledgeandrequiredupdates.

Clause 7.1 defining the requirements for resources is essentially the same as existingclausesinISO9001:2008,exceptforthenewsubclause,7.1.6.WhileISO9001:2008clause6.2.1,Humanresources—General(“Personnelperforming

work affecting conformity to product requirements shall be competent on the basis ofappropriateeducation, training, skillsandexperience”), implied thatorganizationsshouldmaintainorganizationalknowledge,ISO9001:2015requiresthatorganizationsconsiderandreview their processes to ensure that operational/process or product knowledge ismaintainedwhen employees leave the organization, and to reviewprocesses used by theorganizationtoremainknowledgeableaboutnewtechnologyrelevanttoitsbusinessmodel.The key phrase in the new organizational knowledge clause is “consider its current

knowledge.” A third-party auditor would expect the organization, depending on itsoperations,tohavesomeformalizedprogramforsuccessionplanning,technologyupdates,

andsuppliercontingencies.ManyISO9001–certifiedorganizationshaveprocessesinplaceformaintainingorganizationalknowledgebywayoftheirbusinessstrategyandcontingencyplan.Theorganization’s internal auditors and third-party auditors need to be sensitive topossibleconfidentialityissueswiththisinformation.Additionally,sincetherequirementisfor the organization to consider its current knowledge and determine how to acquire oraccessanynecessaryadditionalknowledge,auditorsshouldnotrequiretheorganizationtoimplement actions to acquire additional knowledge; the implementation of a businessstrategyisconfidentialandoutsidethescopeofISO9001andtheskillsetofthemajorityofISOauditors.Clause7.1.3, Infrastructure, requires theorganization tomaintain facilities and support

processessuchas transport/trucking, informationsystems,accounting,productionmachinemaintenance,andplantequipment suchasair,vacuum,water, andsteamsources. Inmostorganizations,maintenanceofmachineryandfacilitiesequipmenthasthebiggestimpactonthe organization’s quality performance. The older versions of ISO 9001 included theconceptofmaintainingproductionmachineryinordertomaintainprocesscapability—stillagoodidea.Maintenanceofcomputer-basedsupportequipmentcanalsobe important, intheareaofdatabackup.Someorganizationsfindithelpfultomeasuretheeffectivenessofthe preventive maintenance process by monitoring the percentage of time machines areavailableforproduction.Clause 7.1.4, Environment for the operation of processes—formerly clause 6.4,Work

environment—hasbeenasourceofconfusionforbothauditorsandauditees.ThewritersofISO9001:2015didnothelpresolvethesituation.Anoteinclause7.1.4reads:Asuitableenvironmentcanbeacombinationofhumanandphysicalfactors,suchas:a)Social(e.g.non-discriminatory,calm,non-confrontational);b)Psychological(e.g.stress-reducing,burnoutprevention,emotionallyprotective);c)Physical(e.g.temperature,heat,humidity,light,airflow,hygiene,noise).These factors can differ substantially depending on the products and services

provided.Clause7.1.4requirestheorganizationtodetermine,provide,andmaintaintheenvironmentnecessaryfor theoperationof itsprocessesandforachievingconformityofproductsandservices. So, should the organization (and the auditor) be concerned that a nervous orsweatyemployeewillmakeapoorproduct? Ibelieve that the intentofclause7.1.4 is tocover work environment issues (e.g., work area temperature, humidity, electrostaticconditions,dirt)thatcancausenonconformingproduct.Manyproductsneedtobeproduced(andmeasured)inacontrolledtemperature/humidityenvironment.Electroniccircuitboardsoften must be produced in an atmosphere free of electrostatic charge from employees;similarly, many products need to be produced in an atmosphere free of dirt or othercontamination. While organizations should maintain a safe and relatively clean andcomfortable workplace, auditing to those requirements should not be in the scope ofISO9001.

Anauditorcolleagueofmineonceremarkedwhenobservingsomesafetyviolationsinaplant,“Theorganizationwon’tmeetitsshippingcommitmentsifOSHAputsalockonthedoor!”Thisapproachisnothelpful.Qualityauditorsshouldfocusonquality.Clause7.1.5.2,Measurementtraceability,coverswhatwasclause7.6inISO9001:2008,

Controlofmonitoringandmeasuringequipment.Thereisnochangeinrequirements.Mostorganizations refer to thisprocessascalibrationandhavecontrols inplace. Idon’thaveofficial statisticson this, butmy instincts tellme thatwhen it comes tononconformancesissued by auditors, gaps in calibration probably rank at the top of the list. A well-maintainedcalibrationprocessispartofthedisciplineISO9001bringstocompaniesofallsizesandlevelsofcomplexity.

AuditQuestionsClause7.1.3WhatarethesupportingservicesinthescopeoftheQMS?HowaretheymanagedtosupporttheQMS?Examples: Transport/trucking, information systems, accounting, machine maintenance, plant equipment (air, vacuum,water,steam),poweredlifttruckmaintenance

Howistheeffectivenessofthemaintenanceprocessmeasuredormonitored?Examples:Machineefficiency,machinedowntime/uptime

Clause7.1.4Whatarethework environmentconditionsorparametersthatcouldhaveanimpactonproductquality?Examples:Temperature,humidity,electrostaticdischarge,dirt/contamination

Clause7.1.5.2Howdoestheorganizationensurethatitsdevices:

•Identifytheircalibrationstatus?•Arecalibratedorverifiedatspecifiedintervals?•Aremeasuredagainsttraceablestandards?•Areadjustedorreadjustedasnecessary?•Aresafeguardedfromadjustments?•Areprotectedfromdamageanddeterioration?

When the equipment or device is found not to conform to calibration requirements, what action does the organizationtake?

Clause7.1.6What process does the organization use to ensure operational/process or product knowledge is maintained whenemployeesleavetheorganization?

Whatprocessisusedbytheorganizationtoremainknowledgeableaboutnewtechnology?

7.2COMPETENCEThe organization shall determine the necessary competence of persons doing work under its control that affects theperformanceandeffectivenessofthequalitymanagementsystem.

Theorganizationshall:

•Ensurethatthesepersonsarecompetentonthebasisofappropriateeducation,trainingorexperience;•Where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actionstaken;

•Retainappropriatedocumentedinformationasevidenceofcompetence.

7.3AWARENESSTheorganizationshallensurethatpersonsdoingworkundertheorganization’scontrolareawareof:

•Thequalitypolicy;•Relevantqualityobjectives;• Their contribution to the effectiveness of the quality management system, including the benefits of improvedperformance;

•Theimplicationsofnotconformingtothequalitymanagementsystemrequirements.

7.4COMMUNICATIONTheorganization shall determine the internal andexternal communications relevant to thequalitymanagement system,includingwhowillcommunicate,onwhatitwillcommunicate,whentocommunicateandwithwhomtocommunicate.

ISO 9001:2015 has no new requirements for competence, awareness, or communication.Table7.1distinguishestheintentandconformanceevidenceamongthethreeclauses.

There is no change in ISO 9001:2015 related to competence. The organization mustidentifythecompetence,skills,andtrainingneededtosupporttheQMS.Competenceinthecontext of an industrial plant and as defined by ISO 9001:2015 is the “ability to applyknowledgeandskillstoachieveintendedresults.”IprefertheEncartadictionarydefinition:“Theabilitytodosomethingwell,measuredagainstastandard,especiallyabilityacquiredthroughexperienceortraining.”Foreachtask,theorganizationneedstoestablishaprocessto qualify the assigned employees, either by witnessing the employees work or throughtesting.Wherejobdescriptionsareused,theorganizationshouldprovidearecordofhowand why the employee matches the job’s requirements. The competence and training oftemporary workers who perform the same tasks as employees in the plant should beincludedintheorganization’strainingrecords.

AuditQuestionsClause7.2

How does the organization determine the competence of personnel who perform work affecting conformity to productrequirements?

Onwhatbasisarenewemployeeshired?

Howareemployeesmovedtonewassignmentsorcross-trained?

Howarenewemployeesorientedandmadeawareoftheorganization’sQMS?

How does the organization make employees aware of the relevance and importance of their activities and how theycontributetotheachievementofthequalityobjectives?

Howdoestheorganizationdeterminetrainingneeds?

Whenproceduresorwork instructionschange,howareimpactedemployeesupdated?Howaretheseactionsrecorded?

Clause7.3HowdoestheorganizationmakeemployeesawareoftheintentandresultsoftheQMS?

Clause7.4Howdoestheorganizationcommunicatewiththevariouslevelsandfunctionsoftheorganization?

HowarechangesaffectingtheQMScommunicatedtoimpactedemployees?

Howdoestheorganizationreceive,document,andrespondtorelevantcommunicationfromexternalinterestedparties?

Isthequalitypolicyavailabletothepublic?How?

7.5DOCUMENTEDINFORMATION

7.5.1GeneralThe organization’s quality management system shall include documented information required by this InternationalStandard and documented information determined by the organization as being necessary for the effectiveness of thequalitymanagementsystem.

7.5.2CreatingandUpdatingWhencreatingandupdatingdocumentedinformation,theorganizationshallensureappropriate:

•Identificationanddescription(e.g.atitle,date,authororreferencenumber);•Format(e.g.language,softwareversion,graphics)andmedia(e.g.paper,electronic);•Reviewandapprovalforsuitabilityandadequacy.

7.5.3Controlofdocumentedinformation7.5.3.1:DocumentedinformationrequiredbythequalitymanagementsystemandbythisInternationalStandardshallbecontrolledtoensure:

•Itisavailableandsuitableforuse,whereandwhenitisneeded;•Itisadequatelyprotected(e.g.fromlossofconfidentiality,improperuseorlossofintegrity).

7.5.3.2:Forthecontrolofdocumentedinformation,theorganizationshalladdressthefollowingactivities,asapplicable:

•Distribution,access,retrievalanduse;•Storageandpreservation,includingpreservationoflegibility;•Controlofchanges(e.g.versioncontrol);retentionanddisposition.

Documentedinformationofexternalorigindeterminedbytheorganizationtobenecessaryfor theplanningandoperationofthequalitymanagementsystemshallbeidentifiedasappropriateandbecontrolled.

A nomenclature change with ISO 9001:2015 is designating documented information asincludingbothdocumentsandrecords,whichweredefinedindependentlyinpriorISO9001revisions. This is consistentwith ISO 14001:2015 and is intended to allow a variety of

media to document the organization’s plans. ISO 9000:2015 defines documentedinformationas:Information required to be controlled and maintained by an organization and themediumonwhich it is contained.Documented information can be in any format andmedia,andfromanysource.

ISO 9001:2015 clause 7.5.2, Creating and updating, is more prescriptive than priorrevisionsof ISO9001as itdefineshow theorganization should format theirdocumentedinformation.Procedures,workinstructions,andformsneedtoincludeatitle,date,author,orreferencenumber;theformat(e.g.,softwareversion,graphics);andwhetherthemediaispaperorelectronic.Thedocumentedinformationneedstobereviewedandapproved.Withpast revisions, the responsibilities for preparation of documents and approval wereinconsistently interpreted by various organizations. The procedure describing thepreparationofdocumentedinformationshouldclearlydefinewhowillpreparedocuments(e.g., the process owner) and who will approve them (e.g., the quality manager, plantmanager,orotherauthority).Abestpracticewouldbetohaveaminimumoftwoemployeessignoffoneachdocument. Ifa third-partyconsultantassists theorganization inpreparingISO9001documentation,amemberof theorganization’smanagementneeds tobepartoftheapprovalprocess.TheISO9001:2015requirements for reviewandapproval forsuitabilityandadequacy

are somewhat vague, as has been the case with prior ISO 9001 revisions. I suggest theorganizationestablishareviewprocessfordocumentationcommensuratewiththerisksofdeviationfromemployeeinstructions.Theintentofthereviewprocessshouldbetoensurethatthequalitydocumentation(e.g.,

work instructions, standard operating procedures)matches current practices. Operatingpersonnelmayimprovisewhenperformingatasktoimprovetheirefficiencyorsavesteps,but thisshouldnotbedonewithoutmanagementapproval.Theinternalauditprocessmaybe a suitablemethod ofmonitoring documentation vs. practice, provided the audit notesinclude evidence thatwork instructionswere validated. In other cases,work instructionsshouldbe reviewedby theappropriateauthorityatadefined frequency. I suggest that theorganizationestablishapriority list, ranking therisk levelofwork instructionsrelated tothepotentialforqualityupsets(orpriorhistoryoferror-proneactivities).Examplesmightinclude the instructions for final release of sophisticated electronic devices or processconditionsforchemicalmanufacturing.These instructionsshouldbeformallyreviewedatleastannually.Clause7.5.3,Controlofdocumentedinformation,differsfromearlierISO9001revisions

in that documented information now covers what was previously referred to as qualityrecords as well as procedures, instructions, and forms; it is also somewhat moreprescriptive than prior revisions of ISO 9001, requiring the organization to establish aprocess tocontrol thedistribution, access, retrieval,use, storage,preservation (includingpreservationoflegibility),changes(e.g.,versioncontrol),retention,anddispositionofalldocumented information. The majority of the requirements apply to quality records;

however, the organization should also define its process for controlling the distribution,access,andversioncontrolofprocedures,instructions,andforms.Documentsofexternaloriginthattheorganizationdeemsnecessaryfortheplanningand

operationof theQMSneed tobe identified, as appropriate, and controlled.Examples ofexternaldocumentsincludelegalpermits,licenses,laboratoryanalysis,supplierequipmentmanuals, and customer or industry requirements or specifications. A best practice forexternal document controlwould be to have amaster list of all relevant external qualitydocuments that specifies their location, how they are accessed, and how they are keptcurrent,withtherevision-levelcontrolprocessdefined.Qualityrecordsareauniqueformofdocumentedinformation.Thereisnorequirementin

ISO 9001:2015 indicating that organizations cannot use the term “quality record.”ISO9000:2015definesdocumentsandrecordsasfollows:“Document:informationcreatedinorderfortheorganizationtooperate”;“Record:evidenceofresultsachieved.”Qualityrecordsareanimportantpartof theQMS.Inadditiontoprovidingevidenceof

conformance to a specification or requirement, a quality record can be an organization’sbestdefenseagainstacustomerproduct returnorevena lawsuit.AnextremecasewherequalityrecordswerenotproperlymaintainedwastheGeneralMotors(GM)ignitionswitchfailurestartingin2004,describedhereinaCNNMoneyarticle:Theessentialproblem:Thecars’ignitionswitch,wherethekeyisinsertedandturnedto start the car, could easilybebumpedormovedoutof the “Run”position into the“Off” or “Accessory” position.When that happens, power braking and steering, aswellasairbags,canstopworking....WhatmostpeopleatGMdidn’tknowwasthatDelphi,thecompanythatsuppliedthe

switch,hadredesignedthepartin2006tomakeithardertoturn.The problem had been fixed. A GM engineer even signed off on the changes.

Unfortunately, GM didn’t change the part number of the switch. As a result,manufacturingrecordsdidn’tindicatethattheissuehadbeenresolved.(Valdes-Dapena2014)

ThetragicignitionswitchfailureatGMisaprimeexampleofalackofbothchangecontroland quality record keeping. I have audited at companieswhere part number changes andpartnumberdrawingrevisionchangeswerenotproperlymanaged.Whenmakingchanges,anorganizationneedstounderstandthedifferencebetweenanF3(form-fit-function)changeandadrawingrevision.Apartdrawingcanberevisedforclarityoreaseinmanufacturing,since thechangewillnot impact the form, fit,or functionalityof thepart.Vista IndustrialProductsdefinesfit,form,andfunctionasfollows:Fit:referstotheabilityfortheparttointerconnect,matewith,join,orlinktoanotherpartoranassembly.Ifapartrequires“fit”itusuallyreferstohavingtighttolerancesinordertomatchuptootherpartsorassembly.Form:referstodimensions,weight,size,andvisualparametersofapart.Thismainlyrepresentstheoverallvisualcharacteristicsofthepart.

Function:referstothepurposeofthepartbyhowthepartshouldperformandoperate.(VistaIndustrialProducts2012)

Because the ignitionswitchredesignprovided improved functionality,making theswitchharder to turn, the redesign should have resulted in a new part number. In my auditingexperience at large companies with several levels of management, there is oftenbureaucracyinvolvedinobtainingsign-offfornewpartnumbers.Theautomotivesectorinparticularhasarequirementfornewpartapproval:Production Part Approval Process (PPAP) defines requirements for production partapproval, including production and bulk materials. The purpose of PPAP is todetermineifallcustomerengineeringdesignrecordandspecificationrequirementsareproperlyunderstoodby thesupplierand that theprocesshas thepotential toproduceproductconsistentlymeetingtheserequirementsduringanactualproductionrunatthequotedproductionrate.(AIAG2006)

PPAP is a very powerful tool, particularly as it relates to change control and risks inproduct changes; however, the process takes time—and organizations take shortcuts. Adrawing revision change requires fewer approval signatures and can be implementedquickly.OrganizationsusingPPAPwouldbebetter off streamlining the approval processratherthanbypassingit!ISO 9001:2015 (like prior ISO 9001 revisions) does not require the creation and

maintenanceof aquality records list; however, it is ahelpful tool fororganizingvariousrecords. If a records list is not used, then each applicable quality record should bereferencedintherelatedprocedureorworkinstruction.Anexperiencedauditorcanusetheorganization’slistingofrecordstodriveaneffectiveaudit.Eachrecordwillcreateatrail,bothforwardandback,intohowtheorganizationismanagingitsqualitycommitments.Howwas the frequencyof inspectionsor testingestablished:procedure?Why is theemployeeinterviewedcompetenttodoinspections:trainingrecord?Werethediscrepanciesthatwerenotedintheinternalauditsresolved?Whatwaslearnedfromacustomercomplaint:follow-upactions?Thefollowingareexamplesofqualityrecordsfoundinmostorganizations:

ContractreviewsCustomerfeedbackCustomerpropertyReturnedmaterialDesignreviewsEngineeringchangesApprovedsupplierlistSupplierevaluations

PurchaseordersInspectionreportsMaintenanceCalibrationWorkenvironmentEmployeetrainingCorrectiveactionsImprovementreportsAuditreportsManagementreview

AnexampleofhowaqualityrecordslistmightbeformattedisshowninTable7.2.Control of documented information requires theorganization to control procedures and

instructionsthatinformemployeesonhowtocompletetheirassignedtasks.Insimpleterms,anydocumentornotethattellsanemployeehowtodotheirjobshouldbecontrolled.Thisdoesn’tmeanatipsheetorsketchpostedonamachinetoprovideguidanceonoperatingthemachinemusthaveacontrolleddocumentnumberassignedintheorganization’sQMS.Thesupervisorcan“control”thetipsheetorsketchbyinitialinganddatingit.Itisgoodpracticetoplacealimitonhowlongthetipsheetcanstayinuse—say,threemonths—beforeitisreapproved.A similar time limit shouldbe placedondeviated changes to the controlleddocumentsintheQMS(red-linenotations).

I recently visited a former client, a precision welder of high-tech cylinders for thesemiconductor industry.This company had postedwork instructions at eachwork stationproviding detailed manufacturing and test information that was controlled in theirdocumentation system and frequently accessed by the workers. I was surprised (anddisappointed)toseeeachinstructionnowcontaineda“referenceonly”notationinlargeredletters.Thecompanyownerinformedmetheyhadengagedaconsultanttoestablishaleanmanufacturingprogram.Theconsultantsuggestedthatthecompanyaddthe“referenceonly”notationsothatwhenchangesoccurred,theywouldnothavetoworryaboutanISOauditorchallenging their document control. This misapplication of ISO document control ispreached by many consultants and third-party auditors. It is the antithesis of qualitymanagement.Any instructionusedbyemployees tocompletea taskcannotbe“referenceonly”;itshouldreflectthemostaccurateandcurrentinformationpossibletoavoiderrors!

The“referenceonly”tactichasbeenaroundsincetheonsetofISO9000.OrganizationswantingtoestablishasolidQMSshouldavoidtryingtobeatthesystemandinsteademploycommonsensewhencontrollingdocumentedinformation.ManyorganizationsI’veauditedhave been instructed by “experts” to add “This document is valid for three days afterprinting” (indicating that after three days the document is no longer valid, so employeesshouldnotuseit)orasimilarcaveattothefooteroftheirdocuments.Iadvisedtheseclientsthatthiscouldonlycausemoredifficultyandwouldnothelpthemavoidanonconformance.During the audits, I would sample several instructions that were in use, record theirrevisiondate,andverifythedateagainstthemastercontrollist.Ifaninstructionwasoutofdate, then a gap in the organization’s document systemwas evident. A “three days afterprinting”noteonlyelevatedthenonconformances.Ifanorganizationwantstouseacaveat,ahelpfulmessage I’ve seen is: “It is the responsibilityof theuser to ensure the revisionleveliscorrect.”Theauditorstillverifiesthecurrencyoftheinstruction;however,nowtheonus is on the employee using the instruction to take ownership of the accuracy ofinstructionsforhisorherwork.I witnessed a rather comical overuse of “reference only” stamps while auditing a

companythatsuppliedmachinedcomponentstotheautomotivesector.Intouringtheplant,Iobservedalargeposter:“TheDecimal–FractionConversionChart.”Ithadthe“referenceonly”notation.

AuditQuestionsClause7.5Wherearethefollowingdocumented?

•Thequalitypolicy,objectives,andprograms•Descriptionofthescope,boundaries,andcontextoftheQMS

HowdoestheorganizationdescribethemainelementsoftheQMSandtheirrelationshipwithISO9001:2015?

WhatdocumentedinformationoftheQMSisnecessaryfortheorganizationtomaintaintheeffectivenessoftheQMS?

Howdoestheorganizationprovidelinkageorreferencetolower-leveldocumentation?

Howareexternaldocumentsmaintained?Examples: Customer specifications, product or material drawings, regulatory documents, quality standards, suppliermanuals

Howdoestheorganizationdefinetheprocessforapprovingdocumentsforadequacypriortoissue?

Howdoestheorganizationdefinetheprocessforpreparingdocumentstoinclude:•Theidentificationanddescription(e.g.,atitle,date,author,orreferencenumber)?•Theformat(e.g.,language,softwareversion,graphics)andmedia(e.g.,paper,electronic)?

Howdoestheorganizationcontroltheprocessesfor:•Ensuringthatrelevantversionsofapplicabledocumentsareavailableatpointsofuse?• Preventing the unintended use of obsolete documents and ensuring that the documents remain legible and readilyidentifiable?

Howdoestheorganizationcontroltheprocessforreviewingandupdatingproceduresandwork instructionstoensuretheyarebeingusedbyemployeesasdocumented?

How does the organization control the process for changing documents and providing revision control and record ofchange?

Howdoestheorganizationprotectdocumentedinformationretainedasevidenceofconformityfromunintendedalteration?

Howdoestheorganizationidentify,store,andprotectrecordsrequiredtodemonstrateconformitytoitsQMS?•Istheretentiontimeforrecordsdefined?•Whatistheprocessusedtodisposeofrecords?

Wherearethequalityrecordsidentified?Examples:Recordslist,procedure,workinstruction

Howarethequalityrecordsaccessed?

8Clause8:Operation

Clause8includessubclausesfromISO9001:2008clause7,Productrealization,alongwithclause 8.2.4, Monitoring and measurement of product, and clause 8.3, Control ofnonconforming product. Additionally, 4.1, General requirements (outsourcing), is now

includedinclause8ofISO9001:2015.ISO9001:2015doesnotaddanynewrequirementsforoperationalcontrol.“Controlofexternallyprovidedprocesses,productsandservices”is new terminology introduced to define the requirements for purchasing and outsourcedprocesses. This change attempts to ensure that organizations involved in services haveequal footing with organizations that make products. The use of the term “externallyprovidedprocesses”helpsdistinguishpurchasedmaterialsfromoutsourcedactivities.Theprocesschart inFigure8.1providesa roadmap for the subclausesof clause8.Note: InChapter8,servicewillberegardedastheproductoftheorganization.

8.1OPERATIONALPLANNINGANDCONTROLTheorganizationshallimplementandcontroltheprocessesneededtomeettherequirementsfortheprovisionofproductsandservices.Theorganization’splanningshallinclude:

•Determinationoftherequirementsfortheproductsandservices;•Establishingcriteriafortheprocessesandfortheacceptanceofproductsandservices;•Actionstoaddressrisksandopportunities.

Theorganizationshall:

•Determinetheresourcesneededtoachieveconformitytotheproductandservicerequirements;•Implementcontroloftheprocessesinaccordancewiththecriteria;•Determineandkeepdocumented information (records) to theextentnecessary tohaveconfidence that theprocesseshavebeencarriedoutasplannedandtodemonstratetheproductsandservicesconformtotheirrequirements.

Theoutputofthisplanningshallbesuitablefortheorganization’soperations.Theorganizationshallcontrolplannedchangesandreviewtheconsequencesofunintendedchanges,takingactionto

mitigateanyadverseeffects,asnecessary.Theorganizationshallensurethatoutsourcedprocessesarecontrolled.

Clause8.1is the“executivesummary”foroperationalplanningandcontrol.Athird-partyauditor will use this clause to get “calibrated” with the organization’s operations: thequality specifications and requirements for the product or service; the measurement,inspection,andtestactivities;andthecriteriaforproductacceptance.Subsequentclausesdefine the precise requirements related to the organization’s manufacturing or serviceprocesses.

8.2REQUIREMENTSFORPRODUCTSANDSERVICES

8.2.1CustomercommunicationCommunicationswithcustomersshallinclude:

•Providinginformationrelatingtoproductsandservices;•Handlinginquiries,contractsororders,includingchanges;•Obtainingcustomerfeedbackrelatingtoproductsandservices,includingcustomercomplaints;•Handlingorcontrollingcustomerproperty;•Establishingspecificrequirementsforcontingencyactions,whenrelevant.

8.2.2DeterminingtherequirementsrelatedtoproductsandservicesWhendeterminingtherequirementsfortheproductsandservicestobeofferedtocustomers,theorganizationshallensurethat the requirements for the products and services are defined, including any applicable statutory and regulatoryrequirementsandthoseconsiderednecessarybytheorganization.

Theorganizationshallensurethatitcanmeettheclaimsfortheproductsandservicesitoffers.

Clause 8.2.1 requires that the organization establish a process to communicate with itscustomersinrelationto:

ProductinformationSalesinquiriesContractsororderhandlingChangestoordersCustomercomplaintsCustomerfeedback

Under clause 8.2.2, the organization needs to determine how customer requirements areestablished.Whatformatisusedbytheorganizationtorecordcustomerrequirements?Howdoestheorganizationensurethatchangestoproductrequirementsaredefinedandresolved?Howdoes the organization establish specific requirements for contingency actions,whenrelevant to thecustomer’srequirements?Most importantly,does theorganizationhave thecapability to meet customer requirements? In past ISO 9001 revisions, the capability tofulfillacustomerrequirementwasreferredtoascontractreview,whichisnowdefinedinclause8.2.3.

8.2.3Reviewofrequirementsrelatedtoproductsandservices8.2.3.1: The organization shall ensure that it has the ability tomeet the requirements for products and services to beofferedtocustomers.

Theorganizationshallconductareviewbeforecommittingtosupplyproductsandservicestoacustomertoinclude:

•Requirementsspecifiedbythecustomer,includingtherequirementsfordeliveryandpost-deliveryactivities;•Requirementsnotstatedbythecustomer,butnecessaryforthespecifiedorintendeduse,whenknown;•Requirementsspecifiedbytheorganization;•Statutoryandregulatoryrequirementsapplicabletotheproductsandservices;•Contractororderrequirementsdifferingfromthosepreviouslyexpressed.

Theorganizationshallensurethatcontractororderrequirementsdifferingfromthosepreviouslydefinedareresolved.Thecustomer’srequirementsshallbeconfirmedbytheorganizationbeforeacceptancewhenthecustomerdoesnotprovideadocumentedstatementoftheirrequirements.

8.2.3.2:Theorganizationshall retaindocumented informationasapplicableon the resultsof the reviewandonanynewrequirementsfortheproductsandservices.

8.2.4ChangestorequirementsforproductsandservicesThe organization shall ensure that relevant documented information is amended, and that relevant persons are madeawareofthechangedrequirements,whentherequirementsforproductsandservicesarechanged.

Theorganizationneedstoensureithasthecapabilitytoproducetheproductorprovidetheservice as defined by the customer—i.e., does it have the equipment, processes, andresourcesrequiredtomeetthecustomer’sproductdeliverydatesorservicecommitment?

Appropriate requirements from external agencies such as regulations on product safetyandchemicalsormaterialsusedintheproductneedtobefollowed.TheNationalElectricalManufacturersAssociation (NEMA), the associationof electrical equipment andmedicalimaging manufacturers, provides requirements for the standardization of electricalequipment.TheFoodandDrugAdministration(FDA),whichisresponsibleforprotectingandpromotingpublichealthintheUnitedStates,regulatesfoodsafetyinbothmanufacturingprocessesandproducts.Otherexternalagencies,suchastheAmericanNationalStandardsInstitute (ANSI) and the American Society for Testing Materials (ASTM), may haveapplicationsfortheorganizationrelatedtotesting.Arecordoftheorganization’sanalysisandreviewofthecustomer’srequirementsneeds

tobemaintained.Whenchangesoccur,eitherbycustomerrequestorduetointernalissues,the organization must document the changes with approvals or acknowledgment asappropriate.Ametricormonitoringplanshouldbeestablishedforeachcustomer(orcore)processto

measuretheeffectivenessoftheprocessandtoestablishabaselineforimprovementoftheorganization’s planning/sales, design, external (purchasing), and production processes.Table8.1listssomeexamplesofmetricsthatcanbeusedtotrackperformanceinplanningorsalesprocesses.

Onceametricisestablished,agoalshouldbeset.Inmanyprivatelyheldorganizations,sales revenue information iswellguarded. In thosecases, the“salesperformanceagainstsalesplanasapercent”metriccanbeuseful.Formanyorganizations,“bidsuccess rate”(or“hitrate”)canmeasurehowwellthesalesdepartmentisperforming.Alowtrendinbidsuccess ratecanbealarmingforobvious reasons. I’vealsoseencaseswhereacompanyproducingcommodityproductsbecomesconcernedwhenthebidsuccessrate trendshigh,sincethiscouldmeanthecompanyissettingitspricestoolowcomparedtothecompetition.

AuditQuestionsClause8.1Whenplanningtoproduceaproductorprovideaservice,howdoestheorganizationdetermine:

•Thequalityspecificationsandrequirementsfortheproductorservice?•Theneedtoestablishprocesses—documentsandresourcesspecifictotheproductorservice?•Themeasurement,inspection,andtestactivitiesspecifictotheproductorservice?•Thecriteriaforproductacceptance?

Whatrecordsareneededtoprovideevidencethattheproductorservicemeetscustomerrequirements?

Clause8.2.1Howdoestheorganizationcommunicatewithitscustomersinrelationto:

•Productinformation?•Inquiries?•Contractsororders,includingchangestoorders?

Howdoestheorganizationdeterminecustomerrequirements?

Whatformatisusedbytheorganizationtorecordcustomerrequirements?

Howdoestheorganizationensurethatchangestoproductrequirementsaredefinedandresolved?

How does the organization establish specific requirements for contingency actions, when relevant to the customer’srequirements?

Whatistheprocessforhandlingcustomerfeedbackandcustomercomplaints?

Clause8.2.2Howdoestheorganizationensurethatproductrequirementsaredefined?

Howaretheproductrequirementsrecordedintheorganization’sQMS?

Whatstatutoryandregulatoryrequirementsareapplicabletotheorganization’sproductsorservices?

Howdoestheorganizationensuretheapplicableregulatoryrequirementsaremaintained?Examples: Product safety laws, regulations on chemicals or materials used in the product, electrical standards, FDAregulations

Howdoes theorganizationensure it has the capability toproduce theproduct orprovide theserviceasdefinedby thecustomer?Examples:Process/resourcecapability,abilitytomeetcustomerproductdeliverytimeorservicecommitment

Whatmethodisusedtomonitoror,whereapplicable,measurethesalesprocess?(Seealsoclause9.1.)

8.3DESIGNANDDEVELOPMENTOFPRODUCTSANDSERVICES

8.3.1GeneralTheorganizationshallestablish,implementandmaintainadesignanddevelopmentprocessthatisappropriatetoensurethesubsequentprovisionofproductsandservices.

8.3.2DesignanddevelopmentplanningIndeterminingthestagesandcontrolsfordesignanddevelopment,theorganizationshallconsider:

•Thenature,durationandcomplexityofthedesignanddevelopmentactivities;•Therequiredprocessstages,includingapplicablereviews;•Designanddevelopmentverificationandvalidationactivities;•Responsibilitiesandauthorities;•Internalandexternalresourceneeds;•Controlinterfacesbetweenpersonsinvolved;•Theneedforcustomeranduserinvolvement;•Requirementsforsubsequentprovisionofproductsandservices;•Thelevelofcontrolexpectedbycustomersandotherrelevantinterestedparties;•Thedocumentedinformationneededtodemonstraterequirementshavebeenmet.

8.3.3DesignanddevelopmentinputsTheorganizationshalldeterminetherequirementsessentialforthespecifictypesofproductsandservicestobedesignedanddeveloped.

The organization shall consider: functional and performance requirements; information derived from previous similardesign and development activities; statutory and regulatory requirements; standards or codes of practice; potentialconsequencesoffailure.

Inputs shall be adequate for design and development purposes, complete and unambiguous. Conflicting design anddevelopmentinputsshallberesolved.

8.3.4DesignanddevelopmentcontrolsTheorganizationshallapplycontrolstoensure:theresultstobeachievedaredefined;reviewsareconductedtoevaluatethe ability of the results to meet requirements; verification activities are conducted; validation activities are conducted;necessary actions are taken on problems determined during the reviews, or verification and validation activities;documentedinformationoftheseactivitiesisretained.

8.3.5DesignanddevelopmentoutputsThe organization shall ensure that design and development outputs:meet the input requirements; are adequate for thesubsequentprocesses; includeorreferencemonitoringandmeasuringrequirements,acceptancecriteria,characteristicsoftheproductsandservicesthatareessentialfortheirintendedpurposeandtheirsafeandproperprovision.

8.3.6DesignanddevelopmentchangesTheorganizationshallidentify,reviewandcontrolchangesmadeduring,orsubsequentto,thedesignanddevelopmentofproductsandservices,totheextentnecessarytoensurethatthereisnoadverseimpactonconformitytorequirements.The organization shall retain documented information on: design and development changes; the results of reviews; theauthorizationofthechanges;theactionstakentopreventadverseimpacts.

Clause 8.3 has the same requirements as ISO 9001:2008 clause 7.3, Design anddevelopment;however, the2015revisionmoreclearlyrecognizesthat therecanbemajordifferencesincomplexityamongdesignanddevelopmentactivitieswithintheorganization.Thegeneral requirements forclause8.3coverdesignprocesses forprojectswithacycletime of a few years and also for projects completed in days or weeks(enhancements/modifications or minor reconfiguration of mature designs). Organizationswith both complex, lengthy projects and quick-turnaround modifications should developtheirdesignprocesscontrolsaccordingly.Notexplicitlystatedintherequirementsistheneedtohaveatime-boundplan.Thishas

beenadeficiency inprior revisionsof ISO9001aswell.Whenauditinganorganizationwithseveraldesignersandseveralprojectsrunningsimultaneously,Iamoftendisappointedto observe the lack of an integrated plan to assist in scheduling resources. While therequiredstagesoftheprojectaredefined,theplannedcompletiondatesormilestonesarenotestablished(orestimated).ManyorganizationsuseaGanttchart,orsomethingsimilar,to establish estimated completion dates for each design stage—often working backwardfrom the customer’s required completion date. When the timelines of all projects areintegrated,resourcescanbebetterallocated.Insimpleterms,thebasicrequirementforadesignprojectincludes:

Statementofwork—whatis“new”?Time-boundplanInputrequirements—specificationsOutputs—expectationsDesignreviewsasappropriateVerification/validationplan

AnoverviewofthedesignprocessisgiveninFigure8.3.

Dr. Robert G. Cooper, one of the founders of Stage-Gate International, introduced aproductdevelopmentprocesscalledtheStage-Gateinnovationprocessover20yearsago.Manyorganizationshaveusedthisprocessoravariationofittosatisfytherequirementsofthe ISO 9001 design clause. An internet search yields many software product offeringsrelated to Stage-Gate (sometimes referred to as phase-gate). A properly designed andimplemented Stage-Gate process would satisfy the requirements of ISO 9001:2015clause8.3andadd twoenhancementswhile integrating ISO9001with theorganization’sbusinessmodel.Stage1includesascreeningofideasfornewdevelopmentstoanalyzethecostbenefitsoftheprojectalongwithpotentialchallengesandcompetitivefactors.Thelaststage (often Stage 8) includes apost-launch review tomeasure the project’s results andreturnoninvestment,aswellaslessonslearnedtoapplytofutureprojects.Irecommendtheuse of some form of the Stage-Gate process for organizations of any size or level ofcomplexity.SeeAppendixCforasummaryofStage-Gate.AmodelIdevelopedofagenericISO9001Stage-GateprocessisshowninFigure8.4.

In thedesignStage-Gateprocess,acustomer-drivenproject isaprojectrequestedbyacustomer.Adesignproject initiatedby themanagementof theorganization to servemanycustomers, or a general consumer-based project,may requiremore stages, similar to theStage-Gate International process. The customer-driven model can be used forenhancements/modifications or minor reconfiguration of mature designs or for morecomplexdesignswithlongcycletimes.Inthecaseofminorreconfigurationprojectswithshortcycletimes,theformscanbedesignedtoallowfortheconsolidationofseveralsteps,requiringlesspaperworkandfewerapprovals.Table8.2 listssomeof therelateddesignrecordsfromthereferencedforms.

Ametricormonitoringplanshouldbeestablishedforthedesignprocesstomeasuretheeffectivenessoftheprocessandtoestablishabaselineforimprovement.Adesign-orientedorganizationjeopardizesitsabilitytomaintainorincreasesalesrevenueifitdoesnotoffernew products to replace products obsoleted by its customers or market sector. ManyorganizationsI’veauditedestablishagoalforthedesigngrouptocreateincrementalannualsalesgeneratedbynewdesignsat15%–20%ofcurrentsalestooffsetobsoletedorpoor-selling products. Examples of metrics used to track performance in the design processinclude:

SalesrevenuefornewdesignprojectsasapercentageofannualsalesPercentageofdesignprojectsthatcreatesalesrevenueCycletimetocompleteprojectsPercentageofdesignprojectscompletedontimeandonbudget

AuditQuestionsClause8.3

Howdoes theorganizationdetermine thedesignanddevelopmentstagesofanewdesign,andhowdoes itestablishaprocesstoreviewtheprogressofthedesign?

Isthereaprojectplanwithtimelinesdefined?

Howdoestheorganizationdetermine:•Verificationandvalidationprocesses?•Responsibilitiesandauthorities?

Inadesignproject,howdoestheorganizationdetermine:•Functionalandperformancerequirements?•Applicablestatutoryandregulatoryrequirements?•Informationderivedfromprevioussimilardesigns,ifapplicable?•Otherrequirementsessentialfordesignanddevelopment?

Howdothedesignreviewsevaluatetheabilityoftheresults(orprogress)ofthedesigntomeetrequirementsandrecordproblemsidentifiedduringthedesignprocesswithactionsproposedtoresolvethem?

Howdoestheorganizationverifythedesign?(Verification=meetsrequirementsofthedesigninputspecifications.)

Howdoestheorganizationvalidatethedesign?(Validation = satisfies the customer’s intended use of the design or product. In some cases, the customer may takeresponsibilityforthevalidationprocess.)

Howdoestheorganizationmanagechangesduringthedesignsteps?

Whatmethodisusedtomonitoror,whereapplicable,measurethedesignprocess?(Seealsoclause9.1.)

8.4CONTROLOFEXTERNALLYPROVIDEDPROCESSES,PRODUCTSANDSERVICES

8.4.1GeneralTheorganizationshallensurethatexternallyprovidedprocesses,productsandservicesconformtorequirements.

The organization shall determine the controls to be applied to externally provided processes, products and serviceswhen:

•Productsandservicesfromexternalprovidersareincorporatedintotheorganization’sownproductsandservices;•Productsandservicesareprovideddirectlytothecustomersbyexternalprovidersonbehalfoftheorganization;•Aprocess,orpartofaprocess,isprovidedbyanexternalprovider.

Theorganizationshalldetermineandapplycriteriafortheevaluation,selection,monitoringofperformanceandreevaluationofexternalprovidersorproductsandservicesinaccordancewithrequirements.

8.4.2TypeandextentofcontrolThe organization shall ensure that externally provided processes, products and services do not adversely affect theorganization’sabilitytoconsistentlydeliverconformingproductsandservicestoitscustomers.

Theorganization shall ensure that externally providedprocesses remainwithin the control of its qualitymanagementsystemanddefineboth the controls that it intends to apply to anexternal provider and those it intends to apply to theresultingoutput.

Theorganizationshall take intoconsideration thepotential impactof theexternallyprovidedprocesses,productsandservicesontheorganization’sabilitytoconsistentlymeetcustomerandapplicablestatutoryandregulatoryrequirementsandtheeffectivenessofthecontrolsappliedbytheexternalprovider.

The organization shall determine the verification, or other activities, necessary to ensure that the externally providedprocesses,productsandservicesmeetrequirements.

8.4.3InformationforexternalprovidersThe organization shall ensure the adequacy of requirements prior to their communication to the external provider. Theorganizationshallcommunicatetoexternalprovidersitsrequirementsfor:

•Theprocesses,productsandservicestobeprovided;•Theapprovalofproductsandservices,methods,processesandequipment;•Thereleaseofproductsandservices;•Competence,includinganyrequiredqualificationofpersons;•Theexternalproviders’interactionswiththeorganization;•Thecontrolandmonitoringoftheexternalproviders’performancetobeappliedbytheorganization;•Theverificationorvalidationactivitiesthattheorganization,or itscustomer, intendstoperformattheexternalproviders’premises.

Externallyprovidedprocesseswerereferredtoaspurchasingandoutsourcinginpreviousversions of ISO 9001. ISO 9001:2015 does not add any new purchasing processrequirements. Combining outsourcing and purchasing in the same clause may clarify thedifferencesbetweenthetwoexternalprocesses.Aprocesschartforexternalprocesses isdepictedinFigure8.5.

ISO 9001:2015 does not define outsourced processes. ISO 9001:2008 clause 4.1,Generalrequirements,providedthefollowingdefinitionofanoutsourcedprocess:Aprocessthattheorganizationneedsforitsqualitymanagementsystem,andwhichtheorganizationchoosestohaveperformedbyanexternalparty.

Whenanorganizationpurchasesmaterials,products,orservices,itischoosingtohaveanexternalpartyperformaprocess.Outsourcing,inthecontextofISO9001,hasbeenasourceof inconsistent interpretation for several years. ISO 9001:2015 does not provide a cleardefinition.Mypreferreddefinitionofoutsourcingis:Materials,products,orservicesprovidedfortheorganization’scustomersbyexternalprovidersandshippeddirectly fromtheexternalprovider’ssite to theorganization’scustomers.

Thelogicbehindthisdefinitioncentersonriskandcontrol.Forexample,sayanorganizationengagesanexternalsource(asupplier)tochrome-plate

parts.Ifthesupplierreturnsthechrome-platedpartstotheorganization,thatispurchasing.Ifthesupplierdeliversthechrome-platedpartsdirectlytotheorganization’scustomer,thatisoutsourcing.Inthepurchasingscenario,theorganizationcaninspectthepartsbeforereleasingthemto

thecustomer.Intheoutsourcingscenario,theorganizationhastorelyonthechrome-platingsupplier to properly inspect, package, and ship the finished product to the organization’scustomer. This adds the risk that the supplierwill not perform the tasks properly.Whenoutsourcingisusedinthiscontext,theorganizationneedstoestablishcontrols tomonitorthe supplier’squality.Controls foroutsourced sources include awide rangeof activitiesdepending on the quality risk of the outsourced activity. At the high end of risk, theoutsourced provider is required to transmit inspection or functionality results to theorganization requesting the work, before shipping the product to the organization’scustomer. Other high-risk-level outsourced processes are managed by having arepresentativeoftheorganizationreleasetheproductat theprovider’splant.Lower-level

controlsincludecertifyingtheproviderthroughperformancehistoryand/orqualityauditsattheprovider’splant.This outsourcing scenario is related to ISO9001 clause 8,Operation.There are other

outsourced processes related to human resources, information technology (IT), andaccounting that require controls appropriate to the activities and risk. When designactivities are outsourced, the potential impact on customer requirements is normallycontrolledbythehiringorganization’sapprovaloftheoutsourceddesigner’swork.The process and criteria established to evaluate and select new suppliers need to be

commensuratewith the impact thesupplierhason theorganization’squalityperformance.For an original equipment manufacturer (OEM), where the performance of suppliers iscritical, a detailed new supplier review process may be in order. A machine shop thatpurchases standardmaterials from a distributormay have a less detailed process. In allcases, thereshouldbeadocumentedplan thatmatches theorganization’sbusinessmodel.While a potential new supplier holding an ISO 9001 third-party certificate should becongratulated,theystillneedtobeevaluatedusingdefinedcriteria!Theprocessandcriteriausedbytheorganizationtoreevaluateapprovedsuppliersneeds

to be determined, also according to the supplier’s criticality. The OEM might track itssupplier’s performance in quality, delivery, and service; themachine shopmight use thecorrectiveactionprocesstocommunicatethesupplier’sperformance.Goodquality andbusinessmanagement requires theorganization tomaintain a process

forauthorizingpurchaseorderstoexternalproviderswithaclearstatementofwhatistobeprovided.Theverificationorvalidationactivities that theorganizationperformsat thesupplier’spremises(ifapplicable)shouldbeclearlydefined.The organization needs to determine which purchased materials require inspection to

ensure purchased product meets specified purchase requirements. If no inspection isrequired, how did the supplier become certified? Many organizations that purchasechemicals or paper or plastic substrates require that either COAs or certificates ofconformance (COCs) be delivered with the received material. A process should beestablishedforreviewingandapprovingthecertificatesforconformancetorequirements.Ametricormonitoringplanshouldbeestablishedforthepurchasingprocesstomeasure

the effectiveness of the process and to establish a baseline for improvement.A commonmetric is a representation of the delivery and quality performance of suppliers. In largeconsumer-oriented companies or contract manufacturers, a common metric is purchasedprice variance (PPV). PPV connects the purchasing performance to the organization’sbusiness performance by establishing spending reductions in material costs to improveprofits.

AuditQuestionsClause8.4Whatprocessandcriteriaareusedbytheorganizationtoevaluatenewsuppliers?

Whatprocessandcriteriaareusedbytheorganizationtoreevaluateapprovedsuppliers?

Howdoestheorganizationcontrolandmonitortheperformanceofsuppliers?

Howdoestheorganizationmaintainthelistingofapprovedsuppliers?

Howdoestheorganizationmanagethereleaseofpurchaseorderstosuppliers?

Howdoes theorganizationdeterminewhichpurchasedmaterials require inspection toensurepurchasedproductmeetsspecifiedpurchaserequirements?

Describetheverificationorvalidationactivitiesthattheorganizationperformsatthesupplier’spremises(ifapplicable).

Howdoestheorganizationcontroloutsourcedprocesses?Wherearethecontrolsdefined?

Whatmethodisusedtomonitoror,whereapplicable,measurethepurchasingprocess?(Seealsoclause9.1.)

8.5PRODUCTIONANDSERVICEPROVISION8.5.1ControlofproductionandserviceprovisionTheorganizationshallimplementproductionandserviceprovisionundercontrolledconditions.

Controlledconditionsshallinclude,asapplicable:

•Theavailabilityofdocumentedinformationthatdefinesthecharacteristicsoftheproductstobeproduced,theservicestobeprovided,ortheactivitiestobeperformedandtheresultstobeachieved;

•Theavailabilityanduseofsuitablemonitoringandmeasuringresources;•The implementationofmonitoringandmeasurement activitiesat appropriate stages to verify that criteria for control ofprocessesoroutputs,andacceptancecriteriaforproductsandservices,havebeenmet;

•Theuseofsuitableinfrastructureandenvironmentfortheoperationofprocesses;•Theappointmentofcompetentpersons,includinganyrequiredqualification;• The validation, and periodic revalidation, of the ability to achieve planned results of the processes for production andserviceprovision,wheretheresultingoutputcannotbeverifiedbysubsequentmonitoringormeasurement;

•Theimplementationofactionstopreventhumanerror;•Theimplementationofrelease,deliveryandpost-deliveryactivities.

8.5.2IdentificationandtraceabilityTheorganizationshallusesuitablemeans to identifyoutputswhen it isnecessary toensure theconformityofproductsand services. The organization shall identify the status of outputs with respect to monitoring and measurementrequirementsthroughoutproductionandserviceprovision.

Theorganizationshallcontroltheuniqueidentificationoftheoutputswhentraceabilityisarequirement,andshallretainthedocumentedinformationnecessarytoenabletraceability.

8.5.3PropertybelongingtocustomersorexternalprovidersThe organization shall exercise care with property belonging to customers or external providers while it is under theorganization’scontrolorbeingusedbytheorganization.

Theorganizationshall identify,verify,protectandsafeguardcustomers’orexternalproviders’propertyprovidedforuseorincorporationintotheproductsandservices.

Whenthepropertyofacustomerorexternalproviderislost,damagedorotherwisefoundtobeunsuitableforuse,theorganizationshallreportthistothecustomerorexternalprovider.

8.5.4PreservationThe organization shall preserve the outputs during production and service provision, to the extent necessary to ensureconformity to requirements. NOTE: Preservation can include identification, handling, contamination control, packaging,storage,transmissionortransportationandprotection.

8.5.5Post-deliveryactivitiesThe organization shall meet requirements for post-delivery activities associated with the products and services,consideringstatutoryandregulatoryrequirements;thepotentialundesiredconsequencesassociatedwithitsproductsandservices; the nature, use and intended lifetime of its products and services; and customer requirements and customerfeedback.

Post-delivery activities can include actions under warranty provisions, contractual obligations such as maintenanceservices,andsupplementaryservicessuchasrecyclingorfinaldisposal.

8.5.6ControlofchangesTheorganizationshall reviewandcontrolchanges forproductionorserviceprovision, to theextentnecessary toensurecontinuingconformitywithrequirements.

The organization shall retain documented information describing the results of the review of changes, the personsauthorizingthechangeandanynecessaryactionsarisingfromthereview.

8.6RELEASEOFPRODUCTSANDSERVICESThe organization shall implement planned arrangements, at appropriate stages, to verify that the product and servicerequirementshavebeenmet.

The release of products and services to the customer shall not proceed until the planned arrangements have beensatisfactorilycompleted,unlessotherwiseapprovedbyarelevantauthorityand,asapplicable,bythecustomer.

Theorganizationshall includedocumented informationon thereleaseofproductsandservices to includeevidenceofconformitywiththeacceptancecriteriaandtraceabilitytothepersonsauthorizingtherelease.

8.7CONTROLOFNONCONFORMINGOUTPUTS8.7.1:Theorganizationshallensurethatoutputsthatdonotconformtotheirrequirementsareidentifiedandcontrolledtopreventtheirunintendeduseordelivery.

Theorganizationshalltakeappropriateactionbasedonthenatureofthenonconformityanditseffectontheconformityofproductsandservices.Thisshallalsoapplytononconformingproductsandservicesdetectedafterdeliveryofproducts,duringoraftertheprovisionofservices.

Theorganizationshalldealwithnonconformingoutputs inoneormoreof the followingways:correction,segregation,containment,returnorsuspensionofprovisionofproductsandservices.

Theorganizationshallinformthecustomertoobtainauthorizationforacceptanceunderconcession.Conformitytotherequirementsshallbeverifiedwhennonconformingoutputsarecorrected.

8.7.2:Theorganizationshallretaindocumentedinformationthatdescribesthenonconformity;theactionstaken;andanyconcessionsobtained.Theorganizationshallidentifytheauthoritydecidingtheactioninrespectofthenonconformity.

ISO9001:2015doesnotpresentanynewrequirementsforproductionorservice.Clauses8.5,8.6,and8.7consolidatetheISO9001:2008requirementsofclause7.5,Productionandservice provision; clause 8.2.4,Monitoring andmeasurement of product; and clause 8.3,Control of nonconforming product. A process chart for clauses 8.5–8.7 is shown inFigure8.6.(GuidelinesforservicetypeorganizationsareincludedattheendofChapter8).

ISO9001:2015removedamainclausefromISO9001:2008—clause7.5.2,Validationofprocesses—andmovedtherequirementintoclause8.5.1,Controlofproductionandserviceprovision:

ISO9001:2008clause7.5.2,ValidationofprocessesforproductionandserviceprovisionThe organization shall validate any processes for production and service provisionwheretheresultingoutputcannotbeverifiedbysubsequentmonitoringormeasurementand,asaconsequence,deficienciesbecomeapparentonlyaftertheproductisinuseortheservicehasbeendelivered.ISO9001:2015clause8.5.1,ControlofproductionandserviceprovisionControlled conditions shall include the validation, and periodic revalidation, of theability to achieve planned results of the processes for production and serviceprovision,where the resultingoutput cannotbeverifiedby subsequentmonitoringormeasurementandtheimplementationofrelease,deliveryandpost-deliveryactivities.

Thisisunfortunate,inmyopinion,asvalidationofprocessescanbeanimportantfacetofanorganization’s quality performance and is often overlooked by both auditors andorganizations.Under ISO9001:2008, ifanorganizationdidnothavea reason tovalidateprocesses, clause 7.5.2 was excluded with justification as to why validation was notrequired.Ifanorganizationcanmeasureitsproducts,eitherbydimensional,functional,orvisual standards, thevalidation requirementsdonot apply.Exampleswherevalidation isrequired to ensure a product does not have deficiencieswhen delivered to the customerinclude:

Soldering(whereintegrityofjointscannotbeverifiedbymeasurement)WeldingMachineassemblyCleaningLaminationCoatingorpaintingHeattreatingorplating

Inthesecases,themanufacturercannotensurethattheproductmeetsrequirementswithoutdestroying the product (or validating the employees or equipment); thus, a processvalidationisneeded.Inthecaseofsoldering,welding,ormachineassembly,trainingandcertifying the employees doing the work is a way to validate that the process is undercontrol.For cleaningor lamination, a representative samplemayhave tobedestroyedatsome frequency to validate that the process has been cleaning the product or that theequipmentisproducingadequatelamination.Incoating,painting,heattreating,orplating,a

sample or coupon can be exposed to the process and thenmeasured to validate that theentirelothastherequiredthicknessorothercharacteristics.Theotherclausesinthisgrouphavenotchangedfromthe2008revision.Followingare

somesuggestionsonhowanorganizationcanmanageitsproductionorserviceprovisions,quality inspections, preservation of materials, nonconforming outputs, and post-deliveryactivities:

Controlofproductionandserviceprovision:Theorganizationneedstoprovideinformationandcharacteristicsrequiredtoproducetheproductorserviceaswellasthemethodsorinstructionsusedtoensuretheproductorserviceisproducedasplanned.Dependingonthetypeofmanufacturing,theinformationcanbeintheformofa“traveler,”whichiscreatedfromtheworkorderandincludesinstructions,materiallist,drawings,inspectionplans,processsteps,andprocessconditions.Iftherequiredinformationisinthetraveler,theremaynotbeaneedforaworkinstruction.Thequalityinspectionsneedtobeplanned,fromapprovaloftherawmaterialtoin-processinspectionstoinspectionsreleasingmaterialtothenextprocess.Theorganizationneedstoidentifytheproductstatuswithrespecttoinspectionormonitoringrequirementsthroughoutmanufacturing.Changestotheinformationandcharacteristicsrequiredtoproducetheproductorserviceneedtobemanaged,includingauthoritiesanddeviationprocesses.Theauthorizationprocesstoapproveproductsorservicesforreleasetocustomersshouldbedefinedandcontrolled.Theorganizationneedstoensurethatmaterialsandcomponentsarepreservedduringprocessinganddeliverytotheorganization’scustomersandduringprocessingofmaterialstoprotecttheproduct.Adhesives,sealants,coatings,paints,desiccants,andsolder-paste/fluxhaveshelf-lifeconcernsandneedtobemonitored.Controlofnonconformingoutputs:Theorganizationneedstoensurethatproductthatdoesnotconformtorequirementsisproperlyidentifiedandcontrolledtopreventitsunintendeduseordelivery.Howdoestheorganizationtakeactiontoeliminatethedetectednonconformity?Whatactionsaretakenbytheorganizationwhenthenonconformingproductisdetectedafterdeliveryorusehasstarted?Howdoestheorganizationverifythatnonconformingproductthathasbeencorrectedconformstotheintendedrequirements?Howdoestheorganizationanalyzenonconformingproductoccurrencestopreventreoccurrence?Anypost-deliveryactivitiesapplicabletotheorganizationneedtobeplannedandcontrolled.Examplesincludewarrantyprovisions,contractualobligations(e.g.,maintenanceservices),andsupplementaryservices(e.g.,recyclingorfinaldisposal).

Ametricormonitoringplanshouldbeestablishedfortheproductionprocesstomeasurethe effectiveness of the process and to establish a baseline for improvement. Commonmetrics are on-time delivery (OTD), percentage defective at customers, material yield,productivity(employeelaborhours),andinternalwaste.

AuditQuestionsClause8.5.1Howdoestheorganizationprovidetheinformationandcharacteristicsrequiredtoproducetheproductorservice?

Whatmethodsorinstructionsareusedtoensuretheproductisproducedasplanned?

Howarechangestotheinformationandcharacteristicsrequiredtoproducetheproductorservicemanaged?

Whatmethod is used tomonitor or, where applicable,measure the production or service planning process? (See alsoclause9.1)

What are the processes in the organization’s QMS that cannot be verified by inspection, measurement, or visualobservation?Examples:Welding,soldering,painting,heattreating,lamination,plating,cleaning

IftheorganizationdoesnothaveprocessesinitsQMSrequiringvalidation,whereisvalidationlistedasnotapplicable?

Clause8.5.2Howdoes the organization identify the product statuswith respect to inspection ormonitoring requirements throughoutmanufacturing(orservice)?

If the organization is required to provide traceability of materials or components used in manufacturing, what processdoestheorganizationuse?

Clause8.5.3Whatarethematerials,components,orotheritemsprovidedbytheorganization’scustomers?

Examples:Rawmaterial,testequipment,intellectualproperty

Howdoestheorganizationcontrolcustomerproperty?Examples:Identify,verify,protect,safeguard,inventory

Clause8.5.4How does the organization ensure that materials and components are preserved during processing and delivery to itscustomers?

Whatstepsaretakentoprotecttheproductduringprocessing?

Howdoestheorganizationensurethatrawmaterialsarewithinthemanufacturer’sshelf-lifewarrantytime?Examples:Adhesives,sealants,coatings,paints,chemicals,solderpaste/flux,desiccants

Howdoestheorganizationprotecttheproductfromdamageduringstorage?

Clause8.5.5Whatpost-deliveryactivitiesareapplicabletotheorganization?

Examples: Warranty provisions, contractual obligations (e.g., maintenance services), supplementary services (e.g.,recyclingorfinaldisposal)

Clause8.5.6Howdoestheorganizationmanagechangestomanufacturingprocesses?Customerspecifications?Equipment?

Howistheauthoritytoapprovechangesdefined?

Clause8.6Howdoestheorganizationensurethatthecustomer’srequirementsforproductsaremet?

Whataretheprocesses/inspectionsusedtosupportthequalityofproductbeingmanufactured?Examples:Incomingmaterial,in-processmanufacturing,finalreleaseofproduct

Whatistheauthorizationprocesstoapproveproductorservicesforreleasetocustomers?

Clause8.7Howdoestheorganizationensurethatproductthatdoesnotconformtoproductrequirementsisidentifiedandcontrolledtopreventitsunintendeduseordelivery?

Howdoestheorganizationtakeactiontoeliminatethedetectednonconformity?

Howdoestheorganizationpreventtheunintendeduseordeliveryoftheproduct?

How does the organization authorize the use, release, or acceptance of the product or service under concession by arelevantauthorityorthecustomerwhereapplicable?

Whatactionsare takenby theorganizationwhen thenonconformingproduct isdetectedafterdeliveryorafterusehasstarted?

SERVICEPROVISIONSANDISO9001:2015The intent of this section is to outline the applicationof ISO9001:2015 to organizationsengagednotinmanufacturingbutinprovidingservices.Past revisions of ISO 9001 have struggled to apply the product and manufacturing

requirementsofISOtotheserviceindustry.Overthelast15years,Ihaveauditedawiderangeoforganizationswhoseproductwasaservice.TheapplicationofISO9001totheseorganizationswasnotsodifficult.Ibelieveservice-basedcompanieshavebenefitedfromemployingthedisciplineofISO9001totheiractivities.SomeoftheservicecompaniesIhaveauditedinclude:

AdistributorofautomotivecomponentsinCanadaAdistributoroffastenersinSouthCarolinaAtranslationandsoftwarelocalizationserviceinMassachusettsAcontractcustodialprovideratapharmaceuticalplantinConnecticutAninternationalfreightforwarderatPhiladelphiaInternationalAirportAnengineeringarchitecturefirminKentuckyAnelectricalcontractorinPennsylvaniaAprojectmanagementtrainingfirminPennsylvaniaAnISOtrainingproviderinConnecticutAtemporaryhelpagencyinMichiganAspecialmetalimporterinFloridaAnengineering/surveyingcompanyinIreland

OfthehundredsoforganizationsIhaveaudited,Irecallthesecompaniesmosteasily—andmost fondly, perhaps because of the challenge of preparing an audit plan. Many of thelocationswere also quite interesting. The audit at the architecture company in KentuckyincludedasitevisitatChurchillDownsracetracktowitness theapplicationof thefirm’sprojectplanning.ThesitevisitwiththeelectricalcontractorinPennsylvaniawasatanewschoolbeingbuilt.DuringtheauditattheISOtrainingproviderinConnecticut,Iwitnessedaninternalauditortrainingprogrambeingconductedbytheorganization.ThemostinterestingauditwaswiththesurveyorinIreland.Thecompanywascontracted

bytheIrishgovernmenttoverifythattheplotsoflandtelephonecompanieswereusingtoinstall cell phone towers were properly mapped and owned. The government requiredsurveyorstoholdathird-partyqualityregistration,soISO9001wasused.Thiscelltowerland plotwas adjacent to an ancient Irish cemetery. I used the surveyor’s transit tool toverifyhisreadings.After a fewauditsof service typeorganizations, I realized Ineeded todoabetter job

understandingtheclient’sprocessesbeforepreparingtheauditplan,soIwouldusuallycalltheclientandtrytogetagoodunderstandingoftheirbusinessmodel.Idiscoveredtherearefive general categories of service providers: sales, distribution, engineering services,softwareorIT,and“other”services.Table8.3outlinestheISO9001clausesthatmightberelevanttoeachtypeoffirm.

To become certified to ISO 9001:2015, all service organizations need to address thefollowingclauses:4 Contextoftheorganization

5 Leadership

6 Planning

7.1.6 Organizationalknowledge

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documentedinformation

8.2 Requirementsforproductsandservices

8.5.1 Controlofproductionandserviceprovision

8.5.6 Controlofchanges

8.6 Releaseofproductsandservices

8.7 Controlofnonconformingoutputs

9 Performanceevaluation

10 Improvement

Distributors—firmsthatinventoryandsellproductsmadebyothercompanies—oftenhaveprocesses that closely resemble thoseof amanufacturing site, themajor differencebeingthattheydonotmaketheproducts—theysell,purchase,store,andsometimesmeasurethem.Somedistributorsproviderepairormanufacturingservices,sotheywillhaverequirementsin production and service—possibly calibration of measuring equipment. Additionally,distributorshaveawarehouse.Clause7.1.3, Infrastructure,willneed tobeconsidered inrelationtotransportationandinformationsystems.Engineering services may provide design activities such as architecture and building

design, so clause 8.3, Design and development of products and services, is applicable.Softwaredevelopersprovidenewproducts,sotheyalsohaverequirementsinclause8.3;however,softwaredevelopmentisquitedifferentfromhardwaredesign,andinmanycasesonly one individual does 90% of the work on a project. I suggest software developersconsidermodifyingthedesignStage-Gateprocess(Figure8.4inChapter8)tomatchtheirbusinessmodel.WhenconsideringregistrationtoISO9001:2015,allservicetypeorganizationsneedto

carefully review theirprocesses tounderstandhowtheiractivities relate to identificationand traceability, property belonging to customers, preservation, post-delivery activities,controlofchanges,releaseofproductsandservices,andcontrolofnonconformingoutputs.While the jargon of software developers may be different than that of manufacturingorganizations, their bugs are a type of nonconforming product or rejectedmaterial, andtheirsoftwarereleases are similar toahardwaremaker’srevisioncontrol of a drawing.The customers provide the software developer with an electronic data file, which ispropertybelongingtocustomersaswellasintellectualproperty.The service provider seeking certification to ISO 9001:2015 should reviewTable 8.3

withthegoalofturningeach“maybe”intoa“yes”or“no.”To demonstrate how a service organization might approach mapping its process, the

flowchartforasoftwaredeveloperispresentedFigure8.7.

The ISO 9001:2015 clauses thatmay apply to the software developer’s processes arelistedinTable8.4.Forsomesoftwaredevelopers,clause8.5.1,Controlofproductionandservice provision,may bemore applicable than clause 8.3,Design and development, assomesoftwaredevelopmentcanbemoreprocessdevelopmentthanproductdevelopment.The monitoring and measuring requirement related to software development is thecalibrationorstandardizationofthehardwareusedtoloadandreadthenewsoftware.

Among my service-related clients, I would say that some of the software developerseffectively apply ISO 9001 to their business model, particularly companies engaged intranslation or localization software. Software programmers are a unique breed: creativeand often protective of their individuality. The ISO 9001 discipline has helped somesoftwareproviders standardize their developmentprocess,makingproject transfersmoreefficient.TheTickITscheme,acertificationprogramforcompanies in thesoftwaredevelopment

andcomputerindustries,wasbasedontheISO9001framework.Itwassuccessfullyusedby many software companies. TickIT had difficulty finding auditors with sufficient ITbackground and was replaced by TickITplus. For more information on the TickITplusscheme,seehttp://www.tickitplus.org.While several other types of service-related organizations have benefited from the

applicationofISO9001,manycompaniesusingISO9001certificationasamarketingtoolto attract new customers were disappointed that it did not generate more sales anddiscontinuedtheirregistrationafterafewyears.In thespiritofcontinuing improvement, servicecompaniesshouldestablishametric to

setabaselineforimprovement.Somepossibilitiesinclude:Distribution/Sales:On-timedelivery,salesrevenueSoftware:Projectcycletime,firstreleaseacceptancerateEngineering:Performancetocostandcompletiontime

AuditQuestionsClause8.5.1WhataretheserviceprocessesinthescopeoftheQMS?

Examples:Repairofequipment,distributionofproduct,transportation,engineeringservices

Howdoestheorganizationprovidetheinformationandcharacteristicsrequiredtoprovidetheservice?

Clause8.5.2Howdoes theorganization identify the “product”statuswith respect to inspectionormonitoring requirements throughouttheservice(ifapplicable)?

If theorganization is required toprovide traceabilityofmaterialsorcomponentsused in theservice,whatprocessdoestheorganizationuse?

Clause8.5.3Whatarethematerials,components,orotheritemsprovidedbytheorganization’scustomers?

Examples:Rawmaterial,testequipment,intellectualproperty

Howdoestheorganizationcontrolcustomerproperty?Examples:Identify,verify,protect,safeguard,inventory

Clause8.5.4How does the organization ensure that materials and components are preserved during processing and delivery to itscustomers?

Whatstepsaretakentoprotecttheproductduringprocessing?

Howdoestheorganizationensurethatrawmaterialsarewithinthemanufacturer’sshelf-lifewarrantytime?Examples:Adhesives,sealants,coatings,paints,chemicals,solderpaste/flux,desiccants

Howdoestheorganizationprotecttheproductfromdamageduringstorage?

Clause8.5.5Whatpost-deliveryactivitiesareapplicabletotheorganization?

Examples: Warranty provisions, contractual obligations (e.g., maintenance services), supplementary services (e.g.,recyclingorfinaldisposal)

Clause8.5.6Howdoestheorganizationmanagechangestotheserviceprocesses?Customerspecifications?Equipment?

Howistheauthoritytoapprovechangesdefined?

Clause8.6Howdoestheorganizationensurethatthecustomer’srequirementsforproducts(distributed)orservicesaremet?

Whataretheprocesses/inspectionsusedtosupportthequalityofproductbeingserviced?

Whatistheauthorizationprocesstoapproveproductorservicesforreleasetocustomers?

Clause8.7How does the organization ensure that product or service that does not conform to requirements is identified andcontrolledtopreventitsunintendeduseordelivery?

Howdoestheorganizationtakeactiontoeliminatethedetectednonconformity?

Howdoestheorganizationpreventtheunintendeduseordeliveryoftheproduct?

How does the organization authorize the use, release, or acceptance of the product or service under concession by arelevantauthorityorthecustomerwhereapplicable?

Whatactionsaretakenbytheorganizationwhenthenonconformingproductorservice isdetectedafterdeliveryorafterusehasstarted?

9Clause9:PerformanceEvaluation

Clause9,Performanceevaluation,isthe“check”componentinthePDCAprocess:Check: The QMS is monitored and audited to measure performance against theorganization’sobjectives andcustomer requirements.Theperformanceand resultsoftheQMSarereportedtotopmanagement.

Clause10,Improvement,isthe“act”component:Act:Actionsareinitiatedtocorrectdeficienciesandimprovethequalityperformanceas indicated by themonitoring andmeasurement of theQMS results. Resources andemployeetrainingareprovidedasappropriatetoensureimprovementoftheQMS.

Combiningclauses9and10resultsintheflowchartdepictedinFigure9.1.

ISO9001:2015providesnonewrequirements—it just rearranges several requirementsof ISO9001:2008.Anunfortunatechange, inmyopinion, is theeliminationof theclauserelating to themonitoring andmeasurement of processes. This requirementwas initiatedwiththe2000revisionofISO9001andwasamajorstepincausingcertifiedorganizationstoviewtheirQMSasaseriesofprocessesthatshouldbemonitoredormeasuredtosetabaselineforimprovement.ISO9001:2008clause8.2.3stated:Theorganization shall apply suitablemethods formonitoring and,where applicable,measurement of the quality management system processes. These methods shalldemonstrate the ability of the processes to achieve planned results. When plannedresults are not achieved, correction and corrective action shall be taken, asappropriate.

Thiswas generally interpreted by organizations and third-party auditors as requiring theorganization to establish metrics (and goals) for its core processes: sales, design,purchasing,production,orservice.Supportprocessesshouldataminimumbemonitoredaspartoftheorganization’sinternalauditprocess.Iftheorganizationdeterminedametricwasnotpracticalorusefulforacoreprocess,thenthatprocesswouldalsobemonitoredbytheinternalauditprocess.(Chapter8providesmetricoptionsforeachcoreprocess.)TheequivalentrequirementsforprocessmonitoringinISO9001:2015canbefoundinthe

followingclauses:

4.4Qualitymanagementsystemanditsprocesses4.4.1: Determine and apply the criteria and methods (including monitoring,measurements and related performance indicators) needed to ensure the effectiveoperationandcontroloftheseprocesses;Evaluatetheseprocessesandimplementanychangesneededtoensurethattheseprocessesachievetheirintendedresults.

9.1Monitoring,measurement,analysisandevaluation

The organization shall evaluate the performance and the effectiveness of the qualitymanagementsystem.

Under ISO 9001:2015, if the auditee has not establishedmetrics for core processes, theauditor can issue a nonconformance against clause4.4.1 for lackof definedperformanceindicators for sales, design, purchasing, production, or service. The auditee could assertthattheirperformanceindicatorswerethetrendchartsusedtomonitorsales,design,etc.—and that all were “good.” With the ISO 9001:2008 requirement, “good” was not asacceptable.Arguing with auditees (who are also your customers) is never a good thing.

ISO 9001:2008 was fairly clear in its requirement to establish metrics for the coreprocessesofanorganization.Overthelast15years,Ihavebeenquitesuccessfulincoachingclientsintoestablishing

goals for their processes, and those goals have been helpful in measuring improvementactivities. I think the writers of ISO 9001:2015 have done the ISO quality world adisservicebydilutingtherequirementtoestablishmetricsandgoalsforcoreprocesses.Itis particularly disappointing since the spirit of the 2015 standard is to promote theintegration of ISO 9001 into the organization’s business. Well-run businesses know allabout setting hardmetrics andwill continue to establishmetrics and goals in support oftheirimprovementactivities.OrganizationsseekingISO9001certificationforthefirsttimeshouldconsiderestablishingmetricsandgoalsforkeybusinessprocesses.

9.1MONITORING,MEASUREMENT,ANALYSISANDEVALUATION

9.1.1GeneralTheorganizationshalldeterminethemethodsformonitoring,measurement,analysisandevaluationoftheeffectivenessofthequalitymanagementsystemandretainappropriatedocumentedinformationasevidenceoftheresults.

9.1.2CustomersatisfactionTheorganizationshalldeterminethemethodsforobtaining,monitoringandreviewingcustomerperceptionsofthedegreetowhichtheirneedsandexpectationshavebeenfulfilled.

NOTE:Examplesofmonitoringcustomerperceptionscan includecustomersurveys,customer feedbackondeliveredproducts and services, meetings with customers, market-share analysis, compliments, warranty claims and dealerreports.

9.1.3AnalysisandevaluationTheorganizationshallanalyzeandevaluate:

•Conformityofproductsandservices;•Thedegreeofcustomersatisfaction;•Theperformanceandeffectivenessofthequalitymanagementsystem;•Whetherplanninghasbeenimplementedeffectively;•Theeffectivenessofactionstakentoaddressrisksandopportunities;•Theperformanceofexternalproviders;•Theneedforimprovementstothequalitymanagementsystem.

Therequirementforclause9.1.2,Customersatisfaction,hasnotchanged.Awiderangeofoptionscanbeusedtoobtainfeedbackfromcustomers,suchas:

CustomersurveysSupplierratingsbycustomersCustomermeetingreportsRepeatbusinessMarketshareanalysisLostbusinessanalysisCustomercomplimentsDealerreports

Reductionsincustomercomplaints,customerreturns,andwarrantyreturnsarenotsufficientmeasuresofcustomersatisfaction;aproactiveapproachisrequired.Customersurveysaregenerally not useful in the business-to-business context. Surveys have more success(debatably) in the business-to-consumer world. I have witnessed some manufacturingorganizations achieving success using surveys. It is all in the approach used—and thecustomer’sbeliefthatsomethingwillbedonewiththefeedback.Somesmallclientsusethe“adhoc”survey.Whendiscussingasalesortechnicalissuewithacustomer,attheendofthe conversation, the supplierwill conduct a five-minute spot survey consistingof a fewquestions:How’s our quality/delivery/support?What is working well?What’s not working sowell?Thankyouandhaveagreatday!

At a minimum, the organization should have a documented plan for collecting customerfeedbackandafilecontainingarecordoftheresults.Theplanshouldbespecific,definingwhattheorganizationwilldo,notwhat itmaydo.Manycustomerfeedbackplansare toovaguetoallowauditing,asinthefollowingexample:Thecompanycontinuouslymonitorscustomersatisfactionusingavarietyofmonitoringandmeasurementmethods.Theseincludebutarenotlimitedtoon-timedeliveriesandreviewandanalysisofcustomerreturns.Inordertomonitorcustomersatisfactionandperception, sales representatives, customer service representatives, and otherappropriatepersonnelmaycontactcustomerseitherbyphoneorpersonalinterviews.

If I were auditing this customer feedback plan, I would request to see copies of theinterviews and reports from customers. If therewas a reasonable number of notes—andevidence of analysis and follow-up—Iwould consider this organization in conformancewith the requirement for customer feedback, particularly if its reject rate fromcustomerswasquitelow.Iwouldsuggestthatthisorganizationmodifyitsplan(procedure)torecordthepracticeofcollectingandrecordinginterviewswithcustomersandconsideroptionsto

specify the typeof customers interviewed (i.e., key customers) and the quantity of notes.Whilethisapproachmightsuitthescopeandcontextofanorganizationprovidingmachinedparts,moldedparts,orsimilar,anoriginalequipmentmanufactureroracompanyprovidingproductstoconsumersshouldbemorecreativeinsolicitingfeedbackfromcustomers.Inmyopinion,theassessmentofcustomersatisfactionhasbeenasourceofinconsistency

onthepartof ISO9001auditors in thepastseveralyears.Third-partyauditors that issuenonconformances related to this requirement are not adding much value to the auditee’sperformance. The organization’s response to the customer feedback nonconformance isoftentheimplementationofacustomersurvey—asurveywhoseresponserateislessthan15%. In those cases, the ISO9001 customer satisfaction requirement is satisfied, but theorganization’srelationshipwiththecustomermaynotimprove;infact,somecustomersmaybeannoyedbythesurvey!In the spirit of ISO 9001:2015, I suggest that organizations seeking to satisfy the

requirementsofclause9.1.2,Customersatisfaction,considerthecontextof theirbusinessmodel:What’simportanttotheircustomerbase?Howdoessolicitingcustomerfeedbackfittheir business strategy? Best-in-class organizations I’ve encountered in the last severalyears consider customer satisfaction a given for a successful business; they are seekingcustomerloyalty.Clause9.1.3,Analysisandevaluation,requirestheorganizationtoanalyzeandevaluate

theperformanceoftheQMS.NewtoISO9001:2015istheanalysisoftheeffectivenessofactionstakentoaddressrisksandopportunities.Chapter6outlinesriskanalysisapproachesavailable to the organization. I believe the requirement for risk analysis is a valuableadditiontothenewstandard,particularlyforsmallerorganizationswithminimalresources.Theother requirementsofclause9.1.3willbeaddressed in thediscussionofclause9.3,Managementreview,below.

AuditQuestionsClause9.1Whatmethodsareused tomeasure theprocesses in theorganization’sQMS?Whatare themetricsandgoals for thefollowingprocesses?Sales,design,purchasing,infrastructure(maintenance),production,service

If the organization has not established a measurement for a process in the QMS, what method is used by theorganizationtomonitorthatprocess?

Whenplannedresultsorgoalsarenotachieved,whatprocess isusedby theorganization tomakecorrectionsor takecorrectiveactiontosupportimprovementsintheQMS?

Clause9.1.2Whatarethemethodsorprocessesusedbytheorganizationtoobtainfeedbackfromcustomersastotheorganization’sperformance?

Examples:Customersurveys,supplier ratingsbycustomers,customermeeting reports, repeatbusiness,marketshareanalysis,lostbusinessanalysis,customercompliments,dealerreports

Howorwhereistheprocess(plan)tocollecttheperceptionofcustomersatisfactiondocumented?

Whatrecordsareusedtoverifythatthecustomersatisfactionprocessisbeingmaintainedbytheorganization?

Clause9.1.3

Seeclause9.3,Managementreview.

9.2INTERNALAUDIT9.2.1: The organization shall conduct internal audits at planned intervals to provide information on whether the qualitymanagementsystemiseffectively implementedandmaintainedandconformstotheorganization’sownrequirementsforitsqualitymanagementsystemandtherequirementsofthisInternationalStandard.

9.2.2:Theorganizationshallplan,establish,implementandmaintainanauditprogramincludingthefrequency,methods,responsibilities, planning requirements and reporting, taking into consideration the importance of the processesconcerned,changesaffectingtheorganizationandtheresultsofpreviousaudits.Theorganizationshall:

•Definetheauditcriteriaandscopeforeachaudit;•Selectauditorsandconductauditstoensureobjectivityandtheimpartialityoftheauditprocess;•Ensurethattheresultsoftheauditsarereportedtorelevantmanagement;•Takeappropriatecorrectionandcorrectiveactionwithoutunduedelay;•Retaindocumentedinformationasevidenceoftheimplementationoftheauditprogramandtheauditresults.

InestablishinganinternalauditprocessfortheQMS,thecompanyhasseveralrequirementstoaddress:

Whatisthescheduleorauditplan?Howisthescheduleformulated?HaveallQMSprocesses/clausesbeenaudited?Howisauditevidenceobtainedandrecorded?Havetheauditorsbeentrained/qualified?Areauditsoccurringaccordingtoschedule?Arethefollow-upactionsandreportingtomanagementtimely?

For an organization seeking registration to ISO 9001:2015 for the first time, evidenceshould be provided that the organization conducted an internal audit to all clauses inISO 9001:2015. The internal audit results should provide “information on whether thequality management system . . . conforms to . . . the requirements of this InternationalStandard.”Additionally, the organization needs to demonstrate that it “conforms to theorganization’s own requirements for its quality management system.” To satisfy thisrequirement, internal audit evidencemust show that theorganization’spracticesmatch itsinterpretationofISO9001:2015aswellasitsrelateddocumentedinformation(proceduresandinstructions).Table 9.1 shows a process audit plan for the Jones Plastics Company, the injection

molding company from Chapter 4. Jones Co. performs the manufacturing processes ofmolding,machining,andassemblyusingcustomer-provideddesigns.Thisplanisbasedontheprocessauditapproach.Whenauditingacoreprocesssuchas

salesorproduction,therelatedsupportprocessescanalsobesampled.Supportprocessesthatconnecttoallcoreprocessesaredocumentsandrecords,communicationofthequality

policy and quality objectives, and competence and training. Production and serviceprocesses will typically also link to calibration, maintenance, and work environmentfactors. The ISO 9001:2015 clauses at the top of the plan are listed in generic terms tosimplifyexplanationoftheprocessauditconcept.Inpractice,theorganizationwillneedtoconnectthegenericISO9001clausestotheactualtermsofISO9001:2015toensurethatallrequirements are audited. Inplanning internal audits, theorganizationneeds to satisfy therequirementofclause9.2.2:The organization shall plan, establish, implement and maintain an audit programincludingthefrequency,methods,responsibilities,planningrequirementsandreporting,takingintoconsiderationtheimportanceoftheprocessesconcerned,changesaffectingtheorganizationandtheresultsofpreviousaudits.

The organization should establish a priority system for allotting auditor time in order tomaximize information gleaned from the internal audits. Processeswith deficiencies frompast auditsmayneed tobeauditedmore frequently thanauditswithno issues.Processespresentingthegreatestriskto theorganization(e.g.,customerreturns,cost impact)shouldalsoreceivemoreauditingattention.IntheauditplanshowninTable9.1,theJonesPlasticsCompany established a ranking systemwhereby processeswith a high impact should beaudited every 6 months; medium impact, every 12 months; and low impact, every 18months.Oncetheplanisorganizedforimpactandfrequency,theorganizationshouldassignauditorsforthenextyearortwo.

QualificationsandTrainingRequirementsforInternalAuditorsClause9.2doesnotexplicitlydefinearequirementforauditorqualifications.Itdoesstate:“Select auditors andconduct audits to ensureobjectivity and the impartialityof the auditprocess.” This is common practice in auditing for all management systems. An internalauditorfromtheproductionprocessshouldnotbeassignedtoaudithisorherownprocess.Those assigned the responsibility and authority tomanage theQMSneed to be judiciouswhendecidingwhethertheyaretooinvolvedinprovidinginternalauditsfortheclausetheyareresponsibleformanaging.Clause 7.2, Competence, states: “The organization shall ensure that these persons are

competentonthebasisofappropriateeducation,trainingorexperience.”An experienced third-party auditor will challenge the organization on how and why theorganization’s internalauditorsarequalified toconductISO9001:2015internalaudits.Arecommended approach for qualifying internal auditors is to have several employees(dependingon the sizeof organization) trainedby aQMSexpert, either throughapublictraining course or on site if that option is more efficient due to class size. Once a fewemployeesarequalifiedtoconductISO9001internalaudits,theorganizationcanhavethemtrainotheremployeestodothesame.It isimportanttohaveadefinedplanforqualifyingauditors—andtokeeprecordsofhowtheyaretrained.Ifathird-partyconsultantisusedtoconductinternalaudits,theirqualificationsshouldbenotedintheorganization’sfiles,andtheirroleshouldbedocumentedintheorganization’sprocedures.Thereareafewwaysanorganizationmayretaindocumentedinformationasevidence

oftheimplementationoftheauditprogramandtheauditresults.Preparedchecksheetsorcustomizedquestionlistsarecommonlyusedtodrivetheauditfactfinding.Oneoptionusedbyboth internalandexternalauditors is theprocessdiagramor“turtlediagram,”anexampleofwhichisshowninFigure9.2.Theauditorusesthistypeofdiagramtocollectandrecordinputandoutputdataforaprocessinthe“head”and“tail,”whilethefour“legs”capture the related equipment,machines, andmeasuringdevices; the employees involved(training); the process metrics or measures; and the methods or procedures defining theprocessandcontrols.

While theprocessdiagramcanbeusedeffectively tocollect evidenceduringanaudit,this techniqueispronetoerror if theauditor isnotproperly trainedandthepersonbeingintervieweddoesnotunderstandthetermsandthequestionsbeingasked.Ithinktheprocessdiagram is best used in preparing for an audit—and should be supplemented withconventional check sheets during the actual audit and interviews. Figure 9.3 shows aprocessdiagramfortheauditofaninjectionmoldingprocess.

Prior to interviewing the operating personnel, the auditor should meet with variouspersonnel involved in the process planning and collect information on the inputs, rawmaterials, etc. The support documentation to control the process, the specific equipmentinvolved,andtheparameterstomeasuretheeffectivenessoftheprocessareresearchedandrecordedby theauditor.Theemployees involved in supporting theprocessbeingauditedareidentifiedaswell.Thisinformationassiststheauditorinverifyingthetrainingrequiredfor operations, quality, and maintenance personnel. Finally, the output of the processprovidestheauditorwithinformationonqualityacceptancecriteriaandlotquantities.An audit check sheet can then be used to control the interviews during the audit. In a

production or service operation, the check sheet can be organized as process based tocombineseveralclausesofISO9001:2015.AnexampleofachecksheetforaproductionprocessisshowninFigure9.4.

InternalAuditReportsandFollow-UpActionsTheorganizationneedstomaintainareportoftheresultsoftheinternalaudit,includingasummaryreportdefininghowtheauditwasconducted,issuesraised(nonconformancesandopportunitiesforimprovement[OFIs]),andfollow-upactivitiesdefined.Nonconformancesshouldbeenteredintheorganization’scorrectiveactionprocess.OFIsshouldbeaddressedbytheorganization,withfollow-upresponsedocumented.AnOFIisgenerallydefinedasanobservation,whichisnotanonconformancebutasuggestiontoimprovetheefficiency,clarity,orsomeotheraspectoftheprocess.Theseopportunitiesshouldberecordedinthefinalauditreportforthebenefitoftheorganization.

AuditQuestionsClause9.2.1

HowdoestheorganizationplanandscheduleinternalauditsoftheQMS?

Howdoestheorganizationrecorddiscrepanciesornonconformities(findings)discoveredwhenconductinginternalauditsoftheQMS?

HowdoestheorganizationusethestatusandimportanceoftheprocessesintheQMSinestablishingauditfrequency?

HowdoestheorganizationusetheresultsofpreviousauditsoftheQMSinestablishingauditfrequency?

Howaretheinternalauditorstrainedandqualifiedtoperforminternalaudits?

Howdoestheorganizationensurethatinternalauditsareconductedwithobjectivityandimpartiality?

Ifinternalauditsareconductedbyathird-partyauditor,istheauditorqualifiedtoperformauditstoISO9001:2015?

If internalauditsareconductedbya third-partyauditor,has theorganization’smanagementapproved theauditplanandtheprocessforfollow-upactivities?

9.3MANAGEMENTREVIEW

9.3.1GeneralTopmanagementshallreviewtheorganization’squalitymanagementsystem,atplannedintervals,toensureitscontinuingsuitability,adequacy,effectivenessandalignmentwiththestrategicdirectionoftheorganization.

9.3.2ManagementreviewinputsThemanagementreviewshallbeplannedandcarriedouttakingintoconsideration:

•Thestatusofactionsfrompreviousmanagementreviews;•Changesinexternalandinternalissuesthatarerelevanttothequalitymanagementsystem;•Theadequacyofresources;•Theeffectivenessofactionstakentoaddressrisksandopportunities;•Opportunitiesforimprovement.

The management review shall contain information on the performance and effectiveness of the quality managementsystem,includingtrendsin:

•Customersatisfactionandfeedbackfromrelevantinterestedparties;•Theextenttowhichqualityobjectiveshavebeenmet;•Processperformanceandconformityofproductsandservices;•Nonconformitiesandcorrectiveactions;•Monitoringandmeasurementresults;•Auditresults;•Theperformanceofexternalproviders.

9.3.3ManagementreviewoutputsTheoutputsofthemanagementreviewshallincludedecisionsandactionsrelatedto:

•Opportunitiesforimprovement;•Anyneedforchangestothequalitymanagementsystem;•Resourceneeds.

Theorganizationshallretaindocumentedinformationasevidenceoftheresultsofmanagementreviews.

The organization has several options related to reporting the status of the QMS. Themanagement review meeting can be incorporated into the organization’s businessmanagement meetings. Whatever the format, the agenda of the QMS review meeting isstraightforward and prescriptive—each agenda topic needs to be addressed during thefrequencycycleestablishedintheorganization’splanning.Ataminimum,theQMSshouldbereviewedannuallybytheorganization’sseniorstaff.

Consistent with the requirement of ISO 9001:2015 clause 5.1, Leadership andcommitment(“ensuringtheintegrationof thequalitymanagementsystemrequirements intothe organization’s business processes”), top management should both attend and fullyparticipateinthequalitymanagementmeetings.Theemphasisontopmanagement’sstrongerinvolvementintheQMSisnewtoISO9001:2015.ManyISO9001–certifiedorganizationshavealready integratedqualitymanagement into theirbusinessmodelandstrategy. Ihaveaudited companies of all sizes whose quality performancemetrics were woven into thebusiness plan: the KPIs assigned to quality and business parameters also included theenvironmental metrics of hazardous waste reduction, material recycling, and utility use.Qualitywastereductionprojectsincludedimprovedenvironmentalperformance.In my observations, best-in-class organizations have established a BMS incorporating

their financial, quality, safety, and environmental systems into a cohesive operationalmodel. A natural byproduct of a successful BMS is improved employee, supplier, andcommunity relationships.Unfortunately, I have also audited toomany ISO9001–certifiedorganizations where top management treats their ISO 9001 certificate as “just anotherprogram,”with responsibilities delegated andmanagedwith the least drain on resourcesand costs. ISO 9001:2015 is attempting to address this apparent gap by providing theregistrar’s third-partyauditorswithclearrequirementsrelatedtotopmanagement’sdirectinvolvementintheorganization’squalityperformanceandconnectiontotheorganization’sbusinessstrategy.“Suitability”meanstheQMSmustbeappropriatetotheorganization’scurrentprocesses

—what the organization does. If the organization adds new manufacturing or serviceactivities, the organization needs to consider whether the QMS is still appropriate.“Adequacy”referstowhethertheQMSmeetstherequirementsoftheInternationalStandardand is implemented appropriately. “Effectiveness” refers to whether it is achieving thedesiredresults(i.e.,meetingitsobjectives).WhenreviewingtheQMS,managementshouldprovideasummarystatementaddressingthesuitability,adequacy,andeffectivenessoftheQMS,highlightingwheregapsmayexistandwheremanagementactions(andresources)arerequiredtoputthequalitycommitmentsbackontrack.

AuditQuestionsClause9.3.1What is the frequency for conducting management reviews of the QMS?What are the dates of the two most recentmeetings?

Howdoestheorganizationreviewtheperformanceoftheproducts(orservices)providedbytheorganization?

HowdoestheorganizationreviewtheperformanceoftheprocessesintheQMS?Examples: Sales/order entry, design, external providers (purchasing), manufacturing, services, engineering support,qualityassurance,facilities/maintenance,shipping/warehouse,humanresources

Domanagementreviewnotescontaininformationon:•Resultsofaudits?•Customerfeedback?•Statusofcorrectiveactions?•Follow-upactionsfrompreviousmanagementreviews?

•ChangesthatcouldaffecttheQMS?

Howdoestheorganizationsummarizethesuitability,adequacy,andeffectivenessofitsQMS?

10Clause10:Improvement

10.1GENERALTheorganization shall determineand select opportunities for improving the performanceandeffectiveness of the qualitymanagementsystemandimplementanynecessaryactionstoenhancecustomersatisfactiontoinclude:

•Improvingproductsandservicestomeetrequirementsaswellastoaddressfutureneedsandexpectations;•Correcting,preventingorreducingundesiredeffect.

Clause10 requires theorganization to establish andmaintainprocesses to correct errorsandmakeimprovementsintheQMS.Inadditiontoensuringthattheorganizationcomplieswith its customer commitments, the ISO 9001:2015 standard requires the organization toanalyze and improve its performance. Prior versions of ISO9001 included clause 8.5.3,Preventiveaction:The organization shall determine action to eliminate the causes of potentialnonconformities in order to prevent their occurrence. Preventive actions shall beappropriatetotheeffectsofthepotentialproblems.

TheriskanalysisclausesofISO9001:2015outlineaformofpreventiveaction;theentireQMS is preventive in nature. The removal of the preventive action requirement is longoverdue.ReaderswithmanyyearsofexperiencewithISO9001auditingwillberelievedtono longer hear an auditor say “You don’t have any preventive actions” or “That’s acorrectiveaction,notapreventiveaction.”TheadventofSixSigmaandleanmanufacturinginthelastseveralyearshasprovidedorganizationsofallsizeswithtechniquestoeliminatethe causes of potential nonconformities. Proper application of risk analysis is a goodadditiontoISO9001,inmyopinion.

10.2NONCONFORMITYANDCORRECTIVEACTION

10.2.1: When nonconformity occurs, including any arising from complaints, the organization shall react to thenonconformityand,asapplicable,takeactiontocontrolandcorrectanddealwiththeconsequences.

Theorganizationshallevaluatetheneedforactiontoeliminatethecauseofthenonconformity,inorderthatitdoesnotrecuroroccurelsewhere,by:

•Reviewingandanalyzingthenonconformity;•Determiningthecausesofthenonconformity;•Determiningifsimilarnonconformitiesexist,orcouldpotentiallyoccur;•Implementinganyactionneeded;•Reviewingtheeffectivenessofanycorrectiveactiontaken;•Updatingtherisksandopportunitiesdeterminedduringplanning,ifnecessary;•MakingchangestotheQMS,ifnecessary.

Correctiveactionsshallbeappropriatetotheeffectsofthenonconformitiesencountered.

10.2.2: The organization shall retain documented information as evidence of the nature of the nonconformities and anysubsequentactionstakenandtheresultsofanycorrectiveaction.

Mostcompanies,whethertheyhaveaformalQMSornot,haveacorrectiveactionprocess.Forover25years, ISO9001haspromulgatedcorrective action initiatives,which, inmyopinion, hasmade a great contribution to improvements inmanufacturing product qualityandservices.Some situations call for a formal,multifunction corrective actionwith cause analysis,

effectivenessmonitoring,andsoforth,butafind-and-fixapproachcanoftenbeeffectiveaswell.Duringaplanttour,severalminordeficienciesmightbeobserved.Inthatcase,ratherthan entering the items in the corrective action program, the issues could be fixed orresolvedandrecordedinalogsuchastheoneshowninTable10.1.

Thelogwouldbereviewedbythequalitymanager(orteam)toensureproperfollow-up.Iftheissuesrecurred,aformalnonconformance/correctiveactionmightbenecessary.Ifthesituationrequirestheissuanceofacorrectiveaction,theactionshouldnotonlyfix

theproblembutalsomaximizeanalysistopreventrecurrenceoftheissue.Inacorrectiveaction the actions should correct the situation, provide analysis of cause, and providecorrectionforcause.Thefollowingisanexampleofacorrectiveaction:

DescriptionofNonconformityScalesatloadingdocknotcalibrated

CorrectiveActionCalibratescales

RootCauseThemanualMasterCalibrationlistisnotbeingmaintained

CorrectionforCauseQualitymanagerwillpurchasenewsoftwaresystemwithschedulecapability

Diligenceinbothrootcauseanalysisanddeterminingthecorrectionforcauseisessentialinmaintaininganeffectivecorrectiveactionprocess.Acommonrootcauseanalysistechniquereferred to as FiveWhys involves questioning what caused a problem until you can nolongeranswerwhysomethinghappened.SeeAppendixDforanexampleofFiveWhys.Forexample:Acarcrashesintoastore.Why?Thegaspedalstuck.Why?Somethinggotintheway.Why?The floormatmoved.Why? Itwasn’t properly secured.Why?The attachmentdesigndidnotwork.Why?Itwaseitherincorrectlyinstalledorpoorlydesigned.Why?Igiveup!Askthecarmanufacturer.

Oneofmycolleaguesinthequalityworldclaimsthereareonlytworootcausesforeverydefect inmanufacturing: incompetentworkers and arrogantmanagement.And actually, hewouldsay,“theworkersareincompetentbecausemanagementisarrogant!”Inrealitythereareseveralgeneralcategoriesofreasonsforfailuresinmanufacturingandservices:

MisunderstandingofcustomerrequirementsPoordesignLackofclearinstructionsSuppliererrorHumanerror(training)

When the root cause is determined to be human error, or lack of training, the risk of theproblemreoccurringisusuallyhigh.Iftheorganizationdoesnotmakeamajorupgradetoitstrainingprogram,thenthecorrectionforcausewasnoteffective.Mostthird-partyauditorsare reluctant to accept human error or lack of training as a root cause. There is almostalways an attendant cause when human error occurs, such as unclear or complicatedinstructions.To ensure that corrections resolve the issues, and thus avoid repeating the corrective

action reviewandchangesteps, theorganizationshouldestablisheffectivenessmeasures.Using the above scale calibration example, theorganizationwould increase the samplingfrequencyforcalibrationchecks—orbetteryet,asktheusersofcalibrateddevicestotakeownership of the status of devices in their area. Most third-party auditors spendconsiderabletimereviewingtheorganization’scorrectiveactionsandfollow-upactivitiesto evaluate whether corrections are completed in a timely fashion and the fixes areeffective.

AuditQuestionsClause10.2Howdoestheorganizationrespondto:

•Customercomplaints?•Returnedproductsfromcustomers?•Defectiveproductormaterialfromsuppliers?•Defectivematerialorproductduringmanufacturing?•Nonconformancesnotedduringinternalaudits?•Nonconformancesnotedduringcustomerorthird-partyaudits?

Doesthecorrectiveactionprocessinclude:•Correctingthenonconformance?•Determiningthecauseofthenonconformance?•Providingacorrectionforthecausetopreventreoccurrence?•Reviewingtheeffectivenessofthecorrectiveactiontaken?•Closingcorrectiveactionsasplanned?

10.3CONTINUALIMPROVEMENTTheorganizationshallcontinuallyimprovethesuitability,adequacyandeffectivenessofthequalitymanagementsystem.

The organization shall consider the results of analysis and evaluation, and the outputs frommanagement review, todetermineifthereareneedsoropportunitiesthatshallbeaddressedaspartofcontinualimprovement.

The trends in causes of corrective actions in an organization can indicate the need forimprovements. If there are continual or systemic issues related to weak or poorlyimplemented design projects, the organization could establish an improvement team toimprovethedesignprocess.ManyorganizationsareusingqualitytoolssuchasSixSigmatobringaboutimprovements.SixSigmais:Amethodthatprovidesorganizationstoolstoimprovethecapabilityoftheirbusinessprocesses. This increase in performance and decrease in process variation lead todefectreductionandimprovementinprofits,employeemorale,andqualityofproductsor services.SixSigmaquality isa termgenerallyused to indicateaprocess iswellcontrolled (within process limits ±3s from the center line in a control chart, andrequirements/tolerancelimits±6sfromthecenterline).(KubiakandBenbow2009,6–7)

ASQ’swebsite(www.asq.org)hasmanyresourcesfororganizationsinterestedinlearningmoreaboutSixSigma.AppendixEsummarizesSixSigma.Ascaled-downversionofSixSigmausedbymanycompaniestosupporttheirimprovementeffortsistheDMAICprocess.ThefollowingisasummaryoftheDMAICprocess:DMAIC isadata-drivenquality strategyused to improveprocesses. It is an integralpartofaSixSigmainitiative,butingeneralcanbeimplementedasastandalonequalityimprovement procedure or as part of other process improvement initiatives such aslean.DMAICisanacronymforthefivephasesthatmakeuptheprocess:

Definetheproblem,improvementactivity,opportunityforimprovement,theprojectgoals,andcustomer(internalandexternal)requirements.Measureprocessperformance.Analyzetheprocesstodeterminerootcausesofvariation,poorperformance(defects).Improveprocessperformancebyaddressingandeliminatingtherootcauses.Controltheimprovedprocessandfutureprocessperformance.

The DMAIC process easily lends itself to the project approach to qualityimprovementencouragedandpromotedbyJuran.(Borror2009,333)

I’ve seenmany small organizationsbecomeproficient in utilizing theDMAICprocess tobringabout improvements inmany facetsof theirbusiness. Increasedmaterialutilization,reduction of product defects, and reduction of cycle time in software development areexamples of where the DMAIC process can be effective. The discipline of ISO 9001controls is quite consistentwithDMAIC steps and the improvements obtained should bemaintainedaselementsoftheQMS.Otherqualitytoolssuchasleanmanufacturingcanbeutilizedtoimprovetheefficiencyof

processesandproductivity.AccordingtoASQ:Leanmanufacturingisasystemoftechniquesandactivitiesforrunningamanufacturingorserviceoperation.Thetechniquesandactivitiesdifferaccordingtotheapplicationathandbuttheyhavethesameunderlyingprinciple: theeliminationofallnon-value-addingactivitiesandwastefromthebusiness.

Leantechniquescanbeveryhelpfulinreducingsetuptime,reorganizingtheplantfloor,andremoving waste. Employees generally appreciate the lean process as the improvementsoccurratherquicklyandmaketheirjobseasier.AppendixFsummarizesLean.DMAICandleanmanufacturingprograms,implementedinconjunctionwithanISO9001

certification,provideanorganizationwithterrifictoolstoimprovetheirbusinessresults.

AuditQuestionsClause10.3Howdoestheorganizationimprovetheperformanceoftheorganization’sQMS:

•Improvementteams?•Projects?•Trendcharts?

Whatexamplesindicateimprovement?

11InterpretationGuidance:ISO9001:2015

Standard

SeveralclausesofISO9001:2015containrequirementsthat,inmyopinion,aredifficulttointerpret,andAnnexA,Clarificationofnewstructure,terminologyandconcepts,doesnoteffectivelyclarifythem.ThischapterdiscussessomeoftheclausesthatIbelievecouldbeclearerindefiningauditablerequirements.

CLAUSE6.1,ACTIONSTOADDRESSRISKSANDOPPORTUNITIES

Clause 6.1 includes references to previous clause requirements using the clause numberonly,withoutclarifyingthelinkage.Organizationsorauditorsshouldnothavetoreturntoclauses4.1,4.2,and4.4tounderstandtheissuesorrequirementsconnectedtoclause6.1,orwhytheseclausesareimportantinthecontextofplanningforrisks.

6.1Actionstoaddressrisksandopportunities(ASQ/ANSI/ISO9001:2015,asreleasedOctober2015)6.1.1Whenplanningforthequalitymanagementsystem,theorganizationshallconsidertheissuesreferredtoin4.1andtherequirementsreferredtoin4.2anddeterminetherisksandopportunitiesthatneedtobeaddressedto:a)giveassurancethatthequalitymanagementsystemcanachieveitsintendedresult(s);b)enhancedesirableeffects;c)prevent,orreduce,undesiredeffects;d)achieveimprovement6.1.2Theorganizationshallplan:a)actionstoaddresstheserisksandopportunities;b)howto:1)integrateandimplementtheactionsintoitsqualitymanagementsystemprocesses(see4.4);

2)evaluatetheeffectivenessoftheseactions

Actions taken to address risks and opportunities shall be proportionate to thepotentialimpactontheconformityofproductsandservices.NOTE1Optionstoaddressriskscanincludeavoidingrisk, takingriskinorderto

pursue an opportunity, eliminating the risk source, changing the likelihood orconsequences,sharingtherisk,orretainingriskbyinformeddecision.NOTE 2 Opportunities can lead to the adoption of new practices, launching new

products, opening newmarkets, addressing new clients, building partnerships, usingnew technology and other desirable and viable possibilities to address theorganization’soritscustomers’needs.

In Chapter 6, I paraphrased this clause to directly describe the linkagewith clause 4.1,Understanding the organization and its context; clause 4.2, Understanding the needs andexpectations of interested parties; and clause 4.4, Quality management system and itsprocesses.Ibelievetheparaphrasedclause6.1moreclearlydefinestheactionsrequiredtoaddressrisksandopportunities:

6.1Actionstoaddressrisksandopportunities(Author’sparaphrase)6.1.1Whenplanningforthequalitymanagementsystem,theorganizationshallconsiderthecontextoftheorganizationandtheneedsofinterestedparties.The organization shall determine the risks and opportunities that need to be

addressedtogiveassurancethatthequalitymanagementsystemcan:•Achieveitsintendedresults;•Enhancedesirableeffects;•Prevent,orreduce,undesiredeffects;•Achieveimprovement.6.1.2Theorganizationshallplan:•Actionstoaddresstheserisksandopportunities;•Howtointegrateandimplementtheactionsintoitsqualitymanagementsystemprocesses;

•Howtoevaluatetheeffectivenessoftheseactions.Actions taken to address risks and opportunities shall be proportionate to the

potentialimpactontheconformityofproductsandservices.Clause 6.1 includes five levels of indexing (6.1.2.a, 1). Why is this necessary? Theparaphrasedclause6.1 in theHandbook eliminates the fifth level—and could have beenjustasclearwiththreelevels.ThepreviousrevisionofISO9001in2008usedamaximumof three levels and ismuchmore readable and easier to interpret than the 2015version.Other clauses in ISO 9001:2015 that use excessive indexing include clauses 8.1Operational planning and control, 8.5 Production and service provision, and 9.2 Internalaudit.

Writers of the 2015 standard may defend the need to provide multiple levels for arequirement to facilitate the clear presentation of gaps or nonconformances in anorganization’sactionsrelatedtotherequirement.Thisiscontradictedbythemajorityoftheclauses in ISO 9001:2015. For example, clause 8.5.2, Identification and traceability,containsfourrequirements(“shall”s)buthasnoindexing:

8.5.2IdentificationandtraceabilityTheorganization shall use suitablemeans to identify outputswhen it is necessary toensuretheconformityofproductsandservices.Theorganization shall identify the statusofoutputswith respect tomonitoringand

measurementrequirementsthroughoutproductionandserviceprovision.The organization shall control the unique identification of the outputs when

traceabilityisarequirement,andshallretainthedocumentedinformationnecessarytoenabletraceability.

Clause 8.5.3, Property belonging to customers or external providers, and clause 8.5.4,Preservation,arealsonotexcessively indexed.Ironically, inmymind, theseclauseshavemorepotentialfordiscrepanciesandnonconformancesthantheoverindexedclause6.1.SectionA4,Clarification of new structure, terminology and concepts, is intended to

clarify the requirements of clause 6.1, Actions to address risks and opportunities. Theclarification provides a path for organizations to essentially ignore the new requirementrelatedtoanalyzingandaddressingrisk,asitindicatesthatriskplanningdocumentationisnotrequired:

A4Risk-basedthinkingAlthough(6.1)specifiesthattheorganizationshallplanactionstoaddressrisks,thereisnorequirementforformalmethodsforriskmanagementoradocumentedriskmanagement process. Organizations can decide whether or not to develop a moreextensiveriskmanagementmethodologythanisrequiredbythisInternationalStandard,e.g.throughtheapplicationofotherguidanceorstandards.Notalltheprocessesofaqualitymanagementsystemrepresentthesamelevelofrisk

in terms of the organization’s ability to meet its objectives, and the effects ofuncertainty are not the same for all organizations.Under the requirements of 6.1 theorganizationisresponsibleforitsapplicationofrisk-basedthinkingandtheactionsittakes to address risk, including whether or not to retain documented information asevidenceofitsdeterminationofrisks.

The paraphrased interpretation in theHandbook indicates there is a requirement for theorganization to “determine the risks and opportunities that need to be addressed to giveassurance that thequalitymanagement systemcan achieve its intended results.” I believemanythird-partyauditorswillagreewiththisinterpretationofclause6.1.1andwillexpectsomeformofdocumentationshowing that risk-based thinking ispartof theorganization’sQMS.Again,A4,Risk-basedthinking,states:

Undertherequirementsof6.1theorganizationisresponsibleforitsapplicationofrisk-basedthinkingandtheactionsittakestoaddressrisk,includingwhetherornottoretaindocumentedinformationasevidenceofitsdeterminationofrisks.

AguidelineIuseintraininginternalauditorsis,“Ifitisnotdocumented,itdidn’thappen.”Anauditorhaving todetermine if anorganization is applying risk-based thinkingwithoutobjectiveevidence(documentation)iscontrarytotheconceptofauditing.SincethegenesisofISO9000in1987,anecdotalorverbalevidencehasneverbeenacceptableverificationforsatisfyingarequirement.Providingevidencethattheorganizationassessestherisksandopportunitiesrelatedtoits

purpose, business strategy, and expectations of interested parties to ensure that theQMSmeets itsobjectives shouldbea requirement,unlessafterconsideration the organizationcanconvince themselves (and theauditor) that the riskanalysisprocessaddsnovalue totheir business—which is unlikely, in my opinion. Even very small organizations havereasontobeconcernedaboutthechallengesandrisksfacingtheirbusiness.Inmyopinion, theeliminationof thepreventiveaction requirement isagoodstep.The

adventof theSixSigmaand leanmanufacturingquality tools in the lastseveralyearshasprovided organizations of all sizes with techniques to eliminate the causes of potentialnonconformances. Quality tools currently used in many organizations include strategicplanning process, SWOT analysis, Six Sigma, and lean manufacturing programs. FMEAcouldbeapplied.WhileorganizationswithaneffectiveQMScertainlyunderstandtherisksrelated to their operations, the new requirements of ISO9001:2015mayhave a positiveeffect on organizations by requiring a more formalized risk evaluation process andsubjectingittoathird-partyaudit.IencourageorganizationscertifyingtoISO9001:2015toinclude some form of documentation explaining their risk planning process. It is a goodbusinesspractice—andmayhelptheorganizationavoidadisagreementwithanauditorwhodidnotreadAnnex4!

A1STRUCTUREANDTERMINOLOGYISO9001:2015 includes several changes in terminology. “Documented information” nowincludesdocuments,procedures,andworkinstructionsaswellasqualityrecords.AnnexAsectionA1explains:

A1StructureandterminologyTheclausestructure(i.e.clausesequence)andsomeoftheterminologyofthiseditionof this International Standard, in comparison with the previous edition(ISO 9001:2008), have been changed to improve alignment with other managementsystemsstandards.There is no requirement in this International Standard for its structure and

terminology tobeapplied to thedocumented informationof anorganization’squalitymanagementsystem.

The structure of clauses is intended to provide a coherent presentation ofrequirements, rather than a model for documenting an organization’s policies,objectivesandprocesses.Thestructureandcontentofdocumentedinformationrelatedtoaqualitymanagementsystemcanoftenbemorerelevanttoitsusersif itrelatestoboth theprocessesoperatedby theorganizationand informationmaintained forotherpurposes.Thereisnorequirementforthetermsusedbyanorganizationtobereplacedbythe

terms used in this International Standard to specify quality management systemrequirements.Organizationscanchoose touse termswhichsuit theiroperations (e.g.using “records,” “documentation” or “protocols” rather than “documentedinformation”; or “supplier,” “partner” or “vendor” rather than “external provider”).Table A.1 [Table 11.1] shows the major differences in terminology between thiseditionofthisInternationalStandardandthepreviousedition.

According to A1, Structure and terminology, the clause structure was changed fromISO9001:2008toimprovealignmentwithothermanagementsystemstandards.Iamquitefamiliarwith the environmentalmanagement standard ISO14001:2015; that standard hasthe same changes in structure and terminology. It also has the same caveat as ISO9001:there is no need to adopt the new terminology. The justification for this change is quiteweak,particularlywith thedilutionof theconceptofrecords.Asdescribedearlier in theHandbook, quality records are an important part of the QMS. In addition to providingevidenceofconformancetoaspecificationorrequirement,aqualityrecordcanoftenbeanorganization’sbestdefenseagainstacustomerproductreturnorevenalawsuit.Chapter7providesinformationontherecommendedapproachtomanagingqualityrecords.TheAnnexprovidesfurtherguidanceondocumentedinformation:

A6DocumentedinformationAspartofthealignmentwithothermanagementsystemstandards,acommonclauseon“documentedinformation”hasbeenadoptedwithoutsignificantchangeoraddition(see7.5.).Whereappropriate,textelsewhereinthisInternationalStandardhasbeenaligned

with its requirements. Consequently, “documented information” is used for alldocumentrequirements.Where ISO 9001:2008 used specific terminology such as “document” or

“documented procedures,” “quality manual” or “quality plan,” this edition of thisInternationalStandarddefinesrequirementsto“maintaindocumentedinformation.”Where ISO 9001:2008 used the term “records” to denote documents needed to

provide evidence of conformity with requirements, this is now expressed as arequirement to “retain documented information.” The organization is responsible fordeterminingwhatdocumentedinformationneedstoberetained,theperiodoftimeforwhichitistoberetainedandthemediatobeusedforitsretention.Arequirementto“maintain”documentedinformationdoesnotexcludethepossibility

thattheorganizationmightalsoneedto“retain”thatsamedocumentedinformationforaparticularpurpose,e.g.toretainpreviousversionsofit.Where this International Standard refers to “information” rather than “documented

information”(e.g. in4.1:“Theorganizationshallmonitorandreviewthe informationabouttheseexternalandinternalissues”),thereisnorequirementthatthisinformationistobedocumented.Insuchsituations,theorganizationcandecidewhetherornotitisnecessaryorappropriatetomaintaindocumentedinformation.

ISO9001:2015doesnotexplicitlyrefertotherequirementforaqualitymanual;infact,A6guidance allowsorganizationsmore latitude in determiningwhat requires documentation.An experienced third-party auditor, when assessing how management reviewed theinformation about external and internal issues,will expect to see some form of writtenreport—not “controlled,” but documented and dated. As stated previously, a verbaldiscussionwillnotsufficeformostauditors.MyrecommendationsintheHandbooksuggestthatorganizationscurrentlymaintaininga

qualitymanualshouldcontinueusingitasahigh-levelconsolidationofthekeyelements—or road map—of their quality documentation (as was required by ISO 9001:2008).OrganizationswhosequalitymanualparaphraseseachISO9001clauserequirement—goingbackthroughseveralISO9001revisions—shouldseriouslyconsiderupdatingtheirqualitymanualtoinclude:

Adescriptionoftheorganization’sbusinessmodel,includingthecontextoftheorganizationandtheexpectationsofinterestedpartiesThescope(theactivities,processes,andbuildingsandlocations)oftheQMSAdescriptionofthoseISO9001:2015requirementsthatarenotapplicabletotheQMS,astheydonotaffecttheorganization’sabilityorresponsibilitytoensuretheconformityofitsproductsandservicesThedocumentedprocedures(documentedinformation)establishedfortheQMS,orreferencetothemAdescriptionoftheQMSprocessesandhowtheyinteract

ThequalitypolicyResponsibilities/authorities

As an RABQSA (Exemplar Global) qualified lead auditor (QMS, EMS) for almost20 years and having conducted hundreds of audits for companies ranging from a fewemployees to thousands of employees, I cannot understandwhat the authors ofAnnexAwere trying to promulgate with the “new” documented information concept. The thirdparagraphinA1Structureandterminologystates:Thestructureofclausesisintendedtoprovideacoherentpresentationofrequirements,rather than a model for documenting an organization’s policies, objectives andprocesses. The structure and content of documented information related to a qualitymanagement system can often be more relevant to its users if it relates to both theprocessesoperatedbytheorganizationandinformationmaintainedforotherpurposes.

Itisnotcleartomehowanorganizationwouldfindwaystoapplythe“advice”givenintheabovestatement.Isuggestorganizationscontinueto“documentwhatyoudo—dowhatyoudocument.”ThedocumentationoftheQMSshouldbesuitabletotheorganization’sbusinessandprovidevalue inmanagingtheorganization’sprocesses.Theoverarchingprinciple indocumentation should be to formalize what is needed to ensure that users of thedocumentation have a source for information and instructions that is accurate and timely,providingconsistencyinmanagingthebusiness.

AppendixAISO9001:2015GapAnalysis

SummaryofChangesfromISO9001:2008

ISO9001CHRONOLOGY1987 ISO9001initialissue1994 ISO9001revision2000 ISO9001revision2008 ISO9001amendment2015 ISO9001revision

ISO9001:2015ASAPROCESS

TRANSITIONALPERIODSOFISO9001:2015•TheISO9001:2015standardwaspublishedonOctober25,2015

•CompaniesthatarecertifiedtoISO9001:2008havethreeyearstobringtheirQMSuptodatewithISO9001:2015

•EventuallyallcertificatesinaccordancewithISO9001:2008willbecomeinvalidandwillbewithdrawnasofOctober25,2018

CONTEXTOFTHEORGANIZATIONANDEXPECTATIONSOFINTERESTEDPARTIES

ISO9001:2015Requirement4.1UnderstandingtheorganizationanditscontextTheorganizationshalldetermineexternalandinternalissuesthatarerelevanttoitspurposeanditsstrategicdirectionandthataffect itsability toachieve the intended result(s) of its qualitymanagement system.Theorganization shallmonitorandreviewinformationabouttheseexternalandinternalissues.

NOTE1:Issuescanincludepositiveandnegativefactorsorconditionsforconsideration.NOTE2:Understandingtheexternalcontextcanbefacilitatedbyconsideringissuesarisingfromlegal,technological,

competitive,market,cultural,socialandeconomicenvironments,whetherinternational,national,regionalorlocal.NOTE 3: Understanding the internal context can be facilitated by considering issues related to values, culture,

knowledgeandperformanceoftheorganization.

ISO9001:2015Requirement4.2UnderstandingtheneedsandexpectationsofinterestedpartiesDuetotheireffectorpotentialeffectontheorganization’sability toconsistentlyprovideproductsandservicesthatmeetcustomerandapplicablestatutoryandregulatoryrequirements,theorganizationshalldetermine:

a)theinterestedpartiesthatarerelevanttothequalitymanagementsystem;b)therequirementsoftheseinterestedpartiesthatarerelevanttothequalitymanagementsystem

Theorganizationshallmonitorandreviewinformationabouttheseinterestedpartiesandtheirrelevantrequirements.

ConsiderationsforContextandInterestedParties•Whataretheinternalandexternalissuesthatarerelevanttotheorganization’spurposeanditsstrategicdirection?Examples:Legal,technological,competitive,market,cultural,social,andeconomicenvironments,whetherinternational,national,regional,orlocal

•Howdoestheorganizationreviewandmonitortherelevantinternalandexternalissues?Example:Businessplanningstrategy

•Who/whataretheinterestedpartiesthatarerelevanttotheQMS?Examples:Legalagenciesandregulatorybodies,creatorsofnewtechnology,newcompetitors

•Howdoestheorganizationreviewandmonitortherequirementsofrelevantinterestedparties?Example:Businessplanningstrategy

Thefollowingchecklistscanbeusedtoexplorethecontextoftheorganization.Reviewthepossibleexternalissues,internalissues,andinterestedpartiesonthechecklistsandcheckoff those that could impact the organization. For each item checked, the organization candevelopaplantomanagetherisksandopportunitiesspecifictothatarea.

INTEGRATIONOFTHEQMSINTOTHEBUSINESSPROCESSES

ISO9001:2015Requirement5.1.1LeadershipandcommitmentTopmanagementshalldemonstrateleadershipandcommitmentwithrespecttothequalitymanagementsystemby:

a)ensuringtheintegrationofthequalitymanagementsystemrequirementsintotheorganization’sbusinessprocesses

Summary:LeadershipandCommitmentHow does the organization’s top management integrate the QMS requirements into theorganization’sbusinessprocesses?

AnorganizationwithanintegratedbusinesssystemisonewhoseQMSincludescontrol,monitoring,andperformancemeasurementsforallrelevantbusinessprocesses.Anexample is how theorganizationmeasuresKPIs.TheKPIs forqualityperformance

typicallyincludeinternalqualityorwaste,deliveryperformance,supplierperformance,anddesignperformance.AnintegratedbusinesssystemwillincludeKPIs(asappropriate)forfinancialresultsand

environmentalandsafetyperformance.

ACTIONSTOADDRESSRISKSANDOPPORTUNITIES

ISO9001:2015Requirement6.1.1:Whenplanningforthequalitymanagementsystem,theorganizationshallconsiderthecontextoftheorganizationandtheneedsofinterestedparties.

The organization shall determine the risks and opportunities that need to be addressed to give assurance that thequalitymanagementsystemcan:

a)achieveitsintendedresults;b)enhancedesirableeffects;c)prevent,orreduce,undesiredeffects;d)achieveimprovement

Note: ISO 9001:2015 does not have a requirement for “preventive action.” The thought is the entire qualitymanagementsystemispreventiveinnatureandtheriskanalysisapproachisalsopreventive.

Summary:RiskAssessment•Howdoestheorganizationassesstherisksandopportunitiesrelatedtoitspurpose,itsbusinessstrategy,andtheexpectationsofinterestedpartiestoensuretheQMSmeetsitsobjectives?Examples:Strategicplanningprocess,SWOTanalysis,SixSigma,leanmanufacturing,FMEA

•Whataresomeexamplesofhowtheorganizationaddressestheidentifiedrisksandopportunities?Examples:Reportsorrecordsofriskanalysis

Specificareaswhereriskanalysiscanbeappliedinclude:•Processorequipmentchanges:Whenproductionequipmentorprocessesarechanged,theimplementationplanshouldincludethepotentialrisktoproductquality.Testinga“new”productmaterialpriortoreleasetocustomersisacommontechniqueemployed,alongwiththeapplicationofFMEA.

•Rawmaterialspecificationcontrol:Anychangeinmaterialsusedinproductionshouldbetestedbeforereleasetocustomers.Theorganizationshouldensureitssuppliersareawareoftheneedtocommunicateandmaintaincontrolofanychangesintheirspecificationsorprocesses.

•Documentcontrolandreview:Theorganizationshouldensurethatdocumentsusedbyemployeesaremaintainedandcontrolledtoavoidmistakes.Employeeinstructionsshould

bereviewedatsomefrequencytoensureemployeesarenotbypassingoperatinginstructions.

•Design:Duringthedesignprocess,arobustverificationandvalidationplanshouldbeemployedtoeliminaterisksrelatedtonewdesigns.Thenewdesignprocessshouldalsoincludeariskanalysisrelatedtotheimpactthenewdesignprocessmayhaveonemployeesafetyandtheenvironment,includingend-of-lifedisposalissues.

•Regulatoryupdates:Theorganizationshouldmaintainaprocesstostayuptodateonchangestostatutoryandregulatoryobligationsrelatedtoitsproductstoeliminaterisksrelatedtononcompliance.

•Outsourcedprocesses:Processesperformedbyexternalpartiescancreateariskfortheorganizationinmeetingitscommitment.Externalsupplierselectionshouldincludecontrolsrelatedtotheimpactthesuppliercouldhaveonproducingacceptableproductsorservices.Inspectionofexternallysuppliedproductsshouldbebasedoninspectioncostversusriskrelatedtosuppliererrors.

•Planningofinternalaudits:Thetimingofinternalauditsforvariousprocessesshouldbebasedontheimpacttheprocesshasonqualityperformanceaswellasthehistorytheparticularprocesshasofgeneratingnonconformances.Byfocusingonthehistoryandimpactofeachprocess,theorganizationcanallocateauditingresourcestoreducetheriskoferrors.

•Effectivenessofcorrectiveactions:Animportantconsiderationinthecorrectiveactionprocessishoweffectivelythecorrectionreducestheriskofthesameissuerecurring.Timeandresourcesallocatedtomeasuringtheeffectivenessofthecorrectionshouldbecommensuratewiththeriskofrecurrence.

TOPMANAGEMENTCOMMITMENT

ISO9001:2015Requirement5.3Organizationalroles,responsibilitiesandauthoritiesTopmanagementshallensurethattheresponsibilitiesandauthoritiesforrelevantrolesareassigned,communicatedandunderstoodwithintheorganization.

Top management shall assign the responsibility and authority for: ensuring that the quality management systemconformstotherequirementsofthisInternationalStandard;

a)ensuringthattheprocessesaredeliveringtheirintendedoutputs;b) reportingon theperformanceof thequalitymanagementsystemandonopportunities for improvement inparticular to

topmanagement;c)ensuringthepromotionofcustomerfocusthroughouttheorganization;d)ensuringthattheintegrityofthequalitymanagementsystemismaintainedwhenchangestothequalitymanagement

systemareplannedandimplemented

TopManagementChangeswithISO9001:2015•TheISO9001:2015standarddoesnotusethetitle“managementrepresentative”aspreviousISO9001standardsdid

•Theorganizationcancontinuetousethe“managementrepresentative”titletoconveycertainresponsibilities

•TheintentofISO9001:2015istoemphasizetopmanagement’sresponsibilitiesasgoingbeyonddelegating

Summary:TopManagement’sRole•HowdoestopmanagementintegratetheQMSrequirementsintotheorganization’sbusinessprocesses?

•WhatistheevidencetoindicatethattopmanagementprovidesresourcestosupporttheQMS?Examples:Newequipment,resources

•Howdoestopmanagementpromotetheuseoftheprocessapproachandrisk-basedthinking?

•HowdoestopmanagementcommunicatetheimportanceofeffectivequalitymanagementandofconformancetotheQMSrequirements?

•Howdoestopmanagementdemonstrateleadershipandcommitmentwithrespecttocustomerfocusbyensuringthatcustomerrequirementsandapplicablestatutoryandregulatoryrequirementsaredetermined,understood,andconsistentlymet?

•Howdoestopmanagementassesstherisksandopportunitiesthatcanaffectconformityofproductsandservices?

ExamplesofTopManagementCommitment•Domembersoftopmanagementattendqualitymanagementreviews?•Isthemanagementrepresentativeamemberoftheseniorstaff?•DoesmanagementprovidesupportforresourcesnecessarytomaintainandimprovetheQMS?

ORGANIZATIONALKNOWLEDGE

ISO9001:2015Requirement7.1.6OrganizationalknowledgeTheorganizationshalldeterminetheknowledgenecessaryfortheoperationofitsprocessesandtoachieveconformityofproductsandservices.

Thisknowledgeshallbemaintainedandbemadeavailabletotheextentnecessary.Whenaddressingchangingneedsandtrends,theorganizationshallconsideritscurrentknowledgeanddeterminehow

toacquireoraccessanynecessaryadditionalknowledgeandrequiredupdates.NOTE1:Organizationalknowledgeisknowledgespecifictotheorganization;itisgenerallygainedbyexperience.Itis

informationthatisusedandsharedtoachievetheorganization’sobjectives.NOTE2:Organizationalknowledgecanbebasedon:

a) internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned from failures andsuccessfulprojects;capturingandsharingundocumentedknowledgeandexperience; the resultsof improvements inprocesses,productsandservices);

b)externalsources(e.g.standards;academia;conferences;gatheringknowledgefromcustomersorexternalproviders)

OrganizationalKnowledgeConsiderationsISO 9001:2015 requires that organizations consider and review the organization’sprocessestoensurethat

Operational/processorproductknowledgeismaintainedwhenemployeesleavetheorganizationTheorganizationremainsknowledgeableaboutnewtechnologyrelevanttoitsbusinessmodel

Theorganization, dependingon its operations, should have some formalizedprogram forsuccession planning, technology updates, and supplier contingencies.Many organizationsmaintainorganizationalknowledgethroughtheirbusinessstrategyandcontingencyplan.Thisinformationmaybeconfidential,soauditorsmaynotbeallowedtoseethedetails—

onlythattheorganizationhasaprocessformaintainingorganizationalknowledge.

DOCUMENTATIONDocumentationChangeswithISO9001:2015

•AnomenclaturechangewithISO9001:2015isdesignatingdocumentedinformationasincludingbothdocumentsandrecords,whichweredefinedindependentlyinpriorISO9001revisions

•ThereisnorequirementinISO9001:2015indicatingthatorganizationscannotusetheterm“qualityrecord”

•ISO9000:2015definesdocumentedinformationas“informationrequiredtobecontrolledandmaintainedbyanorganizationandthemediumonwhichitiscontained”

•AccordingtoISO9000:2015,“documentedinformationcanbeinanyformatandmedia,andfromanysource”

•ISO9000:2015definesdocumentsas“informationcreatedinorderfortheorganizationtooperate”

•ISO9000:2015definesrecordsas“evidenceofresultsachieved”

ISO9001:2015Requirement7.5.2CreatingandUpdatingWhencreatingandupdatingdocumentedinformation,theorganizationshallensureappropriate:

a)Identificationanddescription(e.g.atitle,date,author,orreferencenumber);b)Format(e.g.language,softwareversion,graphics)andmedia(e.g.paper,electronic);c)Reviewandapprovalforsuitabilityandadequacy

Note:ISO9001:2015ismoreprescriptiveontheformattingofdocumentation.

PROGRAMSTOACHIEVEQUALITYOBJECTIVESDocumentationChangeswithISO9001:2015

•ISO9001:2015doesnotexplicitlyrefertotherequirementforaqualitymanual•Organizationsthatcurrentlymaintainaqualitymanualmaywanttocontinueusingitasahigh-levelconsolidationofthekeyelements—orroadmap—oftheirqualitydocumentation

SuggestedQualityManualContents•Adescriptionoftheorganization’sbusinessmodel,includingthecontextoftheorganizationandtheexpectationsofinterestedparties

•Thescope(theactivities,processes,andbuildingsandlocations)oftheQMS•AdescriptionofthoseISO9001:2015requirementsthatarenotapplicabletotheQMS,astheydonotaffecttheorganization’sabilityorresponsibilitytoensuretheconformityofitsproductsandservices

•Thedocumentedprocedures(documentedinformation)establishedfortheQMS,orreferencetothem

•AdescriptionoftheprocessesintheQMSandhowtheyinteract•Thequalitypolicy•Responsibilities/authorities

ISO9001:2015Requirement6.2.2:Whenplanninghowtoachieveitsqualityobjectives,theorganizationshalldetermine:

a)Whatwillbedone;whatresourceswillberequired;b)Whowillberesponsible;c)Whenitwillbecompleted;howtheresultswillbeevaluated

Summary:QualityObjectives•Arethequalityobjectivesconsistentwiththequalitypolicy?•Arethequalityobjectivesmeasurable?•Arethequalityobjectivesrelevanttoproductorserviceconformity?•Howdoestheorganizationcommunicatethequalityobjectivestoemployees?•Inplanningtoachievethequalityobjectives,doestheorganizationestablish:–Whatwillbedone?–Whatresourceswillberequired?–Whowillberesponsible?–Whenitwillbecompleted?

–Howtheresultswillbeevaluated?•Howarethequalityobjectivesmonitored,andwhatactionsaretakenwhentheobjectivesarenotmet?

PREPARINGFORUPGRADEAUDITTOISO9001:2015•ReviewandrevisescopeofQMS:–Contextofbusiness,internal/externalissues–Interestedparties

•Updatequalitymanual•Developriskanalysisprocess•Developorganizationalknowledgeprocess•Formalizeplanningtoachievequalityobjectives•Managementreview:–DemonstrateintegrationofQMSwithbusiness–Reviewriskanalysisandorganizationalknowledge–Reviewqualityobjectivesprograms

•ConductinternalaudittoISO9001:2015•Implementcorrectionsfrominternalaudit

AppendixBFailureModesandEffectsAnalysis

(FMEA)

Failuremodesandeffectsanalysis (FMEA) isastep-by-stepapproachfor identifyingallpossiblefailuresinadesign,amanufacturingorassemblyprocess,oraproductorservice.“Failuremodes”meanstheways,ormodes,inwhichsomethingmightfail.Failuresare

any errors or defects, especially ones that affect the customer, and can be potential oractual.“Effectsanalysis”referstostudyingtheconsequencesofthosefailures.Failuresareprioritizedaccordingtohowserioustheirconsequencesare,howfrequently

theyoccurandhoweasilytheycanbedetected.ThepurposeoftheFMEAistotakeactionstoeliminateorreducefailures,startingwiththehighest-priorityones.Failuremodesandeffectsanalysisalsodocumentscurrentknowledgeandactionsabout

the risks of failures, for use in continuous improvement. FMEA is used during design toprevent failures. Later it’s used for control, before and during ongoing operation of theprocess.Ideally,FMEAbeginsduringtheearliestconceptualstagesofdesignandcontinuesthroughoutthelifeoftheproductorservice.Beguninthe1940sbytheU.S.military,FMEAwasfurtherdevelopedbytheaerospace

andautomotiveindustries.SeveralindustriesmaintainformalFMEAstandards.Whatfollowsisanoverviewandreference.BeforeundertakinganFMEAprocess,learn

moreaboutstandardsandspecificmethodsinyourorganizationandindustrythroughotherreferencesandtraining.WhentoUseFMEA•Whenaprocess,productorserviceisbeingdesignedorredesigned,afterqualityfunctiondeployment.

•Whenanexistingprocess,productorserviceisbeingappliedinanewway.•Beforedevelopingcontrolplansforanewormodifiedprocess.•Whenimprovementgoalsareplannedforanexistingprocess,productorservice.•Whenanalyzingfailuresofanexistingprocess,productorservice.•Periodicallythroughoutthelifeoftheprocess,productorservice.FMEAProcedure

(Again, this is a general procedure. Specific details may vary with standards of yourorganizationorindustry.)

1. Assembleacross-functionalteamofpeoplewithdiverseknowledgeabouttheprocess,productorserviceandcustomerneeds.Functionsoftenincludedare:design,manufacturing,quality,testing,reliability,maintenance,purchasing(andsuppliers),sales,marketing(andcustomers)andcustomerservice.

2. IdentifythescopeoftheFMEA.Isitforconcept,system,design,processorservice?Whataretheboundaries?Howdetailedshouldwebe?Useflowchartstoidentifythescopeandtomakesureeveryteammemberunderstandsitindetail.(Fromhereon,we’llusetheword“scope”tomeanthesystem,design,processorservicethatisthesubjectofyourFMEA.)

3. FillintheidentifyinginformationatthetopofyourFMEAform.FigureB.1showsatypicalformat.Theremainingstepsaskforinformationthatwillgointothecolumnsoftheform.

4. Identifythefunctionsofyourscope.Ask,“Whatisthepurposeofthissystem,design,processorservice?Whatdoourcustomersexpectittodo?”Nameitwithaverbfollowedbyanoun.Usuallyyouwillbreakthescopeintoseparatesubsystems,items,parts,assembliesorprocessstepsandidentifythefunctionofeach.

5. Foreachfunction,identifyallthewaysfailurecouldhappen.Thesearepotentialfailuremodes.Ifnecessary,gobackandrewritethefunctionwithmoredetailtobesurethefailuremodesshowalossofthatfunction.

6. Foreachfailuremode,identifyalltheconsequencesonthesystem,relatedsystems,process,relatedprocesses,product,service,customerorregulations.Thesearepotentialeffectsoffailure.Ask,“Whatdoesthecustomerexperiencebecauseofthisfailure?Whathappenswhenthisfailureoccurs?”

7. Determinehowseriouseacheffectis.Thisistheseverityrating,orS.Severityisusuallyratedonascalefrom1to10,where1isinsignificantand10iscatastrophic.Ifafailuremodehasmorethanoneeffect,writeontheFMEAtableonlythehighestseverityratingforthatfailuremode.

8. Foreachfailuremode,determineallthepotentialrootcauses.Usetoolsclassifiedascauseanalysistool,aswellasthebestknowledgeandexperienceoftheteam.ListallpossiblecausesforeachfailuremodeontheFMEAform.

9. Foreachcause,determinetheoccurrencerating,orO.Thisratingestimatestheprobabilityoffailureoccurringforthatreasonduringthelifetimeofyourscope.Occurrenceisusuallyratedonascalefrom1to10,where1isextremelyunlikelyand10isinevitable.OntheFMEAtable,listtheoccurrenceratingforeachcause.

10. Foreachcause,identifycurrentprocesscontrols.Thesearetests,proceduresormechanismsthatyounowhaveinplacetokeepfailuresfromreachingthecustomer.Thesecontrolsmightpreventthecausefromhappening,reducethelikelihoodthatitwillhappenordetectfailureafterthecausehasalreadyhappenedbutbeforethecustomerisaffected.

11. Foreachcontrol,determinethedetectionrating,orD.Thisratingestimateshowwellthecontrolscandetecteitherthecauseoritsfailuremodeaftertheyhavehappenedbutbeforethecustomerisaffected.Detectionisusuallyratedonascalefrom1to10,where1meansthecontrolisabsolutelycertaintodetecttheproblemand10meansthecontroliscertainnottodetecttheproblem(ornocontrolexists).OntheFMEAtable,listthedetectionratingforeachcause.

12. (Optionalformostindustries)Isthisfailuremodeassociatedwithacriticalcharacteristic?(Criticalcharacteristicsaremeasurementsorindicatorsthatreflectsafetyorcompliancewithgovernmentregulationsandneedspecialcontrols.)Ifso,acolumnlabeled“Classification”receivesaYorNtoshowwhetherspecialcontrolsareneeded.Usually,criticalcharacteristicshaveaseverityof9or10andoccurrenceanddetectionratingsabove3.

13. Calculatetheriskprioritynumber,orRPN,whichequalsS×O×D.AlsocalculateCriticalitybymultiplyingseveritybyoccurrence,S×O.Thesenumbersprovideguidanceforrankingpotentialfailuresintheordertheyshouldbeaddressed.

14. Identifyrecommendedactions.Theseactionsmaybedesignorprocesschangestolowerseverityoroccurrence.Theymaybeadditionalcontrolstoimprovedetection.Alsonotewhoisresponsiblefortheactionsandtargetcompletiondates.

15. Asactionsarecompleted,noteresultsandthedateontheFMEAform.Also,notenewS,OorDratingsandnewRPNs.

FMEAEXAMPLE

AbankperformedaprocessFMEAontheirATMsystem.FigureB.1showspartofit—thefunction “dispense cash” and a few of the failure modes for that function. The optional“Classification” column was not used. Only the headings are shown for the rightmost(action)columns.Notice that RPN and criticality prioritize causes differently. According to the RPN,

“machinejams”and“heavycomputernetworktraffic”arethefirstandsecondhighestrisks.Onehighvalueforseverityoroccurrencetimesadetectionratingof10generatesahigh

RPN.Criticalitydoesnotincludethedetectionrating,soitrateshighesttheonlycausewithmediumtohighvaluesforbothseverityandoccurrence:“outofcash.”Theteamshouldusetheirexperienceandjudgmenttodetermineappropriateprioritiesforaction.

ENDNOTEExcerpted from Nancy R. Tague, The Quality Toolbox, 2nd ed. (Milwaukee, WI: ASQQualityPress,2004),236–40.

AppendixCStage-Gate®Idea-to-LaunchModel

Stage-Gate® isavalue-creatingbusinessprocessandriskmodeldesignedtoquicklyandprofitably transform an organization’s best new ideas into winning new products.Whenembracedbyorganizations,itcreatesacultureofproductinnovationexcellence—productleadership, accountability, high-performance teams, customer and market focus, robustsolutions,alignment,discipline,speedandquality.Inadditiontothebenefitsthatarewell-documentedbyresearchandbenchmarkingfirms,

many companies that have implemented and adopted an authentic Stage-Gate processrealize:

Acceleratedspeed-to-marketIncreasednewproductsuccessratesDecreasednewproductfailuresIncreasedorganizationaldisciplineandfocusontherightprojectsFewererrors,wasteandre-workwithinprojectsImprovedalignmentacrossbusinessleadersEfficientandeffectiveallocationofscarceresourcesImprovedvisibilityofallprojectsinthepipelineImprovedcross-functionalengagementandcollaborationImprovedcommunicationandcoordinationwithexternalstakeholders.

HOWDOESASTAGE-GATE®PROCESSWORK?

TheStage-Gatemodelisbasedonthebeliefthatproductinnovationbeginswithideasandendsonceaproductissuccessfullylaunchedintothemarket.Thishasalottodowiththebenchmarking research that the Stage-Gate model design is premised on, and is a muchbroaderandmorecross-functionalviewofaproductdevelopmentprocess.TheStage-Gatemodeltakestheoftencomplexandchaoticprocessoftakinganideafrom

inception to launch, and breaks it down into smaller stages (where project activities areconducted)andgates(wherebusinessevaluationsandGo/Killdecisionsaremade).Initsentirety, Stage-Gate incorporates Pre-development Activities (business justification andpreliminary feasibilities), Development Activities (technical, marketing, and operationsdevelopment) andCommercializationActivities (market launch andpost launch learning)intoonecomplete,robustprocess.

THESTAGESEachstageisdesignedtocollectspecificinformationtohelpmovetheprojecttothenextstageordecisionpoint.Each stage is defined by the activities within it. Activities are completed in parallel

(allowingforprojects toquicklymovetowardscompletion)andarecross-functional (notdominated by any single functional area). These activities are designed to gatherinformationandprogressivelyreduceuncertaintyandrisk.Eachstageisincreasinglymorecostlyandemphasizescollectionofadditionalinformationtoreduceuncertainty.In the typical Stage-Gatemodel, there are 5 stages, in addition to the IdeaDiscovery

Stage:Stage0:IdeaDiscovery.Pre-workdesignedtodiscoveranduncoverbusinessopportunitiesandgeneratenewideas.Stage1:Scoping.Quick,inexpensivepreliminaryinvestigationandscopingoftheproject—largelydeskresearch.Stage2:BuildtheBusinessCase.Detailedinvestigationinvolvingprimaryresearch—bothmarketandtechnical—leadingtoaBusinessCase,includingproductandprojectdefinition,projectjustification,andtheproposedplanfordevelopment.Stage3:Development.Theactualdetaileddesignanddevelopmentofthenewproductandthedesignoftheoperationsorproductionprocessrequiredforeventualfull-scaleproduction.Stage4:TestingandValidation.Testsortrialsinthemarketplace,lab,andplanttoverifyandvalidatetheproposednewproduct,brand/marketingplanandproduction/operations.Stage5:Launch.Commercialization—beginningoffull-scaleoperationsorproduction,marketing,andselling.

THEGATESPrecedingeachstage,aprojectpassesthroughagatewhereadecisionismadewhetherornottocontinueinvestingintheproject(aGo/Killdecision).Theseserveasquality-controlcheckpointswiththreegoals:ensurequalityofexecution,evaluatebusinessrationale,andapprovetheprojectplanandresources.Eachgateisstructuredinasimilarway:Deliverables.TheprojectleaderandteamprovideGatekeeperswiththehigh-levelresultsoftheactivitiescompletedduringthepreviousstage.Criteria.Theprojectismeasuredagainstadefinedsetofsuccesscriteriathateverynewproductprojectismeasuredagainst.Criteriashouldberobusttohelpscreenoutwinningproducts,sooner.TheauthenticStage-Gateprocessincorporates6provencriteria:StrategicFit,ProductandCompetitiveAdvantage,MarketAttractiveness,TechnicalFeasibility,Synergies/CoreCompetencies,FinancialReward/Risk.Outputs.Adecisionismade(Go/Kill/Hold/Recycle).Newproductdevelopmentresourcesarecommittedtocontinuingtheproject.Theactionplanforthenextstageisapproved.Alistofdeliverablesanddateforthenextgateisset.

TheStage-Gatemodel is designed to improve the speed andqualityof executionofnewproduct development activities. The process helps project teams prepare the rightinformation, with the right level of detail, at the right gate to support the best decisionpossible,andallocatecapitalandoperatingresources.Theprocessempowerstheprojectteambyprovidingthemwitharoadmap,withcleardecisions,priorities,anddeliverablesat each gate. Higher quality deliverables submitted to Gatekeepers enables timelydecisions.

FLEXIBLEIMPLEMENTATIONINTOANORGANIZATION

Manytopperformingorganizationsreportthat“makingStage-Gatestickandsustainingit”requires good change management. The authentic Stage-Gate design is sophisticatedbecause it has evolved and benefitted from 25+ years of business and industrybenchmarking research and learnings frommore company implementations than anyotherinnovation process in theworld. Formost organizations, the authentic Stage-Gate designrepresentsagoaltoworktowards:adoptingcorebasicprinciplesinitiallyandcontinuouslyembracingmoreandmoreofitsdesignasthecompany’sinnovationcapabilityimproves.Inaddition to tailoring the Stage-Gate model to accommodate an organization’s innovationcapability, consider also tailoring it to fit and support the unique needs of your businessculture,globalstrategies,customertypes(B2BandB2C),newproductstrategies,andtypesofinnovationprojects.

ENDNOTEReprinted with permission from Stage-Gate International, “Innovation Process,”http://www.stage-gate.com/resources_stage-gate_full.php.

AppendixDQualityinHealthcare:FiveWhysandFive

Hows

WhatItIs

Thefivewhysandfivehowsconstituteaquestioningprocessdesignedtodrilldownintothedetailsofaproblemorasolutionandpeelawaythelayersofsymptoms.ThetechniquewasoriginallydevelopedbySakichiToyoda.Hestates“thatbyrepeatingwhyfivetimes,thenatureoftheproblemaswellasitssolutionbecomesclear.”Thefivewhysareusedfordrillingdownintoaproblemandthefivehowsareusedtodevelopthedetailsofasolutiontoaproblem.Botharedesignedtobringclarityandrefinementtoaproblemstatementorapotentialsolutionandgettotherootcauseorrootsolution.EdwardHodnet,aBritishpoet,observed,“Ifyoudon’tasktherightquestions,youdon’tgettherightanswers.Aquestionaskedintherightwayoftenpointstoitsownanswer.AskingquestionsistheABCofdiagnosis.Onlytheinquiringmindsolvesproblems.”

WhentoUseIt

Whenwewanttopushateaminvestigatingaproblemtodelveintomoredetailsoftherootcauses,thefivewhyscanbeusedwithbrainstormingorthecause-and-effectdiagram.Thefivehowscanbeusedwithbrainstormingandthesolution-and-effectdiagramtodevelopmoredetailsofasolutiontoaproblemunderconsideration.Bothmethodsaretechniquestoexpandthehorizonofateamsearchingforanswers.Thesetwotechniquesforceateamtodevelopabetterandmoredetailedunderstandingofaproblemorsolution.

HowtoUseIt

Drawaboxatthetopofapieceofflipchartpaperandclearlywritedowntheproblemorsolutiontobeexplored.Belowthestatementboxdrawfivelinesindescendingorder.Askthe“Why”or“How”questionfivetimesandwritetheanswersonthelinesdrawnfromnumberonetofive.Itmaytakelessormorethanfivetimestoreachtherootcauseorsolution.

Examplesoffivewhysandfivehowsarebelow.

Fivewhysoflessvigorousexercise:ToomuchTVandvideogames Why?Fewcommunity-sponsoredrecreationprogramsWhy?Nofamilyrecreationalactivities Why?Nosafeplayarea Why?Lackofresources Why?

Fivehowsofmorevigorousexercise:LessTVandvideogames How?Morecommunity-sponsoredrecreationprogramsHow?Morefamilyrecreationalactivities How?Safeplayareas How?Additionalresources How?

ENDNOTEExcerpted from Ron Bialek, Grace L. Duffy, and John W. Moran, The Public HealthQualityImprovementHandbook(Milwaukee,WI:ASQQualityPress,2009),168–70.

AppendixEWhatIsSixSigma?

QualityGlossaryDefinition:SixSigmaA method that provides organizations tools to improve the capability of theirbusiness processes. This increase in performance and decrease in processvariationleadtodefectreductionandimprovementinprofits,employeemorale,andqualityofproductsorservices.SixSigmaqualityisatermgenerallyusedtoindicateaprocessiswellcontrolled(withinprocesslimits±3sfromthecenterline in a control chart, and requirements/tolerance limits ±6s from the centerline).

Differentdefinitionshavebeenproposed forSixSigma,but theyall share somecommonthreads:

Useofteamsthatareassignedwell-definedprojectsthathavedirectimpactontheorganization’sbottomline.Trainingin“statisticalthinking”atalllevelsandprovidingkeypeoplewithextensivetraininginadvancedstatisticsandprojectmanagement.Thesekeypeoplearedesignated“BlackBelts.”EmphasisontheDMAICapproachtoproblemsolving:Define,measure,analyze,improve,andcontrol.Amanagementenvironmentthatsupportstheseinitiativesasabusinessstrategy.

DifferingopinionsonthedefinitionofSixSigma:Philosophy.Thephilosophicalperspectiveviewsallworkasprocessesthatcanbedefined,measured,analyzed,improvedandcontrolled.Processesrequireinputs(x)andproduceoutputs(y).Ifyoucontroltheinputs,youwillcontroltheoutputs.Thisisgenerallyexpressedasy=f(x).Setoftools.TheSixSigmaexpertusesqualitativeandquantitativetechniquestodriveprocessimprovement.Afewsuchtoolsincludestatisticalprocesscontrol(SPC),controlcharts,failuremodeandeffectsanalysis,andprocessmapping.SixSigmaprofessionalsdonottotallyagreeastoexactlywhichtoolsconstitutetheset.Methodology.ThisviewofSixSigmarecognizestheunderlyingandrigorousapproachknownasDMAIC(define,measure,analyze,improveandcontrol).DMAICdefinesthe

stepsaSixSigmapractitionerisexpectedtofollow,startingwithidentifyingtheproblemandendingwiththeimplementationoflong-lastingsolutions.WhileDMAICisnottheonlySixSigmamethodologyinuse,itiscertainlythemostwidelyadoptedandrecognized.Metrics.Insimpleterms,SixSigmaqualityperformancemeans3.4defectspermillionopportunities(accountingfora1.5-sigmashiftinthemean).

ENDNOTEExcerptedfromT.M.KubiakandDonaldW.Benbow,TheCertifiedSixSigmaBlackBeltHandbook,2nded.(Milwaukee,WI:ASQQualityPress,2009),6–7.

AppendixFWhatIsLean?

Henry Ford defined the lean concept in one sentence: “We will not put into ourestablishmentanythingthatisuseless.”Leanmanufacturingisasystemoftechniquesandactivitiesforrunningamanufacturingor

serviceoperation.Thetechniquesandactivitiesdifferaccordingtotheapplicationathandbut they have the same underlying principle: the elimination of all non-value-addingactivitiesandwastefromthebusiness.Leanenterpriseextendsthisconceptthroughtheentirevaluestreamorsupplychain:The

leanestfactorycannotachieveitsfullpotentialifithastoworkwithnon-leansuppliersandsubcontractors.TypesofWaste1.Overproduction2.Waiting,timeinqueue3.Transportation4.Non-value-addingprocesses5.Inventory6.Motion7.Costsofquality:scrap,reworkandinspection

ENDNOTEExcerpted from William A. Levinson and Raymond A. Rerick, Lean Enterprise: ASynergisticApproach toMinimizingWaste (Milwaukee,WI:ASQQualityPress, 2002),xiii–xiv,38.

AppendixGContextoftheOrganization:ChecklistsforExternalandInternalIssuesand

InterestedParties

Considerwhichofthefollowingexternalissuescouldimpacttheorganization:

Considerwhichofthefollowinginternalissuescouldimpacttheorganization:

Considerwhatoutsidegroupscouldimpacttheorganization:

References

Automotive Industry Action Group (AIAG). 2006. Production Part Approval Process(PPAP).4thed.

Balestracci, Davis. 2009. “Why Did Total Quality Management Fail?”Quality Digest,August6.http://www.qualitydigest.com/read/content_by_author/11300?page=9.

Borror, Connie M., ed. 2009. The Certified Quality Engineer Handbook. 3rd ed.Milwaukee,WI:ASQQualityPress.

Champy,James,andMichaelHammer.1993.ReengineeringtheCorporation:AManifestoforBusinessRevolution.NewYork:HarperBusiness.

Kubiak, T. M., and Donald W. Benbow. 2009. The Certified Six Sigma Black BeltHandbook.2nded.Milwaukee,WI:ASQQualityPress.

Valdes-Dapena,Peter.2014.“GMRecallWasDelayedbyInternalMiscues.”CNNMoney,February28.http://money.cnn.com/2014/02/28/autos/gm-recall-timeline.

Vista Industrial Products. 2012. “Fit, Form, Function Explained.” March 23.http://www.vista-industrial.com/blog/fit-form-function-explained.

AbouttheAuthor

MiltonDentchwasbornandraisedintheWorcester,Massachusetts,area.HehasaBSinmechanical engineering from Worcester Polytechnic Institute and an MS in qualitymanagement systems from the National Graduate School of QualityManagement (NGS).After college,heworkedas anengineer in thepaper industry for fiveyears, and thenheworkedasanengineerandmanageratthePolaroidCorporationinWaltham,Massachusetts,for27years.Hewasalsoplantmanager for theCustomCoatingandLaminatingplant inWorcesterfortheFuronCorporation.Milthasover40years’experienceinawidevarietyof industries, including pulp and paper, chemical, plastic and rubber processing, batterymanufacturing,converting,electronicsassembly,andmachinebuilding.Milt currently provides consulting, training, and auditing related to the International

Organization for Standardization requirements for quality, environmental, and safetymanagement systems. He has conducted over 500 audits worldwide for large and smallcompanies.HisclientshavebeenasdiverseasafloatingoilrigintheGulfofMexicotoanelectronics manufacturer in the Ukraine with 4000 employees. Milt is an RABQSAqualifiedLeadAuditorforQualityandEnvironmentalManagementSystemsandaRegistrarapprovedOHSAS18001LeadAuditor.In 2012, Milt wrote Fall of an Icon—Polaroid after Edwin H. Land (Riverhaven

Books), an insider’shistoryof thePolaroidCorporation.HisbookThe ISO14001:2015ImplementationHandbookwaspublishedbyASQQualityPressin2016.