In many companies, the ISO9001 auditor is seen as someone to hide away from. Someone there to trap you and punish you with a disheartening list of non compliances (when you thought you were doing your best!) which you have to deal while to maintain certification.
This means that for too many companies, maintaining ISO 9001 certification is seen as a bureaucratic game which must be played to the rules set by the auditor.
My first contact with quality standards was with MoD quality standard 05/21. As an electronics test engineer working on military communications systems, the company I worked for had to be certified to the requirements of this standard. This meant regular internal and external audits to ensure that only approved procedures and unmarked circuit diagrams were being used.
A circuit diagram is a map that can be interpreted to tell you how a piece of electronics works. Test engineers will typically annotate these diagrams with additional information such as voltages, frequencies and interlocks. When we knew an audit was going to take place, our marked up circuit diagrams would be hidden away and we would be issued with fresh versions to be used during the audit. The auditor would examine what we were doing to ensure we were following procedures to the letter and sequence (even when this was not logical) and that we were only referring to an marked, official documentation. It was a game that had to be played to keep the auditor happy and to ensure the company retained its lucrative MoD contracts.
In the late 1980s, the standard MoD 05/21 became the foundation of the civilian quality standard BS5750. Typically, a factory floor inspector would be trained to become an auditor. They brought with them a mindset of testing for compliance and some of them went on to join the growing industry of BS5750 training and auditing that followed publication of the standard. Conforming to a standard was typically seen as more important than what was being produced and many small companies complained about the resulting burden of irrelevant bureaucracy. As an example, I remember working at a manufacturing company where the stores man used a 6” steel rule as a tool to rule straight lines in his record book. The external auditor demanded that this ruler was added into the calibration control system and remeasured annually!
That this madness developed is more a comment on the lack of understanding, knowledge and imagination shown by auditors than on the standard itself. In reality, ISO 9001 has developed over the years and, with its current version ISO 9001:2015, it is an increasingly effective framework for the review and development of business processes and practices needed to support business operations.
In my own experience as a quality manager responsible for ISO 9001 management, I would both look for evidence that key business processes had been defined and were effectively managed and for examples of best practice that could be used in other parts of the organisation. My audits were a opportunity for people to show and share excellence, not a trap.
But I have recently seen some excellent examples of business process management where I have been told ‘ we’re proud of this, but we daren’t show it the auditor’. This is because the companies external auditor focuses on low risk, high bureaucracy issues such as document issued dates and consistent use of fonts.
If you are in control of your business processes, they will be repeatable and predictable in terms of cost, quality and delivery/production time. If you have process performance measures that you then analyse and use for continuous improvement, the majority of ISO9001 will be met.
Always get the business processes and the handovers between them under control first. Then check these against these records required by ISO9001:2015:
These records marked with* are only mandatory when their associated clause is part of an organisations business activities.
- Scope of the QMS (clause 4.3)
- Quality policy (clause 5.2)
- Quality objectives (clause 6.2)
- Criteria for evaluation and selection of suppliers (clause 8.4.1)
- Monitoring and measuring equipment calibration records* (clause 126.96.36.199)
- Records of training, skills, experience and qualifications (clause 7.2)
- Product/service requirements review records (clause 188.8.131.52)
- Record about design and development outputs review* (clause 8.3.2)
- Records about design and development inputs* (clause 8.3.3)
- Records of design and development controls* (clause 8.3.4)
- Records of design and development outputs *(clause 8.3.5)
- Design and development changes records* (clause 8.3.6)
- Characteristics of product to be produced and service to be provided (clause 8.5.1)
- Records about customer property (clause 8.5.3)
- Production/service provision change control records (clause 8.5.6)
- Record of conformity of product/service with acceptance criteria (clause 8.6)
- Record of nonconforming outputs (clause 8.7.2)
- Monitoring and measurement results (clause 9.1.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
These procedures are optional under ISO9001:2015
- Procedure for determining context of the organisation and interested parties (clauses 4.1 and 4.2)
- Procedure for addressing risks and opportunities (clause 6.1)
- Procedure for competence, training and awareness (clauses 7.1.2, 7.2 and 7.3)
- Procedure for equipment maintenance and measuring equipment (clause 7.1.5)
- Procedure for document and record control (clause 7.5)
- Sales procedure (clause 8.2)
- Procedure for design and development (clause 8.3)
- Procedure for production and service provision (clause 8.5)
- Warehousing procedure (clause 8.5.4)
- Procedure for management of nonconformities and corrective actions (clauses 8.7 and 10.2)
- Procedure for monitoring customer satisfaction (clause 9.1.2)
- Procedure for internal audit (clause 9.2)
- Procedure for management review (clause 9.3)
All of the mandatory records and optional procedures make good business sense. The cliche that ‘Quality gets in the way of business’ is only true when a quality management system is poorly designed and managed. This tends to happen when management take a compliance first, and not a process centric approach to business process management.