FAQ

What is ISO, and what do the numbers mean in the ISO standard name?

What is ISO 9001? Why do I need it?

What is ISO 14001? Why do I need it?

What is ISO 13485? Why do I need it?

I need to become ISO certified. How do I pick a certifying body or registrar?

We are ISO compliant – do we really need to be certified?

How do I get management to care about Quality?

How do I make audits useful and not just a compliance tool?

Do I need a consultant if we’re just starting a QMS?

Why prioritize collecting and analyzing data?

What’s the difference between a Correction and a Corrective Action?

What is the purpose of Quality Objectives?

Nonconformities vs. Corrective Actions

Why and When should we do root cause analysis?

Who needs a Documented Quality Management System?

When should I use external consultants to perform internal audits?

Why do I need Internal Auditors as part of my Quality Management System staff?

What is Risk-Based Thinking & How do we implement it?

What is ISO, and what do the numbers mean in the ISO standard name?

The International Organization for Standardization (ISO) was founded in 1946, and is based in Switzerland. Its primary purpose is to provide information that can be used around the world to promote international understanding of common requirements. There are over 21,000 ISO standards, some are requirements for good manufacturing practices, some provide guidance for implementation and sustainability of other management systems. For each ISO standard there are 2 numbers. The first is the name or reference number of the standard, the second is the year that document was released for publication. Each document also has a descriptive name which indicates the purpose and application of the document.

What is ISO 9001? Why do I need it?

ISO 9001 is the most basic guidance for quality management systems. It is really just good business practices written down. All it asks is that you follow a few basic guidelines to ensure that your company’s product or service is consistent.

The process doesn’t have to be big, complicated, expensive, or time-consuming: ”The extent of documented information for a the quality management system can differ from one organization to another due to a) the size of organization and its type of activities, processes, products, and services b) the complexity of processes and their interactions, and c) the competence of persons.” (Section 7.5.1 of ISO 9001:2015).

For those who want to prove their system is working well, they can become certified by a 3rd party certifying body or registrar to validate that their QMS meets the requirements of this international quality standard.

It’s as easy as: Say what you do, do what you say, check your results, and act on the difference.

What is ISO 14001? Why do I need it?

SO 14001 is an international environmental management standard that companies use to certify that their businesses have made a commitment to reducing the company’s impact on the environment. Not only is being “green” a significant marketing advantage, but it is also a very popular commitment to employees and your neighbors.

This standard is a considered a voluntary standard. You identify:

    • The significant aspects for your company.
    • What legal and regulatory controls apply to your industry.
    • The priority of your projects.
    • How you will address them.

Philosophically this standard is more driven by management commitment and focus, and less by specific rules. It asks you to measure the effect of your controls and how well you meet the legal and regulatory requirements applicable to your industry and location.

What is ISO 13485? Why do I need it?

If you design, manufacture, or distribute medical devices or their components, this standard is worth your consideration and attention. Those who pursue ISO 13485 certification will be well positioned to meet the requirements of a variety of medical device regulatory bodies.

ISO 13485 lists the International Standards Organization requirements for quality management systems for medical devices. Like many of ISO’s 21,000 different standards, ISO 13485 takes the core quality management concepts of ISO 9001 and adapts them to the medical device industry.

If you already have ISO 9001 certification, fulfilling this more advanced set of requirements is fairly easy. Like ISO 9001, if a specific area doesn’t apply to the activities that occur at your company, you can identify it as not applicable within your QMS.

I need to become ISO certified. How do I pick a certifying body or registrar?

While ISO uses the term “certifying body” (because they certify the management systems of companies), many organizations in the USA use the term “registrar” (because they maintain a register of certified companies).

First, always look for an accredited organization. Accreditation means that the organization is audited and monitored and meets the stringent requirements of both the ISO requirements for certifying and the requirements of their accrediting body. This ensures that you are being certified by an organization worth trusting.

Second, find an organization with experience in your industry, with companies of your size, and when possible with auditors in your area so that you don’t pay travel and per diem expenses in addition to audit fees. That information should be available upon request.

Third, interview the certifying body, and their references. Learn about their philosophy and processes. You’re forming a long-term relationship and trusting them with confidential information about your company’s strengths and weaknesses. While they must remain impartial and objective as auditors, they should care about providing value to the company as part of their services.

We are ISO compliant – do we really need to be certified?

Being compliant means that you are aware of and believe you meet the requirements of the specific ISO standard in question.

Being certified means that not only do you think you meet the rules, but you’re willing to prove it by having an outside certifying body audit you to verify that you really do meet the requirements.

Being compliant, but not certified, is like going through college but never taking the exams to prove you learned anything. All the work, but none of the credit. Depending on your client base, that may be all you need.

Certification increases customer trust because they know what it takes to get there. For those who know the difference, certification sets you apart from the crowd.

How do I get management to care about Quality?

For top managers or small business owners without a background in quality management, “quality” can mean products that customers don’t reject. After all, Quality Control’s job is to make sure that only good products go out the door.

There’s a huge difference between QC (quality control of products) and a QMS (a quality management system that identifies, controls, and improves the processes that produce those products).

You can get management to pay attention to quality by showing them the cost of NOT having a well-functioning QMS. Present hard “cost of quality” data—facts, figures, graphs—whatever they typically pay attention to. Then compare the present data to a vision of what could be.

Here are a few suggestions:

  • Sales – document contracts lost because of no ISO certification vs. contracts available to ISO certified companies.
  • QC – calculate labor and material costs for replacement parts, percentage of product returned for rework, and labor spent in rework, instead of money-making production.
  • Planning – document the additional material and labor costs incurred as a result of incomplete specifications at job inception, or use of wrong product specifications.
  • Training – calculate time spent in retraining and additional inspections due to lack of controlled processes and employee awareness.

If that doesn’t work, look at overall job cost vs. competitor quotes for the same task. Are you competitive? If not, why not?

Whatever the issue, a documented quality management system like that defined in ISO 9001, will help you identify the issues or risks, and set measurable objectives for addressing them.

How do I make audits useful and not just a compliance tool?

It’s all about your corporate culture. If top management and supervisors do not routinely address audit findings and drive improvement projects, it is all too easy for the QMS to have insufficient support and be mere compliance busywork.

ISO 9001:2015 says in the section for internal audits (9.2.1) that the purpose for audits is to provide information on whether the management system “is effectively implemented and maintained”, and in 9.2.2 it requires that you “take appropriate correction and corrective actions without undue delay.”

That sentence emphasizes several potential weaknesses in any audit program:

  • Management attention to audit findings.
  • The difference between “Correction” (a quick fix) and “Corrective Action” (a long-term solution that addresses the weakness in the quality system to prevent similar repeat issues).
  • The speed with which audit findings are addressed. The inclusion of the term “without undue delay” is telling of a trend to ignore or postpone addressing audit findings.
  • The potential for any nonconformity to have more than one contributing cause.

How do you make internal audits useful?

Reward those who find opportunities for improvement. Don’t call them nitpicky whiners!

Hold supervisors and department managers accountable for addressing audit findings. They need to own the implementation and measurement of any resulting changes.

Make corrective actions a positive team experience to ensure ownership of the new process – recognize the teams who improved efficiency by adopting effective corrective actions.

Ensure that findings are addressed in a 3-step process (immediate fix, cause analysis, then long-term solution based on underlying cause).

Set time limits and accountability for closing audit findings. Certifying bodies have a mandatory reply time to ensure that findings have been addressed and closed. Do it for internal findings, too!

Reassess, reassess, reassess! If the first corrective action didn’t prevent recurrence of similar problems, find the second cause, implement a corrective action for that cause, and assess its effectiveness.

Collect trend data by types of QMS nonconformities, types of product issues, types of corrective actions, etc., to evaluate the effectiveness of your improvement activities.

If you have no audit findings, encourage auditors to dig deeper and recognize the teams improved efficiencies as a result of prior corrective actions.

In the end, it’s all about what you do with what you found. Do nothing and your audits are a waste of time. Use them to help you drive a culture of continuous improvement and they’ll be of great value.

Do I need a consultant if we’re just starting a QMS?

When putting a quality management system in place for the first time, you need guidance through the concepts, terms, and requirements. How you achieve that depends on the size and previous experience within your company. Books, classes or consultants are all viable options.

While a consultant can provide valuable training, it is a mistake to assume that a consultant will “do it all for us”. The QMS is, after all, your company’s system—not the consultant’s—and at the end of the day, you are responsible for its implementation and maintenance.

As an alternative to hiring a consultant, start your implementation by studying and learning together as a management team. That way, everyone is on the same page when making strategic decisions later. After all, ISO requires top management to provide evidence of their commitment by being involved in key strategic activities to direct your QMS.

Why prioritize collecting and analyzing data?

Many small company owners have a hard time seeing the return on investment in data collection. Those who collect even simple information about how their company is doing, and identify where they are losing time or money, can stop those invisible leaks:

  • Are your people busy all the time without increasing production?
  • Do you know how much time you spend in rework?
  • Do you know if actual job costs match your estimate?
  • Do you know why you’re reworking product? What if the cause could be eliminated?
  • How much do you spend on replacement costs (in material and labor)?
  • Do you know what your first-pass ratio is? (How much gets finished with NO rework?)
  • Do you know where the bottlenecks are within the process and why?
  • Do you track your scrap rate?
  • Do you know which suppliers are costing you money in delays and errors?
  • Do you know how satisfied your customers are? (No news is not necessarily good news!)

What would change for your company if it were easy to collect this information?

What’s the difference between a Correction and a Corrective Action?

A Correction is the immediate action you take to fix a non-conformity (repair or replace the product, amend incorrect documented information, etc).

A corrective action stems from an analysis of the cause of a non-conformity, and it’s goal is to prevent Recurrence. If the analysis was adequate, once the corrective action has been implemented, you shouldn’t see repeat corrective actions for the same type of cause elsewhere.

While the term preventive action is not used in the new ISO 9001:2015, it is still a common concept. In many cases the term actually refers to a long-term action to prevent recurrence (see Corrective action above). The new term Improvement is clearer – improvements are evidence of management and staff focus on improvement. Sadly, many companies implement improvements but forget to document them, leaving a hole in your Organizational Knowledge (7.1.6), which has the risk of dropping an improvement because we forget why it was implemented.

What is the purpose of Quality Objectives?

Set by top management at relevant levels within the company, quality objectives are an expression of how the company intends to achieve its quality policy, by addressing known risks and opportunities. The goal is to create continual improvement within the QMS by identifying objectives, a plan to achieve them, and measure performance to the objective.

Quality objectives should be measurable, specific, and communicated, since employees need to understand how they contribute to them. They should not be limited to product quality, but be goals designed to help drive continual improvement of the entire Quality Management System (including resources, staffing, sales & marketing, production, measurement, analysis and improvement).

Nonconformities vs. Corrective Actions?

ISO defines a nonconformity (NC) as “non-fulfillment of a requirement.” For most of us, it breaks down to:

  • Product failure – it looked right, you delivered it, but it’s not working right and you are asked to rework, or replace it. A hard $$ loss.
  • Rework – something needs fixing during/after production. Its internal so a soft $$ loss.
  • Audit finding – your documentation says you do things one way, but the auditor found something different. No immediate visible impact…or is there?

If your job is crisis management – always running around fixing complaints and reworks (ISO calls these fixes “Correction”) – then your Quality Management System is not working for you. The problem with the “fireman” approach to quality management is you’re stuck fixing problems in categories 1& 2, instead of limiting them by addressing “why” they occurred and why you didn’t find them in an internal audit.

Effective Corrective Actions (CA) of a Non-Conformity takes a few steps:

  1. Issue identification (Segregate the product, Record what was wrong & why it happened).
  2. Correction (fix the issue) through rework/replace/UseAsIs/document revision etc. Having records of rework allow you to learn from and address your problems. Once you know the most common types of errors (NC trends), you can address their causes one-by-one and cut down the time and $$ lost in rework.
  3. Corrective action begins when NC Trends are identified. A Corrective action is a long-term solution to ensure that that type of NC does not recur. The purpose of this process is not to assign blame, but to help you discover the weakness in your QMS controls that allowed the NC's to occur. Once you know what’s wrong with your system, as a team, you can decide what needs to change in your process. Be sure to involve those who will carry out the new process: they have to own it, and will know what won’t work.

The Corrective Action process should always include four steps:

  • NC trend (identify issue and correction trends).
  • Cause analysis (identify the system weakness).
  • Corrective Action (what we do to prevent this recurring or happening elsewhere).
  • Follow-up to evaluate if the corrective action was completed and was effective.

Why and When should we do root cause analysis?

Performing a root cause analysis helps you make lasting corrective actions to prevent recurrence. The outcome is dramatically different from an immediate correction.

Whether the failure is related to a product or service, fixing the surface cause of the individual occurrence (e.g., rework the part, replace the document, or call and clarify the miscommunication) may relieve the pressure temporarily, but it doesn’t really find out why it happened. The problem with quick fixes is they often turn out to be short-term, which leaves you open to repeat failures. Quick fixes may seem harmless but they eat away at precious time, efficiency, and often materials in the long run.

Consider the alternative. If you spend the time to find out what within your current overall management system was the root cause of the issue, you can correct that weakness (in a specific procedure or process) to ensure that the same type of problem does not recur.

Root cause analysis requires a willingness to challenge assumptions with data. It is a brainstorming activity that is then validated by data analysis. Whether you ask why five times, or you use a Fishbone tool that looks at potential contributions from Material, Manpower, Machinery, Method, Measurement, or Environment, asking the tough questions helps you dig past the surface reason (and its associated quick fix) to the missing or unclear information within your QMS which led to the failure.

Data analysis can be a great help evaluating if your assumption was correct. Tracking internal rework or product rejects provides trend information which can point to root cause. In a service environment, consider tracking how many times you have to follow up with a customer or supplier because you didn’t get or give complete information the first time.

Who needs a Documented Quality Management System?

A documented Quality Management System or QMS is like a company-wide memory aid. A QMS is a set of frequently updated controlled documents that define what you do and how you do it, so that no one has to guess or reinvent the wheel.

Documenting your systems helps you:

  • Make information easily available, where it is needed, on the best way to do a job.
  • Make sure that critical activities are done consistently, saving rework or repair time.
  • Predict your output, both in terms of quality and how long it should take.
  • Prevent repeat errors by learning from them and updating your process for next time.
  • Keep improving your methods and processes to improve efficiency.

When hould I use external consultants to perform internal audits?

While auditor objectivity is indeed enhanced by using external auditors, someone inside the company must be responsible for ensuring complete follow-through of any findings. The level of long-term effectiveness is dependent on company culture and management commitment to improve the QMS. I have rarely seen it work for small companies over the long term, for a couple of reasons:

Firstly, the company should evaluate why existing in-house staff cannot complete the audits. Some companies view internal audits as “only beneficial to obtain a certificate,” believing the purpose is conformity, not improvement. Such an organization does not allocate time for internal staff to perform the audits. The impact of external auditors will be minimal at such a company, because of limited buy-in.

Secondly, responsibility and effectiveness of activities following any external audit must be evaluated. If it’s easy (as is common in smaller companies) for everyone to go back to business as usual after the external auditor leaves the premises, the typical long-term result is a repeat of findings during each subsequent visit. Such behavior is a prime indicator of lack of internal ownership for the findings.

The ideal company ensures that managers are responsible for implementing corrections and corrective actions for findings in their area. Management evaluates the effectiveness of those actions (a critical element to closing out audit findings). Where this commitment is present, the expertise of external auditors to drive improvement of your QMS will be beneficial although not optimal.

Why do I need Internal Auditors as part of my Quality Management System staff?

Part of any quality management system (QMS) or environmental management system (EMS) is checking to see if you are really doing what you claim. Accountants do that for your finance department. Quality Control does that for your product. Internal auditors do that for your management system.

For small companies without internal people trained on the requirements of your QMS, operations slide out of control much faster and process issues rarely get permanently resolved. It is much more effective if someone on-site can spot things on a daily basis.

Part of Management’s commitment to a quality management system involves making the investment in time and training to keep the QMS on track. The payoff is a change in company culture where attention to detail and continual improvement are everyone’s job, and necessary changes are identified while still small.

What is Risk-Based Thinking & How do we implement it?

In reality we evaluate risks to make decisions every day (crossing the street, touching the stove, wearing a helmet, when to speak out or remain silent). In business we make decisions about whether to bid on opportunities based on the risk (impact of variables on an outcome), and when to implement additional safeguards to protect staff from workplace hazards.

The new language in ISO 9001:2015 is designed to make this activity part of your strategic planning instead of an after-the fact remediation of a problem. Risk-based thinking is throughout the standard. If you have done the following items you have evidence of risk-based thinking:

  1. You could see evidence of risk-based thinking in the records of management reviews, such as decisions and actions being taken with regard to opportunities for improvement, changes needed in a QMS and resource needs. If these decisions and actions demonstrate they were based on an evaluation of risk of uncertainty, risk-based thinking was implemented.
  2. If an organization plans its internal audit program while considering "the importance of processes concerned, changes affecting the organization, and the results of previous audits," it could demonstrate risk-based thinking was used while planning for the audit program.
  3. If you’re planning to change a QMS, your organization is required to consider the potential consequences of the proposed changes, as well as the integrity of the QMS. If there was an evaluation of the severity of potential consequences in making these changes, the organization implemented risk-based thinking.
  4. In controlling changes for production and service provisions, an organization could demonstrate changes were effectively controlled through an evaluation of potential impacts on other processes. In some cases, a simple evaluation could be sufficient. For other situations, a more formal evaluation—such as installation qualification, operational qualification and performance qualification—might be more appropriate. If potential impacts were considered, risk-based thinking was used.
  5. In determining whether an organization has "the ability to meet the requirements for products and services to be offered to customers," it could be using risk-based thinking to decide whether to pursue a particular business opportunity. In most organizations, a managerial decision to pursue business opportunities is based on potential consequences related to how additional resources will be dedicated. This demonstrates risk-based thinking.
  6. To determine whether to start designing and developing a new product or service, most organizations base the decision on an evaluation of variables, such as the potential for a non-marketable product or service, or an inability to produce or design it at a sellable price. This evaluation is evidence of implementing risk-based thinking.
  7. Later in the design and development process, after considering changes to the design characteristics, an organization is required to control the changes to "ensure that there is no adverse impact on conformity to requirements." In doing this, the organization has demonstrated risk-based thinking.