Standard Vs. Specification and Guidance Documents

 


Question

What is the difference between a standard and a specification?

Answer

There is no single or simple answer to your question. The answer depends upon the context of the question. Relative to the ANSI/ISO/ASQ Q9000 Series: Quality management standards, I direct you to ANSI/ISO/ASQ Q9000:2005 Quality management systems – Fundamentals and vocabulary.

ISO 9000:2005 defines specification as a document that states requirements. A specification can be related to activities (e.g. procedure document, process specification and test specification), or products (e.g. product specification, performance specification and drawing).

ISO 9000:2005 does not define “standard”. The first part of the ISO 9000:2005 introduction reads:

“The ISO 9000 family of standards listed below has been developed to assist organizations, of all types and sizes, to implement and operate effective quality management systems.

ISO 9000 describes fundamentals of quality management systems and specifies the terminology for quality management systems.

ISO 9001 specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide products that fulfill customer and applicable regulatory requirements and aims to enhance customer satisfaction.

ISO 9004 provides guidelines that consider both the effectiveness and efficiency of the quality management system. The aim of this standard is improvement of the performance of the organization and satisfaction of customers and other interested parties.

ISO 19011 provides guidance on auditing quality and environmental management systems.

Together they form a coherent set of quality management system standards facilitating mutual understanding in national and international trade.”

In other words…

ISO 9000 is a standard that describes fundamentals and specifies the terminology.

ISO 9001 is a standard that specifies requirements.

ISO 9004 is a standard that provides guidelines.

ISO 19011 is a standard that provides guidance.

This implies that a standard is a formal document that establishes uniform criteria, methods, processes and practices — which may or may not be requirements.

ISO 9000:2005 also makes a distinction between quality management system requirements and requirements for products using the terms “specifications” and “standards.” It states:

“The ISO 9000 family distinguishes between requirements for quality management systems and requirements for products.

Requirements for quality management systems are specified in ISO 9001. Requirements for quality management systems are generic and applicable to organizations in any industry or economic sector regardless of the offered product category. ISO 9001 itself does not establish requirements for products.

Requirements for products can be specified by customers or by the organization in anticipation of customer requirements, or by regulation. The requirements for products and in some cases associated processes can be contained in, for example, technical specifications, product standards, process standards, contractual agreements and regulatory requirements.”

Joe Tsiakals
Voting member of the U.S. TAG to ISO/TC 176 (ASQ)
Voting member of the U.S. TAG to ISO/TC 210 (AAMI)

ISO 9001 SOPs for HR and IT Departments


Q: My company wants to become certified to ISO 9001:2008 Quality management systems–Requirements by the end of this year. We have nearly all of our common standard operating procedures (SOPs) identified and written. But some of our departments—HR and IT in particular—are proving to be a little more difficult as far as identifying activities we might need to document.

Could you provide a few examples of procedures that might be available for an IT and HR department? More specifically, I’m looking for examples of what others may have done with ISO 9001:2008 in conjunction with corresponding SOPs.

A: ISO 9001:2008 specifically requires the organization to have documented procedures for the following six activities:

4.2.3 Control of documents.
4.2.4 Control of records.
8.2.2 Internal audit.
8.3 Control of nonconforming product.
8.5.2 Corrective action.
8.5.3 Preventive action.

From an ISO 9001:2008 perspective, there are no mandatory procedures required for HR or IT departments as supporting functions for an organization. It is recommended, however, that you have your processes documented to ensure accountability for actions, consistency and standardization.

When there are many employees involved in various organizational functions, the hand-offs between the functions and employees can blur, with little to no accountability for the final outcome. In addition, having processes undocumented is not scalable, repeatable and reproducible as the organization grows larger.

The ISO 9001 website guideline further clarifies that the extent of the quality management system’s documentation can differ from one organization to another based on:

The size of organization and type of activities.
The complexity of processes and their interactions.
The competence of personnel.

While this may not be the right forum to share examples of SOPs, I can provide a typical list of ISO 9001:2008 procedures that may be applicable to HR and IT functions.

A better way to develop procedures for the listed processes is to bring the stakeholders and experts together, map the process in its current state, brainstorm, identify and remove nonvalue-added activities, and then reissue a new value-added procedure.

Typical SOPs in HR

  • HR planning process.
  • New employee orientation process, including mandatory training and certifications.
  • Training needs analysis.
  • Employee training and development process, which also includes training, skill competency assessments, periodic evaluations and certifications.

Typical SOPs in IT

  • IT resource planning process.
  • Data archival, retention, backup and disaster recovery process.
  • IT hardware and software maintenance and information security management process.
  • Quality information systems, including infrastructure planning, implementation and improvement.

Govind Ramu
Senior manager, quality systems
SunPower Corp.
San Jose, CA


ISO 9001 Clause 7.5.1 Work Instructions


Q: Within my organization there has been much debate on what a work instruction is. The term work instruction is not defined in the ISO 9001:2008 Quality management systems—Requirements standard (appears in clause 7.5.1).

Our question is that if the organization is providing services such as maintenance and repair of the customer’s equipment, and the customer provides maintenance and repair manuals and publications for this equipment to the organization, would this literature satisfy the requirements of ISO 9001:2008 as work instructions? Any assistance provided would be greatly appreciated.

A: You are correct when you state that “work instructions” is not defined in ISO 9001:2008, nor is it in ISO 9000:2005 Quality management systems–Fundamentals and vocabulary.

Terms are not defined by the Technical Advisory Group (the standard developers) when it is felt that the generally accepted usage is clear and unambiguous. Such is the case with this term. A work instruction is simply what the name implies, instructions to do work. Written instructions might not be necessary and so the phrase “as necessary” is in the text of the standard. It depends on your specific situation.

The challenge to comply with the requirements of clause 7.5.1 is not in the definition (or lack of definition) of work instructions. It is planning and carrying out production and service work under controlled conditions.

Are your work processes controlled? This clause identifies six elements that need to be considered. Work instructions are one of the six elements. Do your operators know what to do? Are they trained? Do they need written instructions? In general, you must make this call, not an auditor. If you are challenged by an auditor, you need to be able to defend your position. But there is no hard and fast rule here.

Let me note that telltale signs of lack of control are frequent errors, defects and rejects. This indicates to an auditor that you don’t have a controlled process. You need to tighten things down including addressing those of the six elements that are at the root cause of your process failures. You might need work instructions or improved work instructions based on process performance.

You mention that your organization maintains customer equipment and that the customer provides manuals. These manuals might be adequate. They might not. Let’s say that part of your maintenance is changing the oil on a gasoline engine. The manual, hopefully, states when this needs to occur. It might not. You probably need to establish a maintenance schedule for changing the oil and lubricating the machine, recording when this is done. Do you need a detailed work instruction on how to change the oil? Probably not. However, the machine might be complicated and have many lubrication points, a number of them not at all obvious. In such a case, a simple work instruction might be useful.

The key is to control your process and use whatever is needed to do so.

Joe Tsiakals
Voting member of the U.S. TAG to ISO/TC 176 (ASQ)
Voting member of the U.S. TAG to ISO/TC 210 (AAMI)


ISO 9001 Clause 8.2.3 and 8.4


Question

Our quality management department, of which I am the lead internal auditor, has a question that we have been debating for some time:

How do we apply ISO 9001:2008 Quality management systems–Requirements, clause 8.2.3 Monitoring and measurement of processes and 8.4 Analysis of data, in a non-manufacturing organization?

Our organization is primarily software, software modification of COTS that is implemented into our products, and applications modified for our business unit’s use.

My specific questions are:

1. How is the effectiveness of process improvements measured?

2. What methods of measurement do we use to capture the effectiveness?

3. Is there a check sheet or report form available that would guide us on how to apply these two requirements?

Thank you for your assistance in this matter. We want to implement a methodology for capturing measurement and effectiveness of process improvement data, but are at a loss as to how and where to start.

Answer

You posed several questions about ISO 9001 compliance.

1. How is the effectiveness of process improvements measured?

In a service environment there are typically many process characteristics that can be monitored or measured to assess whether the process has been planned and is being carried out under controlled conditions. Without knowing details of your service offering, it is difficult to comment explicitly.

Possible examples of metrics that may be appropriate include on-time completion of a project, after-release detected “bugs,” time required to maintain “released” software modules, etc.

Also, such metrics can be graphed and cost can be tied to each metric so that when process improvements are made, the benefits can be presented to management in management review in terms of the financial benefits of aggressive measuring and monitoring initiatives.

2. What methods of measurement do we use to capture the effectiveness?

See #1 above.

3. Is there a check sheet or report form available that would guide us on how to apply these two requirements?

Any check sheet or form would have to be developed by you to suit your processes.

A few references that would be helpful to you are ISO 9001:2008 Explained, Third Edition and How to Audit the Process-Based QMS.

Charlie Cianfrani
Consulting Engineer
Green Lane Quality Management Services
Green Lane, PA
ASQ Fellow; ASQ CQE, CRE, CQA, RABQSA Certified QMS-Auditor (Q3558)
ASQ Quality Press Author

Here’s more information about ISO 9001.

ISO 9001 Corrective Action Time Window


Q: We will be audited by a different firm soon to ISO 9001:2008 Quality management systems–Requirements, and I am noticing differences compared to our former auditors.

At the closing of an annual surveillance audit for a three-year certificate if a non-conformance is issued at the closing meeting, what is the expectation of response for:

1. Minor non-conformances

2. Major non-conformances

How many days are expected for the initial response for each?

How many times during the next 12 months should we expect the auditor to come back to the site to verify corrective action for each?

A: Regarding your question about response times for corrective actions, please note the following.

ISO 9001:2008 clause 8.2, Internal audits, does not specify or prescribe any time limits. ISO 9001:2008, clause 8.2.2, only requires the management for the responsible area (process owner) to take corrective action without undue delay. No time limit is identified.

With regard to audit follow-up visits — this is strictly dependent upon the registrar or other auditing body. Some auditing bodies will follow up on closed CARs during their next scheduled surveillance audit. This allows enough time to pass to evaluate the effectiveness of the corrective action taken.

In most cases, the auditee is required to complete the CAR identifying the root cause and the corrective actions taken to prevent a reoccurrence.

This information is assessed by the auditing body to confirm that a root cause was identified and that the actions taken match the root cause. This is normally done in the form of a desk review.

Due to the costs involved and other logistics, rarely will any auditing body want to come out to verify each corrective action taken. This is usually something for the internal audit staff to perform as a part of their audit activities.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

ISO Standard Audit and Confidential Information


Q: During an external audit, what records are we allowed to keep confidential – e.g. human resources records? Certain records pertaining to new business leads or accounting matters? Specifically, my question is related to audits to the ISO 9001:2008 Quality management systems–Requirements and ISO 13485:2003: Medical devices — Quality management systems — Requirements for regulatory purposes standards.

A: The “scope” of any audit is the quality management system (QMS) as found in the ISO standard for quality management. Areas such as finance, marketing plans, sales goals, and other business related topics are not part of a QMS audit.

It should be understood that during the audit, potential areas of conflict between the auditor and auditee might exist. The most common is when the auditor wants to see training records and the auditee claims them to be a confidential part of HR records. The auditor needs to be a diplomat here and explain that only the training record is needed and not the entire HR record.

Also, it is not uncommon for the auditee to require the auditor to sign a non-disclosure agreement stating that the auditor(s) will keep everything observed during the audit confidential between the parties.

Again, the scope of the audit, usually agreed to ahead of time, is the QMS — not any business related matters.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

What is ANSI/ISO/ASQ Q9001:2008?


Q: Is there any difference between ANSI/ISO/ASQ Q9001:2008 and ISO 9001:2008? Is it just semantic, or is it ASQ’s take on ISO 9001:2008 Quality management systems–Requirements?

A: They are exactly the same and can be referred to interchangeably. Because of our involvement in developing the standard, we are able to sell it to our ASQ members at a discounted price —

ASQ: $97 members, $121 list

ANSI: $142

ISO: $134 [(or 122 Swiss Franc) e-version]

*prices as of 3/29/2012

ASQ is the only place to get this discounted, identical American national adoption of the international standard.

The ANSI designation shows it has been adopted as an American National Standard (ANS), and that U.S. experts believe the standard is a good one and should be followed by the U.S. Since ASQ is the administrator of the group (known as a Technical Advisory Group/TAG in the standards development world) that develops ISO 9001, we are the only organization allowed to put its name in the designation. ASQ is a member of ANSI and is accredited by them to be a standards-developing organization.

ASQ Standards Development Team

Those interested in purchasing the current standard revision may do so here.

Value and Benefits of ISO 9001

Q: My company is struggling with the decision to spend any more money on the ISO 9001:2008 Quality management systems–Requirements registration.  How many of our peers believe that the continuation of this certification is worth the cost? I have been trying to find statistics on the number of revised certifications that have been accomplished since the release of the 2008 version and am finding that there is little to no information available.  This leads me to think that the whole agenda has been identified as not a worthwhile cost effective exercise and companies are dropping out of the program.

Does ASQ have any relevant information regarding the “added value” of certification?  I have proposed to my management that the money spent on certification and all the wasted effort to make some auditor happy is not in the best interest of the company and would like your feedback on this position.  I watch as we struggle for 1.5 months before the dreaded audit to make it look like we are compliant, watch the auditor fumble around looking for some minor discrepancies that will make it look like he was worth having in for tea and crumpets and then watch the organization sigh a big relief when we get away with the lack of compliance or caring about compliance for the next two years, as the real task is making money and not wasting time meeting perceived compliance to perceived “requirements”.

The Toyota debacle makes it hard for me to even stand in front of my peers and preach this as useful.  It is clear that the bottom line is dollars and the need to support compliance to some document is merely wasteful effort that has been passed over like all the other historical (hysterical) quality programs—zero defects, statistical process control, total quality management. What do you say?

A: I would like to answer your questions in three part harmony. First of all, I’ll mention a brief history of ISO. Much of this you will be familiar with but it helps to reaffirm the legitimacy of ISO as an international organization rather than just an abbreviation for a place to throw your money. Second, I will express a few of the many benefits of ISO certification. Finally, I will share my own perceptions. Things I have personally witnessed resulting from ISO certification.

History-benefits-perceptions are a three-part harmony which can improve organizations and strengthen communities.

I would like to share a bit about ISO – What it is, as well as what it is not.

So what is ISO?

First of all, let’s consider the letters “ISO.” Because the “International Organization for Standardization” would have different abbreviations in different languages (like IOS in English, or OIN in French for Organisation internationale de normalisation), it was decided at the beginning to use a word derived from the Greek isos, meaning “equal.” Therefore, whatever the country, whatever the language, the short form of the organization’s name is always ISO.

ISO is a network of the international standards institutes of 162 nations with a Central Secretariat in Geneva, Switzerland that coordinates the system. The ISO organization officially began in February 1947. ISO is not a governmental organization. It is not like the United Nations System with delegations of national governments. So, although many of ISO’s members are part of the government structure of their countries the members have their roots in industry and the private sector.

Also, ISO is not a quality standard. That is, ISO isn’t a tolerance level we must make parts to. It is not a high quality standard we must meet just to stay in business.

ISO 9001 refers to a type of ISO standard. ISO 9001 is concerned with “quality management.” This means what the organization does to enhance customer satisfaction by meeting customer and any regulatory requirements and to continually improve its performance in this regard.

ISO implementation in any organization introduces the many values of team work as well. I realize those bits of history can seem a bit lengthy but it is of extreme importance to recognize the time and combined efforts put in by so many individuals from so many nations. It is that dedication which helps to make the ISO Standards as useful and beneficial as they have become.

With regard to benefits, the positive reports are almost endless. I will share just a few, which come from reliable sources such as Dun and Bradstreet, Dallas Business Journal, manufacturingnews.com and others.

Simply noted, ISO certified companies reap:


-Improved consistency of service and product performance
-Higher customer satisfaction levels
-Improved customer perception
-Improved productivity and efficiency
-Cost reductions
-Improved communications, morale and job satisfaction
-Competitive advantage and increased marketing and sales

D&B notes:

-85% of registered firms report external benefits
-Higher perceived quality
-Greater customer demand
-95% report internal benefits
-Greater employee awareness
-Increased operational efficiency
-Reduced scrap expense

Other reports note:

-30% reduction in customer claims
-95% improvement in delivery time
-Reduced defects from 3% to 0.5%
-40% reduction in product cycle time
-International acceptance and recognition
-Estimated return on investment for companies with consistent compliance has been reported at +30% to +600%

I could go on with statistics but I am sure you can research and find many more such positive reports. Therefore I will turn now to the third member of the harmony I mentioned. That is perception.

The various feedbacks noted above show all of the remarkable “exterior” perceptions. Increased business, customer satisfaction, less downtime, etc. So I will take a moment to mention some things about “internal” perceptions.

It is said that changing a culture can take from several years. Introducing ISO into an organization is indeed introducing a new culture. Individuals are encouraged to do some things they did not and to change some of the habits they have formed.

It has been my experience, with several companies, that the culture change associated with ISO implementation is multilayered. The first and most obvious benefit is quality awareness. The most experienced machinists, fabricators, administrators, all employees suddenly acquire an appreciation for quality which they did not have, no matter how good they may have been. This quality awareness does not fade away easily. Even those who offer strong resistance to change learn to respect and very much appreciate all the practical value in a good quality management system.

ISO certification does not ensure success. It does not ensure profit. Nonetheless, I have seen companies with little to no quality system grow to be world class quality organizations with the guidance of a strong ISO based QMS.

If failure is experienced, it can be due to lack of understanding on the part of management. They may have failed to act or provide preventive actions when needed. People are often interested in quick and simple solutions and are not willing to practice even simple self-discipline. Most often, the greater portion of their interests are in getting a certificate to hang on the wall of their office and an addition to their letterhead.

I firmly believe, and have witnessed with my own eyes, that following the ISO Standards in implementing a quality management system results in satisfied customers, repeat business, increased profits, satisfied employees and continual improvement. That three part harmony, history-benefits-perceptions, when joined with top management commitment can lead to another benefit not yet mentioned. That is pride.

Bud Salsbury
ASQ Senior Member, CQT, CQI


ISO Documentation Practices; Difference Between Record and Document

 


Q: Is there a published ISO standard for good documentation practices (e.g., crossing out an error with a single line and initialing and dating; striking through a blank space)?

Thank you.

A: Your question has two parts:

1) Is there a standard?

2) Does it cover the specific practice you cited?

The answers are “yes” and “no.”   🙂

About a decade ago, the ISO Technical Committee (TC) 176 on Quality Management and Quality Assurance started work on a documentation standard. There was (and still is) much confusion in the world about what kind of documents were expected and what should go into them. Of course, most didn’t want to take the time and energy to understand the purpose of documents, much less describe their practices in a site-specific manual. How sad. The output of the ISO/TC 176 work was a Technical Report: ISO/TR 10013:2001 – Guidelines for quality management system documentation. Frankly, however, I do not think it will address your question.

First of all, documents and records are often confused. Even though the ISO terms and definitions standard (ANSI/ISO/ASQ 9000:2005 Quality management systems — Fundamentals and vocabulary) parks them both under the word document, it is good practice to always think document=before, and record=after.

In other words, a document tells us what to do. A record tells us what was done. Many people, not understanding this principle, have actually tried to place records under configuration control!

The record-keeping practices you cited — crossing out an error and marking in a blank space — have their origin in the early military practices of the 1950s! Back then, there were no computers, internet or even ISO standards. There was also much more falsification of information back then, as we treated the workers with little or no respect.

The practices you cite were attempts to make sure that the data entered on a record wasn’t changed. Those practices just kind of hung on for half a century. In my 40 years in the quality profession, I have never seen these “rules” written down in an external document, like a regulation or standard or policy. Sure, individual organizations have required these practices through their local Standard Operating Procedures, but I am pretty sure they are not published in higher-level documents.

With automation and networking, records are becoming much more virtual. Paper records are becoming a thing of the past. Security and protection of those electronic records is a much bigger problem than when they were all on dead trees.

Follow-up from expert: Doing some further research (for an upcoming class), I discovered that ISO/IEC 17025:2005 General requirements for the competence of testing and calibration laboratories, contains a clause about records correction, 4.13.2.3. In general, the clause says all alterations must be visible (not erased, blacked out, or deleted), and all changes must be signed or initialed by the person making the change. Equivalent measures should be taken in the case of electronic records.

I don’t know why I didn’t think of this standard earlier; however, my earlier remarks about this coming from the 1950s practices B.C. (before computers) still stand.

Dennis Arter
ASQ Fellow
The Audit Guy
Columbia Audit Resources
Kennewick, WA
http://auditguy.net

ISO 9001 Implementation Guidance


Q: I am directing a ground floor implementation effort to become certified to the ISO 9001:2008 Quality management systems–Requirements. I work for a small manufacturing company (less than 20 employees). Is there a quality management system (QMS) or ISO template product that I could use to help guide this process? Something with generic formats and outlines that I could customize and populate with our information. Or do I need to create from scratch all QMS and ISO supporting documents?  In practice, we currently have no documentation. I have ordered some resources from ASQ (see below). Is this a good start or can you recommend some other resources?

A: Please navigate these waters carefully.  There are several “do it yourself” type packages out there. Unfortunately, many of them don’t go far enough to provide a functional system unless the end user already has a thorough working knowledge of quality management systems (QMS). Therefore, as a quality professional, I hesitate to recommend this approach.

In order to establish an ISO 9001:2008 QMS capable of obtaining third-party certification, you will need to prepare a quality manual, a quality policy, define your organization’s quality objectives, and develop the six required QMS procedures, which as a minimum include:

1.    Control of documents
2.    Control of records
3.    Control of nonconforming product
4.    Internal audits
5.    Corrective actions
6.    Preventive actions

The reference books that you have already ordered from ASQ should contain some examples of the documents mentioned.  Once these QMS documents are established, you will need to orientate the organization to the requirements of the QMS, explain how each employee contributes to achieving the quality objectives, and ensure that the quality policy is communicated throughout the organization and is understood.  An internal audit will also be required to assess the effectiveness of the QMS once it has been implemented.

A management review will be required to ensure that top management is aware of input items mentioned in ISO 9001:2008, clause 5.6.2 and that they take action as needed to ensure the effectiveness and continual improvement of the QMS. These items should be completed prior to scheduling your registrar’s onsite pre-assessment for certification.  We wish you every success with your QMS project.  Please contact us if you would like to discuss this matter in more detail or require any support.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com