ISO 9001 25 Years

Richard Hadfield Progressive Certification Ltd.

On 15th March 2012, ISO celebrated the 25th anniversary of the publication of ISO 9001. ISO 9001 has been a great success for the International Standards Organisation (ISO) and has spawned a whole industry of consultants, certification bodies and accreditation. At the last count, over 1.1m organisations are registered to ISO 9001 with the leading countries being China, followed by Russia and Italy; in all, certifications to ISO 9001 exist in 178 countries. Since the publication of ISO 9001 in 1987, a cluster of management systems has been developed with ISO 14001 (environment) being published in 1996 and closely followed by sectors such as aerospace (AS 9000), automotive (QS 9000), medical devices (ISO 13483), health and safety (OHSAS 18001), information security (ISO 27001), food safety (ISO 22000) and, most recently, energy management (ISO 50001). The use of ISO 9001 as a base for sector standards has proliferated and models based on Demings Plan-Do-Check-Act (PDCA) improvement cycle have become the norm. Not surprisingly, a top level standard (ISO Guide 83) will be

published in 2012 to establish a template for management standards which should allow better integration and speed-up the publication of standards1. Some have described ISO 9001 as a monster that has got out of control. In many countries (mostly in Europe and Australasia), even before the economic recession, the number of registrations has been decreasing. Many of those leaving ISO 9001 have stated that their systems slow them down, are no longer relevant, give no value and are an additional overhead. As the ISO Technical Committee Working Group 24 begins on the revision of ISO 90012 (to be published in 2015), it is time to look at the history of this standard and where it might be going in the future. ISO 9001 History Before ISO 9001 was published in 1987, there were several national standards in the continuum of transitioning from Quality Control (mainly in the military US Mil Q 9858a:1959, UK AQAP:1968) to Quality Assurance (Canada: CSA Z 299 Parts 1 to 5, UK: BS 9000:1971, BS 5179:1974 and BS 5750:1979 Parts 1 to 3). Quality Control is often referred to as inspecting in quality whereas Quality Assurance is planning for quality. Although there was resistance from Japan and Germany, ISO 9001, ISO 9002 and ISO 9003 became international standards in 1987. The three standards referred to organisations responsible for design, manufacturing and test (the lower numbered standard incorporating the requirements of higher numbered). ISO 9004 was published as a guidance document for effective implementation. The rationale for publishing the quality standard originated from a wish to facilitate free trade and real concerns about the quality of goods (BS 9000:1971 was published to improve standards in the electronics industry). ISO 9001:1987 aimed to address the quality of physical materials and the reduction of production waste, out of box failure and early mortality. The success of introducing a systematic way of organising the manufacturing processes and making organisations aware to quality tools (from Deming, Juran, Crosby, Cooper and others), made ISO 9001 a key tool of management to improve their performance. Much of this improvement was low hanging fruit the organisation of the workplace and less dependence on the individual (what CMMI (Capability Maturity Model Integration) enthusiast would identify as moving from Level 1 Maverick). Even though quite basic, eliminating the low hanging fruit gave good financial returns.

Often a standard takes 5 years to develop with various drafts, translations, consultation etc.; ISO has just launched its fast track system which will allow standards to be published in about a single year. ISO 17582 - ISO 9001 for the Electoral Process will be published at the end of 2012 after 14 months of gestation and is the first fast track standard).
2

Working Group 24 meets in Bilbao on 18 June 2012 to finalise the proposal for the development of the next revision to ISO 9001.

th

The initial implementers on ISO 9001 were able to find documents, adopt and standardise best practices, control inventory, identify the status of products, control design launches etc. Now, we take many of these for granted but, at the time, these were huge improvements and the results got attention from management; ISO 9001 was seen as a marketing bonus and, on achievement of registration, banners were draped on buildings and there were celebrations. The next stage in the development was, in 1994, the consolidation of the three standards (ISO 9001, 9002 and 9003) into a single standard and the development of the ISO 9000 family (by the addition of ISO 9000 which was formerly ISO 8402). This simplified structure eliminated the perception that ISO 9001 was better than ISO 9002 or ISO 9003 and emphasised the importance of quality assurance (as ISO 9003 concerned quality control). The 1990s can be seen as the heyday of ISO 9001 with major growth of certified companies, quality consultants and certification bodies. Certification bodies were initially national bodies and recognised agencies who were already conducting inspections (e.g. Lloyds Register, RINA, Bureau Veritas, SGS, Det Norske Veritas etc.). Accreditation bodies now provided a way for private companies to establish themselves as certification bodies and accreditation became a requirement for all certification bodies. ISO 9001 was seen as a way of making money. One of the drivers for this growth in ISO 9001 certification came from the opening up of the Far East and Eastern Europe to provide more cost effective manufacturing, Multi-nationals led the way in opening manufacturing sites worldwide and subcontracting non-proprietary manufacturing. ISO 9001 became the ticket to join in this growth area. ISO 9001 was next revised in 2000 with a change from the menu approach to the process approach; this emphasised the PDCA improvement cycle, quality management and acknowledged that the new market for ISO 9001 was in the services sector. The transition to the new standard was the first major challenge to ISO 9001. Three years were allowed to make the transition and on 15 December 2003, the stress of the transition caused some organisations to retire, others scraped through (certification bodies were not keen to lose their customers) and others embraced process management as it was closely aligned to their other programmes (including Lean and Six Sigma). The changes in 2008 were minimal (mainly to facilitate translation) and PDCA was heralded to stand for Please Dont Change Anything. Where can ISO 9001 go in the 2015 version? ISO 9001 Where to now? There have been many inputs to the ISO 9001:2015 design brief including a customer survey, a review of the quality principles, the drafting of ISO Guide 83 and brainstorming sessions within the Technical Committee (including an analysis of

concepts). There is still resistance to change (the PDCA group which is supported by multi-national sector groups) and it will be interesting to see whether there will be any strategic changes or whether the ISO working group will just move the furniture about to present a fresh appearance Some of the current challenges are: 1. ISO 9001 Fatigue Some companies perceive they get few benefits from ISO 9001. Faced with cost reductions, they question the costs associated with ISO 9001 (internal audits, external audits, QMS maintenance etc.). They find the system rigid and overly documented. They have no appetite for improving the system as this will absorb more resources. Changes implemented through ISO 9001 have addressed the easily fixed and obvious problems; ISO 9001 is recognised for its past relevance. It can be argued that the fatigue is largely due to the certification regime and the impact of poor consultants and the relationship with certification bodies. 2. ISO 9001 as the Business Improvement Standard As interest in ISO 9001 has declined in some markets, ISO 9001 has been sold as a standard for business improvement. However, ISO 9001 is designed to ensure that product meets customer requirements and expectations; therefore improvement is targeted at meeting these requirements and expectations and reducing variation where variation impacts on the customer. ISO 13485 (Medical Devices) has addressed this by eliminating continuous improvement. Many organisations have introduced objectives that primarily benefit the organisation (not the customer), for example, increasing inventory turns. As a customer, increased inventory turns may impact on lead time so the key must be to look at these internal improvements to eliminate the downside impacts that could affect the customer; In other words, improvements (e.g. lean) can increase risk of customer dissatisfaction. 3. Resistance to Change As seen in 2000, significant changes are a turn-off for a proportion of the ISO 9001 client base. ISO 9001:2015 will obviously introduce changes and, after the small degree of change in ISO 9001:2008, there are more changes in the pipeline. It has been suggested, in some quarters, that ISO 9001:2008 continue to exist after the publication of ISO 9001:2015 as a two tier approach. Let the market decide.

4. Relationship to other TC176 standards At present, ISO 9001 is the only standard published by TC 176 for certification. Although the ISO 10000 series and ISO 9004 are published by TC 176, sales would suggest that they are not widely appreciated or used. How should the family of Quality standards be managed within the context of certification? 5. Consultants Responsibility Consultants provide a valuable service. However, some consultants rate their services on their success in achieving first time certification for their clients. This results in a certain amount of system over-design (to ensure compliance with ISO 9001), the cloning of previously successful solutions (that may lead to one size fits all approach) and the partnering with Certification Bodies (that can lead to erosion of objectivity in the food chain). 6. Certification Bodies Responsibility Certification Bodies need to grow their businesses. This leads to a risk that some organisations will be certified when they are not fully ready or committed . Organisations who do not maintain their systems can be tolerated beyond the point when they should be de-certified. Its business. How is the quality of certification controlled so that it means what it was intended to mean? In the US, they refer to drive-by certification; how does the industry police poor standards and raise customer awareness of what ISO 9001 is really about? 7. Accreditation Body Responsibility There is variation in the approach of certification bodies from country to country (despite the efforts of the IAF (International Accreditation Forum)). Audits tend to look at system issues and can easily overlook auditor specific issues and poor audit performance (e.g. the absence and/or poor grading of findings). How can the certification process be made more robust through the revision to the standard? Is there a role in the revision of the standard for improving the whole process? 8. Product Standards v. Management System Standards ISO 9001 is a management system standard to ensure that the customer expectations for quality are met. There are very clear guidelines on how

the ISO 9001 certification declaration can be used (e.g. not on the product or primary packaging). From the perception of customers, this is a difficult concept; surely, if a companys management system assures that customer expectations are met, this includes the physical product and its performance? What can ISO do to align these customer expectations? Possible Areas of Improvement On the eve of the first meeting of Working Group 24, one can speculate on the outcome. Given the nature of the proposed changes to the quality principles (drafted after the last meeting in Beijing, China in October 2011), one should not expect major changes. The PDCA will remain the core of the standard which means the structure will be similar; if anything changes, there will be movement to align more closely with the ISO Guide 83 structure. New requirements have been suggested but the current concern for ISO 9001 being used ultra vires will filter any proposals that are not fully aligned with the satisfying the customer; new requirements aimed at the sustainability of the organisation will be focussed on ISO 9004. Some changes will be aimed at recognising new media opportunities and technology and it will be hoped that the new Quality EcoSystem will link to provide tools and apps to provide practical application. ISO has already started on a project to cross-reference and hyperlink popular ISO standards and present them suitable for eReaders, portable devices and cloud applications (e.g. iTunes). ISO 9001:2015 will be included in this programme. On a personal basis, I would like to see changes in the following areas: 1. Management Commitment It has long been realised that most management systems fail when they do not get the support of management. At present, few (if any) findings are ever raised in the areas of management commitment which is strange as this is one of the areas of breakdown. There are many reasons for this including auditor competence, intimidation, availability of management, lack of auditable requirements. 2. Use for non-Tangible Products Although product is described as tangible and service based, there is still a difficulty in understanding the word product as also meaning a service. Somehow, the standard needs to have equal appeal to all organisations whether the work in services, manufacturing, profit or not-for-profit etc. It is

possible that publishing the standard in interactive electronic format may morph the standard into a more empathetic. 3. Value of Networks Organisations rely heavily of networks that include logistics, sales, service centres, distributors, procurement, sub-contracting, outsourcing, partnerships and consortia, contract staff, employees, business associations, owners, investors and other stakeholders. The implementation of a quality system needs to recognise the relationships with each relevant group and understand their relationship with the product provided to the customer. 4. Process Approach The process approach is not well implemented and clause 4.1 is still regarded as an extension of the introduction (as it is ISO 14001). The process approach is the starting point for the standard and should be covered in detail in the Stage 1 assessment. I would like to see this clause being made more important in the architecture of the standard. Because of the transition to ISO 9001:2000, many organisations have renamed their procedures as processes without due consideration. I have always believed that a process has a certain anatomy and this needs to be clearly stated. 5. Clause 7 Realisation This clause still has the last fragments of the shopping list that was in the 1994 version of the standard. There needs to be more of a link between the process mapping in clause 4.1 and the realisation processes in Clause 7. There are essentially only a few generic realisation processes: understanding what the customer wants / expects designing solutions where these requirements are performance based, providing outputs once the customer requirements have been translated into the required string of activities and intermediate outputs and handling the outputs so that they can be provided to the client without deterioration and in a timely manner. 6. Measurement Measurement is synonymous with Check. It does not imply that Check directly follows Act but that checking occurs throughout the realisation processes, before delivery to the customer and on the records (post-delivery). These stages, ironically, were clearer in ISO 9001:1994.

I believe that the measurement equipment should be part of Measurement (rather than Realisation). The organisation needs to look at how it makes measurement and ensure that this measurement process is stable, accurate and consistent. This would include validating software and checking human interfaces. The human interfaces overlap with Resources, Clause 6 but this is the check phase whereas Clause 6 emphasises the plan phase. Performance analysis should be part of Measurement. 7. Risk Management The approach taken in ISO 14001 and OHSAS 18001 (where significant aspects and impacts are identified) has found resonance in the management system community. With the publication of ISO 31000 (Risk Management), many have queried whether risk should not be at the heart of all management system standards; in ISO 9001, the risk of product not meeting customer requirements and expectations. There is also a belief that focus on risk will achieve better value through auditing and investment in management systems. This could easily be included within the process approach clause and linked to preventive action. 8. Succession Planning and Knowledge Management Many organisations could manage their businesses more robustly so that knowledge is shared, compounded and made readily available. A recent report stated that 80% of all knowledge in an organisation is not recorded in any way. Companies need to ensure that, beyond ensuring that staff are competent, they bank their knowledge and shadow key positions so that they become more robust. 9. Quality Management Guidance and Tools With the change of ISO 9004 from a guidance document to ISO 9001 (consistent pair), there is an absence of guidance to ISO 9001. This guidance should point to other standards (such as the ISO 10000 series) as well as popular quality tools (such as Five S, Five Whys, Six Sigma, Lean, FMEA etc.). 10. Change Management There is a line in the 2008 standard which states the the integrity of the quality management system is maintained when changes to the QMS are planned and implemented. This is a key aspect of management which is often overlooked and needs more focus. A separate clause on change management would support the Act part of PDCA and draw attention to the

fact that effective change management is often a weak area (particularly in the context of time, speed and agility). 11. Media Although most standards are published as paper documents, there is an opportunity to publish a version of ISO 9001 which uses electronic techniques to present the standard in a way which aids implementation and use. It might be possible, for instance, for the standard requirements to be directly linked to the organisations quality system, procedures, internal audits and results; a quality continuum. Of course, a revised standard does not remove the effort necessary to implement and maintain a QMS. Corrective action (including complaints management) is a vital area which is often not well implemented and yet a revised standard will not, of itself, improve this. The 9001:2015 standard will not remove the need to implement an effective quality management system; at best, it can provide a sharper model which will be more beneficial for users and, through better fit, support effective implementation. Please contact Richard Hadfield (at richard.hadfield@progressive-cert.com) with your views on the revision to ISO 9001.
Richard Hadfield is Director of Progressive Certification and a member of ISO TC 176. Co-convenor of the TC 176 Quality EcoSystem WG and member of ISO 9001 Revision WG and Quality Principles WG. Website: www.progressive-cert.com.