It isn’t Beethoven’s Fifth Symphony. I wish it was.
It’s the Committee Draft (CD) of ISO 9001 model no. 5 if you like, instead.
No connection whatsoever to a lady-loved scent, ISO even lost that opportunity, too (i.e. Chanel 5).
The ISO committee draft PDF format still costs swiss francs 38.00 apiece, but its price will blow up to the 118.00 swiss francs or so of the ISO 9001 4 (or 2008) version as soon as it will get the International Standard recognition.
So far for the economics.
I bought myself the PDF format CD and, as a matter of fact, it doesn’t take much longer to go through it than listening to a music CD, which is what I expected.
What follows records, in a very informal way, the feelings and the thoughts I had reading the CD, though I tried to give them some sense and context. ISO 9001 was never a good example for kids on how to build up a speech, its no. 5 is still where it started from.
So, let’s start reading the document ISO/TC 176/SC 2/N 1147 – ISO/CD 9001, hoping to make a clue out of it. What is not commented is considered to be acceptable enough, or unworthy noticing.
ATTACHMENT 1 TO SC2N1147
a) Exclusions: Lines 387 through 391 are quoted, referring 7.1.4 / monitoring & measuring devices and 8 / operation as permitted exclusions. Mmmh …
b) Goods & Services: Not much to say, except that point 8.6.4 / line 878 require “preservation of goods and services”; and the Note is clearly hardware-goods-oriented. Now, while it is easy enough to think of preservation services, to preserve a service like – say – a health treatment, it will have to rely on documentation, but the empathy the patient felt towards the nurse that makes him or her recovering more quickly, how can it be preserved?
CONTENTS
The ISO/TC 176/SC 2 re-shuffled the sections’ numbering once more. In the most vicious bars, it is rumored that it is done on purpose, to test auditors’s and consultants’ memory. Because, all in all, the requirements have not been changed, basically.
FOREWARD
“(…) the unifying and agreed high level structure, identical core text and common terms and core definitions of Annex XL of the ISO Directives (…)” quoted on lines 90 – 92 are not to be found in Bibliography, pages 26 -27. There is only a short reference in Introduction, section 0.2 Annex XL.
INTRODUCTION
Here is where the word “risk” appears for the first time – line 160 – associated with “opportunities” – line 166 – and linked to the Annex XL core text “risk based thinking” and “risk driven approach” – line 171. What is not clear, at the moment, is what’s to be understood (and acted upon …) on lines 173 – 174: “Although risks have to (be) identified and acted upon there is no requirement for formal risk management.”
QMS REQUIREMENTS
ISO 9001 (5) is different from its predecessors, in that Requirements include 1. Scope , 2. Normative references, 3. Terms & Definitions. Something is worth noticing: section 1 Scope does not mention risk but “improvement”, section 2. Normative references quotes as “indispensable” ISO 9000:2015, QMS – Fundamentals & vocabulary only.
Section 3. Terms & Definitions is an Eldorado for a word-fan like me. Of particular interest, I found: 3.05 / top management; 3.09 / risk (of course …); 3.10 / competence; 3.11 / documented information; 3.14 / (to) outsource; 3.15 / monitoring; 3.16 / measurement; 3.17 / audit looks to me a revolving definition, rather like a rose is a rose is a rose.
4.1 UNDERSTANDING THE ORGANIZATION AND ITS CONTENTS
Line 346 / “The organization shall update such determination when needed.” I see a big risk here; when organizations get the certificate, they nail it to walls and freeze the QMS down. And there’s no way to convince them to change a suit that’s become either too large or tight for them, they maintain refusal due to costly changes.
4.3 DETERMINING THE SCOPE OF THE QMS
I found an interesting requirement on lines 384 – 385: “ (…) the main processes to deliver them and the sites of the organization included.” There’s a clear reference to Logistics processes, here, that until ISO 9001 (4) have been quite neglected, save for registering shipping / forwarding / trucking organizations and their warehousing, but not the true Logistics processes themselves, that even by a TV onlooker can be assessed as very critical.
4.4.2 PROCESS APPROACH
It has probably been one of the more pedantic activities in the world specifically planning and developing QMSs. It would be very difficult to name an organization that did not find this a waste of time. Now, what ISO 9001 (4) got rid of with one chart (section 0.2) and six requirements (a through f, section 4.1), ISO 9001 (5) makes you to reflect upon with four more requirements. I fear it will be once more consultants’ work, because organizations think they know their processes.
5.1 LEADERSHIP & COMMITMENT – 5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES & AUTHORITIES
The Armageddon is still here to come. How could a third party auditor argue on such political matters with his boss’s customer? And a first party auditor with his boss? Only second party auditors with enough power in their hands can do it. Until ISO 9001 (4) this requirement was a mere formality, and I don’t expect ISO 9001 (5) to change it. So why not leave it out altogether and put it in some other standard, for instance quality of management systems management? This implies personal, psychological, social, economical, financial, entrepreneurial skills, competence, training that the poor check-list-filling auditor is very far from being capable to assess.
ISO 10015:1999, Quality management – Guidelines for training (Bibliography’s entry # 13) and ISO 10018:2012, Quality management – Guidelines on people competence and involvement (Bibliography’s entry # 15) should be consulted.
5.1.2 A) LEADERSHIP & COMMITMENT WITH RESPECT TO THE NEEDS & EXPECTATIONS OF CUSTOMERS – 6.1 ACTIONS TO ADDRESS RISKS & OPPORTUNITIES
After it disappeared for a few pages, the term “risk” here appears again, like Alice’s Rabbit, and again associated with “opportunities”, on lines 446 (not associated with “opportunities”), 482, 484, 498, 501 – risk avoidance, risk mitigation, risk acceptance. One would be induced in thinking that management would be allowed to indulge in risk management approach.
At this point, it seems the cyclical structure of the QMS envisaged by ISO 9001 (5) is taking shape: we’ve gone over internal and external constraints, the boss has taken command, it is now time to decide where to go and how.
6.2 QUALITY OBJECTIVES & PLANNING TO ACHIEVE THEM
Again, one of the more pedantic, when not the most pedantic, activities in planning, developing, monitoring, improving QMSs; it would be very difficult to name a company that did not find this a waste of time. Since the objective-based QMSs introduction, quality managers’ and consultants’ creativity has gone almost brake-less to fill the gap between the only objective understandable to and understood by top management, that is, turnover, and the performance indicators required by auditors strictly applying the ISO 9001 requirements.
And ISO 9001 (5) doesn’t solve the catch. If in the first place, quality objectives shall “a) be consistent with the quality policy” (line 505) and the quality policy “b) provides a framework for setting quality objectives” (line 458), then the auditor will have to throw into a bin all those generic, smoky, meaningless quality policies so dear to top managers wanting to say nothing and the contrary of it, and to their consultants.
The scar still burns: “c) be measurable” (line 507); the previous “if practicable” has been barred. Now, here there’s something that the accreditation bodies have to deploy to registrars not to let auditors ignore what’s going on. SPC (Statistical Process Control) starts with punctually recording numerical figures until it is found out that the process is stable enough. Any parent watches every step of the kid until confidence is obtained that his or her nose does not run the risk of being broken; then, the parent takes occasional looks. Why in the world QMS objectives should always be stated in terms of measurable variable figures and not of measurable attribute figures?
6.3 PLANNING OF CHANGES – 8.6.6 CONTROL OF CHANGES
These two sections should be read together. Though between the lines, it seems that risk & opportunities identification should be given more relevance when planning than when implementing and controlling.
7.1.2 INFRASTRUCTURE
We know how it goes, mirrors reflect our front, not back image. We enter shiny glassy marble halls, very tidy, neat, orderly office rooms, we are enchanted. The shop floor? Well, we can’t expect much of a metal working company, using much oil, making much noise and shavings. Then, the nasty auditor asks to see, just to see, what’s behind the building, outside, bordering the neighbors. Are the tons of rusting metal, the drums containing unknown liquids to be covered by this requirement? The shiny entrance, the big black or sport cars in the front have vanished: this is the real company.
Note c), lines 547 and 548, software, transportation: Achilles was very lucky to have just one heel that could be lethally wound. Most organizations have at least two, that is, software (user-friendliness and security) and logistics (which is much more comprehensive than just transportation and warehousing). Being these two processes downgraded to infrastructure process will not help organizations see them in full light, as they deserve, instead.
7.1.3 PROCESS ENVIRONMENT
The Note (line 555) echoes previous ISO 9001 Notes, and requirements, too. That is, I don’t think that “physical, social, psychological and environmental factors” cannot be dissociated from “Knowledge (7.1.5), Competence (7.2), Awareness (7.3), Communication (7.4)”, if a proper understanding and use of human resources is a relevant part of a QMS.
Ref. Requirement 8.6.1, it is worth warning the requirement f), line 835, that require for “personnel qualification”, which is not included in section 3 terms & definitions, and the requirement i), line 840, that is all too often abused as a justification for more upstream errors.
7.1.4 MONITORING & MEASURING DEVICES
Here is another point where ISO 9001 (5) seems to crack down: “The organization shall determine, provide and maintain the monitoring and measuring devices needed to verify conformity to product requirements (…)” (lines 560 -561). Though it was anticipated – Attachment 1 / a) Exclusions and 4.3 Determining the scope of QMS line 389 – the question still seems to be unresolved, because many – reliable – auditors believe that service performance can and should be measured, or assessed, while others, at least as reliable, do not.
I think that most of us share the view that customer satisfaction questionnaires are far from being significant in determining any service performance level; at the same time, as an organization preparing for ISO 9001 (201 5) registration, how would I go about this requirement? Possibly simply declaring its non applicability?
ISO 10012:2003, Measurement management systems – Requirements for measurement processes and measuring equipment (Bibliography’s entry # 10) should be consulted for further clarification.
7.1.5 KNOWLEDGE
While ISO 9001 (5) defines Competence (3.10) as the “ability to apply knowledge and skills to achieve intended results”, both terms knowledge and skills are not defined. This seems to reveal some kind of uneasiness of ISO/TC 176/SC 2 to tackle personal characteristics: the same reluctance can be found in the following three requirements, that is Competence (7.2), Awareness (7.3), Communication (7.4.), that all hit but the bull’s eye, and in top management’s profile (3.05, 5.1, 5.3).
7.5 DOCUMENTED INFORMATION
We first come across this term in section 3, entry 3.11 – line 288.
Then, as far as the “documentation required by this standard” is concerned (section 7.5.1 a) – line 608) we find it – among others – mentioned in: section 3 terms & definitions, 3.07 policy; section 4.3 – line 387 (exclusions); section 5.1.1 (line 424) demonstration of leadership & commitment, (line 426) quality policies & objectives; section 5.1.2 leadership & commitment with respect to the needs & expectations of customers (line 444) demonstration of leadership & commitment; section 5.2 quality policy; section 5.3 organizational roles, responsibilities & authorities c) reporting (line 478); 6.2 quality objectives & planning to achieve them: line a) quality policy, line 513 “documented information on the quality objectives”.
Based on past experience, the requirement 7.5.1 b) “The organizations QMS shall include: documented information determined by the organization as being necessary for the effectiveness of the QMS.” (lines 609-610) is going to raise discussions between auditors, auditees and consultants with each party trying to further one’s own cause.
Requirements 7.5.2 and 7.5.3 are deja’ vu in ISO 9001, yet, the reminders to “loss of confidentiality” (line 630), “access to view and authority to change” (Note) and “disposition” (line 636) may help refresh some of the corrective actions seen in the past and soon forgotten.
And the “documented information to the extent necessary to have more confidence that the processes have been carried out as planned” required under 8.1 c) operational planning & control (lines 649 – 650) seems not to mean quality objectives and quality performance but quality plan and some kind of sign-off, instead.
ISO 10005:2005, QMS – Guidelines for quality plans (Bibliography’s entry # 6) should be consulted for further clarification.
8.2.3 review of requirements related to goods and services, and applicable changes:
In its simplest form, the requirement of line 688 could be satisfied by a review sign-off or a team feasibility commitment. The true questions arise in obtaining customers’ clear, comprehensive, consistent “documented statement of their requirements” and, in case, of its amendment. I often found, and still find, that customers start with an afflatus when describing the required or expected goods & services. The afflatus soon fades away, leaving definition midway or floating in the air. And when the supplier wants his customer to provide himself with more robust information, the customer seems to be annoyed at this petty approach.
Requirement 8.6.1 poses the never-ending question, as it differentiates between “documented information that describes the characteristics of the goods & services” – point a), line 829, and “documented information that describes the activities to be performed and the results achieved, as necessary” – point c), line 831. The former is usually reasonably detailed and kept up to date, mainly because it is closely linked to customer’s requirements. The latter, being almost totally in the organization’s hands, gives origin to shortcuts, to not documented work instructions of the type we do so because we’ve always done this way, and to poor records.
Section 8.3 operational planning process includes references to: documented information – quality objectives, point a) line 712, performance data, point f) line 719 (comments to Note, lines 728 – 729. Quality plans were never a hit in ISO 9001 registration, based on the fact that organizations felt they are too cumbersome and their preparation is of no added value, to the point they were developed and printed for registration purposes only).
Risk – identification and (action) of risks related to achieving conformity of goods & services to requirements, point b), lines 713 – 714; and again preservation of services – point g), line 720 were discussed above under point b) of Attachment 1.
ISO/TR 10013:2001, Guidelines for QMS’s documentation (Bibliography’s entry # 11) should be consulted for further clarification.
8.4.2 TYPE AND EXTENT OF CONTROL OF EXTERNAL PROVISION
Here, too, the key concepts are expressed as: a) “the risks identified and the potential impacts”, line743; c) “the capability of potential controls”, line 746; “documented information describing the results of evaluations shall be maintained”, line 752.
To the above point c), I would raise some questions. In today’s business, more and more organizations buy bulk goods from traders – steel coils and plastics are examples – and bulk services, too, like worldwide inspection or registration services. Very often the traders, especially those buying in the Far East do not know where the goods they buy come from, so it’s difficult for them to trace the controls back to their origin, and transmit them to the buying organization. On the other hand, the latter cannot sample a 50,000 tons steel coils cargo, or a 100,000 plastics big bags cargo, which leaves the entire charge to accept the cargo, or segregate a part of it, in the hands of the organization’s production manager.
ISO 37500, Guidance on outsourcing (Bibliography’s entry # 19) should be consulted for further clarification.
8.4.3 DOCUMENTED INFORMATION FOR EXTERNAL PROVIDERS
The requirements expressed in lines 757 and 769 / 770 go hand in hand with what was written above under 8.4.2.
For requirement c), line 759, please refer to 7.1.3 and 7.1.5 above.
8.5.1 DEVELOPMENT PROCESS
Requirement c) – lines 783 through 788 – seems to express more concern with the development process than with the goods & services themselves, especially in the overture “the determined risks associated with the development activities (…)”
For requirement g), line 790, please refer 7.1.3 and 7.1.5 above.
Requirement j), line 796 is also going to raise discussions between auditors, auditees and consultants with each trying to further one’s own cause. Past experience teaches that, while auditees prefer shortcuts, auditors want to see very detailed, painstaking, comprehensive documentation, that auditees often consider superfluous. Consultants try for a balance, but is not always easy.
8.5.2 DEVELOPMENT CONTROLS
Requirement c) outputs – line 806: the same comments under 7.5.1 b) and 8.5.1 j) apply.
Requirement g) change control & configuration management: requirements 6.3, 8.6.6 and ISO 10007:2003, QMS – Guidelines for configuration management (entry # 8 to Bibliography) should apply.
8.6.1 CONTROL OF PRODUCTION OF GOODS AND PROVISION OF SERVICES
Ref. Requirement g) and its related Note, based on ISO 9001 (5) prominence given to services, one would have expected it to be more specific and thorough on validation, approval, periodic revalidation of any process for provision of services. Often services cannot be segregated before final control for release to customer, or preserved after release, making services some kind of water stream that has to continually flow, unless trapped behind a dam.
8.6.2 IDENTIFICATION & TRACEABILITY
It is interesting to observe that, while here (lines 856 – 857) the organization has to demonstrate to meet this requirement via “documented information”, point g) of requirement 8.3, the operational planning process does not require the auditee to create and update any documentation.
It’s also interesting to read here, though in a tentative Note, a definition of process outputs.
8.6.3 PROPERTY BELONGING TO CUSTOMER OR EXTERNAL PROVIDERS
Ref. Note, the EU has issued rules by which organizations have to nominate a manager to take care of personnel private data and of customers’ and suppliers’ information and data, too, including product and process specifications and performance. Exactly like a caring restaurant owner would do with his chief cook and his or her recipes.
It’s therefore a pity that auditors and auditees mainly address this issue looking at packages or tooling only.
8.6.5 POST DELIVERY ACTIVITIES
Point a), line 891, requires that “the risks associated with the goods and services” have to be taken into account when determining the extent of post delivery activities.
Since post delivery activities are not defined in section 3 terms & definitions, it is expected to see them agreed between the organization and its customer, even when not required by the latter. I’m thinking, for example, of predictive maintenance services for a multi-million dollar costing machine of which, beyond the basic features, the customer does not specify much or of an inspection-services supplying organization advising its customer of the sea-port facilities available on the other side of the world.
8.7 RELEASE OF GOOD & SERVICES
One (lines 909 – 910): “Evidence of conformity with the acceptance criteria shall be maintained” falls under the requirement 7.5.1.a) “documented information required by this International Standard”, unless differently agreed with the customer, for example, samples or sensorial assessment by the customer itself in case of services.
Two (lines 913 – 915) items fall under the requirement 5.3 organizational roles, responsibilities & authorities, commented above.
8.8 NONCONFORMING GOODS & SERVICES
It’s interesting to note how the requirements under lines 922 – 923 and 925 – 926 may impact the requirements previously expressed under 8.6.5 b) and which we will be reminded of under Requirements 9.1.2 Customer satisfaction points a) and b).
As far the “documented information describing the nature of nonconformities and any subsequent actions taken, including concessions obtained, shall be maintained” (lines 938 – 939) cannot but echo what’s to be read in 0.3 d) risk and preventive action: that is, “(…) the key purpose of a formal management system is to act as a preventive tool.”
Demonstration of correction re-verification (lines 935 – 936) was never brilliant under the previous ISO 9001’s, both for instructions, or procedures, and records. Organizations were usually content to put the products in inventory and ship them to customers or store them for future shipment. Some organizations went as far as re-working products by production batches or by kind of nonconformities, to save on time. Such practices are quite unfeasible with the majority of services, that, as we saw, run line unstoppable streams. Sure, when services require the issue of documents only it could be done, but when they imply movement of people, information, goods, it becomes much more difficult.
9.1.2 CUSTOMER SATISFACTION
ISO10004:2012, Quality management – Customer satisfaction – Guidelines for monitoring and measuring (Bibliography’s entry # 5) and their related Guidelines should be consulted for further clarification. It has to be borne in mind that most organizations use a written or e-questionnaire as a method for obtaining customer satisfaction data, and that the questions are often so generic that can be applied to a wide variety of goods & services, and of organizations, too. In addition, these questions are very seldom addressed to the responsible people within the customer organization and, even if it were so, there is no evidence that the questions were answered by the responsible manager rather that his or her secretary, so vanishing all efforts to obtain credible, dependable data.
9.1.3 ANALYSIS & EVALUATION OF DATA
Until ISO 9001 (4) there was a specific required role for a management representative with “the responsibility and authority for: c) reporting on the performance of the QMS to top management and any need for improvement (…)”, which ISO 9001 (5) includes instead in requirement 5.3 organizational roles, responsibilities & authorities.
9.2 INTERNAL AUDIT
ISO 19011:2011, Guidelines for auditing management systems (Bibliography’s entry # 18) should be consulted for further clarification.
This Requirement summarizes the hefty Guidelines above, and uses more or less the same wording as ISO 9001 (5) predecessors: though it emphasizes “the related risks” (line 1002). One is brought to interpret them as risks related to the processes concerned with product realization or service provision, but not related to what ISO 9001 (4) and (3) defined as management and supporting processes.
Considering 9.2 requirement’s a) and b) points (lines 994 – 996 and line 997), it has to be wondered how the ISO/TC 176/SC 2 did not consider the internal audit process a risky process on its own.
9.3 MANAGEMENT REVIEW
ISO 9001 (5) requirements are more or less still the same as its predecessors’, including the big failure of not requiring for evidence that the QMS be ACTUALLY reviewed by management, and contenting itself that the management signature appears at the bottom of the management review report. Some sly auditors require the management to recite the report’s contents, which is good for actors, not for managers.
10 IMPROVEMENT
After year 2008, when, as a third party auditor I pushed organizations to pursue (continual) improvement, the most frequent answer I got was: “Hey Mister, we are lucky enough to survive and keep our gate open to our employees, what do you want us to do more?” This as far as points a), b) and c) are concerned; may be I’m going a bridge too far: unless required by the customer or planned by the organization, improvement should be an “opportunity”, not a “shall”.
ANNEX A – QUALITY MANAGEMENT PRINCIPLES
A.3 QMP 2 – Leadership and A.4 QMP 3 Engagement of People were commented above, under different headings. A.6 QMP 5 – Improvement: see above. A.7 QMP 6 – Evidence-based Decision Making. It is rare that an organization does not make decisions based on facts, information, and data. It is surely less rare that an organization does not systematically collect, identifies, traces, the facts, information, data on which its bases its decisions
Note: Parts of ISO 9001 CD are quoted under Fair Use for the purpose of a review.
BILBIOGRAPHY