ISO 9000

From Wikipedia, the free encyclopedia

ISO 9000 is a family of standards for quality management systems. ISO 9000 is maintained by ISO, the International Organization for Standardization and is administered by accreditation and certification bodies. For a manufacturer, some of the requirements in ISO 9001 (which is one of the standards in the ISO 9000 family) would include:

• a set of procedures that cover all key processes in the business;
• monitoring manufacturing processes to ensure they are producing quality product;
• keeping proper records;
• checking outgoing product for defects, with appropriate corrective action where necessary; and
• regularly reviewing individual processes and the quality system itself for effectiveness.

A company or organization that has been independently audited and certified to be in conformance with ISO 9001 may publicly state that it is "ISO 9001 certified" or "ISO 9001 registered." Certification to an ISO 9000 standard does not guarantee the compliance (and therefore the quality) of end products and services; rather, it certifies that consistent business processes are being applied.

Although the standards originated in manufacturing, they are now employed across a wide range of other types of organizations. A "product", in ISO vocabulary, can mean a physical object, or services, or software. In fact, according to ISO in 2004, "service sectors now account by far for the highest number of ISO 9001:2000 certificates - about 31% of the total" - source: the ISO Survey 2004

Contents 1 ISO 9000 family 2 Contents of ISO 9001 3 Summary of ISO 9001:2000 in informal language 4 History of ISO 9000 4.1 Pre ISO 9000 4.2 1987 version 4.3 1994 version 4.4 2000 version 5 Certification 6 Auditing 7 Industry-specific interpretations 8 Debate on the effectiveness of ISO 9000 9 See also 10 External links 11 References

[edit] ISO 9000 family

ISO 9000 includes the following standards:

• ISO 9000:2005, Quality management systems - Fundamentals and vocabulary. covers the basics of what quality management systems are and also contains the core language of the ISO 9000 series of standards.
• ISO 9001:2000 Quality management systems - Requirements is intended for use in any organization which designs, develops, manufactures, installs and/or services any product or provides any form of service. It provides a number of requirements which an organization needs to fulfill if it is to achieve customer satisfaction through consistent products and services which meet customer expectations. This is the only implementation for which third-party auditors may grant certifications.
• ISO 9004:2000 Quality management systems - Guidelines for performance improvements. covers continual improvement. This gives you advice on what you could do to enhance a mature system. This standard very specifically states that it is not intended as a guide to implementation.

There are many more standards in the ISO 9001 family (see "List of ISO 9000 standards" from ISO), many of them not even carryng "ISO 900x" numbers. For example, some standards in the 10,000 range are considered part of the 9000 family: ISO 10007:1995 discusses Configuration management, which for most organizations is just one element of a complete management system. ISO notes: "The emphasis on certification tends to overshadow the fact that there is an entire family of ISO 9000 standards ... Organizations stand to obtain the greatest value when the standards in the new core series are used in an integrated manner, both with each other and with the other standards making up the ISO 9000 family as a whole".

Note that the previous members of the ISO 9000 family, 9001, 9002and 9003, have all been integrated into 9001. In most cases, an organization claiming to be "ISO 9000 registered" is referring to ISO 9001.

[edit] Contents of ISO 9001

ISO 9001:2000 Quality management systems — Requirements is a document of approximately 30 pages which is available from the national quality organization in each country. Outline contents are as follows:

• Page iv: Foreword
• Pages v to vii: Introduction
• Pages 1 to 14: Requirements
  • Section 4: General Requirements
  • Section 5: Management Responsibility
  • Section 6: Resource Management
  • Section 7: Product Realization
  • Section 8: Measurement, analysis and improvement
• Pages 15 to 22: Tables of Correspondence between ISO 9001 and other standards
• Page 23: Bibliography

The standard specifies six compulsory documents:

• Control of Documents (4.2.3)
• Control of Records (4.2.4)
• Internal Audits (8.2.2)
• Control of Nonconforming Product / Service (8.3)
• Corrective Action (8.5.2)
• Preventive Action (8.5.3)

In addition to these, ISO 9001:2000 requires a Quality Policy and Quality Manual (which may or may not include the above documents).

[edit] Summary of ISO 9001:2000 in informal language

• The quality manual is a formal statement from management, closely linked to the business and marketing plan and to customer needs. The quality manual is understood and followed at all levels and by all employees. Each employee needs measurable objectives to work towards.
• Decisions about the quality system are made based on recorded data and the system is regularly audited and evaluated for conformance and effectiveness.
• You need a documented procedure to control quality documents in your company. Everyone must have access to up-to-date documents and be aware of how to use them.
• To maintain the quality system and produce conforming product, you need to provide suitable infrastructure, resources, information, equipment, measuring and monitoring devices, and environmental conditions.
• You need to map out all key processes in your company; control them by monitoring, measurementand analysis; and ensure that product quality objectives are met. If you can’t monitor a process by measurement, then make sure the process is well enough defined that you can make adjustments if the product does not meet user needs.
• For each product your company makes, you need to establish quality objectives; plan processes; and document and measure results to use as a tool for improvement. For each process, determine what kind of procedural documentation is required. (Note: a “product” is hardware, software, services, processed materials, or a combination of these.)
• You need to determine key points where each process requires monitoring and measurement, and ensure that all monitoring and measuring devices are properly maintained and calibrated.
• You need to have clear requirements for purchased product. Select suppliers appropriately and check that incoming product meets requirements.
• You need to determine the skills required for each job in your company, suitably train employees and evaluate the effectiveness of the training.
• You need to determine customer requirements and create systems for communicating with customers about product information, inquiries, contracts, orders, feedback and complaints.
• When developing new products, you need to plan the stages of development, with appropriate testing at each stage. You need to test and document whether the product meets design requirements, regulatory requirementsand user needs.
• You need to regularly review performance through internal audits and meetings. Determine whether the quality system is working and what improvements can be made. Deal with past problems and potential problems. Keep records of these activities and the resulting decisions, and monitor their effectiveness. (Note: you need a documented procedure for internal audits.)
• You need documented procedures for dealing with actual and potential nonconformances (problems involving suppliers or customers, or internal problems). Make sure no one uses bad product, determine what to do with bad product, deal with the root cause of the problem and keep records to use as a tool to improve the system.

[edit] History of ISO 9000

[edit] Pre ISO 9000

During WWII, there were quality problems in many British high-tech industries such as munitions, where bombs were going off in factories. The adopted solution was to require factories to document their manufacturing procedures and to prove by record-keeping that the procedures were being followed. The name of the standard was BS 5750, and it was known as a management standard because it did not specify what to manufacture, but how to manage the manufacturing process. According to Seddon, "In 1987, the British Government persuaded the International Standards Organisation to adopt BS 5750 as an international standard. BS 5750 became ISO 9000." ^{[1] [2]}

[edit] 1987 version

ISO 9000:1987 had the same structure as the UK Standard BS 5750, with three 'models' for quality management systems, the selection of which was based on the scope of activities of the organization:

• ISO 9001:1987 Model for quality assurance in design, development, production, installation, and servicing was for companies and organizations whose activities included the creation of new products.
• ISO 9002:1987 Model for quality assurance in production, installation, and servicing had basically the same material as ISO 9001 but without covering the creation of new products.
• ISO 9003:1987 Model for quality assurance in final inspection and test covered only the final inspection of finished product, with no concern for how the product was produced.

ISO 9000:1987 was also influenced by existing US and other Defence Military Standards ("MIL SPECS"), and so was well-suited to manufacturing.The emphasis tended to be placed on conformance with procedures rather than the overall process of management — which was likely the actual intent.

[edit] 1994 version

ISO 9000:1994 emphasized quality assurance via preventive actions, instead of just checking final product, and continued to require evidence of compliance with documented procedures. As with the first edition, the down-side was that companies tended to implement its requirements by creating shelf-loads of procedure manuals, and becoming burdened with an ISO bureaucracy. In some companies, adapting and improving processes could actually be impeded by the quality system.

[edit] 2000 version

ISO 9000:2000 combines the three standards 9001, 9002, and 9003 into one, now called 9001. Design and development procedures are required only if a company does in fact engage in the creation of new products. The 2000 version sought to make a radical change in thinking by actually placing the concept of process management front and centre. ("Process management" was the monitoring and optimizing of a company's tasks and activities, instead of just inspecting the final product.) The 2000 version also demands involvement by upper executives, in order to integrate quality into the business system and avoid delegation of quality functions to junior administrators. Another goal is to improve effectiveness via process performance metrics — numerical measurement of the effectiveness of tasks and activities. Expectations of continual process improvement and tracking customer satisfaction were made explicit.

[edit] Certification

ISO does not itself certify organizations. Many countries have formed accreditation bodies to authorize certification bodies, which audit organizations applying for ISO 9001 compliance certification. It is important to note that it is not possible to be certified to ISO 9000. Although commonly referred to as ISO 9000:2000 certification, the actual standard to which an organization's quality management can be certified is ISO 9001:2000. Both the accreditation bodies and the certification bodies charge fees for their services. The various accreditation bodies have mutual agreements with each other to ensure that certificates issued by one of the Accredited Certification Bodies (CB) are accepted world-wide.

The applying organization is assessed based on an extensive sample of its sites, functions, products, services and processes; a list of problems ("action requests" or "non-compliances") is made known to the management. If there are no major problems on this list, the certification body will issue an ISO 9001 certificate for each geographical site it has visited, once it receives a satisfactory improvement plan from the management showing how any problems will be resolved.

An ISO certificate is not a once-and-for-all award, but must be renewed at regular intervals recommended by the certification body, usually around three years. In contrast to the Capability Maturity Model there are no grades of competence within ISO 9001.

[edit] Auditing

Two types of auditing are required to become registered to the standard: auditing by an external certification body (external audit) and audits by internal staff trained for this process (internal audits). The aim is a continual process of review and assessment, to verify that the system is working as it's supposed to, find out where it can improve and to correct or prevent problems identified. It is considered healthier for internal auditors to audit outside their usual management line, so as to bring a degree of independence to their judgements.

Under the 1994 standard, the auditing process could be adequately addressed by performing "compliance auditing":

• Tell me what you do (describe the business process)
• Show me where it says that (reference the procedure manuals)
• Prove that that is what happened (exhibit evidence in documented records)

How this led to preventive actions was not clear.

The 2000 standard uses the process approach. While auditors perform similar functions, they are expected to go beyond mere auditing for rote "compliance" by focusing on risk, status and importance. This means they are expected to make more judgements on what is effective, rather than merely adhering to what is formally prescribed. The difference from the previous standard can be explained thus:

Under the 1994 version, the question was broadly "Are you doing what the manual says you should be doing?", whereas under the 2000 version, the question is more "Will this process help you achieve your stated objectives? Is it a good process or is there a way to do it better?".

The ISO 19011 standard for auditing applies to ISO 9000.

[edit] Industry-specific interpretations

The ISO 9001 standard is generalized and abstract. Its parts must be carefully interpreted, to make sense within a particular organization. Developing software is not like making cheese or offering counseling services; yet the ISO 9001 guidelines, because they are business management guidelines, can be applied to each of these. Diverse organizations—police departments (US), professional soccer teams (Mexico) and city councils (UK)—have successfully implemented ISO 9001:2000 systems.

Over time, various industry sectors have wanted to standardize their interpretations of the guidelines within their own marketplace. This is partly to ensure that their versions of ISO 9000 have their specific requirements, but also to try and ensure that more appropriately trained and experienced auditors are sent to assess them.

• The TickIT guidelines are an interpretation of ISO 9000 produced by the UK Board of Trade to suit the processes of the information technology industry, especially software development.
• AS 9000 is the Aerospace Basic Quality System Standard, an interpretation developed by major aerospace manufacturers. The current version is AS 9100.
• PS 9000 is an application of the standard for Pharmaceutical Packaging Materials.
• QS 9000 is an interpretation agreed upon by major automotive manufacturers (GM, Ford, Chrysler). It includes techniques such as FMEA and APQP. QS 9000 is now replaced by ISO/TS 16949.
• ISO/TS 16949:2002 is an interpretation agreed upon by major automotive manufacturers (American and European manufacturers); the latest version is based on ISO 9001:2000. The emphasis on a process approach is stronger than in ISO 9001:2000. ISO/TS 16949:2002 contains the full text of ISO 9001:2000 and automotive industry-specific requirements.
• TL 9000 is the Telecom Quality Management and Measurement System Standard, an interpretation developed by the telecom consortium, QuEST Forum. The current version is 4.0 and unlike ISO 9001 or the above sector standards, TL 9000 includes standardized product measurements that can be benchmarked.
• ISO 13485:2003 is the medical industry's equivalent of ISO 9001:2000. Whereas the standards it replaces were interpretations of how to apply ISO 9001 and ISO 9002 to medical devices, ISO 13485:2003 is a stand-alone standard. Compliance with ISO 13485 does not necessarily mean compliance with IS0 9001:2000.

[edit] Debate on the effectiveness of ISO 9000

The debate on the effectiveness of ISO 9000 commonly centres on the following questions:

1. Are the quality principles in ISO 9000:2000 of value? (Note that the version date is important: in the 2000 version ISO attempted to address many concerns and criticisms of ISO 9000:1994.)
2. Does it help to implement ISO 9000:2000?
3. Does it help to obtain ISO 9000:2000 certification?

It is widely acknowledged that proper quality management can improve business.

• "Referenced studies found that quality has a positive effect on return on investment, market share, sales growth, better sales margins, and competitive advantage." — Scott Dalgleish, Quality Magazine ^[3]
• "With extensive quality systems in place and operating properly, failures and defective product litigation is minimized." — Frank Barnes, Review of Business. ^[4]

The basic quality principles in ISO 9000 are generally acknowledged to be sound.

• "Let’s put much more emphasis on the eight quality management principles and other basics in ISO 9000:2000." — Jim Wade, ISO Management Systems ^[5]
• "Even without certification, companies should utilize the ISO 9000 model as a benchmark..." — Frank Barnes. Review of Business, Spring 2000. ^[4]

The actual requirements in ISO 9000, however, are often criticized.

• "ISO certification ... requires codifying nearly every aspect of business operations -- something that runs counter to the style of a fast-moving entrepreneurial organization." — Stephanie Clifford. Inc Magazine ^[6]
• "Underlying [ISO 9000] are concepts of specification and control, rather than those of understanding and improvement... ISO 9000 has led our organisations to focus on procedures rather than service." ^[1] "[The standard] was... a method for the control of output... Would it not have been better to promote understanding rather than control?"^[2] — John Seddon. (Note that the quotes from John Seddon are from the year 2000 and may be based on ISO 9000:1994.)
• "Promoting ISO 9000 as a standard is unhelpful. It focuses us too narrowly and incorrectly on the requirements clauses, it helps to mislead companies into thinking that certification means better quality, and it undermines the need for an organization to set its own quality standards." — Jim Wade, ISO Management Systems ^[5]

Implementing ISO 9000 may help an organization.

• "Of the many reasons why companies should consider ISO, companies that have achieved certification repeatedly describe six
  1. Create a more efficient, effective operation
  2. Increase customer satisfaction and retention
  3. Reduce audits
  4. Enhance marketing
  5. Improve employee motivation, awareness, and morale
  6. Promote international trade"

— Providence Business News, August 28, 2000. ^[7]

Certification is often seen as a problem, especially when the motivation is skewed:

• "Getting an ISO certification is expensive and time-consuming." — Stephanie Clifford. Inc Magazine ^[6]
• "If you just want the certificate on the wall, chances are, you will create a paper system that doesn't have much to do with the way you actually run your business." — ISO's Roger Frost ^[8]
• "Managers point to the excessive bureaucracy and work whose only purpose is to satisfy the ISO 9000 assessor." — John Seddon, The Observer. ^[1]
• "The main reason small firms consider ISO 9000 certification is because customers demand it. However, many decide it isn't worth the cost, paperwork, time and bureaucracy. It costs a company with 26 to 29 employees $9,600 to register, says Edward Baclawski, president of Quality Systems Innovations Inc... Becoming compliant can cost anywhere from $3,000 to more than $100,000, he says." ^[8]
• ISO itself acknowledges that "the standards themselves ... can be implemented without certification for the benefits that they help user organizations to achieve for themselves and for their customers." — The ISO Survey, 2005 ^[9] (emphasis added)

A broad statistical study of 800 Spanish companies ^[10] found that ISO registration in itself creates little improvement because companies interested in ISO have usually already made some type of committment to quality:

• "It is widely documented and clearly proven that ISO 9000-registered companies outperform non-ISO 9000 registered companies... The study clearly finds that ISO 9000 registration had no effect on sales and profitablity performance. Registered companies performed better than nonregistered companies, but they were performing at the same higher level before their ISO 9000 registration... Quality pays off, but taking a quality approach is unrelated to ISO 9000 registration." — Scott Dalgleish Quality Magazine ^[3]

A balanced summary of the advantages and pitfalls of ISO 9000 is provided by Barnes: ^[4]

• "ISO 9000 guidelines provide a comprehensive model for quality management systems that can make any company competitive."
• "A survey by Lloyd's Register Quality Assurance indicated ISO 9000 increased net profit... Another Deloitte-Touche survey reported that the costs of registration were recovered in three years."
• "Good business judgment is needed to determine its proper role for a company."
• "The ISO registration process has become a mountain of paperwork. Opponents claim that it is only for documentation. Proponents believe that if a company has documented its quality systems, then most of the paperwork has already been completed."
• "Registration... unfortunately has become a vehicle to increase consulting services... Studies show that the majority of certifications derive from customer demands, such as a vendor qualification checklist, instead of internal needs to improve quality."
• "Is certification itself important to the marketing plans of the company? If not, do not rush to certification."
• "Even without certification, companies should utilize the ISO 9000 model as a benchmark to assess the adequacy of its quality programs."

[edit] See also

• ISO 10006 Quality management; Guidelines to quality in project managements
• ISO 14000 - Environmental management standards
• ISO 19011 - Guidelines for quality management systems auditing and environmental management systems auditing
• ISO/TS 16949 - Quality management system requirements for automotive-related products suppliers

[edit] External links

• ISO (International Organization for Standardization)
  • Introduction to ISO 9000 and ISO 14000
  • List of ISO registrars by country
  • List of national ISO member organizations.
  • ISO Management Systems magazine, on ISO 9000 and ISO 14000 standards.
• ISO's Technical Committee 176 on Quality Management and Quality Assurance
  • Basic info on ISO 9000 development
  • ISO 9000 FAQs
• Technical Committee No. 176, Sub-committee No. 2, which is responsible for developing ISO 9000 standards.
• Introduction to ISO 9000:2000 from The British Standards Institution

[edit] References

1. ^ ^{a b c} "The 'quality' you can't feel", John Seddon, The Observer, Sunday November 19, 2000
2. ^ ^{a b} "A Brief History of ISO 9000: Where did we go wrong?". John Seddon. Chapter one of "The Case Against ISO 9000", 2nd ed., Oak Tree Press. November 2000. ISBN 1-86076-173-9
3. ^ ^{a b} "Probing the Limits: ISO 9001 Proves Ineffective". Scott Dalgleish. Quality Magazine April 1, 2005.
4. ^ ^{a b c} "Good Business Sense Is the Key to Confronting ISO 9000" Frank Barnes in Review of Business, Spring 2000.
5. ^ ^{a b} "Is ISO 9000 really a standard?". Jim Wade, ISO Management Systems, May-June 2002.
6. ^ ^{a b} "So many standards to follow, so little payoff". Stephanie Clifford. Inc Magazine, May 2005.
7. ^ "Reasons Why Companies Should Have ISO Certification", Providence Business News, August 28, 2000.
8. ^ ^{a b} "ISO a GO-Go." Mark Henricks. Entrepreneur Magazine Dec 2001.
9. ^ The ISO Survey – 2005 (abridged version, PDF, 3 MB), ISO, 2005
10. ^ "ISO 9000 registration's impact on sales and profitability: A longitudinal analysis of performance before and after accreditation." Iñaki Heras, Gavin P.M. Dick, and Martí Casadesús. International Journal of Quality and Reliability Management Vol 19, No. 6, 2002.