Saturday, July 12, 2008

ISO 9001:2000 - The Myths (part 1)

As I was researching topics to write about, I realized that I had several quality manuals (and related procedures) on my desk that I had been asked to review. The systems that these documents described were failures; their development had been contracted out to various individuals by management, with less-than-usable results.

While a few of these systems did initially achieve ISO 9001:2000 certification, they weren't sustainable over the long term. For the most part, what I found were "templates"; the same documents obviously had been used over and over, with just a global name change to match each company they had been sold to (in some cases, even the name change wasn't done very well). These were poorly written; their content ranged from banal to clueless and back to obtuse.

While the content of these documents didn't impress me (at times, I was actually concerned), it did give me an idea for a new topic. With so much misconception and misinformation regarding ISO 9001:2000, I figured I'd take this opportunity address a few common "myths" surrounding the ISO 9001:2000 standard and its requirements:

1. ISO 9001:2000 is for Manufacturing - Any type of organization can benefit from the process-based approach that's defined in the ISO 9001:2000 standard. Equally suited to services as it is to manufacturing, ISO 9001 can be applied to a wide variety of industries and firms, from education to architects, to medical practices, law offices and more.

2. Document Everything - The "Do What You Document, Document What You Do" approach was a cornerstone of ISO 9001:1994, which was all about following procedures. This has since been replaced by a process-based approach in ISO 9001:2000, which emphasizes effectiveness and focusing on the output - the result. The 1994 version of the standard required that 20 elements had to be addressed; the 2000 version requires a minimum of six documented procedures. Anything beyond these six is left to the discretion of the organization, as necessary for the effective control of the organization's processes.

3. Write Exhaustive Procedures - There really are no rules on how to write a procedure. Your procedures don't need to have a section for definitions, normative references, responsibilities, process maps, blah, blah, blah. What they need to do is to be appropriate to the organization and its operational needs. Don't write your procedures solely to satisfy an auditor, but rather consider how to achieve consistency and uniformity of the process under consideration.

4. Record Everything - There are a total of 19 different types of records that are specifically addressed within the ISO 9001 standard. Needless to say, these aren't all of the records that could be generated during the operation of a quality management system, however these particular records are considered essential to its effective operation. If the record of a result or activity isn't required to manage the organization effectively and/or satisfy interested parties, it doesn't need to be maintained.

5. Make a Form for Everything - We've seen forms used in the review other forms, forms that document the fact that a form is needed and even forms used to log and/or track other forms. While certain forms are common to almost every system (calibration forms, audit checklists, NCRs, CARs, etc.), it's important to limit the number of forms used to those that actually add value. Just a hint: there's a direct correlation here with records you need to maintain (see above).

6. Memorize your Quality Policy - This is another example of what I'll call 1994 thinking. Employees need to be trained, to ensure they aware and familiar with the organization's quality policy, and they should be able to locate where it is posted. One of the main reasons it's a written policy that's posted, is so it can referred to as needed.

7. You Need a Quality Manager - ISO 9001:2000 requires the appointment of a Management Representative by management of the organization; it doesn't mention anywhere the need for the position of Quality Manager. There's no reason that the responsibilities for your program can't be delegated between various functions within your organization.

8. A Web-Based QMS is better - I've seen companies that can benefit from such systems, but usually they're large and/or have business units that are geographically separated. Smaller organizations can usually do without such systems. Software solutions can be quite complex, and come with a variety of issues including extensive training requirements, costly hardware updates, constant IT support, and changes to existing work practices. The downside of this approach often negates the benefits of the technology.

9. We can get certified in one month (or even a week!) - The whole purpose of keeping records is to provide evidence of conformity to requirements and the effective operation of the quality management system. Without this history, there's no way that you can demonstrate that your system meets the requirements of the ISO 9001 standard. Regardless of how long your system takes to write, you will need several months of records; walk away from anyone that tells you otherwise.

10. Keep Statistics on Everything - Many organizations go overboard on the data they collect, or think they have to collect. Data is only important if it's actually relevant to the organization, and the effective operation of the quality management system. Don't collect data solely to satisfy an auditor; the organization needs to determine what's important, and measure and collect data accordingly. We've seen extensive SPC programs utilizing the latest computer software, when all the organization really needed was a checklist and a histogram.

The first step in properly documenting a management system is separating myth from fact, with regards to the requirements and the intent of the ISO 9001:2000 standard. There are a lot more myths around than I've been able to list above, but that's an article for another day. Now it's back to my review...

No comments: