Colin Gray gave the attached presentation to the Northern Colorado ASQ in September of 2009.

Northern Colorado ASQ Presentation Fix your QMS to ISO 9001:2008

The content included:

• A review of the changes to the standard (no real changes)
• A review of the corrigulum fixing errors with the new standard (no real errors – only in appendices)
• The implementation timescale – no ISO 9001:2000 certificates to be issued after November 15, 2009.  No ISO 9001:2000 certificates in existence after November 15, 2010.
• Example of a poor nonconformance issued against the changes (withdrawn by the auditor after a complaint – but beware)
• Key implementation activities

Diana Lough gave this presentation to Pikes Peak ASQ in September 2009.

Pikes Peak ASQ Presentation. Regulatory and Statutory Compliance: Its Everybody”s Business

09 Sep 2009 ASQ Presentation by Diana Lough

TITLE: Regulatory and Statutory Compliance:It’s Everybody’s Business

Regulatory and statutory compliance has long played a part in business. Traditionally the emphasis has focused on the safety and efficacy for raw materials, components, sub-assemblies and finished products sold. It often included third-party testing resulting in a listing or mark on the product and for finished products and/or it may have required a registration or license with a government agency. Where there are regulatory and statutory requirements, compliance is mandatory and enforceable. Failure to comply can result in product confiscation, lost future sales, fines, and in severe cases, plant closures and legal prosecution. No matter the scale, failure to comply requires time and resources (and therefore money) to resolve the issue along with interruption to the business and failure to meet customer needs.

In today’s global marketplace, more governments are increasing “protection” for their citizens. More countries are following in the footsteps of Europe, Japan and Australia by requiring product registrations and in-country representation. Medical device exports have more stringent requirements.In some countries, medical and consumer product labeling and/or instructions for use must be translated in their official language.

And with the changing emphasis on the environment, the impact has broadened and more statutory requirements are coming into play. Local laws and ordinances may govern your organization’s waste stream, nuisance control and other negative impacts on the environment. Depending on the destination market for your product (national or international), there may be statutory laws regarding the product’s packaging (content and disposal) and the end of product life disposal. Legislation for banned chemicals is more commonplace, particularly in Europe and Canada. And transportation of goods even has country-specific restrictions.

So what business processes are impacted? New product development and design changes are still a primary focus. But regulatory and statutory requirements also impact marketing, sales, manufacturing, shipping and transportation, disposition of nonconforming material, facilities management, complaint handling, documentation, record keeping, and management. A brief overview of process controls for each of these will be covered.

The sky isn’t falling by any means. By ensuring your business processes are defined and implemented with adequate controls, your organization will maintain compliance and keep up with our changing world.

People have been making mistakes for tens of thousands of years. Since the industrial revolution, the impact of certain mistakes has grown immensely. Before the industrial revolution, a dull tool used in machining a part would likely only impact one part—since parts were made one at a time. With the advent of mass production, a dull tool used in machining could impact hundreds of parts.

ISO 9000 is written by quality professionals all over the world, professionals who have had a lot of experience with industrial mistakes and problems caused by poor control over processing. So, ISO 9000 can be viewed as a collection of situations that need to be controlled in order to avoid well-known sources of quality problems. In fact, each and every requirement of ISO 9001 is intended to promote adequate control over organizations’ operations and improvement of organizations’ processes.

Taking the requirements of ISO 9001 in order and treating them very generally, let’s incorporate each of the requirements into the phrase: “If you don’t x, you can expect quality problems.” (For comedic relief, you might imagine the following list as being akin to Jeff Foxworthy’s, “If you x, you might be a redneck.”)

• If you don’t have a system to manage quality, you can expect quality problems. In other words, if you have no systems in place to ensure quality in processing, processes will become idiosyncratic and dysfunctional. This will cause quality problems.
• If you don’t have any documented methods of operations, you can expect quality problems. Word of mouth might work for a while but as time passes, so do memories of what was agreed to be the right way to do it; as product requirements become more plentiful and complicated, processes used to realize such products need to be clearly defined and process documentation (e.g., drawings) is necessary—or else you will have quality problems. Can you imagine a (legal) organization that uses no documentation whatsoever?
• If you don’t control your process documentation and records, you can expect quality problems. If you have no controls over your documentation—which almost hard to imagine—people will make mistakes. Imagine no dates or revision levels on drawings or specifications; imagine random part numbers or order numbers; imagine people finding their work instructions blowing around in the parking lot. No control over records would mean that you could not retrieve any evidence of contractual agreements, no evidence of work completed, no evidence of inspection or test results, etc. Without adequate control over documents and records, you are going to have quality problems.
• If you don’t have top managements’ interest in quality, you can expect quality problems. If top management doesn’t drive it, don’t expect autopilot to take over. If management does not provide some mechanism for communicating the importance of quality, the importance of quality will not be communicated; if management does not plan quality assurance, management is effectively planning for quality problems; if management does not periodically review performance and establish goals for improvement, performance will not improve. Without management commitment, you are going to have quality problems.
• If you don’t determine and provide resources necessary to assure quality, you can expect quality problems. If incompetent human resources are involved, you will have problems. If the provided work spaces and equipment are inadequate or unreliable, you will have problems. If the work environment is such that it hinders processing or degrades product somehow, you will have problems.
• If you don’t plan product realization, you can expect quality problems. Without some idea of what to make, how to make it, how to check it, and how much to produce, you can expect problems.
• If you don’t understand what your customers want, you can expect quality problems. Failure to understand customer requirements will not fix itself internally during subsequent order processing. If you make promises to customers that you do not have the ability to fulfill, you will have problems—not just quality problems, but business problems.
• If you don’t control the process for designing products, you can expect quality problems. If inputs to the process are ill-defined and criteria for success are equally ill-defined, you will have design problems. If the outputs of design are not reviewed to determine their acceptability, i.e, they are not verified or validated to meet customer needs, you can expect quality problems. If you have no controls over design changes, you will have problems.
• If you don’t exert some control over suppliers or supplied product, you can expect quality problems. If you use unreliable suppliers and/or you don’t properly qualify and quantify product to be purchased and/or you do nothing to verify supplied product, you will have quality problems.
• If you don’t plan how each order will be processed, you can expect quality problems. If you don’t provide information describing the product or instructions to make the product, you will have problems. If suitable equipment is not provided to process work, you will have problems. If you don’t have inspection devices and you need them to determine conformity, you are going to have problems.
• If you don’t control processes resulting in product that cannot be verified to conform to requirements, you can expect quality problems. If you are building bombs or packing parachutes for a living, and you let just anyone off the street process work using whatever equipment they might be carrying, you are going to have problems. If you have no specified method for processing, you are going to have problems.
• If you don’t or can’t identify product you are working with, you can expect quality problems. If traceability is required and you cannot maintain it, you are going to have problems.
• If you don’t notify the customer that you smashed, lost, or otherwise ruined product they supplied to you, you can expect quality problems—at the very least dissatisfied customers.
• If you don’t make efforts to preserve product during processing, storage, and transport, you can expect quality problems. If you ruin product while working with it, allow it to spoil during storage, or fail to package it properly for shipment, you are going to have problems.
• If you don’t establish a par for processing performance, you can expect quality problems. Without measures revealing how well you are performing, you will not know how well you are performing. If you don’t know how satisfied your customers are, you don’t know how well you are performing; if you don’t know the degree to which working practice complies with established methods, you don’t know how well you are performing; if you don’t establish a par for processing and analyze actual performance against par, you don’t know how well you are performing; if you don’t measure or monitor your product to determine if it meets requirements, you don’t know how well you are performing. In this latter case, you don’t know if your product conforms to requirements, which will cause quality problems every time.
• If you don’t control nonconforming product, you can expect quality problems. If you continue to add value to product that doesn’t conform to requirement in the first place, or if you ship nonconforming product to customers, you can expect big problems.
• If you don’t analyze the measurement data you are collecting, you can expect quality problems. Unanalyzed data is not worth collecting.
• If you don’t improve upon what you do, you can expect quality problems. As tolerances become tighter and competition grows stiffer, improvement must be a permanent objective of any process—or else you will have problems.
• If you don’t take actions to eliminate the root causes of your problems, you can expect quality problems. If you simply correct errors and go on, you can expect the same errors to repeat themselves—resulting in the same old problems.
• If you don’t take actions to address potential problems, you can expect quality problems. If you don’t avoid them, you will experience them.

Such a broad question might best be answered, “It depends upon the circumstances.” It’s a bit like asking, “What does the law require?” The answer depends upon the situation in which it is being applied.

Let’s take part of ISO 9001:2008, 7.2.2 as an example:

“The organization shall review the requirements related to the product. This review shall be conducted prior to the organization”s commitment to supply a product to the customer (e.g. submission of tenders, acceptance of contracts or orders, acceptance of changes to contracts or orders) and shall ensure that:

a) product requirements are defined,

b) contract or order requirements differing from those previously expressed are resolved, and

c) the organization has the ability to meet the defined requirements.

Records of the results of the review and actions arising from the review shall be maintained (see 4.2.4).”

One organization might generate sales orders as evidence of successful review and acceptance of customer purchase orders. In this case, the above ISO 9001 requirements apply directly to that organization’s sales orders and to their respective customer purchase orders. Review activities resulting in accepted sales orders are also subject to these requirements. Since order review and acceptance is evidenced by the generation of sales orders, sales orders are regarded as quality records and must be maintained accordingly. In this case, the above ISO 9001 requirements may be construed as follows:

Before sales orders are generated, customer purchase orders must be reviewed to ensure that product requirements are defined, that any requirements differing from those previously expressed are resolved, and that the organization has the ability to meet those requirements. Records of sales orders must be maintained according to the requirements of ISO 9001:2008, 4.2.4.

Meanwhile in another organization, the evidence of successful review and acceptance of a customer’s purchase order might be order entry in “the PO Log.” In this case, ISO 9001 applies to the log and to the activities resulting in each log entry. So, in this case, the standard’s requirements might be construed as:

Before orders are recorded in the PO Log, customer purchase orders must be reviewed to ensure that product requirements are defined, that any requirements differing from those previously expressed are resolved, and that the organization has the ability to meet those requirements. The PO Log must be maintained according to the requirements of ISO 9001:2008, 4.2.4.

Par is a recognized standard for golf performance. It is applied at the end of every hole and at the end of every round. It is used to measure performance in terms of strokes. Golfers compare their performance against a standard to determine how well they golf relative to the established standard. Because other golfers use the same standard, golfers’ scores allow them to assess their performance not only relative to a standard, but also relative to other golfers.

A ruler represents a standard for linear measurement. This standard is applied to any linear object to discern its length in terms of defined (standard) units. In America, these standard units are inches.

A standard exists for each type of purebred dog breed, e.g., a standard poodle. Such standards describe established criteria pertaining to height, weight, color, coat, stop, etc. Using this standard, any purebred dog can be compared to its standard. One can conclude that her dog is heavier than standard or taller than standard, etc.

So a standard is an established set of criteria or a frame of reference against which individual cases can be assessed or measured.

ISO 9001 is an international standard for quality assurance. If par as a standard measures golf performance, and a ruler as a standard measures length, what does ISO 9001 as a standard measure? Answer: quality management systems. The standard is applied to organizations’ quality management systems to determine the degree to which these systems satisfy a given set of established criteria.

Any organization staying in business has some kind of system to keep afloat. The question here is whether or not the system is consistently applied and whether or not the system is robust enough to meet the established requirements of ISO 9001.

ISO 9001 requires that a system be in place to promote consistent control over processing, a system that continually improves process performance. Because it is a standard for quality assurance, its criteria pertain to processes affecting the quality of products or services offered to customers. An organization pursuing certification to ISO 9001 needs to demonstrate that its processes affecting quality are systemically managed. It requires a system of assuring quality, meaning that the processes involved are defined and operation of these processes is controlled to an appropriate degree to assure quality.

If an organization re-invents itself and its processes with the acceptance of each customer order, this inconstancy in processing will result in inconsistent performance, inconsistent product or service quality, and inconsistent customer satisfaction. Organizations operating such systems do not receive ISO 9001 certification.

ISO 9001 requires a system of processes to be defined, through with each customer order consistently flows, thus promoting consistency of processing, thereby promoting consistency in resulting product or service offerings. This results in consistently satisfied customers—which of course is good for business.

If a person told you that he was a better golfer than Tiger Woods, you would expect the person to prove it. If this person’s proof consisted of, “Because I say so,” you might not find this evidence compelling. Before believing this person, you would most likely want to know the person’s handicap—which is ultimately derived from the standard we know as par. Absent such objective evidence, how would we be able to tell how good Tiger is in the first place?

If a person told you that their organization would be an excellent supplier to your organization, you might want more than “Because I say so” as evidence. You might want to know if they are a fly-by-the-seat-of-their-pants type of organization, or if they actually have systems in place to assure quality. If a potential supplier can prove a system is in place, and that this system has been assessed and registered to ISO 9001, now you have some evidence of systemic quality management. This imparts confidence that your orders will be processed in a manner known to produce successful results.