Have you made any changes that might affect the capability of your quality management system? Did you inform your certification body in advance of their next surveillance audit?

In clause 8.6.3 of ISO 17021, the requirements standard for registrars, it states a certification body must have legally enforceable arrangements to ensure certified clients inform them, without delay, of any matters that may affect the capability of the management system to continue to meet the requirements of the standard used for certification.

Using examples from ISO 17021, you are to contact your certification body for any changes related to:

• legal, commercial, or organizational status or ownership
• organization and management, e.g., key managerial, decision-making, or technical staff
• contact address and sites, e.g., any relocations or new locations
• scope of operations under the certified management system
• management system and its processes, e.g. loss or addition of a process

Why notify the registrar? Audits are carried out based on sampling, which introduces an element of uncertainty in the audit results. The sampling should be increased in the areas of greatest change. The certification body must be told about the changes so their audit plan can be adjusted.

In clause 5.2.1.h of ISO 19011, the auditing guidelines standard, it states the audit objectives should consider risks to the organization. Clause 5.2.2.i says that audit programs should take into account any significant changes to an organization and its operation.

More examples could be changes related to:

• employee counts and shift work
• new products and requirements
• loss or addition of key suppliers
• customer sanctions or special status conditions
• new statutory or regulatory requirements
• work quantity from customers
• major new customers
• newly outsourced processes

ISO 9001, 5.4.2, requires top management to maintain the integrity of the system when changes to the quality management system are planned and implemented. One way of doing that is to ensure the need for changes is assessed at management review meetings per ISO 9001, 5.6.1. And, clause 5.6.2.f states changes that might affect the quality management system must be included as an input at management review.

When planning and reviewing these changes, remember to alert the certification body and your own audit program so the appropriate adjustments can be made to the external and internal audit plans.

ISO 22006:2009, Quality Management Systems - Guidelines for the Application of ISO 9001:2008 to Crop Production, has been published. It gives guidelines to assist crop producers in the adoption of ISO 9001:2008 for crop production processes.

The term "crop" includes seasonal crops (such as grains, pulses, oilseeds, spices, fruits, and vegetables), row-planted crops that are cultivated, perennial crops that are managed over a period of time, and wild crops that are not formally planted or managed. Horticultural crops provide an even broader range of types from annual and perennial fruits, vegetables, and ornamental flowering plants to perennial shrubs and trees, and root crops.

These diverse crops require a broad range of planting, cultivating, pest control, and harvesting methods and practices. Decisions regarding planting, growing, and harvesting activities can be similar, although specific steps can be quite different when considering the range of crops.

ISO 22006:2009 gives guidelines on the use and application of ISO 9001:2008 for the establishment and management of a quality management system by an organization involved in crop production. It is not intended to change, add, or reduce the requirements of ISO 9001:2008, nor is it intended for certification.

Further down the supply chain, in manufacturing processes, the language of ISO 9001:2008, ISO 15161 (Guidelines on the Application of ISO 9001:2000 for the Food and Drink Industry), or ISO 22000 (Food Safety Management Systems - Requirements for any Organization in the Food Chain ) is considered more appropriate.

The need for an ISO 9001:2008-based system containing agricultural terminology became apparent due to difficulties in the interpretation of the language of ISO 9001:2008 for crop production applications.

ISO 22006:2009 can be ordered at the ANSI Web Store.

If you are faced with implementing ISO 9001, or anticipate it may soon become a requirement for your organization, keep reading. This article identifies reasons to implement the standard, summarizes its requirements, explains the certification process, identifies implementation steps, describes a typical schedule, estimates the costs, and lists expected benefits.

REASONS

There are a number of reasons why an organization might pursue ISO 9001 certification. Most often, it is because a client requests it, or a contract requires it. Why would a client impose the standard? Because ISO 9001 certification demonstrates your ability to consistently provide products and services that meet customer and legal requirements.

Use of ISO 9001 also addresses customer satisfaction through a quality management system that is focused on preventing nonconformities and achieving defined objectives. More and more companies are requiring ISO 9001 certification as a prerequisite for doing business around the world. In fact, more than one million organizations now hold ISO 9001 certificates.

The ISO 9001 standard is applicable to all industry sectors and organizations, regardless of their type, size, product, or service. The standard is interpretative, not prescriptive. It specifies control requirements that must be addressed. It does not specify what methods to use.

Organizations seeking certification must demonstrate that they have documented and implemented an effective system. And, it is the system that will be being evaluated, not product quality, service quality, or the performance of individuals. With certification, along with improved quality, your organization will hopefully gain a competitive advantage.

Without satisfied customers, an organization is in peril. To keep customers satisfied, the organization needs to meet their requirements. The ISO 9001 standard provides a tried and tested framework for managing your processes so they consistently deliver products and services that satisfy your customers.

REQUIREMENTS

ISO 9001 provides a set of standardized requirements for a quality management system, regardless of what an organization does, its size, or whether it is in the private or public sector.

There are five requirement groupings in the standard that specify activities to be considered when you implement your system:

• Overall requirements for the quality management system and documentation
• Management responsibility, focus, policy, planning, and objectives
• Resource management and allocation
• Product realization and process management, and
• Measurement, monitoring, analysis, and improvement.

Quality Management System

ISO 9001 begins with a set of general requirements for the system, and then identifies the need for a quality policy, quality objectives, and a quality manual. The standard continues with requirements to control documents and records.

Management Responsibility

This section requires top management to demonstrate their commitment to the system, ensure the organization is customer-focused, and verify employees understand the quality policy. The standard requires top management to also establish measurable performance targets, define and communicate responsibilities, and regularly meet to review the effectiveness of the system.

Resource Management

ISO 9001 requires the organization to provide resources for implementing and maintaining the system, continually improving its effectiveness, meeting customer requirements, and enhancing customer satisfaction. The standard also requires everyone working within the system to be competent to perform their assigned duties. The organization must provide the infrastructure, work environment, and supporting services needed to produce conforming products and services.

Product Realization

This section contains the largest set of requirements. It ranges from planning and gathering requirements, to producing and delivering products and services to the customer.

The processes for product realization must be planned and implemented. Then, the organization can capture and review customer requirements, as well as, establish effective customer communication.

Next, the requirements are transformed into a product specification by following a well-defined design and development process. These activities include reviews, verification, validation, and change control.

With a product design in place, the organization must now evaluate and select suppliers that can provide the necessary parts and services. These requirements include sending suppliers the correct purchasing information and verifying the purchased product upon receipt.

Now, the organization is ready to produce their product. The standard requires production be carried out under controlled conditions. Products must be clearly identified, customer property protected, and products properly handled, stored, packaged, and protected. Any monitoring and measuring equipment used for production or testing purposes must be calibrated to ensure accurate, reliable results.

Measurement, Analysis, and Improvement

The standard requires processes within the system to be planned, measured, analyzed, and improved. An organization must also monitor how well it is meeting customer requirements.

Organizations must establish an internal audit program to determine conformity to requirements, to evaluate system effectiveness, and to identify opportunities for improvement.

Processes must be monitored to ensure they are achieving the planned results. Likewise, products must be measured to verify they meet the acceptance criteria. Product that does not meet the criteria must be controlled as nonconforming product to prevent its delivery.

A lot of process and product data will be available for analysis to identify improvement areas. Corrective actions are taken to eliminate the causes of any detected process or product nonconformities in order to prevent their recurrence. Preventive actions are taken to eliminate the causes for any potential process or product nonconformities to prevent their occurrence.

And, the organization is required to continually look for ways to improve the effectiveness of the quality management system.

CERTIFICATION

The standard requires the organization to conduct internal audits of its ISO 9001-based quality system to verify the processes are being managed effectively, in other words, to confirm the organization is fully in control of its activities.

The organization may also invite its clients to audit the quality system in order to give them confidence that the organization is capable of delivering products and services that will meet their requirements.

Lastly, the organization may engage the services of an independent certification body, also called a registrar, to obtain an ISO 9001 certificate of conformity. This option has proved extremely popular because of the perceived credibility of an independent assessment.

Stage 1 Audit

After your system is implemented, the certification body conducts a stage 1 audit to assess your documentation and verify key practices are in place, e.g., internal audits, management reviews, and performance tracking. Stage 1 audits are typically a day in duration. If you pass this audit without any major issues, the certification body will deem your system ready for the full system audit.

Stage 2 Audit

About one or two months after a successful stage 1 audit, the certification body will return to assess the entire system. They will look for conformity to customer, legal, and organizational requirements, as well as, to the requirements of the standard. The audit duration will depend on the size of the organization, the number of sites, and the functions included in the system.

For example, a small organization with 10 or fewer employees might receive an audit of only two days. For an organization of 20 employees, the duration would increase to three days. For 30 employees, the audit would be four days; for 50 employees, the audit would be five days.

The number of audit days continues to grow as the size of the organization increases. For a size of 100 employees, the audit would be seven days; for 200 employees, the audit would be nine days. If the organization has 500 employees, the duration would be 11 days.

If the organization receives no major nonconformities during the audit, the audit team can recommend certification based on your submission of an acceptable corrective action plan for any reported minor nonconformities. The certificate will be issued a few days or weeks later, and describe the scope of the certified quality management system.

If one or more major nonconformities are found, the certification body either conducts a special visit in a month or two to verify the major issues have been resolved, or it conducts another full certification audit when the organization says the major nonconformities have been corrected.

Surveillance Visits

Depending on the size of the organization, the certification body will establish an annual or semi-annual surveillance program. The total surveillance days each year will be about one-third the duration of the stage 2 certification audit. Each visit will always assess certain key elements of the system, for example, internal audit, management review, customer satisfaction, and corrective action. A sample of the other areas of the system will be examined during the visit, with all the areas being assessed over the three year life of the certificate.

Recertification Audit

Every three years, the entire system will be assessed again. The recertification audit duration will be about two-thirds as long as the stage 2 audit. Assuming the assessment doesn't find any major nonconformities, the audit team can recommend the organization for continued certification. And, after receipt of an acceptable corrective plan for any minor nonconformities, the certification body will reissue the ISO 9001 certificate.

IMPLEMENTATION

The implementation process is important in achieving the full benefits of the quality management system. Most new users obtain measurable payback early in the process.

First, you need to fully engage top management to define why they want to implement an ISO 9001-based quality management system. Next, review the mission, vision, and values of your organization. Then, you are ready to define your quality policy and quality objectives, and identify the key processes and interactions needed to meet your quality objectives.

To build your ISO 9001-based system, you'll need to train top management and key staff on the ISO 9001 requirements. Map these requirements to your system and identify management owners for each process. Perform a gap analysis of the current system to determine where the requirements are fulfilled and where they are not. Then, use the results of the gap analysis to develop an implementation plan that describes the activities, deliverables, responsibilities, and due dates.

Some of the implementation steps are:

• Appoint a management representative
• Define your quality policy and objectives
• Identify the processes and responsibilities
• Assign each process to a manager
• Establish your implementation team
• Collect procedures, instructions, and forms
• Define your project plan and schedule
• Conduct employee awareness sessions
• Inform customers and suppliers of the plan
• Arrange for public and onsite training
• Begin writing the needed documents
• Monitor the progress against your plan
• Evaluate and select the certification body
• Implement the documents and practices
• Operate the system and collect evidence
• Initiate the management review meetings
• Begin conducting the internal audits
• Undergo the certification audits
• Take the necessary corrective actions
• Receive the ISO 9001 certificate
• Begin the ongoing surveillance audits

SCHEDULE

The implementation schedule for an ISO 9001-based system may range from 6 months to 12 months, or longer, depending on the work to be done and the resources that can be devoted by the organization.

The first month or two are typically spent organizing, training, planning, and then performing a gap analysis. The next couple of months are allocated to correcting any nonconforming practices, creating the necessary documents, and selecting the certification body.

After three to six months, the system is usually ready to be implemented and operated. Records are kept as evidence of conformity. After a month of operation, the stage 1 audit can be held, followed by corrective actions, then the stage 2 audit, and submission of an action plan to the certification body.

COSTS

There are costs associated with training classes, consultants (if used), the certification body, and your organization's own time involvement.

Training

Public courses are available with titles like Implementing ISO 9001, Quality System Documentation, and Internal Auditing. The fees for these two and three-day courses range from $800 to $1200 per student. You can also have the courses taught on-site if you have sufficient students to justify the flat rate fees. The individual on-site class fees may range from $4000 to $7500, plus instructor travel expenses. Some of this training may not be necessary if you use the services of a consultant.

Consultants

Choosing a qualified consultant is no easy task. The importance of taking the time to make a thoughtful selection should not be underestimated. Your choice could end up affecting the effectiveness of your business operations.

Qualified consultants are usually certified auditors that have experience assessing systems for ISO 9001 certification. To remain impartial, the consultant can't be assigned to perform your certification audit. They can, however, provide guidance and conduct internal audits to confirm the system is ready for the certification audit.

The daily rate for consultants may vary from $800 to $2000, depending on their experience, reputation, and success. The more experienced consultant may be needed for fewer days due to their effectiveness. The consultant's goal should be to make the organization self-sufficient as soon as possible.

The consultant's initial visit usually involves training, a gap analysis, and implementation planning. This visit may require two to four days, depending on the size of the organization. You may ask the consultant to return for one or two days a month over the life of the project to check on progress, review documents, and consult on the remaining tasks.

A big variable with consultant costs is whether you have the consultant interview people and write your documents, or if you write the documents and have the consultant review them. If thoughtfully selected and wisely used, a consultant can be a valuable partner in helping to set up your quality management system. However, remember that the system is owned by your organization.

Certification Body

The daily rates for certification bodies seem to vary from $1200 to $1600, plus auditor travel expenses. The number of auditor days is based on the size of the organization, the number of sites, and the functions included in the system scope. See the earlier discussion in this article for duration estimates.

You'll know the actual cost when you request quotes from several certification bodies. See the ANSI-ASQ National Accreditation Board web site for a list of certification bodies.

Organization

Most organizations have a few selected managers and employees implement ISO 9001 in addition to their regular activities. A few duties may be offloaded to give these people more time on the project, but more costs aren't usually incurred, unless overtime pay is involved.

BENEFITS

Most new users of ISO 9001 obtain measurable benefits early in the process of implementing the requirements. These initial benefits are usually due to the improved measurements and controls.

Employee Benefits

For a successful implementation of a quality management system, employees need to understand its value for them. The better they understand what is in it for them, and how the organization benefits, the more receptive they will be to the changes and the work involved to make it happen.

Employees usually benefit from the improved internal communication and top management support. And, conformity to the standard will mean suitable and well-maintained equipment, along with the training necessary to perform their jobs.

Work instructions, where necessary, will be available to guide them in their activities. They'll have a better understanding of their role in the system and their contributions to meeting objectives.

The sense of order and control should carry over into clean and well-organized work areas. Since the organization wants to continually improve its system, employees will be encouraged to report problems and suggest improvements. Employees should become more satisfied and committed to the business.

Organization Benefits

One of the results of a conforming quality management system will be better planned and coordinated activities. Any problems affecting product quality will be identified and effective solutions implemented.

The plan-do-check-act approach of ISO 9001 will lead to more efficient and effective processes and more productive employees. Higher quality products will be delivered to increasingly satisfied customers.

And, the story only gets better, because your organization and its quality management system will be continually improving. As a result of your ISO 9001-based system and its policies, procedures, tools, and information, the organization will be better managed for success.

Certification Benefits

ISO 9001 is the international language of quality. Certification will help your organization gain expanded access to world markets. And, potential customers may require certification as a prerequisite to bid on contracts. With the certificate in place, your organization will be ready.

In addition, the ISO 9001 certificate may differentiate your organization from others in the marketplace and provide a competitive advantage. The certification mark recognizes a quality accomplishment that you continue to earn through successful surveillance audits. You will be able to display it with pride.

Due to its prevention focus, disciplined approach, and better controls, your organization may see an extra benefit of improved housekeeping and fewer accidents. As a result, you may qualify for lower insurance premiums. And, don't underestimate the value of independent system assessments by well-qualified professional auditors.

For more information on how to implement an ISO 9001-based quality management system, consider enrolling in our 2-day Implementing ISO 9001:2008 course.

You might also consider buying a book on ISO 9001 at this Amazon web site.

An article in the HR Daily Advisor titled, "Disney World: It's Not Magic, It's Work" caught my attention. Lee Cockerell, former Executive Vice President of Operations at Disney World, outlines in his book, "Creating Magic", the principles that make Disney World a model for management.

1. Remember, Everyone Is Important

Inclusion is important at Disney World, and it is more than just hiring diversely and respecting differences. It is about engaging and involving your employees and showing them that each one is important.

Disney uses the acronym RAVE for Respect, Appreciate, and Value Everyone. Know your team and let your team get to know you: what moves you, what excites you, what you struggle with.

Greet people sincerely, reach out to everyone, and be available.

2. Break the Mold

Disney's structural changes have opened many opportunities for the company and its employees. In the beginning, hotel operations were separate from the parks' operations. After they combined the two organizationally, they realized great gains.

Before that change, the hotels were always busy for breakfast, and the parks were busy for lunch. Once the two combined, workers could float from one area to the other as needed. If it rained and people flocked back to the hotels for lunch, park food service workers could flock along with them.

3. Make Your People Your Brand

When hiring, start out by defining the perfect candidate. What qualities and skills do you need?

• Don't settle for a clone of the incumbent.
• Don't settle for "best available."
• Look for people in unlikely places.
• Involve the team in the selection process.
• Select by talent, not resume.
• Keep in touch with people who leave.

4. Create Magic Through Training

Training and development permeate every level of the company and they are the primary reason that the Disney brand is synonymous with service excellence. All new cast members begin with a course called "Traditions." Only after they "begin to feel the pixie dust" do they start learning how to do their particular jobs.

• Give people a purpose, not just a job.
• Take your role as a teacher seriously, and teach by example.
• Become a COACH (Care, Observe, Act, Communicate, Help).
• Teach people where to be (when ballroom doors open, be in the ballroom, not in your office; when the restaurant opens, be in the dining room, not the wine cellar).
• Train for Take 5 (how to do something special for a customer that just takes a few seconds or minutes, but that makes a lasting impression).

5. Eliminate Hassles

One responsibility of leaders is to identify problems in the way things are done and act quickly to fix them.

• Ask "what", not "who" (before blaming someone, see if it is a process problem).
• Listen to customers (their complaints often reveal process problems).
• Learn firsthand what is working and what is not.
• Ask employees for solutions.
• Try an audit exchange plan (have your managers audit each other's operations). They provide fresh ideas and they learn something they can take back.
• Keep up with technology; it can remove a lot of hassles.

6. Learn the Truth

Great leaders are always in the learning mode. Get out and about routinely.

• Ask your managers to take the customers' role. Use the guest parking lot, wait in lines, etc., to see what your customers' experience is like.
• Do a thorough tour of your facilities. Make sure managers know that you expect problems to be fixed before you tour again.
• Meet with your direct reports regularly to go over the four P's-people, processes, projects, profits.

7. Burn the Free Fuel

Think of ARE: Appreciation, Recognition, and Encouragement. Together they are a cost-free, fully sustainable fuel. You can give out ARE all day, and the bonus is that the people you give it to are likely to pass it on to their subordinates.

Make ARE a natural part of your routine by recognizing employees by name in public. Include families when appropriate.

8. Stay Ahead of the Pack

Be a knowledge sponge. When you hear a great idea, ask yourself, can I tweak this a little bit and use it in my life? (Cockerell noticed wireless devices being used to check in car rentals at the airport and wondered, could hotel guests check in on the Disney bus bringing them from the airport?)

Learn from your competitors. (Cockerell went to a banquet at a competitor's hotel, saw how the servers, instead of waiting in the kitchen until serving time, were stationed at the ballroom doors, asking guests what special meal requirements they had, and escorting them to their tables. He soon implemented the same approach at his hotels.)

Study your customer base. What do they really want? There are four "compass points" for understanding customers: needs, wants, stereotypes, and emotions. Make sure your people stay ahead of the pack. Give them the training and the tools to stay abreast of developments.

9. Be Careful What You Say and Do

Demonstrate a passionate commitment to your role. Be careful with word choice-it makes a difference (not "subordinate", for example, but "associate"). Disney uses "cast member" to refer to its associates, and makes sure everyone knows they are "on stage."

10. Develop Character

Spend time anticipating ethical dilemmas and deciding how to deal with them according to your values. Disney's seven core values are:

1. Honesty
2. Integrity
3. Respect
4. Courage
5. Openness
6. Diversity
7. Balance

These give you moral authority. People will trust you and believe in you, and "you can accomplish anything you dream of."

To see the two-part article written by Steve Bruce at HR Daily Advisor, go to Part 1 and Part 2.

Auditors want to conduct value-added audits, but they have to be careful not to offer advice that would result in consulting and thereby contaminate their independence.

A "value-added" audit adds value by providing useful information that helps an organization improve its management system and achieve its business objectives. However, this useful information should be limited to reporting nonconformities, evaluating process effectiveness, and identifying opportunities for improvement, not by providing specific solutions.

Auditors certified through RABQSA or IRCA must abide by codes of conduct that require them to act in an unbiased manner. If consulting advice is given, they may not be able to impartially assess their proposed solutions during later audits. You can see the codes of conduct at these RABQSA and IRCA web pages.

ISO 17021 provides requirements for certification bodies. Clause 4.2.4.b of that standard refers to a "self-review" threat to an auditor's impartiality when an auditor reviews the work either done by the auditor or work resulting from consulting by the auditor.

The correct approach for handling nonconformities is to encourage the auditee to implement their own solutions. The auditor can help by reminding the auditee of the problem solving process used to uncover the root causes and determine the best corrective action.

Organizations may ask auditors for quick solutions to resolve the reported nonconformities. While this might please the auditee, it doesn't result in long-lasting, substantial improvements. And, if you are a third-party auditor, you might inadvertently share proprietary methods from other audited organizations as you propose a solution.

Auditors add value by looking at more than just conformity to requirements. They need to evaluate effectiveness by analyzing the extent to which planned activities are taking place and planned results are being achieved. They need to find out if the organization is receiving real benefits from the management system, including the level of customer satisfaction with the delivered products and services.

Auditors also add value by adjusting their audit plans to focus on the critical areas of the business, including those areas with significant change and increased risk. Auditors must understand the technical and managerial issues faced by the industry sector in which the audited organization operates.

For more information on this subject, see the "Added value audits versus consultancy" paper at the ISO 9001 Auditing Practices Group web site. You may want to also read "How to add value during the audit process" paper at the same web site.

Larry Whittington will be a speaker at the International Conference on ISO 9000 to be held March 15-16 in Orlando, FL. View these web pages to see the conference description and download the conference brochure.

Root Cause Analysis

ISO 9001:2008
Understanding ISO 9001:2008 (1 Day)
ISO 9001:2008 Requirements (2 Days)
Implementing ISO 9001:2008 (2 Days)
Quality System Documentation (2 Days)
ISO 9001:2008 Internal Auditor (3 Days)
ISO 9001:2008 Lead Auditor (4 Days)

ISO 9001:2008 Internal Auditor (2 Days - Onsite Only)

ISO 14001:2004
ISO 14001:2004 Requirements
Implementing an EMS
ISO 14001:2004 Internal Auditor
ISO 14001:2004 Lead Auditor

ISO/TS 16949:2002
ISO/TS 16949:2002 Internal Auditor
ISO/TS 16949:2002 Lead Auditor
Understanding and Implementing ISO/TS 16949:2002

Core Tools
Advanced Product Quality Planning
Design Failure Modes Effects Analysis
Process Failure Modes Effects Analysis
Production Part Approval Process
Statistical Process Control
Measurement System Analysis

AS9100B:2004
AS9100 Internal Auditor
Implementing AS9100
AS9100 Lead Auditor

ISO 27001:2005
ISO 27001 - Understanding an ISMS
ISO 27001 - ISMS Implementation
ISO 27001 - ISMS Internal Auditor
ISO 27001 - ISMS Lead Auditor

ISO 20000-1:2005
Understanding ISO 20000
Implementing ISO 20000
ISO 20000 Internal Auditor

ISO 13485:2003
Understanding ISO 13485:2003
ISO 13485:2003 Internal Auditor
Implementing ISO 13485:2003
ISO 9001 Lead Auditor - ISO 13485 Emphasis

Capability Maturity Model Integration
Introduction to CMMI v1.2

Six Sigma
Introduction to Statistics
Green Belt Certification
Black Belt Certification

© 2000-2010 Whittington & Associates, LLC

You can view the selected quality, environmental, and six sigma book abstracts by clicking on one of the categories below:

• ISO 9001
• AS9100
• ISO/TS 16949
• ISO 14001
• Documentation
• Improvement
• Customer Satisfaction
• Internal Auditing
• Six Sigma

The books can be ordered online via Amazon if you decide to buy a copy.

email: larry@whittingtonassociates.com

phone: 770-517-7944

web: http://www.whittingtonassociates.com