Migration To ISO 9001:2008
The International Accreditation Forum (IAF) and the International Organization for
Standardization (ISO) have agreed on an implementation plan to ensure a smooth transition of
accredited certification to ISO 9001:2008, the latest version of the world’s most widely used
standard for quality management systems (QMS). The details of the plan are given in the joint
communiqué by the two organizations which appears below.
Like all of ISO’s more than 17 000 standards, ISO 9001 is periodically reviewed to ensure that it
is maintained at the state of the art and a decision taken to confirm, withdraw or revise the
document.
ISO 9001:2008, which is due to be published before the end of the year, will replace the year
2000 version of the standard which is implemented by both business and public sector
organizations in 170 countries. Although certification is not a requirement of the standard, the
QMS of about one million organizations have been audited and certified by independent
certification bodies (also known in some countries as registration bodies) to ISO 9001:2000.
ISO 9001 certification is frequently used in both private and public sectors to increase
confidence in the products and services provided by certified organizations, between partners
in business-to-business relations, in the selection of suppliers in supply chains and in the right
to tender for procurement contracts.
ISO is the developer and publisher of ISO 9001, but does not itself carry out auditing and
certification. These services are performed independently of ISO by certification bodies. ISO
does not control such bodies, but does develop voluntary International Standards to
encourage good practice in their activities on a worldwide basis. For example, ISO/IEC
17021:2006 specifies the requirements for bodies providing auditing and certification of
management systems.
Certification bodies that wish to provide further confidence in their services may apply to be
“accredited” as competent by an IAF recognized national accreditation body. ISO/IEC
17011:2004 specifies the requirements for carrying out such accreditation. IAF is an
international association whose membership includes the national accreditation bodies of 49
economies.
ISO technical committee ISO/TC 176, Quality management and quality assurance, which is
responsible for the ISO 9000 family of standards, is preparing a number of support documents
explaining what the differences are between ISO 9001:2008 and the year 2000 version, why
and what they mean for users. Once approved, these documents will be posted on the ISO
Web site – probably in October 2008.

ISO (International Organization for Standardization) and the IAF (International Accreditation
Forum) have agreed an implementation plan to ensure a smooth migration of accredited
certification to ISO 9001:2008, after consultation with international groupings representing
quality system or auditor certification bodies, and industry users of ISO 9001 certification
services.
ISO 9001:2008 does not contain any new requirements
They have recognized that ISO 9001:2008 introduces no new requirements. ISO 9001:2008
only introduces clarifications to the existing requirements of ISO 9001:2000 based on eight
years of experience of implementing the standard world wide with about one million
certificates issued in 170 countries to date. It also introduces changes intended to improve
consistency with ISO14001:2004
The agreed implementation plan in relation to accredited certification is therefore the
following:
Accredited certification to the ISO 9001:2008 shall not be granted until the publication of ISO
9001:2008 as an International Standard.
Certification of conformity to ISO 9001:2008 and/or national equivalents shall only be issued
after official publication of ISO 9001:2008 (which should take place before the end of 2008)
and after a routine surveillance or recertification audit against ISO 9001:2008.
Validity of certifications to ISO 9001:2000
One year after publication of ISO 9001:2008 all accredited certifications issued (new
certifications or recertifications) shall be to ISO 9001:2008.
Twenty four months after publication by ISO of ISO 9001:2008, any existing certification issued
to ISO 9001:2000 shall not be valid.

The intent of §4.5.3 is that the organization put in place procedures for 1) identifying actual and potential nonconformities to EMS requirements, 2) taking appropriate corrective or preventive action, and 3) reviewing the effectiveness of corrective or preventive actions taken.
The nonconformity requirement of ISO 14001:1996 was a passive requirement in that it was only triggered when a nonconformity came to the attention of the organization through one of the other EMS procedures, such as the EMS audit or management review. ISO 14001:2004, however, requires that the organization establish and maintain procedures to identify actual or potential nonconformities, determine their causes, take action to avoid recurrence or occurrence, record results, and review effectiveness of corrective or preventive actions.

How the organization goes about identifying actual or potential nonconformities is up to it to determine. From the standpoint of registration auditors, it would seem that they would want to see a specific procedure requiring members of the organization to conduct some kind of periodic checklist driven, walk-through inspection for nonconformities. In addition, the procedure should allow for submission of nonconformities by any member of the organization. Actual nonconformities are usually fairly evident and relatively easy to investigate because there is a tangible occurrence with which to deal. The organization should also want to evaluate minor instances of nonconformity that, while not significant in and of themselves, if they occurred under different circumstances, could lead to a significant deviation from the EMS. Such “near misses” could be identified by the occurrence of a sudden, unexpected event, a failure to achieve an objective or target, or a deviation from the Environmental Policy.
Potential nonconformities are more difficult to identify and correct. Here, application of Failure Mode and Effects Analysis would be appropriate for organizations having that capability.

When investigating nonconformities, organizations should focus on identifying underlying root causes, not just the immediate manifestation of the problem. If a chemical storage drum leaks, the organization should take action, first, to mitigate the damage and, then, to determine why the leak occurred; e.g., improper or negligent handling, mechanical failure, or lack of a leak detection system. Corrective or preventive actions should then focus on eliminating the cause through training, communication of procedures, use of leak-resistant drums, or installation of a leak detection system.

Other ISO 14001 sections, principally Emergency Preparedness and Response, Internal Audit, and Management Review, are tools that the organization implements in order to help identify instances of actual or potential nonconformity. The underlying principle of these sections is that the identification of nonconformities should be made by the organization through diligent application of these tools, not from the occurrence of an environmental event, a customer or community complaint, or investigation by a regulatory authority. While §4.5.3 does not specifically mention disciplinary action, in many cases disciplinary action or the threat of disciplinary action is appropriate to prevention of future nonconformities. Many organizations have written codes of conduct that give employees notice that deviations from the codes will not be tolerated and that prescribed penalties can result for infractions. These codes can be expanded to include penalties for deviations from the EMS. If so, penalties should be commensurate with the violation itself and should acknowledge the nature of the environmental damage, the degree of negligence, prior conduct, and the forthrightness of the employee being disciplined. Any such code and its remedies should be administered fairly and consistently and should have as its objective correction and prevention of EMS nonconformities, not punishment of employees.
Finally, identification, investigation, and correction of nonconformities leads to the need to revise documented procedures.

The requirement to establish a procedure for periodically evaluating compliance with applicable legal and other requirements falls short of specifically requiring regulatory compliance audits but, in fact, a system of regular regulatory compliance audits may be the most practical means for meeting this requirement of the standard. In the U.S., determination of whether to conduct a compliance audit will be governed in part by the particular jurisdiction’s approach to allowing a legal privilege for the self-assessment audit.

Evaluation vs. Audit – The difference between an evaluation and audit can only be determined by looking outside of ISO 14001. Consulting a dictionary reveals that an evaluation involves a determination of value or worth and that an audit is an examination of accounts done by persons appointed for the purpose. A better definition `is the more specific ISO 19011:2002, Guidelines for Quality and/or Environmental Management Systems Auditing, which defines an audit as a “systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” Many organizations do not have a system for evaluating regulatory compliance other than their own records and the inspections of regulatory officials. This lack of a verification system can be a risky way to operate. Reports of enforcement actions and consent agreements show that many organizations are blindsided by rogue employees who violate rules and falsify documents to cover up environmental misdeeds. Although ISO 14001 does not prescribe a specific approach to evaluation of regulatory compliance, organizations should consider methods for going beyond verification of records by collecting and evaluating physical evidence.

Continual improvement in the quality management system and its processes In ISO 9001

The standard requires the organization to continually improve the effectiveness of the quality management system in accordance with the requirements of ISO 9001 and to implement action necessary to achieve planned results andcontinual improvement of the identified processes.

ISO 9000 defines continual improvement as a recurring activity to increase the ability to fulfil requirements. As the organization’s objectives are its requirements, continually improving the effectiveness of the management system means continually increasing the ability of the organization to fulfil its objectives.

This requirement responds to the Continual Improvement principle. If the management system is enabling the organization to accomplish its objectives when that is its purpose, why improve? The need for improvement arises out of a need to become more effective at what you do, more efficient in the utilization of resources so that the organization becomes best in its class. The purpose of measuring process performance is to establish whether or not the objectives are being achieved and if not to take action on the difference. If the performance targets are being achieved, opportunities may well exist to raise standards and increase efficiency and effectiveness.

If the performance of a process parameter is currently meeting the standard that has been established, there are several improvement actions you can take:
Raise the standard e.g. if the norm for the sales ratio of orders won to all orders bid is 60%, an improvement programme could be developed for raising the standard to 75% or higher
Increase efficiency e.g. if the time to process an order is within limits, identify and eliminate wasted resources Increase effectiveness e.g. if you bid against all customer requests, by only bidding for those you know you can win you improve your hit rate

You can call all these actions improvement actions because they clearly improve performance. However, we need to distinguish between being better at what we do now and doing new things. Some may argue that improving efficiency is being better at what we do now, and so it is – but if in order to improve efficiency we have to be innovative we are truly reaching new standards. Forty years ago, supervisors in industry would cut an eraser in half in the name of efficiency rather than hand out two erasers. Clearly this was a lack of trust disguised as efficiency improvement and it had quite the opposite effect. In fact they were not only increasing waste but also creating a hostile environment.

Each of the improvement actions is dealt with later in the book and the subject of continual improvement addressed again under Quality planning in Chapter 5. There are several steps to undertaking continual improvement (Juran, J. M., 1995)12 .
1 Determine current performance
2 Establish the need for change
3 Obtain commitment and define the improvement objectives
4 Organize diagnostic resources
5 Carry out research and analysis to discover the cause of current
performance
6 Define and test solutions that will accomplish the improvement
objectives
7 Product improvement plans which specify how and by whom the changes
will be implemented
8 Identify and overcome any resistance to change
9 Implement the change10 Put in place controls to hold new levels of performance and repeat step one.

The standard requires a quality manual to be established and maintained that includes the scope of the quality
management system, the documented procedures or reference to them and a description of the sequence and
interaction of processes included in the quality management system.

ISO 9000 defines a quality manual as a document specifying the quality management system of an organization. It is therefore not intended that the manual be a response to the requirements of ISO 9001. As the top-level document describing the management system it is a system description describing how the organization is managed.
Countless quality manuals produced to satisfy ISO 9000 :2008, were no more than 20 sections that paraphrased the requirements of the standard.
Such documentation adds no value. They are of no use to managers, staff or auditors. Often thought to be useful to customers, organizations would gain no more confidence from customers than would be obtained from their
registration certificate.

This requirement responds to the System Approach Principle.
A description of the management system is necessary as a means of showing how all the processes are interconnected and how they collectively deliver the business outputs. It has several uses as :
a means to communicate the vision, values, mission, policies and objectives of the organization
a means of showing how the system has been designed
a means of showing linkages between processes
a means of showing who does what
an aid to training new people
a tool in the analysis of potential improvements
a means of demonstrating compliance with external standards and regulations

When formulating the policies, objectives and identifying the processes to achieve them, the manual provides a convenient vehicle for containing such information. If left as separate pieces of information, it may be more difficult to
see the linkages.
The requirement provides the framework for the manual. Its content may therefore include the following:
1 Introduction
(a) Purpose (of the manual)
(b) Scope (of the manual)
(c) Applicability (of the manual)
(d) Definitions (of terms used in the manual)
2 Business overview
(a) Nature of the business/organization – its scope of activity, its products and services
(b) The organization’s interested parties (customers, employees, regulators, shareholders, suppliers, owners etc.)
(c) The context diagram showing the organization relative to its external environment
(d) Vision, values
(e) Mission
3 Organization
(a) Function descriptions
(b) Organization chart
(c) Locations with scope of activity
4 Business processes
(a) The system model showing the key business processes and how they are interconnected
(b) System performance indicators and method of measurement
(c) Business planning process description
(d) Resource management process description
(e) Marketing process description
(f) Product/service generation processes description
(g) Sales process description
(h) Order fulfilment process description
5 Function matrix (Relationship of functions to processes)
6 Location matrix (Relationship of locations to processes)
7 Requirement deployment matrices
(a) ISO 9001 compliance matrix
(b) ISO 14001 compliance matrix
(c) Regulation compliance matrices (FDA, Environment, Health, Safety, CAA etc.)
8 Approvals (List of current product, process and system approvals)

The standard requires the quality manual to include the scope of the quality management system including details of justification for any exclusion.

The standard addresses activities that may not be relevant or applicable to an organization. The permissible exclusions are explained in section 1.2 of ISO 9001. Here it states that the organization may only exclude requirements that neither affect the organization’s ability, nor its responsibility to provide product that meets customer and applicable regulatory requirements. The requirements for which exclusion is permitted are limited to those in section 7 of the standard.

Under ISO 9000 :2008, it was possible for organizations to exclude functions and processes of their organization that may have been difficult to control or were not part of the order fulfilment cycle. Organizations that designed their own products but not for specific customers could escape bringing these operations into the management system. Marketing was omitted because it
operated before placement of order. Accounting, Administration, Maintenance, Publicity, Public Relations and After Sales Support functions were often omitted because there were no requirements in the standard that specifically dealt with such activities. As there is no function in an organization that does not directly or indirectly serve the satisfaction of interested parties, it is unlikely that any function or process will now be excluded from the management system.

This requirement responds to the System Approach Principle.
It is sensible to describe the scope of the management system so as to ensure effective communication. The scope of the management system is one area that generates a lot of misunderstanding particularly when dealing with auditors, consultants and customers. When you claim you have a management system that meets ISO 9001 it could imply that you design, develop, install and service the products you supply, when in fact you may only be a distributor.

Why you need to justify specific exclusions is uncertain because it is more practical to
justify inclusions.

The scope of the management system is the scope of the organization. There is no longer any reason to exclude locations, activities, functions or processes for which there is no requirement in the standard. The reason is because the ISO 9000 family now serves customer satisfaction and is not limited to quality assurance as were the 1994 versions of ISO 9001, ISO 9002 and ISO 9003.

It is not appropriate to address exclusions by inserting pages in the manual corresponding to the sections of the standard and adding justification if not within the scope of the management system – such as ‘We don’t do this!’. It is much more appropriate to use an appendix as indicated previously in the manual contents list. By describing the nature of the business, you are establishing boundary conditions. If in doing so you do not mention that you design products, it will be interpreted that design is not applicable. For exclusions relative to detail requirements, the Compliance Matrix may suffice but for an unambiguous solution, it is preferable to produce an exposition that addresses each requirement of the standard.

The standard requires the organization to manage the identified processes in accordance with the requirements of ISO 9001. The first stage in managing a process is to establish what it is you are trying to achieve, what requirements you need to satisfy, what goals you are aiming at; then establish how you will measure your achievements. The next stage is to define the process you will employ to deliver the results. Managing the process then involves managing all the inherent
characteristics of the process in such a manner that the requirements of customers and interested parties are fulfilled by the process outcomes. This means:
Managing the process inputs
Managing the work
Managing the physical resources
Managing the financial resources
Managing the human resources
Managing the constraints
Managing the outputs

Process management is therefore much more than managing activities and therefore when describing processes, one needs more than a flow chart of activities. The chart is a diagrammatical representation of a process but only one aspect. One can also add numerical data to the charts to indicate resources, cycle times, delays, costs etc. but the intangible factors of the human environment cannot be reduced to numerical data to add to the charts.

The notes to clause 4.1 of ISO 9001 need some explanation. It is stated that the processes needed for the management system include management activities, provision of resources, product realization and measurement. This note could cause confusion because it suggests that these are the processes that are needed for the management system. It would be unwise to use this as the model and far better to identify the processes from observing how the business operates. The term provision of resources should be Resource Management, which is the
collection of processes covering financial, human and physical resources.

Product realization is also a collection of processes such as design, production, service delivery, etc. Measurement is not a single process but a sub-process within each process. Grouping all the measurement processes together serves no useful purpose except it matches the standard – a purpose of little value in managing the organization.

The second note refers to outsourcing processes although it is difficult to imagine that management activities, product realization or measurement would be outsourced in its entirety. It is likely that market research; design, product verification, equipment calibration and other specialized services may be outsourced. While outsourcing comes under purchasing, it is correct to point out that the organization should control any outsourced processes. The supplier of the process is usually referred to as a subcontractor because they provide services to the organization’s requirements not their own. Control of subcontractors is covered by clause 7.4 but in meeting clause 7.4.3, you need to treat suppliers and subcontractors differently.

The standard is based around the principles of customer satisfaction, continual improvement and the development of a process based quality management system. Although not referenced in the standard itself the ISO 9001:2008 document is underpinned by eight key quality management principles;

• a customer focused organisation
• leadership
• the involvement of people
• ensuring a process approach
• a systematic approach to management
• a factual approach to decision making
• mutually beneficial supplier relations
• continuous improvement

ISO 9001:2008 has been written to ensure that its guiding principles are equally relevant to all sectors of industry and to all types of organisation. Although containing requirements to control the key processes within an organisation, it only requires six documented procedures. The standard emphasises the need for an organisation to continually monitor their own processes and systems, with many clauses making reference to self monitoring or measurement or both. This emphasis aims for an integrated approach to business processes. Instead of operating to a business plan on one hand and a quality management system on the other, the standard aims to integrate both of these functions into one system.

What is a quality management system?
ISO 9001:2008 is a standard that specifies criteria for a quality management system (QMS). A QMS incorporates those elements of an organisations management system that direct and control it with regard to quality. Such a system will need to be supported by top management who will need to be able to demonstrate management commitment.

How do you demonstrate management commitment?
Management commitment is one of the cornerstones of ISO 9001:2008, requiring top management to develop and improve the QMS throughout the organisation. This commitment can be demonstrated by a number of methods including creating a quality policy, conducting management reviews and establishing quality objectives.

What is a quality policy?
ISO 9001:2008 specifies that an organisation must have a quality policy that documents the organisations overall intentions and direction related to quality as formally expressed by top management. Such a policy will include a commitment to comply with ISO 9001:2008, to continuously improve the QMS and to set and monitor measurable quality objectives.

What are quality objectives?
The quality objectives are those targets sought or aimed for by the organisation that are related to quality. These quality objectives must be SMART (suitable, measurable, achievable, reviewed and timely). Examples of quality objectives might be; to reduce machine down time by 20% or to reduce rework costs by ?00 p/m. Whatever quality objectives are chosen they must be meaningful and adequately resourced by the organisation.

What is a management review?
A management review is a key element of how the top management of an organisation can assess its performance in terms of the objectives it sets itself, the requirements set by the standard and how its systems are operating. Normally, a management review is a regular meeting of the top management team and uses the information that the organisation? systems have derived. It is a useful forum to review and revise quality objectives.

What are internal audits and why do I need to carry them out?
Internal audit is one of the key monitoring processes required by the standard and functions as a check on the organisation? systems. It is the opportunity for an organisation to determine compliance to the systems it has established and maintained to meet the needs of its customers and identify opportunities for improvement. Internal audit can be seen as a ealth check?for an organisation.

The ore?of ISO 9001:2008, Product realisation
Clause 7 of ISO 9001:2008 contains the core processes that most organisations carry out. Any clause or sub-clause in section 7 can be excluded from an organisations quality management system if it can be justifiably excluded. Examples of common exclusions are clause 7.3 design and development, clause 7.5.3 traceability and clause 7.6 the control of monitoring and measuring devices. Clauses can only be excluded if their exclusion does not affect the company? ability to provide a product or service that meets customer requirements.

These core processes should be managed and controlled via the quality management system, and are evaluated for effectiveness and suitability by the internal audits with feed back into the management review.

This is a clear demonstration of one of the key principles of ISO 9001:2008, continuous improvement by critical self-evaluation. The output from the self-evaluation is fed into a planning stage to determine actions needed to improve the system. Following the planning and consultation comes the action phase where the proposed changes are implemented. Then the cycle starts again by checking that the changes are effective and meaningful by self-evaluation.

Other requirements of section 7 are;
Product planning to ascertain and then implement the necessary controls and resources to ensure product realisation.

Purchasing control to verify purchased product against comprehensive purchasing information and the selection and evaluation of suppliers.

Production and service provision to ensure that this activity is carried out in controlled conditions and that any processes that cannot be verified during production are validated to ensure capability. Where appropriate the product must be identified, and if required, traceable at all stages of production. Any customer property must be identified and protected from harm and all products must be stored and handled in such a way to preserve product conformity.

Any monitoring and measuring devices needed to provide evidence of product conformity must be identified and if necessary calibrated.

But what about the customer?
All of the clauses in ISO 9001:2008 are in some way focused towards meeting and exceeding the customer? expectations. For example the requirement of management to determine and communicate the importance of customer requirements throughout the organisation, and the review of customer orders to ensure that they can be met. Companies are required to implement methods for effective communication with the client at all stages of the business including ascertaining customer satisfaction after the product or service has been delivered as well as resolving customer complaints.

Finally?
ISO 9001:2008 is widely acclaimed as being the pre-eminent specification for quality management systems, it requires a company to look at itself and ask the question, ‘how can we improve?’ An ISO 9001:2008 management system should be an essential part of any business process, requiring continual improvement by self-evaluation with a goal of ensuring that current and future customer expectation can be met and exceeded.

If you have any queries concerning ISO 9001:2008 please visit http://www.iso-consults.com/