Well, this is it, folks!

Thank you to everyone for your participation for the past 52 weeks.  Your comments have been thought provoking and helpful to many.  And with so many companies beginning to seriously consider their strategy for conversion to ISO9001:2015, these weekly posts will be there to look back upon as we move forward.

With the New Year upon us, it’s so fitting that we end our 52 Week Challenge with a positive topic to get us moving in 2016!

“10 Improvement

10.1 General

The organization shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction.”  Our previous weeks’ discussions have focused on the core management system, its components and processes and establishing objectives and achieving them.  Now what?  Improvement, of course.

“These shall include:

a)  improving products and services to meet requirements as well as to address future needs and expectations.”  This is just one example of many where all areas of the organization should be involved in the management system.  Areas such as engineering and sales have many opportunities to address, and effectively do address them throughout the year.  But by forgetting to include this in the management system, the work gets done, but the leaders of the management system may forget to connect the dots and realize this.

“b)  correcting, preventing or reducing undesired effects;”  This is a rather significant change from ISO9001:2008 in that corrective and preventive action have been discussed in a different way.  The traditional preventive action is now linked to risk based thinking.  But the requirements for improvement include correcting, preventing or reducing undesired effects.

“c)  improving the performance and effectiveness of the quality management system.”  This is mainly referring to the objectives of the management system and whether or not the organization is meeting them.  Action is expected to continually improve the management system.  But there are also opportunities to improve the effectiveness of the management system such as improving the internal audit process, for example.

“NOTE:  Examples of improvement can include correction, corrective action, continual improvement, breakthrough changes, innovation and re-organization.”  This is a nice clarification because demonstrable continual improvement can sometimes be elusive.  This list provides the user with some examples to help them define their own improvement.

“10.1  Nonconformity and corrective action

10.2.1 When a nonconformity occurs, including any arising from complaints, the organization shall:

a)  react to the nonconformity and, as applicable:

1)  take action to control and correct it;

2)  deal with the consequences;”

This is a nice restructuring of the corrective action requirements in my opinion, because it clearly states the allowance that not every single nonconformance necessarily requires a root cause analysis and elaborate investigation and action plan.  Many organizations have struggled with this and have wasted resources maintaining a burdensome corrective action process because they are fully employing all resources to every problem, without consideration of importance, significance or impact.

“b)  evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:

1)  reviewing and anlysing the nonconformity;

2)  determining the causes of the nonconformity;

3)  determining if similar nonconformities exist, or could potentially occur;”

Following the logic discussed above, the organization should evaluate how far to take each of its corrective action investigations.  This allows the organization to more effectively execute their corrective action process.  If we can weed through the significant issues and dedicate some serious time and resources to them, we can have a meaningful impact on our overall quality.  But if we spend our time running each and every problem through a full root cause analysis, we lose the ability to distinguish between the levels of significance, and also are likely to lose the engagement of the people required to work on corrective actions as well.

“c)  implement any action needed;

d)  review the effectiveness of any corrective action taken;”

These are two distinctly different concepts and in many cases, this can be the weak link in an effective corrective action process.  Not only must the organization identify a cause and ensure that the prescribed actions are taken, but that the actions actually worked.  Many corrective actions’ closure process includes confirmation that all the action items were completed, but miss the critical step of confirming that the action items actually solved the problem.

“e)  update risks and opportunities determined during planning, if necessary;

f)  make changes to the quality management system, if necessary;”

These two areas take time to evolve within the management system.  These are learnings from our management system – where we are successful and where we fail.  We should learn from our failings and implement changes to our management system so that it can mature and improve.

“Corrective actions shall be appropriate to the effects of the nonconformities encountered.”  This is, of course, self explanatory.

“10.3  Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the quality management system.

The organization shall consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities that shall be addressed as part of continual improvement.”

This is where we stretch to when all else is going well.  As the management system matures and stabilizes, we are required to continually reach higher and higher to improve.

I am grateful for your participation in this full year’s discussion and wish you all the very best in 2016!  Keep improving!

9.2 Internal audit (9.2.1, 9.2.2)

This week is a double feature to include the entire 9.2 Internal audit clause.  Internal audits are one of the most underutilized tools in management systems.  The whole notion of internal audits can invoke fear for the auditees, and nuisance work for auditors.  This is one of the most important issues to address with the implementation of internal audits.  Creating a system which is easy to use for the auditors, and an audit team style of encouragement and cooperation for the auditees is key.

Let’s review the first part of the requirements.

“9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:”  Stopping right here, this is a question I see a lot.  “How often do we have to do audits?”  The first hint is in this sentence, where it includes “at planned intervals”.  The organization must plan it’s internal audit program.  Moving on:

“a) conforms to:

1. the organization’s own requirements for its quality management system;”  The first thing to review with internal audits is the organization’s performance with regard to its own management system.  This is very important so that the internal audit process is not a simple do-over of the third-party registration or surveillance audits.

“2. the requirements of this International Standard;”  This is where the standard comes in.  In addition to the organization’s own requirements, the system should be assessed to its conformance to the ISO9001 standard.

“b) is effectively implemented and maintained.”  This is an important bullet point.  Many internal audits omit the addition of effective implementation.  I like to include three areas for consideration for each area audited – where is it described in the quality system (documentation), what is the evidence (records) and how is it working (assessment of effectiveness).

“9.2.2 The organization shall:

a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;”  The frequency of audits is at the discretion of the organization and should include the items listed above.  One notable area is “changes affecting the organization”.  Where there are changes to the management system, a follow up internal audit is a great way to validate the change as well as verify implementation of the change.

“a) define the audit criteria and scope for each audit;”  Many organizations use a checklist to meet this requirement.  It may be a master checklist or subset checklists to make the audit program more manageable.

“b) select auditors and conduct audits to ensure objectivity and the impartiality of the audit programme;”  This should be specifically described in the audit process.  Tools such as job descriptions, training and competence assessments and audit feedback surveys can be used to ensure objectivity is maintained.

“c) ensure that the results of the audits are reported to relevant management;”  This is a required input to Management Review, so there is a second requirement in the standard that these be tied together.  Reporting audit results to management is key to ensure the continued effectiveness and continual improvement of the management system.  It is the whole purpose for having the internal audit program.

“d) take appropriate correction and corrective actions without undue delay;”  Many companies issue “corrective actions” for significant findings from internal audits.  It is very important to ensure the corrective actions are completed (and the actions verified!) in a timely manner.  They should receive the same scrutiny that a product nonconformance corrective action and should be dealt with in an appropriate manner and timeline.

“f) retain documented information as evidence of the implementation of the audit programme and the audit results.”  This is another area where records or documented information is required.  Lack of internal audit records will result in noncompliance.

NOTE: See ISO19011 for guidance

THIS WEEK’S HOMEWORK

Take a look at your internal audit process and documentation.  Is the audit plan adequate?  Does your audit ask “where is it described in the quality system (documentation), what is the evidence (records) and how is it working (assessment of effectiveness)”?  When changes are made, is there an audit to assess the implementation and effectiveness of the change?  Review your previous audit results for clues about where you might be able to make improvements to get the most from your internal audit program.  Good luck!

8.7 Control of nonconforming outputs

This week’s topic is one that is very clearly defined and universally applicable.  There is very little subjectivity in the requirements and they are listed in a logical and easy to understand way.

“8.7.1 The organization shall ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery.” Most companies operate with a quarantine area for tangible goods or a positive or confirmed interruption in processing for services or other outputs.  When something isn’t right, there must be a sure way to contain the output until the problem can be corrected.

“The organization shall take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services.  This shall also apply to nonconforming products and services detected after delivery of products, during or after the provision of services.”  It is clear that if there is to be any quality system at all, taking action when a nonconformity is discovered is bedrock.

“The organization shall deal with nonconforming outputs in one or more of the following ways:

a)  correction;

b)  segregation, containment, return or suspension of provision of products and services;

c)  informing the customer;

d)  obtaining authorization for acceptance under concession.”

These are the simple actions that should be taken when dealing with a nonconformity.  One or all of them may be appropriate to employ.  Moving onto the next thought creates a closed-loop system for dealing with and putting to rest any nonconforming outputs.

“Conformity to the requirements shall be verified when nonconforming outputs are corrected.”  This is such a common breakdown of an effective nonconformity process.  Even when teams are successful at containing an issue and even tracking down the cause, the verification step is often incomplete.  Action items are assigned and completed and the issue is thought to have been solved.  But many times, the problem may reappear immediately, because the action item, however well intended may not actually solve the problem.  This should always be verified.

“8.7.2 The organization shall retain documented information that:

a)  describes the nonconformity;

b)  describes the actions taken;

c)  describes any concessions obtained;

d)  identifies authority deciding the action in respect of the nonconformity.”

Retaining documented information on nonconformities is practical and makes sense, of course.  But it will also come into play later in the requirements for 9 Performance evaluation and 10 Improvement.  Most organizations retain a database of some sort which contains much more than the requirements listed here, making it easy to maintain, easy to extract information and trends, and finally, very easy to audit from a compliance standpoint.

THIS WEEK’S HOMEWORK

Take a moment to review your system for nonconformances.  Is it complete?  Is it effective in steering improvement efforts?  Do nonconformities recur frequently?  Is there room for improvement of the system (including a robust verification activity)?  A good process for dealing with nonconformities can be extremely valuable to get the real improvement we all look for.  After all, it’s the whole purpose of having a quality system at all – to actually IMPROVE the QUALITY of our output.

8.6 Release of products and services

This week’s topic, “release of products and services” is a nuts and bolts component of most quality systems.  As products and services are manufactured or created, there are typically repetitive steps used to fulfill the manufacture or creation of the product/service.  And it is very typical for there to be verification activities at each step, prior to it progressing to the next, to ensure each step is done correctly and the output of that step meets requirements.  This is typically done through some type of inspection or verification.  “Inspection” doesn’t necessarily mean the old notion of an inspector actually giving the product a onceover.  It may certainly be something internal to the process, error proofing, automated verification, etc.

But the standard is very clear on the requirement that steps be put in place to ensure all products/services meet expectation prior to release.

“The organization shall implement planned arrangements, at appropriate stages, to verify that the product and service requirements have been met.”  This planning will almost certainly have been included as the product realization processes are/were defined.  The “requirements” of the product/service must defined, and then methods to ensure they have been met must be defined at appropriate stages.

“The release of products and services to the customer shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority, and as applicable, by the customer.”  In the planning process, the requirements are defined and this statement requires that the requirements must be checked and met prior to release to the customer.  There are caveats that parties other than the actual producer may perform the verification, but the producer is still responsible for ensuring the steps are taken.

“The organization shall retain documented information on the release of products and services.  The documented information shall include:

a)  evidence of conformity with the acceptance criteria;

b)  traceability to the person(s) authorizing the release.”

This used to be interpreted as requiring a final inspection document of some sort which specifically states “pass/fail” or “approved” and a signature.  Technology and automation, in the absence of a piece of paper, can certainly suffice so long as the evidence of conformity and traceability to an authorized person can be established.

THIS WEEK’S HOMEWORK

Start with a consideration of the products/services your organization produces.  Next, take a look at the steps used to create them.  In each case, are they defined?  Are the requirements for acceptability defined?  Are methods in place to confirm acceptability?  Is documented information available as evidence of each?  Next week, we’ll roll right into “nonconforming product/service” so be sure to give this topic a good look before we get there!

8.5.6 Control of changes

This clause is critical and essential and, excluding the clear definition of requirements in the first place, the biggest risk, in my opinion to the stability of the QMS.  Changes which are not clearly communicated create confusion.  Changes which have not been adequately reviewed and vetted may be implemented and result in an undesired outcome.  Changes, in general, create instability and a robust change management process is critical to ensure changes are fully reviewed, approved, communicated, understood and validated when they are implemented.

ISO9001:2015 describes the following requirements:

“The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements.”  The organization is required to review and control changes for all of the previously discussed “production and service provision” topics including 8.5.1 Control of production and service provision (all of the controls established in the first place), 8.5.2 Identification and traceability, 8.5.3 Property belonging to customers or external providers, 8.5.4 Preservation and 8.5.5 Post-delivery activities.  So, just as the QMS must have defined each of these items, any changes to them must be controlled.

“The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.”  The interesting point here is that while this clause requires the above listed components of the QMS be protected during changes, and the changes be documented, only 8.5.2 and 8.5.3 have the requirement to have been documented in the first place.  Therefore, the organization must determine the most effective way to retain documented information of changes, whether the issue was initially documented or not.

THIS WEEK’S HOMEWORK

Review your QMS and determine where each of the bullets in this clause is determined.  Then, follow the trail to determine whether you have “documented information” regarding changes to any of those areas.  Review your change management process to ensure it includes the requirements of ” results of the review of changes”, “the person(s) authorizing the change” and “any necessary actions arising from the review”.

8.5.5 Post-delivery activities

This requirement is not new, but it is a little different.  Whereas previously, the requirements were sprinkled in other clauses and pretty unclear, they are now more cohesively defined and placed as one coherent thought.

As with many other clauses, there is also the very welcome addition of beginning with the determination of applicability in the first place.  Previous versions of ISO9001 have started with an assumption that requirements are applicable to every organization in every case, without the opportunity to consider how and under what conditions the requirement might apply.  ISO9001:2015 begins with the declaration that an organization shall meet requirements, but follows up immediately with “determining the extent of [] activities that are required”.

The standard reads as follows:

“The organization shall meet requirements for post-delivery activities associated with the products and services.

In determining the extent of post-delivery activities that are required, the organization shall consider:”  As noted above, this is a nice revision in plain language that reminds both the organization and anyone evaluating compliance with the standard that there must first be a consideration of the extend of what is required.  Here are the points of consideration to determine whether post-delivery activities are required:

“a)  statutory and regulatory requirements;”  This, of course, is an easy one.  If statutory or regulatory requirements dictate post-delivery activities or warranties, they must be addressed.

“b)  the potential undesired consequences associated with its products and services;”  The organization must consider potential consequences (which will also inspire discussions about risk, to be sure), and how they intend to respond, the scope of their reaction plan, etc

“c)  the nature, use and intended lifetime of its products and services;”  This is very commonly stated in the organization’s return policy or statement of liability.  Some organizations clearly state that there are no warranties (or post-delivery activities) offered, expressed or implied.  If this is the case (and in the absence of any other requirements in this list), this section can be addressed simply by acknowledging that there are no post-delivery activities.

“d)  customer requirements;”  If the customer requires post-delivery, support, warranty, protection through delivery and receipt, etc, the post-delivery activities should be clearly described.

“e)  customer feedback.”  This is an interesting point which requires the organization to consider customer feedback.  My impression of this is that an organization may choose a “no warranty” posture, but in the spirit of continual improvement and customer-centric processes, customer feedback should be considered when determining the scope of post-delivery activities.  This may also imply that the scope of those activities may change over time in response to customer feedback.

“NOTE:  Post-delivery activities can include actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.”  This note brings recycling, reusable packaging, returnable containers, etc into the requirements.  This isn’t really a new requirement, but the addition of “recycling” or “final disposal” catches us up with industry trends toward full supply chain management, sustainable strategies, etc.

THIS WEEK’S HOMEWORK

Review your quality management system for these requirements.  They are likely addressed piecemeal in more than one location.  Take the opportunity to address all of the requirements in a cohesive and easily understood way.  Ensure that your post-delivery activities in practice actually align with what you’ve described in your QMS.

Stay involved and engaged – SUBSCRIBE!