You are on page 1of 94

Quality Management Systems Training for SMEs Leonardo da Vinci Project


This book was produced in the framework of Leonardo da Vinci project Small Business Quality Management Systems. This project was carried out with the support of the Commission of the European Community.

The content of this book does not necessarily reflect the position of the European Community or the National Agency, nor does it invoke any responsibility on their part.


CHAPTER 1.INTRODUCTION.........................................................................................................................7 1.1. CONTEXT.........................................................................................................................................................7 CHAPTER 2.GENERAL....................................................................................................................................9 2.1. THE SENSE OF THE WORD QUALITY .................................................................................................................9 2.2.THE DEVELOPMENT PHASES OF QUALITY: CULTURE, PRINCIPLES AND METHODS..........................................................10 2.3.QUALITY MANAGEMENT SYSTEM.......................................................................................................................13 2.4.WHY THE IMPLEMENTATION OF A QUALITY MANAGEMENT SYSTEM? .....................................................................14 2.5.THE ISO 9000:2008 STANDARD......................................................................................................................14 CHAPTER 3.APPLICATION OF THE STANDARD ISO 9001 IN SMES....................................................16 3.1.SME.............................................................................................................................................................16 3.1.1.EU DEFINITION.............................................................................................................................................16 3.1.2.THE HIDDEN GIANTS......................................................................................................................................17 3.2.IMPLEMENTING THE ISO STANDARD...................................................................................................................21 3.2.1.WHAT SHOULD ISO (NOT) BE ABOUT..............................................................................................................21 3.2.2.MANAGEMENT PRINCIPLES..............................................................................................................................21 3.2.3.ISO IN SMES - SOME CHARACTERISTICS HAVING IMPACT...................................................................................25 3.2.4.REALIZATION OF ISO REQUIREMENTS AND DIFFERENCES BETWEEN SMES AND LARGE ENTERPRISES........................27 CHAPTER 4.THE STANDARD ISO 9001:2008 ............................................................................................38 4.1. INTRODUCTION ..............................................................................................................................................38 4.2.CHARACTERISTICS AND CONTENTS OF ISO 9001:2008 STANDARD.........................................................................38 4.3.OTHER RELATED STANDARDS ............................................................................................................................40 4.4.QUALITY MANAGEMENT SYSTEM (CLAUSE 4)......................................................................................................40 4.4.1.GENERAL REQUIREMENTS (CLAUSE 4.1)..........................................................................................................41 4.4.2. DOCUMENTATION REQUIREMENTS (CLAUSE 4.2)..............................................................................................45 MANAGEMENT RESPONSIBILITY (CLAUSE 5)...............................................................................................................49 4.5.1. MANAGEMENT COMMITMENT (CLAUSE 5.1) ....................................................................................................49 4.5.2. CUSTOMER FOCUS (CLAUSE 5.2)....................................................................................................................50 4.5.3. QUALITY POLICY (CLAUSE 5.3).....................................................................................................................51 4.5.4. PLANNING (CLAUSE 5.4) ..............................................................................................................................51 4.5.5. RESPONSIBILITY , AUTHORITY AND COMMUNICATION (CLAUSE 5.5).....................................................................51 4.5.6. MANAGEMENT REVIEW (CLAUSE 5.6).............................................................................................................52 4.5.RESOURCE MANAGEMENT (CLAUSE 6)................................................................................................................53 4.6.PRODUCT REALISATION (CLAUSE 7)....................................................................................................................54 4.7.1. PLANNING OF PRODUCT REALIZATION (CLAUSE 7.1).........................................................................................56 4.7.2. CUSTOMER-RELATED PROCESSES (CLAUSE 7.2)................................................................................................57 4.7.3. DESIGN AND DEVELOPMENT (CLAUSE 7.3)......................................................................................................58 4.7.4. PURCHASING (CLAUSE 7.4)...........................................................................................................................59 4.7.5. PRODUCTION AND SERVICE PROVISION (CLAUSE 7.5)........................................................................................60 4.7.6. CONTROL OF MONITORING AND MEASURING DEVICES (CLAUSE 7.6)..................................................................62 4.7.MEASUREMENT, ANALYSIS AND IMPROVEMENT (CLAUSE 8)...................................................................................63 4.8.MINIMUM REQUIREMENTS ACCORDING TO ISO...................................................................................................67 4.9.PERMISSIBLE EXCLUSIONS ................................................................................................................................68 CHAPTER 5.STEPS TO IMPLEMENT A QMS ............................................................................................69 5.1.STEPS TO DECIDE ............................................................................................................................................69 5.1.1.DECISION TO IMPLEMENT A QMS...................................................................................................................69 5.1.2.FIRST PLANNING OF RESOURCES ......................................................................................................................70 5.1.3.EXTERNAL CONSULTANTS ..............................................................................................................................70 5.2.FIRST SELF ASSESSMENT....................................................................................................................................71 5.3.DETAILED IMPLEMENTATION PLAN......................................................................................................................73 5.4 DEVELOPMENT OF QM HANDBOOK ...................................................................................................................75 5.5 DESIGN OR CHECK UP OF PROCESSES ..................................................................................................................76 5.6 FINAL IMPLEMENTATION QMS KICK OFF..........................................................................................................78 5.6.1.TRAINING....................................................................................................................................................78 5.7 INTERNAL AUDIT ............................................................................................................................................79 5.8 EXTERNAL AUDIT ............................................................................................................................................81 5.8.1.CERTIFICATION BODY ...................................................................................................................................81 5.8.2.THE CERTIFICATION PROCESS ..........................................................................................................................82 5.9 CONTINUAL IMPROVEMENT ...............................................................................................................................83 CHAPTER 6.ADDITIONAL REQUIREMENTS ...........................................................................................85 6.1. MANAGEMENT SYSTEM STANDARDS...................................................................................................................85 6.2.EUROPEAN DIRECTIVES AND TECHNICAL STANDARDS ...........................................................................................88 4

CHAPTER 7.GLOSSARY................................................................................................................................89 BIBLIOGRAPHY.............................................................................................................................................93

INDEX OF TABLES Table 3.1 Recent development in SME perception in EU Table 3.2 Table 4.1 Table The ISO-related differences between SMEs and large 27 43 56 4.2 Audit list (abridged and artificial version) INDEX OF FIGURES Figure 3.1 European enterprises by size Figure 3.2 Issued ISO 9000 certificates, world total Figure 3.3 Distribution of issued certificates among world regions (2007) 17 Figure 3.4 Share of certificates of conformity to ISO 9001:2008 on ISO 9000 total Figure 3.5 processes according to the eight ISO 9000 principles Figure 4.1 Process map of a construction company (artificial) Figure 4.2 chart Figure 4.3 Some of the 7 quality tools Figure 4.4 Typical QMS Processes Figure Figure Example of a strengths and weaknesses analysis 5.1 Example of a first assessment checklist 62 5.2 63


enterprises in a nutshell Records required by ISO 9001:2008

16 17

18 M 21 37

Artificial example of process flow 38 39 49

Figure Force Field Analysis Figure

5.3 63 5.4 Example of an implementation plan with milestones 64 QM 66 67 68

Figure 5.5 Handbook Hierarchies Figure 5.6 SIPOC method Figure 5.7 Example of a process map

1.1. Context


During the last decades enterprises made an effort to achieve quality as a measure to increase their competitiveness. This quality goal was usually achieved by trial and error, costing, to enterprises, a great deal in terms of time and money, not to mention the effect on clients, in the cases of error. To organise the procedure of obtaining and maintaining quality, a series of international standards were created in the form of ISO model. This way the improvement of quality could be obtained through standard procedures already tried and tested in many other enterprises. The whole procedure very often includes reengineering of the company and, in every case, training of the personnel. The revision of the standard in 2008 version imposes more obligations.

The achievement of quality

The power of SMEs in Yet SMEs, which represent an important percentage of the total Europe

enterprises power in Europe, have complained that implementing the ISO 9000 was expensive, as it required additional staff and paperwork. They also complained that its demands were irrelevant to SMEs operational dimensions.

Companies are facing new challenges due to the more dynamic economic situation. Markets appear and vanish within short periods of time and customers show growing expectations about the quality of delivered goods and services. Responding to these facts, many industrial sectors, principally the automotive industry, have decided to implement generally accepted quality management tools which lead, finally, to the establishment of quality management systems (QMS) after e.g. ISO, VDA or QS standards. An undoubted advantage of such a procedure is not only a support function for the systematic way of managing quality relevant issues within their own organisation but also the knowledge that a supplier who fulfils the criteria of such an accepted QMS i.e. the organisation is certified to such a standard - stands for high quality products and services. The supplier selection process was massively supported by the emerging certification activities and in some areas it has even become a minimum criterion for it. Large companies, especially, began to get certified to ISO 9000 standards whereas more and more small and medium sized enterprises have decided to choose this way within the last few years. Therefore a lot of enterprises require from their suppliers and their subcontractors certification at ISO-9001 and application of quality processes, while in certain sectors the certification is imposed by the national legislation. Furthermore clients are becoming active participants in requiring certified products and providers.

The lack of educational material and tools for SMEs

Consideration of branche specific situations / Internal and external reasons for implementing a QMS

Criteria, if for implementing a QMS, can be subdivided mainly into two different groups: internal aspects e.g. internal quality improvements like reduction of rework or cost savings and external aspects e.g. lower reclamation rate, better image, differentiation via long term quality strategy. Another reason for implementing a QMS is that it can be required by the customer (but it must not be the only reason!). Educational programs and educational materials are then necessary. The majority of them address large enterprises and there is a lack of educational material and tools specially designed for small enterprises with practical guidelines that can help on the implementation of ISO-9000 without bureaucratic procedures. Moreover, even if the requirements of ISO-9001 are single, their way of application varies between the enterprises with different objectives, sectors and methods of operation. Some professional organizations have already proposed guidelines to explain how to adapt the general requirements of ISO-9001 to their own case; but, in general, those tools do not address the specific needs of small enterprises.



The sense of the word Quality

The many different definitions of word quality

The word "Quality", being an abstract concept, can have many different definitions, such as "essential and distinguishable attribute of someone or something " or "feature defining the individual nature of something"; these are just some of the many definitions of the entry "Quality" that one can find in the dictionary.

A traditional meaning - but nowadays quite old fashioned - is "conformity to specific requirements". This acceptation matches Quality as the concept of quality directly to the features of the feature product/service itself (Quality as feature), emphasizing its fulfilment. In this sense, the quality implies that the requirements of the production process are clearly specified and entirely respected, without any guarantee that these requirements will respond to customer expectations, who is not necessarily taken into consideration. On the contrary, the current concept of quality of any Quality as product/service implies the skills to understand the users need, value and through the precise determination of the requirements, its fulfilment. This acceptation underlining the adequacy to usage (Quality as value) focuses on users needs. With the acceptation of Quality as value, many definitions of the word quality have been elaborated, and two of these are particularly important: Quality means 1. Quality intended as the features of the products meeting customer needs and determining his satisfaction. In this sense, the meaning of quality is oriented to profit. The goal of a better quality is to enhance customer satisfaction, and finally, to increase the profit. As increasing or improving quality involves money investments, we have also an increase on costs. In this sense, Quality means higher Quality means lower costs costs. 2. Quality intended as absence of flaws and errors which require repairing activities which usually bring to market The ISO shares loss, customer discontent and so on. In this sense 9000:2000 the word quality is oriented to costs and better quality definition means lower costs. Finally, ISO 9000:2008 defines the word quality as: "degree to which a set of inherent characteristics fulfils requirements. It must be specified that (explanatory notes in the regulations): - "the term quality can be used with adjectives such as poor, good or excellent; while the term inherent means existing in something, especially as a permanent characteristic.

higher costs


The development phases of Quality: culture, principles and methods

The origin of the problems related to Quality can be associated to the beginning of trade activities. It is a very old concept, strictly related to the establishment of the market itself with its main characters: the buyer-user and the seller-producer. In time, the meaning of quality has undergone different relevant evolutions, which have often changed its common meaning. Let us concentrate on the main acceptations of quality developed during the 20th century.

In the years preceding the First World War there was a strong difference between quantity and quality, the former considered as belonging to production, the latter to the product final testing. Quantity is the main goal while quality is considered as one of many possible factors for success. Sometimes the buyer himself follows the production process and Between 1935 and 1945 performs the final tests. Between 1935 and 1945 the so-called Quality Control activities (QC) are generated. They are the set of actions which permits to point out and measure the product features, comparing them to formerly specified parameters. In these years the perspective changes, but the idea to intervene in the production process in order to guarantee the conformity of the product to the project itself, remains unchanged; actually, the production is deeply analysed and checking phases are included to guarantee the quality of the final product. In the 50s Servicing companies are still not included in this Quality management method, because the service is not considered a measurable and valuable result. In the 50s the approach to Quality is greatly modified and gradually the idea is spread that no business activity can be totally separated from the other ones. Consequentially, successful results can be obtained only thanks to the integration and coordination of the many different company departments. In In the 60s these years the Total Quality (TQM) approach is born in the USA. The QC is still bound to each single activity and it doesnt control the entire structure yet: however, the trend extends Quality control concepts to the organization and planning phases. In the 60s the concept of Quality is newly modified and systematically operates on both production process and product itself, the so-called Quality Guarantee (QG). QG is a management system which considers the integration of several activities, whose strong connections contribute to determine the quality of the product itself. Activities such as action planning, staff training, records filing and management,

After the First World War


adjustment actions, etc. The most relevant innovations of the QG method, compared to the older approaches, are: - integrated approach to Quality management, considered as part of the system, controlled by the entire organization, and most of all by the management; - immediate applicability to services; - attention to planning and activity recording; - widening of planning and production to designing. testing concepts, from

The difference between Quality Guarantee and Quality Total Management systems is basically on their different approaches: the former is static, the latter is dynamic. The Total Quality system puts Quality at the very first place among the business values and its goal is to improve its In the 70-80s relationship with its customers. The active orientation to Quality implies the introduction of innovative attitudes and differs from traditional approaches in three points: 1. improvement of quality as a continuing process; 2. improvement through fixed policies and goals; 3. education of the whole organization to Quality as a rule.

In the 70-80s the concept of Quality is also extended to servicing companies. In Quality in Services we can distinguish two different approaches. The traditional approach is based on the identification of customer needs and expectations and the subsequent product design, the activation of Quality process (in terms of mistake reductions), control planning and its improvement. The other approach - the so-called staff-oriented approach asserts that a quality program should be based on a change of culture, values, attitudes of the whole personnel; its most important points are basically staff management and customer feedback. The starting point is the identification of the product offered by the servicing company and its features -in comparison with any manufactured product - such as: the product does not exist before purchasing; the product cannot be stocked; production and consumption happens in the same time;


the customer is involved in the production phase; the product cannot be touched; mobility of the service supply system.

The attention paid to services helps to change the perspective when facing problems regarding quality: the organization starts considering not only the product, but also all management and technical activities implied in the product, that is the business process. The process includes all the activities oriented to a final result, performed by different business units. Each of them adds a new value to the product, directly proportional to its integration skills and ability to work for targets. Managing for processes means highly supervising all the connections among different activities, identifying customer needs aiming to his satisfaction, and exploiting business outputs as the common target. Whoever is responsible for Quality starts investing in the Quality System concept, i.e. running the business aiming for Quality. The structure of a Quality system can be summarized as: 1. definition of the business and its goals 2. assignment of tasks and responsibilities 3. identification of means and staff 4. implementation and management of operative modalities through monitoring and checking According to Quality policy, the business is more and more oriented towards customer satisfaction and his needs become the organization target, at the lower organizational costs. Creating Quality means providing internal quality and external quality. External quality refers to the customer relationship modalities, and above all, the awareness of his needs, attitudes, expectations, how carefully his request is considered, how much care is given to the communication process (welcome, service and farewell), problem solving skills, and easiness in anticipating if needed his needs and wishes, offering services not explicitly requested. External quality also means the establishment of good relationships with suppliers, media, etc. as the corporate image contributes, in large measure, to the perception and determination of external quality. Internal quality refers to all that is related to workers

satisfaction and parameters such as: shifts, information circulation, time management, accomplished tasks feedback, and so on. Therefore, quality can be defined as conformity of the service to internal and external customer satisfaction. The 1990-2009 period is characterized by the increasing The 1990demand of social quality aiming to consumers, citizens and 2009 period users satisfaction. The main goal is now the improvement of life quality, and all companies develop more integrated systems to manage quality, environment and safety. In this contest is set the SA 8000 standard (Social Accountability). The origin and development of this first standard on social responsibility is a world-wide recognized reference point. Its main goal is to eliminate unfair and cruel work conditions in all kind of business.


Quality Management System

The quality management system is a wide concept and it can Definition be defined as a systemic set of management procedures used to monitor, check and improve the organization operative and financial performances, aiming to offer the best product/service at lower costs. The management procedures constituting the quality management system include some activity subsets, respectively indicated as: Quality assurance, Quality control and Quality improvement. Quality Quality assurance (QA) activities aim to guarantee that all changes in the process are clearly identified and valuated. It also guarantees that all product/service specifications - necessary to satisfy both customer and product/service producers Quality requirements - are clearly fixed. control

Quality control (QC) is a process also known as quality statistical control which permits to valuate the performance of the current organization processes, individuating and performing the actions necessary to eliminate undesired performances. Thanks to this process QI standards can be fully respected. The activities to correct irregular products can be or not be included Quality improvement in QC environment. Quality improvement is a systematic and continuing activity, which involves all business processes, aiming at high performances. Anyway, a quality management system must be based on policies aiming to reach high quality goals. Actually, all business actions reflect the management policy on fields such as finance, product/service typology, social problems, personnel safety and so on. Finally, a quality management system must be accompanied by a good quality technology system: technologies able to obtain, monitor, control and improve the quality of the product/service itself.


Why the implementation of a Quality Management System?

The creation of a quality management system can help the organization to enhance customer satisfaction as well as of the other interested parties. Moreover, a well implemented quality management system provides the business with the structure to activate continual improvement actions.

The increasing of customer satisfaction (CS) - as well as of satisfaction the other interested parties involved in production - and the and Continual activation of continual improvement (CI) are strictly linked to improvement each other. Actually, considering the continuously changing customer needs and expectations, as well as competition and technical progress, the continual improvement of products and processes is an essential condition to remain in the market. The increasing of peoples satisfaction and the activation of continual improvement can be obtained only if the organization considers some important principles, such as: Principle Principle Principle Principle Principle Principle Principle Principle 1 2 3 4 5 6 7 8 Customer focus Leadership Involvement of people Process approach System approach to management Continual improvement Factual approach to decision making Mutually beneficial supplier approach


The principles of CS and CI


The ISO 9000:2008 standard

ISO 9000 is a set of international standards published for the first The origin of time in 1987 by Geneva International Organization for the ISO 9000 Standardization (ISO). Firms can use these standards to individuate requirements necessary to maintain an efficient quality management system. For example, the standards indicate the requirements needed for the right calibration of measurement and testing equipment (e.g. of scales and weights) or to maintain an adequate registration system. The ISO 9000 standards are the result of an international agreement of good management practice, in order to guarantee products/services in line with customer quality expectations, through processes, management and control. ISO 9000 standards is a set of guidelines and requirements to implement and maintain a quality management system, The ISO 9000 applicable to any kind of public or private organization, series regardless of its activity and size. The ISO 9000 includes three main documents:







Fundamentals and vocabulary.

ISO 9001:2008, Requirements.




ISO 9004:2000- under revision, Quality management systems Guidelines for performance improvements.

As the set of ISO 9000 - 2000 edition and up- includes only one model for quality management system (ISO 9001), the organization intending to implement a quality management system should determine which items of the standard they want to use for management actions and should develop its own system with those requirements. The organization can get an exclusion from the implementation of some clauses of the 7th The current paragraph of the standard, if not applicable due to the nature of ISO 9000 the company. Design and development must be controlled and edition (2008) documented if applied by the company. The current ISO 9001:2008 edition being active from February 2009 on and the undergoing revision of ISO 9004 introduce minor only changes to the previous edition. The main ones have to do with: Rephrasing to improve consistency between the ISO 9000 series standards and those of ISO 22000 and ISO 14000. Adding the concept of business environment and risk Better definition of the control over outsourced processes Upgrading statutory and regulatory requirements Including the goal of managing the work environment needed to achieve conformity to requirements, this meaning physical, environmental and other factors Definition of personal data as a key example of type of customer property that have to be protected. Information systems as a key example of the type of support services that may impact conformity to product requirements, as an example of calibration (verification and configuration)) Making explicit reference to post delivery activities such as warranty provisions, maintenance services and supplementary services such as recycling of final disposal

A third independent part, the certification body certifies the conformity of the quality management system according to ISO 9001 standards. The certification will show the business processes area, which the certification has been requested for, as well as any other management actions foreseen in ISO 9001 regulations not considered by the organization under certification.



The aim of this chapter is firstly to introduce briefly the SME chapter 3 phenomenon and its specifics and secondly to outline how these specifics affect the implementation of quality management system in a SME

Objective of



Micro, small and medium-sized enterprises (SMEs) are socially and economically important, they represent 99 % of all enterprises in the EU and provide around 651 million jobs. Besides that, they are an essential source for entrepreneurial spirit and innovation. Since SMEs play a key role in the economies, the term SME is a frequently used one. However, there is not one single definition used by all, on the contrary: the criteria for a small and mediumsized enterprise can vary not only between different European countries, but even within one country, depending for example on the field of activity of the enterprise. Selective approach to SMEs (different criteria for being considered a SME depending on field of activity) can for example be applied as one of criteria for obtaining entrepreneurship support in various aid programs.

3.1.1. EU definition To introduce one definition, we have chosen the SME definition of The EU, used apart from statistical purposes also to handle this EU definition economic phenomenon with respect to support schemes (especially state aid, Structural Funds and the Research and Development Framework Programme). In addition, the European definition gives us the opportunity to demonstrate, that the content of the term SME also undergoes changes in time. Since 1996 the following European description of a SME was used based on Recommendation 96/280/EC: to the group of SMEs count all enterprises with less than 250 employees, with the balance sum lower than 27 mil. EUR/year or the turnover per year max. 40 mil. EUR. At the same time the independency requirement has to be fulfilled (not 25% or more of capital or votes may be owned by one enterprise or a group of enterprises, not matching with the SME definition).

Compare (


Since the economic development has been considered as relevant for the position of SMEs, the criteria have been revised and a new definition published by Recommendation 2003/361/EC in May 2003. It will be applied as of 1 January 2005.2 While the headcount requirement remains the same, there are changes regarding the turnover an balance sheet sums:

Table 3.1

Recent development in SME perception in EU Mediumsized enterprise

96-04 05< 250 50 43

Enterprise category

Small enterprise
96-0 4 < 50 7 5 05< 50 10 10

Micro enterprise
96-0 4 < 10 05< 10 2 2

Headcount Turnover max. (mil. EUR) Balance sheet total (mil. EUR)

< 250 40 27

According to EC, the main aim of the increase of the financial ceilings is to avoid penalizing enterprises that invest. While the increase is significant in percentage terms, it should not affect the number of SMEs on the market. From an economic point of view, it is neutral since it takes account of subsequent price and productivity increases while maintaining the staff ceilings.

3.1.2. The hidden giants As stated in the introduction to this chapter, SMEs play a key role SMEs in our economy. Sometimes they are even called the hidden hidden giants or the real giants of the European economy, since large giants enterprises form only 1 % of the total number of enterprises. More than that, 93 % of all enterprises are micro enterprises (0-9 employees)3.

On 6 May 2003 the Commission adopted a new Recommendation 2003/361/EC regarding its SME definition (replacing Recommendation 96/280/EC). For more information please see: 3 SMEs in focus. Observatory of European SMEs 2002, European Communities, 2002


small 6,0%

medium-sized 0,8% large 0,2%

micro 93,0%

Figure 3.1 European enterprises by size (Source: SMEs in focus. Observatory of European SMEs 2002; EC, 2002)

Two thirds of all jobs (private non-primary sector) are in SMEs, split up roughly equally between micro enterprises, small and medium sized. The size-class distribution of employment, ISO however, differs, between countries. Very important is also, that certification SMEs create - unlike large enterprises - a net increase of job opportunities. The strong position of SMEs, especially micro enterprises can be considered specific for Europe: an average European enterprise employs 6 people, while a Japanese 10 and an American 19 people. Therefore SMEs account only for 33 % of employment in Japan and 46 % in USA whereas in EU for 66 %.4

Europes private sector jobs are in: Employment by firm size

When linking the important market position of SMEs in Europe to the importance of ISO implementation three figures might be interesting: world total of ISO 9000 certificates which shows a constant increase,



Figure 3.2 Issued ISO 9000 certificates, world total (Source:

distribution of issued certificates among world regions, which proves the strong emphasis laid on ISO certification in European countries,


Figure 3.3 Distribution of issued certificates among world regions (2007) (Source:

number of certificates issued to the revised standard ISO 9001:2000 (which replaces the 1994 versions of ISO 9001, ISO 9002 and ISO 9003), which more than tripled in 2002 in comparison to 2001 and represented nearly 30 % of the overall ISO 9000 total at the end of 2002

ISO 9001:2000 167 210 29,8%

ISO 9000 (1994 + 2000versions) 561 747 70,2%

Figure 3.4 Share of certificates of conformity to ISO 9001:2000 on ISO 9000 total (2002) (Source:

Even if the extent of this manual does not allow us to go deeper


in on the issue, the high share of Europe in issued ISO certificates together with the overwhelming majority of European enterprises being SMEs and the high acceptance of the new standard let us expect a high potential of QMS implementation according to ISO 9001:2000 in SMEs in Europe.

3.2. Implementing the ISO standard 3.2.1. What should ISO (not) be about Depending on the size of the enterprise, the implemented quality management system should not draw up something, that would be totally different from how the organization conducted its business until now. Please notice, that all enterprises already have a form of management system and possibly already fulfill some of the standards requirements, even if they have not, as yet, necessarily defined and documented how they do it. The aim of the ISO standard is definitely not to impose a totally new management system or to force the owner to change existing management activities. On the contrary, implementing a quality management system according to ISO 9000+ should be understood as a strategic mean to control the business, monitor what is going on and which areas should be focused on. All requirements of the standard should be applied with insight and commitment. The quality management system should, to a maximal extent, implement modes already existing in the enterprise and in addition proved, known and used by employees. Only then can the enterprise fully benefit from implementation of the quality management system it can improve internal processes and serve as a tool for excellent market performance. 3.2.2. Management principles In an SME as well as in a large enterprise the company management consists of several mutually dependant factors, such as management of human resources, supplier - purchaser relationship, financial management, marketing, production/services management, safety management, environmental management etc. The eight The ISO 9001:2008 standard covers in different clauses the whole management management diversity outlined above. Before implementing the principles of ISO 9001:2008 standard even in small and medium-sized enterprises the top management should first of all get acquainted with the eight management principles, the standard builds on, namely: Principle 1 Customer focus Principle 2 Leadership Principle 3 Involvement of people Principle 4 Process approach Principle 5 System approach to management Principle 6 Continual improvement Principle 7 Factual approach to decision making
21 The sense of QMS implementatio n in a SMEs

Principle 8

Mutually beneficial supplier approach

Despite the fact, that these eight principles are not explicit mentioned in the ISO 9001:2008 standard, they provide a framework for implementation of good management practice. To make you aware of that we have linked the principles with different fields of management activities, discussed in individual clauses of the standard. It regards e.g.:

ensuring resources for human resources development, development and maintenance of infrastructure and improvement of the work environment, effective involvement of employees in processes (principle 2 and 3), ensuring credible information, so that top management can define the basic long-term orientation of the company quality policy, setting concrete short-term measurable tasks annual quality objectives for lower management (coming out of principles 1, 2 and 3), concluding commercially and technically clear contracts for products/services (principles 1 and 4), ensuring economically convenient, high-quality inputs for the main activity (principle 8), controlling own activity concerning main processes of production or providing services the ISO 9001 methodology ensures an adequate level of documentation of relevant production and control procedures and instructions, compliance with operational practice, proper way to handle controlled documentation, identification and retrospective traceability (principle 4), ensuring outputs of main processes, thus products or services of such a quality, that meet customers requirements (principle 1); the level of customers satisfaction is proved by gathering and evaluating information and by implementing measures, resulting from the evaluation (principles 4 a 7), development of continual improvement program, being at the same time an effective management tool and a means to activate employees; it includes internal quality controls and transparent, consequent corrective and preventive actions (principle 6). The two main

The principles of process and system approach (4 and 5) areas illustrate two aspects: firstly the importance of links between single processes and secondly the importance of links between processes, resources (financial, qualified employees, infrastructure, work environment, information) and conditions (framework outlined through requirements of interested parties). At the same time active participation of the organization is required while executing changes and improving the knowledge level of employees, both being pre-requisites for continual improvement (principle 6). Decisions are based on facts results of tests and analyses (principle 7). Other key factors - attitudes,

motivation and competence of employees are more or less included in all eight principles. Summarizing, the eight principles for quality management outlined above can be divided into two main management areas:

1. process management - applying process and system

principles, implementing tools and attitudes of companys management (principle 4 and 5, further 1, 6, 7 and 8), 2. human resources management implementing tools in order to form attitudes systematically, to increase work ability and to create an environment supporting effective and efficient functioning of human factor (principle 2 and 3, but also 1, 6 and 7). While providing management in both these fields, the new ISO 9000:2008 standard stresses evidential care for compliance with superior laws and standards, related to the main product.




4 2 proces ses -resources condit ions leaders hip and m anagem ent com m it m en t at t it udes abilit y of m anagers , em ploy ees 1-8 1-8









of s y s t em , proces ses , res ources

inform at ion, dat a, know ledge

Figure 3.5 QM processes according to the eight ISO 9000 principles: 1 Customer focus, 2 Leadership, 3 Involvement of people, 4 Process approach, 5 System approach to management, 6 Continual improvement, 7 Factual approach to decision making, 8 Mutually beneficial supplier approach


3.2.3. ISO in SMEs - some characteristics having impact Even if there is a single ISO 9001:2008 standard and so is the set of requirements on quality management system, there are some differences in the character of SMEs and large enterprises having influence on the implementation. Some of the differences bring about an easier start for SMEs, generally they ask for special attention. Within the group of SMEs micro and small enterprises have an even more specific position. Therefore the two groups will be dealt with separately. Medium-sized enterprises (50 to 250 employees) When implementing a QMS each member of the company must be aware of the importance of this step and must be motivated to contribute. Because of their smaller size, it is less difficult for the quality manager of a medium-sized enterprise to involve everyone than it is in large enterprises. Furthermore, compared to large enterprises medium-sized enterprises may have a more plain organizational structure, run a lower number of processes liable to QMS and can manage with more simple communication tools. This might lead to a significant reduction of system documentation. On the other hand, the number of employees and the level of complexity of the enterprise usually result (different than in micro and small enterprises) in an - at least partly - documented system of conducting business, so that there is a certain base to build on when working out the quality documentation. Another specific resulting from the companys character is a usually emphasized customer focus. Since market potential of medium sized enterprises is limited compared to the possibilities of large enterprises or chains, they can be considered rather dependent on certain customers (big, important, regionally present), but in some aspects also strong supplier-dependent. The specifics Therefore these enterprises mostly care for good supplier of micro and purchaser relationship. small
enterprises related to ISO implementatio The obvious advantage of micro and small enterprises is that n The specifics of medium sized enterprises related to ISO implementatio n

Micro and small enterprises (up to 50 employees)

they are quite often family-related businesses with a director at the head, who usually is the owner as well. Consequently, he/she is directly motivated to lead the company towards prosperity, to satisfy old and to attract new customers. The customer focus is in general additionally strengthened since micro and small enterprises operate usually in regional markets and are in contact with an often limited number of customers and suppliers. A consequent care for good supplier purchaser relationship is thus a precondition to survive. The informality of the management brings a further advantage: the director/owner gives oral indications on who does what and

how and thus gives constant guidance, checks and controls the quality of the product/service, the others follow the instructions. The small size and informal management make it easier to motivate everybody within the company for the QMS. In general, all enterprises have an established way or system of conducting business. As explained above, in micro and small enterprises informality is quite effective, however, it is rarely documented. In connection with lack of documented procedures and processes the quality documentation usually has to be worked out from scratch. Micro and small enterprises have a very plain organizational structure and can manage with few, simple communication tools. This results in a significant reduction of system documentation. On the other hand, the unavoidable accumulation of functions requires multi skilled employees together with a well-advised definition of authorities and responsibilities, not forgetting a focus on communication, its content and the way of documenting it. Another difference between micro and small enterprises on one hand and medium sized enterprises and on the other can consist (but not necessarily) in the number of management processes, where all management effectiveness requirements are consequently applied, including stated measurable indicators helping to follow the effectiveness trends.


3.2.4. Realization of ISO requirements and differences between SMEs and Large Enterprises In the previous chapter some characteristic aspects have been appointed, having impact on ISO implementation in SMEs. Please find here an overview of areas which are considered specific, enriched by the findings resulting from the Correspondence table, enclosed further on in this chapter. First of all some specifics of the ISO implementation result enterprises directly from the very nature of SMEs, such as the character of: management - informal, directly motivated, plain organizational structure, requires good definition of responsibilities/authorities personnel - few, multi skilled, cumulated functions, not responsible exclusively for QMS documentation - lack of documented procedures communication - simple form and tools supplier-purchaser relations, customer focus - more depending on certain subjects, regionally limited processes lower number, structure rather simple
SMEs vs. large

Further, from the correspondence table some additional trends emerge as significant for the implementation of individual clauses and specific requirements in SMEs. To summarize the Group vs. most obvious ones: Group vs. individual Where in a large enterprise a management meeting and group decision is needed, in an SME the responsibility often lies with the owner/managing director - clauses 5.1 Management responsibility and 5.6 Management review mirror clearly this aspect. Long-term vs. short-term


Dealing clauses 5.4 Planning, 6.1 Provision of resources, 6.3 Long-term vs. Infrastructure, 7.1 Planning and product realization etc. there short-term has been stated a strong emphasis on short-term planning by SMEs respecting the cash-flow development. This can be partly explained by the dependence on individual orders. Shifting outside

While in a large enterprise some activities and inputs are outside provided internally, in the case of a SME they are substituted by activities/inputs delivered from outside. Consider e.g. clause 7.4 Purchasing where input control tests are often replaced by output control results and certificates from supplier. Similar by 7.3 Design and development carried out by customer or 7.5


Production and service provision often based on customers documentation. Last but not least, sometimes 8.2.2 internal audits cannot be provided by trained employees internal auditors, because of their low number and thus possible conflict of interests. Cumulated responsibilities
Cumulated responsibilitie s

Where in a large enterprise selected employees are appointed and trained to carry responsibility for a certain activity, in SMEs this task has often to be executed by somebody with other cumulated functions consider e.g. 5.5 Responsibility, authority, communication with no quality manager being a member of top management such as in large enterprises but with the managing director being usually responsible for the implementation or 7.6. Control of monitoring and measuring devices with responsibility for compliance of the devices with laws on metrology automatically lying with the managing director when there is no other management member appointed. (It must be added; that the extent of the accumulation depends on the sector the company is operating in and by production companies even on the type of production and quality controls required.) Flexible

Flexible extent Another new thing about ISO 9001:2008 standard is, that it enables the enterprise to fulfill a requirement in an adequate way (to a certain extent), which was not possible by e.g. standards in automotive industry. This approach means that e.g. by 4.2 Documentation requirements the complexity of quality documentation will be lower in SMEs as well as its quantity, that extent and amount of information gathered in the frame 8.2.1 Customers satisfaction will differ in SMEs and large enterprises or that in the frame of 8.5 Improvement there might not be a separate Continual improvement program but concrete tasks resulting from periodic evaluation based on quality objectives. Alternatively, it has to be stressed that the ISO 9001:2008 standard will not forgive the SME anything simply because it is small. Exceptions in the sense of letting out are possible only by requirements, discussed in clause 7. Product realization. And even then possible exceptions are available to all kinds of enterprises (not depending on size), the eligibility of every exception has, however, to be justified. Hereby a simple rule can be applied: no requirements affecting quality of the product/service may be excluded. Correspondence table The requirements of the ISO 9001:2008 standard are defined in clauses 4 till 8. In this chapter and in the previous one (3.2.3 ISO in SMEs - some characteristics having impact) we have outlined some differences between SMEs and large enterprises, which can affect the implementation of the quality management system. The table below links these differences together with the requirements of the standard (clauses 4-8) and gives you an
28 The differences between SMEs and large enterprises related to the ISO requirements

easy to use overview of those requirements, which may require a particular approach when implementing the standard in a SME. The correspondence table is drawn up according to clauses and requirements of the ISO 9001:2008 standard.


Table 3.2 The ISO related differences between SMEs and large enterprises in a nutshell ISO 9001:2008 standard Correspondence table Clause
4. 4.1

Large enterprise



Quality Management System General requirement s If an organization will claim or imply conformity to ISO 9001:2008, then it may not exclude from its QMS requirements that do not meet the criteria stated in clause 1.2 Application of the standard. Documented statements of quality Documented statements of quality Quality policy is the basic unifying Documentati policy and quality objectives. Threepolicy and quality objectives document declaring the needs of the on enterprise and its customers; it should requirement level documentation (quality manual, Two-level documentation (Quality regulations, work instructions). include a long-term vision s manual and work instructions). High number of users = high number Obligatory regulations broadly Quality objectives have to set up of copies, partial documentation discussed in the Quality manual concrete milestones on the way to fulfill centres, voluminous system the vision Low number of users = low number of documentation, usually electronic copies, one documentation centre. Quality manual by SMEs the most version (intranet), hypertext links, suitable way to describe the interaction Form more simple, e.g. Quality manual links to related documents, forms etc. in form of one file folder with all related between processes of the QMS may be Documents and records have to be the graphical one; in some cases process documents including example forms controlled. cards or hyperlinks in electronic used for records etc. documents may be advised Documents and records have to be controlled. The ISO 9001:2008 edition previews that a single document may include the requirements for one or more procedures. Management responsibility Managemen Management usually consists of t several responsible employees commitment (managing director, directors specialists). The companys owner may stay outside QMS (stock corporation). Owners as managing directors directly control the company. A specific case is a one-owner-company, where the management is executed directly by the owner, who does not need a management meeting to make strategic decisions. By SMEs this field is quite often left out. But even in their case, the management has to specify its vision and long-term intentions related to the business subject, own optimal product and its presentation on the market. The intention of a SME can be e.g. to become partner of a certain client (supplier of an automotive industry or electroengineering subject), in the case of commerce or services e.g. to be Quality management system has to be established, documented, implemented, maintained and continually improved in accordance with requirements of ISO 9001:2000.


5. 5.1


authorized partner (dealer or service provider) etc. The management shows personal involvement and activity while improving the QMS and stimulating continual improvement through internal message about the importance of meeting customers requirements and requirements imposed by related superior laws and standards. 5.2 Customer focus Usually, information source for the companys orientation is own marketing. Customers needs are to be understood as market potential having identified it prevents wrong decisions regarding future orientation. Information for companys future orientation mostly won due to membership in associations, internet etc. Own marketing limited, possibly due to relative high costs. Both managers and employees of SMEs usually are more directly motivated to lead the company towards prosperity and thus to satisfy old and to attract new customers. Even in the case of SMEs, the management has to specify its vision and long-term intentions related to the business subject, own optimal product and its presentation on the market. The intention of a SME can be e.g. to become partner of a certain client (supplier of an automotive industry or electroengineering subject), in the case of commerce or services e.g. to be authorized partner (dealer or service provider) etc. Planning is an integral part of any enterprise management. In the case of SMEs, however, some of the plans (e. g. investment plan, training plan etc.) might be understood only as a framework and may be controlled operatively according to actual cash-flow development. Appointing a member of management responsible for the QMS is essential. It has to be a strong leader provided with authority to coordinate the whole system. While there is usually a new position established in large enterprises, in micro enterprises the task is often taken over by one of the managing 31


Quality policy

Basic unifying document declaring the results desired by the enterprise. It should be appropriate to the purpose of the organization and include a longterm vision. It should include the commitment to comply with requirements and continually improve the QMS. The quality policy provides a framework for establishing and reviewing quality objectives. All employees should be aware of the declared quality policy of the organization.



Detailed financial plan and exact calculation of development expenses. Factual production plan Establishing measurable quality objectives consistent with quality policy. Branched organizational structure, easier defining of authorities and responsibilities, executive and control functions. Management representative is usually a member of top management, can be helped in QMS administrative tasks

Annual plan in financial indicators, cash-flow depending on development expenses, main activity often controlled by operative plan. Establishing measurable quality objectives consistent with quality policy. Simple organizational structure, often cumulated functions. When distributing responsibilities and authorities, specifics of the SME and characteristics of individual managers have to be taken into account. Management representative for QMS


Responsibili ty, authority, communicat ion

by an employee. Sophisticated means of communication (e.g. intranet) 5.6 Managemen Complex report on given period as t review input for management review. Review during a management meeting, documented in minutes, formulated remarks and actions resulting from the evaluation. New challenges for Quality objectives or continual improvement program.

usually has other cumulated functions. directors or by the owner himself. Elementary communication means (e.g. joint management and production meetings) Complex report on given period as input for management review. Documented owners standpoint to the report (by companies, where the influence of management meeting members on the owner is only advisory), including specification of actions if necessary. Review of quality objectives. Management review means a recapitulation of the whole QMS in regular periods (annual, biannual). Unlike other system requirements, applied by SMEs already before the implementation of QMS, it is not common in SMEs to execute management review in an extent requested by the standard. In the context of strategic management such a standstill and recapitulation is very useful. The standard requires decisions to be made based on facts, not opinions. In the context of management review original intentions, objectives and resulting tasks can be modified.

6. 6.1

Resource management Provision of resources Detailed financial plan and exact calculation of development expenses. Even an SME should determine resources needed to implement and maintain the QMS and to meet quality objectives and should specify how the resources will be provided. In the case of SME, distribution of resources during the year might be controlled operatively according to cash-flow development. Good personnel work can be done even in Human resources department/section Cumulated personnel work and training an SME. It is necessary to evaluate the with divided personnel and educational management. performance and reserves of every activities. employee and to plan the use of it in a Map of companys qualification Map of companys qualification structure, specification of work positions. broader context, in new fields or at least structure, specification of work by conserving the actual state. Employees, positions, personal development plans. however, have to feel that they are followed and evaluated and that the company counts on them. The most Evaluation of employees through suitable form of applying the requirement interview. Annual training plan. Annual training plan. is a simple evaluation of ability and planning personal development of every Evaluation of training quality and Training evaluation. single employee (regular detecting of effectiveness. training needs, training plans, evaluation). Use of experience and ability of employees is typical for SMEs-service providers, where the quality of the service often Planned resources respecting the cashflow oscillation in the course of the year.


Human resources


depends on experience of single employees. 6.3 Infrastructur Demanding, large infrastructure. e Infrastructure development planning based on long-term strategic plans, making use of different investment studies and scenarios. Annual maintenance plan. 6.4 Work The organization determines and environment manages the work environment needed to achieve conformity to product requirements. Besides control of compliance to obligatory requirements of related laws and standards (according to sector and field of activity) additional surveys are carried out on the impact of work environment on the quality of the product (especially in production companies). Product realization Planning and Main activity (production) usually product planned in an annual or quarterly realization detailed factual plan. Planning quality, detecting risks. If the production cannot be long-term factual planned (company satisfies direct demand of individual customers), than a planning in e.g. financial indicators is necessary. Products as well as production Products as well as production processes have to meet requirements processes have to meet requirements defined by laws and superior defined by laws and superior standards. standards. During the decision process regarding order acceptance all managers influencing the order have to make their comments. The standpoint has to be documented (recommended - in information system). Negotiations with customer Even in an SME it is useful to set requirements for the product. Consequently, there should be records providing evidence that the realization process and the product meet set requirements. Rather simple infrastructure. Infrastructure development realized under conditions of more simple decision making processes (owner makes shortterm decisions based on actual resources). Annual maintenance plan. The organization determines and manages the work environment needed to achieve conformity to product requirements. SMEs often develop their infrastructure more dynamically than large enterprises. Continual detecting of the means needed to ensure conformity of the products involves technology, measuring devices, information system, car park, communication technologies, work tools for employees. It is to be recommended to improve the infrastructure development plan in relation to quality objectives. As an SME: do not forget to fulfill requirements of related laws and standards, as well as obligatory revision of state authorities! The ISO9001:2008 edition pays special attention to the management of the work environment needed in order to achieve conformity to sales requirements.

7. 7.1


Customerrelated processes

Review of order acceptance has always Records on order acceptance review to be documented (at least simplified), make part of controlled documentation. even if the owner decides.


specifying the contract are documented. 7.3 Design and The company usually disposes of own Cases appear, that companies ensure development capacity for product/processes development mainly utilizing codevelopment. operating experts. This demands proper documentation reflecting requirements of clause 7.3. of the standard. Purchasing List of suppliers for a limited period derives by running companies from repeated evaluation. Members of production and technical control department should be involved in the evaluation. The company has an own test room, where input control of purchased material is executed and its release into production approved. It is used to execute customer audits by supplier. Production or providing services is usually operated according to own documentation and procedures. Processes being verified. All material in production is properly signed, marking enables backward tracing of all relevant information. Procedures for providing service of own products exist, service realization documented. In the frame of QMS laws on metrology usually count as superior standard. Member of metrology department participates in management. Calibration of measuring devices often provided internally. If the company uses to do calibration of measuring devices itself, calibration procedures have to be defined. Evaluation of suppliers for a limited period and documenting of the list of approved suppliers has to be done even if a strong accumulation of information and responsibilities exists. Acquiring output control results and certificates from the supplier can replace the input control tests. By SMEs the development of the product often happens by the customer, which can be qualified as not fulfilling of the requirement and may be even reason for exclusion. Even by SMEs evaluation of suppliers forms an important input for preventive actions and negotiations with partners. In the organization a permanent drive for evaluation has to be evident.



Production and service provision

Production or providing services often carried out according to documentation or procedures delivered by the customer. Documentation verified and released before use. Processes verified. Procedures for providing service of own products doe not always exist.

If there is no service for own products provided and there is a co-operation with a service provider assigned instead. This co-operation has to be exactly specified (especially quality requirements).


Control of monitoring and measuring devices

If there is no management member appointed as responsible for compliance with laws on metrology, than this responsibility lies automatically on the managing director of the company. Calibration of measuring devices is usually provided by an external competent center.

Even if calibration of measuring devices is carried out externally, in the company there has to be kept documentation that meets requirements of clause. 7.6 of the standard.


8. 8.1.

Measurement, analysis and improvement General The organization shall plan and implement processes needed to demonstrate conformity of the product, ensure conformity of the QMS and its continually improvement. Used methods should be defined, including statistical methods (if applied). In SMEs the use of analyses and statistical methods is rather restricted. However, also in SMEs there are certain monitoring, measurement and improvement outputs and processes such as management review report (owners documented standpoint), records of nonconformity, corrective and preventive actions records etc., which should be analyzed and used for improvement. Relevant information on customers satisfaction can usually be collected only by top management members or by the owner. Structure of the information needed (checklist) and strategy of its acquisition have to be worked out beforehand. Obtained information is evaluated, necessary actions defined. External auditors can be accepted for carrying out internal audits only if because of a low number of employees - own auditors cannot ensure internal audits without facing conflict of interests. Audit plan for one year worked out in advance, compliance with requirements of the standard as well as extent and content of audits are monitored thoroughly. Audit findings have to be reflected and if necessary the QMS improved. Even in SMEs the collected information on customers satisfaction should be documented in written form even in case of a strong accumulation of information by one person.

8.2 8.2.1

Monitoring and measurement Customer satisfaction Besides top management also members of other departments have the possibility to obtain information on customers satisfaction directly from customers, e.g. members of the marketing or service department. Collected information is processed, selected, and based on evaluation necessary actions are defined. Internal audit plan guarantees that all departments and all clauses of the standard will be checked up in the course of current year. There is a team of own auditors ensuring the realization of internal audits. Members of this team are regularly retrained, their work evaluated. Summary of through internal audits acquired information forms an essential part of the management review report.


Internal audit

Even if the audit is ensured by external auditors, the audit procedure has to be described and documented According to requirements of clause 8.2.2 of the standard.


Monitoring All management and production activities are, to an adequate extent, and monitored and evaluated. By specific production processes (e.g. welding, measuremen surface treatment) may the data, acquired as a result of control, be further

By SMEs the number of processes liable to monitoring and measurement will be considerably lower than by large 35

t of processes 8.2.4 Monitoring and measuremen t of product

used in the system of product monitoring and measuring. Control between individual operations as well as output control is carried out by professional inspectors, members of independent technical control department. All types of controls are specified in controlling and testing procedures. Control documents archived as quality records.


Control between individual operations Thanks to the controls nonconformities and sometimes also output control can be detected. carried out by production workers in form of self-test. In that case, workers are extra trained for control activity and based on training they are entrusted with control. Evidence of conformity/authorization of release should be documented.



Control of Nonconforming (half-finished) product must be separated and protected from nonconformi (even unintended) use, assessed and handled in one of the by the standard ng product accepted ways. Analysis of data Adequate analyses are a non-excludable instrument for decision making and management.

Even by SMEs, monitoring and analysis of nonconformities is one of the inputs to be considered for decision on a corrective/preventive action. The standard requires decisions to be made based on facts, not opinions. Monitoring of processes/products and analysis of acquired data is thus unavoidable even by SMEs (in appropriate extent). Overview of actions undertaken to improve the QMS forms a part of the complex report on given period (being input for management review).



Improvemen t

The company usually has a separate document to deal with improvement, the Continual improvement program. It expands on declared quality objectives specifying minor important tasks.

Annual quality objectives include usually also minor concrete tasks ensuring development of the enterprise. Thanks to a frequent actualization and completion in the course of the year an up-to-date state and effectiveness is guaranteed.


Corrective action Preventive action

The corrective action control system guarantees in both, a large enterprise as Every corrective action has to be well as a SME, that suggestions for preventing insufficiencies will be proportional to consequences of evaluated, a procedure for a corrective action will be established and executed nonconformity stated. and result of the action controlled. The preventive action control system guarantees in both, a large enterprise as Every preventive action has to be well as a SME, that suggestions for preventing insufficiencies will be proportional to consequences of possible evaluated, a procedure for a preventive action will be established and nonconformity. executed and result of the action controlled.




4.1. Introduction

The objective of the chapter 4 of these guidelines is to present the Objective of requirements as stated in ISO 9001:2008 international standard, the chapter in an easy to understand way and to give examples of their 4 fulfilment. A new requirement of the 2000 version standard is the Outsourced documentation of the control methods of potential outsourced processes processes of the company (TC 176, ISO 9000 Introduction and Support Package: Guidance on "Outsourced processes"). This element refers only to outsourced processes that may affect product conformity with specific requirements. For example, if an apparel industry outsources the clothes sewing or processing, the control methods over the external supplier must be documented, as well as their results. Structure of Chapters 4.2 presents the main characteristics of ISO 9001:2008 4 standard that differentiates it from the version ISO 9001:1994 Chapter 4.3 presents the standards ISO 9000 and ISO 9004 that are related to ISO 9001. Chapters 4.4-4.8 include the respective clauses 4-8 of the standard and their interpretation. In this way it is easy for the beginner as well as for the advanced reader to study this guidelines in relation to the standard, so as to understand it better and fulfil the requirements.
the chapter


Characteristics and contents of ISO 9001:2008 standard

ISO 9001:2008 is a quality management system international Introduction standard, issued by ISO. It was first issued in 1987, based on the to ISO British standard BS 5750. It was first time revised in 1994 (series 9001:2008 ISO 9000:1994), second time in 2000 (series ISO 9000:2000) and the last revision is that of 2008. This new version contains no new requirements. It contains only a few changes and clarifications in Notes. The points of clarification focus on outsourcing, documentation, management representative, employee competence, design verification and validation, process monitoring, control of nonconforming product and corrective and preventive action.
Main characterist ics of the current version of ISO 9000

The international standard ISO 9001:2008 maintains the process Process approach of the previous version. As process is defined any approach activity that receives inputs and converts them to outputs. The processes of the company are linked together and outputs from one process can be input to another. The systematic identification and management of the processes employed within an organization and the interactions between such processes may be referred to as the process approach.

The company has to identify and analyse its processes and their interactions and document them in the extent that it is needed to ensure their good performance. The standard categorises company processes in 4 categories:

Management Resources management Product realisation Measurement, analysis and improvement

ISO 9001:2008 pays special attention to the fulfilment of customer Customer needs and expectations. One of the main responsibilities of top oriented management is to ensure that customer needs and expectations are determined, converted into requirements and fulfilled with the aim of achieving customer satisfaction as stated in paragraph 5.2. Chapter 7.2 of the standard describes in detail the way, with which management shall identify and review customer requirements. According to paragraph 7.2.1 regulatory and legal requirements should also be taken into consideration. In addition paragraph 8.2.1 states that the company shall establish a way to monitor and measure customer satisfaction. Introduction 0.1 General 0.2 Process approach 0.3 Relationship with ISO 9004 0.4 Compatibility with other management systems Scope 0.5 General 0.6 Application Normative reference Terms and definitions Quality management system 0.7 General requirements 0.8 Documentation requirements Management responsibility 0.9 Management commitment 0.10 Customer focus 0.11 Quality policy 0.12 Planning 0.13 Responsibility, authority and communication 0.14 Management review Resource management 0.15 Provision of resources 0.16 Human resources 0.17 Infrastructure 0.18 Work environment
Contents of the standard


Product realization 0.19 Planning of product realization 0.20 Customer-related processes 0.21 Design and development 0.22 Purchasing 0.23 Production and service provision 0.24 Control of monitoring and measuring devices Measurement, analysis and improvement 0.25 General 0.26 Monitoring and measurement 0.27 Control of nonconforming product 0.28 Analysis of data 0.29 Improvement 4.3. Other related standards

Directly related to ISO 9001:2008 are the standards ISO 9000:2000 and ISO 9004:2000. These two standards do not have a certification value. ISO 9000:2000 Quality management systems - Fundamentals and ISO vocabulary has double scope. At first it provides the fundamental 9000:2000 concepts for quality management systems in an informative way. Secondly it provides the terminology used in the ISO 9001 international standard. This second part has a normative character. ISO 9004:2000 Quality management system Guidelines for ISO performance improvement is an independent standard that may be 9004:2000 used in relation to ISO 9001:2000 standard. ISO 9004 has similar structure with ISO 9001, so that the two standards can be easily used together. ISO 9004 is wider in scope than ISO 9001, focusing on companys overall performance improvement. ISO 9004:2000 are not guidelines for implementing ISO 9001:2000 and is not intended for certification or contractual use. The two International Standards are designed to be used together, but can also be used independently. 4.4. Quality Management System (clause 4)

This chapter follows the structure and content of ISO 9001:2008 standard in order to facilitate its interpretation. When appropriate, there are citations of the ISO 9000:2000 and ISO 9001:2008 standards and applications of standard requirements in practice.

Words or sentences marked with apostrophe and italic (italic) are direct citations from ISO 9000:2000 and ISO 9001:2000 standards.

Reference of each chapter to the ISO 9001:2000 standard is presented after titles (e.g. clause 4.1). Documented procedures and records required by ISO 9001:2000 are marked with a picture of book.

4.4.1.General Requirements (clause 4.1)

Managemen Establish, document, implement and maintain` should not be t system

The organization shall establish, document, implement and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard.

interpreted as separate words. Instead, it is expected to see a functioning management system to direct and control an organization with regard to quality, e.g. encouraging organizations to analyse customer requirements and defining the processes that contribute to the achievement of a product5. The focus should be on continually improving the systems ability to produce conforming6 products in an effective and efficient manner. Improvement refers to the actions taken to enhance the features and characteristics of products and/or to increase the effectiveness and efficiency of processes. The term continual recognises that improvements may be made in a step-like manner and not necessarily as a smooth, joined-together flowing process. The only part that ISO 9001:2008 standard requires to be documented concerns here the chapter 4.4.2. Documentation Requirements. Otherwise organizations can by themselves determine the necessary level of documentation. Also, it is completely within their rights to manipulate order of the standard to suit own needs, e.g. by rearranging the standards clauses into a more practical sequences. Although documentation requirement concerns only one chapter, our recommendation is to document also the processes (discussed below), because by

Product: result of a process i.e. result of a set of interrelated or interacting activities which transforms inputs into outputs (process: set of interrelated or interacting activities which transforms inputs into outputs) 6 Conformity: fulfilment of a requirement. Requirement: need or expectation that is stated, generally implied or obligatory. Nonconformity: non-fulfilment of a requirement.


documenting them many of the standard requirements will be rather easily met, such as control methods, which as a separate matter are otherwise difficult to prove to the auditor. ISO 9001:2008 states that the top management in an organization shall ensure the planning of the Quality Management System, including following six (af) clauses: a) Identify the processes and their application:
Identification of processes means that activities that are needed to produce the products services (or both) should be identified, including activities, provision of resources and measurement. discussed in detail in chapter 4.7. all essential or supply the management Processes are

Identification of processes and their application can be documented (e.g. process map), but also an obvious knowledge base shared by all practitioners might suffice. Although documentation is not specifically required, it is recommended since it is an illustrative and useful communication tool about organizations mission. Process map

b) Determine the sequence and interaction of processes:

This is a follow-up to a) above. A useful and demonstrative tool showing sequence of processes and linkages between them is a process map. Since it presents all essential activities, it actually clarifies the whole meaning of an organization, a reason for its existence (mission). Usually a process map is a one-page illustration showing the sequence and interaction of top-level processes and including indicators for lower level processes and additional information.

Process map is not a requirement of ISO 9001:2008, and sometimes a text-only description might be more suitable in some organizations. Example of a process map is presented in the figure below. The map is an artificial example of the process map in a construction company:
Management Information management Measurement of processes

Figure 4.1 Process map of a construction company (artificial) In this process map there are three core processes which serve the external customers and bring money to the company (the outputs of core processes are those that a customer buys 42


- Shipment Order entry Production


Technical support an Maintenance


Design and Development


Cleaning andSecurity

from the company; that is why the customer is presented in the map). At the top there are three boxes including management, information management and measurement of processes. There Process are activities applied to all processes in the company e.g. where flow chart management includes strategic decision, quality policy, management reviews etc. Below the core processes there are supporting activities finance, ADP and cleaning and securing to support the performance of core processes. When seeing this one page map, it easily presents the purpose of the company i.e. what products and services it sells to customers and what activities and resources are needed to produce them and to support them. In addition to a process map, many organization use second-level models displaying one box of the process map in a more detailed way. The most popular model is a process flow chart (see figure 6 as an example of a process flow chart). They identify inputs, resources, process owner, control methods, outputs, records and other necessary information concerning the process. The third-level models are usually too detailed to be displayed in a model, and thus they are usually defined in work instructions.
Name of the process: Order ent ry-P r oduct ion-S hipm e nt Owner: General manager/production manager Objectives: To process orders from order entry to a finished product in less than five days


- Customers order - Drawings etc.

R ev iew -Do we have enough or raw material? -Are we able to produce in time?


Transport arrangements

Order entry to computenzed system -Instructions and drawings to production -Acknowledgement to customer


Shipment to customer Production or take out from inventory NO Inspection END


Figure 4.2 Artificial example of process flow chart According to Oxebridge Quality Resources, Inc. (2003) 43

graphical process models provide a number of benefits, including: providing employees with an understanding of how the processes they perform affect subsequent processes, departments and employees providing a means for employees to understand what their internal customers (the subsequent processes shown on the diagrams) need from them providing a quick and easy snapshot of a process that can Statistical link to subsequent, and more detailed, instructions or tools (e.g. 7 documents quality providing a single place to summarize all important aspects of tools) a process, including its objectives and owners.

c) Determine criteria and methods needed to ensure that both the operation and control of processes are effective: This involves a set of policies, procedures, requirements and methods, that are needed to ensure a smooth operation of processes. Usually they are self-evident matters such as previews if all necessary information is included, procedures completed and parameters met, and other practical things to be checked out about activity in question. This clause addresses the use of statistical tools in the control of processes. The tools and methodology of Statistical Process Control (SPC) and Six Sigma can be too difficult for small enterprises, but some of them e.g. histogram, scatter diagram, fishbone chart and control chart, which all belong to Seven Quality Tools, are rather easy-to-use tools. The use of statistical tools is recommended by ISO 9001:2008, but they are not compulsory.

To summarize data from a process that has been collected over time, and graphically present its frequency distribution in bar form (Brassard & Ritter 1994).

To study and identify the possible relationship between the changes observed in two different sets of variables (Brassard & Ritter 1994).


To identify, explore, and graphically display, in increasing detail, all of the possible causes related to a problem or condition to discover its root causes (Brassard & Ritter 1994).

To monitor, control, and improve process performance over time by studying variation and its source (Brassard & Ritter 1994).

Figure 4.3

Some of the 7 quality tools

d) Ensure the availability of resources and information necessary to support the operation and monitoring of processes: Resources include human resources, infrastructure and work environment. They are discussed in chapter 4.6. e) Monitor, measure and analyse processes:

Usually monitoring and measuring are done as an integral part of the operation. It means that the performance of processes should be evaluated and rated somehow, in order to analyze whether they perform well and produce expected results. Many times the terms inspection and test are used synonymously with monitoring and measurement.

Example of a metric in order processing-productionshipment process (a process starting from order entry, then proceeding to production, shipment to the customer and finally ending to the point when customer receives the delivery) is the number of shipments delivered in time. Its sub-processes, e.g. production, might have their own metrics such as raw material consumption and machining time. Some of the metrics equal to quality objectives, which are discussed in chapter 4.4.2. f) Implement actions necessary to achieve planned results and continual improvement of processes: This is a claim that the processes must perform as indicated in clauses a)e) and continually improve their ability to do so. It is up to every organisation whether it chooses to document these clauses or not.

4.4.2. Documentation Requirements (clause 4.2)

ISO 9000:2008 defines document as information and its Document supporting medium7. It can be a record8, specification9, procedure document, drawing, report or standard.

Documentation shall include: a) Statements objectives: of quality policy and quality


Quality policy: Overall intentions and direction of an policy organization related to quality as formally expressed by top management. There is no specific description of the structure and the contents of quality policy, but there are some principles to follow: Firstly, it is the uppermost document to address the commitment of top management to continually improve systems ability to comply with requirements (incl. description of what is meant by continual improvement). Furthermore, it has to be aligned with any other policy and aims of the organization, be communicated, understood and found meaningful, and be used as a framework for setting various objectives. It is important to show dedication to improve competence and empower personnel, and to meet statutory and regulatory requirements and interests of stakeholders. Usually quality policy is a one page statement signed by the top manager. It doesnt need to be contained in the quality manual, nor to be signed. Since quality policy is a formal part of the QMS, it is usually included to the manual and signed by top management to show evidence of its endorsement. Example of quality policy (abridged and artificial version):
Our mission is to be a leading supplier of high quality products (name of the products) in Scandinavia and Northern Europe. This vision will be met by: Providing goods which consistently exceed the expectations of our external customers. Involving all our employees and partners in an effort to continually improve the value of our products, services and processes. Ensuring that when complaints are received, they will be responded

in a timely manner with a view to eliminate the root cause and Quality prevent recurrence. objectives In order to achieve these objectives, it is important that all our employees understand this quality policy and associated quality objectives. We will continuously make an effort to comply with the requirements of ISO 9001:2008 and improve the effectiveness of our Quality Management System.

Medium: paper, magnetic, electronic or optical computer disc, photograph or master sample, or a combination thereof. 8 Record: document stating results achieved or providing evidence of activities performed 9 Specification: document stating requirements, e.g. procedure document, process specification and test specification, product specification, performance specification and drawing


Quality objectives: Something sought, or aimed for, related to quality...Top management shall ensure that quality objectives, including those needed to meet requirements for product, are established at relevant functions and levels within the organization. The quality objectives shall be measurable and consistent with the quality policy. Quality objectives are realistic objectives converted from the quality policy and focused on all critical activities in the organization. It is advisable to link objectives to quality policy, because it makes the policy more understandable and concrete, and it is easier for personnel to see what is their contribution to achieve objectives and finally, how the objectives support intentions of quality policy. Of course, not all the objectives and associated metrics have a visible link to quality policy, but at least they align with the general direction. According to ISO 9001:2008, the objectives shall be measurable, which usually means a comparison with some fixed unit of a known size and capacity. An example of converting objectives and metrics from the quality policy is presented below. Not all objectives are measurable, and for them there should be some other measuring system to suit particular purposes of the organization. Example: See the previous chapter of quality policy: ... Ensuring that when
complaints are received, they will be responded in a timely manner.. OBJECTIVE: a quick response time to customer complaints METRIC: database of complaints (If a written form is used for processing of customer complaints, it is easy to see how many complaints have been responded to and at what response time)

Same sentence continues with:

...with a view to eliminate the root cause and prevent recurrence. OBJECTIVE: Elimination of causes and prevention of recurrence METRIC: Number of corrective and preventive actions Quality manual

Objectives can even be expanded to each process, because every process has an objective and it exists to accomplish something, whether it is known and written down or not. As presented earlier, a metric of order processing-production-shipment process could be the number of shipments delivered in time to the customer. Management can keep specific numeric goals for objectives (e.g. 90 % of complaints responded within one day; 0 % corrective action rate). Usually it is advisable to keep them separate at management use only, because updating of numeric figures would require too frequent revision of quality policy, and also less than 100 % figures may be offensive to the customer. b) A quality manual

Table 4.1

Records required by ISO 9001:2008

Clause 5.6.1

Record required Records from management reviews Example: Table of minutes, memo or equivalent document presenting the results and actions made in a management review.

6.2.2 (e)

Records of education, training skills and experience Example: An Excel-table including information of employees education and work history, training during current employment, specific skills etc. => All in one database; easier to predict future training needs. Alternative records are copies of curriculum vitae, certificates and attendance sheets from training.

7.1 (d)

Evidence that the realization processes and resulting product fulfil requirements Example: Usually these are normal delivery documents, such as work orders or equivalent documents.


Results of the review of requirements related to the product and actions arising from the review Example: The record of the review can be e.g. a signature on a quotation or an order-entry into a computerized system. The idea is to check if all customer requirements can be met by checking e.g. raw material availability and delivery time.


Design and development (inputs for R & D, review and verification of results against the input requirements, validation prior to delivery or implementation) Example: A memo, drawing or equivalent document to present all needed information, including product parameters, possible amendments, accomplished results and authorized validation of the product prior to delivery or implementation. The use of planning tools or organizations own models of conducting design and development is advisable.


Results of supplier evaluations and any necessary actions arising from the evaluations Example: This can be discussed during internal auditing and be reported in the table of minutes.

7.5.2 (d)

Demonstration of the validation of processes where the resulting output cannot be verified by subsequent monitoring or measurement Example: A document showing acceptance of tolerances parameters. and


Record of the identification of the product, where traceability is a requirement Example: Usually a work order includes information for traceability.


Reports on customer property that is lost, damaged or otherwise found to be unsuitable for use. ISO 9001:2008 previews that customer data are also considered as customer property and have to be protected. Example: The use of internal complaint form.

7.6 a)

Records on calibration and verification (basis for calibration or verification of measuring equipment where no international or national


measurement standards exist; results) Example: Memo of calibration. 8.2.2 Internal audit results and follow-up actions Example: Documented audit report. 8.2.4 Indication of the person(s) authorizing release of product Example: Usually stated on a work order. 8.3 Nature of the product nonconformities and any subsequent actions taken, including concessions obtained Example: The use of internal complaint form. 8.5.2 Results of corrective action Example: Nonconformities are documented using an internal complaint form or a written complaint sent by the customer. Nonconformities are discussed and corrective actions composed (useful tools: fishbone, brainstorming). Results are documented on table of minutes and relevant instructions and information distributed to personnel. 8.5.3 Results of preventive action Example: The use of different methods (such as Failure Mode and Effect Analysis, FMEA) to detect root causes i.e. factors that can, at some point in the future, cause conformities such as customer complaints or deficiencies in products.

Management Responsibility (clause 5)

4.5.1. Management Commitment (clause 5.1)

Top management10 shall provide evidence of its commitment to the development and implementation of the quality management system and continually improving its effectiveness by a) communicating to the organization the importance of meeting customer as well as statutory and regulatory


requirements, b) establishing the quality policy, c) ensuring that quality objectives are established, d) conducting management reviews, and e) ensuring the availability of resources. All the above mentioned 5 ways (ae) are mandatory options for the top management to prove its consistent support to the development, implementation and continual improvement of the Quality Management System. Options be are discussed as own subsequent chapters. Option a) is discussed in the next chapter and chapter 4.7.2. In addition to customer requirements, the management should also ensure that all statutory and regulatory requirements are identified, communicated in the organization and updated for the latest version. Statutory and regulatory requirements can be in written or electronic form, since many of the requirements are available within public databases on the internet. 4.5.2. Customer Focus (clause 5.2)

Top management shall ensure that customer requirements are determined and are met with the aim of enhancing customer satisfaction. This sentence is quite superfluous, because its requirements are discussed in several references in the standard. For example, during the management reviews customer requirements and priorities and process performance can be discussed and necessary actions taken. The sentence itself emphasizes the obligation that top management takes an active and leading role in ensuring all of the customer requirements. Many times though this is achieved in normal checking and other practical procedures accompanied with good customer and internal communications. It is something that every organization should know: what are those properties in our products and operations (e.g. product properties, maintenance availability, means of delivery, quick response time) that the customer appreciates the most? By writing these down in the quality manual many of the standard requirements will be met.

4.5.3. Quality Policy (clause 5.3)

Quality policy is the premier document to address the commitment of top management to continually improve systems ability to comply with requirements. It is strongly emphasized in the standard that quality policy must be issued by the top management. Quality policy was earlier discussed in detail in chapter 4.4.2. a). 4.5.4. Planning (clause 5.4)

Planning includes the establishment of quality objectives and planning of the Quality Management System, both being responsibilities of top management. The establishment of quality objectives was earlier discussed in chapter 4.4.2 a). Likewise, the planning of QMS was discussed in chapter 4.4.1 a)f). When there are changes to QMS (e.g. because of corrective and preventive actions or because of adaptations to specific market, customer preferences or to statutory/regulatory requirements), their effect on present procedures and conflicts with the system has to be considered. 4.5.5. Responsibility, Authority and Communication (clause 5.5)

Top management shall ensure that responsibilities


and authorities are defined and communicated within the organization. Each person in charge of some critical activity must have a precise conception of their assignments. Typically the responsibilities and authorities appear as part of several documents, such as assignment contracts, organisational charts and process maps. When responsibilities and authorities are not documented, they have to be communicated otherwise, for Management example during classroom training. representativ

ISO 9001:2008 also requires that top management has to appoint a management representative to look after QMS affairs and to report about them to the top management. Usually the representative organizes internal audits, reports on performance to management, monitors customer complaints and effects of corrective and preventive actions etc. It is intended that the representative is a regular member of the management team. His authority and responsibility has to be defined and communicated as any other assignment. Internal communication within the organization must be effective to ensure, that correct information is transmitted from one function, process or individual to another. 4.5.6. Management Review (clause 5.6)

Top management shall review the organizations quality management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the quality management system, including the quality policy and quality objectives. The idea of the reviews is that the top management review of the performance of the system at certain intervals laid out beforehand. There is no maximum interval specified in the standard, but a common practice is to have them once per year or more frequently if needed. The idea of the reviews is to analyse the information of audit findings (including corrective and preventive actions), customer complaints, process capabilities, performance indicators, product

conformance, improvement activities, needs for a change and any other relevant issues in order to see where we are now and how we have operated, and where we want to go. A common practice is that the management representative collects the information from relevant persons and forwards the report for a management review. Decisions from previous management reviews should also be included, which could be a separate page attached to a minutes of the review. The results of the review can lead to updates of QMS, policies and objectives, actions to increase customer satisfaction or overall effectiveness, allocation of necessary resources and to some other actions needed to improve the performance of QMS. The ISO 9001:2008 standard specifically requires a documented record from management reviews. The format of the record is informal, it can be e.g. a conventional minutes of meeting. The way of conducting reviews is up to an organisation to decide: they can be dedicated reviews or combined with any other relevant management activity.


Resource Management (clause 6)

The standard ISO 9001:2008 requires that the organization should identify the resources needed to support and improve the quality systems processes, and to achieve customer satisfaction. Resources include human resources, infrastructure and work environment. Concerning human resources, the standard requires that before organizations assign personnel to an activity they will first have to define a minimum competence requirement for the activity in terms of education, training, skills and experience. This may be handled by e.g. job descriptions, although specific documentation requirement doesnt exist. Furthermore, the standard requires that if there are competence gaps, the organization has to provide training or take other actions to fill the gap. It is stated in the standard that the personnel has to be aware of the relevance and importance of their activities and how they contribute to the achievement of quality objectives. High priority is given to knowing the customer needs. Training and meetings are some possible ways to ensure this awareness. The effectiveness of actions taken has to be evaluated

somehow, e.g. by monitoring the process performance. There is one documentation requirement concerning human resources management: the organization has to maintain appropriate records of the individuals education, training, skills and experience. Some examples of records are curriculum vitae, copies of certificates and attendance sheets from training. Alternatively, some organizations may choose to fill in a separate form for each employee, including their education, work and training history and extension studies during current employment. Concerning infrastructure, the organization has to identify facility needs, provide needed facilities and maintain them, and perform these actions on two levels: as a part of top managements consideration and on a individual contract basis. The ISO 9000:2008 standard defines infrastructure as a system of facilities, equipment and services needed for the operation of an organization. Infrastructure includes, as applicable, buildings, workspace and associated utilities, process equipment (hardware and software) and supporting services such as transport and communication. Correspondingly, the same standard defines work environment as a set of conditions under which work is performed (conditions include physical, social, psychological and environmental factors; physical conditions including factors such as temperature, humidity, vibration, air quality, lighting and cleanliness). The organization has to determine what effect the human and physical factors have on quality and ensure that the right conditions exist. 4.6. Product Realisation (clause 7)

This chapter of product realisation includes planning of product realization, customer-related processes, design and development, purchasing, production and service provision, and control of monitoring and measuring devices (chapters Usually all these activities are part of the processes, i.e. jobs and activities within an organization with an effort to produce something for the internal or external customers, and therefore, will be naturally handled when identifying the processes. When the standard presents them Typical QMS separately, they seem a little bit illogical.

In order to better understand product realization and the Quality Management Systems as a whole, we present here the typical processes that constitute the QMS. In figure 7 there are four typical process groups: 1) management processes including strategic decisions, determination of quality policy and quality objectives and other management tasks, 2) product realization processes which describe the sector which the organization is in,

including the activities that are needed to produce the products and services to internal and external customers, 3) processes of resource management including determination and allocation of human resources, infrastructure and work environment, and 4) measurement, analysis and improvement processes which ensure that the product and QMS meet the requirements and the system is continually improved.
Managem ent proces s es - establishing the quality policy and quality objectives - conducting management reviews - communicating customer, statutory and other requirements within the organization - ensuring the availability of resources, etc R esource m anagem ent Determination and allocation of - human resources - infrastructure - work environment Measurem ent , analy sis and im prov em ent proces ses

QMS process es

- to demonstrate conformity of the product and QMS - to continually improve the effectiveness of QMS

P roduct realiz at ion proces s es - planning of product realization - customer-related processes - design and development - purchasing, and production and service provision - control of monitoring and measuring devices

Figure 4.4 Typical QMS Processes

Management processes are specifically required by ISO 9001:2008 standard, all used by the top management and applied to the entire company. Resource management is put in separate in the figure, but it can also be understood to be part of management processes, since ensuring the resources is one of the duties of top management. Product realization processes are different for every company, although some processes generally exist in any company: for production operations they typically involve activities like order entry, purchasing and production, and for service companies service provision e.g. customer greeting and events coordination. Note that this chapter is the only part where exclusions can be made. This refers to ISO 9001:2008 clause: Where any requirement(s)...cannot be applied due to the nature of an organization and its product, this can be considered for exclusion...unless such exclusions do not affect the organizations ability, or responsibility, to provide product that meets customer and applicable regulatory requirements. Sometimes an organization might decide to exclude design and development activities or outsourced processes, if they are not an integral part of organizations core business and do not affect product conformity. For example some raw material can be so critical that

its purchase from suppliers and delivery at a right time is essential to their own production and delivery processes and thus, it should be controlled and included to the QMS. Measurement, analysis and improvement processes include activities such as control and inspection during production, criteria of nonconforming product and metrics to measure process performance (e.g. raw material consumption, amount of customer complaints, in-time deliveries). These activities are typically done as a part of processes, so in this respect they are more like the tools and methods rather than processes. They are used as tools to improve process performance and assure their smooth operations.

4.7.1. Planning of Product Realization (clause 7.1)

Planning of product realization means that the organization should plan and develop processes for the realization of the product. To clarify this, it means that the organization should prove that it has the correct operations, documents and resources in order to produce the required product, starting with the enquiry process and leading through to the delivery process. In its simplest form the proof of this is nothing more than the processes of the QMS. When at least the most important and critical processes and procedures (e.g. quality plan, project) are documented in written or graphically (e.g. process flow chart), they easily prove to the auditor both the existence of product realization plans and many control and acceptance criteria required by the standard. The outset for planning product realization are quality objectives, including customer and statutory requirements. They determine what the product should be. Next step is to ensure that all activities (i.e. processes), documents and resources needed for a product realization are available. This is particularly relevant when a new product is to be introduced. Furthermore, the standard requires that there are adequate acceptance methods and criteria on both the product and the processes. There is one documentation requirement here: identification of what records are to be generated by the processes and required to provide evidence of product conformance. Usually these are normal delivery documents, such as work order or an equivalent document (which will be naturally presented when describing the performance of processes).

Right operations, documents, controls, inspections and resources


4.7.2. Customer-related Processes (clause 7.2)

Concerning the requirements related to the product, the ISO 9001:2008 standard states that the organization shall determine requirements specified by the customer, including requirements for delivery and post-delivery activities the

requirements not stated by the customer but necessary for specified or intended use, where known, statutory and regulatory requirements related to the product, and any additional requirements determined by the organization.

Customer needs The first clause means that the organization has to know what recognized customer requirements in terms of product characteristics and and silent delivery and post-delivery activities such as after-sales service and needs

technical support, it should comply with. Usually these requirements are mentioned in purchasing document. Equally important is to identify hidden and silent needs of the customer, the needs that even the customer itself is not conscious of. By deeply analyzing customer satisfaction questionnaires some of these needs can be detected, but it requires much more than just summarizing the findings a deep speculation and retrieving of ground reasons and root causes is needed. Other means to get insight of customer requirements are interviewing them, participating in joint development projects with customers, etc. The second clause includes the requirements that are not known by the customer but are necessary for the intended use of the product. Examples of these might be some regulatory rules and standards. The third clause of statutory and regulatory requirements is quite unambiguous: statutory and regulatory requirements have to be addressed during the design, manufacture, delivery and servicing of the product. The information needed should be available to every relevant person in the organization. The last clause of additional requirements refers to the product properties which are developed as a response to the customers unstated expectations. These are the expectations that are hidden and not mentioned by the customer, but based on the idea of the organization of what the customer appreciates. The ISO 9001:2008 further requires that the review of requirements related to the product should be made before committing to supply

the product. This review should involve all relevant activities affected by an order, for example before quotation and upon receipt of a contract or order. For example when receiving an order, the raw material availability, delivery time, possible amendments compared to previous quotation and other things have to be checked in order to meet the defined requirements. The standard specifically requires that there should be a documented record of the review, which can be a signature on a quotation or an order-entry into a computerized system. Customer-related processes also include customer communication, which has to provide the customer with correct product information (using e.g. brochures and datasheets), and effective handling of enquiries, orders, customer complaints and other feedback. All the requirements of this clause 4.7.2 are naturally included in the normal order handling process. Again, we recommend here the documentation of the process to prove its existence. 4.7.3. Design and Development (clause 7.3)

The ISO 9001:2008 standard states that the organization shall A systematic and determine the design and development stages,

each design and development stage, and the responsibilities development. and

identified process of design and the review, verification and validation that are appropriate to development





Following records are imposed by the standard in order to ensure that design and development activities are carried out systematically, including, that all relevant information is available all the time and it is reviewed regularly: Records of inputs relating to product requirements; including functional and performance requirements, statutory and regulatory requirements, information on previous similar designs when applicable, and other essential requirements. Example: a technical drawing accompanied with all necessary details. Records of the review of design and development; the idea is to check design outputs (drawings, specifications, calculation etc) against the specified inputs, assess how good the design is, identify any problems and to propose necessary actions.


Example. Authorized signature on a drawing after review. Records of verification; Verification means that theres objective evidence that specified requirements have been fulfilled. Example: authorized signature on a drawing. Records of validation; Validation confirms that the actual product performs as it should under specified conditions. Validation should be completed, when applicable, prior to the delivery or implementation of the product. Example: prototypes. Records of changes in design and development; the changes should be reviewed, verified, validated and approved before implementation. Example: authorized signature on a drawing.

When the design and development activities are rather simple, it is convenient to combine for example review and verification into a single activity. In small organizations the responsibility and authority of design and development very often rest with only a few people, perhaps only with the owner. Also, many time the new ideas for design and development come from the customer, either from the final end-user or from a subcontractor. When design and development is a central part of organizations business, it is advisable to document it as a graphical process. This helps to establish a more logical and systematic way to produce new products or applications. 4.7.4. Purchasing (clause 7.4)

According to ISO 9001:2008, the organization shall ensure that purchased product conforms to specified purchase requirements. The type and extent of control applied to the supplier and the purchased product shall be dependent upon the effect of the purchased product on subsequent product realization or the final product. Control of All the purchased products and services are not critical to the items achievement of quality of the final product and therefore may not require same control as some other more critical item. Sometimes it is enough to check the quantities and possible transit damages of the dispatch, but when the purchased item is more critical, its inspection at suppliers premises prior to the delivery might be appropriate. Other ways to control the outsourced processes are


by carrying out periodic audits of the supplier, by close monitoring customer satisfaction or by providing a full specification of the Evaluation process parameters that have to be met (ISO/TC 176/SC 2: and approval of suppliers Guidance on Outsourced processes). The standard requires that the organization should evaluate and select suppliers in order to ensure that suppliers meet the requirements. The criteria for selection and evaluation have to exist. One criterion can be a good historical performance of the supplier in the past or the existence of certified quality management system by the supplier. Evaluation can be done by reviewing the records of historical performance, visiting suppliers premises, evaluating product samples or conducting a survey (a written questionnaire with a few critical issues sent to suppliers). The suppliers have to be re-evaluated in order to ensure that they are constantly able to meet the requirements. According to the standard, there should be records of the results of evaluations and any necessary actions, like records of historical performance of the suppliers, a list of approved suppliers, etc. Successful purchasing calls for a clear definition of the purchased item (product characteristics, quantity, required delivery date, possible testing or inspection, etc). If there are any requirements for review, approval or other qualifications, they should be stated clearly. Verification of purchased product means that the products are inspected or otherwise verified in order to ensure that they meet specified purchase requirements. The standard does not say that all incoming goods must be inspected. Instead, the organization can freely decide methods of verification. Sometimes it can be a review of purchase documents against delivery note or at the other end, an extensive inspection of the goods before their dispatch. Person responsible for purchases should possess relevant knowledge and skills to make a complaint to supplier when necessary, since this is the way to improve both their own and the suppliers operation. 4.7.5. Production and Service Provision (clause 7.5)


The ISO 9001:2008 standard states that the organization shall plan and carry out production and service provision under

controlled conditions. This is a standard requirement to make sure that production and servicing processes are effective and that the focus is on the prevention of nonconformities rather than on inspection and testing to detect them. Controlled conditions include, when applicable, that there is adequate product information available (specifications, drawings, work orders etc), suitable equipment and preventive maintenance are used, products and processes are monitored and measured with applicable devices, and that there are suitable methods and procedures for a product release and service delivery. These requirements may sound artificial, since in practice many of them are already in use order processing surely has adequate documentation, suitable production equipment, exact product parameters to meet the qualification, and specific procedures to be done before the dispatch or service delivery. The language of standard sounds artificial, but it refers to practical everyday procedures that have to be effective. Great emphasis is on preventive actions: on preventive maintenance to ensure that machines and equipment are working, on preventive identification of root causes that might emerge in a form of nonconformities, errors, lack of information, customer complaints etc. If there are special processes where the resulting output cannot be verified by monitoring and measuring and where deficiencies become apparent only after the product is in use or service has been delivered, it has to be proved that these processes as themselves are qualified along with the personnel. This is called a validation of processes. Examples of these special processes are food preparation and air traffic control services. Referring to the previous chapter, there should be records verifying that the special processes are qualified and able to produce planned outputs. Example: a document showing acceptance of tolerances and parameters or a memo of calibration. Concerning the product identification and traceability, the ISO 9001:2008 standard states that where appropriate, the organization shall identify the product by suitable means throughout product realization. Identification means that when the products cannot be identified inherently, they should be marked, labelled and located in a way that connects the product to a particular batch, work order, raw material and any other source of origin, and shows the status of the product (e.g. tested, inspected or not). If traceability is specifically required for example by the customer, the organization shall control and record the unique identification of the product. Example: Usually this information is recorded on a work order. Sometimes even a work number suffices to track each process step.

Effective processes

Prevention of nonconformities


Furthermore, the ISO 9001:2008 states that the organization shall identify, verify, protect and safeguard customer property provided for use or incorporation into the product. Customer property is any material or supplies provided by the customer to the organization, e.g. material and components, tooling, packaging material and drawings. If any customer property is lost, damaged or otherwise found to be unsuitable for use, this shall be reported to the customer and records maintained. Example: an internal complaint form. Generally, the organization should preserve the products, materials and components from receipt through processing to delivery in a way that damages and deterioration wont occur. Preservation includes identification, handling, packaging, storage and protection. Storage and handling are especially important for time and moisture sensitive material (e.g. foodstuffs), components that can deteriorate because of electrostatic discharge and for other equivalent material.

4.7.6. Control of Monitoring and Measuring Devices (clause 7.6)

This clause of monitoring and measuring devices concerns the fact that the organization should, when necessary, measure the product and monitor process performance with applicable devices in order to be convinced that the product will meet all its requirements. In order to understand this better, in practice monitoring and measuring usually means inspection and test during relevant points e.g. during production. Monitoring and measuring device can be a measuring instrument, software, measurement standard, reference material or auxiliary apparatus or combination thereof necessary to realize a measurement process (ISO 9000:2008). When it is necessary to ensure valid results, measuring equipment should be calibrated or otherwise verified, against measurement standards traceable to international or national measurement standards; where no such standards exist, the basis used for calibration or verification shall be recorded (ISO 9001:2008). There should be records of calibration and verification results.


Example: The organization may wish to keep a list of devices to be calibrated at certain time intervals. This can be a simple Excel-table. Results of each calibration can be attached to the list. 4.7. Measurement, Analysis and Improvement (clause 8)

This clause includes four main chapters: monitoring and measurement, control of nonconforming product, analysis of data and continual improvement. Monitoring and measurement The clause of monitoring and measurement requires that the provide organization has to show that it has established a system which information produces information of 1) customer satisfaction, 2) internal audits, 3) process performance and 4) product conformance, in order to demonstrate conformity of the product, to ensure conformity of the quality management system, and to continually improve the effectiveness of the quality management system. The idea is to prove that there is systematic way to monitor processes and products (e.g. by inspection and test), analyse customer-, product- and process-related information, and based on this information take relevant improvement actions. When the standard puts it as a requirement it might sound complicated and difficult, but in practice they are usually normal information flows, inspection and checking against tolerances during the production, and other so called self-evident back-up things in everyday operations. When processes are documented, it proves the existence of all relevant requirements. The standard emphasizes the meaning of customer satisfaction. The ISO 9001:2008 standard states: As one of the measurements of the performance of the quality management system, the organization shall monitor information relating to customer perception as to whether the organization has met customer requirements. It is essential that everybody in the organization know what is meant by customer satisfaction and dissatisfaction. Information should be gathered on both. The ways to get feedback from the customers are e.g. visits to customers premises or vice versa, direct communication with them, complaint handling, customer satisfaction questionnaires and news in the media.
A system to


The ISO 9001:2008 standard requires that the organization shall conduct internal audits at planned intervals... Internal audit is a systematic evaluation performed within an organization to ensure that the organization employs the principles of standard requirements and the processes perform according to standard and the organizations own requirements. Auditing should be done at planned intervals, but at least annually during twelve months and covering all the units of the organization. At first, the management and/or management representative has to plan an audit programme to decide what activities and areas of the system are the most critical ones and therefore to be audited at that time. The activities and areas of quality management systems where problems, nonconformities and changes have been more frequent are subject to be included. Also, the findings of previous audits should be considered if they reveal the areas of nonconformities. During the auditing all deficiencies should be identified. In a following page theres an example of a simple audit list including areas to be audited and their time schedule (Table 1). In this example, the matters that are checked and have no deficiencies are marked with a cross. If deficiencies are noticed they are written down under the list. The idea is to check matters in any month during one year.
Table 4.2. Audit list (abridged and artificial version) Area / activity to be audited
Acceptance criteria for the most important suppliers are defined and in use. There is a record of approved suppliers. The performance of suppliers is monitored and evaluated regularly. Feedback is given to suppliers. Purchasing and sales orders include all relevant information and there is no possibility for false interpretation. Methods to check incoming goods are defined and in use. There are predefined areas to be used for the storage of goods. Condition of goods in storage is evaluated at relevant intervals. To prevent the damage and deterioration a proper storage is applied. Means to identify products, parts, components, raw material etc is used (e.g. marking with a stamp, a part number on a work order). X X X
Jan Feb Marc h April May June


When traceability is required, all the material and parts used can be identified from a written document. The criteria for nonconforming products exist and are applied.

The ISO 9001:2008 standard requires a documented procedure for internal audits: The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records shall be defined in a documented procedure. Documented procedure can be mentioned in a quality manual, defining the scope, frequency, methods of auditing and records (such as list presented here) to be generated. The organization should have at least two internal auditors since the one performing audit should not audit his own work. Usually auditors are organizations own employees but when necessary, they can be outside consultants too. In a small organization where there are only few employees, the one auditor usually is the owner and another is some manager or person with required knowledge of an audited matter. The auditors report the results of auditing to the management who is responsible to ensure that corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. There should be some evidence that corrective actions are taken and they are effective. The ISO 9001:2008 standard clause of monitoring and measurement of processes, the organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes, means that once the organization has determined suitable methods it should implement them. This clause is actually a restatement for what has been mentioned earlier about monitoring and measuring processes. Similarly, the clause of monitoring and measurement of product, the organization shall monitor and measure the characteristics of the product to verify that product requirements have been met, is a restatement to implement the methods. Methods can be e.g. inspection and test by the person performing the task, or taking of testing samples at certain time intervals. Furthermore, evidence of conformity with the acceptance criteria shall be maintained. Records shall indicate the person(s) authorizing release of product. In practice this requirement is met as a consequence of normal checking and inspection procedures and using relevant documents. For example concerning the production process, if the product has no deficiencies it proceeds to the next stage e.g. to packaging and further to shipment. Examples of the records that indicate acceptance criteria and authorized persons usually are work orders or records in operations management programme. They also track the order to the correct raw material, components, machines and employees.

Control of nonconforming product The ISO 9001:2008 standard states: The organization shall ensure that product which does not conform to product Continual requirements is identified and controlled to prevent its improvement unintended use or delivery... ...The controls and related responsibilities and authorities for dealing with nonconforming product shall be defined in a documented procedureRecords of the nature of nonconformities and any subsequent actions taken, including concessions obtained, shall be maintained. When nonconforming product is corrected, the standard requires that it should be subject to re-verification by a relevant authority or, where applicable, by the customer. Analysis of data This clause concerns the organizations requirement to determine, collect and analyse appropriate data relating to customer satisfaction, product conformity, characteristics and trends of processes and products including opportunities for preventive action, and suppliers, to demonstrate the suitability and effectiveness of the quality management system and to evaluate where continual improvement of the effectiveness of the quality management system can be made. Improvement This clause is, by and large, a restatement of the above: The organization shall continually improve the effectiveness of the quality management system through the use of the quality policy, quality objectives, audit results, analysis of data, corrective and preventive actions and management review. In order to simplify this circle of continual improvement it can be described as follows: Quality policy and quality objectives (derived from the quality policy) steer the organization towards the targets, as they tell the employees where to aim at and what kind of performance is needed from everyone in order to reach the targets. Audits are conducted to find out whether processes perform according to the principles of standard and targets set by the organization. They also address the possible opportunities for improvements. If any deficiencies are noticed, they are handled during management reviews along with any other relevant information relating to customers, suppliers, own products and processes etc. As a result, corrective and preventive actions are taken for the improvement. Naturally, improvement actions are implemented when there is a need for them, not only as a result of audits and management reviews. It is essential to empower and commit personnel to make improvement actions in relation to

everyday operations. The ISO 9001:2008 standard puts a great emphasis on the elimination of root causes. It is not enough to solve the symptom of the problem, but the root cause of it in order to prevent it recurring. Typical root causes are lack of information and training. The ISO 9000:2008 standard explains, that corrective action is taken to prevent recurrence whereas preventive action is taken to prevent occurrence. In other words, preventive actions try to eliminate the root cause of the problem in order to prevent its occurrence in the first place. When concerning corrective action, the problem has already happened and actions are taken to prevent its recurrence again in the future. It has to be noted that corrective and preventive actions do not have to be implemented for every nonconforming situations, but a cost-value consideration has to be made to decide whether actions are worth for implementation or not. The standard requires that there should be a documented procedure both to corrective action and preventive action, including reviewing of nonconformities preventive action) (not concerning

determining the causes of nonconformities evaluating the need recurrence/occurrence for action to prevent

determining and implementing action needed records of the results of action taken reviewing corrective/preventive action taken.


Minimum Requirements According to ISO

The only part what ISO 9001:2008 standard requires to be documented concerns chapter 4.4.2 Documentation Requirements. Otherwise organizations can by themselves determine the necessary level of documentation. In many parts documentation is advisable, although not specifically required as a mandatory requirement by the standard. At least the product realization processes are recommended, since documentation proves the existence of meeting many standard requirements rather easily. Also, it provides employees with an understanding of how their performance affects other processes and employees and how the process as a whole has to perform smoothly in order to produce required products and services.



Permissible Exclusions

Permissible exclusions were discussed in chapter 4.7 Product realization. To make a restatement, such exclusions shall not affect the organizations ability, or responsibility, to provide product that meets customer and applicable regulatory requirements. The fact that a specific process (e.g. manufacturing, design & development) is outsourced is not a justification for the exclusion. Instead, the organization must be able to demonstrate that it has sufficient control to ensure such processes. In chapter 4.4.2 b) there were some examples of possible exclusions.




Steps to decide
Some preparation work is necessary

Every decision making process in a company is accompanied by a more or less detailed research of data or at least discussion of experience and personal opinion of business leaders. Implementation of a quality management system, which could be quite a challenging task especially for smaller sized companies, also needs a certain amount of preparation and planning.

5.1.1. Decision to implement a QMS If a company wants to decide if it should implement a QMS it has to take a lot of different facts into consideration, which could be worked out in an internal management meeting. Main players in this meeting are the general manager who has to decide from a more strategic viewpoint, and the existing quality representative (quality manager) who should be aware of more QMS details (necessary resources, costs, etc.) and its business impact. The marketing/sales manager or a technical officer may support the decision making process by daily business experience. Some companies start their own research but most of the time the decision is made after a deep discussion of the topic with a chances and risk analysis, which is strongly connected with the later first planning of resources (5.1.3). In addition to that, a person who will take the responsibility for the next steps has to be named of course the quality manager (QM) is the bestqualified person. If there is no quality manager available who has the necessary knowledge about this topic, it might be a worthwhile investment to send the management representative to an external training on QMS. Quality managers should be able to build and improve the management system but also bring in as well an excellent level of social competence. Once the decision is made by the top management as another early step the whole management level should be informed and committed to the QMS because full management support is a crucial factor for a successful implementation process. Lack of information about what a QMS stands for and which changes will occur might create misunderstandings and restrictions against the implementation process. The top management has the task to create a positive awareness for this new quality initiative by providing the necessary information and participative leadership. Another important decision the management has to take is the level of outsourcing during the implementation process, which means the scope of consultant involvement.
Definition of quality manager / First information to the management level


5.1.2. First planning of resources Implementing a QMS could be quite a challenge for a company because the elements of a QMS are interdependent with most of the vital parts of the organisation. For this reason a first rough projects plan with the most important milestones and the corresponding resources should be sketched. Many QMS implementations are divided into phases like:
Rough projects plan including main phases assessment phase: identification of actual strengths and and resources for implemenweaknesses tation

Start-up phase: collection of information about QMS, decision making process, training on QM, support of consultants, benchmarking

system building phase: management handbook, creation of documents, identification and description of key processes and quality relevant issues training phase: training of staff in all areas of the organisation improvement phase: first review of the system (internal audit) and improvement activities auditing phase: external certification audit

Each of these phases should be roughly estimated concerning time plus money and in addition to that clear responsibilities should be defined. During the next step the self assessment this plan should be reviewed and revised.

5.1.3. External consultants Organisations choose different ways how to implement a QMS regarding the scope of external involvement. The range runs from a totally home made system to a complete outsourcing of all implementation activities. An advantage of the first case is that deep knowledge about the system is built up in the company whereas the danger of creating only a sub optimal QMS is higher because of the fact that a consultant will encompass high implementation experience often in the same branch. The decision which grade of outsourcing has to be taken is depended on certain factors. Some of the most important are:
Outsourcing factors: internal knowledge, available internal human resources, financial resources

Level of internal knowledge: if there is already an expert in the company, the planning and implementation can easily be done in house. Perhaps external help could be worthwhile during the internal audit phase. Furthermore the role of consultants is to adjust the requirements of the standard to each company, since the standard is quite general and open, so an inexperienced person could omit things. Available internal human resources: some companies are so lean in their organisational structures that it is not


possible to transfer enough staff capacity to a new implementation project and work for this reason intensively with external consultants. Furthermore external consultants can stimulate the staff in the implementation of the quality process. Financial resources: of course external consultants cost money but in most cases the payback time of this investment is very short because of an efficient project management system and high knowledge about how to design a QMS could save a lot of money in the longer run. In addition to that many companies hire consultants with high reputation and use this fact as a first marketing instrument for their customers.

Either way the top management of the company has to take care that the QMS is strictly result oriented, which means it has to be aligned with the companys success factors and its strategy. QMS that are focused only on achieving the certificate are not strictly result oriented and are often perceived as red tape and a topic, which is for the QM department or the quality manager himself only. For the two following phases, it is a great advantage to work with an external consultant because he has a new and neutral look on the enterprise and on its organization. 5.2. First self assessment
Check lists / Strenghts and weaknesses analysis / Force field analysis

The first self assessment or horizontal assessment (some or all aspects of the ISO standard) has the goal to figure out which actual level of QMS maturity the organisation has and where the fields of highest potentials are as every organisation that is seeking certification is required to: Formalize the way things are done Demonstrate assurance that things are done in the right way Monitor the effectiveness of what is done and Improve

For this reason using some tools could be very helpful. Beside some software products which are provided by many different companies and are designed to help identifying unknown land in the ISO world, check lists, strengths-weaknesses analysis and forced field analysis are often used tools for the first assessment. Normally the first self-assessment is a mixture of analysis and workshops, respectively in small companies one single assessment workshop. The output of all these methods and tools is to measure and assess the actual state of the

organisation against the elements of the ISO standard. Checklists are the most frequent tools, which are used in this phase and can easily be found in ISO literature. In long lists there are detailed questions about every single element of the ISO but for smaller sized companies a certain amount of simplification work is often necessary because in this case the organisational structures and documentations are less complex. The best way to conduct checklists is an individual interview with key persons of the company.
Chapter 5: Management responsibility 5.1.1

Question: Does a exist? quality policy

Yes X

No Remarks


Do management reviews exist and do they include all essential aspects? ?

There is no systematic customer satisfaction analysis


Figure 5.1 Example of a first assessment checklist.

In the workshop itself the concentrated results should be presented and discussed. One of the most common supportive tools is the so called strengths and weaknesses analysis, whereby the areas of high ISO maturity are highlighted against the areas of extraordinary low maturity in a kind of balance sheet.
Figure 5.2 Example of a strengths and weaknesses analysis

In put Out put Beside this comparison of the organisational state in relation to Level of L e v el of m at u rit y Level of maturity maturity Visualization of Definition of ISO elements ISO elements, human aspects and the organisational change strengths and In columns. Elements of ISO Elem en t s of IS O Elements of ISO Weak Average Strong Weak Average Strong Average Strong process should be taken intoWeakconsideration. A very simple weaknesses. Assessm ent of maturity method to do this is the so called force field analysis (FFA). The levels of the elements. Definition of Processes Processes Processes improvement actions. underlying model of the FFA states that during a change process Identification of critical Continual elements (low level). Continual Continual Improvement Improvement Improvement there will always be enforcing and constraining forces in an Supplier organisation such as Supplier the Development mind set of specific employees (e.g. Supplier Development Supplier Developm ent Development members of works council), experience with former changes, .. motivational aspects, incentive systems, etc. As well as in the strength and weaknesses analysis both kinds of forces are listed and discussed. As the major result enforcing aspects should be supported by actions and constraining aspects should be weakened or eliminated.


The goal has to be defined (e.g. efficient implementation process). Identification of reinforcing and constraining forces (brainstorming) Results in form of a balance sheet Support reinforcing aspects and eliminate constraining aspects
Reinforcing aspects Constraining aspects Which Which forces forces are are effecting effecting the the goal? goal?

Visualization of project forces Determination of improvement activities

Figure 5.3 Force Field Analysis

With the collected, discussed and committed knowledge of the actual ISO maturity and change aspects, a more detailed implementation plan can be developed. 5.3. Detailed implementation plan The implementation plan is strongly interrelated with all afore mentioned contents and draws a general picture of what should be done and when it should be done until the certification audit has been successfully passed and encompasses the system building phase, the training phase, the improvement phase and the audit phase of the implementation project. are in most cases points for top management reports or workshops. For example the milestone after the system building phase could be a completed QM handbook plus ready designed and described processes. After the training phase all learning and training activities should be completed whereas the milestone for the improvement phase could be a successfully passed internal audit with a timetable for the elimination of minor and major nonconformities. And finally the audit phase could be completed by the certification of the company whereas the last phase (improvement) shouldnt find an end at all.

Project organisation / Goal description / Early planning of trainings / Definition of Between each of these phases milestones should be defined which quality policy


P has e1

P has e2

P has e3

S elf As s es s m ent
S t art 09/03
Data analysis Strenghts weaknesses Force field analysis

S y s t em B uilding
10/03 Com plet ed firs t s elf as s es s m en t

Im prov em ent

Generation of Q M Handbook Identification of Processes Definition of Documentation

01/04 Com plet ed s y s t em draft

Design of records Managem ent Commitment and responsibilities .

Figure 5.4 Example of an implementation plan with milestones details are shown in this graph)


Besides phases and milestones the project organisation should be clearly defined. Even in small companies it doesnt make sense that one single person is in charge of every activity during the whole implementation project. For this reason it is common to create a multi layer project organisation. This means that different employees of various departments are responsible for smaller tasks; the quality manger or the external consultant does the coordination and the main decisions and directives are given by a steering group which consists of top management members. As mentioned above, the steering group is only active in milestone workshops or if there are exceptional decisions to make. All subprojects and tasks have to have at least a very short form of goal description: What is to be done (if necessary in form of a detailed description)? Until when should it be done (check the correlation with the master plan)? Who should do it? Which resources infrastructure)? are available (staff, money and

One of the core elements of systems engineering a widely used philosophical approach on how to build a QMS states that it is crucial to establish a model or system from the top perspective and on this basis continue step by step towards more detailed levels. This low to high detail dogma is as applicable in the implementation plan: start with the master plan (phases) and develop top down until the most detailed level is reached. Feedback and results are reported bottom up and are collected and condensed until the top level (steering group meeting) is reached. Only under these conditions can a permanent flow of information be guaranteed.

Of course many software solutions are available to support these planning issues (e.g. MS Project) but for small enterprises, in particular, where the knowledge of project management tools is often not very well established it sometimes makes more sense to sketch the plan simply on a flip chart and pin it on a wall. The earlier training activities can be done the better for the QMS because the more employees that are aware of the new system and are involved in the implementation process, the easier the information will flow. Especially in the first phases as it may be necessary to train selected groups of employees in the basics of ISO standards and in the tools they will have to use during the following phases (process orientation, documentation of quality relevant issues, etc.). Training and quality education of employees is one of the most important and regarding the duration of the corresponding activities, one of the most underestimated aspects. One of the first steps in the implementation plan is the discussion and definition of the quality policy and quality objectives wherein the top management draws a picture of strategic quality issues. As a rule the quality policy describes how the company is aiming at permanent improvement via the QMS, the importance of quality for every single member of the organisation and the relationship with customers and suppliers. Of course it has to be aligned with the companys general strategy, it should be known and understood by all employees and should be much more than only a lip-service by the companys leaders. 5.4 Development of QM Handbook The Din ISO 9000:ff, also known as process-oriented standard, requires a process-oriented composition within the company but also of the QM system. The standards demand the development and the introduction of a documented quality system, which can consist of different elements. One of these elements is the QM handbook, where the structure of the documentation is set down; usually the content is oriented to the original structure of the DIN ISO 9001:2000 (guidelines on creating the handbook ISO/DIS 100 13 "Guidelines for developing handbooks") using in most cases the following chapters. Quality Management System Management Responsibility Resource Management Product Realization Requirements Remedial Requirements-Measurement, Improvement Analyses and
Structure of documentation / Customer benefit


In addition, it must contain, or refer to, the instructions on procedure that are an integral part of the QM system. By the figure of the process architecture of the company using a systemic process model, varying levels are visualised. These levels correspond with the different documents within the QM system. Typical examples are: in level 1 - statements of the quality policy and quality objectives, in level 2 - process instructions, introduction on procedures (describing responsibilities, purviews, and relationships with the staff and stating how different activities must be performed), in level 3 work instructions (descriptions of activities related to the workplace) and other quality relevant documents.
Figure 5.5 QM Handbook Hierarchies
Black Box B lackB ox From the customer's view, the QM handbook offers the possibility V is ion to verify the supplier has adhered to the specifications and guidelines of the customer and is making every effort to fulfil the QMHan d b ook L e v e l2 Q-P olicyan dOb je ct iv e s quality requirements. So the QM handbook documents the P r oces sM od e l operative installation and further development of the whole P r oce s sIn s t r u ct ion s , L ev e l3 Quality Management System. W or kF low s
W or kp roce d u re s ,F or m u lar ie s ,F u n ct ion a l d e s cr ip t ion s L e v e l4 L e v e l1

5.5 Design or check up of processes Processes are the core element of the new (2008) revision of the ISO 9000 standard (available from the 1st January 2004). In almost every element there can be found one or more statements how processes should be monitored, measured and improved whereas a closer description of the way that processes should be identified is not provided. First of all it is necessary to define what is understood by processes. In general a process is a logical and sequential flow of activities which are repeatable and fulfil the following criteria: Clear starting point and end (process boarders) Well defined input factors (material, information, human resources, etc.) and a clear output (result) Suppliers and customers
SIPOC method / Process map / Levels of processes / Performance indicators

A tool, which encompasses theses elements, is the so called SIPOC method. SIPOC stands for Supplier Input Process Output Customer and helps to identify the main aspects of processes. As the first step the process is sketched as a black box (top down procedure) and the starting point and the end are determined. Then continue to develop on the right side of the process and proceed with the output and the customers. A

critical point is the correct identification of customers needs and later the continuous improvement in fulfilling these needs. As a last step the input is specified and the suppliers are named. It is important to understand that suppliers are not only external companies but also internal departments or processes (internal supplier-customer relationships).

Name the process. Define start and end. Specify the output and the customers

O utput
Consistent understanding of process. Clear boundary of process.

of the process.



Identify the necessary input factors. Name the supplier of the process. Supplier Supplier


Process Process

O utput

Customer Customer

Figure 5.6 SIPOC method

As mentioned in the preceding chapter, in most companies processes are seen in different levels. The highest level of process visualisation is called a process map and shows the interaction between the main processes of the organisation. In these process maps, there can be found, as a rule, three different types of processes: Core or key processes: these are value adding processes where the start is normally defined by a certain customer need and the end is the delivered good or service this means core processes are so called customer-to- customer processes. Support processes: core processes are normally not able to work properly without a certain amount of support. For example: a production process needs the support of a maintenance process customers are not willing to pay for the maintenance, but it is necessary for a continuous performance of the value adding process. Management processes: these processes are mainly planning, steering and development activities, like strategic planning or controlling. Again, customers do not pay for them but they are necessary for the long term survival of the company

Normally, the definition of a specific process map is the first step in this project phase: main processes are identified, interactions are visualised and process owners are named. The latter is one of the most important functions in a process oriented organisation.

Process owners (PROs) are responsible for the detailed definition and sufficient resource supply of the process. In addition to that, they have to care for the right measurement tools (performance indicators) and continual improvement.
Figure 5.7: Example of a process map
Management processes Man age m e n t proces s e s Support processes S u p port p roce s s e s

Once this process and approved by top MP 1: S t rat egic map is sketched S P 2: S P 1: R P 3: Hum an MP1: Strategic SP1: RP3: Human SP2: t en ance P r ocu r em en t R Con t ollin g management every process hasMain to be defined inesources more detail by process owners until in level two or three a clear structure is achieved which can be displayed in a flow chart. In these flow oce s s e s K e y pr charts step after step of the processes are defined and adjusted together with some additional information: KP 2: K P 1: K P 3 KP3: KP1: KP2: Cu s t om e rs
R e s earch an d Dev elopm en t Research and Development P r od uct ion Production

Responsibilities Corresponding documents and records Interfaces with other processes Flow of information

Mar et in g Marketing :k

Cu s t om e rs

A process owner also to find the right performance indicators because the ISO standard demands monitoring and improvement of processes. Most of the time output indicators (customer satisfaction, productivity, yield, etc.) are defined but in many cases input or process indicators could be of great help (e.g. cost, time, quality). Of course this detailed definition of processes needs to be coordinated by the quality manager or/and the external experts. At the end of this phase the company has a well defined process map or model where different levels lead to detailed descriptions of procedures which have to be linked to the QM handbook as described in the preceding chapter. 5.6 Final implementation QMS kick off Now, as the formal aspects of the QMS are established the official release of the system should be the next step. Management and the management representative have to ensure that every process and procedure, which is followed together with every document and form, which is used in the organisation has to be part of the QMS from now on. On the one hand the new tools have to be provided by the system and on the other hand the users have to have the capability to work with them. Normally employees are informed about the system in advance but now they have to be trained in procedures and tool handling in quality relevant areas, which could be an extensive task especially in larger companies. 5.6.1. Training Planning and deploying QMS training is a critical factor in many Customized ways. First: numerous organisations fail in the certification audit training /

because employees do not know the relevant quality documents and procedures as individually they do not operate with them. Second: training costs a lot of time and a lot of money this is why management tries to keep the training efforts low and third: customized training is required for every class of employees. For all of these reasons companies create training plans wherein classes of employees are defined and connected with training contents inclusive dates in form of a matrix. These training plans should be finished before the official start or release of the QMS is done. Of course not only blue collar workers have to be trained, a high percentage of employees of all departments and hierarchies will have to take part in different training initiatives. In general there are four types of trainings used during an QMS implementation: Management training: provides upper and middle management with an overview of the ISO standard, the requirements and what they look like at the own location (changes in processes or responsibilities) are discussed, and maybe it is told about the benefits of certification explained. Start-up training: provides all employees with an introduction to the QMS and how the management intends to implement it. Especially what the next steps will be and how individuals will be affected by the QMS. Point training: provides all or most employees with information regarding specific procedures and working instructions such as design & development, production processes, equipment handling or corrective actions. Work instruction training: trains all employees on the documentation describing their jobs. This training can be minimal if the employee is already doing the job, but helps ensure that everyone is doing the job correctly and in the same way. As mentioned above, an effective and efficient training process is absolutely crucial for the future success of the QMS and must be defined quite soon in the project so that everyone will be ready to use the QMS from the end of its implementation. 5.7 Internal Audit Internal Audits also known as First Party Audits - are normally used before the first official certification and in addition during two following independent audits. The organisation should conduct internal audits at planned intervals to determine two different characteristics of the quality system. Firstly it should prove the conformity to the planned arrangements, to the requirements of the international standard and to their own quality management system requirements and secondly the

Training plans

First party audit / Preparation and behaviour / Audit report


effective implementation and maintenance. The flow of the internal Audit consists of three major steps and is defined in a documented procedure: Prearrangement, information and scheduling: all involved persons should be informed on time when and how long they should be prepared for the internal audit. Controlling QM documents: these documents could be QM handbook, process descriptions, quality reports, procedures, working instructions, etc. An experienced auditor will recognize the critical areas and elements and will focus his interview on these fields. Internal audit: (introduction, analysing and testing, variation description, final report, and documentation) most internal auditors use a predefined checklist which is the output of the preceding document controlling phase for interviews and make additional site inspections. Audit checklists ensure that nothing is missed, highlight critical areas and provide a record of the acceptable and unacceptable evidences. All unacceptable evidences must be recorded in detail for future tracing and for non compliance reporting. Every action during the audit should follow the circle: ask look check record. An audit program should be planned, taking into consideration the status and importance of the different processes running in the company. The criteria for the audit, scopes, frequencies and methods should be defined. Especially in smaller companies the management representative is also the auditor. This person is responsible for the audit, should be objective and impartial, the only restriction is to audit the own work. To sum up, there are 8 major points which describe the behaviour of an internal auditor during the auditing process: Act goal oriented Determinate employee motivation Define your minimum standards of acceptance Consider benefit and work relationship Count only facts and no assumptions If a nonconformity is found do not criticise, look for the reasons, record all details, try to assess if the nonconformity is a single case of if it is normal Understand yourself as a partner of the auditees Communicate honestly (explanations, open ended questions, good listening)


As a result an audit report with all nonconformities is generated and presented to the management. Such a report should include:

Scope and target of the audit Date and signature of auditor Members of the audit team Referring documents (ISO 9000:2008, QM handbook, etc.) Detected Nonconformities Assessment of ISO standard conformance Capability of QMS achieving the defined quality objectives

The management who are responsible for the organisation being audited should ensure that identified problems (corrective and preventive improvement activities) are solved without delay. The objective is to detect and eliminate the reasons for nonconformities and their causes. Following activities should include the verification of these actions and the reporting and documentation of the results. Only when the results of the internal audit shows a high conformance to the ISO 9000 standards should a company apply for an external audit, which is the next logical step. If many major nonconformities are detected during the internal audit, the company should really think about postponing the external audit and work on the elimination of nonconformities. This is particularly so when problems emerge among employees and new/further training is required which often costs more time than fixing documentation or system problems. 5.8 External audit External audits, certification audits or third party audits are the highlights of all ISO 9000:2008 implementation processes. Many problems and surprises could be avoided with a professional choice and management of the certification process because a lot of companies underestimate the importance of this part.

5.8.1. Certification Body When choosing a certification body to carry out ISO 9000:2008 Choosing a certification, there are some aspects an organization needs to certifcation take into account. The first point is that an organization can body implement ISO without seeking certification, but many reasons speak for an independent audit: for example if it is a contractual or regulatory requirement, if it is a market requirement or to meet customer preferences or if the management thinks it will motivate staff by setting a clear goal for the development of the management system.

If the decision has been made to apply for a certificate some criteria for the choice of the certification body should be taken into account: It has to be clarified whether or not the certification body has been accredited and, if so, by whom. Accreditation means that a certification body has been officially approved as competent to carry out certification in specified business sectors by a national accreditation body. The cheapest certification body might prove to be the most costly if its auditing is below standard, or if its certificate is not recognized by the companys customers. It should be evaluated whether the certification body has auditors with experience in the organisations business sector.

Maybe most of all harmony between auditor and auditee should be taken into consideration because both sides have to cooperate for a long period of time.

5.8.2. The certification process The certification process is never a one day activity. It takes some preparation and cooperation with the external auditors because they need to be informed about the formal aspects of the companys QMS, like the handbook and procedures plus some basic data of the company itself (size, branch, etc.). For this reason the cooperation with the certification body will occur in some steps, like a first information meeting, maybe a pre-audit, the certification audit and periodical surveillance audits. An information meeting will be the first opportunity for the company representatives to meet the so called registrar (external auditor) who will perform the ISO 9000 quality audit. In this meeting the timetable of the certification phase is adjusted and the form of cooperation is discussed. Although a pre-audit is not a formal requirement for certification, it could be a highly beneficial step for many organisations because documentation is reviewed according to the requirements of the appropriate standard. A pre-audit will help to educate management and staff on third party auditing. It will also eliminate many possible surprises and it will help assure those people who are implementing the quality system that the process is on track for successful certification. Certification audit: in addition to assessing whether or not the organisation is in compliance with the applicable ISO 9000 standard, the final audit also assesses whether the system is implemented effectively and is capable of achieving the quality
82 Information meeting / Preaudit / Certification audit / Surveillance audit

and objectives of the companys product or service. The size of the business will determine the number of auditors needed to perform the formal certification audit. Many small businesses or offices may be audited by a single auditor in a day, while very large organizations may be audited by several auditors over several days. The auditor(s) will evaluate the elements of the quality management system according to the requirements of the appropriate ISO 9000 standard. Audits are typically performed by: Touring the facilities and observing ongoing operations Interviewing employees Reviewing documentation and evaluating quality-related records.

In most cases at the conclusion of the audit, a closing meeting is conducted during which any identified problems are reviewed. If all goes well, the organisation will be recommended for certification and will be issued an ISO 9000 certificate. If nonconformities are identified required follow-up actions are defined by the auditor. Certification is generally not considered a pass / fail activity but an eventual certainty, unless the company decides not to proceed or is simply unable to correct its problems. Once certification is achieved, the auditors will return periodically for routine surveillance visits. These follow-up examinations ensure that the management system continues to operate effectively and continual improvement activities are implemented. Finally for the enterprises: if the organization is certified to ISO 9001:2008, the full designation should be used, not just ISO 9001 because latter one might concern either the 2008, or 2000 or 1994 version. 5.9 Continual improvement Continual Improvement is one of the cornerstones of the ISO 9000 standard and can be found in almost every single element. Every company selects its own approach on how to achieve this target because the right way of improvement actions is determined by several factors like speed of change, knowledge level of employees, application of tools, number of hierarchies and leadership style. Independent from this, the ISO 9000 standard demands that every single individual has to know the quality goals and how he or she may contribute to them. For this reason continual improvement has to be established on every level of processes and in every element of the QM handbook whereby three main levels of improvement can be subdivided:
Management review / Process management / Continuous improvement process


Top management improvement: this organisational level has to take care that the framework for a QMS in working order (effectiveness and efficiency) is permanently improved, products fulfil customer requirements and use mainly the instrument of management reviews which is described in the ISO 9000 standard (audit results, customer feedback, Process performance, product conformity, preventive and corrective actions, recommendations for improvement, etc.). Process owner improvement: as already mentioned, process owners have to take care of the optimum performance of their processes and have to monitor, measure and improve them continuously. The main instrument is the use of process oriented performance indicators. Employee improvement: every employee is responsible for producing the best possible quality (zero waste and zero defects) and for this reason continuous improvement process (CIP) activities like proposal systems or quality circles are established.

Many companies face the problem that after a successful certification audit everybody returns to normal business where continual improvement actions are reduced to a minimum. As mentioned above, the ISO standard demands permanent activities for continual improvement, which should animate companies to keep up their efforts for high customer satisfaction and efficient internal processes. It can easily be seen that both elements are definitely success factors of almost every company. Companies which use the QMS as their improvement driver develop success oriented QMS structures; in contrast to that so called certification QMS fulfil the minimum requirements but do not boost their company towards a quality leader on the markets. As a lesson learned many companies use internal audits (system audits, process audits, etc.) as a regular tool and discuss the results in the form of corrective and preventive improvement actions standardised in several management meetings. Companies that have achieved such an integrated improvement where the QMS is the main instrument for standardisation, measurement and improvement have reached one of the highest levels in QM.




As stated in chapter 4.2 of the present guidelines, ISO 9001 does not only consider customer requirements but also regulatory and legal requirement. In this framework sometimes a company in order to obtain an ISO 9001 certification must meet other requirements as well. These other requirements can be other management systems standards, European directives, technical standards or national laws, presidential degrees and directives.


Management system standards

ISO 14001: Environment al managemen t system

ISO 14001: Environmental management system belongs to the ISO 14000 series of international standards on environmental management. ISO 14001 is the standard that specifies the requirements for the certification of an organisation that has implemented an environmental management system. ISO 14001 is meant to develop a systematic management approach to the environmental concerns of an organization. The goal of this approach is continual improvement in environmental management. Requirements of ISO 14001 standard described in chapter 4 of the standard are categorised in: General requirements Environmental policy Planning Implementation and operation Checking and corrective actions Management review

ISO 9001 gives in Annex 1 the correspondence between the two standards.

EMAS: Eco Management and Audit Scheme is a voluntary standard designed by European Commission and intended to be used by both private and public organisations throughout European Union and European Economic Area. Since 2001 EMAS has integrated ISO 14001 as the environmental standard required by EMAS. EMAS aims at organisations that want to evaluate, report and improve their environmental performance.

EMAS: Eco Managemen t and Audit Scheme

HACCP: Hazardous analysis of Critical Control Points is a standard HACCP:


applying in the food industry. It aims at eliminating risks for health analysis of and hygiene related to all stages of the food industry: supplies, Critical Control manufacturing, storage and distribution.


HACCP involves seven principles: Analyse hazards. Identify critical control points. Establish preventive measures with critical limits for each control point. Establish procedures to monitor the critical control points. Establish corrective actions to be taken when monitoring shows that a critical limit has not been met Establish procedures to verify that the system is working properly Establish effective record keeping to document the HACCP system.

Although an American system, HACCP has been adapted by many European organisations and in some countries it is legally required. HACCP applies to all companies that produce, store and distribute food products.

OHSAS 18001 Health and Safety Management System is intended to help an organisation to control occupational health and safety risks. OHSAS 18001 was created by a number of the worlds leading national standards bodies, certification bodies, and specialist consultancies. OHSAS 18001 has been developed to be compatible with the ISO 9001 and ISO 14001 management systems standards, in order to facilitate the integration of quality, environmental and occupational health and safety management systems by organizations, should they wish to do so. OHSAS 18001 can be applied to all types of companies and organisations The OHSAS specification gives requirements for an occupational health and safety management system, to enable an organisation to control its risks and improve its performance. It does not state specific occupational health and safety performance criteria, nor does it give detailed specifications for the design of a management system.

OHSAS 18001: Health and Safety Managemen t System

ISO 17799: Information Security Management System is a comprehensive set of controls comprising best practices in

ISO 17799: Information

information security. It was published in December of 2000, based on the British standard BS7799 and since then it gained worldwide recognition in the information security industry. The ISO 17799 standard comprises ten prime sections: Security Policy System Access Control Computer & Operations Management System Development and Maintenance Physical and Environmental Security Compliance Personnel Security Security Organisation Asset Classification and Control Business Continuity Management (BCM)

Security Managemen t System

Within these sections are the detailed statements and clauses that comprise the standard itself. A company that operates in the construction industry, undertaking Example: public or private works that want to be certified with ISO Construction 9001:2000 standard in the framework of its quality management industry system should take measures for the occupational health and safety of its employees and for the protection of the environment. In this case the adoption of ISO 14001 and OHSAS 18001 standards are recommended. An enterprise that wants to implement a management system in the 3 domains (quality, security, environment) cannot do it separately: the two or three management systems must be connected and integrated. Frequently in SMEs, the same person is the manager of all the management systems implemented, for example quality and security. Norms in quality, security and environment are built on the same principles: processes approach, continual improvement this gives rules but also facilitates the building of an integrated system. ISO 9001 doesnt explicitly require other standards to be applied, However, the implementation and certification with the globally recognised international standards give the company a

competitive advantage.


European Directives and Technical Standards


European Directives and technical standards regulate European companies, products, processes and services. The new approach standardisation in the European internal market is a recent initiative that aims at bringing together the expertise of European Standards Organisation with that of the European Commission and EFTA. All directives and standards can be found In a single web site at This is a first step in promoting awareness of the role that standards can play in developing the single European market. European Directives and the associated standards regulate a number of different types of companies. For example we can refer to companies that produce, sell or use medical devices, construction materials, personal protective equipment, pressure equipment, toys, etc. Information on mandatory directives and standards can be found in the New Approach web site, National Organisations of Standardisation, Certification Authorities, Chambers of Commerce and in the relevant Ministries. Production, distribution and use of medical devices are regulated by the European Directive 93/42/EEC. The directive specifies the requirements that medical devices should conform with, the obligation for CE marking and the obligation for the company to have implemented a quality management system as well as a quality control system. In addition for special medical devices other standards apply such as: EN 1642:1996: Dentistry - Medical devices for dentistry Dental implants EN 50323:1999: General requirements for hearing aids EN 13503-8:2000 Ophtalmic implants - Intraocular lences

Example: Medical devices




audit: systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. audit criteria: set of rules, objectives and/or principles used as a reference for inspection actions (such as policies, procedures, requirements, etc.). audit program: set of audits planned for a specific time frame and directed towards a specific purpose. auditor: person with the competence to conduct an audit. availability: capability to realize a function in a specified time.

capability: ability of an organization, process or system to realize a product that will fulfil the customer and other interested parties requirements. characteristic: distinctive feature. competence: ability to apply knowledge and skills. concession: permission to release or use a product that does not conform to specified requirements. conformity: fulfilment of a requirement. continual improvement: recurring activity to obtain better results with harder objectives. control and inspection: set of operations required to evaluate nonconformity through observations and measurements. corrective action: action to correct a detected nonconformity, eliminating the causes which generated it. correction: action to eliminate a detected nonconformity (such as rework or repair). customer: organization or person that receives a product.

defect: non-fulfilment of a requirement related to an intended use (generally deduced by the customer according to the information communicated by the supplier), or specified by the customer. The distinction between the concepts nonconformity and defect is important as it has legal connotations particularly those associated with product liability issues. dependability: collective term used to describe the organization availability and its influencing factors. design and development: set of processes that transform requirements into the specifications of a product,

process or system. development: see Design. deviation permit: permission to depart from the originally specified requirements of a product prior to realization. document: supporting medium stating information.

effectiveness: extent to which planned activities are achieved. efficiency: relationship between the result achieved and the resources used.

information: meaningful data. infrastructure: system of facilities and equipment needed for the operation of an organization. inspection: see Control and inspection. interested party: person or group having an interest in the performance or success of an organization.

management: coordinate activities to direct and control an organization and/or part of it. measurement: activity to measure a quantity. measurement control system: system necessary to achieve metrological confirmation and control of measurement processes. measurement equipment: tools needed to operate the measurement process. measurement process: set of operations to determine the value of a quantity. metrological characteristic: distinguishing feature of measurement equipment. metrological confirmation: set of operations required to ensure that measurement equipment conforms to the requirements for its intended use. metrological function: function for defining and implementing the measurement control system.

nonconformity: non-fulfilment of a requirement.

objective evidence: date supporting the existence or verity of something. organization: group of people and facilities with an arrangement of responsibility, authorities and relationships.

organizational structure: arrangement of responsibilities, authorities and relationships between people in an organization.

preventive action: action to correct a potential nonconformity, eliminating the causes which generated it. procedures: specified way to carry out an activity or a process. process: set of interrelated activities which transforms inputs into outputs, producing added value. product: the result of a process. project: process consisting of a set of activities with start and finish dates undertaken to achieve an objective conforming to specific requirements, including time, cost and resources.

quality: degree to which a set of inherent characteristics fulfils customer requirements and of the other interested parties. quality assurance: set of correlated activities, part of the quality management system, capable to guarantee the observance of the requirements. quality characteristic: inherent characteristic of a product, process or system related to a requirement. quality control: set of related operations part of quality management, required to monitor results to quality and control requirement fulfilment. quality improvement: part of quality management focused on increasing the capability of the organization itself. quality management: coordinated activities to direct and control an organization with regard to quality. quality management system: management system to direct and control an organization with regard to quality. quality manual: complex document describing the whole quality management system of an organization. quality objective: objective related to quality. quality plan: document specifying which procedures and associated resources shall be applied to a specific process, product or project. quality planning: part of quality management focused on setting quality objectives and process definition. quality policy: overall objectives of an organization related to quality, as formally expressed by top management.

record: document stating results achieved or providing evidence of activities performed (for example, a control). release: permission to proceed to the next stage of a process. repair: action on a nonconforming product to make it acceptable for the intended use. Unlike reworking, repairing can involve specific parts of a product. requirement: need or expectation that is stated, generally implied or obligatory. review: activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives. rework: action on a nonconforming product to make it conform to the requirements.

scrap: action on a nonconforming product to preclude its originally intended use, such as destruction, recycling, etc. specification: document stating requirements. supplier: person or organization that provides a product. system: set of interrelated elements. T top management: leaders - a person or a group of people - managing an organization who establish objectives and try to achieve them. traceability: ability to trace history, application or location of that which is under consideration.

validation: confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled. verification: confirmation, through the provision of objective evidence, that the specified requirements have been fulfilled. W work environment: set of interacting variables constitute the contest where people work.



Standards ISO 9001:2008 ISO 9001:2000 ISO 9000:1994

Literature Joseph M. Juran. Jurans Quality Handbook 5th ed. Mac Grew Hill Brassard, Michael & Diane Ritter (1994). The Memory JoggerTM II. A Pocket Guide of Tools for Continuous Improvement & Effective Planning. First Edition. Salem, the United Sates of America: GOAL/QPC. European Committee for Standardization CEN (2000). Quality management systems Fundamentals and vocabulary (ISO 9000:2000). Management Centre: rue de Stassart, 36 B-1050 Brussels. European Committee for Standardization CEN (2000). Quality management systems Requirements (ISO 9001:2000). Management Centre: rue de Stassart, 36 B-1050 Brussels. ISOs Technical Committee ISO/TC 176/SC 2 (2001). ISO 9000 Introduction and Support Package: Guidance on the Documentation Requirements of ISO 9001:2000. Available at: Paris, Christopher (2003). The Complete Guide to Understanding & Implementing ISO 9001s Process Management Requirements. Part Two: Defining & Mapping Your Companys Processes. Available at: Secretariat of ISO/TC 176/SC 2 (2003): (Draft) ISO 9000 Introduction and Support Package: Guidance on Outsourced processes. Available at: Web references m_2002_en.pdf ndex_en.htm (SMEs in focus. Observatory of European SMEs 2002, European Communities, 2002)