History and Evolution of ISO 9000 Standards

Pre ISO 9000
During World War II, there were quality problems in many British industries such as munitions, where bombs were exploding in factories during assembly. The solution adopted to address these quality problems required factories to document their manufacturing procedures and to prove by record-keeping that the procedures were being followed. The standard was BS 5750, and it was known as a management standard because it specified not what to manufacture, but how the manufacturing process was to be managed. In 1987, the British Government persuaded the International Organization for Standardization (ISO) to adopt BS 5750 as an international standard. The international standard was named ISO 9000.

ISO 9000: 1987 Version
ISO 9000:1987 had the same structure as the British Standard BS 5750, with three ‘models’ for quality management systems, the selection of which was based on the scope of activities of the organisation:
• ISO 9001:1987 Model for quality assurance in design, development, production, installation, and servicing was for companies and organisations whose activities included the creation of new products
• ISO 9002:1987 Model for quality assurance in production, installation, and servicing had basically the same material as ISO 9001 but without covering the creation of new products.
• ISO 9003:1987 Model for quality assurance in final inspection and test covered only the final inspection of finished product, with no concern for how the product was produced.
ISO 9000:1987 was also influenced by existing U.S. and other Defense Standards (MIL SPECS), and so was well-suited to manufacturing. The emphasis tended to be placed on conformance with procedures rather than the overall process of management—which was likely the actual intent.

ISO 9000:1994 (Year 1994 Revision)
ISO 9000:1994 emphasised quality assurance via preventive actions, instead of just checking final product, and continued to require evidence of compliance with documented procedures. As with the first edition, the down-side was that companies tended to implement its requirements by creating shelf-loads of procedure manuals, and becoming burdened with an ISO bureaucracy. In some companies, adapting and improving processes could actually be impeded by the quality system.

ISO 9000:2000 (Year 2000 Revision)
ISO 9001:2000 combines the three standards 9001, 9002, and 9003 into one, called 9001. Design and development procedures are required only if a company engages in the creation of new products. The 2000 version sought to make a radical change in thinking by placing the concept of process management front and centre (”Process management” was the monitoring and optimising of a company’s tasks and activities, instead of just inspecting the final product). The Year 2000 version also demands involvement by upper executives, in order to integrate quality into the business system and avoid delegation of quality functions to junior administrators. Another goal is to improve effectiveness via process performance metrics — numerical measurement of the effectiveness of tasks and activities. Expectations of continual process improvement and tracking customer satisfaction were made explicit.

ISO 9000:2008 (Year 2008 Revision)
The new ISO 9001:2008 was published on 15 November 2008. ISO 9001:2008 uses the same numbering system as ISO 9001:2000 to organise the standard. As a result, the new ISO 9001:2008 standard looks very much like the old standard. No new requirements have been added. However, some important clarifications and modifications have been made.

As with the release of previous versions, organisations registered to ISO 9001:2000 will be given a period to transition to the ISO 9001:2008 standard, assuming changes are needed.

ISO 9000 — a way of managing for conformance
Quality assurance, according to the Standard, is a way of managing that prevents non-conformance and thus “assures quality”. This is what makes ISO 9000 different from other standards: it is a management standard, not a product standard. It goes beyond product standardisation: it is standardising not what is made but how it is made. To use standards to dictate and control how organisations work was to extend the role of standards to new territory. To take such a step we might have firstly established that any such requirements worked — that they resulted in ways of working which improved performance.
Yet the plausibility of this Standard, and the fact that those who had an interest in maintaining it were (and still are) leading opinion, prevented such enquiries. In simple terms the Standard asks managers to say what they do, do what they say and prove it to a third party.
ISO 9000 (1994) paragraph 1: “The requirements specified are aimed primarily at achieving customer satisfaction by preventing non-conformity at all stages from design through servicing.”
To put it another way, the Standard asserts that preventing non-conformance achieves customer satisfaction. But does it? Of course it matters to customers that a product works. But there is no guarantee that the Standard will ensure even that. Furthermore, customers take a total view of an organisation — how easy it is to do business with — in respect of all things of importance to each and every customer.
ISO 9000 requires managers to “establish and maintain a documented quality system as a means of ensuring that product conforms to specified requirements”. Loosely translated this is “say what you do”. Management is supposed to “define and document its policy for quality . . . including its commitment to quality”.
What management would not declare its commitment to quality? But would they know what it means? Would they argue (as they should) that quality management is a different and better way to do business, or would they believe that ISO 9000 will take care of quality? The Standard encourages managers to think of “quality” and “business as usual” as separate and distinct. It helps managers avoid the revelation that quality means a wholly different view of management. Instead, the organisation “shall appoint a management representative who, irrespective of other responsibilities, shall have defined authority and responsibility” [for ISO 9000]. At a practical level this means only one executive might decide he or she had better learn a thing or two about quality. However, would being responsible for ISO 9000 lead to learning about quality or simply enforcing the ISO 9000 regime in an organisation?
Key to the regime is auditing. The Standard requires organisations to conduct internal quality audits to “verify whether quality activities comply with planned arrangements”. This can be loosely translated as “do you do as you say?” and the purpose of the audit is to see that you do. It was not until the 1994 review that the words were changed to “quality activities and related results”. It was a Standard which was rooted in the philosophy of inspection: fifteen years after its initial promulgation the promoters sought to extend the focus to results. But results or improvements assessed by what means? Inspection. By the time the Standard was adopted world-wide, quality thinking had moved a long way from the philosophy of inspection. It is now understood, at least by a few, that quality is achieved through managing the organisation as a system and using measures which enable managers to improve flow and reduce variation (which we explore in chapters 5 and 7). The defenders argue that there is nothing stopping a company having ISO 9000 and implementing methods for managing flow and reducing variation, but where are such companies? Few of the companies we researched, formally and informally, knew anything about this thinking. The Standard does not talk about it; moreover, the Standard effectively discourages managers from learning about it by representing quality in a different way.
According to ISO 8402 (quality vocabulary), quality is:
“The totality of features and characteristics of a product or service that bear on its ability to satisfy stated or implied needs.”
Everything we have learned about ISO 9000 suggests that the people who created this definition were thinking about the things which need to be controlled, those things which “bear on its ability . . .”. The builders of the Standard assumed that customer needs would be listed in contractual agreements between the supplier and customer. ISO 9000 has a “make” logic — procedures for “how you do what you do” — and a “control” logic — check to see that it is done. It is a relic of the era when contractual agreements were perceived to be an important device for regulating the behaviour of suppliers. In these ways, ISO 9000 encouraged “planning for quality”.
Planning for quality sounds plausible, but it assumes many things: that the plan is the right plan, that it is feasible, that people will “do it”, that performance will improve. It is an approach which, paradoxically, leads to poor decisions. Planners of quality systems, guided by ISO 9000, start with a view of how the world should be as framed by the Standard. Understanding how an organisation is working, rather than how someone thinks it should, is a far better place from which to start change of any kind.

ISO 9000 Standards – Design and development

ISO 9000 Standards – Design and development

Planning the design and development of a product means determining the design objectives and the design strategy, the design stages, timescales, costs, resources and responsibilities needed to accomplish
them. Sometimes the activity of design itself is considered to be a planning activity but what is being planned is not the design but the product.

The purpose of planning is to determine the provisions needed to achieve an objective. In most cases, these objectives include not only a requirement for a new or modified product but also requirements governing the costs and product introduction timescales (Quality, Cost and Delivery or QCD). Remove these constraints and planning becomes less important but there are few situations when cost and time is not a constraint. It is therefore necessary to work out in advance whether the objective can be achieved within the budget and timescale. One problem with design is that it is often a journey into the unknown and the cost and time it will take cannot always be predicted. It may
in fact result in disaster and either a complete reassessment of the design objective or the technology of the design solution. This has been proven time and again with major international projects such as Concorde, the Channel Tunnel and the International Space Station. Without a best guess these projects would not get off (or under!) the ground and so planning is vital firstly to get the funding and secondly to define the known and unknown so that risks can be assessed and quantified.

Design and development plans need to identify the activities to be performed, by whom they will be perform and when they should commence and be complete. One good technique is to use a network chart (often called a PERT chart), which links all the activities together. Alternatively a bar chart may be adequate. There does need to be some narrative in addition as charts in isolation rarely conveys everything required.

Design and development is not complete until the design has been proven as meeting the design requirements, so in drawing up a design and development plan you will need to cover the planning of design verification and validation activities. The plans should identify as a minimum:
- The design requirements
- The design and development programme showing activities against time
- The work packages and names of those who will execute them (Work
packages are the parcels of work that are to be handed out either internally or to suppliers)
- The work breakdown structure showing the relationship between all the parcels of work
- The reviews to be held for authorizing work to proceed from stage to
stage
- The resources in terms of finance, manpower and facilities
- The risks to success and the plans to minimize them
- The controls that will be exercised to keep the design on course
Planning for all phases at once can be difficult as information for subsequent phases will not be available until earlier phases have been completed. So, your design and development plans may consist of separate documents, one for each phase and each containing some detail of the plans you have made for subsequent phases.
Your design and development plans may also need to be subdivided into
plans for special aspects of the design such as reliability plans, safety plans, electromagnetic compatibility plans, configuration management plans. With simple designs there may be only one person carrying out the design activities. As the design and development plan needs to identify all design and development activities, even in this situation you will need to identify who carries out the design, who will review the design and who will verify the design. The same person may perform both the design and the design verification activities, however, it is good practice to allocate design verification to another person or organization because it will reveal problems overlooked by the designer. On larger design projects you may need to employ staff of various disciplines such as mechanical engineers, electronic engineers, reliability engineers etc. The responsibilities of all these people or groups need to be identified and a useful way of parcelling up the work is to use work packages that list all the activities to be performed by a particular group. If you subcontract any of the design activities, the supplier’s plans need to be integrated with your plans and your plan should identify which activities are the supplier’s responsibility. While purchasing is dealt with in clause 7.4 of the standard, the requirements also apply to design activities.

ISO 14001 Standards Audit

ISO 14001:2004 emphasizes the continuous improvement of an environmental management system (EMS). The standard specifies requirements for an environmental management system to enable an organization to develop and implement a policy and objectives which take into account legal requirements and information about significant environmental aspects. The certification process ensures the conformance of your EMS against the international standard, as well as any organizational specific requirements that have been identified.

The ISO 14001 Standards audit consist of 2 stage registration audit process followed by surveillanceaudits, and ultimately a recertification audit. ISO 14001 Audits include on-site assessments of documents, data, records, activity and personnel. Process audit trails are followed by interviews of personnel responsible for the tasks and reviewing associated activity and records of occurrence. The audit trail will follow interactions between processes as well as the details of the process itself. Following are the stages of the audit process.

Pre-assessmentRegistration Audit – Stage 2Audit Findings• A review of action taken on nonconformities identified during the previous audit• A review of the continued effectiveness of the management system in its entiretyThe continued applicability to the scope of registration

The pre-assessment audit is an optional activity, outside of the registration process, it is highly encourages that any organization to undertake to evaluate the readiness to undergo the two stage registration process. That would optimally occur prior to the stage 1 and 2 audits.

Unlike the Stage 1 and Stage 2 activities you have full discretion as to which areas the preassessment should focus on and for the length of the pre-assessment. This activity allows your organization to become familiar with the audit process and helps prepare your employees for the registration assessment.

The auditor conducting the pre-assessment will typically return to the organization for the assessment. Similar to a ‘true’ audit, the end result of the pre-assessment will be a documented report identifying findings observed during the audit and a closing meeting to discuss the issues.

The pre-assessment activity allows you to correct any issues prior to beginning the registration process.

Assessment

New requirements for certification bodies have changed the registration process. Registration is now conducted in two distinct visits- Stage One and Stage Two- each of which has defined requirements that are outlined below.

Registration Audit – Stage 1

The stage 1 audit, conducted at your facility, is primarily performed for planning and determining the readiness of an organization to undergo a stage 2 registration audit. It also facilitates communicating any needs and expectations to the organization. Activities performed at a stage 1 audit include:

• Conducting a documentation review – This review determines if the organization’s EMS documentation adequately covers all the requirements of the ISO standard

• A review of the aspects and impacts and their significance and an evaluation of the facility(s) site specific conditions

• A review of your organizations non-conformance, preventive and corrective action system • An overview of applicable regulations

• Interviewing your organization’s personnel to assess their general readiness to undertake a stage 2 audit

• Confirming the applicability of the scope of the organization’s EMS

• Obtaining evidence that internal audits and management reviews are being planned and performed

• Providing focus for the planning of the stage 2 audit

If during the stage 1 audit any nonconformities are identified, the auditor will request a corrective action response (see Corrective Action Response).

The objective of the Stage 2 on-site audit is to assess your organizations’ adherence to your own policies, objectives, and procedures and to ascertain conformance to the requirements of the ISO 14001 standard. To accomplish this, the audit will address the implementation of all the elements of the standard. Review of documentation and records to support the implementation is an expected part of the assessment process. If non-conformances or opportunities for improvement are identified they will be documented in a report which will be presented to the organization during the closing meeting. The report will include the auditor’s recommendation regarding registration.

Any deviation from procedures or requirements of the standard will be identified as an audit finding, which will be documented in the audit report. The auditor will draw your attention to non-conformities as they arise so there will be no “surprises” at the closing meeting. Findings are categorized into three categories defined as follows:

• A major non-conformity relates to the absence or total breakdown of a required process or a number of minor non-conformities listed against similar areas. A major non-conformity at the Registration Audit – Stage 2 would defer recommendation for registration until that major has been closed.

• A minor non-conformity is an observed lapse in your systems ability to meet the requirements of the standard or your internal systems, while the overall process remains in tact.

• An observation or opportunity for improvement relates to a matter about which the Auditor is concerned but which cannot be clearly stated as a non-conformity. Observations also indicate trends which may result in a future non-conformity.

Corrective Action Response

ISO 14001 Standards requires corrective action responses from all Registration Audits. Once certification is achieved, dependant upon the extent and nature of the findings, your organization may be required to submit a corrective action plan, detailing your intent to correct the non conformity.

The auditor may also recommend that your organization submit objective evidence to support the to verify closure may be required.

It is recommended that all non-conformities are addressed within your internal corrective action system. Typically, opportunities for improvement would be addressed as preventive actions by your organization.

closure of the finding. In certain circumstances such as a major non conformity an on site activity

Surveillance Audits

Company shall conduct Surveillance Audits on an annual or semi-annual basis. The purpose of the Surveillance Audit is to ensure that the EMS continues to conform to both the organizations’ and the ISO 14001 requirements. Certain processes will be reviewed at each surveillance including:

• Internal audits and management review

• Customer and interested parties communications

• Effectiveness of the management system in achieving defined objectives

• The progress of planned continual improvement activities

• Continuing operational control

• A review of any changes made by the organization which may have impact on the registration

• Use of accreditation and certification body logos provided to the organization upon registration

• objectives, targets and programs

• evaluation of compliance

Re-assessment Audits

The accreditation body requires that a recertification audit be carried out every three years. The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of activity.

Recertification audits review the performance of the EMS over the registration period, and include a review of previous surveillance audit records. The recertification audit includes the following:

• The continued relevancy of the organization’s policy and objectives

• The continued effective interaction between the processes of the management system

• A review of internal audits, management reviews, document changes during this certification period