
Verifying the Effectiveness of Corrective Action

By Craig Cochran - North Metro Atlanta Region Manager, Georgia Tech Enterprise Innovation
Institute
When I first got into quality, I really hated verifying the effectiveness of actions taken to correct a
problem. After all, I was young and inexperienced. All of the people whose actions I was verifying
were older, wiser, and more experienced than I was. Who was I to say that their actions were
effective or ineffective? My assumptions were as follows:

If they said they did something, then they certainly did it.

Whatever they did was directly related to the problem causes, or they wouldn't have done it.

The action must have been effective; they would have told me otherwise.

All of these assumptions had to be correct, because I was working with seasoned professionals,
right? Ha! Boy, did I learn a lesson.
People just want to get paperwork off their desks or out of their in-boxes as quickly as possible.
Taking actions on problems is one of many responsibilities that people have and, unfortunately, it's
not always top priority. That's why it's crucial that action be carefully verified. Verification is not an
act of suspicion or disrespect; it's simply a necessary part of problem solving.
What exactly is being verified? You are seeking evidence that the causes of the problem have been
removed or reduced. In a perfect world, each problem cause would be removed. Poof, it's gone.
This is not always possible, though. Sometimes the best you can hope for is a reduction of the
causes. The cause is still there, but it manifests itself less frequently or less severely. So the best
option is to remove the cause, but the next best option is to at least reduce the cause.

Evidence
The key to verification is evidence. You are seeking objective, factual evidence that your problem
causes have been reduced or removed. This evidence usually takes the form of data or records.
Another powerful form of evidence is your own first-hand observations. That's not to say that you
can't accept verbal evidence, but records, data, and first-hand observations are certainly better.
The exact amount of evidence depends on the magnitude of the problem. Broader and more severe
problems lead to more profound solutions, which in turn require more evidence to verify
effectiveness. It is a simple matter of scale. The scale of verification must match the scale of the
actions taken.

It's important to note that you're sampling evidence. You're taking a representative subgroup of all
the available evidence. A 100-percent investigation of evidence is not necessary or particularly
effective. Take what you believe to be a balanced and representative sample of the evidence.
Shown in figure 1 are some examples of evidence to sample, all related to a problem with orders
being late.

Problem: Late Orders

Evidence - Type of Sample

Service records - Review 10 service records from last week to see if work was performed on time

Customers - Contact three of the customers who reported late orders and see if they have noticed an improvement

Procedures - Review the service procedures to see if they've been revised to include recently implemented improvements

Employees - Interview three employees at random. Make sure they understand what has been done to reduce late orders and their roles in implementing the improvements

Training records - Review the training records of these same three employees to see if they received training in the revised methods and procedures

Figure 1: Examples of evidence


The evidence in figure 1 is a broad survey of indicators related to the "late order" problem. If we
positively verify this evidence, then we can logically conclude that the actions were effective. Of
course, the specific type of evidence and sample sizes will vary, depending on the nature of the
problem and the magnitude of actions.

Verification Method
You don't just show up in a department and start asking for evidence. That's a formula for frustration
and ill will. Instead, give people notice that you're coming. If you show up unannounced, there is a
chance that nobody will be available to assist you by providing evidence. Providing some notice also
removes the "Gotcha!" aspect that sometimes accompanies verification activities. Surprise
verifications are not needed, as a broad-based examination of evidence will always reveal the true
state of corrective action effectiveness.

Communication about the verification process will remove roadblocks and smooth your path. The
following telephone conversation illustrates the type of communication to engage in prior to
verification of effectiveness of corrective actions.

You: "Hello, Jill. Do you mind if I drop by your department today and verify the effectiveness
of actions you've taken on the late order problem?"
Jill: "Uh, I guess not. How long will it take?"
You: "It shouldn't take long at all. I just need to sample some evidence related to our
actions."
Jill: "Do you suspect that we didn't take action?"
You: "No, of course not. I just can't close-out the issue until we know if our actions have
been effective. We're also going to Jim's department tomorrow to do the same thing. You're
not being targeted, I can assure you."
Jill: "Okay, I understand. Drop by around 10 a.m. and we'll be happy to show you what
we've done."
You: "Thanks for all your cooperation. I'll see you about 10."
As this discussion indicates, people don't always understand the intent of verifying effectiveness.
They may think it's vindictive or personal, and you want to remove this misconception as quickly as
possible. Your verification of effectiveness will be objective, factual, and impersonal. Make sure
everybody understands that prior to your arrival. Your verification will go much smoother.
Once you're in the department, what exactly are you going to verify? Obviously, the evidence
will differ on a case by case basis, but here are some of the most common verification points:
Did the actions address problem causes, instead of just symptoms? - Taking action on
symptoms is akin to putting a band-aid on a serious wound: it does nothing to treat the underlying
causes. The actions taken must get beyond the superficial symptoms and address the underlying
causes of the problem, removing or significantly reducing them. The single biggest reason for
problem-solving failure is action on symptoms instead of true causes.
Are the actions fully implemented? - Speak to the people responsible for planning and taking
action. Have their plans been fully implemented? Are there steps that are pending? What obstacles
exist? You can't verify effectiveness until actions have been fully carried out.
Have procedures been revised or developed? - Improvements don't stick unless they are made
the new norm. Make sure that all relevant documentation reflects the new methods put in place by
the corrective action.

Are employees aware of and knowledgeable about the changes? - If a process has been
improved, employees will typically know about it, especially if they are responsible for implementing
the change. Speak to employees in the work area and see if they're familiar with the changes and
their roles in implementing them. Awareness of improved methods may come from formal training
processes or through informal communications. If formal training is used, then records of training
would be another type of evidence that could be verified.
Are products or outcomes improved? - This is the bottom line: Have the products been improved?
An improved process should ultimately lead to improved products. Is there evidence that this has
happened? What do records and data indicate? Hearsay and verbal affirmations can't be used to
prove that products have been improved.
Has measurement or monitoring been established? - The effectiveness of some corrective action
can't be known without ongoing measurement or monitoring of the process. In these cases, have the
controls been set and put in place? What do the measurements indicate? Does the data indicate the
process has improved and stabilized to the new level?
What is the customer's perception of an improvement? - Perceptions are everything. Have
customers noticed a change in the quality of goods or services? Keep in mind that these could be
internal or external customers. Locate the applicable customers and get their opinions. If customers
have not noticed an improvement, it can be logically argued that the actions have not been effective.
Has the problem reoccurred? - If the problem continues to occur at the same level as before, then
the corrective action is not effective. Only data and records can be used to prove a lack of
recurrence.
Is top management aware of the corrective action? - Top management isn't expected to be aware
of every corrective action in the organization, but they should be aware of the large ones and overall
trends. Top management awareness would certainly help support a determination of full
implementation and communication.

Ineffective Actions
It's unfortunate that in reality not everything you verify will be effective for improvement. The most
common reasons for this are because solutions didn't work, or the problem-solving actions were
never fully implemented, or the corrective actions were aimed at the problem's symptoms instead of
its causes. When you determine that actions are ineffective, be diplomatic and forthright. Tell the
process owner why you believe the actions are ineffective and describe the evidence that led you to
that conclusion. Get the process owner's perspective on the situation. Through an interactive
discussion, you usually arrive at an agreement about effectiveness or, in this case, the lack thereof.
Once an agreement has been reached and the facts are clear, determine the next steps to take.
Usually the next steps involve revisiting the identification of the causes, and planning and
implementing a new plan of action. It's possible that you may need to facilitate the new corrective
action. A little bit of coaching can go a long way, especially when the person taking action has hit a
roadblock and isn't clear how to proceed.
If called upon to facilitate a corrective action that was initially ineffective, here are some principles to
reinforce:
Planning ensures success. - The better the plan for implementation, the more likely the action is to
be successful. Many people will define their plans in broad, sweeping terms without providing
adequate details to enable implementation. For example, to say, "Install a new blower above the No.
3 oven," sounds clear, but there is a world of complexity within that single statement. It's often easier
to break large actions into bite-sized tasks delegated to employees who can be assigned
responsibilities, resources, due dates, and reviews.
Communicate early and often. - When planning action, build frequent communication into the plan.
This communication can be in many different forms (e.g., meetings, formal reviews, teleconferences,
e-mail updates, written reports). Frequent communication makes it harder for commitments to
fall through the cracks. Visibility and transparency are the allies of effective action.
Stay focused on the causes. - When entering the later phases of problem solving, actions take
center stage and the causes tend to fade in significance. Fight this tendency. It's critically important
that everyone remember exactly what causes are being removed or reduced. Examine and reexamine the actions to make sure they're affecting the underlying causes of the problem, not just the
symptoms.
Get creative. - When actions are ineffective, it's often because what we've chosen to do is tired and
stale. They're the same old actions people tried years ago that didn't work then and don't work now.
What is needed is a big dose of creativity. One of the easiest ways to trigger creativity is to bring
new and more diverse people onto the problem-solving team. An injection of new blood will often
make the difference. Another effective creativity technique is doing a second brainstorming session
on the causes. Sometimes ineffective actions produce a deeper understanding of what is causing
the problem.
Make change happen. - Effective solutions will regularly change the way work is done. Ineffective
solutions are often the result of retraining on old methods, reinforcing flawed procedures, and
asking people to try harder. None of these actually change anything. Is it any wonder that the
problem persists? If we fail to change the work, we usually fail to reduce or remove the problem.
Your role is to be a thinking coach. Help the team look at the problem and its causes from a new
perspective. Injecting a little fun and humor into the process also helps at this point. After all, team
members do become frustrated. Humor and fun are brain lubricants, and brains need all the
lubrication they can get during problem solving.

Copyright 2009 Craig Cochran. Republished with permission.


This article first appeared in the June 17, 2009 issue of Quality Digest Daily, available online at

Management systems are sometimes misunderstood as nothing more than a heavy administrative
burden providing limited business benefit. In fact, many organizations with management systems
in place haven't effectively defined the processes they actually employ at all. Perhaps it's because
they think management systems only pertain to standards, and ISO 9001 is separate from how we
run the business.

By maintaining these beliefs, organizations are missing out on significant opportunities to improve
their existing processes. This also brings the value of the ISO standards into question. How can an
international standard unite with a strategic business plan and facilitate process improvement, and
thus, efficiency?

Using the process approach


The process approach is more than an auditing technique: It's a philosophy. It means shifting focus
away from basic compliance to embrace an improvement mindset. When already-established
activities and related resources are managed as a process, there's no need to invent unnecessary
paperwork just to show compliance. Any paperwork required for an audit is documentation
necessary for quality management anyway; it's simply documentation of processes currently
employed to produce the desired output.
A process is commonly defined as a number of reproducible, interacting activities that together
convert an input into an output.
An input is something that drives or starts the process, such as people, resources, or materials.
Multiple inputs can, and usually do, exist.
An output is a deliverable resulting from the process, addressing the expectation of a customer
(either external or internal). Typically an output is a product, a service, or the input into another
process.
The process approach is a review of the sequence and interaction of processes and their inputs and
outputs. It looks at the management system not just as a document, but also an active system of
processes that addresses business risk and customer requirements. A process-based audit would
ask questions such as, "Who is the process owner?", "What are your customer requirements?", and
"How do you demonstrate improvement?" Not, "Show me your procedure."

The turtle diagram


A turtle diagram is just one of the auditing techniques that can be used to evaluate a process.
Asking "with what," "with whom," "how," and "how many" results in evidence of effectiveness,
measurement to goal, evaluation of internal and external customers, and a focus on deliverables.

Figure: Turtle diagram

"With what" names the tools, equipment, and resources needed to perform an activity. This could
include software, hardware, and support from other departments.
"With whom" defines the human resources required for performing a task. This includes a
definition of competency requirements such as skills, education, experience, and training.
"How" identifies all the supporting documentation that may exist to support this process.
"How many" is process monitoring, i.e., identifying the measurements needed to assess the
effectiveness of the process in support of the business plan. There should be evidence of continuous
improvement and corrective action in the process.
Process analysis with the turtle diagram can encompass many elements, including:
Activities
Resources and links
Methods and tools
Measurements
Regulatory requirements applicable to the process
Risks associated with the process
Effectiveness and efficiency
Customer requirements, both external and internal
The results of the turtle diagram yield many benefits to the business. First and foremost, it provides
process measurements that can be linked directly to the organization's strategic plan. It provides a
means to assess both external and internal customer expectations, as well as any business risks
associated with the process. It allows for use of the plan, do, check, act (PDCA) cycle as it applies to
the process. And finally, it allows for an important deliverable to the management team: a SWOT
analysis.

SWOT analysis
SWOT is a business tool that translates ISO language into a format that senior management can
more easily understand. A SWOT analysis provides feedback on the organization's strengths,
weaknesses, opportunities, and threats to the organization. This approach is widely used to assess
risks, benchmark competitive differentiators, and determine new business strategy.
A SWOT analysis looks at:
Strengths, present view. Best practices and benchmarks; learn from these and apply them to other
processes.
Weaknesses, present view. Areas that comply but are not fully effective, and therefore require
correction.
Opportunities, future view. Areas of improvement to consider.
Threats, future view. Areas of high risk and noncompliance.
The results of this analysis can be summarized in a SWOT diagram, such as this one:

The effect of the process approach


Any organization seeking to certify its management system must still meet the requirements that
are presented in the appropriate standard. But the standard by itself doesn't necessarily add value
to the organization, or bring benefit to senior management. By assessing the effectiveness of
operational processes in achieving overall company goals and objectives, the concept of risk is now
being considered.
What's more, it results in solid feedback that's presented in a language that the management team
can understand.

A process-based management system isn't an administrative burden. In fact it's a necessity for a
truly competitive business. It's a critical tool that provides continuity throughout operations,
forming the link between policy, requirements, performance, objectives, and targets.
David Muil is the director of business development for Intertek's Business Assurance group, a
Quality Digest content partner.

Objective Auditing Meets ISO 9001:2015


How auditors can help organizations understand context and risk
Objective auditing has always been a challenge, and this is especially true now for ISO 9001:2015 audits. To better
meet customer expectations, fundamental changes have been introduced to the standard to address current
business realities and advancements in technology. Much of the responsibility of meeting the new requirements
falls on leaders, and a careful, objective audit to the standard can help them.
It's human nature that with knowledge and experience comes a touch of ego, but an auditor with an ego can be a
liability. Experienced auditors must guard against a tendency to add subjective opinions to their audit reports and
focus instead on providing objective inputs. In this way they can help leaders make rational, objective decisions.
This challenge is further compounded for auditors experienced in auditing to ISO 9001:2008, with its emphasis on
preventive action. ISO 9001:2015 no longer addresses preventive action but instead focuses on establishing risk-based thinking throughout the management system. What's the best way to audit this?
The starting point for corrective action (CA) is the nonconformance report (NCR). A well-written NCR clearly
states the standard's requirement, the objective evidence for citing the nonconformance, and a description of the
failure that occurred. If at this point an auditor allows his experience to bias what he expects should happen
instead of sticking to the requirement, management ends up with a subjective input.
A closed NCR provides data that management can analyze for possible trends, which can then be addressed by
preventive action. For previous editions of ISO 9001, that was the fundamental base of a successful management
system: Basically, data drove trends and preventive action.
With ISO 9001:2015, preventive action has been replaced by risk-based thinking, which requires a more dynamic
role for leaders. They must understand and continuously assess risks at every stage, mitigating them and
considering opportunities for improvement (OFI). This is important to do even before the planning stage of the
plan-do-check-act (PDCA) cycle, by first understanding the context of the organization.
Leaders' understanding of the context of the organization, as well as their ability to assess risk and consider
opportunities for improvement, need to be audited. Auditors must be especially careful here and not jump in and
confuse management by offering their own opinions. ISO 9001:2015 has strengthened the leadership role, not
weakened it, and by offering subjective advice, auditors could jeopardize this. They must limit their role to
providing objective NCRs and allow management to make the decisions.

Understanding the organization in context


Per clause 4 of ISO's Annex SL, ISO 9001:2015 and other ISO standards require an organization and its leadership
to understand the context of the organization when determining key management system elements such as the
scope of the system (clause 4.3), processes (clause 4.4), the quality policy (clause 5.2), and planning, objectives,
risks, and opportunities (clause 6). For more about this, see also ISO/DTS 9002, Quality management systems -
Guidelines for the application of ISO 9001:2015.
So what, then, is this "context of the organization"? Put simply, leaders must thoroughly understand the relevant
internal and external issues, both positive and negative, that can affect their organization's ability to achieve
intended results. Consequently, they must monitor and review these issues regularly.
Leadership also has a tremendous responsibility in being fully aware of the risks to the organization. An
understanding and appreciation of the context of the organization can help with this, particularly if it's undertaken
before the planning stage of the PDCA cycle. When fully appreciated, the context will not only promote more
robust plans but also highlight inherent risks that can provide opportunities for improvement and innovation. This
is vital in the success of the organization.
When organizations undergo mergers and acquisitions, relocate, outsource large parts of their business, or change
their products, the context of the organization changes. The internal and external factors change. Leadership must
understand the implication of these changes in the context of the organization. Doing this will also allow them to
see the risks and perhaps opportunities for improvement.
It's like going into battle. A lot of things must happen before troops are deployed. For example, the logistics of
deploying troops in harsh terrain surrounded by hostile countries, and the chances that they may fail, must be
considered. If the risk is too great, then perhaps the nation's diplomats should first reach out to surrounding
countries to create a safe corridor for supplies or retreat. This diplomacy might uncover opportunities for better
relations with these states. The risk might also require intelligence agencies to assess conditions on the ground.
Thus prepared, the military leadership can best ensure the mission's success.

Similarly, business leaders have to understand the context of their organizations clearly when they develop a
quality management system and before proceeding to the act stage of PDCA. This understanding will provide the
foundation for determining key QMS elements.
Information about internal and external issues affecting the outcome of the QMS in the context of the organization
should be collected from all sources. These may be from internal documents and meetings, national and
international press, various websites on the subject, publications from national statistics offices and other
government departments, and professional and technical publications, conferences, and meetings. Other resources
include think tanks, professional associations, and independent subject matter experts. Many sources are available,
and leaders need to consider all relevant ones to make the best assessment of potential organizational risk.
Internal issues to consider are resources such as infrastructure, the environment for operations, and organizational
knowledge. Competence of employees, organizational culture, and perhaps the relationship with unions should be
included. There are also delivery capabilities, customer evaluations, and management issues such as decision
making and organizational structure.
External issues that might affect the organization include macro-economic factors such as money exchange rates,
the economic situation, inflation forecast, and availability of credit. Then there are social factors such as local
unemployment rates, safety perception, education levels, work ethics, and political factors. Existing international
trade agreements, including sanctions, might affect the outcome of the organization's performance in meeting
objectives. Competition as it relates to market share might require study. Relevant legislation also must be
considered.
An organization that understands what it does, and how various internal and external issues affect how well its
QMS meets requirements, is better placed for success. Auditors can best help organizations by establishing,
through objective auditing, that these requirements are met.

Organizational knowledge
ISO 9001:2015's clause 7.1.6 has introduced a new requirement: organizational knowledge. When auditing this,
auditors must keep in mind not only the existing context of the organization but also the changing context, if
relevant. The organization when addressing changing needs and trends must consider its current knowledge and
determine how to acquire or access any necessary additional knowledge or required updates. Going forward with
changes, mergers, acquisitions, or moving operations globally without assessing the risks introduced by lack of
knowledge can mean the difference between success and failure. Both internal and external sources for knowledge
as mentioned above are relevant here. Future needs and their relationship to innovation are also mentioned in the
standard's introduction.

Evidence-based decision making

When determining conformity of a management system to ISO 9001:2015, auditors will need to ascertain that all
aspects of the management system adopt both the PDCA cycle and risk-based thinking. Per the standard's
introduction, auditing should reveal that the processes have been adequately resourced and managed, and
opportunities for improvement are determined and acted on. Auditors must also confirm that the organization's
leadership has considered risks and encouraged risk-based thinking to determine the factors that could cause the
system (i.e., processes) to deviate from planned results.
The first phase of a system audit, during which the auditor interviews top management with systematic and well-thought-out audit questions, is vital to establish that management clearly acknowledges its role in understanding
the context of the organization and how it influences the required customer focus. Employees must also
understand the expectations of management. To successfully engage employees in a customer focus, company
policies must smoothly flow into measurable objectives. Auditors must prepare well to audit top management and
determine its commitment to the process approach and continual improvement. A system that doesn't require
management reviews periodically to establish that the PDCA cycle is in place even at this level means that leaders
are at risk of making subjective decisions. During their interview of top management, auditors must be able to
establish conformity to evidence-based decision making.

Conclusion
There is much more to auditing than looking for nonconformities. Auditors must also understand how the context
of an organization relates to quality management principles. If they do, then they will look for conformities in the
management system to ISO 9001:2015 requirements. If during this audit they do find nonconformities based on
requirements, they must provide well-written NCRs to encourage a process-based management system. An
objective audit will enable management to better use the system to consistently meet requirements, and the
processes themselves will add value, help mitigate risks, and create opportunities for improvement.

A summary of the key changes


ISO 9001:2015 includes a number of significant changes that must be considered by organizations certified to the
current version of the standard. Those changes include:
The importance of stakeholders. The revised standard adopts a stakeholder approach to quality
management, and focuses on stakeholder relationship management (SRM). As such, organizations are required to
identify the issues and requirements of relevant stakeholders when developing their QMS. The concept of SRM can
extend beyond customers to include employees, suppliers, partners, and even regulatory authorities.

Expanded role for leadership. By expanding the scope of what it terms "management responsibilities," the
revised standard clearly places overall responsibility and accountability for an organization's QMS with senior
leadership. While leadership may appoint a representative to manage quality system-related activities, they retain
ultimate responsibility for implementation consistent with the standard's requirements.
A risk-based approach to quality. ISO 9001:2015 adopts a risk-based approach to various requirements
throughout the standard. However, it doesn't require the application of a standardized risk management approach,
and contains no clauses that detail specific requirements for preventive measures.
An increased emphasis on process. ISO 9001:2015 strengthens the importance of applying a process
approach in developing, implementing, and improving the effectiveness of an organization's QMS. As such,
organizations will now be required to define inputs and expected outputs of each process, and to identify key
performance indicators.
Greater documentation flexibility. The terms "documents" and "records" are being replaced with the term
"documented information." This change is intended to provide organizations with greater flexibility in describing
their QMS. In addition, the current requirement for documented procedures will no longer be mandatory.

Potential nonconformities and other challenges


Organizations currently certified to the 2008 version of ISO 9001 will have up to three years to modify their
current QMS to comply with the requirements of the revised standard and to achieve recertification. However,
adapting to the changes in the revised standard is likely to pose a number of specific challenges, including the
following:
Getting leadership involved. The requirement for increased leadership oversight and accountability for an
organization's quality management system may well represent the biggest challenge. Meeting the threshold of this
requirement involves the full engagement of leadership team members, as well as an understanding of the role that
a commitment to quality plays in achieving organizational goals, and training on the particulars of an effective
QMS.
Addressing root cause issues. The increased emphasis on process requires a significant effort to identify and
investigate root cause issues that affect performance and require corrective actions. However, most organizations
arent sufficiently trained in root cause analysis, and may struggle to develop and implement processes that
uncover the underlying basis for nonconformities that are identified.

Here is a summary of records requirements in ISO 9001:2015:


24 records are required in ISO 9001:2015. This is compared to 21 records required in ISO
9001:2008. Some of the 24 records required by ISO 9001:2015 are actually repeat requirements,
listed twice in the current version of the standard.
20 percent of all the record requirements come from section 8.3, Design and development of
products and services. That amounts to five records, which is the same number required by ISO
9001:2008.
A completely new record that is required in 9001:2015 is found in section 8.5.6, which concerns
retained information on changes, including the review of changes, persons authorizing the change,
and necessary actions arising from the change.
ISO 9001 continues its redundant ways. In two separate places ISO 9001:2015 requires records of
evidence of processes being carried out effectively, once in section 4.4.2 and again in section 8.1.e.1.
More redundancy: ISO 9001:2015 requires records in two separate places that demonstrate
conformity of products and services processes, once in section 8.1.e.2 and again in section 8.6. Why
the redundancy? My personal opinion is that this wasn't intended. Rather, I suspect it was sloppy
editing. There's no compelling reason to declare twice that inspection records must be maintained.
Five of the records in ISO 9001:2015 have qualifiers. These are "to the extent necessary" and "as
applicable." They imply that it's up to the organization to decide if it truly needs the records to
demonstrate conformity. They aren't absolute requirements.
One item, design outputs, is listed as retained documented information (i.e., a record) when it's
actually a document. Design outputs are living information such as specifications, engineering
drawings, recipes, formulas, and bills of material. Since they're living, they're subject to revision,
meaning they are documents. Nonetheless, as long as the organization manages design outputs in a
consistent manner (as either a document or a record), it should be fine.
A handful of requirements would be virtually impossible to have evidence of without records, and
yet ISO 9001:2015 doesn't require records for them. These include context of the organization (4.1),
interested parties (4.2), planning of changes (6.3), and customer feedback (9.1.2).
One of the strangest record issues of all is the omission of calibration records in ISO 9001:2015.
This has been replaced by the requirement to retain information on "fitness of purpose" for
measuring instruments, which would include calibration, among other possible activities. I expect
many people implementing ISO 9001:2015 will get a bit confused by this.
Don't let anyone tell you that the correct terminology is "retained documented information." If
you like that term, then by all means use it. If you prefer the term "records," you can use that in its
place. Always remember that documents and records are two different things. That one fact alone
will make any QMS easier to use and understand.

Retained information (i.e., records) required in ISO 9001:2015


| Section No. | Category | Requirement | Qualifier |
|---|---|---|---|
| 4.4.2 | QMS and processes | Retain information on processes carried out effectively (a blanket requirement) | to the extent necessary |
| 7.1.5.1 | Calibration | Retain information on fitness of purpose for measuring instruments | none |
| 7.1.5.2 | Calibration | Retain information on basis for calibration where no standards exist | none |
| 7.2. d | Competence | Retain information as evidence of competence | none |
| 8.1 e 1 | Operations | Retain evidence of processes being carried out as planned | to the extent necessary |
| 8.1.e 2 | Operations | Retain information to demonstrate conformity of products and services | to the extent necessary |
| 8.2.3.2 a | Sales | Retain information on the results of review of customer requirements | as applicable |
| 8.2.3.2 b | Sales | Retain information on any new requirements for products and services | as applicable |
| 8.3.3 | Design | Retain information on design inputs | none |
| 8.3.4 b | Design | Retain information on design reviews | none |
| 8.3.4 c | Design | Retain information on design verifications | none |
| 8.3.4 d | Design | Retain information on design validations | none |
| 8.3.5. | Design | Retain information on design outputs | none |
| 8.3.6 | Design | Retain information on design changes (e.g., reviews, authorization, and actions to prevent adverse impacts) | none |
| 8.4.1 | Purchasing | Retain information on the evaluation, selection, monitoring of performance, and reevaluation of external providers | |
| 8.5.2 | Traceability | Retain information necessary to enable traceability | none |
| 8.5.3 | External property | Retain information on customer or external provider property that is lost, damaged, or unsuitable | none |
| 8.5.6 | Change management | Retain information on changes, i.e., review of changes, persons authorizing, and necessary actions arising | none |
| 8.6 | Product release | Retain documented information on the release of products and services, including evidence of conformity and traceability to person authorizing release | none |
| 8.7.2 | Nonconforming products | Retain information on nonconforming products, including description, actions taken, any concessions, and authority deciding on action. | none |
| 9.1.1 | Monitor and measure | Retain evidence of results of monitoring and measuring (a blanket requirement) | none |
| 9.2.2 f | Internal audit | Retain evidence of implementation of audit program and audit results | none |
| 9.3.3 | Management review | Retain evidence of the results of management review | none |
| 10.2.2 | Corrective action | Retain evidence of nature of nonconformity, any actions taken, and results | none |

This is a good time to emphasize a few notions about risk. Risk in ISO 9001:2015 and ISO 14001:2015 is general,
that is, it is a concept that can be applied anywhere in an organization, including planning (Clause 6.0), i.e., the
setting of objectives as it is defined in ISO 31000. Risk can be described as a potential event that can be expressed
in terms of consequence, impact, or severity of the impact and its related likelihood of occurrence.

Use of risk in ISO 9001:2015


"Risk" appears in the normative parts of ISO 9001 eight times, and "risk-based thinking" appears once. "Risk" and "risk-based thinking" appear many times more when we study the informative portions of the standard, e.g., the
introductory sections and the appendix.

| Clause number | Title | Explanation |
|---|---|---|
| 4.4.1 | No title (under 4.4, QMS and its processes) | QMS process risk and opportunities |
| 5.1.2 | Customer focus | Risk and opportunities that can affect conformity of products and services; this, then, is quite broad |
| 6.1 | Actions to address risks and opportunities | Appears in title |
| 6.1.1 | No title | Consider risk and opportunities as they relate to the context of the organization and interested-party expectations so that the QMS achieves its intended results, i.e., its objectives, including improvement. This is the definition that now appears in ISO 31000. |
| 6.1.2 | No title | Appears twice: Plan actions to address risk and opportunities, including their effectiveness; and actions taken shall be proportionate to the potential impact. |
| 9.1.3 | Analysis and evaluation | Effectiveness of actions taken to address risk and opportunities |
| 9.3.2 | Management review inputs | Effectiveness of actions taken to address risk and opportunities as it relates to Planning (6.1) |

Table 1: ISO/FDIS 9001:2015 requirements for risk

The table seen above explains the requirements of ISO/FDIS 9001:2015 for risk and opportunity analysis within
the organization. The concept of risks and opportunities, which emphasizes identifying potential problems as well
as opportunities for improvement, needs to be applied to QMS processes, the conformity of products and services,
and planning QMS objectives, including setting out actions for improvement plans and evaluating their
effectiveness.
Process risk and planning risk: Ref. Clauses 4.1 and 6.1
When the requirements of ISO/FDIS 9001:2015 are studied, these are the relationships indicated as they relate to
QMS processes and planning:

Product and Process Risks and Opportunities: Ref. Clause 5.1.1


Risk as it relates to product and process conformance can be quite broad. The following are some areas where risk
is usually addressed by organizations:

ISO 9001:2015 mandates


ISO/FDIS 9001:2015 requires companies to address risk and opportunities as they relate to QMS processes
(Clause 4.4.1), planning (Clause 6.1), and product risks (Clause 5.1.2). The effectiveness of risk management and
opportunities for analysis must be evaluated (Clause 9.1.3). Also, the effectiveness of the actions associated with
objectives or planning must be included in the management review (Clause 9.3.2).

Omnex suggests that organizations integrate risks and opportunities into their organizational processes (i.e., QMS
processes). Risks and opportunities must be integrated into the planning process (Clause 6.1), as shown below for
business planning, or for setting organizational goals and objectives. Omnex calls this process the business
operating system (BOS). It identifies key processes and conducts risk analysis on them because they affect the
organization's overall objectives.

For managing risk in products and services, we suggest the following methodologies. First, it's important that a
project is evaluated for overall risk, particularly how risk relates to new products, suppliers, and technology.
Second, it's also important to use tools such as failure mode and effects analysis (FMEA), and product and process
design risk to evaluate risk within the context of the new-product development process. FMEA, along with control
plans, identifying critical and significant characteristics, process capability, and measurement system analysis, are
proven techniques that can help organizations reduce risks. Results have shown that customer nonconformances
will drop significantly, into the range of 10 to 60 parts per million (PPM).

Auditing risk
Auditors must be flexible when auditing a QMS for conformity to ISO 9001:2015's risk-based thinking. There are
no requirements in the standard for a risk management process or methodology, so auditors have been concerned
that auditing a QMS will be difficult. Let's examine the standard's planning process for organizations. Following
are some of the questions auditors can ask when auditing a QMS:
1. Does the organization identify internal and external issues as they relate to the context of the business? (Clause
4.1)
2. Has the organization identified relevant interested parties as they relate to the context of the business? Has the
organization understood the interested-party expectations? (Clause 4.2)
3. Has the organization used the issues developed in the context and in the needs and expectations of the interested
parties when planning for the organization? (Clause 4.3)
4. Has the organization identified the risks and opportunities as they relate to the organization achieving its
intended results, i.e., goal and objectives? (Clause 6)
5. Has the organization identified the actions to address the risks and opportunities?
6. Is the organization meeting its goals and objectives, i.e., is it improving?
For more on risk-based thinking, join Chad Kymal and Dirk Dusharme on Tues., Aug. 25, 2015, at 11 a.m. Pacific
for the webinar, "Risk-Based Thinking: Actions to Address and Audit Risk and Opportunities." Kymal
will also be releasing a new book on ISO 9001:2015 auditing, published by ASQ, at the end of 2015.
For more information about the ISO 9001 standard, see the Quality Digest knowledge guide, "What Is ISO
9001:2015?"

Where technology fits


Let's look into several of the key components of the initial draft as we map the technology considerations relating
to the new standard.
Clause 4, Context of the Organization: This is essentially the planning for how your organization will
manage quality. A lot of it becomes a strategic decision, but where technology fits is in subclause 4.4, which centers
on establishing a "... process-based quality management system."
Technology considerations: You want a solution that will be able to focus on the process as it relates to your
organization. The QMS provides you with a centralized, common, and collaborative environment to maintain all of
your policies and procedures. This is where flexibility becomes an important component:
Flexibility to adapt to the various processes, and match what you've outlined for your commitments to quality and
your customers
Builds in the functionality that will support your needs and the needs/requirements of the standard
Clause 5, Building Leadership: There's no longer a single representative for quality, no single "quality
police." Companies as a whole must establish a focus on quality, customers, and companywide commitment. At the
same time, you must look to establishing a quality policy, as opposed to a manual, which will more
broadly assess and help improve organizational quality.

Technology considerations: How are you effectively collaborating on a commitment to quality? You need a
solution that will give the entire company visibility into and control over the quality effort by ensuring that all data
related to processes and procedures is kept in a centralized location accessible by all necessary parties:
A centralized system, one holistic place for quality policy that provides transparency of information
Document and communicate your policy: control and disseminate information in a consistent manner
Clause 6, Planning: The biggest change here involves risk management. The standard is shifting from a
preventive action approach to a risk-based approach, not just in the identification of risks, but also in controlling
and mitigating them. At the same time, you're benchmarking those risks against your overall quality objectives,
taking actions to ensure you're meeting them, and instituting methods for management of change.
Technology considerations: Building risk into a system is critical; you need a system that is objective, repeatable,
and systematic. This takes several elements. First is assessing hazards and identifying and measuring risks (e.g.,
severity and frequency). Having a way to not only define the measurement of risks, but also to align them with your
quality objective and then assess them from an operational perspective, is critical. This is done through a risk
matrix, which enables you to calculate risk by quantifying your hazards by plotting them on a graph. The resulting
calculation of severity and frequency becomes your risk factor. Once the risk matrix has been vetted by your
organization through real-world scenarios to ensure its effectiveness, your organization can apply this tool to the
risk management process.
Risk matrixes, built into the operational processes, not only calculate risk but enable immediate remediation of
high-risk events.
A solution should have the ability to set up a risk assessment calculation, benchmarked against your
requirements/objectives, and provide a way for you to take action on high-risk events.
Clause 7, Supporting your QMS: This is where you focus not only on the people who support your quality
initiatives, but also on the infrastructure to support your QMS. You're looking at the infrastructure of how you're
going to deliver quality, and by whom. This relies on ensuring that your people are trained and given the right
documentation to operate efficiently and effectively.
Technology considerations:
The concept of document control is not just about document repositories; it's about establishing a process by
which documentation is created, reviewed, approved, consumed, trained, audited, and ultimately, revised. It's far
more than just a simple documentation tool; it's how you have a central location for communicating processes and
information to the company. A technology solution will build in functionality around the process of review and
approval, integrated with training, change and revision control processes, and periodic reviews. Collaboration on
documentation improvement is key to this element.

Employee training isn't just about a training tool; it's more integrated, collaborative, and based on the idea that
one process blends into the next. So, from a technology standpoint, you want an integrated document control and
training system. The process includes the training of people and communication, by which new information is
disseminated and consumed. Being able to automate much of this is key, especially when you're looking to create a
more seamless, collaborative, and companywide perspective on quality.
Clause 8, Operational Processes: This section provides the framework for how you design, source,
produce, and monitor your operations, with respect to products and services. It covers the processes by which you
evaluate the design, the external parties (a term which replaces "suppliers"), and plans for your product and
measurement of controls within your operations.
Technology considerations: The processes are the biggest component, and whether you're building a design plan, a
supplier evaluation, or establishing nonconforming material criteria, it's important to ensure that information is
transferred from one process to the next. A technology solution that will take design information, such as a bill of
materials, and communicate to production and suppliers, and include potential nonconforming criteria to be
assessed, rests in the ability of the system to provide traceability, visibility, and control.
Clause 9, Evaluation: The concept of evaluation sits on its own in ISO 9001:2015, which certainly highlights
the importance of feedback and regular assessment. The key point to take away is, "How do you build a constant
feedback loop from your operations to ensure that you are saying what you do, and doing what you say?" This not
only includes regular auditing and feedback measures from customers, but also how you're consuming this
information as a management team.
One of the key areas is establishing a method for consuming customer feedback. You need to have an established
way to build a data set from all customers, and categorize and analyze the type of feedback you're getting. You also
need to build both an internal and an external auditing program. This isn't different than previous requirements.
Finally, you still need to take the QMS data and conduct management reviews, and produce outputs against your
core objectives.
Technology considerations: It's important to close the loop on your QMS with your most important asset: your
customer. A solution that can collect customer data via post-market feedback such as complaints and adverse
events, and allow you to take action on that data, is vitally important to understanding if you're meeting your
quality commitment to your customer. Having a centralized and aggregated way to organize the feedback data is
essential, and an automated QMS will provide:
Auditing solutions: Most organizations are very familiar with building an auditing plan, but as a company grows
more complex, it becomes more difficult to manage how much auditing needs to take place, when to audit, and
what to audit. It's important to have a solution that not only manages and standardizes the auditing process, but
also the scheduling process. Centralization and harmonization are key in keeping things straight; technology helps
to achieve this by providing you with a centralized repository where all your data is kept.
Measuring effectiveness with collaborative reporting: Management review is an important step to evaluation.
However, without a way to organize and filter the data, it's very difficult to make informed and strategic decisions.
You really not only need a strong reporting tool to gather all this information, you also need to ensure that you are
integrating the whole process into the data collection. This is where having a closed-loop QMS solution is most
valuable; it provides data from design, production, documentation, training, feedback, audits, and beyond. This
provides a larger and more valuable view into the data, and lets management act or react or improve more
efficiently.
Clause 10, Improvement: The key concept and the chief focus of ISO 9001:2015 is around a commitment to
customers, to improvement, and to companywide involvement. So when we look at this section, the emphasis must
be on fostering overall improvement.
You're building a process by which you're able to quickly react to nonconformities and take action on correcting
these nonconformities. You're also looking to see if you need to eliminate the cause of these problems. So, you are
first looking to correct and control, and then determine if a corrective action is needed.
If there's a systematic cause of a nonconformance, then you need to build a corrective action. Again, this is how you
take an adverse event and create steps to reduce the likelihood of recurrence. Finally, you also want to look for
ways to improve your overall QMS, find trends, and identify opportunities for improvement.
Technology considerations:
Nonconformance management: Being able to record information in a single location is critical. You want to
eliminate as much double entry and data as possible, so importing data from other areas (e.g., production,
suppliers, customers, etc.) is key. The next key point is that, if you're going to issue a corrective action, it should
be traceable back to the nonconformance. This is where integration comes into play: linking a nonconformity to a
corrective and preventive action, and being able to create a seamless closed loop on the process, will ensure that
data is not lost or entered incorrectly.
Lastly, you want to build reporting and data collection to look for improvement areas. Having a robust reporting
system on the entire QMS is critically important to make informed decisions.

Conclusion
The revisions coming forth in ISO 9001:2015 bring a fresh perspective to the standard. Taking full advantage of the
opportunities presented by the new standard lies in having a centralized, common, and collaborative environment
that not only gives you the visibility into where you are in your QMS, but also makes you active participants and
champions of quality. This is where technology, automation, and an integrated QMS take over.

ISO 9001:2015 was built with the acknowledgement of technology today, and the standard embraces concepts that
can only be achieved with this in mind.
For more on this topic, be sure to join Quality Digest editor in chief Dirk Dusharme and myself for the webinar,
"ISO 9001:2015 Compliance: How Automation Can Help," on March 24 at 2 p.m. Eastern, 11 a.m. Pacific.

The ISO 9001:2015 CD costs 38 Swiss francs in PDF format, but that will shoot up to 118 Swiss francs or so, like
ISO 9001:2008 did, once it achieves International Standard recognition.
So much for the economics.
I bought myself the PDF format of the CD, and as a matter of fact, it doesn't take much longer to go through it than
it does to listen to a music CD, which is what I expected.
What follows is a very informal summary of my thoughts and feelings as I read the CD, though I've tried to give
them some sense and context. So let's start reading the document ISO/TC 176/SC 2/N 1147, ISO/CD 9001, hoping
to make some sense out of it. Anything I don't comment on I consider acceptable enough, or unworthy of notice.

Attachment 1 to SC 2/N 1147


Exclusions: Lines 387 through 391 are quoted, referring to subclause 7.1.4, Monitoring and measuring devices,
and clause 8, Operation, as permitted exclusions. Mmmh...
Concerning goods and services, there's not much to say, except that subclause 8.6.4, line 878, requires
preservation of goods and services, and the Note is clearly hardware-oriented. Now, while it is easy enough to
think of preservation services, to preserve something like, say, a health treatment will have to rely on
documentation, but the empathy the patient felt toward the nurse who speeds his recovery: how can that be
preserved?

Contents
The ISO/TC 176/SC 2 reshuffled the sections' numbering once more. In the most vicious bars, it's rumored that
this was done on purpose to test auditors' and consultants' memories. Because, all in all, the requirements have not
been changed all that much.

Foreword
...The unifying and agreed high level structure, identical core text, and common terms and core definitions of
Annex XL of the ISO Directives quoted in lines 90-92 are not found in the bibliography on pages 26-27. There is
only a short reference in the Introduction, subclause 0.2, Annex XL.

Introduction
Here is where the word "risk" appears for the first time (line 160), associated with "opportunities" (line 166) and
linked to the Annex XL core text "risk-based thinking" and "risk-driven approach" (line 171). What's not clear, at
the moment, is what's to be understood, and acted on, per lines 173-174: "Although risks have to (be) identified
and acted upon, there is no requirement for formal risk management."

QMS requirements
ISO 9001:2015 is different from its predecessors, in that the Requirements section includes clause 1, Scope;
clause 2, Normative references; and clause 3, Terms and definitions. Something worth noticing: clause 1,
Scope, does not mention risk but improvement, and clause 2, Normative references, cites as indispensable
only ISO 9000:2015, QMS, Fundamentals and vocabulary.
Clause 3, Terms and definitions, is an Eldorado for a word-fan like me. Of particular interest, I found subclause
3.05, Top management; subclause 3.09, Risk (of course); subclause 3.10, Competence; subclause 3.11,
Documented information; subclause 3.14, (To) outsource; subclause 3.15, Monitoring; subclause 3.16,
Measurement; and subclause 3.17, Audit. These all look like revolving definitions to me, rather like "a rose is
a rose is a rose."

Subclause 4.1, Understanding the organization and its contents

Line 346 says, "The organization shall update such determination when needed." I see a big risk here. When
organizations get their certificate, they post it on the wall and stow the QMS like a suit in the back of the closet.
Once that happens, there's no way to convince them to update a suit that's become either too large or too tight for
them. The high cost of tailoring will keep them wearing it long after it's gone out of fashion.

Subclause 4.3, Determining the scope of the QMS

I found an interesting requirement in lines 384-385: "...the main processes to deliver them and the sites of the
organization included." There's a clear reference to logistical processes here, which prior to ISO 9001:2008 had
been quite neglected, save for registering shipping, forwarding, and trucking organizations and their warehouses.
But that's not true logistical processes themselves, which even the most passive TV watcher would see as critical.

Subclause 4.4.2, Process approach

Specifically planning, developing, monitoring, and improving a QMS are probably the most pedantic activities in
the world. It would be difficult to name an organization that did not find them a waste of time. Now, what ISO
9001:2008 took care of with one chart (subclause 0.2) and six requirements (subclause 4.1 a through f), ISO
9001:2015 makes you reflect on with four more requirements. I fear this will prove once again to be consultants'
work because organizations think they already know their processes.

Subclause 5.1, Leadership and commitment and Subclause 5.3, Organizational roles, responsibilities,
and authorities
Armageddon is still to come, as these sections demonstrate. How could a third-party auditor argue about such
political matters with his boss's customer? Or a first-party auditor with her boss? Only second-party auditors with
enough power in their hands can do this. Prior to ISO 9001:2008, this requirement was a mere formality, and I
don't expect ISO 9001:2015 to change it. So why not leave it out altogether and put it in some other requirement,
for example, quality of management systems management? This implies personal, psychological, social,
economical, financial, entrepreneurial, competence, and training skills that the poor checklist-filling auditor is very
far from being able to assess.
ISO 10015:1999, Quality management: Guidelines for training, Bibliography (item No. 13), and ISO
10018:2012, Quality management: Guidelines on people competence and involvement, Bibliography (item No.
15), should be consulted.

Subclause 5.1.2 a, Leadership and commitment with respect to the needs and expectations of customers
and Subclause 6.1, Actions to address risks and opportunities
After it disappears for a few pages, the term "risk" appears again on line 446, like Alice's rabbit, again associated
with "opportunities," whereas on lines 446, 482, 484, 498, and 501, it's not associated with "opportunities" but
with risk avoidance, risk mitigation, and risk acceptance. One would be inclined to think that management is being
given sanction to indulge in a risk-management approach.
At this point, it seems the cyclical structure of the QMS as configured by ISO 9001:2015 is taking shape: We've
gone over internal and external constraints, the boss has taken command, and it's now time to decide where and
how to go.

Subclause 6.2, Quality objectives and planning to achieve them

Here we have perhaps the most pedantic activity of the whole pedantic QMS-development cycle. Because of the
objective-based nature of a QMS, quality managers and consultants must resort to endless creativity to fill the gap
between the only objective understandable to top management, i.e., profit, and the performance indicators
required by auditors strictly applying ISO 9001's requirements.
And ISO 9001:2015 doesn't solve this dilemma. If, in the first place, quality objectives shall "...be consistent with
the quality policy" (line 505) and the quality policy "...provides a framework for setting quality objectives" (line
458), then the auditor will have to throw into a bin all those generic, obscure, and meaningless quality policies so
dear to top managers and their consultants, all wanting to say nothing and its opposite.
Line 507 says quality objectives should be measurable; the previous edition's "if practicable" has been deleted.
Now, here there's something that accreditation bodies will have to assign to registrars: ensuring that auditors don't
ignore what's going on. SPC starts with punctually recording numerical figures until it's determined that the
process is stable enough. So why in the world should QMS objectives always be stated in terms of
measurable variable figures, and not of measurable attribute figures?

Subclause 6.3, Planning of changes and Subclause 8.6.6, Control of changes


These two sections should be read together. Though between the lines, it seems that identifying risk and
opportunities should be given more relevance when planning than when implementing and controlling.

Subclause 7.1.2, Infrastructure
We know how it goes: Mirrors reflect our front, not back, image. Likewise we enter shiny, marble corporate
lobbies, and neat and orderly offices, and we are enchanted. The shop floor? Well, we can't expect much of a metalworking company, which uses much oil, and makes a tremendous amount of noise and shavings. Then the nasty
auditor asks to see, just to see, what's behind the building, outside, bordering the neighbors. Are the tons of rusting
metal, the drums containing unknown liquids, to be covered by this requirement? Suddenly the shiny entrance, the
big black sedans or sport cars in the front parking lot, vanish: This is the real company.
Concerning Note c, line 547, "software"; and line 548, "transportation": Achilles was lucky to have just one heel
that could be lethally wounded. Most organizations have at least two, that is, software, for its user-friendliness and
security; and logistics, which covers much more than just transportation and warehousing. Downgrading these two
processes to infrastructure issues will not help organizations see them in their true light, as they deserve.

Subclause 7.1.3 - Process environment

The Note on line 555 echoes previous ISO 9001 Notes and requirements, too. That is, if a proper understanding
and use of human resources is a relevant part of a QMS, I don't think that physical, social, psychological, and
environmental factors can be dissociated from subclause 7.1.5 - "Knowledge," subclause 7.2 - "Competence,"
subclause 7.3 - "Awareness," or subclause 7.4 - "Communication."

A related comment concerns subclause 8.6.1 - "Control of production of goods and provision of services." It's worth
warning that point f on line 835, "personnel qualification," is not included in Clause 3 - "Terms and definitions,"
and neither is point i on line 840, which is all too often abused as a justification for more upstream errors.

Subclause 7.1.4 - Monitoring and measuring devices

Here's another point where ISO 9001:2015 seems to break down: "The organization shall determine, provide, and
maintain the monitoring and measuring devices needed to verify conformity to product requirements...." (lines
560-561). Although it was anticipated in Attachment 1 a - "Exclusions" and subclause 4.3 - "Determining the scope
of QMS," line 389, the question still seems to be unresolved because many reliable auditors believe that service
performance can and should be measured, or assessed, while others, equally as reliable, do not.
I think that most of us share the view that customer-satisfaction questionnaires are far from significant in
determining any service-performance level. At the same time, how should an organization preparing for ISO
9001:2015 registration go about fulfilling that requirement? Possibly by simply declaring it not applicable?
ISO 10012:2003, "Measurement management systems - Requirements for measurement processes and measuring
equipment," Bibliography (item No. 10), should be consulted for further clarification.

Subclause 7.1.5 - Knowledge
Although ISO 9001:2015 defines competence in subclause 3.10 as the "ability to apply knowledge and skills to
achieve intended results," both terms "knowledge" and "skills" are not defined. This seems to reveal some kind of
uneasiness on the part of ISO/TC 176/SC 2 to tackle personal characteristics. The same reluctance to define can be
found in subclause 7.2 - "Competence," subclause 7.3 - "Awareness," and subclause 7.4 - "Communication," as well
as subclauses 3.05, 5.1, 5.3, which deal with top management's profile.

Subclause 7.5 - Documented information

We first come across this term in clause 3, subclause 3.11, line 288.
As far as the documentation required by this standard is concerned (specified in subclause 7.5.1 a, line 608), we
also find the term mentioned in, among other places, clause 3 - "Terms and definitions" (subclause 3.07 - "Policy");
subclause 4.3 - "Exclusions," line 387; subclause 5.1.1, line 424, "demonstration of leadership and commitment";
and line 426, "quality policies and objectives"; subclause 5.1.2 - "Leadership and commitment with respect to the
needs and expectations of customers," line 444, "demonstration of leadership and commitment"; subclause 5.2 -
"Quality policy"; subclause 5.3 - "Organizational roles, responsibilities, and authorities," line 478, "reporting";
subclause 6.2 - "Quality objectives and planning to achieve them," line a, "quality policy"; and line 513,
"documented information on the quality objectives."

Based on past experience, subclause 7.5.1 b - "The organization's QMS shall include: documented information
determined by the organization as being necessary for the effectiveness of the QMS" (lines 609-610), is going to
raise discussions between auditors, auditees, and consultants, with each party trying to further their own cause.
Subclause 7.5.2 and subclause 7.5.3 are familiar ones in ISO 9001:2015, but the reminders about "loss of
confidentiality" (line 630), "access to view and authority to change" (Note), and "disposition" (line 636) may help
refresh memories of some of the corrective actions seen in the past but quickly forgotten.
The requirement stipulated in subclause 8.1 c - "Operational planning and control," lines 649-650, "documented
information to the extent necessary to have more confidence that the processes have been carried out as planned,"
seems to refer not to quality objectives and performance, but rather to a quality plan and some kind of sign-off.
ISO 10005:2005, "QMS - Guidelines for quality plans," Bibliography (item No. 6), should be consulted for further
clarification.

Subclause 8.2.3 - Review of requirements related to goods and services, and applicable changes
In its simplest form, the requirement stated in line 688 could be satisfied by a review sign-off or a team-feasibility
commitment. The real questions arise in obtaining customers' clear, comprehensive, and consistent documented
statement of their requirements and, when necessary, its amendment. I often found, and still find, that customers
start with detailed descriptions of their requirements or expected goods and services. This soon fades away, leaving
the requirements floating and undefined about midway through the document. When the supplier asks the
customer to provide more robust information, the customer seems to be annoyed by this petty approach.
Subclause 8.6.1 poses the never-ending question of how to differentiate between documented information that
describes the characteristics of the goods and services (point a, line 829), and documented information that
describes the activities to be performed and the results achieved, as necessary (point c, line 831). The former is
usually reasonably detailed and kept up to date, mainly because it is closely linked to customers' requirements. The
latter, being almost totally in the organization's hands, gives rise to shortcuts, poor records, and undocumented
work instructions of the type, "We do so because we've always done it this way."
Subclause 8.3 - "Operational planning process" includes references to documented information in point a, line
712, "quality objectives"; and point f, line 719, "performance data" (which is a comment to the Note on lines
728-729). Quality plans were never a hit during ISO 9001 registration, mainly because organizations found them too
cumbersome, and their preparation of no added value. Generally, they were developed and printed for registration
purposes only.
Point g, line 720, identifying risks related to achieving conformity of goods and services to requirements, and
preserving services were discussed above under Attachment 1.

ISO/TR 10013:2001, "Guidelines for QMSs documentation," Bibliography (item No. 11), should be consulted for
further clarification.

Subclause 8.4.2 - Type and extent of control of external provision

Here, too, the key concepts are expressed in line 743 as "the risks identified and the potential impacts"; in line 746
as "the capability of potential controls"; and in line 752 as "documented information describing the results of
evaluations shall be maintained."
Concerning line 746, I would raise some questions. In today's business, more and more organizations buy bulk
goods from traders (steel coils and plastics are examples) and bulk services, too, like worldwide inspection or
registration. Very often the traders, especially those buying in Asia, don't know where their goods come from, so
it's difficult for them to trace the controls back to their origin and transmit this information to the buyer. On the
other hand, the buyer can't be expected to sample a cargo of 50,000 tons of steel coils or 100,000 plastics bags,
which leaves the responsibility of accepting the cargo, or segregating a part of it, in the hands of the organization's
production manager.
ISO 37500, "Guidance on outsourcing," Bibliography (item No. 19), should be consulted for further clarification.

Subclause 8.4.3 - Documented information for external providers

The requirements expressed in lines 757 and 769-770 go hand in hand with what was written above under 8.4.2.
For point c, line 759, refer to subclause 7.1.3 and subclause 7.1.5 above.

Subclause 8.5.1 - Development process

Point c, lines 783-788, seems to express more concern with the development process than with the goods and
services themselves, especially in the phrase "the determined risks associated with the development activities...."
For point g, line 790, refer to subclause 7.1.3 and subclause 7.1.5 above.
Point j, line 796, is also going to raise discussions between auditors, auditees, and consultants. Past experience
teaches that, although auditees prefer shortcuts, auditors want to see very detailed, painstaking, and
comprehensive documentation that auditees often consider superfluous. Consultants try for a balance, but it's not
always easy.

Subclause 8.5.2 - Development controls

Concerning point c, line 806, "outputs," the same comments under subclause 7.5.1 b and subclause 8.5.1 j apply
here.
Concerning point g, change control and configuration management, subclauses 6.3 and 8.6.6, and ISO
10007:2003, "QMS - Guidelines for configuration management," Bibliography (item No. 8 to ) should apply.

Subclause 8.6.1 - Control of production of goods and provision of services

Based on the prominence ISO 9001:2015 gives to services, one would have expected point g and its related Note to
be more specific and thorough about validation, approval, and periodic revalidation of any process for providing
services. Often services can't be segregated for final control before they are released to a customer, or preserved
after their release.

Subclause 8.6.2 - Identification and traceability

It's interesting to observe that, while in lines 856-857 the organization must demonstrate that it has met this
requirement via documented information, point g of subclause 8.3 - "The operational planning process" does not
require the auditee to create and update any documentation.
It's also interesting to read here, though in a tentative Note, a definition of process outputs.

Subclause 8.6.3 - Property belonging to customer or external providers

Concerning the Note in this subclause, the European Union has issued rules by which organizations must
nominate a manager to take care of the private data of personnel as well as customers' and suppliers' information
and data, including product and process specifications and performance. Exactly what a caring restaurant owner
would do for his head chef and his recipes.
It's therefore a pity that auditors and auditees mainly address this issue by only looking at packages or tooling.

Subclause 8.6.5 - Post-delivery activities

Point a, line 891, requires that the risks associated with the goods and services are taken into account when
determining the extent of post-delivery activities.
Since post-delivery activities are not defined in clause 3 - "Terms and definitions," we must assume the
organization and its customer will agree on them, even when not required by the latter. I'm thinking, for example,
of predictive-maintenance services for a multimillion-dollar machine about which the customer does not specify
much, beyond the basic features, or of an inspection-services organization advising its customer about seaports
available on the other side of the world.

Subclause 8.7 - Release of goods and services

Lines 909-910, "Evidence of conformity with the acceptance criteria shall be maintained," fall under subclause
7.5.1.a - "Documented information required by this International Standard," unless a different agreement is made
with the customer. An example might be samples or, in the case of services, assessment by the customer himself.
Requirements in lines 913-915 are also addressed in subclause 5.3 - "Organizational roles, responsibilities, and
authorities," commented on above.

Subclause 8.8 - Nonconforming goods and services

It's interesting to note how the requirements in lines 922-923 and 925-926 may impact requirements previously
expressed in subclause 8.6.5 b, and which we will be reminded of in subclause 9.1.2 - "Customer satisfaction," points
a and b.
Concerning lines 938-939, "documented information describing the nature of nonconformities and any
subsequent actions taken, including concessions obtained, shall be maintained," they echo what's to be read in
subclause 0.3 d - "Risk and preventive action," that is, "...the key purpose of a formal management system is to act
as a preventive tool."
Lines 935-936, demonstration of correction reverification, was never brilliant in the previous ISO 9001s,
especially in terms of instructions or procedures, and records. Organizations were usually content to put the
products in inventory and ship them to customers, or store them for future shipment. Some organizations went as
far as reworking products by production batches or by kind of nonconformities, to save time. Such practices are
quite unfeasible for most services, which function more like unstoppable streams. Sure, if services only require
documentation, it could be done, but when correction reverification implies moving people, information, and
goods, it becomes much more difficult.

Subclause 9.1.2 - Customer satisfaction

ISO 10004:2012, "Quality management - Customer satisfaction - Guidelines for monitoring and measuring,"
Bibliography (item No. 5), and its related Guidelines should be consulted for further clarification. Keep in mind
that most organizations use a written or electronic questionnaire to obtain customer-satisfaction data, and that the
questions are often so generic they can be applied to a wide variety of goods and services as well as organizations.
In addition, these questions are seldom directed to the responsible people within the customer organization, and
even if they were, there's no way to ensure the questions were answered by the responsible manager rather than his
secretary. Obtaining credible, dependable data is therefore problematic at best.

Subclause 9.1.3 - Analysis and evaluation of data

Prior to ISO 9001:2008, there was a specific required role for a management representative with the
"responsibility and authority for: c) reporting on the performance of the QMS to top management and any need for
improvement." ISO 9001:2015 includes this instead in subclause 5.3 - "Organizational roles, responsibilities, and
authorities."

Subclause 9.2 - Internal audit

ISO 19011:2011, "Guidelines for auditing management systems," Bibliography (item No. 18), should be consulted
for further clarification.
This subclause summarizes the hefty Guidelines above, and uses more or less the same wording as ISO 9001:2015's
predecessors, although it emphasizes, in line 1002, "the related risks." One is therefore likely to interpret these as
risks related to the processes concerned with product realization or service provision, but not related to what the
previous two editions defined as management and supporting processes.
Considering subclause 9.2 a and b (lines 994-996 and line 997), one must wonder why the ISO/TC 176/SC 2 didn't
consider the internal audit process a risky process on its own.

Subclause 9.3 - Management review

ISO 9001:2015's requirements for this subclause are more or less the same as its predecessors, including the big
failure of not requiring, for evidence, that the QMS actually be reviewed by management, and contenting itself
with ensuring the manager's signature appears at the bottom of the management review report. Some sly auditors
require managers to recite the report's contents, which might be a useful exercise for actors, but not for managers.

Subclause 10 - Improvement
After year 2008, when, as a third-party auditor I pushed organizations to pursue (continual) improvement, the
most frequent answer I got was, "Hey, mister, we're lucky enough to survive and keep our gate open to our
employees. What more do you want us to do?" So much for points a, b, and c in this subclause.
But maybe I'm going too far: Unless required by the customer or planned by the organization, improvement should
be an opportunity, not a "shall."

Annex A - Quality management principles

A.3 QMP 2 - "Leadership" and A.4 QMP 3 - "Engagement of people" are commented on above, under different
headings. For A.6 QMP 5 - "Improvement," see above as well. Concerning A.7 QMP 6 - "Evidence-based decision
making," it's rare that an organization does not make decisions based on facts, information, and data. Therefore,
we can assume that it's a fairly common practice for organizations to systematically collect, identify, and trace the
facts, information, and data on which they base their decisions.
ISO 9001:2015 subclause 4.4.2 - Process approach
The organization shall:
d) determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are
delivered or process interaction is ineffective;
What is the meaning of "unintended output"? Does it mean nonconforming product? Unintended output from a
process can be: reprocessed (e.g., chemical industry), scrapped, or sold at a discount. The risk of producing
unintended output should theoretically be set at zero or near zero but is rarely achieved; the analogy would be a
process operating at 4.5 sigma vs. 5 or higher. The lower the parts per million, the lower the risk of producing
unintended output. However, one must not forget that depending on the industry (e.g., medical vs. pencil
manufacturers), these risks have different end-user impact and costs. Fortunately this is recognized in the last line
of subclause 6.1 - "Actions to address risks and opportunities."
5.1.2 - Leadership and commitment with respect to the needs and expectations of customers
Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring
that:
a) the risks which can affect conformity of goods and services and customer satisfaction are identified and
addressed;
This can be achieved by establishing process capabilities for each process from manufacturing and assembly to
packaging and product delivery and installation. The computation of a simple indicator of process capability (Cp)
or the adjustment of the process capability toward a specification (Cpk) would help managers quantify their
process risk. The objective would be to achieve the highest economically feasible capability for each process, thus
minimizing the risk of producing so-called "unintended output."
6.1 - Actions to address risks and opportunities
When planning for the quality management system, the organization shall consider the issues referred to in 4.1
and the requirements referred to in 4.2 (4.2 Understanding the needs and expectations of interested
parties) and determine the risks and opportunities that need to be addressed to:
a) assure the quality management system can achieve its intended outcome(s)
b) assure that the organization can consistently achieve conformity of goods and services and customer
satisfaction
c) prevent, or reduce, undesired effects, and
d) achieve continual improvement.
The context of the word "risks" is difficult to interpret given the requirements stated in a) through d) of subclause
6.1. For example, how does one determine the risks and opportunities to assure the quality management system
can achieve its intended outcomes? The intent has always been to ensure that the quality management system is
effective, and this is verified via the audit process. The insertion of the word "risk" does not help and confuses
things. Nevertheless, these risks can be quantified by simply looking at nonconformance percentages (per process
and at final output), but this is already established via the use of process capability measures.
The organization shall plan:
a) actions to address these risks and opportunities, and
b) how to
1) integrate and implement the actions into its quality management system processes (see 4.4), and
2) evaluate the effectiveness of these actions.
Any actions taken to address risks and opportunities shall be proportionate to the potential effects on conformity
of goods and services and customer satisfaction.
Good to know and a wise decision, but this could well be seen as an escape clause by many companies.
8.3 - Operational planning process
In preparing for the realization of goods and services, the organization shall implement a process to determine
the following, as appropriate:
b) actions to identify and address risks related to achieving conformity of goods and services to requirements;
This is nothing more than a repeat of what has already been stated.
8.5.1 - Development processes
In determining the stages and controls for the development processes, the organization shall take account of:
e) the determined risks and opportunities associated with the development activities with respect to
1) the nature of the goods and services to be developed and potential consequences of failure
2) the level of control expected of the development process by customers and other relevant interested parties,
and
3) the potential impact on the organization's ability to consistently meet customer requirements and enhance
customer satisfaction.

This is already done in some industries (e.g., automotive and avionics) but is not likely to be documented for all to
see. Who will document these risks for future lawyers to see? If a company acknowledges that there is a small risk
(let's say a one-in-one-million chance) that something wrong could happen, lawyers would say that the company
knew that there was a risk and is therefore liable. You can't have zero risk; no one will want to pay the cost of
developing a product with zero risk. This idea to either quantify and/or document risk for all to see is unrealistic
from a legal point of view. However, lawyers will love it.
8.6.5 - Post delivery activities
The extent of post delivery activities that are required shall take account of:
a) the risks associated with the goods and services
This sounds like a rephrasing of warranty-cost analysis; major companies have done this for a long time, but I
don't know about small to medium-size companies.
9.1 - Monitoring, measurement, analysis and evaluation
The organization shall take into consideration the determined risks and opportunities and shall:
This is vague, but there are important issues to address relating to inaccurate measurements or insufficient
measurements. Gauge repeatability and reproducibility (Gauge R&R) addresses many if not most of these issues
and I don't see how adding the word "risk" brings any value to this paragraph except that now one must think of
the missed opportunities for measuring (or rather, not measuring) and the associated risk.
9.2 - Internal audit
The organization shall:
a) plan, establish, implement and maintain an audit program(s), including the frequency, methods,
responsibilities, planning requirements and reporting. The audit program(s) shall take into consideration the
quality objectives, the importance of the processes concerned, the related risks, and the results of previous
audits;
Internal auditors would now have to assess the risk of failing to do something or the risk of not following a
procedure. This would be challenging to quantify and assess. Potential risks would also have to be assessed, which
would be even more challenging.
10.2 - Improvement

The Most Important Audit Questions for ISO 9001:2015


By Craig Cochran
If you're preparing to start auditing against ISO 9001:2015, you've probably already
asked yourself the timeless question: "What the heck am I going to ask these people?"
There's no worse feeling in the world than being in the middle of an audit and
realizing that you don't have anything to say in the way of questions. Preparation and
planning can remedy this, of course, but the fact remains that ISO 9001:2015 includes
a lot of new requirements that have never been part of most audits. In order to
expedite your thinking, these are what I believe to be the most important audit
questions for ISO 9001:2015:
1. What can you tell me about the context of your organization? This
question is the starting point of ISO 9001:2015, appearing in section 4.1. The standard
uses the clunky term "context," but this could easily be substituted by asking about the
organization's internal and external success factors. Questions about context are
usually directed at top management or the person leading the QMS (formerly known
as the management representative). As an auditor, you're looking for a clear
examination of forces at work within and around the organization. Does this sound
broad and a little vague? It is. Thankfully the standard provides some guidance,
saying that context must include internal and external issues that are relevant to your
organization's purpose, strategy, and goals of the QMS. Many organizations will
probably use SWOT analysis (strengths, weaknesses, opportunities, and threats) to
help get their arms around context, but it's not a requirement. What the organization
learns with this will be a key input to risk analysis. (NOTE: Not everybody will
understand the term "context." Be prepared to discuss the concept and describe what
ISO 9001:2015 is asking for.)
2. Who are your interested parties and what are their requirements? The
natural follow-up to context is interested parties, found in section 4.2. The term
"interested parties" has a bizarre, stalker-like ring to it, so smart auditors might want
to replace it with "stakeholders." Remember, effective auditors try to translate the
arcane language of ISO 9001:2015 into understandable terms that auditees can grasp.
Typical interested parties are employees, customers, suppliers, business owners, debt
holders, neighbors, and regulators. As an auditor you're making sure that a reasonable
range of interested parties has been identified, along with their corresponding
requirements. The best way to audit this is as an exploratory discussion. Ask questions
about the interested parties, and probe what they're interested in. If you've done some
preparation in advance of the audit, then you'll know whether their examination of
interested parties is adequate. That brings up an important planning issue: You will
have to do a bit more preparation before an ISO 9001:2015 audit. Why? So you'll have
a grasp of context and interested parties. How can you evaluate their responses if you
don't know what the responses should be?
3. What risks and opportunities have been identified, and what are you
doing about them? Risks and opportunities could accurately be called the
foundation of ISO 9001:2015. No fewer than 13 other clauses refer directly to risks
and opportunities, making them the most connected section of the standard. If an
organization does a poor job of identifying risks and opportunities, then the QMS
cannot be effective, period. Auditors should verify that risks and opportunities include
issues that focus on desired outcomes, prevent problems, and drive improvement.
Once risks and opportunities are identified, actions must be planned to address them.
ISO 9001:2015 does not specifically mention prioritizing risks and opportunities,
though it would be wise for organizations to do this. Risks and opportunities are
limitless, but resources are not.
4. What plans have been put in place to achieve quality
objectives? Measurable quality objectives have long been a part of ISO 9001. What is
new is the requirement to plan actions to make them happen. The plans are intended
to be specific and actionable, addressing actions, resources, responsibilities,
timeframes, and evaluation of results. Auditors should closely examine how the plans
have been implemented throughout the organization, and who has knowledge of
them. Just as employees should be aware of how they contribute to objectives, they
should be familiar with the action plans.
5. How has the QMS been integrated into the organization's business
processes? In other words, how are you using ISO 9001:2015 to help you run the
company? This is asked directly of top management (see section 5.1.1c) and is a very
revealing question. The point is that ISO 9001 is moving away from being a quality
management system standard and becoming a strategic management system. It's not
just about making sure products or services meet requirements anymore. The
standard is about managing every aspect of the business. Remember sections 4.1 and
4.2 of ISO 9001:2015? There we examined the key topics of context and interested
parties. These concepts touch every corner of the organization, and this is exactly how
ISO 9001:2015 is intended to be used. Top management should be able to describe
how the QMS is used to run the company, not just pass an audit.
6. How do you manage change? This topic comes up multiple times in ISO
9001:2015. The first and biggest clause on the topic comes up in section 6.3. Here we
identify changes that we know are coming, and develop a plan for their implementation.
What kind of changes? Nearly anything, but the following changes come to mind as
candidates: new or modified products, processes, equipment, tools, employees,
regulations. The list is endless. An auditor should review changes that took place, and
seek evidence that the change was identified and planned proactively. Change that
happens in a less planned manner is addressed in section 8.5.6. Here the auditor will
seek records that the changes met requirements, the results of reviewing changes, who
authorized them, and subsequent actions that were necessary.
7. How do you capture and use knowledge? ISO 9001:2015 wants organizations
to learn from their experiences, both good and bad. This could be handled by a variety
of means: project debriefs, job close-outs, staff meetings, customer reviews,
examination of data, customer feedback. How the organization captures knowledge is
up to them, but the process should be clear and functional. The knowledge should also
be maintained and accessible. This almost sounds like it will be documented in some
way, doesn't it? That's exactly right. One way to audit this would be to inquire about
recent failures or successes. How did the organization learn from these events in a way
that will help make them more successful? It's the conversion of raw information to
true knowledge, and it just happens to be one of the most difficult things an
organization can achieve.
These are by no means the only questions you'll want to ask. They're just the starting
point. We didn't even mention management review, corrective action, or
improvement, all of which are crucial to an effective QMS. The seven topics
discussed here are the biggest new requirements that auditors will need to probe.
About the Author

Craig Cochran has assisted over 5,000 companies since 1999 in QMS implementation,
problem solving, auditing, and performance improvement. His most recent book is
ISO 9001:2015 in Plain English, available from Paton
Professional: http://www.patonprofessional.com/iso-9001-2015-in-plain-english/
Also on Amazon:
http://www.amazon.com/ISO-9001-2015-Plain-English/dp/1932828729/
Posted by Craig Cochran at 9:17 PM

Saturday, December 12, 2015

Thanks to Quality Digest for the interview they did with me on Friday (Dec 10, 2015) during their Quality Digest
Live show. What a professional and fun organization to work with.
Posted by Craig Cochran at 10:18 PM

Friday, December 11, 2015

My friends at Quality Digest were kind enough to publish this great article about the new book, "ISO 9001:2015 in
Plain English." A big thanks to Mike Richman (QD Publisher) and Dirk Dusharme (QD Editor in Chief). ISO
9001:2015 - An Introduction | Quality Digest
P O S T E D B Y C R A I G C O C H R A N AT 1 1 : 4 1 AM N O C O M M E N T S :
LABELS: CONTINUAL IMPROVEMENT, ISO 9001, ISO 9001:2015, ISO 9001:2015 IN PLAIN
E N G L I S H , M A N A G E M E N T , Q M S , Q U A L I T Y AS S U R A N C E , Q U A L I T Y M A N A G E M E N T S Y S T E M

Thursday, October 22, 2015

Records, Retained Documented Information, and ISO 9001:2015


ISO 9001:2015 does a lot of things right, but using clear language is not one of them. One of the most glaring
examples is the transformation of the word "records" into "retained documented information." That's right,
they took one word and turned it into three. And the three words are not nearly as intuitive as the one word
they replaced. Regardless of what you call them, records are the proof of something happening. They are
historical, referring to past events. As such, they are not revised. Records might be corrected in some cases,
but they are never revised. Only documents are revised. (We'll address documents and their status in ISO
9001:2015 in a future article.) The primary control of records is that of housekeeping: knowing where they are
stored, who is responsible, how long they're kept, etc.
Here is a summary of records requirements in ISO 9001:2015:

24 records are required in ISO 9001:2015. This is compared to 21 records required in ISO 9001:2008. Some
of the 24 records required by ISO 9001:2015 are actually repeat requirements.

20% of all the record requirements come from section 8.3, Design and development of products and
services. That amounts to 5 records, which is the same number required by ISO 9001:2008.

A completely new record that is required in 9001:2015 is retained information on changes: review of
changes, persons authorizing the change, and necessary actions arising from change (section 8.5.6).

ISO 9001 continues its redundant ways. ISO 9001:2015 requires records of evidence of processes being
carried out effectively TWICE, once in section 4.4.2 and again in section 8.1.e.1.

More redundancy: ISO 9001:2015 requires records that demonstrate conformity of products & services
processes TWICE, once in section 8.1.e.2 and again in section 8.6.

5 of the records in ISO 9001:2015 have qualifiers. They are "to the extent necessary" and "as applicable."

One item listed as "retained documented information" (i.e., record) is actually a document. That is design
outputs. Design outputs are living information such as specifications, engineering drawings, recipes,
formulas, and bills of material. Since they are living, they are subject to revision, meaning they are
documents.

A handful of requirements would be virtually impossible to have evidence of without records, and yet
records are not required by ISO 9001:2015. These include context of the organization (4.1), interested parties
(4.2), planning of changes (6.3), and customer feedback (9.1.2).

One of the strangest record issues of all is the omission of calibration records in ISO 9001:2015. This has
been replaced by the requirement to retain information on fitness of purpose for measuring instruments,
which would include calibration. I expect many people implementing ISO 9001:2015 will get a bit confused by
this.

Do not let anyone tell you that the correct terminology is "retained documented information." If you like that
term, then by all means use it. If you prefer the term "records," you can use that in its place. Always remember
that documents and records are two different things. That one fact alone will make any QMS easier to use and
understand.
Posted by Craig Cochran at 9:30 PM
Labels: Continual Improvement, Excellence, ISO 9000, ISO 9001, ISO 9001:2015, QMS, Quality, Quality Management System, Records, Retained Documented Information

Monday, October 12, 2015

Nobody believes in communication more than Darryl Keeler. As President of Tech Systems Inc.,
communication is possibly the single biggest part of his job. After all, Tech Systems Inc.
(www.techsystemsinc.com/) is a security systems integrator with employees in over 32 states, Canada, and
Puerto Rico. Being a medium-sized company with business across such a wide geographic area has its challenges.
Darryl Keeler long ago decided that robust and continuous communication needed to be a guiding principle.
"Communication is the key factor in maintaining a high level of employee satisfaction," Darryl assured me.
"And satisfied well-informed employees ensure that we have highly satisfied clients." Darryl personally writes
the Friday Finale, a company newsletter summary that ends each week and which goes out to every employee.
It maintains a warm touch, covering birthdays, work anniversaries, and anything personal of importance that
is happening with teammates. It also addresses business updates from the previous week. TSI Family Emails
(TSI stands for Tech Systems Inc.) is their way of communicating items that are of high importance to the
entire company, sort of "red alert" emails. These include process changes, policy changes, and major
customer developments. The TSI Family Emails are one step beyond the Friday Finales in terms of business
importance. The Tour De Focus is one of the company's most impressive communication processes. This is
where Darryl Keeler travels around the country and meets with every company employee. He simply sits
down and asks for comments or opportunities for the company to improve based on individual opinions.
These are all captured and recorded, and the leadership team works through all of them and gets back with
the folks who suggested the improvements. This entire list is posted on SharePoint for everyone to review,
and the ideas always number in the hundreds. The employee portal is the live repository of information that
team members use for their jobs. Only the most current versions of documents are available, and it also
includes phone lists, updates, tutorials, and training materials. Finally, the leadership team of Tech Systems
meets every Monday to go over financials, hot company topics, and opportunities for improvement. The
Monday meeting also serves as the primary feeder of information into their monthly management review.
Communication is clearly the oil that flows through the engine of Tech Systems Inc. And the president of the
company, Darryl Keeler, is head mechanic and communicator.
Posted by Craig Cochran at 8:05 AM
Labels: Communication, Continual Improvement, ISO 9000, ISO 9001, ISO 9001:2015, Leadership, Organizational Culture, Quality, Quality Management System

Tuesday, October 6, 2015

Control of production at I. Technical Services


Managing operations can be as simple as ringing a bell. That's the philosophy that I. Technical Services has
taken in Alpharetta, Georgia. I. Technical Services (www.itechserv.com) performs electronic manufacturing
services, including PCB assembly, system assembly, test engineering, repair, and logistics. They compete
against low-cost companies in Asia and elsewhere, so they have to be as efficient and lean as possible. One of
their most efficient processes for managing production is their bell meeting. At 9 AM every morning, their
production supervisor rings a ship's bell mounted on the wall. All the managers and supervisors assemble
under the bell for a stand-up meeting that lasts about 15 minutes. They discuss what is running that day, what
needs to be shipped, and any obstacles or concerns. Important notes are recorded on a white dry-erase board
right below the bell. "Everybody leaves that meeting knowing exactly what needs to happen," Quality
Manager, Hector Rivera, stated. "It's the best investment of 15 minutes you can imagine." Throughout the
day, employees refer to the production notes on the white board, keeping themselves focused on what was
agreed to. They ring the bell again at 3 PM every day, and the key players once more gather around the bell.
The focus of this later meeting is to get everybody caught up on the current status of production. Where are
we right now? What is left to be done? Will we meet all of our commitments today? Resources are
re-arranged, as needed, and last minute roadblocks are removed. The General Manager, Lauren Thompson,
summarized the process by saying, "When we come together under the bell, we're not managers of different
departments. We're a single team working to wow the customer. It reminds us why we're there in the first
place." I. Technical Services has conducted their bell meeting twice a day for years. It's a very simple, yet
powerful process for controlling production.
Posted by Craig Cochran at 11:46 AM
Labels: Continual Improvement, ISO 9000, ISO 9001, ISO 9001:2008, ISO 9001:2015, Management, Managing, Quality Assurance, Quality Management System

Monday, September 28, 2015

Goodbye, Quality Manual


Who loves their quality manual? Please give me a show of hands. Hmm, not much enthusiasm. That's because
the quality manual for most companies serves no other purpose than something to give to customers or
auditors. Most employees have never seen or heard of their company's quality manual. And yet it has been a
required document of ISO 9001 since the standard was first published. That has changed in ISO 9001:2015.
There is no mention of the words "quality manual," and the only true leftover requirement is that you have to
document your quality management system (QMS) scope. I expect that many companies are going to drop
their quality manual altogether now that it's no longer mandated. But wait! Let's re-imagine the quality
manual as a document that actually helps the organization. First of all, let's get rid of the rehash of ISO 9001
requirements. Most quality manuals feature this, and the rehash constitutes 95% of the words included. If you
want to see what ISO 9001 says, get a copy of ISO 9001. The quality manual should be completely focused on the
company, period. Secondly, let's think of the quality manual as a sort of "User Guide" for the company's QMS.
What would an employee or interested party need in a user guide? Well, let's provide the following:

Structure and contents of the management system

Road map to lower-level documents within the system

Company history and background

Overall process flow of the organization

Company's products and services described in a clear, practical manner

Organization's strength and capabilities

What to expect during an audit and how to prepare for one

Responsibilities and authorities of key personnel

The scope of the QMS

Some of these items have always been included in quality manuals, and others are new additions. The point is
to assemble all the high-level content that people need to know into one consolidated location. This could be
accomplished in 3-4 pages at the most. Since it's so lean and streamlined, employees might actually see value
in using it. The quality manual could truly become the gateway to your company's management and business
systems. Now we've got something useful. But let's drop the name "quality manual." Any thoughts for what
this information should be called?
