Monday 8 April 2013

Article: So, you want ISO 9001

Many companies want to provide good quality products and services but you don’t have to be certified to ISO 9001 for this.  However, having third-party assessment of your QA practices, which is what you get with certification to ISO 9001, gives you a status which is recognised by most clients.  It used to be that ISO 9001 companies were in the minority and this would make them stand out.  Now companies are realising that they are going to be left behind without it.  I know of many companies who have lost contracts because they are not certified to ISO 9001.  Many clients invariably ask for ISO 9001. If they don’t, then tender documents will require you to go in to detail of your QA management systems.

So what is ISO 9001 and how do we go about getting certification?

ISO 9001 is a QA management standard.  Note that it is management standard, not a performance standard.  So it is not a just matter of doing the right thing; it is also how you approach that in an auditable, sustainable and improving way.
Essentially there are two steps to gaining certification:

  • Setting up and implementing management systems to cover the clauses in the ISO 9001 standard.
  • Being audited by a UKAS-accredited certification body.  This requires initial certification visits and then repeat visits to maintain certification.

So how do I go about setting up and implementing management systems?

Before we go any further, I’d just like to recommend that your documentation should be implementation-based.  What I mean by this is that it should be written from the perspective of the users of the different systems and not look like semi-legal documents.  I recommend the following:

  • Use flowcharts wherever possible.  A system comprising a couple of pages of flowcharts is far more understandable that multiple pages of, “The Production Manager, on receipt of ……”.  Flowcharts are just as acceptable to the certification body.
  • Where text is necessary, write it in the form of an instruction to whoever is carrying out the action and possibly in tabular form.  So, in one column you may have “QA Co-ordinator” and in the next “File waste transfer notes”
  • Avoid text like “The QualityCo-ordinator shall ….”.  Sometimes it’s unavoidable, but minimise it.
  • Be concise.  You are not being judged on your weight of documentation, just that it covers the relevant ISO 9001 clauses and how well it is implemented. 
 It is also worth emphasising two further key points:
  • The philosophy should be “Say what you do and do what you say.”  It is pointless having an ideal system if the reality is different. 
  • Avoid as much as possible having additional requirements whose function is only to satisfy the 9001 system.  Some may be necessary, but keep these to a minimum.
ISO 9001 shows the following structure:


Whilst you could create a quality policy as the first step, it is best to regard this as being just a draft.  Once you have done the other steps, you will almost certainly have to amend it.


As part of the planning stage, you will need a system to address the 9001 requirement to have, and to manage QA objectives. 

Each objective must have some way of assessing if you have met the objective and a target completion date.  If you use INTACT (see below) then the individual actions towards meeting each objective are linked to the objective and shows the complete story; very handy when it comes to your certification visits.

Implementation and Operation

Key operations

You will need to identify the stages in your operations and the steps necessary to maintain quality.  Typical stages may be split into Estimation, Order Receipt, Pre-press, Materials Control, Printing, Finishing, Outworking, Despatch and Invoicing.

Where there are decision points in any step, then you need to define who is authorised to make the decision and how is this recorded.  This last point is often the one that gets missed.

Where there may be a problem, you need to define how this may be addressed.  For example, what steps to take if the authorised person is unsure about his decision.  This is not too bad with internal decision makers, but you need to cover how outworking problems are resolved.

Support operations

ISO 9001 requires you to control those operations which support the key operations where these operations are necessary to ensure quality.  Therefore, you need to also address calibration and data back-up.


Many companies fall down when it comes to training records.  People may be competent through experience or training, but you need a system to record this.  I suggest that this system allows for both conventional training courses and an assessment of competence by somebody in authority in the company; you don’t necessarily have to attend a course to become competent but you need some record that somebody has assessed that person for competence.

Checking and corrective action

This is an essential part of the feedback loop that ensures that your system continues to run.  You need two parts to this:

Customer feedback and internal problems

There is the tendency with problems to immediately fix the problem and do nothing more.  You need a system to simply record both customer feedback and internal problems.  Once you have got these, periodically analyse these to determine any root causes.  It is worth categorising the problem, say Late Delivery, when it is recorded.  This doesn’t take any longer at that time and makes life simpler when analysing the data.

Note that, unlike earlier QA standards which seemed to concentrate on consistency, ISO 9001 places emphasis on customer satisfaction.

System effectiveness reviews

This is referred to in ISO 9001 as auditing, but this term means different things to different people and I therefore avoid it.  You need to review each systems to determine:

  • Is it fit for purpose?  What are its objectives and will it achieve them if implemented properly?
  • Is it being implemented properly?  Are people aware of it? Is there an unofficial alternative system being followed? (What I call the parallel universe syndrome.)

You will need a schedule of effectiveness reviews and people competent to carry them out.  Some certification bodies require a full set of reviews to have been carried out before certification.  Whilst this may be excessive, you will certainly have to have reviewed all the key systems before certification.

You should also plan to review the operations at any of your key suppliers, say your key outworkers such as spot varnishers.

Management Review

ISO 9001 requires you to have periodic management reviews and actually states the topics to be included.  In the initial stages these may be quite frequent but it may be possible to reduce the frequency later.  I would not recommend have a frequency any longer than every 6 months.  Some companies like to hold them every month.  

Making it all palatable

Without a doubt, the stages of setting this up from scratch require quite some effort and companies take one of two routes:
1.     Appoint someone internally and they work on this full-time
2.     Use external sources to set up the systems and carry out most of the initial work and then use internal people to run the system in additional to their prime role
If route [1] is taken, then it is probably acceptable to have systems that require some effort to track any data.  However, most companies do not have the luxury of having such a person.
If route [2] is taken, then provided that a sensible approach is taken to data management, the tasks to run the system should not be at all onerous.
Where SSS have provided the service to set up the system, then a computerised action management system called INTACT comes an inclusive part of the package.  Options within INTACT enable is to be used to manage QA, health and safety and training records.
Essentially, INTACT replaces the majority of the paperwork and all other systems such as spreadsheets and word-processed documents to form an integrated action management system.  All of the data, such as customer feedback, internal problems, system effectiveness reviews, objectives, management meeting minutes are logged within INTACT.  In addition, analysis of data can be done at the click of a button.

About the author

Phil Chambers BSc CMIOSH
Phil completed an apprenticeship with an engineering company, gained a Production Engineering degree and subsequently became a Chartered Engineer.  After a career mainly with Moog Controls and Cosworth, Phil joined CRA in Melbourne where he immediately started work on the safety of molten aluminium in addition to his main management role.  After a period concentrating on health & safety and environmental management, including molten aluminium operations in Australia, New Zealand and the USA, he returned to the UK in 1996 and formed Strategic Safety Systems Ltd. (SSS)
Phil is a Chartered Health and Safety Practitioner and was a contributor to the second edition of the Printers Guide to Health and Safety (available from HSE Books) and.  Phil has carried out certification support for many companies, with certification gained to ISO 9001, ISO 14001, OHSAS 18001, ISO 27001, FSC/FEPC and other standards.
In addition to certification support, SSS also provides health & safety and environmental services and computerised systems to manage these and other areas
Phil is married with four adult children and lists among his interests, the support of Gloucester Rugby Football Club



No comments:

Post a Comment