Looking back at my quality career since 1984, I remember contributing to a quality manual of a Motorola Division in 1987-88 for ISO 9001 certification. The standards were released in 1987. Initially, the ISO 9001 standards were developed to benefit from industry best practices and implement a quality management system for consistency since variation was thought to be evil according to Dr. Deming. A shared understanding developed that ISO 9000 standards meant ‘do what you say in documents and say in those documents what you do.’ The implication was that people said very little in the documents.
I have also learned by working at quality-driven companies that good practices include developing and designing good processes for excellent performance and documenting them for consistency or ongoing excellent performance. However, the third-party focus on compliance led to questionable designs of the processes and as a result, ISO 9001 in its first generation created a perception of excessive documentation.
Subsequent versions of ISO 9000 quality management standards have been released in 1994, 2000, 2008 and 2015 with the intent of making the quality management system standards to be more business-performance driven and require reduced required documentation. ISO 9001:2000 version was a major structural change from the original version of the ISO 9001 standards. Even government, military and FDA quality management system standards aligned with the ISO 9001 standards. Although the ISO 9001:2015 does not introduce a major structural change, it does introduce a few key element-level changes. However, at least medical device standards ISO 13485 have preserved the pre-2015 clause, in the case of preventive action.
How do ISO 9001:2015 standards visibly identify changes in the quality management system? The list includes removing the preventive action, replacing with risk assessment, use of business context for its scope and stakeholders, and better use of the PDCA model and emphasis on the process approach.
Over the years I have learned that QMS is a way of doing work at a company and includes all activities and everyone. Quality is a state of mind leading to behaviors to excel in everything, which implies striving for target performance and verifiable actions (compliance) with the desired results (effectiveness). In other words, a quality management system is practically a business management system. That is how the QMS should be perceived and deployed in an organization, instead of a boxed-up ‘quality’ function. With the right strategies, if the business is not doing well, business problems are the quality problems and can be addressed as such. Once I heard Bob Galvin, then CEO of Motorola, told his leadership team to take care of quality and the business will be taken care of.
Table 1: A High-Level Comparison of ISO 9001:2008 and ISO 9001:2015 Standards
Context of the Organization
To bring business relevance to a QMS, this section plays an important role and creates opportunities make a visible impact. Quality must make economic sense, and it must support achieving business objectives. In establishing a business context to our QMS, we used a stakeholder’s analysis matrix to establish their expectations and measurable objectives. Typically, stakeholders include customers, corporate, executives, employees, suppliers and community. QMS addressing all stakeholders’ expectations makes QMS relevant to each stakeholder. This section also has more explicitly required processes of the quality management system, and specified process inputs, sequence, interactions, outputs, criteria for effectiveness, and risks and opportunities, improvement and the required documentation including records. If the organization and its context are understood and specified as required in the ISO 9001 standards, the QMS could be designed for a ‘pull with benefits’ rather than a ‘push.’
ISO 9001:2015 identifies risks in the leadership and planning sections. The leadership section identifies risks associated with the conformity of products and services, and planning addresses risks associated with QMS. The leadership section is looking into risks with products and services, and the planning section addresses risks at the business level. SWOT (strengths, weakness, opportunities, and threats) can be used to identify business risks and process approach to identify product and services related risks.
SWOT stands for strength, weakness, opportunities, and threats. A cross-functional team performing the SWOT analysis identifies organizational strengths to benefit from, and weaknesses to minimize the adverse impact, opportunities identify areas to improve and serve customers better, and threats point to the potential market, technology or people risks. Once the risks are identified primarily in weaknesses, opportunities and threats sections, they can be analyzed using the FMEA (failure modes and effects analysis) method and prioritized using the risk priority number (RPN). High-risk items are then addressed through specific action items.
Product or process-related risks can be identified at considering potential risks associated with material, information, machine, tool, method, approach, skills, and people. Design and process FMEAs can be used to identify product and process-related risks that can be minimized.
Corrective and preventive actions are critical to the success of a QMS by driving continuous improvement and preventing recurring problems at the part, process or system level. There has been confusion between the corrective and preventive action. In a sense, even the corrective action shall be preventive in nature to avoid the recurrence of a problem. Experts have tried to articulate differences between corrective actions from preventive actions. Some people understood that corrective action is at a component or the opportunity level, while the preventive action is more at the higher system level. However, it was a constant confusion that eventually led to its removal from the ISO 9001:2015 standards. In intent, the preventive action has been replaced by the risk assessment and risk mitigation. However, the risk assessment and mitigation requirements are neither precisely articulated nor remedial actions accurately implemented.
I’ve learned in my early years at Motorola and AT&T Bell Labs that good companies implement quality management systems in order to produce good quality products and services with respect to its brand value. If a company has implemented an effective QMS to achieve its business objectives and comply with the ISO 9001 standards requirements, revisions in quality standards over time do not make a major impact on the success of its QMS. Organizations are not in the business of implementing a QMS, instead, organizations are in the business to serve customers using QMS. One must understand that all second or third party auditors are not equally equipped to perform effective quality audits against the requirements as intended. Instead, they perform compliance audits against the requirements as written.
回顾我自1984年以来的质量职业生涯，我记得在1987-88年为摩托罗拉分部的质量手册做出了贡献，以获取ISO 9001认证。该标准于1987年发布。最初，ISO 9001标准的开发是为了受益于行业最佳实践并实施质量管理体系以保持一致性，因为根据戴明博士的说法，变化是有害的。达成共识，即ISO 9000标准的含义是“按照您在文件中所说的做，然后在那些文件中说您要做的事情。”这意味着人们在文件中很少说。
ISO 9000质量管理标准的后续版本已于1994年，2000年，2008年和2015年发布，目的是使质量管理体系标准更加以业务绩效为导向，并减少所需的文档编制。 ISO 9001：2000版本是对ISO 9001标准原始版本的主要结构更改。甚至政府，军事和FDA质量管理体系标准也与ISO 9001标准保持一致。尽管ISO 9001：2015并未引入重大的结构更改，但确实引入了一些关键的元素级更改。但是，在采取预防措施的情况下，至少医疗设备标准ISO 13485保留了2015年之前的条款。
表1：ISO 9001：2008和ISO 9001：2015标准的高级比较
ISO 9001：2015在领导力和计划部分确定了风险。领导部分确定与产品和服务的一致性相关的风险，并计划解决与QMS相关的风险。领导部分正在研究产品和服务的风险，而计划部分则在业务级别解决风险。 SWOT（优势，劣势，机会和威胁）可以用来识别业务风险，并可以使用流程方法来识别与产品和服务相关的风险。