With the ISO 9000:2000 draft review process moving into its last phase, there has been a sudden increase of
interest in the scope and interpretation of the new requirements. Registrars, auditors, consultants and course providers are all under pressure to develop their positions on specific, technical
issues. Companies using ISO 9000 quality systems are also growing impatient as they wait to find out what they'll need to do to upgrade their systems.
The most visible changes
are in the structure of the ISO 9000 family of standards and in the sectional organization of the ISO 9001 standard. New requirements are predominantly in the areas of customer-related processes
and continual improvement. There are also miscellaneous new requirements pertaining to process control, measuring and monitoring devices, training and awareness, internal communication, work
environment, and legal and regulatory requirements.
The ISO 9000 series now consists of three standards:
ISO 9000:2000 Quality Management Systems -- Fundamentals and
ISO 9001:2000 Quality Management Systems -- Requirements
ISO 9004:2000 Quality Management Systems -- Guidance for Performance Improvement
ISO 9000 discusses the underlying concepts, approaches and roles of key
elements and provides definitions for the new vocabulary. ISO 9000 is not intended to be used as a specification; however, it is named in ISO 9001 as a
normative reference and thus can be used by auditors to support their interpretations of ISO 9001 requirements.
ISO 9001 is the actual specification for the quality management system. Its requirements define the criteria for the quality system audit. The role of this
standard in the series has not changed, but its content and sectional organization are completely revised. Quality system requirements are now organized into
four sections: Section 5 -- Management Responsibility; Section 6 -- Resource Management; Section 7 -- Product and/or Service Realization; and Section 8
-- Measurement, Analysis and Improvement. This new organization makes ISO 9001 more compatible with the ISO 14001 (environmental) standard, and is
consistent with ISO 9004's Plan-Do-Check-Act improvement cycle. It also corrects the undue emphasis on the manufacturing industries that characterized previous editions.
ISO 9002 and ISO 9003 will be discontinued. Instead of choosing a standard with the appropriate scope, all companies will now use ISO 9001, but they're
allowed to reduce the scope of the standard to exclude requirements that don't apply. The reduction of scope may only be applied to Section 7 -- Product
and/or Service Realization, and exclusions may not affect the organization's ability to meet requirements. Reduction of scope must be clearly identified in the quality manual.
The role of ISO 9004 in the series is unchanged. As in previous editions, it's a guide for developing quality management systems. However, it has been
completely rewritten to align it with the new ISO 9001. ISO 9004 is not named in ISO 9001 as a normative reference, and thus it can't be used to define audit
criteria for the ISO 9001 certification audit.
Overview of new requirements
The most important new requirements in ISO 9001:2000 concern customer- related processes and continual improvement. With regard to customer
processes, the new requirements call for identifying customer requirements, needs and expectations; determining customer satisfaction; establishing
procedures for customer communication; and making employees aware of the importance of meeting customer requirements. In the area of continual
improvement, the new requirements concern the quality policy, quality objectives, quality planning, quality performance data and management reviews.
There are also miscellaneous new requirements for process control, measuring and monitoring devices, training and awareness, internal communication, work
environment, and legal and regulatory requirements.
Rather than being grouped in specific, additional clauses, the new requirements
are spread throughout the standard and are often restated and expanded under several sections. For example, requirements pertaining to process control are
first introduced in Section 5, are developed in two separate clauses of Section 7, and then are restated in Section 8. This approach follows the logic of the
standard's new organization, but it also makes it difficult to identify and interpret the requirements. Often the intent of the standard can be interpreted only after
related requirements are culled from different sections and analyzed together.
ISO 9001:1994 had two clauses directly relevant to customer-related processes: Clause 4.3 -- Contract Review and Clause 4.7 --
Customer-Supplied Product. In the new revision, both clauses have been renamed and edited, but the underlying requirements are basically unchanged.
The corresponding clauses in ISO 9000:2000 are 7.2.2 -- Review of Customer Requirements and 7.5.3 -- Customer Property.
In addition to these two, there are six new clauses relevant to customer-related processes:
Clause 5.1 requires top management to demonstrate its commitment to creating awareness of the importance of fulfilling customer requirements.
Clause 5.2 requires top management to ensure that customer needs and
expectations are determined and converted into specific requirements.
Clause 5.6.3 requires that the management representative ensure awareness of customer requirements throughout the organization.
Clause 7.2.1 requires the organization to implement a process for identifying
customer requirements. The process is to include requirements that are not specified but are necessary for fitness of purpose; requirements dictated by
laws and regulations; and requirements for availability, delivery and support.
Clause 7.2.3 requires the organization to define and implement arrangements for communication with customers.
Clause 18.104.22.168 requires the organization to establish a system for obtaining
and using information on customer satisfaction and dissatisfaction.
Together, these clauses seem to demonstrate that the standard now requires
organizations to include in the quality system all departments and functions that deal with and represent customers. Typically, these would include marketing,
sales, customer service, billing and servicing. Once this intent is understood and accepted, interpretation and implementation of all underlying requirements will
follow naturally. Like everyone else in the system, these functions must develop effective methods and processes, document them in procedures, and maintain records of their activities.
To be sure, there will be a lot of resistance to such a sweeping interpretation in many companies. Marketing and sales people genuinely care about the quality
of the product or service they sell, but they don't necessarily see their own work as being directly relevant to quality. Many engineers had this kind of
adverse reaction when ISO 9000 asked them to define their methods and write procedures for the design and development process.
The effort necessary to implement the new requirements will depend on the complexity of marketing, sales and customer service operations, and on how
much documentation already exists. Typically, implementation will consist of the following actions:
Revising existing contract review procedures and/or developing new procedures to document the processes for identification of customer requirements
Developing a new procedure for measuring customer satisfaction and dissatisfaction, which may incorporate or reference the existing procedure for customer complaints
Developing procedures and work instructions defining arrangements for
communication with customers in matters pertaining to product information, order handling, customer complaints and customer feedback
Establishing programs for creating awareness of customer requirements and
the importance of meeting these requirements
Developing measures to ensure that customer needs and expectations are determined and converted into specific requirements. A written procedure is
not explicitly required, but there must be a means of demonstrating conformance.
ISO 9001:2000 doesn't actually have a clause named "Continual Improvement," which is curious because references to that concept are
everywhere. Many of the elements supporting the continual improvement cycle were already required in previous editions of the standard. But now there is a
new, stronger linkage between these elements, and there are several completely new requirements. Identifying the requirements that pertain to continual
improvement is not a precise science. The following requirements are all new; whether they're discussed here or under another heading doesn't really matter:
Clause 5.4 requires the quality policy to include commitments to meeting
requirements and to continual improvement, provide a framework for establishing and reviewing quality objectives, and be periodically reviewed for continuing suitability.
Clause 5.5.1 requires the organization to establish quality objectives
supporting the quality policy and the commitment to meet requirements and pursue continual improvement.
Clause 5.5.2 requires the organization to identify and plan activities and resources needed to achieve quality objectives.
Clause 5.7 requires the management review to evaluate the need for changes
to the quality system, policy and objectives and include review of performance and improvement opportunities. It also requires the outputs from the
management review to include actions related to improvement of the quality system, audits and resource needs.
Clause 8.4 requires the organization to collect and analyze data to determine
the effectiveness of the quality system and to identify where improvements can be made.
Clause 8.5.1 requires the organization to establish a procedure for the use of quality policy, objectives, and quality-related data and information to facilitate
These clauses clarify how the cycle of continual improvement is intended to
work. General policies (Clause 5.4) create a framework for more specific objectives (Clause 5.5.1) that are supported by planned activities and
resources (Clause 5.5.2). The organization collects and analyzes data to determine the effectiveness of the implemented activities (Clause 8.4). The
quality policy, objectives and data on quality performance are input into the management review (Clause 8.5.1), which then outputs changes to the policy,
shifts in objectives and actions to improve the system (Clause 5.7). It's imperative to understand these clauses as elements of such a continual cycle
and to create appropriate interfaces and linkages.
This basic structure for continual improvement is supported by many other
elements of the quality system. Some of these elements have already been required in previous editions of the standard, but others (such as activities for
collecting quality performance data, internal audits and measurement of customer satisfaction) are new. Indeed, it can be argued that each and every
element of the quality system has a role in the continual improvement cycle.
Implementation of these requirements will include:
Revision of the quality policy to include commitments to meeting
requirements and to continual improvement
Establishment of quality objectives consistent with the quality policy and the commitment to continual improvement
Establishment of plans to achieve quality objectives
Development of a new procedure for collecting and analyzing quality performance data
Development of a new procedure for using relevant information and data to
facilitate continual improvement
Revision of the existing management review procedure to address new requirements concerning the scope and output of the review
Training, awareness and communication
Training requirements in ISO 9001 :2000 are considerably broader. Most of Section 6 -- Resource Management is dedicated to training and related issues.
In addition to the old requirements for identifying training needs, providing training, assigning qualified personnel and maintaining records, the standard
now also requires organizations to evaluate the effectiveness of training and establish employee awareness programs.
There are also new requirements for internal communication in Section 5 -- Management Responsibility. Although these requirements are not specifically
linked to training, it will be natural to integrate training and employee awareness programs with the communication system.
The following clauses include requirements pertaining to training, awareness and communication:
Clause 5.1 requires top managers to demonstrate their commitment to creating an awareness of the importance of fulfilling customer requirements.
Clause 5.6.3 requires the management representative to ensure awareness of customer requirements throughout the organization.
Clause 5.6.4 requires the organization to establish a procedure for internal
communication regarding the quality management system.
Clause 6.2.2 requires the organization to evaluate the effectiveness of training and establish procedures for making employees aware of the importance of the
quality management system and of their own roles in achieving conformance with policies, objectives and requirements.
Implementation of these requirements will include:
Revision of the training procedure to define how training effectiveness is evaluated
Establishment of employee awareness programs (documented in procedures)
Development of new procedures for internal communication
Requirements related to process control are concentrated in Section 7 -- Product and/or Service Realization, particularly in Clause 7.1 -- General
Requirements and in Clause 7.5.5 -- Validation of Processes. Clause 7.1 includes a long and detailed list of formal process control measures and
activities, but doesn't clearly state the extent to which implementation of these measures is mandatory.
The clause states that "The organization shall determine how each process affects the ability to meet product and/or service requirements and shall…
determine and implement criteria and methods to control processes, to the extent necessary, to achieve product and/or service conformity with the
customer requirements." If this means that process control measures must be sufficient to eliminate the occurrence of nonconformity, it's the same as requiring
implementation of the best-known process control system for each process. But this could not be the intent of the standard. If such a requirement were to
be enforced, it would cost billions of dollars. On the other hand, if this clause means that process control measures are sufficient as long as the shipped
product conforms to requirements, one could comply by inspecting and segregating nonconforming product without any process control measures at all.
Again, this could not be the intent of the standard. The criteria for selecting and implementing appropriate process control systems must be somewhere in
between, but the standard fails to specify where.
There is also a process control-related requirement in Clause 8.2.2. The
requirement is to "… apply suitable methods for measurement and monitoring of processes necessary to meet customer requirements and to demonstrate the
process's continuing ability to satisfy its intended purpose." Here, again, the language is indefinite. It could imply formal process capability and process
performance studies, but could also mean a simple inspection of output. It will be a challenge for auditors to find a nonconformance based on this clause.
Because the new standard fails to provide any meaningful criteria for selecting and implementing process control measures, one can argue that nothing has
changed from the previous editions. Organizations can still decide on their own how they want (or don't want) to control their processes. Auditors can only
require that each process be reviewed for relevant process control measures, and that the implemented process control systems are properly operated and maintained.
Lack of clarity aside, it's obvious that the new standard has moved significantly toward requiring implementation of formal process control systems for all
relevant processes. Process control is no longer an optional activity expected only in special industries such as automotive or aerospace. With this new
standard, auditors will expect every organization, regardless of the nature of its product or service, to have the knowledge of process control techniques and
systematically evaluate all processes to determine which should be controlled and how.
The following clauses contain new requirements relevant to process control:
Clause 7.1 requires organizations to determine and implement the criteria and methods to control processes to the extent necessary to achieve product
conformity and consistent operation; to monitor processes, including measurement and follow-up actions, to ensure that processes continue to
operate satisfactorily; and to maintain records of the results of process control measures.
Clause 8.2.2 requires application of suitable methods for measurement and monitoring of processes.
The effort needed to implement these requirements will depend on the current state of process control programs in the company. In many smaller companies,
especially those lacking experience with formal process control, it will be substantial. First of all, they will need to acquire the relevant knowledge, and
then apply it to a systematic review of all key processes to identify those that need to be controlled. The next step will be to select suitable process control
measures for these processes. Finally, they will need to establish the actual control procedures and instructions and train process operators in their use.
All together, there are more than 30 new actionable and auditable requirements in ISO 9000:2000. About three-quarters of them fall into the four
major categories discussed above. The remaining requirements can't be neatly grouped into such major categories; they're spread throughout the standard and
pertain to diverse elements of the quality system. Most of them are minor and easy to understand and implement. Of the remaining requirements, the following four are probably the most important.
Clause 5.3 requires organizations to identify and gain access to legal requirements regarding quality aspects of products and/or services. To
implement this requirement, a new procedure should be developed to define how applicable legal and regulatory requirements are identified and how they
are communicated to those responsible for their implementation.
Clause 6.5 requires organizations to define and implement the suitable work environment needed to achieve product and/or service conformity. At first, this
clause may be interpreted as a movement of ISO 9000 into the realm of health and safety. However, careful reading reveals that the work environment is
relevant only in the context of product conformity. To identify a nonconformance against this clause, auditors must have objective evidence that
working conditions are detrimental to achieving product conformity. A minor violation of health and safety regulations or standards would not, in itself, be
sufficient to trigger a nonconformance. Work environment may be specified in laws and regulations, in a company's health and safety manuals and policies, in
external standards and codes of practice to which the company subscribes (for example, SA8000), or even in contracts. In some instances it may be also
appropriate to establish specific limits for particular processes, operations or areas, regardless of whether these are regulated.
Clause 7.3.7 requires organizations to determine the effect of design changes
on the overall design and determine whether reverification or revalidation of design is required. To implement this requirement, the procedure dealing with
design changes should be amended to require a review of the effects that changes may have on the overall design. The procedure should include a
checklist, or should at least define the scope of the review, to determine whether full or partial reverification or revalidation of the design is required.
Clause 7.6 requires organizations that use software for product verification to
validate it prior to use and control the development of special-purpose software. The extent of software development controls shall be the same as for
controls that apply to design and development of products (Clause 7.3). To implement these requirements, the procedure dealing with control of measuring
and testing devices should be amended to define validation requirements for inspection and testing software, including assignment of responsibilities,
validation scope and criteria, and methods for authorizing and releasing the software. The procedure should also require that special purpose software be
developed in accordance with the same control requirements that apply to design and development of products. Companies that often develop or
customize special inspection software should have a dedicated procedure for this purpose.
Overall, ISO 9001:2000 is a much better standard than its predecessors. It represents a more modern approach to quality management and is closer to
current management system thinking. The most important improvements are the reorganization of the standard to follow the Plan-Do-Check-Act loop, the
introduction of systems and activities to facilitate continual improvement, greater emphasis on employee awareness and involvement, and the incorporation of
functions representing the voice of the customer into the quality system.
On the negative side, the standard introduces these new ideas and concepts
with some hesitation and a lack of conviction. A typical example is Clause 5.5.1 -- Objectives. It calls for establishment of quality objectives, but there are
no specific requirements for defining the process for establishing the objectives and no requirements for developing programs to support, monitor and review
the objectives. The same is true for the identification of customer needs and expectations and many other new elements. At this stage, it seems that the
standard only introduces the new concepts without requiring proper structures to implement them.
About the author
Jack Kanholm is the author of several books on ISO 9000, QS-9000 and ISO 14000. This article was inspired by his latest book, ISO 9000:2000, 33 New Requirements and Compliance Guide
, which was published in September. All of Kanholm's books are available on the Internet at www.aqapress.com. If you have any comments or questions regarding this
article, e-mail the author at firstname.lastname@example.org .