ISO 9000:2K



ISO 9000:2000

is almost

ready to hit

the shelves --

here's what

you can


by Jack Kanholm

With the ISO 9000:2000 draft review process moving into its last phase, there has been a sudden increase of interest in the scope and interpretation of the new requirements. Registrars, auditors, consultants and course providers are all under pressure to develop their positions on specific, technical issues. Companies using ISO 9000 quality systems are also growing impatient as they wait to find out what they'll need to do to upgrade their systems.

 The most visible changes are in the structure of the ISO 9000 family of standards and in the sectional organization of the ISO 9001 standard. New requirements are predominantly in the areas of customer-related processes and continual improvement. There are also miscellaneous new requirements pertaining to process control, measuring and monitoring devices, training and awareness, internal communication, work environment, and legal and regulatory requirements.


 The ISO 9000 series now consists of three standards:

 ISO 9000:2000 Quality Management Systems -- Fundamentals and Vocabulary

  ISO 9001:2000 Quality Management Systems -- Requirements

  ISO 9004:2000 Quality Management Systems -- Guidance for Performance Improvement


 ISO 9000 discusses the underlying concepts, approaches and roles of key elements and provides definitions for the new vocabulary. ISO 9000 is not intended to be used as a specification; however, it is named in ISO 9001 as a normative reference and thus can be used by auditors to support their interpretations of ISO 9001 requirements.

 ISO 9001 is the actual specification for the quality management system. Its requirements define the criteria for the quality system audit. The role of this standard in the series has not changed, but its content and sectional organization are completely revised. Quality system requirements are now organized into four sections: Section 5 -- Management Responsibility; Section 6 -- Resource Management; Section 7 -- Product and/or Service Realization; and Section 8 -- Measurement, Analysis and Improvement. This new organization makes ISO 9001 more compatible with the ISO 14001 (environmental) standard, and is consistent with ISO 9004's Plan-Do-Check-Act improvement cycle. It also corrects the undue emphasis on the manufacturing industries that characterized previous editions.

 ISO 9002 and ISO 9003 will be discontinued. Instead of choosing a standard with the appropriate scope, all companies will now use ISO 9001, but they're allowed to reduce the scope of the standard to exclude requirements that don't apply. The reduction of scope may only be applied to Section 7 -- Product and/or Service Realization, and exclusions may not affect the organization's ability to meet requirements. Reduction of scope must be clearly identified in the quality manual.

 The role of ISO 9004 in the series is unchanged. As in previous editions, it's a guide for developing quality management systems. However, it has been completely rewritten to align it with the new ISO 9001. ISO 9004 is not named in ISO 9001 as a normative reference, and thus it can't be used to define audit criteria for the ISO 9001 certification audit.

Overview of new requirements

 The most important new requirements in ISO 9001:2000 concern customer- related processes and continual improvement. With regard to customer processes, the new requirements call for identifying customer requirements, needs and expectations; determining customer satisfaction; establishing procedures for customer communication; and making employees aware of the importance of meeting customer requirements. In the area of continual improvement, the new requirements concern the quality policy, quality objectives, quality planning, quality performance data and management reviews. There are also miscellaneous new requirements for process control, measuring and monitoring devices, training and awareness, internal communication, work environment, and legal and regulatory requirements.

 Rather than being grouped in specific, additional clauses, the new requirements are spread throughout the standard and are often restated and expanded under several sections. For example, requirements pertaining to process control are first introduced in Section 5, are developed in two separate clauses of Section 7, and then are restated in Section 8. This approach follows the logic of the standard's new organization, but it also makes it difficult to identify and interpret the requirements. Often the intent of the standard can be interpreted only after related requirements are culled from different sections and analyzed together.

Customer-related processes

 ISO 9001:1994 had two clauses directly relevant to customer-related processes: Clause 4.3 -- Contract Review and Clause 4.7 -- Customer-Supplied Product. In the new revision, both clauses have been renamed and edited, but the underlying requirements are basically unchanged. The corresponding clauses in ISO 9000:2000 are 7.2.2 -- Review of Customer Requirements and 7.5.3 -- Customer Property.

 In addition to these two, there are six new clauses relevant to customer-related processes:

 Clause 5.1 requires top management to demonstrate its commitment to creating awareness of the importance of fulfilling customer requirements.

 Clause 5.2 requires top management to ensure that customer needs and expectations are determined and converted into specific requirements.

 Clause 5.6.3 requires that the management representative ensure awareness of customer requirements throughout the organization.

 Clause 7.2.1 requires the organization to implement a process for identifying customer requirements. The process is to include requirements that are not specified but are necessary for fitness of purpose; requirements dictated by laws and regulations; and requirements for availability, delivery and support.

 Clause 7.2.3 requires the organization to define and implement arrangements for communication with customers.

 Clause requires the organization to establish a system for obtaining and using information on customer satisfaction and dissatisfaction.


 Together, these clauses seem to demonstrate that the standard now requires organizations to include in the quality system all departments and functions that deal with and represent customers. Typically, these would include marketing, sales, customer service, billing and servicing. Once this intent is understood and accepted, interpretation and implementation of all underlying requirements will follow naturally. Like everyone else in the system, these functions must develop effective methods and processes, document them in procedures, and maintain records of their activities.

 To be sure, there will be a lot of resistance to such a sweeping interpretation in many companies. Marketing and sales people genuinely care about the quality of the product or service they sell, but they don't necessarily see their own work as being directly relevant to quality. Many engineers had this kind of adverse reaction when ISO 9000 asked them to define their methods and write procedures for the design and development process.

 The effort necessary to implement the new requirements will depend on the complexity of marketing, sales and customer service operations, and on how much documentation already exists. Typically, implementation will consist of the following actions:

 Revising existing contract review procedures and/or developing new procedures to document the processes for identification of customer requirements

  Developing a new procedure for measuring customer satisfaction and dissatisfaction, which may incorporate or reference the existing procedure for customer complaints

 Developing procedures and work instructions defining arrangements for communication with customers in matters pertaining to product information, order handling, customer complaints and customer feedback

 Establishing programs for creating awareness of customer requirements and the importance of meeting these requirements

  Developing measures to ensure that customer needs and expectations are determined and converted into specific requirements. A written procedure is not explicitly required, but there must be a means of demonstrating conformance.

Continual improvement

 ISO 9001:2000 doesn't actually have a clause named "Continual Improvement," which is curious because references to that concept are everywhere. Many of the elements supporting the continual improvement cycle were already required in previous editions of the standard. But now there is a new, stronger linkage between these elements, and there are several completely new requirements. Identifying the requirements that pertain to continual improvement is not a precise science. The following requirements are all new; whether they're discussed here or under another heading doesn't really matter:

 Clause 5.4 requires the quality policy to include commitments to meeting requirements and to continual improvement, provide a framework for establishing and reviewing quality objectives, and be periodically reviewed for continuing suitability.

 Clause 5.5.1 requires the organization to establish quality objectives supporting the quality policy and the commitment to meet requirements and pursue continual improvement.

 Clause 5.5.2 requires the organization to identify and plan activities and resources needed to achieve quality objectives.

 Clause 5.7 requires the management review to evaluate the need for changes to the quality system, policy and objectives and include review of performance and improvement opportunities. It also requires the outputs from the management review to include actions related to improvement of the quality system, audits and resource needs.

 Clause 8.4 requires the organization to collect and analyze data to determine the effectiveness of the quality system and to identify where improvements can be made.

 Clause 8.5.1 requires the organization to establish a procedure for the use of quality policy, objectives, and quality-related data and information to facilitate continual improvement.


 These clauses clarify how the cycle of continual improvement is intended to work. General policies (Clause 5.4) create a framework for more specific objectives (Clause 5.5.1) that are supported by planned activities and resources (Clause 5.5.2). The organization collects and analyzes data to determine the effectiveness of the implemented activities (Clause 8.4). The quality policy, objectives and data on quality performance are input into the management review (Clause 8.5.1), which then outputs changes to the policy, shifts in objectives and actions to improve the system (Clause 5.7). It's imperative to understand these clauses as elements of such a continual cycle and to create appropriate interfaces and linkages.

 This basic structure for continual improvement is supported by many other elements of the quality system. Some of these elements have already been required in previous editions of the standard, but others (such as activities for collecting quality performance data, internal audits and measurement of customer satisfaction) are new. Indeed, it can be argued that each and every element of the quality system has a role in the continual improvement cycle.

 Implementation of these requirements will include:

 Revision of the quality policy to include commitments to meeting requirements and to continual improvement

  Establishment of quality objectives consistent with the quality policy and the commitment to continual improvement

 Establishment of plans to achieve quality objectives

 Development of a new procedure for collecting and analyzing quality performance data

 Development of a new procedure for using relevant information and data to facilitate continual improvement

  Revision of the existing management review procedure to address new requirements concerning the scope and output of the review

Training, awareness and communication

 Training requirements in ISO 9001 :2000 are considerably broader. Most of Section 6 -- Resource Management is dedicated to training and related issues. In addition to the old requirements for identifying training needs, providing training, assigning qualified personnel and maintaining records, the standard now also requires organizations to evaluate the effectiveness of training and establish employee awareness programs.

 There are also new requirements for internal communication in Section 5 -- Management Responsibility. Although these requirements are not specifically linked to training, it will be natural to integrate training and employee awareness programs with the communication system.

 The following clauses include requirements pertaining to training, awareness and communication:

 Clause 5.1 requires top managers to demonstrate their commitment to creating an awareness of the importance of fulfilling customer requirements.

  Clause 5.6.3 requires the management representative to ensure awareness of customer requirements throughout the organization.

 Clause 5.6.4 requires the organization to establish a procedure for internal communication regarding the quality management system.

  Clause 6.2.2 requires the organization to evaluate the effectiveness of training and establish procedures for making employees aware of the importance of the quality management system and of their own roles in achieving conformance with policies, objectives and requirements.


 Implementation of these requirements will include:

  Revision of the training procedure to define how training effectiveness is evaluated

 Establishment of employee awareness programs (documented in procedures)

 Development of new procedures for internal communication

Process control

 Requirements related to process control are concentrated in Section 7 -- Product and/or Service Realization, particularly in Clause 7.1 -- General Requirements and in Clause 7.5.5 -- Validation of Processes. Clause 7.1 includes a long and detailed list of formal process control measures and activities, but doesn't clearly state the extent to which implementation of these measures is mandatory.

 The clause states that "The organization shall determine how each process affects the ability to meet product and/or service requirements and shall… determine and implement criteria and methods to control processes, to the extent necessary, to achieve product and/or service conformity with the customer requirements." If this means that process control measures must be sufficient to eliminate the occurrence of nonconformity, it's the same as requiring implementation of the best-known process control system for each process. But this could not be the intent of the standard. If such a requirement were to be enforced, it would cost billions of dollars. On the other hand, if this clause means that process control measures are sufficient as long as the shipped product conforms to requirements, one could comply by inspecting and segregating nonconforming product without any process control measures at all. Again, this could not be the intent of the standard. The criteria for selecting and implementing appropriate process control systems must be somewhere in between, but the standard fails to specify where.

 There is also a process control-related requirement in Clause 8.2.2. The requirement is to "… apply suitable methods for measurement and monitoring of processes necessary to meet customer requirements and to demonstrate the process's continuing ability to satisfy its intended purpose." Here, again, the language is indefinite. It could imply formal process capability and process performance studies, but could also mean a simple inspection of output. It will be a challenge for auditors to find a nonconformance based on this clause.

 Because the new standard fails to provide any meaningful criteria for selecting and implementing process control measures, one can argue that nothing has changed from the previous editions. Organizations can still decide on their own how they want (or don't want) to control their processes. Auditors can only require that each process be reviewed for relevant process control measures, and that the implemented process control systems are properly operated and maintained.

 Lack of clarity aside, it's obvious that the new standard has moved significantly toward requiring implementation of formal process control systems for all relevant processes. Process control is no longer an optional activity expected only in special industries such as automotive or aerospace. With this new standard, auditors will expect every organization, regardless of the nature of its product or service, to have the knowledge of process control techniques and systematically evaluate all processes to determine which should be controlled and how.

 The following clauses contain new requirements relevant to process control:

  Clause 7.1 requires organizations to determine and implement the criteria and methods to control processes to the extent necessary to achieve product conformity and consistent operation; to monitor processes, including measurement and follow-up actions, to ensure that processes continue to operate satisfactorily; and to maintain records of the results of process control measures.

 Clause 8.2.2 requires application of suitable methods for measurement and monitoring of processes.


 The effort needed to implement these requirements will depend on the current state of process control programs in the company. In many smaller companies, especially those lacking experience with formal process control, it will be substantial. First of all, they will need to acquire the relevant knowledge, and then apply it to a systematic review of all key processes to identify those that need to be controlled. The next step will be to select suitable process control measures for these processes. Finally, they will need to establish the actual control procedures and instructions and train process operators in their use.

Additional requirements

 All together, there are more than 30 new actionable and auditable requirements in ISO 9000:2000. About three-quarters of them fall into the four major categories discussed above. The remaining requirements can't be neatly grouped into such major categories; they're spread throughout the standard and pertain to diverse elements of the quality system. Most of them are minor and easy to understand and implement. Of the remaining requirements, the following four are probably the most important.

  Clause 5.3 requires organizations to identify and gain access to legal requirements regarding quality aspects of products and/or services. To implement this requirement, a new procedure should be developed to define how applicable legal and regulatory requirements are identified and how they are communicated to those responsible for their implementation.

  Clause 6.5 requires organizations to define and implement the suitable work environment needed to achieve product and/or service conformity. At first, this clause may be interpreted as a movement of ISO 9000 into the realm of health and safety. However, careful reading reveals that the work environment is relevant only in the context of product conformity. To identify a nonconformance against this clause, auditors must have objective evidence that working conditions are detrimental to achieving product conformity. A minor violation of health and safety regulations or standards would not, in itself, be sufficient to trigger a nonconformance. Work environment may be specified in laws and regulations, in a company's health and safety manuals and policies, in external standards and codes of practice to which the company subscribes (for example, SA8000), or even in contracts. In some instances it may be also appropriate to establish specific limits for particular processes, operations or areas, regardless of whether these are regulated.

 Clause 7.3.7 requires organizations to determine the effect of design changes on the overall design and determine whether reverification or revalidation of design is required. To implement this requirement, the procedure dealing with design changes should be amended to require a review of the effects that changes may have on the overall design. The procedure should include a checklist, or should at least define the scope of the review, to determine whether full or partial reverification or revalidation of the design is required.

 Clause 7.6 requires organizations that use software for product verification to validate it prior to use and control the development of special-purpose software. The extent of software development controls shall be the same as for controls that apply to design and development of products (Clause 7.3). To implement these requirements, the procedure dealing with control of measuring and testing devices should be amended to define validation requirements for inspection and testing software, including assignment of responsibilities, validation scope and criteria, and methods for authorizing and releasing the software. The procedure should also require that special purpose software be developed in accordance with the same control requirements that apply to design and development of products. Companies that often develop or customize special inspection software should have a dedicated procedure for this purpose.


 Overall, ISO 9001:2000 is a much better standard than its predecessors. It represents a more modern approach to quality management and is closer to current management system thinking. The most important improvements are the reorganization of the standard to follow the Plan-Do-Check-Act loop, the introduction of systems and activities to facilitate continual improvement, greater emphasis on employee awareness and involvement, and the incorporation of functions representing the voice of the customer into the quality system.

 On the negative side, the standard introduces these new ideas and concepts with some hesitation and a lack of conviction. A typical example is Clause 5.5.1 -- Objectives. It calls for establishment of quality objectives, but there are no specific requirements for defining the process for establishing the objectives and no requirements for developing programs to support, monitor and review the objectives. The same is true for the identification of customer needs and expectations and many other new elements. At this stage, it seems that the standard only introduces the new concepts without requiring proper structures to implement them.

About the author

 Jack Kanholm is the author of several books on ISO 9000, QS-9000 and ISO 14000. This article was inspired by his latest book, ISO 9000:2000, 33 New Requirements and Compliance Guide , which was published in September. All of Kanholm's books are available on the Internet at If you have any comments or questions regarding this article, e-mail the author at .

Today's Specials

Menu Level Above 

[Contents] [News] [WebLinks] [Columnists]

This Menu LeveL 

[ISO 9000:2K] [CMM] [QS-9000] [Happy] [DMIS] [Vision]

Menu  Level Below 


Copyright 1999 QCI International. All rights reserved.
Quality Digest can be reached by phone at (530) 893-4095. E-mail:
Click Here