ISO Registered is a banner proudly and prominently hung in many corporate lobbies. But what does it really tell a prospective customer about the companys capability, competence and quality?
There is considerable confusion regarding ISO 9000 standards and in how to appropriately interpret registration. The purpose of this note is to present readers with basic, general information on the history, structure, objectives and the direction of ISO and the ISO 9000 standards.
The note starts with a short introduction to ISO. It then provides a brief history of the development of the ISO organisation, followed by a description of the available ISO 9000 management systems registrations. The note then outlines the process a company follows to successfully attain registration and ends with a brief comment on the current status and direction of ISO 9000 registration standards.
You will note there are a number of references listed at the end of this note. Interested readers can use these to access more complete information regarding ISO 9000 and other standards. Many of the sites provided offer additional links to related sites.
Exhibit 3 Consultants, Registrars, and Other Information Sources
Exhibit 4 ISO Member Countries
International Organization for Standardisation (ISO), the federation responsible for establishing ISO standards, is made up of regulatory bodies from over 130 countries. It is headquartered in Geneva, Switzerland. The mission of the organization is to promote development of standardisation and related activity in the world in the hope of facilitating the international exchange of goods and services and of helping develop international co-operation in the spheres of intellectual, scientific, technological and economic activity.
The word standard, in the context of the ISO, refers to documented agreements containing technical specifications or other criteria to be used consistently as rules or guidelines. Application of the standards is intended to ensure consistency in materials, products, processes and services used or produced.
An interesting fact is that while ISO is commonly thought to be an acronym for International Organization for Standardisation, the organization advises that it is a word derived from the Greek word Isos, which means, equal. It was thought that this word would connote the standardisation mission of the organization and denote the name of the organisation. As you explore this note, you can decide whether you agree that their choice of ISO was appropriate.
W. Edwards Deming was one of the pioneers in arguing that the most rational approach to product and service quality assurance was to standardise and incrementally improve production processes, rather than to rely solely on inspection of output. His research concluded that the majority of quality problems exist in processes rather than being the fault of the workforce. His philosophy was that quality had to be built into the production processes in order to reduce quality problems at the end-user level. Demings work in post-war Japan underpins the notion of incremental improvement that pervades that countrys approach to business, especially in manufacturing .
Previous to Demings work, there were other efforts to establish standards, such as the International Electrotechnical Commission (IEC), which began in 1906. It set standards to be used in the electronics field. This initiative was followed by work done by the International Federation of National Standardising Associations (ISA), which was founded in 1926. The ISA emphasised mechanical engineering processes of the time until, in 1942, the activities of the ISA ceased due to World War II. It remained dormant until a 1946 meeting in London, England, at which time the regulators from 25 countries decided to create a new international organization with the objective of facilitating the international co-ordination and unification of industrial standards. From the organisational work that followed the 1946 meeting, the ISO was officially formed, on February 23, 1947 .
The first ISO standard, entitled Standard Reference Temperature for Industrial Length Measurement was published in 1951. From this start, many standards followed. These were initially highly specific and used primarily by engineers or other technical specialists. The first of the management system standards was ISO 9000, introduced in 1987.
ISO 9000 was developed under a technical committee called ISO/TC 176, on which there are currently more than 50 participating countries, with about 20 other observers. The committee representatives are drawn from business, government and other interested organizations. It may interest the readers to know that Canada, under the Standards Council of Canada, is the current chair of the technical committee.
Currently there are over 300,000 ISO 9000 registrations worldwide.
3 Need for Standards
Trade barriers occur when different countries develop different standards for similar technology. As economies became more interdependent, it became obvious that standards accepted worldwide would facilitate trade. This motivation led to establishment of the ISO and its predecessors. A stated aim of the ISO, through its implementation of standards, is to facilitate the transfer of trade, exchange and technology through:
While the focus of this note is on ISO 9000, many other ISO standards have been established including standards for:
- Enhanced product quality and reliability at a reasonable price.
- Improved work environment and environmental protection and reduction of waste.
- Greater compatibility and inter-operability of goods and services.
- Simplification for improved usability.
- Reduction in the number of models and thus reduction in costs.
- Increased distribution efficiency and ease of maintenance.
The ISO 9000 family of standards was chosen because of its focus on management systems. Globalization of business has led to sourcing on a worldwide basis in many industries and in an increasing number of industries. When there is international consensus within an industry to adhere to standards, companies have greater assurance that suppliers will be able to incrementally lower costs, at least on a relative basis, deliver with greater reliability and provide required quality, consistently.
- Film speed codes
- Telephone cards
- Banking cards
- Internationally standardised freight containers
- Universal system of measurement
- Paper sizes
- Metric screw threads
- International codes for country names, currencies and languages
4 Management Systems Registrations
There are many standards systems administered by various organizations, any of which would provide an extremely interesting basis for discussion. This note, however, will focus on management system registrations to ISO 9000 standards. These are known as generic management system standards. (See Exhibit 1 and Exhibit 2.)
A common misconception is that ISO registration assures the level of product quality. In other words, many people believe that if two companies produce the same product and each company is ISO registered, the product quality is the same. This may not, and likely will not, be true. Under the management standards of ISO 9000, it is standardisation of processes within and across the firm that is the objective. The focus is on standardising processes to ensure that the specific companys customers consistently receive an acceptably high quality product or service. It is therefore perfectly appropriate to have two ISO 9000 registered firms produce similar products, but have one firm produce the product at a much higher level of quality than the other, as long as the products or services both produce or provide are acceptable to their own clients. Again, success of ISO registration hinges on two key outcomes. One is that the firm produces products or services of acceptable quality to their clients. The second is that the processes utilized deliver those products or services at a consistent quality level.
While in the past, it has not been the objective under ISO 9000 to standardise a firms processes with some benchmark industry best practice, future versions of the standard will address this. There is a new telecommunication standard, TL9000, which uses such benchmarking practice as is ISO 9000 when revisions are completed. The registration of an organization indicates that the company has documented process procedures and records in place and that because of documentation and regular audit of records, those procedures should be consistently applied and the result should be a product or service of a consistent quality.
A related misconception is that ISO standards can be applied only to firms that produce products. In fact, they are as applicable to firms in the service sector.
The approach to developing the management system standards, based on the work of Edwards Deming, focuses on the way the organization goes about its work, the processes. The standards define how the organization undertakes its various processes. Consistent application and audit is expected to lead to incrementally improving product or service quality. Exhibit 2 attempts to summarise the objectives of the ISO 9000 process.
5 ISO 9000
ISO 9000 registration includes standards dealing with specific applications, consistent with other ISO registrations. The first group of management system registration standards developed by ISO, called ISO 9000, includes standards 9001, 9002 and 9003. These are primarily concerned with quality management and they address the procedures the organization undertakes to ensure that its products or services conform to the customers requirements.
The 9000 standard and the 9004 guidelines are used for interpreting the various 9000 standards. ISO 9000 is entitled Quality Management and Quality Assurance Standards. It establishes the starting point for understanding and selecting the standards appropriate to the companys needs. Under ISO 9004, entitled Quality Management and Quality System Elements, guidance for implementation of a quality system is provided, so that it will satisfy the companys customer needs and so that it will comply with the other standards, 9001, 9002 and 9003.
The standards of ISO 9000 are the actual standards that a company can be registered under. Note that a company is registered to only one of the ISO 9000 standards: 9001, 9002 or 9003.
ISO 9003 brings up the issue of supplier standards. In most cases, evidence of ISO registration by the supplier, eliminates the need for a purchaser to perform an audit of a supplier. If they are not registered, most vendors are not required to submit to an audit to verify consistency of their product. For the most part, confirmation of acceptable supplier standards usually entails an assessment of the goods ordered and the timeliness of the delivery.
- The ISO 9001 standard covers design and development, production, installation and service by an organization. This is the most encompassing of the ISO 9000 standards. Companies engaged in the design and redesign of products or services and those that provide service and support of products primarily use it. This standard is used when a company wishes to demonstrate process consistency in the design and development of products or services, as well as in production, installation and servicing. (See Exhibit 1)
- The ISO 9002 standard covers all elements of ISO 9001 except for the design and development and service. Companies that manufacture and install products that are designed by other companies are the primary users of this standard. This standard is used when the company wishes to demonstrate process consistency in production, installation and servicing.
- The ISO 9003 standard is the standard least commonly used. It covers only final inspection and test activities. Companies that select, test and represent to its customers, products that are designed and manufactured by others, use this standard. This standard is used when a company only wishes to demonstrate process consistency to control the product or service by final inspection and test.
6 Registration Process
There are several steps that a company typically completes in order to attain registration to one of the ISO 9000 standards. We have chosen to summarise them under the headings below.
The total time period from the decision to proceed to successful registration is usually 12 to 18 months. Development costs of ISO 9000 quality systems can range from $25,000 to $100,000 depending on the quality system selected and the size and complexity of the organization.
6.1 Step 1 The Executive Decision
The first step for most companies is to have its executive make the decision to achieve registration to an ISO standard. The question then becomes, Why does a company choose to register?
The answer most often cited is to gain competitive advantage. Many large manufacturers, led in the early 1980s by the auto industry, began demanding that suppliers provide external assurance of their quality standards. Much of the incentive for this was a desire to improve product quality and reduce costs to counter market share gains made by foreign, especially Japanese, automobile manufacturers. This practice quickly spread to other industries, giving firms that were registered to ISO standard, or other quality management standards, an advantage in winning contracts with significant customers.
While competitive advantage in sales is an understandable motivation, reflection on the objectives of the ISO standards themselves provides what is perhaps a more significant reason. The real meaning of the ISO registration is confirmation that the firm has documented its processes and confirmation that those processes are used consistently throughout the firm. The goal of ISO is, however, consistent with Deming philosophies, to have the firm continually audit and incrementally improve the processes in order to continually improve the quality and the consistency of quality of the firms output and to ensure that the firms customers are satisfied. This notion of consistency, incremental improvement and customer satisfaction may be the more compelling justification for a firm pursuing registration. In the end, gains should be realized in the firms cost structure as efficiency improves. That in turn should to lead to competitive advantage in the market.
6.2 Step 2 Engage the Consultant or Assign Internal Staff
Once the companys executive has made the decision to attain registration, many companies elect to engage a systems consultant. This is not, however, mandatory. The alternative is to assign to internal staff the responsibility of managing the preparation phase of putting into place procedures and documents that are needed for registration. The trade-off is, of course, the cost of the consultant versus the opportunity cost of re-deploying one or more staff members.
When a consultant is to be engaged to put in place those procedures and documents needed to attain registration, it is typically done on a bid basis. These consultants are expected to be thoroughly knowledgeable of the requirements for registration. This can be a weakness in the registration process, however, because while many consultants are professionals such as accountants or engineers, and as such are governed by their respective professional associations, no regulations or governing body are currently in place to specifically regulate the activity of these consultants. True, incompetent consultants will likely go out of business in the long run; nonetheless, numerous firms may be harmed while they continue to operate.
The first decision for the firm preparing for ISO audit is to determine the appropriate ISO standards model (9001, 9002 or 9003) to which the firm should register. See Exhibit 1 for a listing of the standards under ISO 9001. Selection of the appropriate standard is made with the guidance of ISO 9000, Quality Management and Quality Assurance Standards - Guidelines for Selection and Use.
Once the appropriate standard is established, the firm catalogues existing policies and procedures in a manual that will serve as a process baseline reference. ISO 9004 is used as a guide by providing the elements necessary to develop a quality management system. The time required to complete this step in the registration process will depend on the ISO standard chosen, the size of the business and the complexity of its management systems.
6.3 Step 3 Implement Standard Policies Throughout the Firm and Internally Audit for Consistency
The third step in the process to registration is to ensure that all documented procedures outlined in the manual are correct and complete. All staff should be trained to ensure that procedures are being followed consistently across the firm. This step can take between three and nine months, again depending on the complexity of the firm.
Internal audit is used to verify that processes are operating consistent with the documented procedures. The audit can verify implementation progressively as the various procedures are put into place, or it can be completed once the organization is satisfied that processes have been implemented and are operating consistent with the documented procedures. The audit examines each of the elements included in the standard selected and using sampling techniques, tests are applied to ensure that the documented procedures are being consistently implemented.
The firm can augment the internal audit with contracted external audit that can be conducted by a consultant or a registrar. These audits, called gap analysis, are performed prior to the registration audit. They are similar to advanced opinions.
6.4 Step 4 Management Approval, Contracting of Registrar and Assessment
Once the firms management is satisfied that documented procedures are being consistently implemented, a call for bids is made to contract a Registrar. These firms perform the external auditing function and issue the actual ISO registration.
Registrars operate under one of the accreditation boards, such as the Registrar Accreditation Board in the U.S. and the Standards Council of Canada. As an example, one registrar, Deloitte & Touche Quality Registrar Inc., is registered under the Registrar Accreditation Board (RAB) and the Standards Council of Canada. The RAB periodically audits Deloitte & Touche LLP to ensure proper auditing procedures and adherence to ISO standards, such as the defined standard hours to complete a typical registration. These are mandated in an ISO document, guide 62. In addition, there is a requirement that auditors have industry expertise and for the Registrar to have the specific NACE codes for the area or business they are auditing.
Once selected, the registrar may be asked to perform a document review, possibly followed by an optional pre-assessment or they will be asked to complete the full assessment of the organisation. There are four possible outcomes to a full assessment: .
2. Approved with opportunities for improvement
3. Approved with minor items of non-conformance (4 or 5 minor items of
non-conformance, all focused in one area, constitutes a major item of
4. Declined due to major items of non-conformance (any item of major
non-conformance requires decline of registration)
The pre-assessment will obviously add to the total assessment cost, but if sufficient deficiencies exist, the pre-assessment can avoid the cost of a failed full assessment. A firm declined after full assessment and still wishing to attain registration would, as a minimum, be required to correct the items of non-conformance and resubmit to a review of the corrective action put in place to eliminate the original non-conformance.
The firms management system can be characterised as having four levels, with each level built on the preceding one.
Level 1. Policy
Covering the responsibility of management and the goal of the quality system for the particular organization
Level 2. Procedures
Covering all aspects of the organization included in the elements of the standard
Level 3. Work Instructions
Which directly references the procedures documented in Level 2 and specifies how the related tasks are to be completed
Level 4. Work Records
Show that procedures are being properly followed through the Work Instructions (the audit trail)
There are few outright declines in registration, which is as expected, particularly where a firm opts to engage a consultant to help prepare for registration. While there may not be control of the consulting groups, as mentioned under Step 2 of the registration process, failure of client firms to attain registration would quickly destroy a consultants ability to attract clients.
Once attained, ISO registration is effective for a period of three years, after which the firm must undergo another full assessment.
6.5 Step 5 The Post-Registration Requirements
Once registered, the company must continue to undertake internal audits and maintain a management review. This process is intended to ensure that the management system is being maintained.
External audits are conducted at least each year by the original registrar, under the original engagement contract, for the three years the registration is effective. These audits are to reconfirm company compliance to the ISO standards and to gauge the management system effectiveness to the appropriate ISO 9000 standard. If non-conformances are not corrected, registration can be withdrawn. At the end of the second year of the registrars contract, the firm may again calls for bids from registrars or they may decide to re-engage their existing registrar to complete the re-registration assessment at the end of three years and to conduct external audits for the following three year period.
7 The Future
Given the history of the development of ISO cited earlier in the note, the reader might have developed an impression that there is some instability in the standards organization. There is no concern about the survival of ISO given its current wide membership, but its structure is a voluntary federation of national standards organisations and as such, its future can never be taken for granted. The basic work that it now undertakes, however, has proceeded throughout this century under various structures and, whether under the ISO or under some reformation, standards development can be expected to continue. This is particularly likely with todays trend toward increasing globalisation
But how does ISO intend to keep relevant in the dynamic markets, industries and economies of today? A key ISO policy with respect to ISO 9000 has been to revise their standards every five years. This is done to ensure that the standards do not become irrelevant. Under the revisions now moving toward adoption, there is an effort to merge ISO 9001, 9002 and 9003 into a single requirements model called ISO 9001:2000, Quality management systems Requirements. This is undertaken based on a belief that there has been a proliferation of standards over the past ten years with the result, increased confusion over the meaning of the standards. To accomplish this merging of standards, the new standards will be more generic than the current ones. It is not clear that this objective can be accomplished and if the more generic standard is insufficient to satisfy users, there may well be the need to publish additional standards.
There is also an increase in the emphasis placed on demonstrated quality improvement in the management system, in the current draft standards ISO 9000, 9004 and 9001:2000. This is to be driven by internal analysis of the metrics against the goals and objectives of the organization. Also, the 2000 standard emphasizes a process driven approach to the design of the system. This will move ISO 9000 closer to Demings original philosophies of incremental improvement and it should increase the currencyof the ISO 9000 registration.
International Organisation for Standardisation
World Certification Services, Ltd.
Standards Council of Canada
Canadian Environmental Auditing Association (ISO 14000)
Information Technology Industry Council
This note was prepared in May 2000. ISO standards are periodically updated and as such, specific detail in the note will become obsolete over time. Reference should be made to ISO published documents if updated standards are critical to the readers task. These can be purchased, online, from the ISO home page, as well as from other vendors.