What is ISO 9001 and Should I Care?
Service Detail from DNV GL - Business Assurance North America
What is ISO 9001 and Should I Care?
The Role of Standards
The objective of any standard, whether it relates to the manufacture of cars, airplanes, machinery, or the delivery of a service – transportation, hospitals, etc. – is the same. Standards are designed to promote, facilitate and enable consistency in a process or product; to provide assurance that the process or product output will meet requirements; to provide a uniform and predictable output every time a set of procedures are executed. Because standards assist buyers and consumers in establishing confidence levels in the products and services they procure, standards facilitate fair trade practices.
The ISO 9000 series of standards
ISO 9000 consists of a series of Quality Management System standards that are designed to facilitate the establishment of business processes aiming to ensure that customer requirements are met or exceeded. They can be applied in any manufacturing industry or service sector. The series consists of three quality system standards: ISO 9000, ISO 9001 and ISO 9004. If a company chooses to adopt the standards, ISO 9001 is the document which contains the "requirements" that the company must meet in order to attain a certificate of compliance, should they choose to demonstrate conformance.
The ISO 9000 series of standards is one of more than 16,000 different standards which are maintained by the International Organization for Standardization in Geneva, Switzerland. The reference to "ISO" comes from the Greek word "isos" meaning equal or the same. The concept is one of consistency, predictability and repeatability of processes.
Evolution of the ISO 9000 series of standards
The ISO 9001 standard has evolved from the best practices of many different international standards. Perhaps the most notable are BS 5750 (UK) and MIL-Q-9858 (a former U.S. military standard). The ISO 9000 standards were first released in 1987, revised in 1994, and again in December 2000 and October 2008. This review and revision cycle will continue approximately every five years.
The December 2000 revision included some significant changes in the structure and content of the standards, which have been carried over in the 4th Edition (2008) document. The former ISO 9002 and ISO 9003 have been made obsolete. The only auditable and certifiable standard is ISO 9001.
The standards are revised through review and revision recommendations made by ISO member countries or national bodies. There are approximately 140 member countries and national bodies. Each member, through its committees and subcommittees, provides input on suggested changes to the standards back through a hierarchy to ISO's headquarters in Geneva, Switzerland. The ISO Technical Committee responsible for the ISO 9000 series is the TC 176. For more information on the work of the TC 176, please visit www.tc176.org.
Why should an organization implement ISO 9001
Without satisfied customers, an organization's future is at risk! To keep customers satisfied, the organization needs to meet and/or exceed their requirements. The ISO 9001 standard provides a universally recognized, tried and tested framework for taking a systematic approach to managing the organization's processes, so that they consistently turn out product that satisfies customers' expectations.
The 5 main clauses of ISO 9001:2008
• Quality Management System
• Management Responsibility
• Resource Management
• Product Realization
• Measurement, Analysis and Improvement
Application of the standards
The standards are not designed to tell you how to run your business, but rather to allow you to be compliant with the standard in a manner that best suits the way you decide to run your business. There are some "shalls" which are non-negotiable requirements if you wish to be certified by an independent certification body, also known as registrars. ISO 9001 also allows for some of its requirements not to be applied in case such business processes are not the responsibility of the organization. For example, if an organization is not involved with the design of the products they assemble, they can claim an exclusion of the requirements contained in ISO 9001 for product design and development, and still be considered in compliance with the Standard.
Relative positioning of ISO 9000
On a scale of "no formal quality management system" on the left, to "world-class operations" on the right, an ISO 9001 compliant system is something of a midpoint. Certification to ISO 9001 is not a panacea for the troubles of industry. It is not a replacement for sound business strategies and management. It is not a solution to a weak business environment or a struggling economy. Conformance to ISO 9001 is the basis for building a sound quality system. It is an infrastructure that will facilitate improvements in processes and increases in the effectiveness and efficiency of the system. If certification to ISO 9001 is in your plans, it should be viewed as a journey and not a destination. It should be the platform on which to build operations and continual improvement towards a world class system.
Industry specific variations of ISO 9000
A number of different industry sectors have adopted ISO 9001, added supplemental requirements which are specific to their own industry, and modified the title of the standard. The most notable of these are:
• ISO/TS 16949 - Automotive
• AS9100, 9110 and 9120 - Aerospace
• ISO 13485 - Medical Devices
• TL 9000 - Telecommunications
In addition, the healthcare sector has developed IWA 1 – this is a guidance document, based on ISO 9004 on the application of ISO 9004 in Healthcare. IWA 2 is a guidance on the application of ISO 9001 in education and IWA 4 is a document which provides guidelines for the application of ISO 9001 in local government. It is likely that other industry sector specific schemes will be developed in the future.
ISO 14001 is a standard designed to address Environmental Management Systems. ISO 9001 and ISO 14001 are developed to make them very compatible and to facilitate implementation in an integrated manner.
Acceptance of the standards
The ISO 9000 series of standards has been accepted and adopted throughout the world. We approach an estimated 1 million certificates issued in more than 154 countries. Europe now exceeds 400,000 certificates with more than 35,000 in the UK alone. There are currently more than 35,000 certificates in the U.S., 7,000 in Canada and approximately 4,000 in Mexico. It is estimated that an additional 20,000 companies in North America are actively in the process of implementing an ISO 9001 compliant management system.
Should ISO 9001 certification be in my plans?
There are costs associated with implementing an ISO 9001 compliant quality management system. If companies are to make this investment, then it is important that they are able to derive a benefit and a return on that investment.
In the late 1980's the European Union adopted the ISO 9000 series of standards. Contracts and requests for quotations were issued to potential North American suppliers from these European countries. In many instances, in order to be able to bid on one of these contracts, the supplier had to be able to demonstrate that they were either ISO 9000 certified or in the process of implementing an ISO 9000 system. These companies were the early adopters of ISO 9000 certification. Today, however, most of the North American companies that choose to be certified have little or no interest in exporting – there are other driving forces.
There are three reasons to consider ISO 9001 certification:
1. For the value of an ISO 9001 compliant system to improve processes and increase the productivity and effectiveness of the system. These attributes can, in turn, result in reduced scrap and rework, and therefore increase profitability, and increase customer satisfaction.
So how do you determine if certification will have value for you and your company? The key is to benefit from those who have already gone through the certification process. Most companies that have become certified are usually proud of their achievement and happy to share their experience with others. Lists of certified companies are available from the registrars or certifying bodies. By selecting companies who are in similar businesses to yours (your direct competitors are probably not going to share much information with you!) and asking them a few pertinent questions, you can get a pretty good feel for the value of certification to these companies.
Questions like: What have been the benefits of certification? Have you measured these benefits and expressed them in dollars – i.e. return on investment? What was the single biggest barrier to certification? What would you do differently if you had to do this over again? How much did it cost and how long did it take?
2. From a sales and marketing point of view, would certification make a difference? With a similar price, product or service to your competitors, would ISO 9000 certification make a difference in your customers' decision process in selecting a supplier? Does certification represent a means of differentiating you from your competition? Are you losing business because your competitors are already certified?
Talk to your sales and marketing personnel, get answers to these questions on a regular basis – things change. Talk to your major customers and find out if ISO 9000 certification has value to them.
3. Are one or more of your largest customers likely to require that you have ISO 9000 certification in order to continue to be a preferred supplier, or worse, require certification to even be allowed to bid on contracts?
Ford, GM, and Daimler-Chrysler and other automobile manufacturers gave their first tier suppliers of automotive parts no option – they had to be certified to ISO/TS 16949 in order to continue doing business with them. Similarly, most of the Aerospace supply chain is operating under the mandate of attaining and maintaining certification to AS9100, as a requirement to do business with aircraft manufacturers and major defense contractors.
How long does it take and how much will it cost?
The answers to these three questions should provide you with a strong basis to be able to make an informed decision as to whether ISO 9000 should be in your company's plans. One thing is key if, based on the answers to the above questions, you make a determination that ISO 9000 should be in your company's future, put plans in place to do it at your speed, not someone else's. Do not wait until your best customers give you an "or else" ultimatum requiring you to be certified in six or nine months in order to continue to do business with them.
The certification process
The basic steps to certification involve a review by an external company – the ISO 9000 certification body or registrar. These typically include a documentation (quality manual) review, an on-site pre-assessment or readiness review, now known as stage 1 audit and an on-site certification (stage 2) assessment. The onsite assessment is basically to verify, through objective evidence, that the documented system is implemented, effective and meets the requirements of the ISO 9001 standard.
The length of time necessary to implement an ISO 9001 compliant system is a function of the size of the company, the number of employees, the complexity of the processes, the maturity of the organization and the degree to which the existing system meets the requirements of the standard. A typical time line for implementation would be six to eighteen months. Certification costs, that is those fees paid to the registrar, are typically small compared to the internal costs of implementation. The fees are generally driven by the number of audit days required to verify compliance, which in turn depends upon the number of employees, as well as the quantity and complexity of the processes. Most registrars will provide a no obligation quotation on request.
Selecting a Registrar
If you are planning on becoming certified to ISO 9001, ISO/TS 16949, ISO 14001, or any accredited management system scheme, the selection of your certifying body is an important decision. Do not underestimate the importance of a careful evaluation before selecting your registrar. A poor decision might have a significant impact to your organization.
Your choice of registrar is a relationship that will be in place for a long time. That is why it is so important that your choice is one which will provide you with a partnership approach to certification, provide you with value-added services, and result in a certification which is recognized and accepted by your customers and prospects.
In the ISO 9000 market place there are more than 70 registrars in North America offering certification services. It is an unregulated market – that is anybody can set themselves up as a certification body, perform audits and issue certificates. It is very much a "buyer beware" market place. So how do you go about making an informed decision when selecting your registrar?
The "rules" that registrars operate under are largely governed by the accreditation bodies. Most of the countries that have adopted the ISO 9000 series of standards have their own national accreditation body.
In the U.S., that body is the ANSIASQ National Accreditation Board (ANAB). Accreditation is an important attribute when selecting a registrar and a key factor in making your initial "short list" of candidates. In order to become "accredited", a registrar has to undergo a rigorous audit and review process against the ISO/IEC 17021 standard and additional requirements. Very similar to ISO 9000 certification process, in order to maintain their accreditation, they are subject to on-going surveillance or periodic audits. But not all accredited registrars are created equally. There are considerable differences among them.
Interpretation of the standards and overall philosophy
There are variances in how registrars interpret the standards, their general audit philosophy – are they auditing to the letter of the standard, or do they adopt a more pragmatic approach of auditing to the intent of the standard?
What kind of customer service response can you expect? What is their track record on customer satisfaction? What experience do they have in your industry sector– how many certificates have they issued to businesses like yours?
These questions are best answered by talking to clients who have selected and have become certified by the registrar you are considering. Reference accounts are fine but are generally selected or pre-screened by the registrar. A more effective and potentially unbiased approach is for you to make the customer selection yourself. If a registrar is accredited they are obligated to produce and maintain a list of all companies that they have certified. Pick six or seven companies.
Select companies that are either in similar businesses to yours, geographically close to you, or just pick companies whose judgment you trust. Call these companies and ask the challenging questions – "What was your experience with XYZ registrar? What impressed you most about the company? What did you like least about your dealings with them? Would you recommend them to others?"
If you ask these questions of six or seven companies, you will get a good picture of the overall character and philosophy of the registrar.
Money is important to most of us as individuals, as employees and as managers and owners of businesses. Most of the major registrars have an overall cost of certification, which is very similar. Auditor day rate might appear to be a convenient indicator to compare registrar costs, but it will not give you the basis for an apples-toapples comparison.
An important thing to keep in mind is that registrars have many different ways of actually structuring their quotations. Some registrars have application, listing and administration fees, adders to travel expenses, cancellation and deferment fees. There are almost as many pricing schemes as there are registrars. How they price is not nearly as important as the overall cost for certification. Having said that, keep a look out for cancellation and deferment charges, which can be particularly unfriendly.
Irrespective of how a quotation is structured, the important thing is that you are able to determine the exact "cost-of-ownership." Most registrars will have certificates which are valid for three years. However the pricing is structured, ask for quotations in a format that will allow you to determine the full costs for a three-year period, which is the typical certification cycle. That way you can make an apples-to-apples comparison.
People Factors and Price
When making a registrar selection, price is important but should not be your primary selection criteria. If you make a decision based solely on price, you are probably making a decision that you may regret later. Certification is a free market service. If a registrar is unaccredited, there are no rules or requirements for auditor training and qualifications, industry experience, the methodology for the certification process and more. Compliance with accreditation requirements costs money but has value to you as a customer.
Look for registrars that offer "value added" services beyond the structured certification process, such as: your company's listing on their web site, electronic access to your audit reports and audit schedule.
The external fees you will pay to registrars for certification are small compared to money you will have invested internally in putting your system in place. Most estimates will agree that the internal costs are at least 10 times the costs that you will pay the registrar. Having made the commitment and investment to implement a compliant system, keep cost in mind when making your registrar selection but make sure that you take into account the other important factors.
Most registrars who are accredited have very similar "technical" competencies because these competencies are defined and are requirements of the accreditation bodies. Some registrars will have the right philosophical approach described above and most will be about the same price range.
All these things being equal, how do you make an informed decision? The registration process is a "people" business. Outside of the certificate itself, there is no physical product. The "product" consists of a series of interfaces from initial requests for information, requests for quotations, answers to questions, visits and presentations.
Ask yourself the following questions about your initial experiences when dealing with a potential registrar. They will give a good indication where the registrar is on the "people factor" scale:
- What was and has been the response to your requests?
- Were the responses timely?
- What was the general attitude of the people you had to deal with?
- Do they really act like they would want and work to keep your business?
- Are these the kind of people that you would look forward to having a long term business relationship with?
© 2009 Det Norske Veritas, All rights reserved. Any reproduction of this information in part or in whole is prohibited without written consent of the publisher, Det Norske Veritas (DNV).
The information contained in this reference material is distributed as a guide only; it has been compiled from sources believed to be reliable and to represent the best current opinion on the subject. No warranty, guarantee or representation is made by DNV, as to the absolute correctness or sufficiency of any representation contained in this reference material.