Saturday, February 5, 2011

ISO 9001 Standards & ISO 14001 Standards

In order to assist organizations to have a full understanding of the new ISO 9001:2008, it may be useful to have an insight on the revision process, how this revision reflects the inputs received from users of the standard, and the consideration given to benefits and impacts during its development.

Prior to the commencement of a revision (or amendment) to a management system standard, ISO/Guide 72:2001 Guidelines for the justification and development of management system standards recommends that a “Justification Study” be prepared to present a case for the proposed project and that it outline details of the data and inputs used to support its arguments. In relation to the development of ISO 9001:2008, user needs were identified from the following:

-the results of a formal “Systematic Review” on ISO 9001:2000 that was performed by the members of ISO/TC 176/SC2 during 2003-2004
-feedback from the ISO/TC 176/Working Group on “Interpretations”
-the results of an extensive worldwide “User Feedback Survey on ISO 9001 and

The Justification Study identified the need for an amendment, provided that the impact on users would be limited and that changes would only be introduced when there were clear benefits to users.

The key focuses of the ISO 9001:2008 amendment were to enhance the clarity of ISO 9001:2000 and to enhance its compatibility with ISO 14001:2004.

A tool for assessing the impacts versus benefits for proposed changes was created to assist the drafters of the amendment in deciding which changes should be included, and to assist in the verification of drafts against the identified user needs. The following decision making principles were applied:

1) No changes with high impact would be incorporated into the standard;

2) Changes with medium impact would only be incorporated when they provided a correspondingly medium or high benefit to users of the standard;

3) Even where a change was low impact, it had to be justified by the benefits it delivered to users, before being incorporated.

The changes incorporated in this ISO 9001:2008 edition were classified in terms of impact into the following categories:

-No changes or minimum changes on user documents, including records

-No changes or minimum changes to existing processes of the organization

-No additional training required or minimal training required

-No effects on current certifications

The benefits identified for the ISO 9001:2008 edition fall into the following categories:

-Provides clarity

-Increases compatibility with ISO 14001.

-Maintains consistency with ISO 9000 family of standards.

-Improves translatability.

Audit Of Electronic Documents In ISO 9001 Standards

Electronic documents that establish management system policies and procedures can be in a variety of file formats depending on the software applications that are utilized by the organization to generate the documents. Electronic file formats include Text, HTML, PDF, etc. Spreadsheet and database formats are also considered to be electronic “documents” subject to the control elements of the management system being audited.

Given the relative ease with which users can now create electronic spreadsheets and other electronic documents, auditors (either internal or external) should ensure that policies governing the controls that apply to management system documentation in general are also employed for electronic documents through appropriate procedures.

Organizations need to employ suitable and effective methods within the electronic environment for ensuring the adequate review, approval, publication and distribution of their management system documentation. These should be consistent with the methods for the development and modification of electronic documents.

In many cases document control measures may also be standard features of software applications used for their creation. Therefore auditors should understand these application-specific controls to the degree that these are utilized as a basis for conformance to the applicable management system standard.

Given the increased capacity to modify, update, reformat and otherwise improve documents within an electronic-based management system, auditors should pay particular attention to control elements such as document identification and document revision level.

As electronic media facilitate an increased rate of document modifications, auditors should verify that the controls being employed for the management of obsolete documents are considered within the organization’s document control policies and procedures.

Auditors should verify that electronic-based documentation exists to provide orientation to users with regard to the functional and control aspects associated with electronic documents. Additionally, “Point-of-use” requirements associated with the applicable management system standards will typically be addressed in part by the organization’s document access policies. Auditors should understand the organization’s policies and procedures regarding user privileges as these become important factors for properly realizing the organization’s processes.

External electronic communication with suppliers, customers and other interested parties may involve the exchange of documents. Given that these external documents may contain key parameters that specify the functioning of the organization’s processes, auditors should verify the degree to which these documents are formally introduced and controlled within the electronic-based management system.

How To Prepare ISO 9001 Standards Audit Check List

There are a few steps to prepare an ISO 9001 Standards Check List, namely:

1. Apply the concept of Plan Do Check Act (PDCA). This PDCA concept is applied at the Quality Management System and the process levels.

2. Convert the question to a requirement raised by the QMR or the QMS Committee, which is derived from the ISO 9001 standards. In this case, several questions can lead to one single requirement.

3. Edit those questions to suit the process that is to be audited. For example, you are going to audit the Purchasing/Procurement Department and you’re sitting down with the Audit Team trying to come up with relevant questions.

The main objective in auditing any process is to extract adequate information and evidence in order to verify that the process is conformant to the ISO 9001 requirements and that it is effective in achieving its objectives. As an auditor, you need to be able to investigate, assess and verify the conformity and effectiveness of a given process, in terms of its planning, implementation, monitoring & measurement and improvement. As a Lead Auditor, preparing your Audit Team for the actual audit is crucial in ensuring the success of the audit exercise. There is no better way to do that than by developing the audit questions with them.

ISO 9001 Standards – Risks and opportunities

The first things to consider when we want to change a people intensive process are:
• What do the people involved fear? These are the risks – things that we must prevent.
• What do people hope for? These are the opportunities – things that we must strive to obtain.
In order to better understand risks and opportunities, we used a two-step approach. We started by interviewing two developers and one manager. The interviews were semi-structured in that we had a set of questions that we needed answers to but in addition, we used follow-up questions to gain a better understanding of the answers to the predefined questions. The focus of the interview was on what they expected would happen if the company implemented an ISO 9001 certified process. Two typical examples of what came out of the interviews are shown below – one from a developer and one from a manager.
Manager: Implementing ISO 9001 will cost quite a lot. At the same time, the company will get a better overview of its competence, its experience and its document templates. ISO certification is an investment. We are, however, unsure of how long we have to wait before we can reap the benefits.
Developer: Some of the developers may have a negative attitude towards ISO certification because they are afraid it will hurt creativity. This is not only true for ISO 9001 standards but holds also for coding standards and other rules and regulations. Rules and standards can take away all the fun from the job. In many ways this is the same attitude as we saw when we started to reuse components – many developers were afraid that they would not be allowed to develop things but just had to use “toy bricks”.
After the interviews we found that:
A. Everybody in the company – both managers and developers – filled in the questionnaire.
The items in the questionnaire that got an average score of 5.0 or more were considered for risk and opportunity analysis. This gave us the following items:
• When we get ISO certified, we will have to generate more documents for each development project.
• It is important that all employees participate actively in the introduction of new processes, standards and procedures. This is consistent with e.g. Trittmann et al’s observation
• Active management participation is important in order to make the introduction of an ISO certified process a success.
• Active management support is important in order to make the introduction of ISO certification a success.
• An ISO certified process will lead to better working practices in the company in general.
Based on our findings, we identified the following risks that needed to be controlled throughout the implementation of the ISO 9001 certified process:
Risk 1: The introduction of new documents or additions to existing documents.
We decided that we should not make new documents except if absolutely needed.
Risk 2: Developer participation. The developers must be included at all steps in the process. Their experiences and advice are important input to the new processes and procedures.
Risk 3: Management participation and support. Management must show their commitment by allocating money and time to the ISO implementation activities.
Opportunity 1: Better working practices. The changes in the development process must be considered to be improvements by the developers.
Management and developers are in agreement in the sense that everything the developers found important also was ranked high by management. There were, however, some cases where the two groups disagreed strongly – average score difference greater than 2.0. In all cases, management ranked these items higher than the developers.
The points are:
• Introducing an ISO certified process will cost a lot but will be a good investment – developers 3.3 vs. managers 6.0
• Introducing an ISO certified process will give the company a better control over the order situation – developers 3.0 vs. managers 6.0
• Introducing an ISO certified process will give us more satisfied customers already after one year – developers 3.2 vs. managers 6.0
Management is more optimistic than the developers when it comes to business related issues such as order situation and customer satisfaction.

Extreme Programming For ICT In ISO 9001 Standards

Extreme Programming represents a new wave in software development known as the approach. Tom de Marco, the father of structural analysis, calls Extreme Programming the most important movement in software engineering. The strong points of Extreme Programming in the ICT context are as follows:
– Risk minimization. ICT is developing very fast. To catch up with current developments it is necessary to make investments in new technologies and try new tools out. On the other hand, new tools and technologies are immature and one cannot depend on them. The best approach is to make some (preferably small) investment now and after some time invest more or give up, depending on the developments (it is like buying an option on the stock exchange). Extreme Programming is based on incremental software development and it suits the strategy very well.
– Customer orientation. In Extreme Programming all the business decisions are made by the customer and he has the full control over the development process.
– Lack of excessive paperwork. In Extreme Programming programmers concentrate on programming, not on writing documentation. The only artifacts they have to produce are test cases and code.
– Quality assurance through intensive testing. In XP programmers first create test cases then they write code. Automated tests and integration are performed several times a day and they drive the development process.
– Lack of overtime. Short releases and increments allow experience to be gained very fast. This makes planning easier and more dependable. As a result, programmers do not have to (always) work overtime.
Extreme Programming also has weak points. The most important are problems with software maintenance.
Since the only artifacts are test cases and code, after some time it can be very difficult to maintain the software. This would also be a problem from the ISO 9001 point of view. In the remaining part of the paper we propose how to solve that problem.