Quality 101
Learns from ISO 9001:2015
Having conducted well over 700 audits, I've noticed some patterns.
By Roderick A Munro
March 29, 2023
When the ISO 9001:2015 first was released, I started looking at how this new standard was going to impact
industries. I had been a full time auditor for about two years with one of the old time registrars and I was eager
to see how the new standards for both the ISO 9001 and ISO 14001 would affect companies. Now approaching
10 years and a senior lead management system audit and having conducted well over 700 audits, there are some
patterns that have developed that are interesting to note.
One of the early ways I updated myself on the new standard was an ASQ TV webinar offered by Mark Ames
(AQS Management systems). He was talking about the concept of “risk” being added into the new standard, and
commented about the number of times the words “as necessary” or “as appropriate” appear in the 9001. He said
that whenever these two phases are used that it was the intent of the ISO TAG 176 to mean “risk-based
thinking”! To me, that was a very powerful statement and I comment to clients today that I better never hear
another supervisor say to me during an audit that the company does something in a specific way because “That
is the way that we have always done it.” Talk about setting up an audit trail. However, this comment does not
seem to have been widely publicized and many people seem to be unaware of the depth of “risk-based thinking”
requirements in the 9001 or other ISO Management System Standards (MSS). In reality, the ISO 9001 has 34
reference to risk-based thinking instead of just the nine times that the word “risk” appears in the standard.
A Flourish data visualization
Another key learning for me has been around the concept of internal audits in clause 9.2. In the standard under
the clause 9.2.2 f), there is a Note that states to see ISO 19011 for more details. It seems very few people have
heard of the ISO 19011:2018 Guidelines for auditing management systems. This is a potential problem and that
guidance document is mentioned in the Bibliography as well as being listed in the “audit” of terms in both the
ISO 14001 and ISO 45001 as well as other ISO MSS.
The second point here is that the ISO 9001 has 131 times when the word “Shall” appears. Here is where things
started changing in 2015. The ISO 9001:2008 had 136 shall’s and including 36 times when letters were used
(e.g. a, b, c) with only one shall having over six letter items under it. In the ISO 9001:2015, there are 52
groupings of letters with over 11 of them going over six letter items. So if you count these as “shall statements”,
you get a total of 365 times that the internal auditor should be verifying the system.
What I find in practice is that the vast majority of my clients are running their internal audit program the same
way that most registrars do. That is to conduct annual reviews of the process or clause elements one time each
for about the same total mandays as the registrar. The issue is that registrars conduct what is called a random
audit of the clauses and do not look at each and every shall statement. So one of my metrics in doing audits is to
look at the total number of findings that the client has for a year compared to how many findings the registrar
has. The point is that the internal audit program should be so robust, that it make it very hard for the external
third party auditor to find much. Many clients barely have twice my count and I have lost track of how many
times that I have more findings than the internal audit program. Thus an indication of a weak internal audit
program.
The answer for this audit issue should be around the concept of “Risk Based Internal Auditing” that is a
growing topic in many lectures and article. The simple concept here is to break the internal audit process down
into smaller components that can be auditing in an hour or two and then do a risk analysis on that list into what
areas are the highest risk to the organization for bottom line results or problem areas that management might
identify. By creating a matrix of high, medium and low risk areas, the audit manager can now focus the internal
audit team on conducting high-risk items doing audit twice a year in those areas, medium risk once a year and
low risk every other year. Many companies that deploy this approach are finding that the overall internal audit
time is being reduced and the audits add more value to the company and reduce the number of external audit
findings from the third party registrars.
Another point around your internal auditor process is how are you constantly updating your team to learn more
about auditing concepts and how to understand the process approach and risk based auditing strategies. With the
proliferation of webinars and online sources today (such as ASQ TV), one thought here is to conduct periodic
(maybe quarterly) lunch and learn sessions or similar meetings where the company can share these ideas with
the entire audit team and let them discuss their learnings and applications to the audit process.
Another topical area is around ISO 9001 clause 9.1 Monitoring, measurement, analysis and evaluation. Many
people understand the word measurement to be some form of calibrated equipment; however, when questioned,
few people can define what a monitoring gage might be. Some industries such as automotive and aerospace are
much more clear around the use of monitoring gages. Whenever I see some form of gage on a machine
(typically pressure gages) that someone has drawn red or green lines on or has shades of red or green, I simply
ask how they know that they can trust that gage? If someone thought that the gage was important and put those
marking on it, then that measurement must have some importance to the operation of that piece of equipment
and thus its ability to produce good parts. Not all gages have to be or even can be calibrated! Think about this
this way – any time you get into an airplane that is used for instrument flight reference (IFR) which is all
commercial and military aircraft, how do the pilots have such an excellent safety record of getting from point A
to point B? Yet most of the instruments in the cockpit can NOT be calibrated. They are monitored. FAA
requires that every 100 hours of flight time for the aircraft that every gage in the cockpit is pulled and verified
to some form of a master to ensure proper operations. So in your plant, redundant system that are verified by
maintenance or a simple gig with a calibrated pressure gage used by maintenance with maybe quick disconnects
on the machine gages during the annual PM may be all that is needed.
The last item to look at here is around the effectiveness of training programs. With the large variation in
multigenerational workforces, many organizations are struggling with how to ensure that their training
programs are effective. One way to help this is to provide more simulation training. This could be as simple as
purchasing a Remote Control Forklift Toy for use in Forklift training after the slides are presented to allow the
new hire to demonstrate that they understand how the equipment works before you let then out on the real thing,
even with an observer. Another improvement idea for post training evaluation is to utilize the Rice & Munro
Training Evaluation Model. Many professional trainers have heard of the Kirkpatrick Evaluation Model but are
unable to complete levels three and four. The Rice & Munro method allows for organizations to utilize their
internal audit programs working with their training coordinators to functionally complete the full four levels of
evaluations to ensure that you have continual improvement in your training process.
These are some of the key learnings that I have come across the past 10 years, and I hope that you will find
some useful nuggets here to look at your organization for potential improvements in any of your ISO MSS
registered programs.