Quality 101 Learns from ISO 9001:2015 Having conducted well over 700 audits, I've noticed some patterns. By Roderick A Munro March 29, 2023 When the ISO 9001:2015 first was released, I started looking at how this new standard was going to impact industries. I had been a full time auditor for about two years with one of the old time registrars and I was eager to see how the new standards for both the ISO 9001 and ISO 14001 would affect companies. Now approaching 10 years and a senior lead management system audit and having conducted well over 700 audits, there are some patterns that have developed that are interesting to note. One of the early ways I updated myself on the new standard was an ASQ TV webinar offered by Mark Ames (AQS Management systems). He was talking about the concept of “risk” being added into the new standard, and commented about the number of times the words “as necessary” or “as appropriate” appear in the 9001. He said that whenever these two phases are used that it was the intent of the ISO TAG 176 to mean “risk-based thinking”! To me, that was a very powerful statement and I comment to clients today that I better never hear another supervisor say to me during an audit that the company does something in a specific way because “That is the way that we have always done it.” Talk about setting up an audit trail. However, this comment does not seem to have been widely publicized and many people seem to be unaware of the depth of “risk-based thinking” requirements in the 9001 or other ISO Management System Standards (MSS). In reality, the ISO 9001 has 34 reference to risk-based thinking instead of just the nine times that the word “risk” appears in the standard. A Flourish data visualization Another key learning for me has been around the concept of internal audits in clause 9.2. In the standard under the clause 9.2.2 f), there is a Note that states to see ISO 19011 for more details. It seems very few people have heard of the ISO 19011:2018 Guidelines for auditing management systems. This is a potential problem and that guidance document is mentioned in the Bibliography as well as being listed in the “audit” of terms in both the ISO 14001 and ISO 45001 as well as other ISO MSS. The second point here is that the ISO 9001 has 131 times when the word “Shall” appears. Here is where things started changing in 2015. The ISO 9001:2008 had 136 shall’s and including 36 times when letters were used (e.g. a, b, c) with only one shall having over six letter items under it. In the ISO 9001:2015, there are 52 groupings of letters with over 11 of them going over six letter items. So if you count these as “shall statements”, you get a total of 365 times that the internal auditor should be verifying the system. What I find in practice is that the vast majority of my clients are running their internal audit program the same way that most registrars do. That is to conduct annual reviews of the process or clause elements one time each for about the same total mandays as the registrar. The issue is that registrars conduct what is called a random audit of the clauses and do not look at each and every shall statement. So one of my metrics in doing audits is to look at the total number of findings that the client has for a year compared to how many findings the registrar has. The point is that the internal audit program should be so robust, that it make it very hard for the external third party auditor to find much. Many clients barely have twice my count and I have lost track of how many times that I have more findings than the internal audit program. Thus an indication of a weak internal audit program. The answer for this audit issue should be around the concept of “Risk Based Internal Auditing” that is a growing topic in many lectures and article. The simple concept here is to break the internal audit process down into smaller components that can be auditing in an hour or two and then do a risk analysis on that list into what areas are the highest risk to the organization for bottom line results or problem areas that management might identify. By creating a matrix of high, medium and low risk areas, the audit manager can now focus the internal audit team on conducting high-risk items doing audit twice a year in those areas, medium risk once a year and low risk every other year. Many companies that deploy this approach are finding that the overall internal audit time is being reduced and the audits add more value to the company and reduce the number of external audit findings from the third party registrars. Another point around your internal auditor process is how are you constantly updating your team to learn more about auditing concepts and how to understand the process approach and risk based auditing strategies. With the proliferation of webinars and online sources today (such as ASQ TV), one thought here is to conduct periodic (maybe quarterly) lunch and learn sessions or similar meetings where the company can share these ideas with the entire audit team and let them discuss their learnings and applications to the audit process. Another topical area is around ISO 9001 clause 9.1 Monitoring, measurement, analysis and evaluation. Many people understand the word measurement to be some form of calibrated equipment; however, when questioned, few people can define what a monitoring gage might be. Some industries such as automotive and aerospace are much more clear around the use of monitoring gages. Whenever I see some form of gage on a machine (typically pressure gages) that someone has drawn red or green lines on or has shades of red or green, I simply ask how they know that they can trust that gage? If someone thought that the gage was important and put those marking on it, then that measurement must have some importance to the operation of that piece of equipment and thus its ability to produce good parts. Not all gages have to be or even can be calibrated! Think about this this way – any time you get into an airplane that is used for instrument flight reference (IFR) which is all commercial and military aircraft, how do the pilots have such an excellent safety record of getting from point A to point B? Yet most of the instruments in the cockpit can NOT be calibrated. They are monitored. FAA requires that every 100 hours of flight time for the aircraft that every gage in the cockpit is pulled and verified to some form of a master to ensure proper operations. So in your plant, redundant system that are verified by maintenance or a simple gig with a calibrated pressure gage used by maintenance with maybe quick disconnects on the machine gages during the annual PM may be all that is needed. The last item to look at here is around the effectiveness of training programs. With the large variation in multigenerational workforces, many organizations are struggling with how to ensure that their training programs are effective. One way to help this is to provide more simulation training. This could be as simple as purchasing a Remote Control Forklift Toy for use in Forklift training after the slides are presented to allow the new hire to demonstrate that they understand how the equipment works before you let then out on the real thing, even with an observer. Another improvement idea for post training evaluation is to utilize the Rice & Munro Training Evaluation Model. Many professional trainers have heard of the Kirkpatrick Evaluation Model but are unable to complete levels three and four. The Rice & Munro method allows for organizations to utilize their internal audit programs working with their training coordinators to functionally complete the full four levels of evaluations to ensure that you have continual improvement in your training process. These are some of the key learnings that I have come across the past 10 years, and I hope that you will find some useful nuggets here to look at your organization for potential improvements in any of your ISO MSS registered programs.