Frequently asked questions on ISO 9000 and ISO 14000 certification using the Compliance Procedure Packs.



- What programs do I need to be able to read the example files?
- What programs do I need to adapt the example files?
- What are the requirements of a Procedure?
- What is the difference between a ‘revision number’ and an ‘issue number’?
- How do I draw flowcharts?
- What procedures are mandatory for ISO 9001: 2000?
- Does my documentation have to be in paper format?
- What is a ‘quality manual’?
- What is the ‘level’ of a procedure?
- What is the difference between a ‘procedure’ and a ‘work instruction’?
- How many procedures/controlled documents should I have for ISO 9000?
- What is the function of a procedure in real life?
- How do I integrate the requirements of several Standards, such as ISO 9001 and ISO 14001?
- What are ‘exclusions’ to ISO 9001?
- Which assessing body (Notified Body) or Registrar should I use?
- What does the assessment process consist of?
- What is a Scope of Approval?
- Do I get ‘registered’, ‘certified’, ‘accredited’ or what?
- What is a Major Non-conformance, Area of concern, Minor Discrepancy, Opportunity for Improvement, etc?
- What aspects of the business have to be covered?
- How are remote sites/shifts handled?
- What should I tell staff about to be assessed to ISO 9000 for the first time?
- What is an ‘inter-relationship’?
- What is a ‘special process'?
- What happens after initial certification?
- What happens on Follow-up visits?
- How do I use the logo when I have got it?



What programs do I need to be able to read the example files?

An example of every file in the Packs can be read with Adobe Acrobat Reader or any other program that reads .pdf files. Acrobat Reader is free and is usually included on all PCs and Macs. If you don't already have it, you can download it here

In general, it should be noted that most of the examples will not transpose directly into your quality or environmental system and will need some modification, if only the Procedure Number, date and revision

Top of page


What programs do I need to adapt the example files?

The text files can be modifed with Microsoft Word, any version after Word 2000.

The .cht files use an excellent flowcharting program from Novagraph called Chartist. Their web site is at www.novagraph.com . This is very intuitive to use, produces small files and has many times more functionality than is needed to produce flowcharts for ISO 9001 or ISO 14001. It is very much cheaper than Visio. There is a free 30-day demo on their web site. Both Packs include a 25% discount voucher on the sales price of the latest version.

The .vsd files can be opened with Microsoft Visio, sometimes part of the Office Suite bundles. This is a professional level flowcharting package of which writing quality or environmental procedures is a very small part of its capability. IT Departments will usually have a copy.

Top of page


What are the requirements of a Procedure?

A procedure is a piece of information that tells someone how to do something. A process. It can be in any format; I was once involved in creating video Procedures for ISO 9001. Flowcharts, text, or hieroglyphics will do as long as people understand them. For readability, lean is best. Use the language and jargon of the staff, not the assessor.

Procedures must be 'controlled documents' which means they must be listed on a Master List, have a revision number, and for ISO 14001, have a date of issue. Somehow the responsibility for authorising it must be defined, which can either be a signature on every document, or one on the Master List every change.

Top of page


What is the difference between a 'revision number' and an 'issue number'?

None. They both increment by one every change to the underlying document.

Top of page


How do I draw flowcharts?

See our page entitled Well Structured systems adapted from the IQA's Quality World magazine , written by Quality Clinics in 1998, which is the de-facto standard on quality and environmental flowcharts. You will land up with the leanest possible quality manual if you use flowcharts.

Top of page


What procedures are mandatory for ISO 9001: 2000?

A simple-minded reading of ISO 9001 suggests there are only 6 mandatory procedures, and you will certainly require these. ISO 9001 does say at the front (Clause 4.1) that ‘The organisation shall establish, document, implement and maintain a quality management system’ and the usual interpretation is written procedures.

Top of page


Does my documentation have to be in paper format?

In theory, no. A public folder on the server with write access to a few and read access to all will be sufficient for internal use, as long as any member of staff who is asked by an Assessor knows where to find the folder and most staff have access to a PC. If you do this, descriptive titles reflected in the file name and good following of functional boundaries will allow people to find what they need to read more easily, especially if you put each Department into a separate sub-folder.
It is very important that ordinary members of staff do not feel daunted by the procedures.

In practice, the assessor(s) will almost certainly want to see large and random parts of the system as they go round, meaning either they need access to your PCs which you may not want, or they need paper copies. Most of them have laptops now; maybe one day I will hand them a memory stick with the system on. …Watch this space.

Top of page


What is a 'quality manual'?

The phrase Quality Manual can have two meanings. One is the top-level policy document that most systems have (Quality Clinics call it an ISO 9000 Compliance Statement) which is the entry point for the assessors to find their way into your system. There is an example, and details of how to customise it in the ISO 9001: 2000 Compliance Procedure Pack.

The other meaning is for all the documentation relating to your system. This goes back to the days of ISO 9001: 1994 and before when most companies had 20 procedures (20 clauses in these standards) in a folder.

Top of page


What is the 'level' of a procedure?

To take the simple example of writing a procedure for making a cup of tea, a high level example would be a box on a flowchart for getting through the day that says 'make tea' or a lower level example would start ' boil kettle' and continue; or one could envisage a still low level procedure that starts 'take the lid off the kettle and check the water level'. Generally, the more familiar people are with the process, the higher level people write at. One sometimes sees very detailed procedures describing new computer data entry processes, with screen shots and text. After a year or two it is best to rewrite onto one sheet of paper.

As a general rule for ISO 9000 and ISO 14000 certification, the higher the level, the better. For training new staff in a process, or introducing a new process to the company, the lower the level the better. I didn't invent the rules.

Top of page


What is the difference between a 'procedure' and a 'work instruction'?

See above. Under ISO 9000: 1994 and before, most companies had 20 procedures, which mapped to the 20 clauses of those Standards. These were bought off the shelf, or copied from company to company by 'Consultants' using early word processors. In order to get some semblance of something meaningful into the system, some companies then wrote down what people actually did and called them work instructions. For obvious reasons, this distinction has largely died out now.

Because they were covering the same business functions, it was much too easy for an assessor to find conflicting statements between the two versions.

Top of page


How many procedures/controlled documents should I have for ISO 9000?

An unanswerable question. The basic six, a compliance statement, a quality policy statement and an org chart. Then you need enough to cover the business from enquiry to delivery at a suitable level (see above), while incorporating all the requirements of ISO 9000. See the ISO 9001: 2000 Procedure Compliance Pack for more examples of this in real life, and the document lists of some real companies.

Top of page


What is the function of a procedure in real life?

There are several processes within the areas covered by ISO 9000 and ISO 14000 where if they failed, there is no immediate impact. That is not to say they are unimportant, for example, a calibration system in engineering, emission monitoring in an environmental system, or records archiving in any business. A procedure and an audit can be an early warning to management that something important but longer term has stopped.

When business processes are being changed, a well written procedure of how it used to be done can make sure all points are covered by the new process.

When business processes are being changed, the process of logically working out a written procedure can help to make sure all the loose ends are tied up.

When a new starter joins the company, it can be useful for the trainer to refresh themselves of all the points to cover and the standard methodology from a procedure. Note; do not give the procedure to the new starter and call it training.

Top of page


How do I integrate the requirements of several Standards, such as ISO 9001 and ISO 14001?

Most companies start with an ISO 9001 system, so you need to stop thinking of it as a 'quality system' and find another name for it, such as 'management system' or 'documentation system' or whatever you choose. It just becomes a repository for any controlled documents. Many companies without a formal Health and Safety system put a H&S Policy as a controlled document.

If it has the old '20 procedures' philosophy or the old 'Procedures and Work Instructions' structure, it is probably a good time to get rid of them, and assign responsibilities as described in the article here

Some things it is not worth integrating; you are likely to always have separate Compliance Statements for ISO 9001 and 14001. Similarly Quality Policy and Environmental Policy statements. Reviews are generally kept separate.

Organisation Charts, document control, calibration, records keeping, internal audits can all be integrated to advantage. See our Audit Management System software for integrating several Standards' internal audit requirements.

Much of ISO 14001 is to do with Maintenance functions so it is likely there will be a block of Maintenance procedures covering aspects that impinge on environmental matters, such as wastes, effluents, emissions, etc.

Other documents, such as process instructions can have aspects of as many Standards as are reflected in the work being carried out. For example; a laboratory process instruction might start with listing PPE to be worn, continue with how to carry out the process and finish with how to store the reagents used before disposal.

Top of page


What are 'exclusions' to ISO 9001?

ISO 9000 is structured so that it applies to all enterprises. Some Clauses of it obviously do not apply, such as calibration in a non-science/technology/engineering industry. If a Clause (only within Section 7) really does not apply to you, you are allowed, indeed required, to write an exclsuion statement with the reason you consider it an exclusion in the system. See the ISO 9001: 200 Procedure Compliance Pack for more details and examples.

Top of page


Which assessing body (Notified Body) or Registrar should I use?

There are several aspects to this.

  • If you have to get ISO 9001 certification as part of a CE mark requirement (e.g. Medical Devices, ATEX), then they are called Notified Bodies and you must use an NB who is approved for that Directive. Not all Directives require ISO 9000 certification, e.g LVD, EMC and usually the low risk categories of others. Generally most organisations such LRQA, DNV, SAI, TUV have Notified Body status for the majority of Directives.
  • For ISO 9001 and ISO 14001, an ordinary (UKAS or national equivalent certified) certification body can be used. They are commercial organisations and fees vary considerably, and in some way will include expenses such as the Assessors travelling to you. You should get a quotation for the full 3 year cycle as some are light on front-end costs.
  • Being separate commercial organisations, they have different logos which you can use, if you want, to advertise in approved ways that you have certification. If you are getting certification to impress a major customer who uses a particular Registrar, or a particular Registrar has a majority presence in your industry, you may well get more recognition for your efforts by using them.
  • If possible, avoid Registrars who still use the desk top review process below. See 'What does the assessment process consist of?'
  • You can tell quite a lot about their attitude from their sales process. You are, after all, a customer.
    • Documentation-heavy from the enquiry stage?
    • Dictatorial or customer focussed?
    • Easy to talk to?
    • Helpful?

In the UK, we have found that both LRQA and BSI offer you an 'assigned assessor' i.e the same assessor for repeated visits. This is useful as they get to know your system and ask more relevant questions. Interestingly, in the LRQA system, you the customer choose which assessor; in the BSI system, BSI choose.

Top of page


What does the assessment process consist of?

Certification is nearly always a two stage process, an investigation into whether your system covers the requirements of the Standard as a paperwork exercise and an investigation as to whether you do what the paperwork says. There are two fundamental methods. For the first stage;

  • you supply a copy of your documentation (on paper) to them for a 'desk top review' and get a usually dry and verbose (they have to 'prove' to their own management what they have looked at) report. These have no understanding of your business built in and are against the concept of ISO 9001: 2000 that it is 'your' system.
  • The assessor does a visit to your premises. He has a look round and reviews the paperwork, and you have an opportunity to explain any quirks. You will learn a lot about their attitude as well.

For the second stage, one or more assessors visit and do an audit, after you have corrected any problems raised at the first stage. There is a formal process to this visit;

    1. Agreed date, number of assessors, usually Scope.
    2. Opening meeting, most senior person on site attends with other senior management representatives and Quality Manager. Senior Managers welcomes them. Assessors state purpose, rating structure for discrepancies they may find, actions in the event of each.
    3. If there is more than one Assessor, they usually have a meeting of their own, the senior one taking the Management elements, the junior one(s) taking operational elements. They need a private office for this.
    4. Company assigns guides to each assessor, knowledgeable about the areas to be covered. Usually a member of the Quality department or a senior manager who has been involved.
    5. Assessors and guides go off and do audit. Good communication between guides helps resolve any incipient problems.
    6. Coffee breaks, lunch arranged. Rare to go off site for lunch these days.
    7. If there is more than one Assessor, they usually have interim meetings through the day or at the end of each day and a mini-wash up meeting with the company representatives.
    8. Report writing stage. Assessors have to take copious notes of where they have been, who they have seen, what they looked at, and at the end write a long (17 page in one case) final report on their findings. Expect 20% of the time allotted to assessment to be spent writing up.
    9. Final meeting. They thank you for your hospitality. They tell you if you have passed or failed. They list the discrepancies. This is all subject to ratification by their head office, but I have never known them to be overturned, and what would it say about the Registrar's quality if they were?
Top of page


What is a Scope of Approval?

The Scope of Approval is a short set of words that describes what you are certified for. It will appear on your certificate. In real life, these have no impact on customer-supplier relations, it is the possession of a certificate that counts, so seek to be assessed for the minimum. Get it wriitten as wide as possible.

Top of page


Do I get 'registered', 'certified', 'accredited' or what?

Companies whose quality (or other) management system is passed by an appropriately approved Certification body (Registrar) are Registered or Certified. It is the Certification Body that gets accredited by a national body (in the UK; UKAS) to offer certification to a Standard in certain industry sectors.

Top of page


What is a Major Non-conformance, Area of concern, Minor Discrepancy, Opportunity for Improvement, etc?

There are several aspects to this.

  • Conceptually, they are first and foremost looking for compliance. There are certain failures to meet ISO 9001 and ISO 14001 that are instant problems. Whether these impact on the business is immaterial. For example, ISO 9001 says you must refer to the six mandatory Procedures in the top-level document. Failure to do so is an instant Major non-conformance. Probably 70% of discrepancies raised are of this nature, with newer or less competent Assessors accounting for the majority of these. Do not expect business level insights into quality or environmental management.
  • At the next level, there are emphases on certain aspects of quality and environmental certification that are not detectable from the Standards themselves. For example, in ISO 14001, legislative compliance with certain environmental legislation is absolutely key, with other environmental legislation, and aspects such as increasing recycling or environmental footprint of products way down the list.
  • Even within this logic there are certain things they learn on their training courses that you just have to grit your teeth and do. Again in ISO 14001, you must have a procedure for dealing with a delivery lorry losing its oil on your car park. I do not run their training courses.
  • Each Registrar has its own terminology for ranking any problems they find. Their ranking also defines the actions they have to take, i.e failing you, and also the actions you have to take, e.g correct by next visit, write in with action plan with x days, etc. There is some leeway in this, and a generally good attitude from the company will often mitigate, except in strict compliance areas.
Top of page


What aspects of the business have to be covered?

This question has several answers;

  • Many businesses have several business streams on one site, for example, selling equipment and running training courses on its use, or a hire service for that equipment. Especially if it is an occasional activity you can exclude this by not having it on your Scope of approval. Usually repair and calibration of the equipment would have to be covered. It would seem that hardware is necessarily in, service activities can be optionally excluded. Probably best to avoid surprises and mention if an activity is 'outside the Scope' in a top-level document.
  • You have to cover the full process from enquiry to despatch/invoicing. Accounts are never covered directly, except that Credit Note analysis is often used as a quality control metric.
  • You will have increasing difficulty not covering design, especially of engineering products. The old split between ISO 9001 (design) and ISO 9002 (manufacture) is still there in most assessors' mindsets, and they generally don't like looking at design, but the regulators of certification (UKAS) are pushing for more inclusion Design might include software and the average assessor gets terrified.
  • Many more examples are given in the Procedure Packs
Top of page


How are remote sites/shifts handled?

The rules differ between ISO 9001 and ISO 14001. ISO 14001 certification relates to a site, and the assessors will not stray from it. For ISO 9001, certification relates to an organisation. If it operates from more than one site, usually they will visit all sites that you select as under that Scope.

If you carry out work on customers' sites, they will often want to visit that initially and occasionally on subsequent visits, especially if it appears on your Scope. That would include servicing, commissioning, installing, sometimes training, etc. They never visit Salesmen's activities.

If you run shifts, they will want to visit during each shift.

Top of page


What should I tell staff about to be assessed to ISO 9000 for the first time?

In most industries, there is now a core of people who have some experience of management system certification. Sometimes this is very old-fashioned, sometimes plain wrong.

Most importantly, tell them to read their Procedures, which hopefully they have been involved in writing and get any problems corrected before the assessment. Do not rely on having done an audit in that area.

Stress to them that as a minimum, following the procedures is all that is required. They can do more, but not less. That does require some knowledge of the procedures.

They should answer questions put to them positively and simply, without going into when things go wrong. In other words “I look on the system, and if it says there is stock, I pick it” rather than “Just because the system says there is stock, it doesn't always mean there is stock, so I always check it”

Tell them, and particularly the guide, to be careful to only talk about what is in their direct responsibility. When the process goes beyond their remit, refer the assessor to the next person in the chain. Don't try and say what someone else does, the assessor may talk to them later, get a fractionally different slant on the process and feel you are not in control. Then they start delving.

Tell them not to worry if the assessor does not come to them!

Top of page


What is an 'inter-relationship'?

Nobody quite knows, but they must be defined, according to ISO 9001: 2000. In the Standard, there is a nice little diagram which you can copy into your documentation with a couple of modifications to show you understand and haven't just copied it. There is a copy in the Pack. There are also other ways described in the ISO 9001: 200 Compliance Procedure Pack.

Top of page


What is a 'special process'

There is no such thing as a 'special process' any more, it was a term in versions of ISO 9000 prior to 2000. You may still hear it from newer or less competent assessors. Given the engineering origin of BS 5750, the predecessor to ISO 9000, special processes were processes that could not be (were not routinely) inspected afterwards. That rapidly became only welding, brazing and sometimes soldering.

The modern version of ISO 9000 talks (Clause 7.5.2) about ‘The organisation shall validate any processes for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement.’ Note that in several cases recently this has been interpreted by assessors in exactly the same way as the old requirement, when it is actually very different. In most cases and across most industries, enough training or work-checking or other process-validation such as monitoring inputs and outputs is carried out to ensure quality. It is one of the Clauses that is regularly put in as an Exclusion. See the ISO 9001: 200 Compliance Procedure Pack for details of how to handle this.

Top of page


What happens after initial certification?

After the party, work goes on as normal. It is important to thank everyone for their part, as you will get less cooperation next time if you don't.

The assessors will initiate (hopefully) the process of getting you a certificate which normally takes a couple of weeks. If you got the assessors in because you were in a huge rush for a contract you can say you have been 'recommended for approval'.

When you do get the certificate, check the details, spelling mistakes are not unknown.

One of the questions the assessors may ask is whether you want to be included in a national/international register of ISO certified companies. I have never known anyone get any business through this, but if its free and not too much like hard work…

Decide what action needs to be taken to correct any problems raised. It is good PR to have a go at some of their 'optional' ones if you think them useful.

Carry on doing your own audits, reviews, quality control, etc.

You can modify the procedures if you find they don't work, as long as you don't contravene ISO and do the change following the change procedure.

Decide if you want that assessor as the assigned one, and tell the Registrar, if their system permits.

Await next visit.

Top of page


What happens on Follow-up visits

Motivating staff to the same pitch for follow up visits gets increasingly difficult. It is very important that you didn't exaggerate at the initail assessment or in your procedures.

Beforehand you need to make sure the system is tidy and there are no obvious loose ends: the audit system is up to date, complaints have been dealt with and signed off, you have waste transfer permits, etc, etc..

You can often check on their paperwork, or by reference to ISO 9000, what aspects of your company they will be looking at on each visit. Forewarn them, so they can go on holiday.

There is a formal routine to follow up visits;

  1. The date is agreed in advance, at least the first one should be with the same assessor who did the initial assessment.
  2. The assessor will look at 'the management aspects' which are management reviews, audits, complaints, actions taken to correct any previous discrepancies and any changes to the system.
  3. The assessor will select or will have pre-selected an area of the system or the Standard to look at.
  4. He or she will look at it in about the same depth as at the initial assessment.
  5. They will find a couple of small things wrong
  6. They will spend 20% of their time writing a report
  7. They will go away.
Top of page


How do I use the logo when I have got it?

This is one of those bizarre things nobody has ever got properly sorted out. It's a complete mess. There is no requirement to use the logo at all if you don't want to. If you have a clearly defined corporate image, you may find them a stylistic mess.

'The logo' is made up of two parts, the bit on the left is the logo of the Registrar and has one set of rules as to where you can use it. The bit on the right is the property of the Registrar's governing body and has different rules, which vary internationally. For example, in the UK you can't use the right hand bit on vehicles or flags, but you can the left.

The only solution is to read carefully the Regulations you will be sent on successful certification. And by the way, some require you to put your certification number wherever you put the left hand bit. Oh, and some won't allow you to put the logo anywhere near your product or on product advertising, but it can go on a catalogue. Once again, I didn't invent the rules.

Top of page












 
iSixSigma - Six Sigma Quality Resources bottom bar upHome linkPrint Ducument linkContact Us Link
Produced by Quality Clinics Ltd, Harpenden, Herts. Co No 02748168 (England and Wales)
Website created and maintained by Slurpy Studios
Home Page About Us link Contact Us link Six Sigma.com