Can a refined ISO 9004 better complement ISO 9001?
Supporting RoleCan a refined ISo 9004 better complement ISO 9001? by William A. Stimson
StandardSThe ANSI/ISO/ASQ Q9000 SerIeS of QualityManagement Standards consists of three component standards: ISO9000—Quality Management, ISO 9001—Quality management sys-tems—Requirements and ISO 9004—Quality managementsystems—Guidelines for performance improvements.1 The first standard provides definitions necessary to understandthe intent of the set, the second supplies ISO 9001’s requirements,and the third gives guidelines for performance excellence. Takentogether, the standards are components because they form acomplete tactical approach to quality management. Component standards are generally recognized in thelegal system. In the United States, guidance standardssuch as ISO 9000 and ISO 9004 are considered compo- In 50 Words or lessnents of a series, along with ISO 9001. Guidance docu- • Recent versions of ISO 9004 in 2000 and 2009ments that are part of a series can be used to establish have moved the stan-a company’s due diligence and duty of care, and can be dard away from comple- menting ISO 9001 toused by courts to establish evidence of negligence or a supplementing it. • A new version of ISOdesign defect.2 9004—combining the A plaintiff could argue that the issues raised by ISO 2000 and 2009 ver- sions—could better sup-9004 should be considered first by every organization port the requirements of ISO 9001 by addressingestablishing a quality management system (QMS) and strategic and tacticalintegrated into its QMS before registering to ISO 9001. issues. Unfortunately, the role of ISO 9004:2009 has changed. September 2011 • QP 27
Rather than complementing ISO 9001, ISO 9004 now the quality of product and service, or, in their absence, supplements it. ISO 9001 is a good, but imperfect, tacti- invite quality failure. ISO 9001 contributes comprehen- cal approach to ensure the quality of goods and servic- sively, covering activities in four general categories: es. Previously, ISO 9004 complemented the tactical ap- management, resources, operations and improvement. proach with guidelines that clarified, expanded on and Within these categories, each requirement serves as an extrapolated information for those users who wished instruction, teaching the reader the elements neces- to go beyond ISO 9001’s minimum requirements. sary to achieve the requirement. Now, ISO 9004 has abandoned its tactical support, Appropriately, the standard tells you what to do, taking a grander and more strategic approach to build- but it does not tell you how to do it. There are two good ing a QMS. At first blush, this seems to be a marvelous reasons for this. First, ISO 9001 must be broad enough step. Now, we have two approaches: tactical and stra- to apply to a wide range of industries and services. tegic. What could make more sense? Specificity would result in a document so cumbersome The problem lies in ISO 9001’s imperfection. It is as to be impractical. Second, if you tell a contractor not—and cannot—be a holistic tactical standard. To how to do a job, you own the result. understand the harm I believe has been done to quality ISO 9001 requires that the quality system be imple- with this new direction, you must understand the role mented and documented. Although the standard’s each standard has traditionally played in maintaining 2008 version has somewhat reduced the amount of quality management. documentation, clause 4.2.4, control of records, still requires 20 different types of records be kept. ISO 9001’s role This may seem like a vast paper empire, but it ISO 9001:2008’s clause 1.1 defines the standard’s role serves a necessary purpose: protection against liabil- exactly: ity. There are defects in every system of production, This International Standard specifies requirements and all products will fail sooner or later. Producing for a quality management system where an organiza- a paper trail that shows your processes are effective tion: a) needs to demonstrate its ability to consistently contributes to a successful plea of due diligence in the provide product that meets customer and applicable event of litigation. statutory and regulatory requirements, and b) aims to The weak link in ISO 9001—and, in my view, a huge enhance customer satisfaction through the effective deficit—is its apparent lack of concern with product application of the system, including processes for con- reliability. The intended-use clauses—7.2.1, product re- tinual improvement of the system and the assurance of quirements, and 7.3.6, design validation—imply future conformity to customer and applicable statutory and use, but product reliability is not explicit and must be regulatory requirements.3 constructed from other requirements, supporting doc- The essential role of ISO 9001 is oriented to the quality uments, guidelines and duty-of-care legal precedents. of product or service. ISO 9001 is titled Quality manage- Duty-of-care refers to the duty of a firm’s officers to ment systems—Requirements. Many critics consider it fulfill the requirements of a contract and to evaluate too weak to ensure quality of product or service. Such potential risks. critics misunderstand the role of a standard. A standard This shortcoming in ISO 9001 is difficult to under- is an agreement by participants to conduct business in a stand, given that reliability is often called “quality over certain way. If the requirements are too difficult, you will time.”4 How can a standard that purports to represent have few participants and thus no standard. quality assurance fail to grasp that product reliability In short, a standard is a compromise. Writers of is part and parcel of that quality? A product that lasts standards understand this. Their age-old strategy is to only until you get home cannot claim to hold quality. find a doctrine that can be agreed on, tie some firm but The answer must lie in the earlier observation that nonbinding complements to it, then toughen require- if a standard is too tough, subscribers will not sign on. ments and complements in ensuing years as people get It seems many manufacturers are unwilling to provide accustomed to them. reliability as a product characteristic. Instead, they of- The role of ISO 9001 is to provide a set of good busi- fer warranty. But warranty is a poor substitute for reli- ness practices that are known to either contribute to ability if there is an element of hazard in product use.28 QP • www.qualityprogress.com
StandardSThe problem lies in ISO 9001’s imperfection.It is not—and cannot—be a holistic tacticalstandard. Fortunately, in litigation you can maneuver around 3. Involvement of people.this impasse to get to reliability. Although ISO 9004 is 4. Process approach.not contractual, it is possible to allude to product reli- 5. System approach to management.ability in its guidelines and then count on the courts to 6. Continual improvement.associate the two standards as components of a series. 7. Factual approach to decision making. 8. Mutually beneficial supplier relationships.ISO 9004:2000’s role ISO 9004:2000 also expands on ISO 9001’s clauseSimilar to ISO 9001, ISO 9004 defines its role in clause 1: 5, management responsibility, in all its subclauses. This International Standard provides guidelines beyond ISO 9004 expands on subclause 5.2, customer focus, the requirements given in ISO 9001 in order to consider to include more on the needs and expectations of in- both the effectiveness and efficiency of a quality man- terested parties. Previously, “interested parties” was a agement system and consequently the potential for im- rather vague notion in the world of quality. The ISO provement of the performance of an organization. 5 9004 definition includes the customer, of course, but If there is any question that ISO 9004 supports its also end users, employees, investors, suppliers and so-partner standard in its essential role, the matter is clar- ciety at large.ified in clause 0.1 of the guidelines: Very importantly, subclause 5.2 delineates custom- The design and implementation of an organization’s ers and end users, which implicitly declares the differ- quality management system is influenced by varying ence between warranty and reliability. Warranty, often needs, particular objectives, the products provided, the misunderstood as an arm of quality, is the opposite of processes employed, and the size and structure of the quality. It pays out only in the event of product defect. organization. 6 The guidelines expand on clause 5.6, management This clause from ISO 9004:2000 echoes the purpose review, by describing a review process that followsof ISO 9001:2008. an improvement algorithm. Thus, the review process According to Jack West, former chairman of the U.S. becomes instructive. Improvement is a major goal ofTechnical Advisory Group 176, and two colleagues, the management review, and conducting the review forumrequirements standard provides process stability, and in an improvement process provides iteration and un-the guidelines provide a performance excellence mod- derstanding of the principle.el that will make an organization a world-class com- ISO 9004:2000 expands on ISO 9001’s clause 6, re-petitor. West calls the two standards a “consistent pair” source management, in all its subclauses. It expandsthat will enhance market success.7 on subclause 6.4, work environment, adding clarity In my opinion, the guidelines support the require- with a list of environmental concerns to include issuesments in two ways: clarification and extrapolation. In of safety and even creativity in the provision of meth-all of its subclauses, ISO 9004:2000 expands on ISO ods and opportunities to encourage innovation and9001’s clause 4, quality management system. Beyond new ideas.this, ISO 9004 adds clause 4.3, use of quality manage- The guidelines include ergonomics and special fa-ment principles, to provide eight management traits cilities for personnel who need them. In summary, ISOthat tend to ensure a successful QMS: 9004 includes in its definition of the work environment1. Customer focus. all “factors that influence motivation, satisfaction and2. Leadership. the performance of people, potentially enhancing the September 2011 • QP 29
performance of the organization.”8 You might say that As a former writer of standards and specifications, a good work environment offers an atmosphere for cre- I regard ISO 9004:2000 as an admirable piece of work. ativity. The guidelines then continue to add four more ISO 9004:2009’s role subclauses: 6.5, information; 6.6, suppliers and part- According to the International Organization for Stan- nerships; 6.7, natural resources; and 6.8, financial re- dardization (ISO), its purpose in publishing interna- sources. As finance is normally considered the purview tional standards is to enable consensus on solutions of financial auditors, ISO 9004 treads carefully here. It that meet the requirements of business and the broad- simply states that resource management will plan and er needs of society. This broad view is echoed by ASQ, control the financial resources necessary to implement which states one of its purposes as being responsible and maintain an effective and efficient QMS. for enriching the lives of its members, improving their ISO 9004:2000 expands on ISO 9001’s clause 7, prod- workplaces and communities, and making the world a uct realization, in all its subclauses. The design and better place by applying quality tools, techniques and development process is included in the clause and systems. includes consideration of functional and performance These are great ambitions, indeed, and it’s not my requirements, as well as regulatory, statutory and de- intention to challenge them. ISO 9004:2009 takes a sign support requirements. ISO 9004 adds product life strategic approach and a very good one, although you cycle and ergonomics to this list of design consider- might question what is meant by “interested parties.” ations, as well the risk issues of reliability, safety, dis- In particular, the standard offers a well-defined ma- posal and the environment. turity model that can be effective for corporate self-as- ISO 9004:2000 expands on ISO 9001”s clause 8, sessment. But the strategic approach of the guidelines measurement, analysis and improvement, in all its sub- is one of governance rather than of quality, and its con- clauses. In its expansion of subclause 8.2, monitoring nection to ISO 9001 is unclear. The word “products” is and measurement, ISO 9004 again approaches the line seldom used, and the customer has been defocused as where quality and finance meet. It states the organiza- the objective. tion will: The standard offers five levels of maturity, the low- • Plan, make available and control the financial re- est as level one and the highest as level five. The cus- sources of the quality system. tomer is the focus of level two. “Interested parties” are • Measure the effectiveness and efficiency of the cost the focus of level five. The term “interested parties” is of quality. so broadly defined as to include everyone. No manage- • Examine results of measurements for purposes of ment can respond to the demands of everyone. Man- improvement. agement must focus on its mission, and somewhere in • Include quality financial reports in management re- the middle of that view should be the organization’s views. products, services and customers. ISO 9004 also adds guidelines on an organization’s To be sure, the customer is listed among the inter- self-assessment. ested parties, along with shareholders. But sharehold- In my work as a forensic consultant in litigation, ers don’t need help from ISO standards; customers do. I have observed a strong negative correlation among The first responsibility of a corporate board of direc- systemic product failure, fraud and false claims, and tors is accountability to shareholders.9 The Sarbanes- product reliability. Oxley law was written to protect shareholders. Other For me, the greatest contribution that ISO 9004:2000 interested parties include various governments, which makes to quality management lies in its guidelines on can look out for themselves. If the CEO is a member of identifying end user needs such as dependability and the board, which is often the case in the United States, life cycle costs (clause 5.2.2); use of reliability tools in then who is looking out for the customer? If it is not risk assessment (clause 7.3.1); analysis of fault modes ISO 9000, then it is no one. and life-cycle data in design and development (clause If ISO 9001 were a standalone document for tacti- 7.3.3); life-cycle cost analysis (clause 8.2.1); and the use cal quality, the new guidelines would make sense. You of failure mode and effects analysis (clause 8.5.3). would have two quality standards: one for a tactical ap-30 QP • www.qualityprogress.com
StandardSthe standard offers a well-defined maturitymodel that can be effective for corporateself-assessment.proach and one for a strategic approach. But ISO 9001 ees are empowered to control their work. W. Edwards cannot stand alone. It cannot resolve critical issues Deming was correct in his belief that most people wantbecause participant agreement cannot be obtained for to do good work.12 In fact, many operators will resistcertain issues, such as product reliability. orders to do otherwise. Speaking of ISO management standards, Steven The prime contractor’s responsibility for productRoss, a certified information systems auditor, said quality has become increasingly critical in this age ofthat ISO management standards writers wait until best outsourcing. So commonplace is outsourcing todaypractices are widely understood, then document that that many former manufacturers have become littleunderstanding as broadly as possible. Hence, ISO man- more than assemblers. In his October 2001 QP articleagement standards can be quite vague where there is “Why Quality Gets an F,” R.H. Hoyer showed how Fordno concensus.10 Motor Co. is a good example of this.13 This is why the earlier version of ISO 9004 was so ef- Subcontractor management becomes difficult infective—it complemented ISO 9001 by offering tactical distributed outsourcing, particularly in the area of flowapproaches to critical issues for those performers who down of information. Common flow-down clauses in-were willing to accept them. And it offered the courts clude product specifications, scope of work, disputea very well-defined description of ISO 9000 as a set of resolution guidelines, and state and federal regulations.good business practices. Because of the difficulty related to supplier control, The critical issues that are missing from ISO a prime contractor is tempted to rely too heavily on9004:2009 are: outsourced quality systems and may liberally interpret• Product reliability. this reliance in its own quality manual. This is permit-• Employee empowerment. ted in ISO 9001’s clause 4.1, general requirements of• Prime contractor responsibility for quality. the QMS, which states: “The type and extent of control In the case of product reliability, all the clauses per- to be applied to these outsourced processes shall betaining to dependability, life-cycle costs, and failure defined within the quality management system.”14modes and effects have been removed. Risk assess- You can argue, and I have, that tight control is im-ment remains as a guideline, but the nature of the risks plicit in the standard, but it is a difficult fight usingto be examined is vague. semantics. The principle should be explicit: A prime Employee empowerment is one of those concepts contractor is always responsible for the quality of de-with a meaning difficult to agree on, but at the tactical livered product. You could never get this in ISO 9001,level it was best described in the old Mil-Q-9858 stan- but you could in ISO 9004.dard: Personnel who perform quality functions shall have suffi- Common sense approach cient, well-defined responsibility, authority and organiza- Strategy, too, needs focus. A document cannot be all tional freedom to identify and evaluate quality problems things to all people and still be effective because all peo- and to initiate, recommend or provide solutions.11 ple will not agree on all things. It is reasonable and neces- In government lingo, “shall have” is a directive, so sary to provide tactical requirements. On critical issuesthe statement is a declaration of empowerment. for which consensus cannot be achieved, tactical guide- Employee empowerment is a critical issue because lines are necessary to complement the requirements.production fraud is virtually impossible when employ- ISO 9004 can best support the requirements of ISO September 2011 • QP 31
StandardS 9001 strategically and tactically. This is easy to do; 6. Ibid. 7. Jack West, Joseph J. tsiakals and Charles a. Cianfrani, “the Big Picture,” indeed the work has already been done. Strategic sup- Quality Progress, January 2000, pp. 106-110. 8. International Organization for Standardization, ISO 9004:2000—Quality port is described in its 2009 version. Tactical support is management systems—Guidelines for performance improvements. described in its 2000 version. Trimming the two may be 9. Organization for Economic Cooperation and development, Principles of Corporate Governance, 2004. necessary to combine them into a useable document. 10. Steven J. ross, “IS Security Matters,” Journal of the Information Systems Audit and Control Association, Vol. 2, 2010, pp. 4-5. The strategic approach can be reduced by focusing 11. Mil-Q-9858a, Military Specification Quality Program Requirements, Prepar- on strategy as it supports ISO 9001. The tactical ap- ing authority: the United States air Force, 1993. 12. W. Edwards deming, Out of the Crisis, Massachusetts Institute of technol- proach can be reduced by focusing on critical issues ogy, 1982. that cannot be agreed on in ISO 9001 committee but 13. r.W. Hoyer, “Why Quality Gets an F,” Quality Progress, October 2001, pp. 32-36. are necessary to achieve effective production and ser- 14. International Organization for Standardization, ISO 9001:2008—Quality management systems—Requirements. vice. Three of the critical issues are product reliability, employee empowerment and supplier control. QP ReFeReNCeS 1. ANSI/ISO/ASQ Q9000 Series: Quality Management Standards: ANSI/ISO/ ASQ Q9000-2005, ANSI/ISO/ASQ Q9001-2008 and ANSI/ISO/ASQ Q9004- WILLIAM A. STIMSON is a management consultant 2009, aSQ Quality Press, http://asq.org/quality-press/display-item/index. in Charlottesville, VA, specializing in forensic html?item=t2100&xvl=76St_t2100 (case sensitive). systems engineering and is a recognized expert 2. James W. Kolka, ISO 9000: A Legal Perspective, aSQ Quality Press, 2004. witness. He holds a doctorate in systems engineer- 3. International Organization for Standardization, ISO 9001:2008—Quality ing from the University of Virginia in Charlottesville. management systems—Requirements. Stimson is a senior member of ASQ and a certified 4. robert H. Lochner and Joseph E. Matar, Designing for Quality, Quality quality auditor. He is the author of Internal Quality resources and aSQ Quality Press, 1990. auditing: Meeting the Challenge of ISO 9000:2000 5. International Organization for Standardization, ISO 9004:2000 Quality and the role of Sarbanes-Oxley and ISO 9001 in Corporate Management: management systems—Guidelines for performance improvements. a Plan for Integration of Governance and Operations.32 QP • www.qualityprogress.com