By Praveen Gupta

Looking back at my quality career since 1984, I remember contributing to a quality manual of a Motorola division in 1987–88 for ISO 9001 certification. The standard was released in 1987. Initially, the ISO 9001 standard was developed to benefit from industry best practices and implement a quality management system (QMS) for consistency since variation was thought to be evil according to Dr. Deming. A shared understanding developed that ISO 9001 meant “do what you say in documents and say in those documents what you do.” The implication was that people said very little in the documents.

I have also learned by working at quality-driven companies that good practices include developing and designing good processes for excellent performance and documenting them for consistency or ongoing excellent performance. However, the third-party focus on compliance led to questionable designs of the processes and as a result, ISO 9001 in its first generation created a perception of excessive documentation.

Subsequent versions of ISO 9001 were released in 1994, 2000, 2008, and 2015 with the intent to make the quality management system standard more performance-driven and reduce required documentation. ISO 9001:2000 was a major structural change from the original version of the ISO 9001 standard. Even government, military, and FDA quality management system standards aligned with the ISO 9001. Although ISO 9001:2015 does not introduce a major structural change, it does introduce a few key element-level changes. However, at least the medical device standard ISO 13485 has preserved the pre-2015 clause in the case of preventive action.

How does ISO 9001:2015 visibly identify changes in the quality management system? The list includes removing preventive action, replacing it with risk assessment, the use of business context for scope and stakeholders, better use of the PDCA model, and an emphasis on the process approach.

Over the years I have learned that a QMS is a way of doing work at a company that includes all activities and all people. Quality is a state of mind leading to behaviors to excel in everything, which implies striving for target performance and verifiable actions (compliance) with the desired results (effectiveness). In other words, a quality management system is practically a business management system. That is how the QMS should be perceived and deployed in an organization, instead of a boxed-up “quality” function. With the right strategies, if the business is not doing well, business problems are the quality problems and can be addressed as such. Once I heard Bob Galvin, then CEO of Motorola, tell his leadership team to take care of quality and the business will take care of itself.

Table: High-level comparison of ISO 9001:2008 and ISO 9001:2015

Context of the organization

To bring business relevance to a QMS, this section plays an important role and creates opportunities to make a visible impact. Quality must make economic sense, and it must support achieving business objectives. In establishing a business context to our QMS, we used a stakeholder’s analysis matrix to establish their expectations and measurable objectives. Typically, stakeholders include customers, executives, employees, suppliers, and the community at large. The QMS addressing all stakeholders’ expectations makes the QMS relevant to each stakeholder. This section also has more explicitly required processes of the quality management system, and specified process inputs, sequence, interactions, outputs, criteria for effectiveness, risks and opportunities, improvement, and the required documentation, including records. If the organization and its context are understood and specified as required in the ISO 9001 standards, the QMS could be designed for a “pull with benefits” rather than a “push.”

Risk assessment

ISO 9001:2015 identifies risks in the leadership and planning sections. The leadership section identifies risks associated with the conformity of products and services, and planning addresses risks associated with the QMS. The leadership section is looking into risks with products and services, and the planning section addresses risks at the business level. Strengths, weaknesses, opportunities, and threats (SWOT) can be used to identify business risks and the process approach to identify product and service-related risks.

SWOT analysis

A cross-functional team performing a SWOT analysis identifies organizational strengths from which to benefit, weaknesses to minimize the adverse impacts, opportunities to identify areas to improve and serve customers better, and threats from potential market, technology, or people risks. Once the risks are identified primarily in the weaknesses, opportunities, and threats sections, they can be analyzed using the failure modes and effects analysis (FMEA) method and prioritized using the risk priority number (RPN). High-risk items are then addressed through specific action items.

Product or process-related risks can be identified by considering potential risks associated with material, information, machines, tools, methods, approaches, skills, and people. Design and process FMEAs can be used to identify product and process-related risks that can be minimized.

Preventive action

Corrective and preventive actions are critical to the success of a QMS by driving continuous improvement and preventing recurring problems at the part, process, or system level. There has been confusion between corrective and preventive actions. In a sense, even the corrective action should be preventive in nature to avoid the recurrence of a problem. Experts have tried to articulate the differences between corrective actions from preventive actions. Some people understood that corrective action is at the component or the opportunity level, while preventive action is found more at the higher system level. However, it was a constant confusion that eventually led to its removal from the ISO 9001:2015 standard. In intent, the preventive action has been replaced by the risk assessment and risk mitigation. However, the risk assessment and mitigation requirements were not precisely articulated, and remedial actions were accurately implemented.

I’ve learned in my early years at Motorola and AT&T Bell Labs that good companies implement quality management systems to produce good quality products and services with respect to its brand value. If a company has implemented an effective QMS to achieve its business objectives and comply with the ISO 9001 standard requirements, revisions in quality standards over time do not make a major impact on the success of its QMS. Organizations are not in the business of implementing a QMS; instead, organizations are in the business to serve customers using a QMS. One must understand that all second or third-party auditors are not equally equipped to perform effective quality audits against the requirements as intended. Instead, they perform compliance audits against the requirements as written.

About the author

Praveen Gupta is the director of quality at Stephen Gould and author of Business Innovation in the 21st Century. He pioneered the implementation of Six Sigma at Motorola, and has consulted with dozens of companies for process, product, or profit improvement. He has taught business innovation, operations management, and process improvement at IIT, UIC, and DePaul. He is an ASQ Fellow, an advisor to BrainPan (a firm founded by his students), and the Quality Professional of the Year for 2016.

This article first appeared on the Quality Magazine website and is published here with permission.