Posted by & filed under ISO9001: RISK ASSESSMENT AND MANAGEMENT, Uncategorized.



When I go into a new contract, the first thing I must do is to recognise the vocabulary of the organisation. I need to know how information is expressed and conveyed. My understanding of the vocabulary, and where it might need to be changed, is critical for developing the quality system. The interpretation of nouns such as “measurement” and “continuous improvement” into quality system processes has become more critical now that international standards agencies are emphasising their importance for certification.

Quality records which formerly were expressed in words are being crunched into numbers which don’t always improve processes, let alone the bottom line. I have even seen one comment that nothing in process development was any use unless it was, or could be, measured. I wonder how they manage uncertainty; I assume the need hasn’t arisen.

Uncertainty is, of course, at the heart of the requirement to assess and manage risk. One of the international standards undergoing revision defines the effects of uncertainty as “… the deficiency (in part or whole) of information {my bold italics} related to, understanding or knowledge of, an event, its consequence, or likelihood.”

So, based on the above, we need to look at potential risk in information, which can mean in product, development, documentation, employee calibre, to mention a few sources. The conversion of information into numbers requires superior and experienced judgement by suitably authorised persons within the organisation. We want to avoid creating a flurry of measurement levels, classifications and categories (to mention a few) in the never-ending search for perfection. Risk management must be based on root cause analyses of sufficient depth and clarity on which to define and base the numbers. The analyses will be described in words, not numbers. Numbers on their own describe nothing unless related to a condition that can be described in words.

Take for example the Defect Categories below. As prose they are sufficiently clear to allow the reader (QAM, Quality Engineer, technician) to make judgements (risk assessments) from their experience and to ensure the data meets the required standard or specifications. The categories can apply to many different kinds of business. No flow charts or complicated diagrams are required. They are statements of fact, easily understood.

The “Description” vocabulary is sufficiently specific to alert interested parties, such as quality management representatives and other responsible authorities, to current or potential nonconformances. From this specific vocabulary they should be able to initiate their corrective and preventive actions. The positive or negative effects (deviations from the expected) can be judged accordingly.

The categories can be used for internal audit, customer complaints, and part of continuous improvement and, therefore, risk assessment and management. Avoid cosmetic additions such as colour; e.g., “Critical” is coloured red, “Major” yellow, and so on. If a colour is necessary to note “Critical”, e.g., for red tags on items segregated in the nonconformance area, the quality assurance procedure will include a reference to the tag and its place in the process being described.

The addition of colour to categories such as “critical” could imply another level of measurement; e.g., red = priority 1. We already know from the Defect Category that the first level is critical and needs priority, so there is no need to send the reader in another direction. It is over-egging the pudding and introduces the need for yet another definition.








| Defect Category | Description |
|---|---|
| Critical | The product is inoperable and this is seriously affecting the customer’s business |
| Major | The product is wholly or partly inoperable which is inconvenient for the customer |
| Significant | The defect in the product should be rectified by the next planned release. If there is no planned release, a new release is required. |
| Minor | The defect should be rectified in the next (planned?) release. The customer is prepared to accept the product in its current condition without rectification. |
| Enhancement | The reported defect is not covered by a customer requirement. An enhancement is advisable. |


In the example above “Critical” denotes a situation with possible dire consequences to the customer’s business and (inevitably) to the supplier. Everyone in business understands that this is a two-way street; the effect on the customer has to affect the business, even if it is only short term.

These categories are useful for risk assessment: a sort of reverse root cause analysis starting with applying e.g., “Critical” to carefully-chosen Key Performance Indicators could bring a different set of information from that derived from nonconformances.

I can hear the statisticians and other measurement enthusiasts protesting, but a number does not say what is. Numbers simply indicate conditions which have had, or will have, to be defined and clarified in words. The words in the box are easily understood; this is important when so many different languages could be involved among the readers and users. They have been in the industrial and public lexicon for a sufficiently long time to be used without misunderstanding.

Posted by & filed under ISO9001:2008.

Creating a Master Document List (MDL)

One of the main tasks in developing a formal quality system is to create an MDL that will record, in hard copy or electronically, all the documents involved — from contract review to final delivery of the product, with the revision status.

It is never too early to establish the following:

  • Who will control the list? (Preferably limited to one authorized individual, usually the Quality Management Representative (QMR)).
  • Who will have authorized access for review, revision and amendment? (Usually the QMR, but in larger companies it could be an authorized person on the technical library or engineering staff.)
  • Who should be considered when compiling the list of “authorized, responsible individuals”? (Identify any persons responsible for review and release. Circulate their names and responsibilities to those with authority and responsibility for signing off design development and other critical processes).
  • Is there a Signatories List to safeguard against, and identify, the squiggles that some people use as signatures?
  • Are documents verified thoroughly before issue, including content, a logical sequence of events with the reader in mind, grammar and spelling? (No wandering apostrophes and misplaced commas!).

Digital (electronic records)

Verify that:

  • signatures are limited to authorised persons,
  • signatures are validated against a Signatories List to ensure accuracy, reliability and consistency,
  • records are protected to enable ready retrieval throughout the retention period (MASTER DOCUMENT LIST),
  • secure, computer-generated, time-stamped audit trails are used to independently record the date and time of operator entries and actions, particularly those that create, modify or delete electronic records,
  • changes to records do not obscure previously recorded information,
  • audit trail documentation is retained for at least the time required by IMH Documentation Requirements procedures,
  • persons who develop, maintain or use electronic record/electronic signatures have the education, training and experience to perform their assigned tasks,
  • documents are written clearly with the reader in mind.
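
The audit-trail items in the list above can be sketched in code. This is an added example, not part of the original post: entries are accepted only from names on a Signatories List, every create, modify or delete is time-stamped and appended rather than overwritten, and each entry is chained to the previous one with SHA-256 so that a later alteration is detectable. The hash chain, the signer names and the document IDs are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample Signatories List (hypothetical names and roles).
SIGNATORIES = {"qmr.example": "QMR", "lib.example": "Technical Library"}
ACTIONS = {"create", "modify", "delete"}


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of an entry body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only trail: entries are added, never edited or removed."""

    def __init__(self):
        self.entries = []

    def record(self, signer, action, doc_id, revision, content, when=None):
        if signer not in SIGNATORIES:
            raise PermissionError(f"{signer!r} is not on the Signatories List")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        body = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "signer": signer,
            "action": action,
            "doc_id": doc_id,
            "revision": revision,
            "content": content,  # earlier revisions stay readable in the trail
            "prev": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def history(self, doc_id):
        """Every recorded revision of a document, oldest first."""
        return [e for e in self.entries if e["doc_id"] == doc_id]

    def verify(self):
        """Return the seq of the first altered entry, or None if intact."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def demo():
    trail = AuditTrail()
    trail.record("qmr.example", "create", "QP-001", "A", "Quality policy, first issue")
    trail.record("lib.example", "modify", "QP-001", "B", "Quality policy, revised scope")
    intact = trail.verify()
    trail.entries[0]["content"] = "silently rewritten"  # simulated tampering
    return len(trail.history("QP-001")), intact, trail.verify()
```

The chain only shows that stored entries were changed; to detect wholesale replacement of the trail, the latest hash has to be kept somewhere the record keeper cannot rewrite.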

Consider also:

• Where do the documents begin to appear in the design and production process?

• Do they include user documents?

• What is the distribution (see Signatories List)? (Please, no uncontrolled copies!)

• What are the connecting authorities and responsibilities for each document? (Who needs to know? Include external authorities where applicable)

• Where will hard copy documents be kept? (Secure from damage or other deterioration such as climate, for example):

Customer Service Documentation:

| Document | Location |
|---|---|
| Purchase Orders | Administration Department |
| Completed Jobs | |
| Contracts | XYZ Computer System |
| I.M.Happy IM&TE Records | Quality Assurance Department |

Quality Assurance Documentation:

| Document | Location |
|---|---|
| Quality Policy and Procedures Manuals (Master) | Quality Assurance Dept |
| Audit Documentation (Master Copies) | |
| Training Records | HR Department |
| Personnel Files | |
| Regulatory Files | |
| Service Manuals | Operations Department |
| Proprietary Documents | CEO’s/Finance Director’s Office |

• Who will be in charge of the documents at the point of use?

• Has documentation development been included in the quality plan and management quality objectives?


You may be under the impression that the above concerns are known and understood by all senior company executives, who govern themselves accordingly; unfortunately, they do not. I have seen files of critical documents stored in the most lamentable conditions, subject to the onslaught of seagulls. This is less likely to happen nowadays, with documents stored electronically. Many companies, however, simply update documents and put the latest version online at prescribed (or ad hoc) intervals, consigning previous versions to the waste basket. The history and revision trail of the document can be preserved if the previous revisions have been exported to another authorized individual within the company, but this process can weaken the security of documents. Revision status is critical for the smooth running of the processes.

As well as all the above preparations and TLC, I would like to think that you are paying close attention to the style and content of the documents. Clarity is essential; try to stay away from “management speak” and other faddy language that can clutter the best thought-out and well-intentioned policies and procedures.


Start the document control process in small, manageable pieces. Remember to assign the relevant authorities and responsibilities at the earliest possible stage in the project. Nothing will create more confusion than a last-minute attempt to assess and categorise documents. Document control can be a major embarrassment in certification assessment; it can also hamper day-to-day activities if neglected.

You don’t want this to happen in your company, do you?


Posted by & filed under THE ISO9001 CHALLENGE.

Senior Executives need to be very sure of the commitment, responsibility, authority and extra work loads before they begin developing a formal quality system.

Many hours of patient explanation may have to go into preparing senior executives for the application of ISO9001, for example. My first meeting with senior executives can be very revealing.

I ask: “Have you chosen the standard?”

The answer is usually yes, even if they’ve chosen the wrong one for their business.

Next question: “Have you read the standard, and do you have a good idea of what it means in commitment?” (Sometimes they haven’t read it at all).

Answer: “Well, we’ve just looked through it briefly. We were hoping to get some guidance from you.”

Me: “Well, that’s what I’m here for. Can you tell me why you have decided to initiate an ISO9001 quality system?”

Answer: “Our customers are pressing for it” (or we are losing a share of the market, or we want a share of the market where ISO9001 is mandatory).

Me: “Have you appointed anyone to be the management representative for the quality system?”

Answer: “Yes, we thought that John Bright, who is Manager of Purchasing, Shipping, Marketing, Packaging, and fills in for Operations could fit this in with his other duties”. (You think I am making this up?)

I reply something along the lines of: “I’m afraid that it would not be wise to have the quality manager do anything else but concentrate on the quality system, at least until registration. He/she will be working full time on learning the responsibilities and the processes. I shall be training him/her to come up to speed with writing and verifying procedures (although I prepare the first drafts), straightening out the current documentation, conducting internal audits, and training employees in the company quality policy and the meaning of ISO.” At this point I can see my prospective client (with eyeballs glazing over) having second thoughts, or still convinced that developing the quality system is only a part time job with a bit of word processing thrown in.


Careful consideration of available resources (time, skills) will save a lot of aggravation in the long run.


Posted by & filed under CERTIFICATION BODIES.

For some months a discussion has been raging on a LinkedIn group around the possibility of establishing an international data base to which organisations could refer if they wish to confirm the certification status of a company or agency re ISO standards. The data base would be set up using the International Aerospace Quality Group data base, OASIS, as a model.

While this might seem a very attractive proposition, purporting to save time now spent in checking accredited lists in many different countries, I believe there is one major hurdle which its more enthusiastic proponents don’t seem to have considered.

The OASIS database is a product of the International Aerospace Quality Group (IAQG). OASIS houses supplier and audit assessment data for all companies who hold an accredited certification in any of the AQMS series of Standards (i.e. – AS9100, AS9110 and AS9120). The International Aerospace Quality Group (IAQG) has set firm requirements regarding the inclusion of aerospace certified suppliers in the OASIS database. It is not optional – if you hold an accredited certificate to AS9100, AS9110 or AS9120 – you must be entered into the OASIS database. SAE International document AS9104 details the Certification Bodies’ requirements for Aerospace Certification Programs.

If any aerospace certified supplier refuses to be a part of OASIS, or refuses to set up an OASIS administrator, Certification Bodies are required by the IAQG to revoke the certificate of registration.

It is one thing to register all certified organisations on an international database; it is quite another to impose the above restriction.




Posted by & filed under ISO9001:2008.

How do we manage quality system training for employees who are on site for short periods, perhaps only two or three hours or days? For example, many temporary employees are hired by the day from union halls. They will work in many different companies and environments.

I helped to prepare a Pulp Handling Handbook for a marine freight forwarding company, for use in the warehouse by temporary employees. It was very simple with pictures of damaged (nonconforming, unacceptable) and non-damaged (acceptable) pulp and the applicable forms. Employees who had been on site for only a few hours could recognise a nonconforming situation in a contained environment and inform their immediate supervisors.

These employees often suggested improvements to the quality system based on their experience of conditions and processes along the waterfront. “Best practices” became obvious as more and more employees recognised what was working for them and making the job easier.

No need to discount temporary employees’ contribution to continuous improvement. Best practices discovered during such employees’ brief tenure can translate into improved customer relations and economies of time and labour.

Posted by & filed under AS9100.

The following certification issues are being considered for clarification by AS Senior Document Representatives, following recent discussions by SDRs, CBs and representatives from industry:


  • What is considered a single site? (e.g., a company with three buildings located on three different streets). What is the definition of location?
  • What is considered a ‘lost’ certification? Is it when suspended and/or withdrawn?
  • What kind of an audit is needed for a transfer?
  • Are all sites required to be listed in OASIS and have an administrator for a campus?
  • What is required to be verified in this requirement: “No certificates to AQMS standards or any combination of AQMS standards requiring a certification decision shall be issued, unless all major and minor nonconformities have been contained; satisfactorily corrected with root cause analysis; and the corrective action has been implemented, reviewed, accepted, and verified by the CB.”

Further notes:

“At this time, 80% {of representatives} do not want to separate AS9100 from the base of ISO9001 as has been rumored. There will also be more of a focus on servicing and not just production. They are planning for a 2016 release of AS9100.”

I will update as new information comes in.

Posted by & filed under ISO9001:2008.

One part of quality system costs can be monitored by introducing a tick box on the Purchase Order to track all items and services purchased for the quality system. Quality system purchases can be separated from stationery, toilet paper and pencils.

This information will be useful for the Management Review of the quality system, which has to take place at least once a year. ‘Cost of the quality system’ is always on the agenda. It will also be useful for Measurement and Analysis.

Posted by & filed under ISO9001:2008.

User publications are sometimes given short shrift in design development plans and processes.

Consider the following carefully:

  • how well does the author need to know the product?
  • at which stage should the author(s) be brought into the design process?
  • what does the reader (user) really need to know, as opposed to what the author thinks is a good idea?

Bring the author in at the earliest possible stage – the earlier the better: in fact, as soon as the design process is under way, at preliminary design stage.







RECENT DISCUSSION: You are a Q.M taking on a new position. What are the first things that you would do in your new position?


Jean’s comment

“If you start with an internal audit you should discover how the quality system has been managed, and from that an idea of the attitudes, experience, knowledge of the processes and commitment of signing authorities and responsibilities. After this you will have a better chance of conducting useful conversations with senior management and other interested parties and see if your KPIs are worthwhile and if others are needed.”


Comment in response


“Unfortunately, anecdotal information is not respected by Management, generally; it would be a personal risk acting on only this {introductory discussions with management} information.

For this reason, Jean White’s recommendation is spot on. Once a report is compiled from the formal internal audit and published to Management, and a level of professional trust is established, one can then make plans for drilling down to the causes of problems existing in the system. Ultimately, root cause analysis (done right!) will unearth the systemic causes of problems. Another important reason for using the internal audit approach is that we have to use verifiable evidence/data in our profession.”







Employee name:

Stage 1: observation of technique
Stage 2: carry out procedure under supervision
Stage 3: carry out procedure unsupervised
Stage 4: qualified to train others

| Training unit & stage | Date completed | Trainer (supervisor) |
|---|---|---|