Wednesday, January 30, 2008

The 10 Biggest Quality Mistakes

One of the most effective ways to improve is to learn from other people’s mistakes. Experience has taught me that there are plenty of mistakes out there to learn from. The trick is to recognize them and understand what to do instead. Unfortunately, I keep seeing the same mistakes over and over. They aren’t mistakes because they violate a standard such as ISO 9001; they’re mistakes because they violate good sense. Let’s examine the 10 most common quality mistakes and see how they can be corrected.

1. Limiting quality objectives to traditional quality topics

The term “quality objective” is an unfortunate one. It introduces subjectivity (i.e., quality) into a subject that should be quite clear (objectives). A much better term would simply be “measurable objectives” because that requires less interpretation. The word “quality” clouds the issue and makes many people want to narrow the focus of what a quality objective can be.

The truth is that quality is reflected in everything an organization does, and a quality objective can be anything measurable that relates to the organization’s success. A quality objective might relate to finances, customer feedback, safety, efficiency, speed or innovation. All these attributes relate to quality in one way or another. When selecting quality objectives, organizations should examine what matters most to their success. Whether the resulting measure is tied to traditional quality control or quality assurance is irrelevant.

2. Holding infrequent management reviews

Management review is the process used by top management to analyze data, make decisions and take action. Ideally, it’s a preventive process because data should indicate threats before they blossom into full-blown problems. If top managers are unable to analyze data proactively and prevent problems, then they’re not doing their jobs. Holding management reviews once or twice a year ensures that actions taken won’t be preventive. Only through timely and frequent data review can actions be preventive. Once or twice a year won’t cut it.
Many people argue that their organizations already review data on a weekly and monthly basis. This means that management review is still after the fact; the decisions have already been made. Management review must be included in existing meetings. Instead of a twice-yearly dog-and-pony show, cover the inputs and outputs of management review as they occur naturally during existing meetings. After a month or two, you’ll have addressed all the required inputs and outputs. Using this approach, you’ll have information that’s timely and resulting actions that are preventive. Another advantage is that you dispense with the need for long, laborious management reviews. They happen in a smooth and effective manner that’s much more likely to drive improvements.

3. Sending out long, complex customer surveys

The days of the long and complicated customer survey are over. People don’t have time to complete them. Even when organizations design shorter surveys, the questions are often confusing and fraught with interpretation problems. The scales that accompany the questions are often unbalanced and illogical. As a result, organizations end up with a small amount of valid data. Better to have no data at all than data that could lead you in the wrong direction.

Instead of a survey, why not simply ask your customers what they like and dislike? Don’t limit their responses to survey topics. Let your customers dictate the content of their feedback in response to open-ended questions. Few are more powerful than the following: What do you like? What don’t you like? What would you like to see different in the future? Open-ended feedback is also much easier to understand and take action on. A customer- satisfaction index of 3.8 is hard to interpret. On the other hand, seven out of 10 customers telling you that your Web site is confusing is very easy to interpret.

4. Assuming everyone knows what “nonconforming” looks like

When I visit organizations, one of my favorite questions is, “Where do you put the nonconforming products?” Control of nonconforming products is one of the most basic kinds of controls, and it speaks volumes about the rest of the controls embraced by the organization. Unfortunately, where I often find nonconforming products is wherever someone decided to leave them. They’re not uniquely identified, either. In other words, nonconforming products are treated no differently than any other products. When I ask why this is happening, the most common answer I get is, “Because everyone knows that’s nonconforming.” No, they don’t. No matter how nonconforming a product is, there will be someone who won’t recognize it as such. The stories of bent, broken and blown-up products that somehow got used anyway aren’t urban legends. They’re true.

Smart organizations positively identify all nonconforming products, and really smart organizations segregate them to remove all chance of accidental use. Error-proof your control of the nonconforming product process so that nobody has to assume anything.

5. Failing to use the corrective action process

Corrective action is the systematic way to investigate problems, identify their causes and keep the problems from happening again. Nobody wants problems, but it’s essential to have a way of dealing with them when they come up. The more the corrective action process is used, the better the organization gets at addressing its risks and problems. That’s why I’m astounded when I hear about organizations that avoid using their corrective action processes. Of course, I always ask why they’re doing this, and I often get one of these answers:
• Corrective action isn’t effective for large problems.
• Corrective action isn’t effective for small problems.
• Nobody understands root cause.
• Our problem-solving tools are confusing.
• Our procedure requires too much paperwork.
• Corrective action takes too long.
• I hate our corrective action form.
• Top management frowns on corrective action because it means that someone screwed up.

These aren’t corrective action problems but problems with the organization’s approach to corrective action. An effective corrective action process is typically seamless, simple and intuitive. The whole point is to add a little structure to problem solving, not to create additional bureaucracy.

Here are some hints to make your corrective action process more user friendly and effective:
• Strip it down to the essentials. A corrective action must clearly describe the problem, how it’s caused, actions taken to remove the causes, results of actions taken and how the actions were effective. Only include additional elements when you can prove that they add value.
• Remove all jargon from the process. Strange words only discourage people from using the process.
• Don’t insist on a raft of signatures . It’s not necessary for half the management staff to sign off on every corrective action.
• Remove paper from the process as much as possible. Use electronic media to track corrective actions.
• Communicate corrective actions widely. When people see that corrective actions accomplish something, they’re much more likely to participate in the process.
• Provide problem-solving tools, but give people some discretion in their use . If your procedure requires a failure mode and effects analysis to be completed for every corrective action, it will probably discourage people from starting corrective actions.
• Use teams for corrective actions whenever possible. This gives people experience in the process and also increases the effectiveness of most solutions.

6. Applying document control only to official documents

Most organizations do a decent job of controlling “official” documents, the procedures and work instructions that form the core of the quality management system (QMS). These are often written, approved and issued according to very specific guidelines. What organizations don’t do very well is control unofficial documents, many of which are more important than the official ones. What am I talking about? Here are some examples that are often found in production areas:
• Post-it notes with special requirements written on them
• Memos that include procedural steps
• E-mails with customer specifications
• Photographs showing what a product should look like
• Drawings indicating how product components fit together
• Samples of product showing defect limits

These informal resources become documents when they’re shared for people to
use, and they’re some of the most important documents within an organization. They’re distributed and posted in a hurry--usually without control--because the information they communicate is considered critical. Nobody can quibble with the speed of distribution, but the lack of control guarantees problems later. I’ve seen 10-year-old memos posted in organizations that exhorted personnel to perform obsolete job steps. When documents aren’t controlled, mistakes and nonconformities are inevitable. Apply document control to all documents, and scrutinize your document control process to keep it streamlined and effective.

7. Focusing audits on petty, nonstrategic details

Auditing is the process of comparing actual operations against commitments the organization has made. It’s a simple, fact-driven process that can generate huge improvements. However, these can occur only if auditors focus on the right things. Too often, internal auditors become preoccupied with petty details and neglect the big issues. They’re uncomfortable examining the big, strategic issues. It’s much easier just to nitpick. Organizations rarely provide enough training and skill-building to their internal auditors, so it’s no wonder that they aren’t prepared to carry out their duties to the fullest.

A robust internal auditing process examines make-or-break issues. Here are just a few of the items that internal auditors should probe in detail:
• Customer satisfaction. Is the organization capturing and analyzing customer satisfaction data? How is it acting on the data? Do trends show improvements in customer satisfaction?
• Management review. Does management review happen as planned? Does the necessary information and data get reviewed? What actions result?
• Corrective action. Is corrective action applied to existing nonconformities? Is it timely? Does evidence indicate that causes are removed to prevent recurrence?
• Preventive action. Does the organization take preventive action based on data and information? Is it effective?
• Internal audits. Are audits scheduled and carried out based on status, importance and prior audit results? Do audit nonconformities become corrective actions? Is the entire scope of the management system audited?
• Objectives. Are objectives established and communicated? Do employees understand them?
• Control of nonconforming products. Are all nonconformities positively identified? Are dispositions carried out as required? Are trends analyzed for improvement?

There are, of course, many other important issues an audit process could examine. The point is that internal auditors should go after the items that really affect the organization’s success. Focusing on petty details serves no purpose but to confuse everyone about the purpose of audits.

8. Training some personnel, but not all

Most organizations provide significant training to hourly production personnel. Salaried and managerial personnel are often neglected, however. Why? Because there’s a perception that salaried workers don’t affect product conformity. This is a serious error.

All personnel must be included in the training process. Salaried and managerial personnel need more--not less--training because their decisions and actions have more lasting effects. When an hourly employee makes a mistake, it could cost money. When a top manager makes a mistake, it could put you out of business. Doesn’t it make sense to train these people? Do it early and often.

9. Doing anything just because an external auditor told you to

External auditors wield great influence. Their statements and judgments can have a lasting effect on the way an organization conducts business. This can be good or bad. Usually, it’s bad. Most external auditors working for a registrar are removed from the realities of running a business. They travel from organization to organization, gradually collecting paradigms about the way a QMS should be implemented, maintained and improved. These paradigms are sometimes reflected back to the organization in the form of recommendations or nonconformities.

In my travels to companies, I often ask people why they’re carrying out a process the way they are. I always raise this question when the process seems unwieldy or illogical. In a surprising number of cases, the answer will be, “Because the external auditor said we should do it that way.” What a waste. Do a reality check on the auditor’s recommendations. Never do anything just because an auditor would like it done that way. A certificate on the wall isn’t worth it.

10. Employing someone who only oversees the QMS

Having a person who does nothing but oversee the ISO 9001 (or any other) QMS is one of the worst ideas in the history of quality. Why? Because it guarantees two things:
First, the QMS coordinator will become isolated from the rest of the organization. Because the person does nothing but serve the QMS, he or she loses touch with why the organization exists in the first place. The system becomes paramount over the organization’s business concerns. Second, the QMS will become bloated and bureaucratic because it must expand to completely fill someone’s time. Procedures become more complicated, methods more cumbersome and the benefits more ambiguous.

A QMS is nothing more than a guiding structure of methods, and it shouldn’t take a huge dedication of time and effort to maintain. Yes, someone should keep the system on track, but that person should have other responsibilities as well. Pair the ISO 9001 coordinator job with other responsibilities that focus on understanding what the organization does, especially responsibilities related to the product, customers and improvement. If the QMS is so bureaucratic that it requires the time of an entire person (or, heaven forbid, an entire staff), then the system needs to be streamlined. An effective QMS should make an organization more competitive, not weigh it down.

Thursday, January 24, 2008

ISO 9001:2008 – How it will Impact your Auditing

By Craig Cochran
(Originally published in The Auditor, Jan-Feb 2008)

Auditing is all about comparing evidence to requirements. That’s why changing requirements always grab the attention of auditors. As most of you know, ISO 9001 is undergoing a revision that is scheduled to be published in 2008. The new standard, ISO 9001:2008, includes mainly editorial amendments: re-arranged words but few significant changes. There are a few things that auditors should take note of, though. Let’s take a look at the Draft International Standard of ISO 9001:2008 and discuss how it might impact your auditing.

Statutory requirements

The word statutory will be inserted in a couple of places within the introductory part of the standard. This is primarily to make the language consistent with section 7.2.1—determination of requirements related to the product—which has always required that the organization determine statutory and regulatory requirements for its products. Even though the concept is not new, the requirement reminds all auditors that they need to understand the legal requirements of the products they’re auditing. Statutory and regulatory requirements are often taken for granted by auditors, with the assumption that the organization knows what applies to its products. This is not always the case. During the planning phase, auditors must research the statutory and regulatory requirements on the product produced by the organization, and make sure they able to effectively evaluate this.

Technically, there is a difference between statutory and regulatory requirements. It’s a very fine difference, though. We’ll cover it briefly for the sake of completeness. Statutes are laws. They say what you can and can’t do in broad terms. Regulations are usually specific guidelines published and enforced by regulatory bodies. The bottom line is that statutes and regulations are both enforced by authorities that can make your life difficult. Understand what statutes and regulations apply to your products, and make sure you’re able to meet them. Satisfaction of this clause is typically achieved in a two part manner:

  • Developing a process for understanding and staying up-to-date with statutes and regulations
  • Compiling an index or listing of statutes and regulations applicable to your products

These processes are not specifically required by ISO 9001, but they would represent an effective way of meeting the requirement.

It’s worth noting that statutes and regulations can come from the country in which you are based, and they can originate from countries in which you’re selling your products. Multinational organizations have to consider statutory and regulatory requirements everywhere they operate in the world. Understanding and staying current with statutes and regulations can become somebody’s full time job for companies that operate around the globe.

This clause is also very significant for companies that produce highly-regulated products. Examples of highly regulated products include:
* Drugs and pharmaceuticals
* Medical devices
* Food
* Aircrafts and aircraft parts
* Explosives and firearms

Management representative

ISO 9001:2008 will clarify who can act as the management representative. That role must be held by a member of the organization’s management. This makes 2 things clear:
The management representative is an employee of the organization (not a consultant)
The management representative is someone with the responsibility and authority to make decisions, assign resources, and get things done.

In the past, the decision of who was assigned as management representative was usually unchallenged by auditors. This will need to receive some new scrutiny by auditors to ensure that the assignment meets the full intent of ISO 9001:2008. Besides being a member of the organization’s management, there are 3 responsibilities that must be carried out by the management representative and which auditors must verify:

1. The management representative will ensure that the processes of the quality management system are established, implemented, and maintained. This is the project management aspect of being a management representative. Establishing, implementing, and maintaining a QMS requires that the management representative must coordinate many different efforts and continually sell the benefits of the system. It bears repeating that the management representative does not own the system, though. Everybody owns the management system, led by top management.

2. The management representative will report to top management on the effectiveness of the management system. This happens during management review, possibly the most important process of the entire standard. The management rep does not need to personally collect and present the data on effectiveness, but they make sure it happens. The most effective management reviews involve a wide range of organizational managers and influencers, with the management representative coordinating their input.

3. This basically means that the management representative must help promote a customer focus throughout the organization. There is nothing more important to the organization’s success than the customer, and the management representative must continually remind everyone of this fact. Promotion of awareness can be accomplished in many ways, and here are a few simple ways that come to mind:
* Posting data on customer feedback trends
* Publishing product specifications
* Holding meetings that address customer issues
* Serving as a liaison between the organization and the customer
* Distributing memos and emails that clarify customer requirements


The competence and training requirements of ISO 9001 have long been some of the most confusing. The reason is that the standard specifies some broad requirements and gives the organization total discretion for how they will be applied. This discretion has been tightened a bit through the requirement that the organization “ensure the necessary competence has been achieved.” This replaces the previous requirements for evaluating the effectiveness of training.

Ensuring that competence has been achieved can take place in a number of manners, but the most obvious is a demonstration of the newly developed skills or abilities. This works especially well for competency building aimed at skills and training. “Okay, we’ve talked about the task, and we’ve demonstrated how it should be performed. Now you give it a try.” If the trainee is able to effectively perform the task over the period of observation, then they could be reasonably considered competent. Keep in mind that the period of observation could be an hour, day, week, or month. It all depends on the complexity of the skill being demonstrated. Most “on-the-job training” programs focus on this kind of evaluation. The trainee starts out as an apprentice and then gradually begins performing many of the tasks themselves. The training culminates in the trainee being able to demonstrate the full range of skills involved with the job.

The inspection of an employee's work or product can verify that competence has been achieved. For employees who produce a tangible good or deliver a service, this is often a reasonable indicator of whether training has had the desired effect. Many organizations already have existing systems for inspecting their products, and these systems can be channeled into the training program. But this will only work if the product's inspection is traceable back to individual employees.

Tests and examinations can be used to ensure that competence has been achieved, especially when the competence is related to knowledge and facts. Be aware that many individuals simply don't perform well on formal tests or examinations, regardless of the quality of the instruction and training materials, so this may not be an ideal gauge of effectiveness. Another drawback is that tests are heavy on administration, requiring someone to spend a great deal of time creating the tests, making sure that all learning objectives are addressed, creating answer keys, creating a grading scale, taking time to grade the tests, dealing with test anxiety and disappointment, and so on. Tests and examinations do have the advantage of resulting in a numerical score, which is easy to quantify and track over time.

Finally, some organizations use performance reviews to draw judgments on whether employees have achieved competency. Most organizations already use performance reviews of some sort. As long as a logical connection can be made between the training and the job performance, the system will work. One caution, however: Make sure to separate the record of performance review from the record of training effectiveness evaluation, as every organization seeking to keep or gain ISO 9001 registration will be required to provide evidence of the evaluation to its third-party auditor. Showing performance review records to outside parties will create ethical (as well as legal) problems, so you're far better off maintaining separate files.

Auditors will need to probe the issue of competence deeper than they have in the past. What was once accepted as meeting requirements may not meet the requirements of ISO 9001:2008.

Work environment

ISO 9001:2000 will add a note in order to clarify the scope of work environment. Notes are not auditable, of course, but they provide insights on how to interpret the requirements that are auditable. The note states that work environment includes physical, environmental, and other factors needed to produce the products in question. Consider the following examples:

Candy manufacturer: Raw materials are received into the facility and are immediately moved into a climate controlled storage area. The cleanliness of the storage area is immaculate, far different than most other warehouses. A weekly inspection is conducted to look for any evidence of pests. The raw materials are transported into manufacturing by personnel wearing white gloves and smocks, and all manufacturing is tightly controlled under Good Manufacturing Practices. All outside doors and windows are kept closed and the housekeeping is very strict; even the garbage cans are clean and spotless. Nobody with any kind of illness is permitted inside the facility, and no jewelry is permitted to be worn. Once manufacturing is complete, the finished product is stored in an area that is maintained at 40 degrees F, plus or minus 4 degrees, and the gauge used to monitor the temperature is calibrated. A weekly audit is conduced to evaluate the condition of finished product in inventory.

Insurance company: People are stationed at desks and perform work on computers and telephones. The office temperature is maintained at “typical office conditions,” which is usually a compromise between the women who like the office warmer and the men who like it cooler. Dress codes are enforced so personnel are not distracted in their work and to maintain a professional environment in the event customers visit. Personnel are not allowed to play music from their radios or computers, as the sound disturbs people in their work, even when played at low volume. Hot food items are restricted to the break rooms, as some employees were offended by the smells of certain foods that were consumed at desks. Personnel photographs are decorations are permitted in cubicles, but nothing that could constitute a threatening work environment are allowed. Everything about the office is maintained is a pleasant yet bland manner because this is the environment that was found to result in the highest productivity, lowest service defects, and fewest personnel problems.

Paper mill: The inside of the plant is very damp, and a half inch of water is on most of the floors. Additionally, the nature of the production process is very hot in some areas, and the ambient temperature in the summer can reach over 110 degrees. During winter months, temperatures in the warehouses are just a few degrees above freezing. For many years, the harsh environmental conditions were simply accepted as a given. The conditions didn’t negatively affect the product, so management felt no need to change anything. Recently it became clear that employees were becoming ill at a higher than normal rate, however. The increased illnesses affected the mill’s attendance rate, which in turn impacted its ability to produce paper on schedule. Work conditions are being improved now that the link between the environment and product conformity was recognized.

In all these cases, the work environment is focused on what is needed for the product in question. Sometimes organizations discover connections between the work environment and product conformity that they didn’t know existed, as in the paper mill example. ISO 9001 simply says that you will determine the environmental conditions that you require. Whatever you require is what you will be expected to provide and maintain.

Here are some typical controls related to specific work environment variables:

* Temperature and humidity: Gauges for monitoring, records of conditions, records of gauge calibration, investigation of affected product when conditions fail to meet environmental requirements

* Safety hazards: Identification of hazards, prioritization of risks, procedures for job safety, monitoring of compliance, records of monitoring, corrective action on accidents and near misses, regular meetings to discuss safety issues

* Lighting, noise, vibration: Specifications for characteristic, procedures for maintaining specifications, ongoing measurement of characteristic, records of measurement, calibration of gauges, records of calibration

* Housekeeping: Procedures for housekeeping, defined responsibilities, training of personnel, periodic audits of housekeeping, corrective action on nonconformities, signage to remind personnel of guidelines

* Personal hygiene & behavior: Documented policies for personnel, recurring training, monitoring by supervision, counseling for employees

ISO 9001 does not require documented procedures or records related to work environment, though it often makes sense to have such things. In cases where the organization establishes requirements for work environment, then the only way to verify that the environmental conditions were met would be through records. Documentation would also be required to consistently communicate the work environment requirements and controls.