
Chapter 10: ISO 9000 Quality Management System

High Points of This Chapter

1. ISO 9000 standards have had great impact on the implementation of international trade
and quality systems by organizations worldwide; they deal with the management systems
used by organizations to ensure quality in:
• design
• production
• delivery
• support products
2. The new ISO 9001:2015 standard includes several important changes for Quality
Management Systems, including modifications in terminology, the introduction of new
context-based clauses, emphasis on management’s role in quality, and a focus on a
risk-based approach.
3. To maintain its registered status, the supplier organization must pass periodic surveillance
audits by a registrar.
4. ISO 14000 is a standard for an environmental management system, intended to reduce the
environmental footprint of a business and to decrease the pollution and the waste a
business produces.
5. cGMP refers to the Current Good Manufacturing Practice regulations enforced by the
U.S. Food and Drug Administration (FDA).
6. AS9100 is a widely adopted and standardized quality management system for the
aerospace industry.

International Standards Overview


Standards – exist principally to facilitate international trade and to avoid harming customers
and society.
Pre-standardization Era – before 1980; there were various national and multinational standards.
Standards that have been around for decades:

• electrical
• mechanical
• chemical process compatibility

Other standards were developed for the military and other groups for the nuclear power industry,
and to a lesser extent, for commercial and industrial use.
1980s – most of the organizations in the industrialized world began to improve quality and safety
at record paces; hence, there arose a need to fill a void.
Common Quality Management System – the void between the customer and the supplier;
non-binding “contract”
ISO 176 Technical Committee – filled the void in the form of the ISO 9000 set of standards,
which was followed by environmental standards named as ISO 14000.
ISO 9000 – basis of the development of sector quality system standards of certain
industry/economic sectors.
These industries are:

• automotive industry (QS 9000)
• pharmaceutical and medical devices industry (cGMPs)
• government regulatory agencies
• military procurement agencies (AS9100 and the Mission Assurance Provisions, MAP)

ISO 9000 Quality Management System Standard


ISO 9000 Standards –

• have had great impact on international trade and quality systems implementation by
organizations worldwide
• have been adopted as national standards by 70 countries
• have been applied in a wide range of industry/economic sectors
• apply to all generic product categories: hardware, software, processed materials, and
services

ISO 9000 Family of Standards – provides quality management guidance, quality assurance
requirements and supporting technology for an organization’s quality management system
(guidelines on what features are to be present in the management system)
Certified Quality Management System – can be registered upon implementing ISO 9000
Technical Committee 176 of the International Organization of Standardization (ISO) –
created, produced, and maintained the standards in the ISO 9000 family
ISO/TC176 – first meeting was held in 1980
ISO 8402 – vocabulary standard; first published in 1986.
The initial ISO 9000 series was published in 1987, consisting of the following:

• Fundamental concepts and road map guideline standard ISO 9000
• Three alternative requirements standards for quality assurance (ISO 9001, ISO 9002, or
ISO 9003)
• Quality management guideline standard ISO 9004

The market for quality management and quality assurance standards itself grew rapidly, partly in
response to trade agreements such as the:

• European Union (EU)
• General Agreement on Tariffs and Trade (GATT)
• North American Free Trade Association (NAFTA)

ISO 9001:2015

• Certificates for the ISO 9001 Standard have been issued to over a million organizations in
over 170 countries.
• After 25 years of implementation of the first ISO 9001 Standard, a revised version was
introduced.

Major Differences in Terminology from ISO 9001:2008 to 9001:2015

| ISO 9001:2008 | ISO 9001:2015 |
|---|---|
| Products | Products and services |
| Exclusions | Not used |
| Documentation, records | Documented information |
| Work environment | Environment for the operation processes |
| Purchased product | Externally provided products and services |
| Supplier | External provider |

In addition, two new clauses have been introduced regarding the context of the organization:

• Clause 4.1 Understanding the Organization and its Context
• Clause 4.2 Understanding the needs and expectations of interested parties

Risk-based approach – another significant change in the ISO 9000:2015, on which more
emphasis has been put.

| ISO 9001:2015 Clause | Application of Risk-Based Thinking |
|---|---|
| Clause 4 | The organization is required to determine its QMS processes and to address its risks and opportunities |
| Clause 5 | Top management is required to: promote awareness of risk-based thinking; determine and address risks and opportunities that can affect product/service conformity |
| Clause 6 | The organization is required to identify risks and opportunities in relation to QMS performance and take appropriate actions to address them |
| Clause 7 | The organization is required to determine and provide necessary resources |
| Clause 8 | The organization is required to manage its operational processes |
| Clause 9 | The organization is required to monitor, measure, analyze, and evaluate effectiveness of actions taken to address the risks and opportunities |
| Clause 10 | The organization is required to correct, prevent, or reduce undesired effects and improve the QMS and update risks and opportunities |

External Driving Forces


The driving forces that have resulted in widespread implementation of the ISO 9000 standards
can be summed up in one phrase: the globalization of business. The changes have led to
increased economic competition, increased customer expectations for quality, and increased
demands upon organizations. These changes include the following:
• New technology in virtually all industry/economic sectors
• Worldwide electronic communication networks
• Widespread worldwide travel
• Dramatic increase in world population
• Depletion of natural resource reserves, arable land, fishing grounds, and fossil fuels
• More intensive use of land, water, energy, and air
• Widespread environmental problems/concerns
• Downsizing of large organizations and other organizations, flattened organizational
structure and outsourcing of functions outside the core functions of the organization
• Number and complexity of language, culture, and legal and social frameworks
encountered in the global economy
• Diversity as a permanent key factor
• With developing countries becoming a larger proportion of the total global economy, there
are new kinds of competitors and new markets

Internal Response to External Forces


ISO 9000 implementation involves establishing policy, setting objectives for quality, designing
management systems, documenting procedures, and training for job skills.
The concept of organizations adopting a performance excellence program, including business
process management, as a means of adapting to challenging customer needs is emphasized in
ISO 9000 standards.
“In this world of rapid change, how can a single family of standards, ISO 9000, apply to all
industry and economic sectors, all products, and all sizes of organizations?”
Under the ISO 9000 standards, the assurance of consistent product quality is best achieved by
simultaneous application of two kinds of standards:
• Product standards (technical specifications) – apply to the characteristics of the product
and of the process through which it is produced. These standards are specific to a
particular product—both its intended functionality and its end-use situations.
• Quality system (management system) standards – domain of the ISO 9000 standards. It is
the distinction between product specifications and management system features.

Distinctions between Organizational Performance Excellence Programs and ISO Standards

The ISO 9000 family standards contain requirements and guidelines that form a quality system
model to be used for quality assurance purposes, providing confidence in product quality.
A requirements standard becomes binding upon an organization wherever:
• the standard is explicitly called up in a contract between the organization and its customer
• the organization seeks and earns third-party certification/registration

All of the ISO 9000 family standards are generic; they are nonprescriptive in describing what
management system functions shall or should be in place but do not describe how to carry out
those functions.

The ISO Standards do not include the full scope of managing for quality. It is only an assurance
system focused on processes that only impact customer requirements being met. Organizations
saw ISO Standards as an important part of their performance excellence program which is the
inclusion of the planning, control, and improvement methods and applying these to all processes
to manage quality.
Quality control is different from quality assurance.
• Quality control: what to monitor to ensure requirements are met
• Quality assurance: provides information on how our system is performing to
predetermined product specs and plans. It is reviewing and auditing the system to provide
gains on improvements
• Providers of training, assessment, or advice in quality management
• Developers of related standards

Quality System Certification/Registration

Quality assurance requirements are called up in a two-party contract:


First Party – Providing organization or supplier.
Second Party – Customer organization.
First-party audits - Internal audits sponsored by its management to verify that its quality system
meets the contract requirements.
Second-party audits - Provisions to have external audits sponsored by the management of the
customer organization to verify that the supplier organization’s quality system meets the contract
requirements.
Certification/Registration-Level Activities
Quality system certification/registration – A means to reduce the redundant, non-value-adding
effort of multiple audits.
Third Party – Also called a “certification body,” or “registrar” in other countries, conducts a
formal audit of a supplier organization to assess conformance to the appropriate quality system
standard, say, ISO 9001 or 9002. When the supplier organization is judged to be in complete
conformance, the third party issues a certificate to the supplying organization and registers the
organization’s quality system in a publicly available register.
“certification” and “registration” – Two successive steps signifying successful completion of
the same process.
Surveillance Audits – Done by the supplier organization to maintain its registered status. Often
conducted semi-annually. They may be less comprehensive than the full audit.

Accreditation-Level Activities
Systems of Registrar Accreditation – Set up worldwide to ensure competence and objectivity
of the registrars.
Accreditation Bodies – audit the registrars for conformity to standard international guides for
the operation of certification bodies. Scrutinize the quality system of the registrar through audits
that cover the registrar’s documented quality management system, the qualifications and
certification of auditors used by the registrar, the record keeping, and other features of the office
operations.

Mutual International Acceptance


Various other countries have also implemented these three areas of activity:
1. Accreditation of certification bodies/registrars
2. Certification of auditors
3. Accreditation of auditor training courses
In principle, there should be no need for a supplier organization to obtain more than one
certification/registration. A certificate from a registrar accredited anywhere else in the world
should, in principle, be accepted by customer organizations anywhere else in the world.
The International Organization for Standardization (ISO), in January 1995, reaffirmed its support
for the Quality System Assessment Recognition (QSAR) and approved a plan for a system aimed
at encouraging worldwide acceptance of ISO 9000 certificates.
If we step back and compare the current situation to the alternative of widespread second-party
auditing of the quality systems of supplier organizations, it must be acknowledged that the
present situation is better because there is:
• Much less redundancy of auditing
• Much improved consistency of auditing
• The potential for even less redundancy and further improved consistency through the use
of international standards and guides as criteria and through mutual harmonization efforts
driven by the marketplace.

Formal International Mutual Recognition


For the United States, there is one further complication. Almost alone among the countries of the
world, the US standards system is a private sector
American National Standards Institute (ANSI) – A private sector organization which is the
coordinating body for standards in the United States. Under the ANSI umbrella, many
organizations produce and maintain numbers of American national standards. Most of these
standards relate to product technical specifications. Among the largest US producers of standards
are:
• American Society of Testing and Materials (ASTM)
• American Society of Mechanical Engineers (ASME)
• Institute of Electrical and Electronics Engineers (IEEE)
ANSI System – Provides a consistent standards development process that is open, fair and
provides access to all parties that may be materially affected by a standard.
Three levels of activities and infrastructure in relation to conformity assessment in international
trade:
• Certification/Registration Level
• Accreditation Level
• Recognition
Recognition – The national government of country A affirms to the government of country B
that A’s certification and accreditation infrastructure conforms to international standards and
grades.

Conformity Assessment and International Trade

Under the European Union’s modular approach, to qualify to be able to use the mark, the
supplier organization must produce evidence of conformity in four areas:
1. Technical documentation of product design
2. Type testing
3. Product surveillance (by samples, or by each product)
4. Surveillance of quality assurance

Internal Control of Production – Focuses on the product surveillance aspects.
Full Quality Assurance – Focuses on certification/registration to ISO 9001 and relies upon ISO
9001 requirements for capability in product design.

Guiding Principles
The guiding principle should be that primary reliance must be placed on the concept of “truth in
labelling,” by means of which every customer has routine, ready access to the information upon
which to judge all four elements of the scope of a supplier’s registered quality system.

Industry-Specific Adoptions and Extensions of ISO 9000 Standards

Medical Device Industry

• In the United States, the Food and Drug Administration (FDA) developed and
promulgated the Good Manufacturing Practice (GMP) regulations.
• The GMP operates under the legal imprimatur of the FDA regulations, which predate the
ISO 9000 standards.
• In the United States, the FDA is in late stages of developing and promulgating revised
GMPs that parallel closely the ISO 9000 standard, plus specific regulatory requirements
related to health, safety, or environment.
• The expansion of scope to include quality system requirements related to product design
reflects the recognition of the importance of product design and the greater maturity of
quality management practices in the medical device industry worldwide.
• Similar trends are taking place in other nations, many of which are adopting ISO 9001
verbatim for their equivalent of the GMP regulations.

What are cGMPs?

• cGMPs refer to Current Good Manufacturing Practice regulations enforced by the FDA.
• They provide for systems that ensure proper design, monitoring, and control of
manufacturing processes and facilities.
• Adherence to cGMP regulations ensures the identity, strength, quality, and purity of drug
products.
• cGMP requirements were established to be flexible in order to allow each manufacturer
to decide individually on how to best implement the necessary controls by using
scientifically sound design, processing methods, and testing procedures.
• Accordingly, the C in cGMP requires companies to use technologies and systems that are
up-to-date.
• It is important to note that cGMPs are minimum requirements.

Why Are cGMPs Important to Software Development?

• A consumer usually cannot detect that a drug product is safe or if it will work. Although
cGMPs require testing, testing alone is not enough to ensure quality.
• Therefore, it is important that drugs are manufactured under conditions and practices
required by cGMP regulations to ensure that quality is built into the design and
manufacturing process at every step.

To ensure that quality is built into the design and manufacturing process, and to help
ensure safety and efficacy of drug products, production lines must comply with these cGMP
requirements:

o Good condition of facilities
o Properly maintained and calibrated equipment
o Qualified and fully trained employees
o Reliable and reproducible processes

How does FDA Determine if an Organization is Complying with cGMP Regulations?

• The FDA inspects pharmaceutical manufacturing facilities worldwide using scientifically
and cGMP-trained individuals whose job is to evaluate whether the organization is following
cGMP regulations.
• In August 2002, the FDA announced the Pharmaceutical cGMPs for the Twenty-First
Century Initiative, which intends to integrate quality systems and risk management
approaches into its existing programs to encourage adoption of modern and innovative
manufacturing technologies.
• The cGMPs for the Twenty-First Century Initiative steering committee created a Quality
System Guidance Development working group to compare current cGMP regulations to
other quality management systems. It mapped the relationship between cGMP regulations
and various quality system models such as the Drug Manufacturing Inspections Program,
the Environmental Protection Agency’s Guidance for Developing Quality Systems for
Environmental Programs, ISO Quality Standards, and other quality publications.
• In ISO, a new technical committee, ISO/TC210, has been formed specifically for medical
device systems.

ISO/TS 16949: Automotive Industry

• In the years preceding publication of the 1987 ISO 9000 standards, various original
equipment manufacturers (OEMs) in the automotive industry had developed
company-specific proprietary quality system requirements documents.
• Upon publication of ISO 9001:1994, the major U.S. OEMs began implementation of an
industry-wide common standard, labeled QS-9000, that incorporates ISO 9001 verbatim
plus industry-specific supplementary requirements.
• On Dec 14, 2006, all QS 9000 certifications were terminated. ISO 9001 and ISO/TS
16949 were no longer valid. QS 9000 is considered to have been superseded by ISO/TS
16949.
• ISO/TS 16949:2009, in conjunction with ISO 9001:2008, defines quality management
system requirements for design and development of automotive-related products. It also
applies where customer-specified parts are manufactured for production and/or service.
• ISO/TS 16949:2009 can be applied throughout the automotive supply chain.

Computer Software

• The global economy has become permeated with electronic information technology (IT).
• First, it should be noted that computer software development is not so much an industry
as it is a discipline.
• Second, many IT practitioners emphasize that computer software issues are complicated
by the multiplicity of ways that computer software quality may be critical in a supplier
organization’s business. For example:

o The supplier’s product may be complex software whose functional design
requirements are specified by the customer.
o The supplier may actually write most of its software product, or may integrate
off-the-shelf packaged software from sub-suppliers.
o The supplier may incorporate computer software/firmware into its product, which
may be primarily hardware and/or services.
o The supplier may develop and/or purchase from sub-suppliers software that will
be used in the supplier’s own design and/or production processes of its product.

• However, it is important to acknowledge that hardware, processed materials, and services
often are involved in a supplier organization’s business in these same multiple ways.

What, then, are the issues in applying ISO 9001 to computer software development?
There is general consensus worldwide that:
o The generic quality management system activities and associated requirements in
ISO 9001 are relevant to computer software, just as they are relevant in other
generic product categories (hardware, other forms of software, processed
materials, and services).
o There are some things that are different in applying ISO 9001 to computer
software.

• ISO/TC176 developed and published ISO 9000-3:1991 as a means of dealing with this
important, paradoxical issue.

• ISO 9000-3 provides guidelines for applying ISO 9001 to the development, supply, and
maintenance of (computer) software. ISO 9000-3 offers guidance that goes beyond the
requirements of ISO 9001, and it makes some assumptions about the life cycle model for
software development, supply, and maintenance.

• In the United Kingdom, a separate certification scheme (TickIT) for software
development has been operated for several years, using the combination of ISO 9001 and
ISO 9000-3. The scheme has received both praise and criticism from various
constituencies worldwide. Those who praise the scheme claim that it:

o Addresses an important need in the economy to provide assurance for customer
organizations that quality requirements will be satisfied
o Includes explicit provisions beyond those for conventional certification to ISO
9001
o Provides a separate certification scheme and logo to exhibit this status publicly

Those who criticize the scheme claim that it:

o Is inflexible
o Includes unrealistically stringent auditor qualifications in the technology aspects
of software development
o Is almost totally redundant with conventional third-party certification to ISO 9001

• In the United States, a proposal to adopt a TickIT-like software scheme was presented to
the ANSI/RAB (Registration Accreditation Board) accreditation program. The proposal
was rejected, primarily on the basis that there was no consensus and support in the IT
industry and the IT-user community.

Standardization Is Here to Stay

• Standards are here to stay. Many industries are working together with various
standard-setting bodies to improve their standards and mandate as many systems as possible to
ensure safety and quality of our products.
• For instance, ISO 31000:2009, Risk Management – Principles and Guidelines – was
developed to help organizations manage risk effectively.
• The ISO has published a standard to facilitate implementation of quality management
systems.
• ISO 13485:2003, Medical Devices – Quality Management Systems – Requirements for
Regulatory Purposes, is based on quality management system requirements currently
contained in medical device regulations around the world.
