Standards for Management Systems: A Comprehensive Guide to Content, Implementation Tools, and Certification Schemes
About this ebook

This book guides readers through the broad field of generic and industry-specific management system standards, as well as through the arsenal of tools that are needed to effectively implement them. It covers a wide spectrum, from the classic standard ISO 9001 for quality management to standards for environmental safety, information security, energy efficiency, business continuity, laboratory management, etc. A dedicated chapter addresses international management standards for compliance, anti-bribery and social responsibility management.

In turn, a major portion of the book focuses on relevant tools that students and practitioners need to be familiar with: 8D reports, acceptance sampling, failure tree analysis, FMEA, control charts, correlation analysis, designing experiments, estimating parameters and confidence intervals, event tree analysis, HAZOP, Ishikawa diagrams, Monte Carlo simulation, regression analysis, reliability theory, data sampling and surveys, testing hypotheses, and much more. An overview of the necessary mathematical concepts is also provided to help readers understand the technicalities of the tools discussed. A down-to-earth yet thorough approach is employed throughout the book to help practitioners and management students alike easily grasp the various topics.



Language: English
Publisher: Springer
Release date: Feb 19, 2020
ISBN: 9783030358327

    Standards for Management Systems - Herfried Kohl

    © Springer Nature Switzerland AG 2020

    H. Kohl, Standards for Management Systems, Management for Professionals, https://doi.org/10.1007/978-3-030-35832-7_1

    1. Standards for Management Systems: Overview and Main Ingredients

    Herfried Kohl (1)

    (1) Erlangen, Germany

    Email: HerfriedKohl.Books@yahoo.com

    In this chapter, you’ll

    Get a basic motivation and overview about the topic called management system standards.

    Learn where these standards come from and what’s the role and authorization of the national and international committees creating them.

    Have a look at the important concept of supply chain.

    Have a first look at the concept of process which plays a central role in all standards for management systems.

    Understand the high-level structure which is shared by all standards for management systems.

    Understand why risk-based thinking is important.

    1.1 Does the World Need Management System Standards?

    1.1.1 General Motivation

    Imagine you are part of the management team of an organization. Very likely, you will be confronted with questions like the following on a daily basis:

    How can we improve the quality and efficiency of our production and service provision processes?

    Are the quality levels of our products and services where we want to see them?

    How can our organization comply with the continuum of requirements defined by customers and authorities?

    What is our program to improve information security throughout the organization?

    How can we reduce the negative impacts of our organization on the environment?

    Is our energy performance state of the art? What can we do to improve it?

    Are our response processes to potential disruptive events sufficient to ensure business continuity?

    Do we have to improve our interaction with cooperating organizations and partners?

    Are the assets of our organization well managed and what would be the opportunities for improvements?

    Are our health and safety policies and processes state of the art or do they need improvement?

    Do we really have a reliable oversight what risks and opportunities our organization faces? Are our risk management tools adequate?

    Considering our organization’s corporate social responsibility policy: Do we ensure that it is supported by our suppliers?

    Management system standards may help you to find answers to these questions. These standards define requirements, offer guidance and show what you should do, to deal with your daily management issues in a rational and decisive manner.

    Of course, the standards themselves cannot directly deliver answers and solutions to all your management issues. However, they require you to have processes and organizational structures, to deal with your issues in a systematic way. This includes, for example:

    The standards define frameworks for your management topics (quality management, environmental management, information security, etc.).

    One of the intents of these frameworks is to enable your organization to implement a fact-based management approach. The standards require management by fact. Don’t base decisions and management on beliefs or cloudy assumptions, but on facts!

    The standards focus on the processes of your organization and call for risk-based thinking.

    The standards define requirements for your management systems. Some of them include industry-specific requirements (e.g. food, automotive, telecommunication, railway, healthcare).

    The standards are built on the Plan-Do-Check-Act principle and call for continual improvement.

    The standards define the basis for certification schemes of management systems (e.g. for quality, environment, information security).

    When you start reading management system standards for the first time, you very likely will not be overwhelmed by the style in which they are written. Most readers find it pretty abstract and not always easy to understand. Transforming formal requirements of standards into actions adequate to your organization may be even more difficult. It is one intent of this book, to make this translation process easier for you. However, we will stay reasonably close to the texts of the standards. Where needed, we shall illustrate requirements by examples.

    Let us have a look at some of the driving forces behind management system standards.

    1.1.2 Global Supply Chains

    Supply chains are the backbone of modern industries. In a sense, the term chain is misleading, as it seems to imply that a supply chain is sort of a linear structure. However, this is not the case and most real supply chains are better represented by networks than by linear models. In addition, most of them are not limited to a local or national level but are global. Have a look at your smartphone and try to guess how many suppliers have been involved to finally assemble that piece of technology. The same holds in the food sector, automotive industry and basically any major industry you may consider.

    Supply chains are complex, and supply chain management has evolved to a topic with many special aspects:

    Organizational;

    Financial;

    Legal;

    Logistics;

    Business continuity;

    Quality and environment;

    Information security;

    Social compliance;

    and others.

    We don’t need to and shall not go into the details of supply chain management in this book. However, our main topic of management system standards is strongly related to it and triggered by its needs. To ensure, for example, that quality and environmental requirements are fulfilled along a supply chain, agreements must be made among its members. Today, management system standards are essential parts of these agreements.

    When, for example, an OEM in the automotive industry defines quality, environmental and social compliance requirements for its own organization, products and services, these requirements will be sent down the supply chain as requirements to be met by suppliers. Not being that formal and relying on the hope that suppliers will voluntarily comply with the OEM’s requirements would make little sense and erode its own objectives.

    It’s here that management system standards enter the scene. Without quality management practices that are state of the art, quality objectives can’t be reached in a sustainable manner. The same holds for environmental issues, business continuity requirements and so on. Supply chain requirements are an important factor which triggers the development and diffusion of management systems. In today’s business relationships, management system requirements are fixed in contracts between organizations, their suppliers and customers. ISO 9001, IATF 16949, ISO 27001 and others are examples. For that reason, the practical needs of supply chains triggered the development and application of management system standards on the local and global scale, and they still do so.

    1.1.3 Robust Processes and Reliable Process Management

    Once upon a time, a production company or a service organization was fine if its rejects were below one percent, say. Some of today’s industries would face a serious problem if defect rates of products were not at a one-part-per-million level. This is why:

    Today’s organizations must continually work on the improvement of their processes.

    Robust, efficient and capable processes call for the application of advanced tools like:

    Design FMEA, process FMEA, product FMEA;

    Statistical process control;

    Risk assessment, evaluation and control methods;

    Reliability theory;

    and many others.

    Processes and their management are in the focus of modern management system standards. You will see this kind of thinking in all of the standards discussed later in the book. The general requirements include:

    Plan and design your processes adequately.

    Implement them.

    Control and monitor your processes.

    Improve them if needed.

    Although these requirements may sound pretty logical, the real art in practice is to realize them under the constraints your organization may have in daily life.

    1.1.4 Globally Accepted Requirements for Management Systems

    Supply chains and advanced requirements for processes aren’t something invented just recently. And of course, management system standards and their requirements have a long history. Predecessors of current standards may be found in the defense and aerospace industry, in the food sector, in the pharmaceutical industry and in others. These early examples of industry standards for management systems had their main focus on quality management and product quality issues.

    After the first release of ISO 9001 as a generic quality management system in 1987, the idea to create management system standards for other aspects of organization’s management issues became popular. Today, we see a whole bunch of generic and industry-specific standards with different scopes of application.

    Figure 1.1 shows some of the major current examples of generic management systems to be discussed in Chap. 2 of the book. All these standards are global ISO standards and genuine in the sense that they may be applied by organizations in any industry, irrespective of their size, ownership, complexity or other specifics. For that reason, you’ll find organizations referring to these standards all around the globe.

    [Fig. 1.1] Generic management system standards (selection)

    1.1.5 Genuine Versus Industry-Specific Models for Quality Management Systems

    Genuine management system standards are fine for most industries; however, for some core industries they were found not to be specific enough. This holds true especially for industry-specific quality management requirements. For that reason, as we shall see in Chap. 3 of the book, some industries (including automotive, railway, telecommunication and others) decided to take ISO 9001 as a basis, but to enhance it with specific additional requirements for organizations in their industries. Some of these industry-specific quality management system standards even include requirements from other genuine standards, such as health and safety, business continuity or information security.

    1.1.6 Certification Schemes

    All management system standards (genuine or industry-specific) come with their associated certification schemes. The certification of the management system of an organization is based on a third-party audit of that system against the respective standard. The audit is done by an independent third-party organization, called a certification body. In principle, anyone can do third-party audits. However, in order to demonstrate its independence, competence and global acceptance, the certification body shall hold so-called accreditations for the respective type of audits. Details on this will be discussed in Chaps. 7 and 8 later in the book.

    What are certificates according to management system standards like ISO 9001 good for? The idea behind is that a certified organization can demonstrate its compliance with the requirements of the respective standard. In many areas, this type of certification is now a necessary requirement to become accepted as a supplier in business-to-business relationships. In industries like automotive or food, you’ll hardly find any organization not certified according to the respective relevant industry standards. In Chap. 8 of the book, you may learn more about certification (Fig. 1.2).

    [Fig. 1.2] Summary: Why management system standards?

    1.2 Where Do All These Management System Standards Come from?

    1.2.1 Why Are Most Management System Standards Global?

    You may ask where all these standards for management systems come from and who has the authority to create them. As a rule, modern standards for management systems need to be agreed on an international scale. In the era of globalized business, it would make little sense to establish requirements for management systems solely on local needs or traditions. For that reason, standards like ISO 9001 for quality management systems or ISO 27001 for information security are global standards in the sense that their creation follows well-documented and transparent processes organized by national and international organizations. In this context, the International Organization for Standardization (ISO) plays the major role.

    1.2.2 ISO—International Organization for Standardization

    ISO was founded in 1946, when representatives of 25 countries met in London and decided to create a new international organization with the goal to coordinate the creation and unification of industrial standards. Operation of ISO started in February 1947. In 2017, ISO had members from more than 160 countries and celebrated its 70th birthday. Its Central Secretariat is in Geneva, Switzerland.

    ISO is a federation of national standard bodies, which are its member bodies. The technical work of ISO (e.g. creating standards) is done in so-called ISO Technical Committees and working groups. Member bodies have the right to send representatives to these ISO committees. In addition, for important standards (e.g. ISO 9001), national standard bodies create so-called mirror committees with national representatives.

    Of course, management system standards are just one field of ISO’s activities. All sorts of technical standards are by far the bigger fields of output. ISO is usually little known in public, but literally any individual or organization is touched directly or indirectly by the results of ISO’s work. Standards are all around us, and they are needed to make a complicated technical world function.

    How are standards created? ISO has elaborated processes, described in the following documents:

    ISO/IEC Directives, Part 1: Consolidated ISO Supplement: Procedures specific to ISO (9th edition, 2018);

    ISO/IEC Directives, Part 2: Principles and rules for the structure and drafting of ISO and IEC documents (8th edition, 2018).

    Both papers may be found at www.iso.org. They are complemented by additional documents and sheets to be used along the process. We shall not go into the details of the relatively complex processes and organizational issues, but give the following sketch of the essentials:

    1. To start the process of standard development, there must come from somewhere an idea for a new standard on a specific topic. These so-called new work item proposals (NWIPs) may be suggested by national standard organizations or other associated members of ISO.

    2. If ISO decides to follow up the proposal, the respective standard development project is typically associated with a Technical Committee. A working group of experts is formed under the auspices of the respective Technical Committee. These experts are usually nominated by the national standard organizations interested in the new standard.

    The task of the working group is to develop a Committee Draft (CD) of the standard.

    Remark: You may find a complete list of existing Technical Committees and their scopes of activities on ISO’s homepage www.iso.org. Here, you may also follow the status of committee work for each standard.

    3. If the CD is accepted by the Technical Committee (based on consensus found with the national standard organizations), a Draft International Standard (DIS) is developed.

    Comments received during the consensus phase of the CD will be taken into account.

    4. Once the DIS is finished, the so-called DIS ballot is initiated and national standard bodies give their feedback. The DIS is also accessible to the interested public for comments. However, their comments are collected and communicated to ISO by the national standard organizations.

    5. All that input and comments are evaluated, and the Final Draft International Standard (FDIS) is created.

    6. The next step is an internal ballot within ISO and the national standard bodies. The interested public is not involved in that step.

    7. The ISO standard is finished and published.

    For these individual steps and ballots, standardized timeframes are defined. Effective interaction between ISO and the national standard bodies is essential during the process. As may be seen, interested parties have the chance to influence some of the ballots. In the end, standards are the result of international voting. It may happen that single national standard bodies vote against a drafted standard, but the result is shaped by the majority’s voting.

    Typically, standards are updated every 5–7 years.

    1.2.3 National Organizations for Standardization

    National organizations for standardization develop and update national standards and collaborate in the development of international ones. The procedures followed are comparable to those sketched above for ISO, just applied on a local scale. In addition, national organizations for standardization decide if an ISO standard will be implemented as a national standard. If the reader is interested in the details, these procedures are typically published on the respective national standard organization’s homepage.

    As far as management system standards are concerned, these are usually implemented as national standards by all standard organizations. Be aware, however, that it may take some time before an ISO standard is issued as a national standard. For that reason, if you want to be ahead of time, the best information source is always ISO’s Web platform. Here, you may learn which standards are under design or published and which Technical Committee or working group is responsible for them. Also, if you’re looking for a copy of a standard, usually the ISO version is the first you may get. The same holds for the drafts of standards.

    It must be stressed on the other side that national standard organizations frequently initiate and drive the development of ISO standards. For example, in the field of management system standards, ISO 9001 or ISO 55001 may be traced back to British predecessors. It makes sense, therefore, to have an eye on the activities of your national standard organization or others, to see what’s going on.

    1.2.4 The Role of Industry Organizations and Other Interested Parties

    As we shall see in Chap. 3 of the book, besides ISO and the national standard organizations, there are some more organizations developing management system standards. Typically, these are associations of interested parties with special interests in certain industries and with the necessary empowerment to set standards. Important examples include:

    Automotive industry;

    Railway industry;

    Telecommunication;

    Food and feed industry;

    Forestry;

    Healthcare;

    and others.

    We shall have a closer look on these developments in Chaps. 3 and 4.

    1.3 Processes: Why Are They in the Focus of Management Systems?

    Processes are the backbones of modern management system standards. What is a process and why do processes matter? Roughly speaking, a process is a transformation of an input into an output. For example, the input may be some physical material which is processed to get a defined output. It also may be information being transformed into other information. In a service process, nonmaterial activities may be combined with material stuff to make a process. As an example, think of the processes you may find in a hotel or hospital.

    Organizations are as diverse as they can be and so are their processes. It’s amazing, however, that despite this diversity, there is a solid common ground, techniques and methods, which allow you to design, analyze, control and optimize processes with certain general techniques and tools.

    Industries are changing rapidly and so do organizations. Processes which were adequate ten or twenty years ago will hardly do today. Business process management (BPM) has become an important field that develops rapidly. For example, there’s hardly a business today whose processes are not deeply rooted in computer algorithms. For that reason, many of the essential process management techniques are strongly influenced by or even come from informatics and computer science.

    Figure 1.3 illustrates a typical classification of processes:

    [Fig. 1.3] Typical classification of an organization’s processes

    Management processes

    These include high-level management processes for strategy, finance and legal.

    Core processes

    These are the value-creating processes of an organization, including production and service provision, design, operation management, supplier management, customer relation management and more.

    Support processes

    These processes are supportive and include human resources, IT, financial department services and others.

    Suppliers and business partners on the left of Fig. 1.3 symbolize input to the organization and its processes. Customers, stakeholders and interested parties on the right symbolize requirements and expectations on the organization’s processes, products and services.

    This type of process classification gives a nice overview about the type of processes one may find in an organization. It teaches us nothing, however, how processes should be designed, implemented, managed, controlled and improved. For this, one needs the repertoire of BPM.

    The toolbox of modern BPM is huge. In this book, we shall confine ourselves to some of those issues which are most important in the context of management systems. It should be clear, however, that very specific processes need their tailor-made management tools. BPM should, therefore, not be considered as a fixed number of methods and recipes which offer a medicine for every disease, but as an evolving field that strongly interacts with the evolution of modern industries, rapidly changing organizational structures and technological needs.

    Another way to illustrate the importance of processes is the following sketchy example that brings us closer to concepts like statistical process control (SPC), key performance indicators (KPIs) and the like (Fig. 1.3). A flowchart is employed to represent this simple process. Flowcharts are a well-known and widely used tool to illustrate, design and analyze processes. They originate from computer sciences, where they are helpful to analyze the structure of algorithms or show the architecture of computer programs (see Sect. 6.4 for more details).

    Imagine an arbitrary process composed of five process steps like in Fig. 1.4. Walking down the process, let there be in each step a certain probability (caused by whatever, for the moment) that something goes wrong in that step. In the example given, these probabilities are 5% in the first step, 2% in the second and so on. At first sight, you may think these failure rates aren’t that bad, at least for some businesses—let’s say for a typical restaurant process. However, the risks of the individual steps compound: the total yield of the process is the product of the partial success probabilities (1 minus the risk of each step). Getting only 95% correct results out of step one, these are further reduced by two percent in step two, another five percent in step three and so on. In numbers, this leads to

    [Fig. 1.4] Simple process with failure rates

    $$ \begin{aligned} & \left( {1 - \frac{5}{100}} \right)\left( {1 - \frac{2}{100}} \right)\left( {1 - \frac{5}{100}} \right)\left( {1 - \frac{10}{100}} \right)\left( {1 - \frac{10}{100}} \right) \\ & \quad = \mathop \prod \limits_{k = 1}^{5} \left( {1 - \frac{{p_{k} }}{100}} \right) = 0.7164. \\ \end{aligned} $$

    In this setting, we would get the desired correct output from the fictitious process only in 71.6% of the cases! This is not acceptable, no matter what business you may consider.
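The product above, worked out as an added Python example (this is not code from the book): it computes the rolled yield for any list of per-step failure rates, reports which step would gain the most from having its failures eliminated, and turns the one-part-per-million remark of Sect. 1.1.3 around to ask how low each step's failure rate must be for a given number of steps and target yield. The failure rates are the chapter's constructed values from Fig. 1.4; the function names are assumptions of this example.

```python
"""Rolled yield of a multi-step process (added example, not code from the book).

The per-step failure rates are the constructed values of the chapter's
Fig. 1.4 example: 5%, 2%, 5%, 10% and 10%.
"""
import math
from typing import List, Sequence, Tuple

# Constructed sample input matching the chapter's five-step example.
CHAPTER_FAILURE_RATES_PCT: List[float] = [5, 2, 5, 10, 10]


def process_yield(failure_rates_pct: Sequence[float]) -> float:
    """Probability that one item passes every step in sequence.

    Each step k passes a fraction (1 - p_k / 100) of what it receives, so the
    rolled yield is the product of these factors (the chapter's formula).
    """
    result = 1.0
    for p in failure_rates_pct:
        if not 0 <= p <= 100:
            raise ValueError(f"failure rate must be between 0 and 100 percent, got {p}")
        result *= 1 - p / 100
    return result


def yield_gain_per_step(failure_rates_pct: Sequence[float]) -> List[Tuple[int, float]]:
    """Yield gained by eliminating the failures of one step, all others unchanged.

    Returns (step number, gain) pairs with steps numbered from 1. Because the
    factors multiply, the step with the highest failure rate always offers the
    largest gain, which is where an improvement program should start.
    """
    base = process_yield(failure_rates_pct)
    gains = []
    for k in range(1, len(failure_rates_pct) + 1):
        fixed = list(failure_rates_pct)
        fixed[k - 1] = 0  # hypothetically eliminate all failures in step k
        gains.append((k, process_yield(fixed) - base))
    return gains


def best_step_to_fix(failure_rates_pct: Sequence[float]) -> int:
    """Step whose elimination of failures raises the rolled yield the most."""
    return max(yield_gain_per_step(failure_rates_pct), key=lambda pair: pair[1])[0]


def max_uniform_failure_pct(n_steps: int, target_yield: float) -> float:
    """Largest per-step failure rate (percent), equal for all steps, that still
    reaches target_yield after n_steps. Solves (1 - p)^n >= target for p."""
    if n_steps < 1 or not 0 < target_yield <= 1:
        raise ValueError("need at least one step and a target yield in (0, 1]")
    return 100 * (1 - math.exp(math.log(target_yield) / n_steps))


if __name__ == "__main__":
    rates = CHAPTER_FAILURE_RATES_PCT
    print(f"rolled yield of the chapter's process: {process_yield(rates):.4f}")
    for step, gain in yield_gain_per_step(rates):
        print(f"  eliminating failures in step {step} would add {gain:.4f}")
    print(f"best step to fix first: {best_step_to_fix(rates)}")
    # A five-step process that must deliver at most one defect per million items:
    print("per-step failure rate needed for 1 ppm over 5 steps: "
          f"{max_uniform_failure_pct(5, 1 - 1e-6):.2e} %")
```

Running the script reproduces the chapter's 0.7164 and shows that the two 10% steps are the ones to attack first; the last line makes the point of Sect. 1.1.3 concrete, since five steps at one part per million overall leave each step roughly 0.00002% for failures.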

    Let us illustrate some additional important points with this oversimplified example:

    1. How do we determine the failure rates mentioned in the example?

    Obviously by measurement. It’s done with the help of a sampling method counting the positive versus the negative outcomes in each step of the process. Push this approach to a more advanced level, and you get the idea of what’s called a quality control chart in statistical process control—a standard tool in many industries.

    2. Once you have detected that the failure rates of individual process steps and the output of the process in total aren’t acceptable, you should start a business process improvement program. A detailed analysis of what’s going on in each process step and what runs wrong will be part of such a program. Root-cause analysis is a keyword.

    There are field-proven approaches to do this type of analysis, and we shall come back to some of them later in the book. If you can’t wait, have a look at Chap. 6.

    3. If you are in the situation that a new process must be designed and implemented, this should be based on a clearly defined list of requirements. Process design steps, planning activities and pilot studies will be needed. The establishment of the process must be done under controlled conditions. All management system standards define requirements concerning this issue. Chapter 6 shows you some crucial tools for getting things done.

    In a nutshell, the process approach promoted by all modern management system standards may be sketched as follows:

    1. Understand process management!

    Have a sound understanding of the process approach in general and the relevant processes of your organization. Establish, implement, maintain and continually improve relevant processes and include the following characteristics:

    Purpose;

    Input;

    Output;

    Clear definition and description of process steps (what is done and how?);

    Measurement and controlling elements;

    Ownership.

    So-called turtle diagrams (Fig. 1.5) may be helpful to sketch these things in a single picture (see Chap. 6 for further details):

    [Fig. 1.5] Turtle diagram: elements of a process

    2. Identify and know your processes!

    Identify the relevant processes of your organization and categorize them. As mentioned before, frequently used categories include:

    Core processes or customer-oriented processes;

    Support processes;

    Management processes.

    Management system standards address all three types, but core processes are especially in the focus. This is simply because these are the value-creating processes. The output of core processes is what customers buy.

    3. Learn to model your processes!

    There are many ways how to model processes. Flowcharts are common, as they allow you to sequence the individual steps of a process. A flowchart may show the coarse-grained picture of a process or its fine structure, depending on your needs. You should get some maturity drawing flowcharts, as it is such an important tool. Software is available to make drawings of flowcharts easy. However, there are more tools available to model and manage processes. Some of them will be described later in the book, especially in Chap. 6.

    Be aware that advanced tools are employed in some industries. As an example, consider simulation software that is employed to model processes, design or redesign its elements and optimize them dynamically. Depending on the industry you’re interested in, you will need to master the respective approaches and techniques used.

    4. Implement the process approach and create awareness!

    Ensuring that staff understand the importance and details of relevant processes and follow them is an ongoing challenge for all organizations. Training and daily supervision are important. Coming back to flowcharts, they are a good tool to be employed in awareness training, as they offer a simple pictorial way to illustrate processes, their critical elements and control points.

    Generally speaking, personnel should:

    Have a good understanding of the relevant processes they are part of.

    Understand what the critical points of a process are and what the consequences are if one deviates from defined process flows.

    Understand who the owner of a process is. This is the person (or group of persons) who is authorized to make decisions concerning the process.

    Know precisely what their role in the process is.

    Adequate training should be mandatory. In addition, documented information like process descriptions or standard operating procedures may be helpful or even required by the respective management system standard, by other sources or because the organization decides so.

    Don’t consider these principles to be obvious and trivial. Many problems, inefficiencies and undesired events in organizations may be traced back to the point that one or more of these principles were not followed.

    1.4 Risk-Based Thinking: A Cornerstone of Management System Standards

    Risk-based thinking is a critical ingredient of all modern management system standards. To get a clearer picture of which risks are meant, let's have a look at some important aspects:

    (a)

    Management system standards consider risks to be effects of uncertainty.

    These effects may be positive or negative. Positive effects are usually called chances or opportunities.

    Uncertainties may come from lack of information, unpredictability, lack of understanding and the like.

    (b)

    Risk management should be understood in a positive sense and enable the organization to harvest positive risks (chances).

    (c)

    Risk management should enable the organization to identify, control and possibly eliminate factors that may have negative impacts on the organization’s performance, efficiency of processes, quality of products and services, etc.

    (d)

    To give a few examples of risks in the context of ISO 9001:

    Insufficient training of personnel.

    This is a risk, as insufficiently trained staff may, for example, have negative impacts on processes at all levels of the organization. Consequences may range from negligible to catastrophic.

    Inadequate processes.

    May lead to unpredictable outputs, safety issues and more.

    Wrong raw material is used in production.

    May have potential negative impacts on safety of employees and facilities. Likely negative impacts on product quality.

    Lack of precision in contracts with clients.

    May lead to unexpected liabilities and other negative impacts.

    Failures in the design and development process.

    May lead to design results that don’t conform with customer requirements, legal requirements, etc.

    (e)

    All standards for management systems address risks and risk-based thinking, specific to the needs of the respective standards. Examples include:

    ISO 14001—Environmental management system

    For example: Environmental risks and risks that may endanger the planned environmental performance.

    ISO 27001—Information security management system

    For example: Internal information security risks, as well as risks that may impact customers and other business partners.

    ISO 37001—Anti-bribery management system

    For example: Different types of bribery risks on different levels and for different functions of the organization.

    We shall see more details and examples throughout the book. Although management system standards require the implementation of risk-based thinking and adequate risk management techniques, these standards mostly don't specify details. Instead, they leave them to the organization applying the respective management system standard. It is expected, however, that the risk management techniques employed by the organization are adequate and reflect the needs of the respective industry and organization. For that reason, when it comes to quality management, you will expect a more elaborate risk management system from a food company than from a hotel, say.

    Management system standards don’t come with specific requirements for risk management and risk management techniques. However, the leading international guidance standard for risk management is ISO 31000 and we shall go into some of its details in Chap. 2. Mostly, it is this document that is employed by organizations to get guidance on risk management.

    1.5 Universal Design: The Architecture of Management System Standards

    ISO decided in 2012 that all standards for management systems will follow the same template. This is an important step forward toward increased user friendliness of standards and their compatibility. In the past, management system standards published for different scopes (including quality management, environmental management and others) followed different paths and wordings. Practitioners found it difficult to compare the requirements of standards. This was also felt to be a hindrance to creating integrated management systems in organizations.

    Management system standards written according to the new design rules all show the following general structure. Of course, the detailed content of individual clauses varies from standard to standard, but the unified template makes orientation easier and increases compatibility. Definitions of terms used in the standards as well as wordings are harmonized as much as possible (Table 1.1).

    Table 1.1

    Harmonized table of contents for management system standards

    © Springer Nature Switzerland AG 2020

    H. Kohl, Standards for Management Systems, Management for Professionals, https://doi.org/10.1007/978-3-030-35832-7_2

    2. Generic Standards for Management Systems: An Overview

    Herfried Kohl (Erlangen, Germany)

    Email: HerfriedKohl.Books@yahoo.com

    In this chapter, you'll get an overview of the following generic management system standards, their content, meaning and requirements:

    ISO 9001:2015—Quality management system;

    ISO 14001:2015—Environmental management system;

    ISO 22301:2019—Business continuity management system;

    ISO 27001:2013—Information security management system;

    ISO 44001:2017—Collaborative business relationship management system;

    ISO 45001:2018—Occupational health and safety management system;

    ISO 50001:2018—Energy management system;

    ISO 55001:2014—Asset management system.

    You will also learn about the special standards:

    ISO 17025:2017—Laboratory management;

    ISO 21001:2018—Management system for educational organizations.

    You will understand the risk management guidance standard:

    ISO 31000:2018—Risk management guidelines.

    We also shall have a short look at:

    ISO 22316:2017—Organizational Resilience.

    Numerous examples, checklists and other material are scattered in the text.

    2.1 Introduction

    Management system standards may be divided into two groups:

    1.

    Generic management system standards;

    2.

    Industry-specific management system standards.

    In this chapter, we deal with the first group. Generic standards don't contain any industry-specific requirements, but may be applied to any organization, no matter what its business or size is. An advantage of these standards is their flexibility. A disadvantage may be seen in the fact that they are written in a somewhat abstract language and don't explicitly contain any industry-specific requirements. Sometimes it may be difficult for the reader to translate one or another of the standards' requirements into his or her own context. However, a little practice will help, and I hope this book will support the process. The most important industry-specific management standards will be introduced in Chap. 3.

    The overall philosophy behind generic management system standards is to offer organizations a framework for the establishment, implementation and continual improvement of their management systems. The reader should keep in mind the answers to the following three FAQs:

    1.

    Why are there so many standards for different aspects of a management system?

    The intent is that the different standards are complementary to each other in their scope, and together they should cover the various aspects of the management system of an organization (Fig. 2.1).


    Fig. 2.1

    Modular system of management system standards

    2.

    Does the concept of generic management system standards make sense at all? It seems that very different organizations are forced to adopt one and the same management system, which reduces creativity and diversity.

    If that were the case, the standards wouldn't make sense. However, that's not what management system standards do. It is important to understand that each of these generic standards defines requirements that shall be met by organizations when they decide to comply with the respective standard. The standards leave it open how organizations achieve this compliance. It isn't the intent of the standards to standardize management systems. However, this sort of misunderstanding and prejudice may still be found frequently.

    3.

    Concerning the language of the standards: Is there anything special?

    As mentioned before, management system standards are written in a specific jargon which you should get used to. In this book, I'll stay close to it, but try to explain and translate issues where it seems helpful. In particular, there are four verbs that are used in a specific and precise way by the standards (Table 2.1). The reader should keep their meaning in mind. It makes a difference whether something is a requirement, a recommendation, a permission or a capability!

    Table 2.1

    Special use of certain verbs in management system standards

    Reading the sections of this chapter should suffice to give you an overview of the individual standards and their content. However, if you're a practitioner, a quality manager, say, the full text of the respective standards should be on your table sooner or later.

    2.2 ISO 9001—QMS—Quality Management System

    This section includes:

    A very short history of ISO 9001;

    Motivation, why ISO 9001 is important;

    A discussion of the requirements of ISO 9001:2015;

    Reference to the guide ISO/TS 9002:2016;

    Reference to the guide ISO 9004:2018;

    Some examples to illustrate the application of ISO 9001:2015 requirements;

    An overview of the ISO 100xx series.

    2.2.1 Introductory Remarks

    In this section, we give an overview of the standard.

    ISO 9001:2015—Quality management systems—Requirements.

    The international standard ISO 9001 for quality management systems may be considered the mother of all management system standards in the modern sense. It had some predecessors in the defense and other industries, but it was mainly the British Standard BS 5750 which served as a model for the first edition of ISO 9001 back in 1987. Since then, the standard has been revised several times and the overall structure and details of requirements have changed. The latest release, issued at the end of 2015, again brings some significant changes, including more user friendliness for a wide range of industries around the globe. As it should be, each release included the lessons learned from the application of preceding editions.

    I will not go into details of how the requirements of the standard changed over time, as this is of little practical importance for today's users. You just have to stick with the newest edition (Fig. 2.2).


    Fig. 2.2

    History of ISO 9001 revisions since its first release in 1987

    Here is a frequently asked question: How can one standard for quality management systems serve the needs of industries as different as food, agriculture, mechanical engineering and all types of service industries, to mention just a few examples? Well, the standard ISO 9001 does not define specific requirements for any individual industry, but general requirements for a quality management system.

    For instance, the standard defines requirements concerning the personnel of an organization: necessary knowledge, training needs, responsibilities and authorities of individuals. Obviously, these requirements will be very different from organization to organization and from industry to industry. However, all organizations have in common that they shall deal with the mentioned issues in a systematic and adequate manner. The same holds for all other requirements of ISO 9001. They are generic, and each organization has to bring them to life.

    ISO 9001 strongly focuses on the organization's processes. Again, the processes of an Internet retailer are very different from those of a hospital. However, ISO 9001 requires that processes shall be designed, established, implemented, controlled and improved properly, no matter what the details of the organization are. The primary intent of ISO 9001 is to guide you through a certain set of general requirements which are expected to hold for each and every business, no matter where it is located or what its size is. It is the task of each individual organization to comply with these general requirements and to realize them in an adequate way.

    A potential barrier which can sometimes make the practical implementation difficult is this: because of the broad scope of industries addressed, ISO 9001 is necessarily written in a technical and abstract language. You will hardly find the specific technical terms used in your industry and organization in the standard. This makes it necessary for the novice first to clearly understand the content, intent and requirements of the standard. In a second step, all of these should be translated into the specific language of your organization and its context. Although this may seem a somewhat awkward process, this kind of decoding and encoding helps to understand the standard and to comply with its requirements.

    Is it necessary to adopt the technical wording and jargon of the standard in your quality management system? The answer is: No! Continue to use the wording and the specific technical jargon of your industry, as this is the language you and your people are used to. Make sure, however, that you deal with the requirements of the standard in an adequate way. For example: if you run a hospital, you don't need to start talking of design and development planning. However, if you are involved in clinical trials or the development of new therapy schemes, the general requirements of ISO 9001 for the design and development of products and services will matter for your organization. In addition, you will discover that these requirements will also matter if your organization implements therapy schemes developed elsewhere, as this should obviously be done in a planned and controlled way. In such and many other situations, ISO 9001 will offer guidance and define requirements at the same time (Fig. 2.3).


    Fig. 2.3

    Customers and interested parties trigger your quality management system

    Here are some more recommendations on how to get the hang of the standard:

    1.

    ISO 9001 follows a simple logic: Understand the expectations and requirements of your customers and employ the quality management system model suggested by ISO 9001, to achieve customer satisfaction and continual improvement of your organization’s quality performance.

    2.

    Don't get lost in the language and structure of ISO 9001! It is important to understand its logic and requirements step by step, but the trick is to let the standard work for you and not the other way around. You will have mastered the standard once you no longer have to look up individual clauses or requirements, but have grasped its logic and apply it instinctively in each relevant step of your business.

    Just a remark in passing: You may even apply it to organize and improve your private life! Try it! It may be fun and it’s a good exercise!

    3.

    Do everything to get a gut feeling for the requirements of ISO 9001. Don't cling too much to the text of the standard, but try to get its spirit.

    4.

    Exercise the application of ISO 9001 requirements not only in your own business, but also think about what they mean for others. Imagine, for example, that you are preparing for a job interview. Your questions about your potential new employer might include those in Table 2.2:

    Table 2.2

    Questionnaire for a job interview

    Ask these and other relevant questions, connect them with the corresponding clauses of ISO 9001, and you are already starting to think like a quality manager or auditor!

    2.2.2 The Principles Behind ISO 9001

    ISO 9001 is built on seven principles (Fig. 2.4). It is important to keep these in mind during the lifetime of your QMS.


    Fig. 2.4

    Basic principles behind ISO 9001

    Here are some comments on these principles:

    1.

    Customer Focus

    1.1.

    If your organization wants to survive, a focus on customers is critical. The main customers are usually outside your organization. However, internal customers are important as well and must be kept in focus.

    1.2.

    Ensure you understand the (changing) requirements, needs and expectations of customers and other interested parties. Base your understanding on facts and data.

    1.3.

    Ensure you can fulfill customer requirements and expectations.

    1.4.

    Align your planning and target setting with customer needs and expectations.

    1.5.

    Ensure your services and products offer value to your customers.

    2.

    Leadership

    2.1.

    Top management shall define the quality policy of the organization. An environment must be created that supports this policy and makes its realization feasible.

    2.2.

    Managers at all levels shall align with the organization’s objectives and targets.

    2.3.

    The quality of services and products is a strategic factor.

    2.4.

    Ensure the availability of adequate physical, human and other resources.

    3.

    Engagement of People

    3.1.

    Determine the necessary knowledge and competence of your staff.

    3.2.

    Ensure your staff has the necessary knowledge and competencies. Train your staff.

    3.3.

    Ensure personnel are aware of the importance of quality and the quality management system and understand what it means for each individual workplace.

    3.4.

    Empower your people and encourage participation in quality programs. Stimulate quality improvement.

    4.

    Process Approach

    4.1.

    Identify quality-relevant processes and their interactions.

    4.2.

    Manage your processes. This includes their establishment, implementation, control and improvement. Base the management of processes on facts and data.

    4.3.

    Ensure that processes and their interactions are understood by personnel.

    4.4.

    Control inputs and outputs of processes.

    5.

    Improvement

    5.1.

    Make sure quality improvement is a key issue for the organization.

    5.2.

    Ensure personnel understands that improving processes, performance, service and product quality are key factors for further development.

    5.3.

    Encourage risk-based thinking.

    5.4.

    Propagate root-cause analysis, corrective actions and improvement techniques.

    6.

    Evidence-Based Decision Making

    6.1.

    Base decisions on analysis, objective data and logical thinking.

    6.2.

    Employ data from process control, customer feedback, complaints, benchmarking, audits and other relevant sources.

    6.3.

    Validate your measurement methods.

    6.4.

    Verify data before using them.

    6.5.

    If you take actions, monitor impacts and results.

    7.

    Relationship Management

    7.1.

    Understand the importance of your business relationships.

    7.2.

    Implement criteria and methods for the evaluation of business relationships.

    7.3.

    Determine the critical business relationships for your organization.

    7.4.

    Establish your business relationships on mutual benefits and interdependence.

    7.5.

    Work with your relevant business partners on the continual improvement of relationships.

    As simple as these principles may sound, they will have a huge positive impact if they are followed on a continual basis and become part of the organization's DNA.

    2.2.3 Discussion of the Clauses of ISO 9001

    In this section, we will discuss the requirements of ISO 9001 and illustrate them with some examples. Table 2.3 shows the table of contents of ISO 9001:2015 for overall orientation.

    Table 2.3

    Table of contents of ISO 9001:2015 giving an overview of the requirement modules (the standard also contains two informative annexes, A and B, not shown)

    As mentioned before, ISO 9001 may be considered the prototype of all management system standards, and it has found worldwide acceptance and application. The standard looks back on a history of thirty years. As the topic of quality management is crucial for every organization, the discussion of ISO 9001 requirements will be somewhat more extensive than the discussion of the other management system standards later in the book.

    2.2.3.1 Context of the Organization

    Understanding the organization and its context

    The context is the set of internal and external issues that influence your organization and its ability to achieve the intended results of its QMS. This clause of the standard requires you to identify these issues and get a clear picture of them. Some aspects of the context are of a general nature and influence many organizations in a similar way. However, most of them will be specific to your organization and reflect its very individual situation. Examples include:

    Economic factors that influence your organization (e.g. general economic situation, inflation forecast, tax conditions);

    General status of your industry;

    Legal and regulatory conditions and expected changes;

    Changing technologies in your industry;

    (Changing) expectations of relevant interested parties.

    Internal issues specific to your organization might include:

    Current and intended market position and overall performance of the organization;

    Infrastructure and equipment: Current status and future needs;

    Human resources: Current status and future needs;

    Current and future requirements and expectations of clients and business partners;

    Expectations of owners and stakeholders.

    Organizations from small family businesses to big multinationals have, or should develop, their own tailor-made approaches and toolboxes that help them keep these issues on the radar and classify them according to their potential impacts and risk relevance. Although this requirement may seem simple at first sight, in real life it is frequently a challenge. For smaller, less complex organizations, these topics should be easy to handle. For medium and large organizations, the task is complex and needs systematic approaches. Updating the context of the organization should be a fixed part of the strategy process (Table 2.4).

    Table 2.4

    Potential approaches to determine the context of the organization (examples)

    SWOT analysis is a simple and widely used tool to identify the strengths, weaknesses, opportunities and threats of an organization. It may prove helpful when an organization determines its context. See Chap. 6 for more details (Fig. 2.5).


    Fig. 2.5

    SWOT analysis tableau

    Understanding the needs and expectations of interested parties

    Besides your customers, other relevant interested parties may have expectations or define requirements for your organization. There may be many such parties, but the intention of the standard is to focus on those which may influence your organization's ability to supply products and services that comply with defined quality specifications (Table 2.5).

    Table 2.5

    Relevant interested parties, their needs and expectations, and how to identify them

    Determining the scope of the quality management system

    The scope of the organization's QMS shall be clearly defined. In practice, it may include the whole organization or only parts of it. Some examples may help to understand this better:

    1.

    A French-based multinational company runs a major production site in France and three affiliates in Spain, Germany and Italy. The site in Italy is urgently requested by its clients from the chemical industry to demonstrate compliance with ISO 9001 within the next year. Although the headquarters has already decided to implement an ISO 9001 QMS companywide within the next three years, the affiliate in Italy is prioritized and designated to go ahead.

    In this example, the scope of the QMS will change over time, starting with the affiliate in Italy. As the headquarters is in France, however, certain relevant parts and processes linking the Italian site to the headquarters shall be included in the QMS from the very beginning.

    2.

    A hospital based in Prague, Czech Republic, with 1200 employees runs 10 departments. The management of the clinic decides to implement a QMS according to ISO 9001, but prefers a step-by-step approach. Reasons include keeping the project manageable and learning from the ups and downs of the implementation process before rolling the project out to other departments.

    For that purpose, the General Surgery and Intensive Care departments are selected to be the forerunners of the project. In this example, the organization and processes of the two chosen departments will be the focus during the first part of the QMS implementation. However, interfaces to clinic management and other departments shall be defined. For example:

    The top management of the clinic shall be involved and be part of the pilot project from the very beginning.

    Interfaces to other parts of the clinic shall be defined and dealt with within the project. These will include, for example, the diagnostic departments, the clinical laboratory and parts of the administration.

    3.

    Company XYZ runs three production lines (A, B, C) for different products and customer segments. The management launches a project to implement a QMS for production line B, as specific quality requirements are defined for the products of this line by regulatory organizations and clients.

    Again, such an approach is possible, although the ultimate target should be to extend the QMS to the remaining production lines A and C. Interfaces to top management, administration and other departments shall be respected and dealt with even if the scope is at first limited to production line B.

    It should be mentioned in passing that certification of management systems may and will be constrained to the scope of the QMS. In case 3 above, for example, an ISO 9001 certification of Company XYZ with the scope "Production Line B" would be possible.

    On the other hand, some processes and activities shall not be excluded. If design and development processes are essential for line B (in case 3), they cannot be excluded from the QMS for line B, as they are an important part of that line.

    Quality management system and its processes

    This clause states the formal and overall requirement that an organization that wants to comply with ISO 9001 shall establish a QMS and implement, maintain and improve it according to the requirements of the standard.

    As pointed out before, the biggest focus by far is on the organization’s processes that influence its capability to produce products or deliver services at the quality level requested by its customers and relevant stakeholders. In detail, this means for the QMS:

    Identify the processes needed for the organization’s QMS.

    Determine inputs and outputs of these processes.

    Determine the individual steps of the QMS processes.

    Determine the monitoring and measurements needed to control QMS processes.

    Determine ownerships, responsibilities and authorities for QMS processes.

    Determine the risks to be addressed by the processes and ensure that processes achieve intended results. Manage the risks.

    Determine interactions between QMS processes throughout the organization.

    Ensure that necessary resources are available.

    Ensure that QMS processes are continually improved, if needed.

    Translating these requirements into practical actions will typically start with:

    Listing of all relevant QMS processes: Key, support and management processes.

    Listing of additional QMS processes, required by ISO 9001 (e.g. internal audit processes, process to determine stakeholders and other systemic processes).

    Process mapping techniques as described in Chap. 6 of the book may be employed in this step. Examples include:

    Flowcharts;

    Turtle diagrams;

    SIPOC diagrams.

    Software programs are available to assist in doing the process mappings.

    2.2.3.2 Leadership

    ISO 9001 requires top management of the organization to be accountable for the effectiveness of the organization’s QMS. This is the central message. The other requirements of this clause follow more or less by straightforward logic.

    Leadership and commitment

    In most cases, it follows from the organization's legal structure who top management is. As a rule, legal entities require a nominated top management. In practice, top management of an organization may be represented by the CEO (chief executive officer), general manager, managing owner, managing partners and others. Whatever the details of the organizational setting, in each case top management is accountable for the QMS.

    Depending on size and other aspects of the organization, top management will implement a clearly defined management structure with defined responsibilities for individual aspects of the QMS. Top management shall:

    Make clear that it is accountable for the effectiveness of the QMS.

    Encourage other management functions with respect to the QMS.

    Ensure that a quality policy and quality objectives are established and met.

    Ensure that personnel know the quality policy, defined quality objectives and understand their importance.

    Ensure that the processes of the QMS are part of the real management system. Their interactions with other management processes shall be specified.

    Remark: This requirement may sound strange at first sight. However, practice shows it is much needed. Too often, organizations implement a sort of shadow organization for quality management which is designed to impress customers and certification companies but has little to do with daily reality.

    Ensure that necessary resources are available during the whole lifetime of the QMS.

    Ensure that risk-based thinking and the process approach of ISO 9001 are understood by employees and practiced.

    Promote continual improvement of the QMS.

    Due to these requirements, top management will continue to play the major role during the whole lifetime of the QMS.

    Customer focus

    The leadership expected from top management shall include the following:

    Ensure that regulatory, statutory and customer requirements are systematically determined and met.

    Ensure that risks and opportunities with potential impact on the conformity of products and services as well as on customer satisfaction are determined and managed.

    Ensure that the organization focuses on customer satisfaction.

    Policy

    The quality policy of the organization shall be established, implemented and maintained by top management. It shall form a framework for the setting of quality objectives and be appropriate to the context and strategic direction of the organization. The policy shall include a commitment to comply with applicable requirements, as well as a commitment to continual improvement of the QMS. The quality policy shall be communicated and applied within the organization. It shall be available
