A look inside ISO 9000

ISO.OCT–Grayhill/SC–Oct

A look inside ISO 9000

This broad-based international specification helps ensure consistent
quality from suppliers

BY SPENCER CHIN Associate Editor

ISO 9000 is the latest standard in the world of electronic products and
systems–both commercial and military. But ISO 9000 is not a product
safety or reliability standard like those under UL, CSA, VDE, and other
regulatory agencies. Instead, it is an international family of
specifications and standards for quality assurance management systems.
ISO 9000 was written over a seven-year period by representatives of 91
countries that belong to the International Organization for
Standardization. The standards cover not only the quality control systems
used on the manufacturing floor, but also set guidelines for management
involvement, design control, review of customer specifications, supplier
monitoring, and training. To meet the requirements of the specification, a
supplier must have a documented system to address each area. As quality
standards, the ISO 9000 guidelines fall about midway between the
MIL-Q-9858 specification and the coveted Malcolm Baldridge National
Quality Award. Unlike ISO 9000, however, the Baldridge award does not
stipulate any maintenance of the standards which win the award. ISO 9000,
by contrast, is an ongoing certification program that requires constant
adherence to the policies and procedures that won certification in the
first place. Until the development of ISO 9000, no internationally
accepted and followed criteria existed to determine good quality assurance
programs. This is quality assurance, not quality control, which is a
mechanical aspect of product manufacturing or service. In short, ISO 9000
is a model for common sense. By establishing a model to follow toward
developing individual quality assurance programs and for the certification
process, the standard provides a consistent baseline that runs across all
industries and throughout the world.
Today, major companies in major industries–including IBM,
Hewlett-Packard, AT&T, and others–have either adopted or are in the
process of adopting ISO 9000. Moreover, the European community now
requires ISO 9000 certification of prime contractors in key industries.
These contractors, in turn, often require their key suppliers to be
certified. Companies without certification risk being unable participate
in the European market, and most likely the global market as well.

Achieving certification In its simplest form, there are three steps to
achieving ISO 9000 certification. 1. Document what you do and do what you
document. 2. If it moves, train it. 3. If it doesn't move, calibrate it.
Five certification levels make up ISO 9000: ISO 9000, ISO 9004, ISO
9001, ISO 9002, and ISO 9003. The classification levels do not form a
hierarchy; rather, they are each separate standards geared to different
business and customer requirements. ISO 9000 and ISO 9004 provide
guidelines for quality management, while ISO 9001, ISO 9002, and ISO 9003
provide models for quality assurance programs that depend on the type of
products and services provided by the seller. The table details the areas
covered by ISO 9001, 9002, and 9003. ISO 9001 is the most comprehensive
of the standards, and it is especially important for an organization that
designs and develops its products. ISO 9002 is intended for organizations
that do little in the way of product development. ISO 9003 only concerns
itself with final test. The ISO 9000 standards are such that a company
chooses the specific standard by which it wants certification. While an
organization that designs its products could choose certification under
ISO 9002 and promote such certification, the certificate would not cover
product design and development functions. Therefore, the customer must
determine whether the specific certification is sufficient to its needs.
Regardless of what individual quality standards the customers specify,
however, by beginning with ISO 9001, they are assured of a known,
consistent level of quality. And if sample components are used for
evaluation, an ISO 9001 certified company, by virtue of its certification,
provides an implied assurance that all delivered components will meet the
specifications (within agreed tolerances) of the evaluation parts.

The certification audit To be certified, a supplier must be audited by
an accredited assessor organization. The job of the audit team is twofold.
First, they review the quality systems documentation submitted by the
supplier. If they find it complete and appropriate for the type of product
or service and marketplace served by the supplier, an on-site audit date
is scheduled. Otherwise, the documentation is returned with a brief
explanation of the weaknesses found. At least 20 ISO 9000 audit
companies, called registrars, now operate in the U.S. The box at the end
of this article lists some of these registrars along with additional
sources of information. Some registrars have been accredited by the
Registrar Accreditation Board (RAB), while others are approved by various
European commerce departments. Factors involved in selecting a registrar
include accreditation, costs, backlog, location, responsiveness, length of
the certification period, and number of annual follow-up audits required.
Don't expect to find a detailed explanation of precisely how each
department should function in the specifications. Because ISO 9000 cuts
across many types of companies and functions, the specifications are
somewhat generic and left to common sense interpretation. The on-site
audit typically lasts three or four days for a team of four auditors. They
look for evidence that the systems outlined in the documentation are being
followed, and the candidate company is committed to a program for
continuous improvement. Discrepancies or shortcomings in either area are
noted and must be corrected before certification is granted. The initial
certification is valid for about three years, so long as interim
mini-audits, three or four per year, don't uncover discrepancies. After
three years, another in-depth audit is required to retain certification.
Costs for ISO 9000 certification vary greatly. Costs depend on the
business, the desired certification level, the number of facilities (and
number of employees per facility) to be audited, and the maturity and
documentation of the existing quality assurance system. Out-of-pocket
costs for the audit range from $8,000 to $25,000 per site. To this cost
must be added the costs of travel for the audit team, the cost of future
audits, any time needed to modify system documentation, and perhaps
consulting, training, and equipment fees.

Information in this article was supplied by Grayhill, Inc. The company
became certified to ISO 9001 early this year. Grayhill is a La Grange,
IL-based maker of switches, keyboards and keypads, termination hardware,
and solid-state relays and I/O modules.

TABLE: ISO CERTIFICATIONS LEVELS

AREA CERTIFICATION LEVELS Management Involvement in the Quality A
B Assurance System

Contract or Purchase Order Review A B

Selection and Monitoring of Suppliers A B

Inspection of Incoming Materials A B

Control of In-House Materials A B

Techniques and Equipment Used to Inspect Products A B and Processes

Storing and Shipping Products A B

Problem Handling A B

Qualified and Trained Staff A B

Final Inspection and Training A B C

Product Design and Document Control A

KEY: A- ISO 9001; B- ISO 9002; C- ISO 9003

BOX: For additional information on ISO 9000, contact the following:

Registrar Accreditation Board (RAB). George Lofgren or Judy Kearney (414)
272-8575

Bureau Veritas Quality International (BVQI). Greg Swan (716) 484-9002

U.S. Dept. of Commerce Office of European Community Affairs Mary
Saunders (202) 377-5276

Quality Systems Update (CEEM Publications). Dennis Foley (800) 745-5565

American National Standards Institute (212) 642-4900

BSI Audio/Visual Training Tape ($295). 011-44-908-220908

STAT-A-MATRIX Group Paul Berman 908-548-0600