
Compliance Vs. Conformance – Ensuring Your Company is on the Right Side of ISO 17021

  • Writer: Yelena Rymbayeva
  • Nov 14

Updated: Nov 18


Does Your Organization’s Quality Management System (QMS) Conform to International Standards?


In quality management, the key idea is and has always been compliance. Quality managers emphasize that they are complying with rules, regulations, laws – and the company’s quality management system (QMS). But what does the QMS itself comply with? And who assesses if the QMS is valid? This is where the idea of conformance comes to the fore. While ‘complying’ means that a system obeys the expectations of that system, to ‘conform’ with expectations, an external entity must evaluate and judge whether the system follows the rules and standards established for its focal area. As such, the International Organization for Standardization (ISO) has recognized the significance of conformance and issued a set of guidelines known as ISO 17021 which are used to instruct auditors and ensure uniformity of QMS application, regardless of where in the world the audit is taking place. In this article, we will examine the key differences between ‘compliance’ and ‘conformance’ to avoid the mistaken ideas that arise from their interchangeable word usage, and explore why QMS software applications, such as QMS2GO, must understand and utilize ISO 17021 to ensure that a QMS is not complying with the wrong set of assumptions.


Table of Contents

1. Defining and Understanding: ‘Compliance’ Versus ‘Conformance’

2. Why Conformance is Critical to Avoid Faulty Assumptions

3. What is ISO 17021 and How Does it Help QMS Implementation?

4. Why ISO 17021 and Conformance Evaluations are Essential for QMS2GO

5. References



Defining and Understanding: ‘Compliance’ Versus ‘Conformance’

The key problem of understanding the ‘compliance’ versus ‘conformance’ question is the way these words are used interchangeably in QMS guidance literature. Even the ISO itself has inadvertently contributed to this confusion: on their introductory website to ISO 17021, the ISO refers to the guidance as a ‘conformity assessment’ – but then says that ISO is used to evaluate ‘compliance management systems.’[1] Although this distinction is clear when reading ISO 17021 closely, a cursory glance can conflate the two terms – and this is exactly what has happened, leading to no end of consternation for both linguists and quality managers.


Let’s begin with simple definitions. Merriam-Webster defines ‘compliance’ as “the act or process of complying to a desire, demand, proposal, or regimen…” and “conformity in fulfilling official requirements.”[2] Note that this definition does include the idea of ‘conformance’ but is not itself conformance. Rather, it is about diligently following a prescribed series of steps and actions. This implies that ‘compliance’ is primarily about fulfilling requirements, rather than ascertaining whether the requirements are actually correct. You could, for example, be in complete compliance with a policy which is totally wrong.


Now, let’s look at the definition of ‘conformance’ from Merriam-Webster. The dictionary defines this word (under the related entry of ‘conformity’) as “action in accordance with some specified standard or authority.”[3] This gets to the heart of the matter: ‘conformance’ / ‘conformity’ is about action directed by the authority which promulgates a standard. Unlike compliance, it is concerned with properly-guided action, rather than following requirements. It is for this reason that the ISO chose ‘conformance’ as the key word to describe ISO 17021.


With the terms now defined, let us also aim to understand what they truly mean within a quality management context. If we aim for compliance, we are fundamentally attempting to follow what the QMS has dictated to us. We are operating under an assumption that the QMS is correct, has been correctly implemented, and is therefore a reliable standard. We trust this because we trust the auditors, and the certifying body who has approved of the auditors, to know the QMS and therefore ensure it has been correctly instituted. Within this set of assumptions, compliance will provide a quality manager and the organization’s staff with repeatable, predictable excellence.


However, and this is the critical point to remember, those assumptions are only as good as the trust we can place in them. If our trust is not solid, because we are uncertain of the auditors, or because the certifying body’s guarantee carries no weight, then we will not be able to act in good faith during compliance, because we will not know if the compliance is to a correct interpretation of the QMS standard. In this uncertain scenario, compliance becomes a non-factor, or perhaps even a detriment to quality.


Why Conformance is Critical to Avoid Faulty Assumptions

As described above, compliance is based upon trust in assumptions. And assumptions need to be based on trust in the proper organization and application of the QMS standard. Conformance thus becomes essential for setting correct assumptions, because it is based on a fundamental understanding of the standards which govern QMS implementation, application, and compliance. Conformance is, fundamentally, the guardrail to the guardrail.


Auditors are responsible for assessing if a company’s standard is in conformance with proper guidelines. They rely on their impartiality and training to examine the standard’s application within a greater context. The trouble, however, is in finding individuals and organizations that understand how to achieve conformance, and that achieve it consistently.


Achieving conformance is not about what your company does, but rather about the auditors and certifiers you rely on. These third parties must be in conformance with the QMS standard, to know whether your company is. They must be impartial and able to evaluate across the various sectors and focal areas that they cover within industry. And most importantly, they must be highly competent, and able to apply that competence alongside critical thinking and analysis, to determine how conformance can be established, or how inadvertent deviations can be corrected. Otherwise, application of conformance guidelines risks becoming just another extension of compliance box-checking, vulnerable to misinterpretation and flawed application.


To ensure that certification bodies have the ability to instruct auditors and provide reasonable assurance that they are qualified to assess conformance, it is necessary to have guidelines and structure to establish proper thinking and training. This is why ISO 17021 exists: it is a standard dedicated to the maintenance of other standards.


What is ISO 17021 and How Does it Help QMS Implementation?

Recognizing that certification bodies need to understand how to guide auditors, the ISO created the ISO 17021 guidance to establish “the competence, consistency, and impartiality of bodies providing audit and certification of all types of management systems.”[4]


As is the case with other ISO standards, the ISO itself does not assess or certify conformance or compliance. Instead, they provide the tools (in the form of their guidance standards) for third-party entities to certify for proper understanding and implementation (and therefore, conformance). This system can best be imagined as a waterfall: the ISO is the source of the water, which then cascades down through the falls with certification bodies as the top of the falls, certified auditors as the base, and companies in compliance as the larger outflow of water into the river or lake. Each link in that chain has to hold up for the water to keep flowing.


Where many companies get tripped up is in the waterfall itself. They have the water source (the ISO) and the water destination (their organization). But they inadvertently skip over the part where the water flows from one to the other, which leads to the water drying up and compliance being unproductive runoff. This usually happens when companies avoid auditing, use auditors who do not understand conformance, or trust auditors who are certified by entities that do not follow the ISO guidelines. Furthermore, companies that attempt to achieve conformance on their own can cause additional complications. They may not understand ISO 17021, or they may be biased toward desired company results, both of which can prevent impartial assessment of the QMS usage.


In a scenario where everything is working properly, ISO 17021 aids QMS implementation by assisting its assessors. It provides assurance that the experts know what they need to know and act in accordance with proper guidance. It is the hidden backstop behind the other ISO quality management standards, as well as many other standards (such as API Q1). But until now, it has not been something that most companies could directly engage with on their own, without risking a breakdown in impartiality.


Why ISO 17021 and Conformance Evaluations are Essential for QMS2GO

This brings us to QMS2GO and its revolutionary approach to ISO standard utilization. As regular readers of this blog already know, QMS2GO is no ordinary quality management software. It is an AI-powered quality management assistant which internalizes core standards and verifies a company’s work product against them. The result is that QMS2GO provides more than just tools to a quality manager – it can also provide pre-auditing checks. And the most powerful demonstration of this is the software’s ability to utilize ISO 17021.


As noted, companies generally do not benefit from trying to apply conformance checks themselves. It is almost impossible to maintain impartiality when your quality manager is also trying to audit their own work. But AI enables a new paradigm, because software is impartial. By compartmentalizing your company’s work output under a QMS standard and then running an automated check of that output and the QMS against ISO 17021 in another compartmentalized module, QMS2GO can provide immediate preliminary feedback to identify areas of potential non-conformance. A flag from the software can alert a quality manager that auditing may be necessary. With regular automated checks, QMS2GO may be able to provide advance notice of problems before they become obvious and cause disruptions. Furthermore, because your QMS2GO software will internalize an understanding of ISO 17021 as relating to your company’s focal area, the AI can provide suggestions for immediate corrective actions to return to conformance. QMS2GO is not a replacement for human auditors, nor is it meant to change these core ideas of how conformance is achieved and maintained. But it can provide early alerts, critical fixes, and most importantly, awareness of the problem – so that companies can take the necessary actions to engage an auditor and avoid a non-conformance crisis.


QMS2GO provides these remarkable features due to the way the software is designed. The AI is able to rapidly access full documentation of current ISO and other relevant standards, which are programmed into the software. This understanding is also coupled with a generative AI component, which allows quality managers to use the software to help create documentation. All of this documentation, along with other data that a company allows the software to internalize, forms an exclusive databank that the AI can cross-check against the company’s QMS standard. This cross-checking is what enables compliance: confirming that the documents have checked the requisite boxes and followed the proper assumptions. But separately from this, QMS2GO has another component: the conformance module. In this partitioned section of the software, which is not influenced by the generative AI, the current ISO 17021 guidance has been internalized within the databank. When an auto-check of the output portion of QMS2GO is run, the QMS standard (as well as all compliance documentation) is cross-checked against the conformance module, quickly assessing for deviations. If deviations are found, they are flagged, and remedial actions are tagged to each line item. The compartmentalization of the software is the crucial aspect of this approach: while the compliance portion directly interacts with a quality manager, the conformance portion does not. This provides the impartiality necessary for simple auditing, and ensures that a quality manager has a first line of defense against inadvertent deviations.


Future iterations of QMS2GO will expand upon this principle. The development team has envisioned a version of the software that can recommend and place quality managers in touch with human auditors, once a potential conformance issue has been flagged. By working directly with auditors, QMS2GO will help make their jobs easier by providing preliminary guidance for where issues may exist. Ultimately, the software may even become a training tool for auditors and be utilized by certification bodies to provide example auditing cases and to trial-implement solutions within a virtual simulation.


But we need not focus on the future. In the here and now, QMS2GO already provides a powerful tool to maintain conformance in your company. The software can give you and your team the most valuable asset in business: time. Imagine what you will be able to do when you have advance warning that your compliance practices may be compromised by inadvertent non-conformance. Envision how much work loss, and monetary loss, can be prevented by simply knowing about a problem sooner. This is the power of QMS2GO. Ultimately, the software is the means by which ‘compliance vs. conformance’ can transform into ‘compliance + conformance.’ QMS2GO gives you the power to achieve both, in the same intuitive program – empowering your company by providing control of the entire quality management process.




Authors



Yelena Rymbayeva is the Chief Marketing Officer of QMS2GO. A veteran marketing professional with experience in software, product development, and entertainment-focused startups, she has written extensively on business organizational best practices, efficiency strategies, and quality management system implementation, with an emphasis on small/mid-sized manufacturers and technology development companies.



Nicholas R. Zabaly is the Editor-in-Chief of QMS2GO’s research and knowledgebase operations. An experienced researcher and technical writer, he has worked closely with the company since its foundation and serves as its lead article writer.


Additional References and Resources

[1] International Organization for Standardization (ISO) – “ISO/IEC TS 17021-12:2021” – https://www.iso.org/standard/81685.html

[2] Merriam-Webster – “Compliance” – https://www.merriam-webster.com/dictionary/compliance

[3] Merriam-Webster – “Conformity” – https://www.merriam-webster.com/dictionary/conformity

[4] International Organization for Standardization (ISO) – “ISO/IEC 17021-1:2015” – https://www.iso.org/standard/61651.html
