Understanding ISO 9001:2015 Quality Management System.
ISO 9001 is the international standard that specifies requirements for a quality management system (QMS). Organizations use the standard to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements. It is the most popular standard in the ISO 9000 series and the only standard in the series to which organizations can certify. Successful businesses understand the value of an effective Quality Management System that ensures the organization is focused on meeting customer requirements and that customers are satisfied with the products and services that they receive. ISO 9001 is the world’s most recognized management system standard and is used by over a million organizations across the world.
ISO 9001 was first published in 1987 by the International Organization for Standardization (ISO), an international agency composed of the national standards bodies of more than 160 countries. The current version of ISO 9001 was released in September 2015. ISO 9001:2015 applies to any organization, regardless of size or industry. More than one million organizations from more than 160 countries have applied the ISO 9001 standard requirements to their quality management systems. Organizations of all types and sizes find that using the ISO 9001 standard helps them organize processes, improve the efficiency of processes, and continually improve. You can integrate ISO 9001:2015 with other management system standards such as ISO 14001:2015, ISO 45001:2018, ISO 27001:2013, etc.
It brings quality and continual improvement into the heart of the organization and increases the involvement of the leadership team. It also introduces risk and opportunity into the management system. It is an agile business improvement tool that can be made relevant to the requirements of your own organization to gain sustainable business improvements.
This gives an opportunity for organizations to align their strategic direction with their quality management system. The starting point of the new version of ISO 9001 is to identify internal and external parties who support the QMS. This means that it can be used to help enhance and monitor the performance of an organization. It will help you become a more consistent competitor in the marketplace. It will also help you to meet present customer needs and identify future ones. This increases efficiency, which will save you time, money, and resources. It improves operational performance, which will cut errors and improve profits. It will motivate, engage, and involve staff with more efficient internal processes. It will help you win more high-value customers, and achieve improved customer retention with better customer service. It will broaden business opportunities by demonstrating compliance.
All ISO management system standards are subject to a regular review under the rules by which they are written. Following a substantial user survey the committee decided that a review was appropriate and created the following objectives to maintain its relevance in today’s marketplace:
- Integrate with other management systems
- Provide an integrated approach to organizational management
- Provide a consistent foundation for the next 10 years
- Reflect the increasingly complex environments in which organizations operate
- Ensure the new standard reflects the needs of all potential user groups
- Enhance an organization’s ability to satisfy its customers
The structure is based on the mandate that Annex SL from the ISO Directives is applied to management system standards. The clause structure in ISO 9001:2015 is being aligned with other management system standards. The structure is intended to provide a presentation of requirements. It is not a model for documenting the organization’s policies, objectives, and processes. There is no requirement for the structure of an organization’s quality management system documentation to mirror that of this International Standard.
Structure of ISO 9001:2015
ISO 9001:2015 is based on Annex SL – the high-level structure. This is a common framework for all ISO management systems. This helps to keep consistency, align different management system standards, offer matching sub-clauses against the top-level structure, and apply common language across all standards. It will be easier for organizations to incorporate their QMS into core business processes and get more involvement from senior management. The Plan-Do-Check-Act (PDCA) cycle can be applied to all processes and to the quality management system as a whole. The reason for the change is to adopt the common approach outlined in Annex SL, the new document that all ISO management system standards, including ISO 9001, ISO 14001, and the recently released ISO 27001, must follow. Currently, ISO 9001 contains 8 sections, four of which attempt to approximate “plan, do, check, act.” The new structure, based on Annex SL, has 10 sections, four of which also approximate to “PLAN, DO, CHECK, ACT.” All new management system standards will have this common structure. Here is the new structure:
This section describes the scope of the management system standard and will be unique to the individual standard. Clause 1 details the scope of the standard.
Normative References
This section references other relevant standards, which are indispensable for the application of the document and will also be unique. ISO 9000, Quality Management System – Fundamentals and vocabulary, is referenced and provides valuable guidance.
Terms and Definitions
Section three contains definitions, and while some of these are common terms related to Annex SL, other definitions will be unique to the management system standard. All the terms and definitions are contained in ISO 9000:2015 – Quality Management – Fundamentals and vocabulary. In ISO 9001:2015 the term “products and services” includes all output categories such as hardware, services, software, and processed materials. The term “services” is included to highlight the difference between products and services in the application of some requirements. In most cases, the terms are used together. In some cases, the word “product” is used on its own to specify a certain requirement.
An organization’s context involves its “operating environment.” The context must be determined both within the organization and external to the organization. This part is about understanding the organization’s purpose, the management system, and who the stakeholders are. It describes how to set up the management system and requires a broader understanding of the situation and needs of the business. It establishes the context of the QMS and how the business strategy supports this. The ‘context of the organization’ is the clause that underpins the rest of the standard. It gives an organization the opportunity to identify and understand the factors and parties in its environment that support the quality management system. To establish the context means to define the external and internal factors that the organization must consider when it manages risks. An organization’s external context includes its outside stakeholders, its local operating environment, as well as any external factors that influence the selection of its objectives (goals and targets) or its ability to meet its goals. An organization’s internal context includes its internal stakeholders, its approach to governance, its contractual relationships with its customers, and its capabilities and culture. Firstly, the organization will need to determine external and internal issues that are relevant to its purpose, i.e. what are the relevant issues, both inside and out, that have an impact on what the organization does, or that would affect its ability to achieve the intended outcomes of its management system. It should be noted that the term “issue” covers not only problems that would have been the subject of preventive action in previous standards, but also important topics for the management system to address, such as any market assurance and governance goals that the organization might set. Secondly, an organization will also need to identify the “interested parties” that are relevant to its QMS.
These groups could include shareholders, employees, customers, suppliers, and even pressure groups and regulatory bodies. Each organization will identify its own unique set of “interested parties” and over time these may change in line with the strategic direction of the organization. Next, the scope of the QMS must be determined. This could include the whole of the organization or specifically identified functions. Any outsourced functions or processes will also need to be considered in the organization’s scope if they are relevant to the QMS. The final requirement of Clause 4 is to establish, implement, maintain, and continually improve the QMS in accordance with the requirements of the standard. This requires the adoption of a process approach and although every organization will be different, documented information such as process diagrams or written procedures could be used to support this.
There are two new clauses relating to the context of the organization, 4.1 Understanding the organization and its context and 4.2 Understanding the needs and expectations of interested parties. Together these clauses require the organization to determine the issues and requirements that can impact the planning of the quality management system. Interested parties cannot go beyond the scope of ISO 9001. There is no requirement to go beyond interested parties that are relevant to the quality management system. Consider the impact on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements or the organization’s aim to enhance customer satisfaction. At their discretion, organizations can go beyond the minimum requirements and determine additional needs and expectations of interested parties that would not otherwise be “relevant”; this should be made clear in the quality management system.
This requirement calls for a greater union between the QMS and wider business planning activities. It requires organizations to ascertain, monitor, and review both internal and external issues that are relevant to their purpose and strategic direction, and that have the ability to impact the QMS and its intended results. The organization should determine the external and internal issues that are relevant to its purpose and strategic planning, and that affect its ability to achieve its objectives. The organization should monitor and review the information about external and internal issues. Management Review requires the monitoring of external and internal issues. To understand its internal context, the organization must consider issues related to the values, culture, knowledge, and performance of the organization. To understand its external context, the organization must consider issues arising from legal, technological, competitive, market, cultural, social, and economic environments, whether international, national, regional, or local. The internal context may include, but is not limited to:
- Product and service offerings
- Governance, organizational structure, roles, and accountability.
- Regulatory requirements
- Policies and goals, and the strategies that are in place to achieve them.
- Assets like facilities, property, equipment, and technology
- Capabilities understood in terms of resources and knowledge like capital, time, people, processes, systems, and technologies.
- Information systems, information flows, and decision-making processes (both formal and informal).
- Relationships of the staff/volunteers/members and the perceptions and values of their internal stakeholders including suppliers and partners.
- Organization’s culture.
- Standards, guidelines, and models adopted by the organization and
- Form and extent of the organization’s contractual relationships.
The external context’s micro-environment consists of the organization’s immediate operations and how they affect its performance and decision-making. Some of the micro-environmental context factors are:
Customers – Organizations must attract and retain customers by offering products and services that meet their needs, along with providing excellent customer service.
Employees/Members/Volunteers – There must be people available who have the motivation to remain as contributing members of the organization and to develop the skills necessary to provide a competitive edge.
Suppliers – Suppliers provide organizations with the resources they need to carry out their activities. If a supplier provides bad service, this affects the way the organization operates. Close supplier relationships are an effective way to remain competitive and secure the resources needed.
Investors – All organizations require investment to grow. They may borrow the money from a bank or have people invest in their work. Relationships with investors need to be managed carefully, as problems can detrimentally affect the long-term success of the organization.
Media – Positive media attention can bring success to the organization by maintaining its reputational strength. Managing the media (including the presence in social media) is a challenge.
Competitors – Members of the organization need to have a sense of belonging. Can the organization offer benefits that are better than those offered by the competitors? Is there a strong value proposition? Competitor analysis and monitoring are crucial if an organization is to maintain or improve its position in the competitive landscape of the community. The organization must always be aware of its competitors’ activities. The landscape can change quickly.
A broadening of scope beyond just customers. Requires the organization to determine “the relevant requirements” of “relevant interested parties” e.g. a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.
The organization shall determine relevant interested parties and the requirements of relevant interested parties. Interested parties include customers, partners, persons in the organization, and external providers. Relevant interested parties to be considered are those that potentially could impact the organization’s ability to provide products and services that meet requirements. The organization must monitor and review information related to interested parties and their relevant requirements. Management Review requires the monitoring of relevant interested parties.
4.3 Determining the scope of the QMS.
The scope statement must state the products and services covered. The organization must establish the scope of the quality management system by determining the boundaries and applicability of the quality management system. While determining the scope, the organization must consider the internal and external issues determined in 4.1, the requirements of relevant interested parties in 4.2, and the products and services of the organization.
Requirements that can be applied by the organization shall be applied. Requirements that cannot be applied cannot affect the organization’s ability to provide products and services that meet requirements. The organization must maintain the scope as documented information stating the products and services covered by the QMS and any justification where a requirement cannot be applied. Any interested party which is not relevant to the quality management system need not be considered and similarly, any requirement of that interested party need not be considered. Determining what is relevant or not relevant is dependent on whether or not it has an impact on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements or the organization’s aim to enhance customer satisfaction. The organization can decide to determine additional needs and expectations that will meet its quality objectives. However, it is at the organization’s discretion whether or not to accept additional requirements to satisfy interested parties beyond what is required by this Standard.
The revised standard will focus on the application and not just the exclusions. There are no limits on the clauses for which applicability can be determined. Justification will be required as documented information to ensure that limited application does not affect the organization’s ability to provide products and services. The application of requirements may vary. Where a requirement can be applied within the scope of its quality management system, the organization cannot decide that it is not applicable. Where a requirement cannot be applied (for example where the relevant process is not carried out) the organization can determine that the requirement is not applicable. However, this non-applicability cannot be allowed to result in failure to achieve conformity of products and services or to meet the organization’s aim to enhance customer satisfaction. A manufacturing organization that does not have any monitoring and measuring resources could determine that the requirements in 7.1.5 do not apply. Organizations that build from a customer-provided design could determine that the requirements for design in 8.3 do not apply. Organizations could not determine that requirements such as competence are not applicable, since this directly affects the ability to provide a product that meets requirements.
4.4 Quality Management System and its processes.
A major change specifies the number of factors to be considered when planning the processes that make up the QMS. Although a process-planning approach has been previously expressed in earlier standards, this greatly reinforces the requirement. The standard requires the organization to establish a process-based management system. This is required to be maintained and continually improved. The clause sets out high-level requirements for the design of such a process-based management system. These processes are integral and also there are support processes that underpin the operation of the entire QMS. It does not mean that you have to fill your quality manual with flowcharts. If flowcharts work for you then use them.
A process is a set of interrelated activities that transform activity inputs into outputs. For example: the process of converting a box of components into a working security system.
The process approach is a management strategy that requires organizations to manage their processes and the interactions between them. Thus you need to consider each major process of the company and its supporting processes.
All processes have:
- operational control;
- appropriate measurement & monitoring
Each process will have support processes that underpin and enable the process to become realized. So, for example, a typical alarm company will take inquiries/sales and convert them into working alarm systems. Below is a block diagram of a typical alarm company’s processes with support processes and other considerations.
[Block diagram not reproduced. Its panels were titled “Example support processes and considerations” and “Example of other processes and considerations”.]
Questions to ask:
- What are the inputs to the process?
- Where do the inputs come from?
- What are the outputs of the process?
- Where do the outputs go to?
- Is there an effective interrelationship between processes?
- Who plans the process?
- Who conducts the process?
- Are responsibilities and authorities defined?
- Who monitors and measures the process?
- What resources are required for the process? – Materials, people, information, environment, infrastructure, etc.
- What documented information is required for the operation and control over the process?
- What competencies & training are required?
- What awareness and knowledge is required?
- What methods are used to control and run the process?
- What are the risks and opportunities for the process?
- What happens when the process goes wrong or does not yield the correct output or result?
- How can the process be improved?
- Is the process part of the management review process?
- Is the process subject to internal audit?
The answers to the questions above form the basis of the process, its control, measurement, and improvement.
This clause provides requirements for commitment, policy, and responsibilities. The emphasis is more on leadership than on management. This clause places requirements on “top management”. Top management is the person or group of people who directs and controls the organization at the highest level. The QMS is no longer the responsibility of a single individual, and there is no longer a requirement to have a “Management Representative” who is responsible for it. There is an increased emphasis on people “owning” the QMS rather than one individual. The purpose of these requirements is to demonstrate leadership and commitment by leading from the top. Top management now has greater involvement in the management system and must ensure that its requirements are integrated into the organization’s processes and that the policy and objectives are compatible with the strategic direction of the organization. The quality policy should be a living document, at the heart of the organization. To ensure this, top management is accountable and has a responsibility to ensure the QMS is made available, communicated, maintained, and understood by all parties. There is also a greater focus on top management to enhance customer satisfaction by identifying and addressing risks and opportunities that could affect this. Top management needs to demonstrate consistent customer focus by showing how they meet customer requirements, regulatory and statutory requirements, and also how the organization maintains enhanced customer satisfaction. In the same context, they need to have a grasp of the organization’s internal strengths and weaknesses and how these could affect the delivery of products or services. This will strengthen the concept of business process management. In addition, top management needs to demonstrate an understanding of the key risks associated with each process and the approach taken to manage, reduce, or transfer the risk.
Finally, the clause requires top management to assign QMS-relevant responsibilities and authorities, while remaining accountable for the effectiveness of the QMS.
Greater emphasis is placed on the role of top management. The standard requires top management to “demonstrate leadership and commitment”, and suggests that a more hands-on approach is expected. ISO 9001:2015 requires top management to be much more “hands-on” with respect to their QMS. Where the word “ensuring” is used in sub-clause 5.1.1, top management may still assign this task to others for completion. Where the words “promoting”, “taking”, “engaging” or “supporting” appear, these activities cannot be delegated and must be undertaken by top management themselves. Top management must:
- have accountability for the effectiveness of their organization’s quality management system;
- ensure that their organization’s quality policy and quality objectives are consistent with the organization’s overall strategic direction and the context in which the organization is operating;
- work alongside their people in the organization in order to ensure that the quality objectives are achieved;
- ensure that the quality policy is communicated, understood and applied across the organization;
- make sure that the quality management system is achieving the results that are intended;
- lead people to contribute to the effective operation of the system;
- drive continual improvement and innovation and develop leadership in their managers.
Top management is required to ensure that:
- the requirements set out in ISO 9001:2015 are met;
- QMS processes are delivering their intended outcomes;
- reporting on the operation of the QMS and identifying any opportunities for improvement is taking place;
- a customer focus is promoted throughout the organization;
- whenever changes to the QMS are planned and implemented, the integrity of the system is maintained.
Top management should ensure that the organization has knowledge of the law, is aware of the customer’s expectations, and is delivering on them. Knowing what can go wrong with what you are selling and providing, and what opportunities you have when you deliver it, opens doors, for example, to other workstreams. Top management should make sure that the customer is happy. Understand customer specifications and needs: ensure you know exactly what the customer wants, and document this from the initial inquiry to the commissioning paperwork.
Policy requirements are enhanced. A requirement is introduced that the quality policy is appropriate to the context of the organization and that it is applied throughout the organization. Write the policy to include:
- making sure it reflects your business size, ethos and what you are trying to achieve;
- how you will decide what you are going to achieve and how you will check this;
- committing to doing it the right way (e.g. in line with standards and best practice);
- committing to try to continually improve.
Tell everyone about it.
- Making sure it is written.
- Making sure people know it and understand it.
- Giving it to people who have an interest in your business (e.g. clients/suppliers/manufacturers/staff).
- Publishing it on your website.
Examples include a written quality policy, company induction, basic training, and toolbox talks.
The requirement for a management representative is no longer specified. The duties previously assigned to that role may now be assigned to any role or split across several roles. Top management must ensure that responsibilities are allocated across the organization to maintain the management system and to make sure that what is supposed to happen is happening. While allocating roles, responsibilities, and authorities, the organization must remember the customer at all times, the outcome of the business processes, and how they can be improved. Remember to update the system as and when you change how you work or the intended process is amended. The organization must define job roles prior to recruitment, allocate job descriptions to personnel, and link these to the processes within the business. For example, a sales administrator might be expected to have 12 months’ experience in writing quotations. When they join there would be a period of training, reinforced through a written job description. The output would be a more senior colleague reviewing quotes, confirming they are correct, and ensuring that the customer is being quoted for what they asked for. If a form or process is amended along the way, advise the sales administrator and ensure the new versions are applied.
The Planning clause covers a) risks and opportunities, b) the setting of goals and objectives to achieve plans, and c) resources. It also requires a greater application of goals and objectives to integrate with the management system’s planning and operation to ensure the success of the organization. This clause must be considered along with Clause 4.1 ‘context of the organization’ and Clause 4.2 ‘interested parties’. The first part of this clause concerns risk assessment whilst the second part is concerned with risk treatment. When determining actions to address identified risks and opportunities, these need to be proportionate to the potential impact they may have on the conformity of products and services. Opportunities could, for example, include new product launches, geographical expansion, new partnerships, or new technologies. The organization will need to plan actions to address both risks and opportunities, plan how to integrate and implement the actions into its management system processes, and evaluate the effectiveness of these actions. Actions must be monitored, managed, and communicated across the organization. Another key element of this clause is the need to establish measurable quality objectives. Quality objectives must be consistent with the quality policy and relevant to the conformity of products and services as well as to enhancing customer satisfaction. The last part of the clause considers the planning of changes, which must be done in a planned and systematic manner. There is a need to identify the potential consequences of changes, and to determine who is involved when changes are to take place and what resources need to be allocated.
The main objectives of ISO 9001 are to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services and to enhance customer satisfaction. The concept of “risk” in the context of ISO 9001 relates to the uncertainty in achieving these objectives. ISO 9001 incorporates risk-based thinking in its requirements for the establishment, implementation, maintenance, and continual improvement of the quality management system. Organizations may choose to implement a formal risk management program such as ISO 31000 but are not compelled to do so. The concept of risk is built into the whole management system. Risk-based thinking is also part of the process approach. Risk-based thinking can also help to identify opportunities. For risk-based thinking, the organization must understand any external and internal issues as given in clause 4, context of the organization. Risks and opportunities are determined in clause 6.1. Implementing risk-based thinking also assures preventive action. One of the key purposes of a quality management system is to act as a preventive tool. ISO 9001:2015 does not have a separate clause titled preventive action. The concept of preventive action is controlled through risk-based thinking by managing risks and opportunities identified in clause 6.1.
6.1 Actions to address risks and opportunities.
This sub-clause requires a risk-based approach. In addition to this clause, references to the terms ‘risk’ and ‘opportunity’ are made throughout the standard. Consider the issues determined in clause 4.1 and the needs and expectations of interested parties in clause 4.2 to determine your risks and opportunities. The organization should determine risks and opportunities to assure that the quality management system can achieve its objective, to prevent or reduce undesired effects, and to achieve continual improvement. The organization shall plan actions to address risks and opportunities. The actions identified should be appropriate to their potential impact on the QMS. The actions to address risks and opportunities must be integrated and implemented into the QMS processes. The effectiveness of these actions must be evaluated.
NOTE: No formal risk management program is required.
Actions to address the risks – First, the organization should identify the risks and opportunities it wants to address. Then the organization must determine the severity of each risk and opportunity. Understanding the severity, the organization must plan action to address the risk and opportunity. This can be captured in the Risk plan. Plan how all the elements come together, how the plan will be run, and how you will check that it is on track. Use risk methodologies to ensure that you apply things appropriately. The greater the risk and the impact on the organization, the greater the control measures, planning, management, etc. If necessary, have a Plan B. Consider how an understood risk can be used in a positive way to look at other ways of doing things or other products.
6.2 Quality objectives and planning to achieve them.
No quality plan can be complete without having measurable quality objectives. An objective should include a description of who is responsible, what the target is, and when it is planned to be achieved. Progress must be monitored. The standard also requires objectives to be set for relevant processes. Ensure that whatever objectives you implement are SMART.
Some key rules are as follows:
- Make sure they comply with the law and industry standards.
- Make sure they conform with the products and services to make them better.
- Monitor your objectives periodically to check what you are doing.
- Tell the staff what they are and what you expect of them.
- Update them when the management changes something.
Keep records of this. This should be included in the customer SLA and planning should be in place to ensure you can resource this response rate. An example could be understanding the total number of planned maintenance and the number of reactive maintenance, to ensure you calculate the appropriate levels of resources. Organizations need to clearly understand how these will be realized. For example, if your aim is to provide national coverage, how will this be achieved? What resources will you allocate? Will you recruit staff countrywide? Who will manage it? Have you understood when it needs to be achieved and what you will do to check it is effective?
6.3 Planning of changes.
The clause lists items to be considered in change management. When some changes need to be made in the organization either in the product, service, or process, the impact of the change needs to be considered before a change is made. You will need to demonstrate that you have:
a) considered why are you changing it and what could happen when you make the change;
b) ensured that the QMS doesn’t get affected negatively, e.g. something can’t be done any longer once you have changed a process like you stop recording the number of quotes you are doing and therefore you don’t have an ability to review conversion rates;
c) thought about what you need to achieve it (e.g. people/technology, etc.);
d) considered what changes need to be made in the organization to make it happen.
The SUPPORT clause includes most of the expected support processes that exist in an organization. Clause 7 ensures there are the right resources, people, and infrastructure to meet the organizational goals. It requires an organization to determine and provide the necessary resources to establish, implement, maintain, and continually improve the QMS. This requirement covers all QMS resource needs and covers both internal and external resources. There are additional requirements to meet applicable statutory and regulatory requirements. It continues to cover requirements for infrastructure and the environment for the operation of processes. Organizational knowledge is a requirement which deals with requirements for competence, awareness, and communication of the QMS. Organizations are required to examine whether the current knowledge they have is sufficient when planning changes and whether any additional knowledge is required. There is a key requirement for maintaining the knowledge held by an organization to ensure the conformity of products and services. This could include the knowledge held by an individual as well as for example, the intellectual property of an organization. Personnel must not only be aware of the quality policy, but they must also understand how they contribute to it and what the implications of not conforming are. The organization requires “documented information”. It includes the terms “documents” and “records”. Organizations need to determine the level of documented information necessary to control the QMS. This will differ between organizations due to size and complexity. In line with the increased importance of information security in organizations, there is also a greater emphasis on controlling access to documented information such as the use of passwords. Organizations should also have systems in place to provide a back-up should IT systems crash. 
Human resources are renamed as “competence”, and communication, which will require a new approach in most organizations, is given its own section rather than a mention as a management responsibility. Finally, document control has been renamed “documented information.” It now covers both procedure/document control and records control.
The organization must determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the QMS. The organization must have the resources it needs to ensure the effective operation of the QMS. Resources may include raw materials, infrastructure, finance, personnel, and IT, all of which can be either internally or externally provided. The organization must have a clear understanding of:
- what an organization has in house and whether this is sufficient/fit for purpose to achieve its goals and objectives.
- what additional support might be needed externally.
For example, specialist skills that are better outsourced due to the size of the organization (e.g. security screening, health and safety advice).
This standard expects an organization to determine and provide the appropriate number of personnel to effectively implement the QMS and for the operation and control of its processes. Staff must be allocated in order to achieve the required outcome. This means determining that you have someone to carry out a specific process, e.g. recruitment, screening, and training of staff. Depending on the size of the organization, this may be one or two people or a team. The senior management will need to determine the resource needed and maintain this. This will be about ensuring you have the right number of engineers or security officers to provide the service that you have quoted. This will depend on the specifics set out in the contract and terms, e.g. ensuring you have sufficient engineers to respond within 24 hours, or ensuring you have sufficient trained security officers to replace those who may be sick or on holiday.
Essentially a company needs to consider all the things they will need in order to deliver a service and product to the customer. This may be:
- buildings, water, gas, electricity, etc.
- equipment such as computers, operating systems, printers, software, monitoring equipment, etc.
- vehicles that may be needed for engineers, managers, sales and survey staff;
- information such as standards that have to be applied, the internet, mobile phones, tablets, etc.
The environment for the operation of processes clause ensures that the organization determines, provides, and maintains an environment necessary for the operation of its processes and to achieve conformity. The term environment refers to the work environment and is used to describe the set of conditions in which employees perform their work and under which products and services are produced. Conditions can include physical, social, psychological, and environmental factors (such as temperature, lighting, recognition schemes, social and occupational stress, ergonomics, etc). It can also relate to conditions on how work is actually done (complex, repetitive, creative, interactive, team, etc.) in work processes and procedures. The standard makes reference to the environment that you work in and may include the following:
- Equal opportunities, whistleblowing, the anti-bullying policy.
- Violence at work, counseling support, lone working.
- Office-based risk assessment, space, noise levels.
The organization needs to decide what tools it uses to measure organization performance. It also needs to consider whether these tools will give them everything they need as a result. You may use a commissioning paper trail and/or electronic processes. For example, to monitor customer service, you may take feedback via a phone call after installing. Other organizations may have a CRM in place. Some of the suitable measuring tools may be equipment that is used to test and commission systems, such as multimeters, insulation testers, sound pressure level meters, etc. You may be required to calibrate all the test equipment that you use.
Measurement traceability is the process of validating the equipment that will be used to measure products and resources. This will give the organization confidence that all measurements are completely correct. You need to establish whether this is relevant to you and meeting all applicable requirements for the product and services.
- Is it required to be calibrated?
- Allocated unique reference numbers and listed on a register of some sort.
- Allocated to personnel as and when needed and a clear process in place to ensure all staff knows how to use it properly.
- Able to identify calibration status
- Protected from an adjustment that could affect results of measurement
- Protected from damages during moving, repairs, or storage
- Non-conforming devices are checked against a conforming device
Organizations are expected to check results from calibration to ensure they are comfortable and have not been tampered with. You may have a Maintenance Register.
The organization shall determine the knowledge necessary for the operation of the QMS, to ensure the conformity of products and services, and to enhance customer satisfaction. As necessary, the organization is responsible for maintaining, protecting, and making sure the knowledge is available. Knowledge is to be considered when making changes to the organization. Knowledge required depends on the size and complexity of the organization, the risks and opportunities it needs to address, accessibility of knowledge, and the process for considering and controlling past, existing, and additional knowledge. As long as the conformity of products and services can be achieved, the balance between knowledge held by competent people and knowledge made available by other means is at the discretion of the organization. Consideration can be given to whether competent employees have this knowledge.
The organization needs to determine the necessary competence of its employees, and ensure those employees are competent on the basis of appropriate education, training, and experience. The organization must have a process for determining the necessary competence and achieving it through training or other means. Determining competence is a necessity in any organization. It means working out the skills your team has, the skills they don’t yet have, and the skills they will need to achieve the company’s objectives. For example, to achieve the objective of “Increase in sales”, you need to improve the competency of your sales team by training them.
The clause of Awareness is closely related to the clause of competence. Employees must be made aware of the Quality Policy and its contents. They must also be aware of how their personal performance currently impacts the QMS and its objectives or may impact it in the future. They must understand what the implications of positive or improved performance, and of poor performance, may be for the QMS. There is a greater focus on not just communicating the policy but ensuring that it is understood by all the employees, including how it affects their work, especially if they deviate from it. They must understand what they contribute and how this can make the organization better. From a QMS point of view, the organization should look to explain policies more clearly so that the staff understand their meaning. It may be useful to capture this on a training record.
For Quality Policy the employees:
- Read and understood = insufficient
- Understand the company’s aim = Yes
- Understand the company’s processes in which they are involved = Yes
- Understand their impact = Yes
- Understand they can have a positive effect = Yes
- Understand they can have a negative effect = Yes
This clause includes both internal and external communication about the QMS. Processes for internal and external communication need to be established within the QMS.
The key elements of Communication that an organization must establish are:
- what needs to be communicated?
- when it needs to be communicated?
- how it should be done?
- who needs to receive the communication? and
- who will communicate?
It should be noted here that any communication outputs should be consistent with related information and content generated by the QMS for the sake of consistency. This is a straightforward clause and is simply about effectively communicating to all those within the organization and those affected by it. Internal communications can include briefings to staff on:
- new policies;
- new or amended objectives;
- new or amended strategies;
- new clients;
- new or amended technology;
- new products;
- issues with suppliers;
- anything that will have an impact on them.
Designate a person responsible for updates; this may be either a department head or Top Management.
The term “documented information” in ISO 9001 is basically a combination of the two terms “documents” and “records”. “Documents”, “Documentation” and “Records” are combined to become “Documented information”. It refers to all of the important information within the organization that must be kept organized and controlled. It is a requirement to determine, make available, and maintain knowledge. It mentions issues such as confidentiality, access, and data integrity. The organization may adopt information security due to the increasing use of electronic documents/data. Documented procedures (e.g. to define, control, or support a process) are now expressed as a requirement to maintain documented information, and records are expressed as a requirement to retain documented information. The current version of ISO 9001 does not require a quality manual or documented procedure, as Annex SL does not require documented procedures or a quality manual. The requirements for documented information are spread throughout the standard. In summary, they are:
- 4.3 Scope of the QMS
- 4.4 Support operation of its processes and need for confidence.
- 5.2.2 a) Quality policy
- 6.2.1 Quality objectives
- 7.1.5.1 Monitoring and measuring resource – fitness for purpose
- 7.1.5.2 Basis used for calibration or verification
- 7.2 d) Evidence of competence
- 7.5.1 b) Documented information determined by the organization as being necessary for the effectiveness of the QMS
- 8.1 e) Extent necessary (for confidence in processes and product/service conformity)
- 8.2.3.2 Review of requirements related to products and services
- 8.2.4 Amended documented information
- 8.3.2 Design and development requirements met
- 8.3.3 Design and development inputs
- 8.3.4 Design and development control activities
- 8.3.5 Design and development outputs
- 8.3.6 Design and development changes/results of reviews etc.
- 8.4.1 Results of evaluations, monitoring, re-evaluations of external providers
- 8.5.1 a) Characteristics of the products/services, activities to be performed, and result achieved.
- 8.5.2 Maintain traceability
- 8.5.3 Reports on what has occurred
- 8.5.6 Control of changes – results of reviews, personnel authorizing, necessary actions
- 8.6 Release of products and services – traceability of person(s) authorizing release, evidence of conformity
- 8.7.2 Describes nonconformity, actions taken, concessions, authority
- 9.1.1 Evidence of the monitoring and measurement results
- 9.2 f) Evidence of the audit program and the audit results
- 9.3.3 Evidence of the results of management reviews
- 10.2.2 Evidence of the results of any corrective action and the nature of the nonconformity
This clause deals with the execution of the plans and processes that enable the organization to meet customer requirements and design products and services. It places a greater emphasis on the control of processes, especially planned changes and review of the consequences of unintended changes, and mitigating any adverse effects as necessary. The standard acknowledges the trend towards greater use of subcontractors and outsourcing. This is demonstrated by the requirement to establish criteria for monitoring the performance of these parties in addition to keeping records used to establish selection criteria. The clauses cover the requirements for products and services. The standard requires communication with regard to contingency actions where required and also the treatment of customer property. Plan, implement, and control the processes needed to meet requirements for products and services.
These clauses ensure requirements for products and services are defined and claims for products and services offered are met. It establishes, implements, and maintains an appropriate design and development process. It also ensures externally provided processes, products and services conform to requirements. Production and service provision must be under controlled conditions (identification, verification, and validation). Products and services are not to be released until planned arrangements are completed. Nonconforming outputs are to be identified and controlled. When determining the extent of these activities organizations must consider the risks associated with a product or service, customer requirements, customer feedback, and any statutory requirements.
In order to meet the requirements for the delivery of products and services, the organization needs to plan, implement, and control its processes. The first step is to determine the requirements for products and services, meaning what features the product or service will have. Then, the organization needs to define how processes will be performed and what criteria the product or service needs to meet to be accepted for release. Finally, the organization needs to determine the resources needed for the processes and the records needed to demonstrate that the processes were carried out as planned. Once the organization has done its planning for what it is going to sell, it must then plan the detail of how this can be done operationally. The organization may need to:
- Set up supplier accounts/trade accounts.
- Purchase stock.
- Ensure staff have the correct skills and understand the process.
- Purchase tools and vehicles.
- Make sure you have enough staff.
- Issue clear instructions, drawings, procedures, and risk assessments to enable them to do the job.
The organization needs to show clear control of the process. They will be expected to check that delivery is as expected and when there are deviations that this is managed and negative impacts controlled. The same control should be applied to subcontractors.
8.2 Requirements for products and services.
Requirements for products and services are closely related to communication with customers. This communication must include information related to the products or services, handling inquiries, contracts or orders, customer feedback, handling and controlling customer property, and, if needed, establishing specific requirements for contingency actions. Before offering the product or service to the customer, the organization needs to ensure that the requirements for the products and services are defined and that the organization is able to deliver such products or services. Requirements for products and services include any applicable legislation and the requirements that the organization considers being necessary. After receiving the order, the organization must, prior to delivery, review the requirements related to the product and keep records about the review. If the customer changes its requirements, these also must be reviewed and recorded. In case of changes, the organization must ensure that all documented information is amended and all relevant persons are aware of the changes.
This is essentially about how you relate to the customer, to include:
a) what you are selling;
b) how they can expect to be dealt with (e.g. formal quote/email/letter/terms you will work under/within);
c) getting feedback from the customer;
d) looking after their property (e.g. premises whilst you are in there);
e) what plans you put in place for if something goes wrong.
Ensure the customer has a clear written quotation and specification relating to the services they want. Allocate a specific person/manager to the customer so that they have one key contact for all communication; that way, positive and negative feedback is captured and dealt with. You must give useful information about your products/services. You must provide some mechanism for your customers to ask about the products/services and a way for customers to inquire about your invoices and fees. The customer must have a way to ask about changes. There should be a way to collect customer complaints and a way to collect feedback. If your customers provide their property as a part of your product/service, they must be able to understand how it is handled. If there are any risks associated with your product or service, your customer must be told of them and how they are handled.
Organizations need to be clear about what is required in order to sell their products and services. You must review customer requirements before committing to supply the product or service. You need to take into account a few things here. You must consider:
- Applicable acts and regulations.
- What to do when providing verbal contracts.
- Legal and industry norms.
- Elements the organization determines as necessary for their own needs.
Once all that is considered and reviewed, you need to formally accept the requirements with confirmation back to the customer of what you are going to deliver and when. You need to keep documented information on this review. The organization must be able to deliver what it is selling. Liaise with suppliers, attend open days, read the product literature.
Organizations are expected to review whether they can provide what they intend to sell. This review must include taking into account:
a) what the customer orders, the install and any after work, e.g. maintenance / follow up / servicing;
b) elements that need to be completed to ensure the job is fitted correctly – meter reading tests / commissioning forms / standard operational check;
c) anything else the company needs to implement;
d) legal and industry standards;
e) any variations. If the customer has changed their order, this needs to be defined and the customer must accept this change if they haven’t already confirmed it in writing.
Reviews must be documented. If they want to use new products and services, this must be recorded. Customers should be made aware of the impact of changing products and services, etc. Organizations may choose to do a contract review either using paper or electronic documents, confirmation emails, quote proposals, etc. It must also record any change in technology you might use.
If there is any change in the customer order, this needs to be tracked and documented. Someone in the organization who is responsible for executing the customer order must ensure that all departments involved in executing the order are aligned. You should seek and record evidence that your organization has ensured that all relevant documented information relating to changed product or service requirements is amended and that relevant personnel are made aware of the changed requirements. Define your organization’s arrangements for amending documented information and communication of changed requirements, e.g. updated contract review records, amended orders/contracts, memos, change notices, quality plans, meeting minutes, together with communication to relevant interested parties (persons within or outside the organization that may be impacted by the change).
This clause refers to design and development management, from the initial idea to the final acceptance of the product. The definition of design is “a plan or drawing produced to show the look and function or workings of a building, garment, or another object before it is made.” Put simply, if the organization is creating something, be it a tangible product or intangible service, there will certainly be an element of design. ISO 9000 explains that the terms “design” and “development” are often used as synonyms, and defines the different phases of overall design and development. This means that design can’t be used apart from development and that they represent one single process. During design and development planning, all its phases must be defined with appropriate activities of review, verification, and validation for each phase. ISO 9001 refers to the design and development of the product and not to the design and development of processes. Design and development input requirements related to the product include:
- Functional requirements and product performance requirements
- Legal and regulatory requirements for product
- Information from previous similar projects
- Other requirements relevant to design and development, usually customer requirements, market information, package, etc.
Design and development outputs must be in a form suitable for verification related to input elements and must be approved before acceptance. They can be in the form of a drawing, engineering documentation, plans, etc. The organization also needs to define design and development review activities. The purpose of these activities is to determine whether the design and development process goes in the intended direction. The review must be done in appropriate phases and at the end of the project. The review identifies problems during design and development and suggests actions to resolve them. It can include other interested parties. The design and development review must be recorded. Also, the company needs to identify, review, and control changes during the design and development of products and services. A record should be kept regarding the changes, results of reviews, authorization of the change, and actions taken to prevent adverse effects.
The steps involved in Design and Development include:
- Planning – The organization must have a plan on how to do the design and development. A design and development plan which will have the project timescales, deliverables, responsibilities of team & individuals, persons of authority for sign-off for an internal, or external customer, design reviews at a relevant phase in the project e.g. start, confirmation of inputs, post verification, post validation, finish, etc., resources required throughout the project, communication with subsequent process owners, and required controls throughout the project and intended use of the output.
- Inputs – There are many inputs to the process. The inputs may be:
  - The requirements from the customer, such as what they want to achieve and what their needs & expectations are
  - The parameters & constraints of designs, e.g. materials, dimensions, functionality, life cycle, sustainability, etc.
  - The statutory and regulatory requirements or codes of practice, like product and safety directives, building regulations, etc.
  - Availability of information from previous designs, like a review of learnings – good/bad/potential improvements, etc.
- Controls – It is a critical step in Design and Development. It helps the organization to determine how the results are to be achieved, such as what the project deliverables are, how they will be achieved, and how they will be measured (acceptance criteria). The reviews have to be conducted throughout the project, as mentioned above, at the relevant phase in order to meet the input requirements.
- Verification – Verification helps to establish that the product or service is being designed/developed as intended in relation to the input requirements. This can be done through different types of testing (e.g. prototype, proof, demonstration, inspection, analysis, or acceptance).
- Validation – The product or service that has been designed or developed must fulfill the requirements of its intended use; this is most likely reviewed once the deliverables have been achieved. An example is testing under operating conditions, in order to validate that the product/service meets the customer’s requirements and covers all outputs, including potential risks of use. Conducting reviews post verification and validation in order to iron out any potential issues – these are all critical requirements of design and development controls and must be documented.
- Outputs – It is the outcome of the Design and Development process. Typical examples of outputs include conceptual designs, technical/engineering drawings, product specifications, manufacturing instructions, bill of materials, information for purchasing, and other subsequent processes. The output must meet the input requirements, i.e. it has achieved the intended results. The organization must determine that they can move forward in the project using the outputs, and must confirm any necessary equipment for measuring and/or testing and the acceptance criteria.
- Changes – The organization must have an established formal process for controlling design and development changes throughout the project and during reviews. The changes have to be documented and the results of design and development reviews communicated. There has to be a person of authority to authorize the changes. The process must include a mechanism to identify the most up-to-date revisions and mitigate the risk of using superseded versions. Examples of this can be version no. / revision no. / authorization control on drawings, a design/drawing register, engineering change notes, etc.
8.4 Control of externally provided processes, products, and services.
This clause refers to purchasing. Purchasing includes products and services you acquire from suppliers and outsourced processes. ISO 9001:2015 expresses “suppliers” and “Outsourcing” as external providers of products and services. “Purchasing” and “Purchased products” are referred to as “Externally provided products and services”. Clause 8.4 Control of externally provided products and services addresses all forms of external provision, whether it is by purchasing from a supplier, through an arrangement with an associate company, through the outsourcing of processes and functions of the organization, or by any other means. The organization needs to establish and document criteria for supplier selection, which include how crucial the purchased product or service is to the quality of your product. The results of the supplier evaluation must be recorded. The organization is required to take a risk-based approach to determine the type and extent of controls appropriate to particular external providers and externally provided products and services. In order to ensure that externally provided processes, products, and services do not have an adverse effect on the conformance of the organization’s products and services, the organization needs to establish controls including verification and other activities. As part of the controls, the organization needs to communicate to external providers its requirements for:
- the processes, products, and services to be provided
- the approval of methods, processes, and equipment
- verification or validation of the activities that the organization intends to perform
- Type and extent of control
The organization must evaluate the critical suppliers against a fixed set of criteria. The criteria can include technology, quality, responsiveness, delivery, cost, and environmental impact. As the organization uses these suppliers, it will need to monitor their performance against its requirements. It takes some effort to ensure that the suppliers are performing, but it is time and resources very well spent. As the organization regularly talks with critical suppliers about the issues and requirements, a relationship will be built, one which will be mutually beneficial in the long term. The organization must ensure outsourced processes are controlled. It must define the controls for the supplier. These controls could be defined through purchase orders, in agreements, or in contracts. In addition, it needs to control the actual product or service it purchases. It could ask for a certificate of conformance, or a test report, or a third-party test. The organization is not required to have “one-size-fits-all” controls for all suppliers. For the critical suppliers that pose a significant risk to the organization, it needs to put tighter controls in place. For others – not so much. Also, it must ensure that suppliers meet local laws and regulations, and it needs to inspect the product or service from the supplier.
2. Information for external providers
This is about ensuring that third-party suppliers and subcontractors have a clear understanding of what they are expected to supply. This is typically done with a purchase order but it could also be by contract or agreement. Other methods of spelling out requirements for suppliers can be inspection and test plans, work briefs, statements of work, and even forecasts.
8.5 Production and service provision.
This clause is an expansion on previous requirements, e.g. documented information to specify intended results and to determine the nature and extent of any post-delivery (after-sales) activities. The production and service provision process needs to be performed under controlled conditions that will ensure that the product or service delivered is compliant with initial requirements. This includes a sufficient level of documentation, like procedures, work instructions, and records, monitoring and measurement equipment, appropriate infrastructure, etc. The organization must use suitable means to identify outputs when it is necessary to ensure the conformance of products and services. When traceability is a requirement, the organization needs to control the unique identification of outputs and retain documented information necessary to enable traceability. In cases when the organization uses property belonging to a customer or external provider, it is required to identify, verify, protect, and safeguard this property. When the property of the customer or external provider is lost or damaged, the organization will have to report to the owner and retain documented information on what has occurred. The decision on the extent of post-delivery activities will be affected by the following:
- statutory and regulatory requirements
- potential undesired consequences related to products and services
- lifetime, use, and the nature of the products and services
- customer requirements and feedback.
In case of changes in the production and service provision process, the organization must review and control the changes in order to ensure continuing conformity with the requirements.
- Control of production and service provision: The organization must carry out the activities to provide products or services under controlled conditions. The common controlled conditions that should be used include documented information for products and services, suitable monitoring and measurement resources (including equipment), suitable infrastructure and environment, competent persons, validation of the ability to achieve results, actions to prevent human error, and activities controlling product release, delivery, and post-delivery. As with all other processes, these do not need to be documented procedures unless non-conformances would occur if the procedure was not written down.
- Identification and traceability: Many industries, such as the food, aerospace, and automotive industries, require the ability to have specific identification of items, and the ability to trace the elemental parts that make up the items. This is normally used when there is a failure of an internal component and you want to know what other items contain components from the same batch of parts. In short, when this is appropriate it needs to be controlled. The organization must also have a method of telling the status of a product or service through the operation process. For example, is a piece of software tested for functionality, is a product tested and ready for use, or is a service ready to be used?
- Property belonging to customers or external providers: This requirement is very important if the organization uses customer or supplier property. It can come in many forms, such as piece parts that will become part of the delivered product, special equipment to perform specific testing for the customer, or even proprietary information that is needed to design and deliver the product or service. When a customer or other party has given the organization any property to use in supplying their needs, that property must be protected from unintended use, and there must be a way of dealing with that property, with the external party's involvement, should there be a problem with it. Records of this activity need to be maintained to give an accurate account of customer or external provider property. In fact, personal data that is provided by the customer and supplier would also need protection.
- Preservation: For products or services, there is a need to use proper handling throughout the process to make sure it does not degrade, including through delivery to the customer. These actions will vary widely depending on the product, but could include such things as reducing moisture exposure on metallic parts that could rust, ensuring electronic media storage is maintained so that a software program is not degraded during delivery to the customer, proper cleaning of parts that are affected by contamination, marking and labeling for safety warnings, and using stock in order of receipt (often called first in-first out or FIFO) for stock that can degrade over time.
- Post-delivery activities: Sometimes there is a need to perform activities on the product or service after it has been delivered to the customer. While the requirements for what needs to be done can vary greatly from one product or service to another, the organization needs to consider statutory and regulatory requirements, any undesired consequences of the product once in use, the nature and lifetime of its products and services, customer requirements, and customer feedback. Taking these into account will give you an idea of what needs to be done after delivery, such as warranty provisions, maintenance services, or even recycling and final disposal services.
- Control of changes: If it is necessary to change your production and service provisions, the organization must make these changes in such a way as to protect the continued conformity of the product and service requirements. These changes need to be planned and documented to demonstrate that the change was properly authorized and implemented. This change is about the processes you have in place to provide the products and services.
The release of the products and services shouldn’t be performed until the organization ensures that the products and services are conforming to the requirements. Demonstrating the conformance can be done by documenting evidence of the conformance, which includes criteria for the acceptance and information about the person who authorized the release of the product or service. Just ensure you implement checks that the product and service are delivered as expected (e.g. commissioning paperwork, customer satisfaction/feedback, and signatures).
Nonconforming outputs must be prevented from unintended use or delivery, so the organization must identify and control nonconforming outputs that emerge from any phase of production or service delivery. Depending on the nature of the nonconformity, the organization can take one or more of the following actions:
- segregation, containment, return, or suspension of the provision of products and services
- informing the customer
- obtaining authorization for acceptance under concession
Conformity to the requirements must be verified when the nonconforming output is corrected. The organization also needs to keep documented information that describes the nonconformity, the action taken, concessions obtained, and the authority deciding the action with respect to the nonconformity. You do not need a documented procedure any longer to detail how you will deal with things that go wrong but you do need to do the following:
- Fix it.
- Remove it if necessary.
- Tell the customer.
- Ask them to accept it.
You should record what you do when things go wrong:
- What was wrong.
- What you did as a result.
- What concessions you gave (e.g. did the customer accept it but you altered the cost).
- Who had the authority to make the change.
The section on evaluation includes monitoring, measurement, and analysis, internal audits, and management review. Requirements for monitoring, measurement, analysis, and evaluation are covered and you will need to consider what needs to be measured, methods employed, when data should be analyzed and reported on, and at what intervals. Documented information that provides evidence of this must be retained. There is now an emphasis on directly seeking out information that relates to how customers view the organization. Organizations must actively seek out information on customer perception. This can be achieved in a number of ways including satisfaction surveys, analysis of market share, and complaints lodged. There is now an explicit requirement that organizations must show how the analysis and evaluation of this data are used, especially with regard to the need for improvements to the QMS. As with other ISO standards, internal audits must also be conducted. There are requirements relating to defining the ‘audit criteria’ and ensuring the results of the audits are reported to ‘relevant’ management. Management reviews are required. Documented information must be retained as evidence of management reviews.
9.1 Monitoring, measurement, analysis, and evaluation.
There is a new requirement to obtain information relating to customer views and opinions of the organization. This requirement should not be equated with the requirement for managing equipment for monitoring and measuring from clause 7.1.5 of the standard. This is about a wider aspect of monitoring and measuring. Information derived from monitoring, measurement, and analysis represents inputs in the process of improvement and management review. The organization needs to determine what needs to be monitored and measured, how, and when, as well as when the results will be analyzed. It is required to measure your own performance as a supplier in order to get information about users’ observations, and the extent to which you fulfilled their requirements. Monitoring customer satisfaction levels must be a constant activity in order to determine trends, and because opinions about your performance can change. Information about customer satisfaction can be collected via phone, interview, or questionnaire, direct contact with the user in the field, etc. Once the monitoring and measuring are performed and the results are gathered, the organization needs to analyze the results in order to evaluate the conformity of products and services, degree of customer satisfaction, the performance of the QMS, the effectiveness of actions taken to address risks and opportunities, the performance of external providers, and the need for improvements to the QMS.
9.2 Internal Audit.
There continues to be a need to carry out internal audits and to do it effectively. The goal of an internal audit is not to determine nonconformity; its goal is to check whether your QMS:
a) complies with the requirements of ISO 9001 and the requirements of your organization
b) is effectively implemented and maintained
There is no need for an internal audit procedure but it may be useful to keep it. You do need to define audit criteria. There is more emphasis on how audits are done, how feedback should be taken, and on audit findings being corrected in a reasonable time to fix the non-conformances identified, ensuring that all the right people are included in the audit outcome. At the end of the audit, you will get audit results by evaluating the data you collected during the audit. Audit results can take the form of positive findings, recommendations for improvement, and nonconformities (major and minor). Verification of actions taken to fix the non-conformity may be needed, and in that case, the next step is a follow-up audit. The audit schedule must take customer feedback into account. The organization can determine the technique for doing internal audits, and the length of the interval between two audits is up to the organization. They can determine how the organization conforms to the requirements of the QMS and those of ISO 9001. The organization can determine the manner by which it maintains the system. To conduct the audit the organization must:
- Plan the approach to internal audits based on the importance of the processes.
- For each audit, work out the scope of what will be covered. You can’t audit 100% of the process, but you do need to cover enough to be satisfied that the important issues have been captured.
- Make sure the auditors are independent of the process under audit.
- Report all findings to the relevant managers so there aren’t any surprises.
- Ensure that the corrective actions from the audit are dealt with.
- Retain the audit results in a document.
A Management Review is a formal, structured meeting that involves top management and takes place at regular intervals throughout the year. Management Reviews are a critical and required part of running an ISO 9001 Management System.
The purpose of a Management Review meeting is to review and evaluate the effectiveness of your Management System, helping you to determine its continued suitability and adequacy. At least once a year, the top-level management must review the QMS in order to determine its:
- Appropriateness – does it serve its purpose and satisfy the needs of the organization?
- Adequacy – does the QMS conform to standard requirements?
- Applicability – are activities performed according to procedures?
- Effectiveness – does it accomplish the planned results?
This review must evaluate possibilities for improvement and needs for changing the QMS, Quality Policy, and objectives. Considering the inputs for the management review, such as the results of the previous management reviews, changes in the context, customer satisfaction survey results, performance of the QMS and suppliers, etc., the top management must make decisions regarding opportunities for improvement, need for changes in the QMS, and resources needed for the upcoming period. A Management Review also ensures that all levels of management are made aware of any changes, updates, revisions, etc. to the day-to-day workings of the Management System itself. The organization will need to decide when it will take place, what will be discussed, and who should attend. You must document when the meetings have occurred and what has been discussed. A Management Review should cover the following topics:
- Discussion on the status of any issues from the previous meeting.
- Changes to external and internal issues that affect the Management System.
- Examination of the performance of the Management System.
- Review of available resources and their adequacy.
- Examination of how effective the actions taken towards identified risks and opportunities were.
- Identification of further opportunities for improvement.
The inputs to the Management review should be:
- Minutes of previous Management Review meeting
- Management System documentation
- Internal and External Audit Reports
- Relevant records (including customer feedback, corrective action log, etc.)
- Register of Legal and other requirements
- Complaints analysis
- Corrective and preventive actions and close-out of Management Information Reports
- Policies review
In order to keep improving your Management System, you need to be looking for trends both inside and outside of the organization. Consider looking for trends in the following areas:
- The requirements of external interested parties
- Compliance to legislation, regulations, and other requirements
- Changes to products, services, and processes
- Customer satisfaction and complaint records
- Non-conformances and the effectiveness of any corrective actions taken in response
The output of the management review includes decisions and actions related to:
- Any opportunities for improvement within the organization
- Any changes to the Management System, processes, or policies that are required
- Any revisions to company objectives or Key Performance Indicators (KPIs)
- Any amendments to business plans or budgets
- Any changes to the resources that are needed for the smooth running of the Management System
These types of changes affect day-to-day operations so it is important to keep staff informed of these changes as this will ensure that your Management System is operating effectively.
Improvement covers nonconformity and corrective action, as well as continual improvement, all of which are outlined in clause 8 of the current standard. Preventive action is replaced by “risk” under the clause of planning – improvement is now defined as a proactive planning activity. This clause starts with a new section stating that organizations should determine and identify opportunities for improvement, such as improved processes to enhance customer satisfaction. There is also a need to actively look for opportunities to improve processes, products and services, and the QMS, especially with future customer requirements in mind. However, there are some corrective action requirements. The first is to react to the nonconformities and take action, as applicable, to control and correct the nonconformities and deal with the consequences. The second is to determine whether similar nonconformities exist or could potentially occur. The requirement for continual improvement has been extended to cover the suitability and adequacy of the QMS as well as its effectiveness, but it no longer specifies how an organization achieves this.
Your organization should actively seek out and realize improvement opportunities that will better enable it to achieve the intended outcomes of its management system. Potential sources of improvement opportunities include the results of analysis and evaluation of quality performance, compliance, internal audits, and management reviews. The actions for improvement can be in the form of corrective actions, training, reorganization, innovation, and so on. Improvement can be achieved through corrective actions. It can be achieved incrementally over time by a step change. It can be a breakthrough process achieved through innovation or by reorganization and transformation. There is now a requirement for organizations to focus clearly on customer satisfaction and customer needs, not only that but to look for ways to improve:
a) products and services, now and for the future;
b) fixing and controlling issues to reduce things going wrong;
c) improving the QMS.
There is no requirement for a procedure on preventive action. This term is removed.
10.2 Nonconformity and corrective action.
Any nonconformity needs to be reacted upon by taking actions to control it and deal with the consequences. Once identified, a nonconformity should trigger a corrective action in order to remove the cause of the nonconformity and prevent its recurrence. The effectiveness of actions taken must be evaluated and documented, along with the originally reported information about the nonconformity / corrective action and the results achieved. We must also record the nature of nonconformities. On discovering a nonconformity, an explicit requirement is introduced for organizations to determine whether other similar nonconformities actually exist, or could potentially exist.
When something goes wrong you must:
- react to it by:
  - doing something / taking action / fixing it;
  - dealing with the impact it had (e.g. upset customer).
- evaluate what went wrong to prevent it from happening again and check there are no other similar issues that could happen.
The key now is to update risks and opportunities. Keep records of all non-conformities, what you did to resolve them, any additional measures you implemented, etc.
Continual improvement is a key aspect of the QMS, to achieve and maintain the Quality Management System’s suitability, adequacy, and effectiveness regarding the organization’s objectives. There is now a clearer expectation for organizations to use data from monitoring and measuring to review the organization’s performance and that of the QMS. Organizations should use this information, analyzing it and ensuring that the QMS is adequate for the organization. The impetus for continual improvement must come from the use of, as a minimum:
- Risks and opportunities;
- Analysis and evaluation of data;
- Audit results;
- Management review;
- Non-conformity and corrective action.
Consider using the PDCA cycle (Plan, Do, Check, Act) to guide your continuous improvement efforts. Once you’ve identified the improvement action to take, you cycle through the PDCA phases by planning the action (plan), implementing what is planned (do), monitoring the process and reporting results (check), and taking any further actions to improve if necessary (act).
If you need assistance or have any doubts and need to ask questions, contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.