Your Guide to Implementing ISO 9001
Benefits of Implementation
The benefits of implementing a Quality Management System which is compliant with ISO 9001 can be far-reaching. Simply adopting a process approach to operations can immediately highlight areas for improvement. Documenting processes in a meaningful way can also help with communicating quality actions and strategy to people at all levels. Inductions and training are linked directly to business objectives and people within the organization are clear on their contribution to overall performance and success.
Adopting a customer focus adds value for customers and is likely to enhance their satisfaction and loyalty. Repeat business is less costly to achieve than new business so it pays to keep your current customers happy.
Not only can a Quality Management System (QMS) enhance your customers’ satisfaction, it will also have a positive impact on your reputation. Being able to demonstrate a formal commitment to quality is often a pre-requisite for formal tendering procedures, in particular for public sector contracts. Having a certified QMS can open doors to a range of contract opportunities and therefore potentially boost your revenue and market share.
Implementing a QMS can also help you to be more efficient. Using resources (people, materials, time, money and external partners and suppliers) as effectively and efficiently as possible has a direct positive impact on profitability.
Involving the people within your business fosters deeper engagement with operations. This can lead to reduced turnover of staff, better productivity, enhanced trust and collaboration and a skilled and happy workforce.
Consistent and predictable outcomes lead to greater understanding of capability and capacity. Understanding organizational capability and capacity can help you to manage growth and the associated risks.
Focusing on root cause analysis when investigating problems ensures solutions are robust and improvements are effective. Ongoing monitoring and measuring provides evidence of the effectiveness of processes and can demonstrate the effectiveness of previous decisions and actions. (Remember the quality principle of evidence-based decision-making.)
A QMS also helps you to manage your supply chain. Encouraging strong, effective communication between parties ensures expectations and requirements are clear before everyone is committed. This leads to improvement opportunities for mutual benefit.
Risk Based Thinking/Audits
Audits are a systematic, evidence-based, process approach to evaluation of your Quality Management System. They are undertaken internally and externally to verify the effectiveness of the QMS. Audits are a brilliant example of how risk-based thinking is adopted within quality management.
1ST PARTY AUDITS - INTERNAL AUDITS
Internal audits are a great opportunity for learning within your organization. They provide time to focus on a particular process or department in order to truly assess its performance. The purpose of an internal audit is to ensure adherence to policies, procedures and processes as determined by you, the organization, and to confirm compliance with the requirements of ISO 9001.
Devising an audit schedule can sound like a complicated exercise. Depending on the scale and complexity of your operations, you may schedule internal audits anywhere from every month to once a year. There’s more detail on this in section 9 – performance evaluation.
The best way to consider frequency of audits is to look at the risks involved in the process or business area to be audited. You will want to audit any process which is high risk, either because it has a high potential to go wrong or because the consequences would be severe if it did go wrong, more frequently than a low risk process.
How you assess risk is entirely up to you. ISO 9001 doesn’t dictate any particular method of risk assessment or risk management. You may wish to review ISO 31000 for more information on risk management.
2ND PARTY - EXTERNAL AUDITS
Second party audits are usually carried out by customers or by others on their behalf, or you may carry them out on your external providers. 2nd party audits can also be carried out by regulators or any other external party that has a formal interest in an organization.
You may have little control over the timing and frequency of these audits. However, establishing your own QMS will ensure you are well prepared for their arrival.
3RD PARTY - CERTIFICATION AUDITS
Third party audits are carried out by external bodies, usually UKAS accredited certification bodies such as NQA.
The certification body will assess conformance to the ISO 9001:2015 standard. This involves a representative of the certification body visiting the organization and assessing the relevant system and its processes. Maintaining certification also involves periodic reassessments.
Certification demonstrates to customers that you have a commitment to quality.
Process Based Thinking/Audits
A process is the transformation of inputs to outputs, which takes place as a series of steps or activities which result in the planned objective(s). Often the output of one process becomes an input to another subsequent process. Very few processes operate in isolation from any other.
“Process: set of interrelated or interacting activities that use inputs to deliver an intended result.” ISO 9000:2015 Fundamentals and Vocabulary
Even an audit has a process approach. It begins with identifying the scope and criteria, establishes a clear course of action to achieve the outcome and has a defined output (the audit report). Using the process approach to auditing also ensures the correct time and skills are allocated to the audit. This makes it an effective evaluation of the performance of the QMS.
“Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.”
ISO 9000:2015 FUNDAMENTALS AND VOCABULARY
Understanding how processes interrelate and produce results can help you to identify opportunities for improvement and thus optimise overall performance. This also applies where processes, or parts of processes, are outsourced.
Understanding exactly how this affects or could affect the outcome and communicating this clearly to the business partner (providing the outsourced product or service) ensures clarity and accountability in the process.
The final process step is to review the outcome of the audit and ensure the information obtained is put to good use. A formal Management Review is the opportunity to reflect on the performance of the QMS and to make decisions on how and where to improve. The Management Review process is covered in more depth in Section 9 – performance evaluation.
Section 1: Scope
A Quality Management System is primarily intended to enhance customer satisfaction. It does this through the application of the processes determined by you as necessary for your operations, as well as the processes determined by the standard as necessary for continuous improvement. A QMS aims to assure conformity to customer requirements and applicable legal requirements.
The intention is for all requirements (clauses) of the standard to be applicable irrespective of the size and nature of the organization implementing the QMS, whether you provide a product or a service, or a combination of both.
There are times when certain clauses may become not applicable. For example, where you do not carry out any design and development activities or where measurement traceability, or any subsequent calibration of equipment, is not part of your product or service. These have previously been referred to as ‘exclusions’. However, the expectation here is that a justification will be made as to why the clause is deemed to be not applicable rather than simply being excluded from the QMS.
Section 2: Normative References
‘Normative references’ simply means any other documents which are referenced within the management system standard. In the case of ISO 9001:2015, there are many references made to ISO 9000:2015 – Quality management systems - Fundamentals and vocabulary.
This document explains the key concepts and defines the core terminology used in ISO 9001:2015. Whilst it is not mandatory to purchase ISO 9000:2015 alongside ISO 9001:2015, it can be valuable in fully understanding the purpose of a QMS and in creation and implementation of your unique system.
There is an assumption throughout the standard that each term used is understood according to its definition described in ISO 9000:2015.
Section 3: Terms and Definitions
The terms and definitions used in ISO 9001:2015 are taken directly from ISO 9000:2015 – Quality management systems - Fundamentals and vocabulary.
The key terms used throughout the standard are:
‘Product’ – this is the result of a process and may include services or advice. This is essentially what you provide to a customer.
‘Process’ – is a set of interrelated or interacting activities which uses inputs to deliver outputs. Processes are how you operate on a daily basis.
‘Interested party’ – is a person or organization that can affect, be affected by or perceive themselves to be affected by your decisions or activities.
‘Risk’ – is the effect of uncertainty. This can apply to any area of operations not just financial risks.
‘Risk-based thinking’ – is about planning your objectives and actions taking into account the known risks and their potential effects. The ideal situation is to minimise the likelihood or impact of unwanted outcomes.
‘Objective’ – is the result to be achieved. Objectives must be SMART – Specific, Measurable, Achievable, Realistic and Timely.
‘External provider’ – is any provider of external processes, products or services. This includes not only your direct suppliers of materials but also anyone to whom you outsource processes or parts of processes. For example, an outsourced customer contact service.
‘Documented information’ – is any document, record or other information which is necessary for the operation of processes or is required by the quality management system. It can include photographs, diagrams, videos, process maps, standard operating procedures and can be on any medium i.e. paper or electronic.
‘Audit’ – is a systematic evaluation of whether or not processes are adhered to and whether or not those processes meet the requirements of the standard.
‘Preventive action’ – is action taken to prevent a potential non-conformity or other undesired effect. This is usually a big part of the planning process and is helped along by activities such as process mapping, SWOT analysis and risk assessment.
‘Corrective action’ – is action taken to correct a mistake, or non-conformity, and to deal with any consequences. It should also prevent recurrence of the issue or any other potential issues.
When you write your quality management system documentation, you don’t have to use these exact terms. However, it does help to clarify the meaning and intention if you can define the terms you have used. Providing a glossary within your system documentation may be useful.
Section 4: Context of the Organization
Quality management principles have always intended to have a holistic approach to customer focus. Quality control generally only checks what has been done. Quality assurance aims to ensure what has been done is right first time.
Quality management uses the principles detailed above in the introduction to provide a ‘bigger picture’ view of business operations in order to ensure quality is built in from the start and in all areas, not just production or service delivery. Understanding the purpose and strategic direction of your organization is key to being able to establish the customer requirements and resource requirements to achieve your business objectives.
WHAT IS 'CONTEXT'?
The introduction of a formal analysis of business context has been a challenge for many organizations when implementing ISO 9001:2015. Firstly, understanding what the standard means by ‘context’ and secondly working out how to evidence this for an auditor.
So, to approach the first issue... what is context? In respect of ISO 9001:2015, context refers to a range of factors including:
In short, context describes who you are, what you do, who you do it for, why you do it and where you do it. Whatever ‘it’ is. It could be making a product or providing a service, or a combination of both.
FACTORS AFFECTING THE CONTEXT OF THE ORGANIZATION CAN BE INTERNAL OR EXTERNAL
EVIDENCING CONTEXT ANALYSIS TO AN AUDITOR
ISO 9001:2015 does not specify that your consideration of context must be documented. Your auditor will expect to find some evidence of consideration, much of which will be through documentation such as meeting minutes or business plans. However, there is no requirement for you to provide a specific document in respect of clause 4. The rest of the auditor’s assessment will be established through conversation and observation.
If you do wish to document your consideration of this clause, a SWOT analysis is often a great way of establishing internal and external context. When you pay focused attention to your Strengths, Weaknesses, Opportunities and Threats, you have a clear understanding of where positive action can be taken.
You may have heard of a PESTLE analysis:
Carrying out a PESTLE analysis for your organization (as described above) could be an effective way to evidence your consideration of external context. It may also bring up issues you hadn’t previously considered. External issues can often fall outside of your control as an organization.
Understanding these issues and their potential impact on your operations contributes to a thorough assessment of risks and opportunities. Do you know what you would do if your landlord suddenly served you notice to leave your premises? How would a change in legal requirements affect your overheads? What are your competitors doing and should you also be doing the same (or better)?
An interested party is pretty much anyone who is affected, can be affected or can perceive themselves to be affected by an action or omission of your organization. If you’ve carried out a thorough analysis of internal and external context, your interested parties are likely to be already quite obvious. They will include shareholders, landlord, regulators, customers, employees and competitors and may extend to the general public and the environment depending on the nature of your business.
You don’t have to try to understand or satisfy their every whim. That wouldn’t be very practical! You simply have to determine which of their needs and expectations are relevant to your quality management system. What are their key expectations of you and your products/services? How can you incorporate these into your processes and monitoring to ensure optimum performance?
SCOPE OF THE MANAGEMENT SYSTEM
The scope of your management system refers to the physical and / or geographical site within which your operations take place, the products/services included in the QMS, the relevant parties and any areas which you have determined to be not applicable. Your scope statement must be maintained as documented information.
Your scope statement may look something like this:
“Joe Bloggs and Co provide <products / services> for <customers> in <industry>. The quality management system is designed to incorporate all operations at our site in <town/city> with all clauses of ISO 9001:2015 determined as applicable.”
Section 5: Leadership
Previous editions of ISO 9001 referred to Management. ISO 9001:2015 talks about Leadership. Leadership in this context means active involvement with the QMS, aligning its objectives with overall business strategy and promoting the adoption of risk-based thinking, the process approach and evidence-based decision-making.
These are not actions which can be delegated. An external auditor will expect to discuss leadership with those who manage the organization at the highest level (i.e. your ‘top management’).
Leadership is a term open to interpretation. Leadership in terms of your quality management system refers to promoting the system, the process approach and risk-based thinking; ensuring quality objectives are compatible with the strategic direction of the organization; providing the right resources to achieve these objectives; and communicating the importance of the QMS and engaging and supporting people within the organization to contribute effectively to the QMS.
ISO 9001:2015 also refers to leadership at all levels within an organization. This means allowing experts within your organization to develop and demonstrate their own leadership abilities.
The primary focus of ISO 9001 is customer satisfaction. As such, top management are also expected to demonstrate leadership and commitment to customer focus. Carrying out the assessment of context described above helps to ensure all relevant customer and legal requirements are considered and maintained.
A key action in terms of leadership is to set a quality policy which supports the achievement of your objectives. This might include how you select suppliers or partners, how you recruit and train your staff, how you monitor and measure process performance and how you ensure all applicable requirements are satisfied. Your quality policy will also include a commitment to the continual improvement of your quality management system.
ROLES AND RESPONSIBILITIES
ISO 9001:2015 doesn’t specify a requirement for a nominated quality representative. The expectation is that quality activities will form part of the day-to-day activities for most people within the organization. It may help to review your existing job descriptions to ensure these activities are included along with details of where the role has responsibility and / or authority relating to the QMS.
Of course, it makes sense to nominate someone, or a small team of people, to be the main point of contact for the QMS. It certainly makes life easier for an external auditor to have a clear point of contact. However, this is by no means an opportunity for the commitment to be diluted. The point of contact must have suitable authority to manage the system and make continual improvements as determined by the top management.
Section 6: Planning
Clause 6 is all about planning. If you’re not a natural planner, this can seem quite daunting! Effectively, this is the ‘preventive action’ that you may have heard referred to in previous versions of ISO 9001. The difference in this most recent update is its promotion to much nearer the beginning of the standard (it used to be tacked on to the end, like an afterthought).
If you’ve been thorough in your assessment of context and the needs and expectations of interested parties, then the potential risks and opportunities will likely have made themselves quite apparent. You’re looking to answer the following questions:
- What are we trying to achieve?
- What could stop us from achieving our objectives?
- How will we address these issues?
- How can risks be turned into opportunities?
- How can opportunities help us to improve?
- Who will be responsible for actions?
- When will we need to take action by?
- How will we know whether our actions were effective?
Addressing risks and opportunities and achieving your quality objectives require an action plan.
Objectives need to be:
- Aligned with your quality policy
- Relevant to the conformity of your products / services
Quality objectives also need to take account of the requirements which you identified in your analysis of interested parties (i.e. they need to meet customer requirements as well as legal / regulatory requirements).
Quality objectives must be communicated and they must be updated as necessary. This is an area where you are expected to maintain documented information.
An effective way to communicate quality objectives is to include them in induction training, display them around your site or electronically via an intranet or similar, or incorporate them into supplier contracts (if it’s appropriate to share them outside of your organization).
Your action plan should include:
- What will be done
- What resources will be required (to the best of your understanding at the time)
- Who will be responsible for the actions
- When actions will be completed
- How results will be evaluated
Putting these into a simple matrix can help to clarify the objectives. However, if you already record this type of information somewhere else, there is no need for you to duplicate it.
When you’ve put so much time and effort into all this planning, it would be a shame for an inadvertent change to mess it all up!
In light of this, clause 6.3 expects that any changes that you determine are necessary to the quality management system are carried out in a planned manner. This should take into account the extent of the changes deemed necessary, the potential impact on the existing system, how you will resource the changes and any effect this may have on current roles, responsibilities and authorities.
Section 7: Support
Clause 7 concerns itself with resources. This applies to people, infrastructure and environment as much as physical resources, materials, tools etc. There is also a renewed focus on knowledge as a significant resource within your organization. When planning your quality objectives, a major consideration will be the current capacity and capability of your resources as well as those you may need to source from external suppliers / partners.
Simply, do you have the right people with the necessary skills / attributes in appropriate roles? If you’re currently missing some specific skills, how do you plan to address this? Will you recruit or will you outsource? If you’re outsourcing, how will you communicate your requirements to your supplier / partner? (more on this later in this section).
This includes determining, providing and maintaining the premises, hardware, software, transportation, storage, technology etc that are needed to carry out your business operations. Ensuring you can cope with customer demands can be helped by the work you did to address clause 4 and clause 6.
This isn’t referring to the great outdoors. This means providing an environment that is suitable for what you are trying to achieve. Whether that is a factory, office, studio or any other type of working space, make sure you have the right atmosphere to enable you and your employees to operate effectively. Adequate heat, light, airflow, hygiene, noise levels etc all contribute to an effective working environment.
This can also include addressing some of the softer elements such as employee wellbeing, stress-reduction, clear lines of reporting, employee appraisals, rewards systems etc.
MONITORING AND MEASUREMENT RESOURCES AND TRACEABILITY
If measurement traceability is an important factor in your product / service delivery then you must ensure that all monitoring and measuring equipment is fit for the activities undertaken and is suitably calibrated and maintained. You must maintain documented evidence of such equipment being fit for purpose.
There are many lessons learned along the way in business. Many of these lessons can only be learned through experience and having been present at the time. This type of knowledge becomes invaluable to the organization so it makes sense to capture and share this learning.
Keeping records of project plans, product developments, customer feedback, testing records, prototypes, etc all contribute to capturing and sharing internal organizational knowledge.
If you maintain a CRM (Customer Relationship Management tool) then you can also use this as a medium for capturing and sharing knowledge. Circulating meeting minutes, project de-briefs and process documentation also provides an opportunity to share essential organizational knowledge.
FORMAL LEARNING AND DEVELOPMENT
Sometimes it may be necessary to acquire additional knowledge to enhance understanding. This could be acquired through formal external learning and development. In which case, ensure you keep training records and note any expiry dates and plan refreshers if applicable.
Another way to acquire additional knowledge can be through specific recruitment. If you choose this route, it can really help to have a clear job description and person specification. This helps to avoid being distracted away from the core skills / knowledge that you wish to attract and can ensure the new recruit can see how they contribute to the QMS from outset.
COMPETENCE AND AWARENESS
We all know that training doesn’t always equal competence. If you implement training, or you recruit people with specific qualifications, have in mind how you intend to assure competence in the role. This could be through observations, appraisals, samples of work produced, a buddy / mentor system or more formal testing.
Ensure you keep records of competence assessments along with evidence of training / qualifications.
Awareness can be addressed through ensuring your QMS is explained during recruitment and induction, at regular appraisal or review meetings with line management, and through regular meetings and / or communications relating to quality objectives and progress towards them. The chances are you already do this, so don’t feel the need to implement anything over and above.
Utilise your existing communication channels, methods and frequencies. Tailor your communication to your audience to ensure everyone knows what they need to know. Consider who will be responsible for general communication, such as website content and general marketing. Consider who will be responsible for specific communication such as customer / client liaison, product specific literature and the relevant needs of the intended audience.
It’s also worth considering incoming communication. Who is responsible for receiving legislative updates within your organization and making sure they are disseminated to relevant people? Who handles customer enquiries
The standard refers to areas where you must “maintain” documented information and others where you must “retain” documented information. Put simply, maintain means that you must keep it up to date, for example your quality policy and quality objectives. Retain means you must keep records as evidence that you have satisfied that particular requirement.
Version control is an important part of managing documentation. You don’t need to create a fancy system or spend a fortune on clever software. You simply have to ensure that all documents relating to your QMS are easily identifiable, are in a suitable format, are protected from unintended alteration or destruction, and are available to the right people in the right version at the point at which they are needed.
Section 8: Operation
So, after all the planning and risk assessment, we’re ready to move on to the “do” stage. Clause 8 is all about having appropriate control over the creation and delivery of your product or service.
The first step is to ensure you have fully understood all the requirements for your product or service. This will involve liaising with customers as well as implementing measures to ensure all applicable legal requirements are met. It is essential that you determine and review your organization’s ability to meet the necessary requirements before you commit to anything.
If you carry out any kind of quoting process, complete tender documentation or submit project plans before you and your customer commit to the work, then this is all suitable evidence of a thorough review of capability to meet requirements. There’s no need to do anything additional.
If there are any subsequent changes to requirements or to the product or service agreed, you will need to ensure these are properly recorded and authorised. You also need to ensure the changes are adequately communicated to any relevant parties such as suppliers or partners.
DESIGN AND DEVELOPMENT
Design and development used to be considered only applicable in manufacturing situations. Arguably, services, as much as products, are designed and developed to achieve a set of objectives or outcomes for the customer. When designing your product or service, you need to consider the process stages, reviews, authorisations and sign-off, how you will validate and verify the effectiveness of the product or service, the intended life-cycle of the product or service and any post-delivery support you may provide.
You may also need to consider how you will interact with your customer during the design and development process. How involved do they need to be?
ISO 9001:2015 doesn’t dictate that you have to follow any specific process. It’s best to start by documenting what you currently do. Then work from there to see if any improvements are required.
DESIGN AND DEVELOPMENT INPUTS, CONTROLS, OUTPUTS AND CHANGES
When designing or developing your product or service, you will need to consider the legal requirements, any other standards that may apply, the potential consequences of failure and anything you have learned along the development journey.
You will be required to retain documented information on design inputs. Design and development controls refers to any touch points along the design process where validation, verification, testing, authorisation or any form of sign-off or acceptance may be required.
You will be required to retain documented information on design and development control activities.
Once you have determined the design inputs and the necessary controls to assure conformity, you will then need to ensure your outputs meet those requirements. This is the place where you would also keep records of monitoring, measurement, traceability (e.g. of materials or measurements) and acceptance criteria.
This could be in the form of a bill of materials, technical specification or handbook, user guide, process manual, system guide or service level agreement.
Any changes to the design and development of the product or service must be identified, controlled, recorded and communicated to ensure the product or service conforms to the customer and other applicable requirements along with clear authorisation for the changes.
MANAGING EXTERNAL PROVIDERS
Let’s face it, not many of us operate in isolation from other organizations. There is such a wide range of business services available these days that it’s likely you outsource some of your operations or at least rely on a couple of key suppliers to keep things running smoothly. It’s essential that you manage these relationships to mutual benefit.
Your QMS is mainly concerned with external providers and suppliers where their products or services are incorporated with your own. For example, where you outsource a customer helpline, where you buy components for your products or where you sub-contract the fitting or servicing of your products. It’s not so bothered with the purchase of every-day office consumables, although from a financial perspective it pays to keep a good relationship with these types of suppliers too.
During your considerations of context, interested parties and risks and opportunities, you may find that some suppliers or partners feature quite heavily. These are the ones you need to focus on managing. Do you have an alternative lined up in case of failure of your preferred supplier or partner? Just what will be the impact of a failure on your ability to meet your customer requirements?
Once you understand the potential impact of the actions or failures of these suppliers / partners then you can put appropriate controls in place to mitigate the risks. Perhaps you will visit their premises and carry out a 2nd party audit, or you could build specific controls and review points into contracts and/or service level agreements.
You may find it helpful to categorise your suppliers / partners and highlight the ones which are critical to your operations.
UNDERSTANDING YOUR OPERATIONAL PROCESSES
A simple way to bring together all the necessary steps, resources, risks, monitoring and measurement of your operational processes is through process mapping. By documenting the start and end points, steps, responsibilities and check-points along the way, you can be assured that all customer and applicable requirements are taken into account.
Process maps, or standard operating procedures, also make great tools for training your employees and ensuring all roles understand their contribution to the QMS. Understanding how your processes interrelate is also a key part of implementing a coherent quality management system.
With the right amount of planning and consideration, failures and non-conformances should be minimal. However, they can and do still occur. If at any stage of a process something goes wrong, you need to be able to identify this issue, isolate it and where possible prevent it from reaching the customer.
You might prevent a non-conforming product or service from reaching your customer through immediate correction, quarantine or by obtaining a concession from the customer.
If an issue is identified after the product or service has been released to the customer, then you may need to be able to implement a product recall or at least identify who received the faulty goods or services. Traceability is key here so your records need to be clear and up to date.
You will need to retain documented information on non-conformities including what happened, what remedial actions were taken, any concessions obtained and who authorised actions to resolve the issue.
Section 9: Performance Evaluation
There are three main ways in which performance of a QMS is evaluated. The first is process monitoring and customer feedback, the second is internal audits and the third is the management review.
As an organization you will need to decide what you need to monitor in order to be assured that your processes are operating as intended. You will also need to establish how often you will monitor, what resources will be required and how results will be recorded, analysed and evaluated. This often results in a series of Key Performance Indicators (KPIs) which relate directly to your quality objectives (set in section 6). You will need to retain documented information as evidence of the results of performance monitoring.
As the primary focus of ISO 9001:2015 is customer satisfaction, it makes sense that this is a key source of information on the performance of the quality management system. Obtaining customer feedback on how they perceive their needs and expectations to have been fulfilled can be achieved through both formal and informal measures. For example, you may carry out a formal customer survey periodically, or you may monitor informal feedback such as repeat business, warranty claims, complaints and compliments, and conversations with customers.
ISO 9001:2015 determines that internal audits must be carried out at planned intervals. It is for you, the organization, to decide what those intervals should be. As an indication, you may wish to audit all processes at least once across an annual period, with higher-risk processes being audited more frequently. The purpose of internal audits is two-fold: firstly, to check that the management system conforms to the requirements specified by you, the organization, as necessary for your operations; secondly, to ensure conformity to the requirements of ISO 9001:2015.
Audit frequency should also be influenced by the results of previous audits and any changes which you are aware may affect the process. So, if you have a problematic process or area, it would make sense to audit it more frequently for a while until a solution is implemented and has been seen to be effective.
Internal audits are a great opportunity to spend some time investigating a specific process or area and evaluating its performance. It is an ideal way to find areas for improvement and to fix potential issues before they occur. Think of internal audits as keeping your finger on the pulse of your organization. Internal audit findings must be reported to relevant management and naturally form part of the management review agenda.
Where necessary, corrective actions must be taken without undue delay. If a long-term fix requires significant planning and maybe funding approval, consider whether a short-term fix is possible and appropriate.
Management review is an essential element of a quality management system. It is the formal point at which top management review the effectiveness of the QMS and ensure its alignment to strategic direction. Management review must take place at planned intervals and an agenda of inputs is specified within clause 9.3.2.
It is not essential for one single management review meeting to take place covering the full agenda. If you currently hold a range of meetings that cover the inputs between them, there is no specific need to duplicate.
However, you may find that a big-picture view is made easier by considering the management review inputs in one meeting rather than separating them. It really depends on the size and structure of your organization and who attends each of the meetings.
Management review meetings commonly take place as an annual event; however, much like internal audits, their frequency is not specified by ISO 9001:2015. It’s up to you to decide. During implementation and the early stages of settling in to your QMS, it may make sense to hold meetings more frequently.
You will need to retain documented information on your management reviews. These would normally be meeting minutes or perhaps call recordings if you carry out conference calls.
Section 10: Improvement
As we know, the primary focus of ISO 9001:2015 is customer satisfaction. Using the knowledge and evidence gathered through effective monitoring and measuring of processes, the next step is to make improvements to enhance customer satisfaction. These could be improvements to your products or services, to the methods and resources used or to the quality management system itself.
Having checked during internal audits and management reviews that you are measuring and monitoring the right things, this is now your opportunity to adjust the system as you see fit. If you’re sure you’re meeting all current customer requirements, are there amendments you need to make to address future requirements? Are there any areas where you could be more efficient? Perhaps these have been highlighted by your internal audits.
Was any corrective action taken effective at preventing the problem from recurring? If you went for a short-term fix, this is now the time to work on your long-term improvements to solve the issues.
When a non-conformity does occur, including complaints, you will need to make sure you keep a full record, including what happened, what actions were taken at the time and the results of any further corrective actions implemented. You will need to retain documented information in respect of non-conformity as evidence for your external auditor.
If you already have a system for recording these things, there’s no need to create a new one. Provided you are recording all the necessary information as determined by ISO 9001:2015, your existing records should be sufficient.
Continual improvement is a requirement of ISO 9001:2015. However, it doesn’t mean that you must make improvements all the time just for the sake of it. Having your quality objectives aligned with your strategic direction provides unity of purpose and ensures that actions throughout the organization are working together towards the same goal.
A thorough analysis of customer feedback will provide you with ample opportunity to find areas for improvement of products and services. Analysis of process performance provides evidence of areas where efficiency improvement may be made. Process-based audits provide you with a spotlight on areas where processes and responsibilities cross over. These are often places where things can get missed, so don’t get caught out working in silos.
ROOT CAUSE ANALYSIS
An important part of corrective action is to carry out a root cause analysis in relation to the issue that occurred. If you don’t get to the bottom of why or how it happened, then it’s likely whatever fix you implement will not be fully effective. A simple approach such as “5 Whys” is a good root cause analysis tool. You start with the issue, then ask “Why” enough times to reach the root cause. Usually 5 times of asking is enough but for more complex problems you may need to dig deeper.
Problem statement: Packing line 1 was out of action for 2 hours today.
Why? Because the roll of packaging got tangled up in the machine.
Why? Because it wasn’t fitted correctly into the machine.
Why? Because the operative wasn’t properly trained.
Why? Because they were an agency worker who had only just started.
In this example, 4 times of asking why is enough to get to the root of the problem. There are a number of solutions which could be implemented here including not putting new or agency workers on that specific job role. It’s clearly a simplified example; some problems will be much more complicated and will require intricate analysis of detail to fully understand what went wrong. However, only by establishing the root cause can we be assured that corrective action can be effective and we can work to prevent similar issues occurring elsewhere.
Get the Most From Your Management System
Top tips to get the most out of your quality management system:
Start with “Why”. Make sure your reasons for implementing a QMS are aligned with your strategic direction otherwise it may become unsustainable.
Get everyone involved. They don’t all have to become decision-makers but make sure you communicate as relevant to everyone. Engagement is key to success.
Make sure your quality objectives are SMART (Specific / Measurable / Achievable / Realistic / Timebound).
ISO 9001:2015 doesn’t prescribe any specific method of risk assessment so implement a strategy that works for you and is relevant for your organization.
ISO 9001:2015 doesn’t prescribe the creation of a quality manual. However, you do need to consider where you will contain your quality documentation, policies and procedures. They can be in any format, soft or hard copy.
Protect electronic documents from unintended alteration or destruction using access permissions and make sure you have back-up copies.
Write your quality policy in such a manner that you are happy for it to be seen by anyone and everyone. A copy is likely to be requested in formal tendering procedures.
Process documentation doesn’t have to be all written. You can use images, videos, models and prototypes to bring them to life. Making them meaningful and accessible to all your employees will boost engagement and adherence to planned processes.
Review your monitoring and measuring activities regularly to ensure you’re monitoring and measuring the right things. These activities should be providing you with useful business intelligence that can inform the way you operate.
There is no substitute for commitment from top management. An effective QMS is promoted, supported and engaged with by the highest level of leadership.