Understanding Non-Applicable Requirements
Many organizations and auditors took this requirement to represent a minor change other than the fact that now non-applicability can apply to the entire standard. It became readily apparent that determining the quality management system (QMS) scope was not fully understood regarding organizational context.
ISO 9001:2015 requires the organization to determine the boundary and applicability when establishing the QMS scope. Therefore, it is important to understand how the requirements of section 4 build from an understanding of the business environment and needs of interested party into the scope and implementation of QMS processes.
The QMS scope needs to coincide with business goals by understanding and taking into account both external and internal issues captured in clause 4.1. The QMS scope must consider the relevant interested party requirements referred in clause 4.2 so as to ensure requirements can be met and appropriate applicability is determined.
In addition, it is imperative that the QMS scope is appropriate to the products and services supplied by the organization thereby ensuring that it is appropriate to the business.
Doubtful Clause Non-applicability
All that said, there are some ISO 9001:2015 clause requirements where non-applicability would be near impossible to justify and 3rd party auditors should be weary and probing when they are confronted with that situation as most if not all customers provide some type of service or product.
Clause 8.1 operational planning and control required for planning, implementing, and controlling the processes for products and services.
Clause 8.2 for communicating, determining, and reviewing requirements for product and services to ensure customer satisfaction.
Clause 8.5.1 for controlling production and service provision to ensure intended results are achieved.
Clause 8.6 - for release of products and services to the customer ensuring that all requirements have been met.
Clause 8.7 - to control outputs that do not meet requirements.
Before we explain why, it is important to understand that the organizational context and proper perspective is critical when determining non-applicable requirements. Service organizations frequently distort QMS applicability for services they provide due to the context lens they view their own quality system through. For example, let’s consider Clause 8 Operations for an organization that performs engineering services to customers.
Case Study Background
Consider an engineering services organization that provides contracted engineering design and development services to their customers. The organization has 12 full-time employees and a pool of engineering contractors with Masters or Doctorate Engineering degrees.
Clause 8.1, Operational Planning and Control – The engineering services organization is required to develop a plan for providing services to the customer and controlling those activities. Will the services desired be “off-the-shelf” or include some unique customer requirements to be designed? What is the plan required for designing, procuring and delivering the engineering services?
Clause 8.2, Requirements for Products and Services – The engineering services organization will need to effectively communicate with the customer to determine requirements, price, and review the requirements for services to be rendered. What level of customization will need to be considered?
Clause 8.3, Design and Development – The engineering services organization will apply Clause 8.3 to how the organization designs and develops the services it supplies to customers. Is this an “off-the-shelf” solution or does it require some customization? How will this customization be planned and scheduled? Are there any unique customer, statutory, and regulatory requirements to be considered? Will reviews with the customer be conducted to ensure the released work products meet customer needs? Will verification and validation occur to ensure conformity of released work products? Will the work products delivered require additional contractor resources and specialized training? How will engineering service changes be controlled?
Clause 8.4, Control of Externally Provided Processes/Products/Services – Let’s focus the discussion for this clause on the acquisition of contractor services. Obviously, the organization will need to evaluate competency and skill needs so the appropriate contracting resources can be acquired. If any gaps in expertise is identified, it is expected that additional training or supplementing with resources would be required. The delivery and quality of these contractor services will need to be evaluated for effectiveness and that appropriate action is taken.
Clause 8.5, Production and Service Provision – Clause 8.5 is how the organization controls and executes the engineering services it provides for its customers. It would be expected that the clause 8.5 services would meet requirements of clause 8.3 for their customer’s QMS. Clause 8.5 provisions would include identification and control of engineering service design data and safeguarding customer intellectual property. All engineering service work product changes will need to be controlled.
Clause 8.6, Release of Products and Services – The engineering services organization will need to verify that design data meets requirements and deliver these services to the customer.
Clause 8.7, Control of Nonconforming Outputs – The engineering services organization will be required to control any nonconforming outputs.
All ISO 9001 requirements are applicable to an organization’s QMS unless the requirements do not have an effect on the organization’s ability or responsibility to ensure product and service conformity and enhanced customer satisfaction. So valid justification cannot be limited to “we just don’t want to do it” or “we don’t have the resources to do it”. A good rule of thumb is that if the organization can apply the requirement, then it shall apply the requirement.
The ISO Auditing Practices Group provides some excellent guidance regarding justification… ”When an organization makes a claim for non-applicability of a requirement, auditors need to see documented objective evidence that the following two conditions are both fulfilled:
the requirement cannot be applied
by not applying the requirement there is no effect on the organization’s ability or responsibility to ensure the conformity of its services and the enhancement of customer satisfaction.
Only if these can be proven, should an auditor accept the non-applicability.”1
An accurate and all-encompassing QMS scope is fundamental to an effective QMS. All of the requirements in section 4 set the foundation for the QMS. An organization can review the applicability of requirements due to the size or complexity of the organization, the management model it adopts, the range of the organization’s activities and the nature of the risk and opportunities it encounters.2
Often organizations attempt to justify excluding requirements rather than looking at the controls and defining effective practices for implementation.
References and Notes
1 ISO 9001 Auditing Practices Group Guidance on: Service organizations, 13 January 2016.
2 ISO 9001:2015, Annex A.5