ISO 9001:2015 continues to model itself after the Plan-Do-Check-Act (PDCA) model for continual improvement. The idea behind this is to first Plan or establish your Quality Management System (QMS). Once the QMS is established, we then want to implement it (the “Do” stage). After we have allowed the system to run for some time, we then need to check it to see how effective our system is.
ISO 9001:2015 Quality Management System is a framework for setting up a QMS that works best for your company.
With the release of the ISO 9001:2015 standard came an update to the structure of all ISO standards. ISO 9001, along with all other ISO standards, now follows the new Annex SL – Structure. This means that that ISO 9001 has the following structure:
- Normative References
- Terms and Definitions
- Context of the Organization
- Performance Evaluation
The first 3 sections in the standard are really setting the intent for what the standard is trying to accomplish. The true requirements of ISO 9001:2015 starts with Section 4.
Here is a quick breakdown of each section 4-10 and what the standard is trying to accomplish with these sections.
Section 4: Context of the Organization
We often get asked what the Context of the Organization is because the wording is not intuitive. This section really is the foundation of your Quality Management System and the foundation of the business.
This section asks a few core questions:
- Who are my interested parties? In other words, who is impacted by what we do? This can include customers, employees, stakeholders, regulatory agencies, etc. Ultimately, you want to identify what you need to do to make all these groups happy.
- What are my internal and external concerns? These concerns are your true business risks. What you are trying to identify here is what are the concerns for each of the interested parties you identified. You want to identify risks where you could fall short on these concerns and close those gaps. That will be further discussed in Section 6.
- What is included in my ISO 9001 Quality Management System?
- What is the scope of my QMS: What processes, equipment, products, services, etc. are part of my QMS.
- Is there any part of the standard that doesn’t apply? If there is a section of the standard that doesn’t apply to you, you are able to exclude it. For example, if your company doesn’t do design, you can exclude it from your QMS scope for certification.
- What are the boundaries of my QMS: What buildings, locations, etc. are included in my QMS. You are able to decide if you only want one location included or possibly even one piece of equipment. It’s up to you to decide.
Section 5: Leadership
With the ISO 9001:2015 standard, there is much greater emphasis on ensuring leadership is involved in the management system and responsible for the areas under their control.
Previous versions of the standard often required a QMS Management Representative to be in charge of the Quality Management system. The problem with this is that in many cases, that person ended up being responsible for the entire Quality Management System. They would often manage the QMS with little to no involvement from other managers or leaders within the organization. The QMS became an isolated system that ultimately ran separate from the business operations.
ISO 9001:2015 aimed to fix this issue by requiring leadership to be more involved. The ISO 9001 standard sets certain commitments that leadership must meet and there is no longer a requirement to have a management representative.
Leadership is expected to be fully involved in the QMS and responsible for their department’s role in the QMS. This is further identified through the Quality Policy and Roles & Responsibilities identified in Section 5.
Section 6: Planning
Once you have identified what should be included in your quality management system, who the interested parties are and what their concerns are, it’s time to evaluate the risks or opportunities they present.
The ISO 9001 standard does not require a formal risk assessment process, such as a Failure Mode & Effects Analysis (FMEA), but it does require you to evaluate the organizations internal and external concerns to identify relevant risks and opportunities.
The main thing here is to determine what controls you have in place to address these risks and what controls may need to be implemented. The more significant risks are the ones that should feed into your Quality Objectives. The idea here is to continually improve over time by continuing to reduce the potential impact of the highest risks. Once those risks are controlled, you move on to the next highest risks.
As changes occur within the organization, from changes to processes, adding equipment or changes to production volume, it’s important to evaluate the impacts that these changes can have on the business. This is where the management of change process comes into place.
Section 7: Support
This section of the standard is all about making sure you have the resources necessary to cover the management system. It starts with the proper facility resources, including internal environment, space, etc. From there, the standard ensure the employees are aware of the necessary quality requirements and trained on their applicable responsibilities.
ISO 9001 requires proper communication with all relevant parties. What needs to be considered is how quality requirements are effectively communicated to anybody who either has the potential to impact the quality management system or can be impacted by it.
The last part of this section requires the quality management system documentation to be controlled. The organization needs to ensure that the documentation in use by employees is the most current and is controlled at the point of use. Records from the quality management system need to be maintained for a specific period of time.
Section 8: Operations
The controls identified in Section 6: Planning are implemented here in Section 8. Section 8 focuses on operational planning and controls. It address all operational requirements including, sales, design, production, quality assurance and quality checks, delivery, customer satisfaction, etc.
This section also addresses how externally provided product / services are handled (outsourcing) and how the company addresses nonconforming product.
This section is considered the “Do” portion of the PDCA cycle for continual improvement.
Section 9: Performance Evaluation
Once you have set-up your quality management system and implemented it, now it’s time to see how effective your QMS. This section puts in place the requirements to evaluate the effectiveness of the many requirements of the management system.
One of the main things the ISO 9001:2015 standard is concerned with is customer satisfaction. So it makes sense that this is the first thing the standard wants you to evaluate. From there, we want to evaluate how effective each process is. To do this, you need to identify the key metrics for each process that will be measured.
To evaluate the effectiveness of the quality management system as a whole, an internal audit needs to be conducted. This requirement is often mis-understood ad many people think a full system audit needs to be conducted every year. It’s true that an internal audit needs to be conducted at least annually, but it doesn’t necessarily have to be a full system audit.
The idea behind the internal audit schedule is to audit the areas that have the biggest concerns, previous issues or recent changes. Many companies will audit the entire system each year, but it’s not necessarily required. Companies can choose to conduct one full audit or break up the audit into specific processes. Ultimately, all processes need to be audited over a 3 year cycle. This aligns with the 3 year certification cycle.
Another way to evaluate the overall effectiveness of the management system is through the Management Review process. The management review is meant to look at where the quality management system has been effective, where gaps have been identified and where improvements can be made. Management reviews are typically required at least annually, but it’s beneficial for them to be conducted a little more frequently so companies can more effectively evaluate the quality management system on an ongoing basis.
Section 10: Improvement
All ISO standards are built off the premise of continual improvement. A companies quality management system is never expected to be perfect. There is always room to improve as companies continue to grow. The process takes into account all improvement activities identified throughout the management system. Outputs of the improvement process drives changes back through the planning process as part of the PDCA cycle.