There are six (6) implementable clauses within ISO 9001:2015 Quality Management System Standard.
Within this series of posts for the next six weeks we will discuss the requirements to all six clauses and the correct interpretation thereof.
4.0 Context of the Organization
The ‘Context of the Organization’ is a new requirement. You should allow additional time to prepare for each audit in order to establish a suitable understanding of the circumstances, and the market in which your organization operates. To be compliant, evidence should be obtained that proves that your organization is reviewing all pertinent internal and external issues at periodic intervals.
Although there is no requirement for documented information to define the context of the organization, your organization will find it helpful to retain the types of documented information listed below to help justify compliance:
1. Business plans and strategy reviews;
2. Competitor analysis;
3. Economic reports from business sectors or consultant’s reports;
4. SWOT analysis;
5. Minutes of meetings (Management and design review minutes);
6. Process maps, tables, spreadsheets, mind mapping diagrams;
4.2 The needs and Expectations of Interested Parties
‘Understanding the Needs and Expectations of Interested Parties’ is a new requirement. You should allow additional time to prepare for each audit in order to establish a suitable understanding of the relevant interests of relevant interested parties that impact the QMS. If this differs from the perception, you should be prepared to challenge this. Look for evidence that the organization has undergone a process to initially identify these groups, and then to identify any of their requirements that are relevant to your organization’s quality management system.
You should also determine whether these groups’ requirements are reviewed and updated as changes in their requirements occur, or when changes to your organization’s QMS are planned.
4.3 Determining the Scope of the QMS
This requirement is comparable to ISO 9001:2008 Clause 4.2.2 – Quality Manual. You will need to verify that your organization’s scope exists as documented information (which may be in the form of a Quality Manual) in accordance with Clause 7.5.1a. Look for confirmation that your organization has determined the boundaries and applicability of the QMS to establish its scope with reference to any external and internal issues referred to in 4.1 and the requirements of relevant interested parties referred to in 4.2.
Check that this has been done in consideration of your organization’s context and your products. You should review any exclusions previously noted under ISO 9001:2008 for ongoing suitability. Check that legacy issues which limited scope and omitted activities do not affect product conformity. Check that they are recorded and that the rationale for the exclusion is stated and justified.
4.4 The QMS and its Processes
This requirement is comparable to ISO 9001:2008 Clause 4 - Quality Management System and Clause 4.1 – General Requirements. You should review how your organization has designed its process-based management system.
Existing operational procedures, work instructions and flow charts are valid examples of documented information and can be used to evidence the requirement for ‘documented information to support the operation of processes is being met’.
Check that process inputs and outputs are defined and review how each of the processes are sequenced and how they interact. Look for evidence that your organization has:
1. Assigned duties/process owners; (Clause 5.3)
2. Assessed risks and opportunities; (Clause 6.1)
3. Provided resources; (Clause 7.1)
4. Maintained and retained documented information. (Clause 7.5.1)
5. Implemented measurement criteria; (Clause 9.0)
6. Improved its processes and the QMS; (Clause 10.0)
Most of the requirements from Clause 4.4 are comparable to those found in ISO 9001:2008 Clauses 4.1 and 8.1 - General Requirements and Clause 8.2.3 - Monitoring and Measurement of Processes.
Based upon the extent of your organization’s QMS and processes, you should seek and record evidence that your organization has maintained documented information to support the operation of its processes; and that it has retained documented information to provide confidence that the processes are being carried out as planned.
Identifying Key Processes
Key processes are steps that you go through to give the customer what they want, e.g. from order acceptance to design through to delivery. Whereas support processes do not contribute directly to what the customer wants but do help the key processes to achieve it. Support processes include often human resources, finance, document control, training and facilities maintenance, etc.
A good way to do this is to think about how workflows through your organization. Consider how the inputs and outputs to the key processes flow from one process to the next, what sub-processes might exist within it and how the support processes link in. For now, ignore the standard, in fact put it in a draw and forget it exists. Instead focus on your key processes and how the departments interface with each other.
Once you have defined the processes and interfaces; go back to the standard and determine which processes are responsible for meeting which requirements. When defining your organization’s processes, think about each process and department and assign try to define those processes around the current organizational model and not around the requirements of the standard.
Certification auditors will expect to see a process model that explains the key processes of the business and how each relates and links to the others. The depth of process explanation may be as detailed as the company chooses, but should be based on its customer and applicable regulations or statutory requirements, the nature of its activities and its overall corporate strategy. In determining which processes should be determined and documented the organization may wish to consider factors such as:
Customer oriented processes affect or interact with the customer,
Support oriented processes support other process,
Management oriented processes are normally conducted by Top management,
Assessment oriented processes help provide data to determine compliance and process performance.
Sequence and Interaction
The auditor must see evidence that the organization has determined their processes and that the interactions are also defined, all within the IMS manual. Subsequently, this includes the actual and technical inputs and outputs of the processes to show their inter-relationship. This requires the description of the interactions between the processes and should include process names, process inputs and process outputs in order define their interactions. Interaction means how one influences the other. Auditors commonly agree that the description of the interactions of the processes cannot be done if the processes are not determined (names).
The organization is not required to produce system maps, flow charts, lists of processes etc. as evidence to demonstrate that the processes and their sequence and interactions were determined. Such documents may be used by organizations should they deem them useful, but they are not mandatory. Graphical representation such as flow-charting is perhaps the most easily understandable method for describing the interaction between processes.