What to Know About Management Processes, Quality Objectives, QMS Documentation, and More, When Implementing ISO 9001
Management Processes, Quality Objectives, QMS Documentation and Support Processes – What you need to know (Part 3)
In Part 3 of the series: ISO 9001 Implementation – What You Need to Know, Jim Lee, simpleQuE’s CEO focuses on the management and support processes. While many companies are able to achieve ISO 9001 certification with internal resources, expert advice from a qualified ISO 9001 consultant can reduce confusion and lengthy delays. Jim has assisted many companies in attaining and maintaining their certifications, and he has created this series of helpful articles for companies implementing an ISO 9001 quality management system (QMS).
ISO 9001 Management Processes
In Part 2 of the series, Jim explained the section of the requirements regarding Scope, Context of the Organization, Processes and Interactions. In this article Jim picks up the discussion with Management Processes and the next steps for establishing a solid ISO 9001 quality management system.
1. The context of the company (Clause 4.1) doesn’t need to be documented, but it needs to be understood. What’s the vision for the business in 2-5 years and how are you going to get there? What business or strategic planning exists periodically to understand and determine what direction the business should take? This may be informal and not documented, but should be able to be verbalized. Different people in the business will have different perspectives on the context of the business. What are the various factors that affect the strategic direction of the business? Examples of factors that can affect a business might be any internal trends, industry trends, customer needs, technology factors, uncertainties, economic climate, political factors, etc. How you periodically evaluate the changing factors affecting the business and adjusting the strategic direction is what the standard wants to see occurring, whether informally or formally. This also plays into the requirements for risk management (Clause 6.1) to help identify positive opportunities and negative risks that may require actions to properly manage.
Larger companies typically have documented, structured, strategic or business planning processes that can be shown or discussed. The internet has many templates and tools for strategic planning, but ISO doesn’t require this to be formal, especially for small, privately held companies.
2. Develop and document a quality policy statement based on the ISO 9001 requirements of Clause 5.2. This should be short and sweet, not a full page. The quality policy statement must contain two things: includes a commitment to satisfy applicable requirements; and includes a commitment to continual improvement of the QMS. The quality policy statement needs to support the purpose and context of the company, along with its strategic direction. This is where the quality policy statement is further customized to better fit the business and culture. In the end, this quality policy statement provides a foundation for setting the company’s quality objectives. You should be able to link back some of the company’s objectives to meeting applicable requirements, and continual improvement of the QMS which are stated in the policy. Employees don’t need to have the quality policy memorized, but they need to be able to find it and explain what it means in their own terms, and know how they support the quality policy in the job they perform.
3. Develop and document the quality objectives based on the ISO 9001 requirements of Clause 6.2. There should be at least one clear objective for each core process that is monitored and measured to determine whether you’re getting better or worse and whether the process is effective as you work toward your objectives, or not. Auditors are typically looking for quality objectives that provide evidence of:
- Quality performance (of product or service),
- Delivery performance
- Customer satisfaction, which could include customer scorecards (if provided), and
- Some means of evaluating core process effectiveness.
By the time of your certification audit, most certification bodies will need at least 3 months (preferably >12 months) of performance data. Many companies have to mine their data to extract this historical performance data. Determine the ongoing frequency for monitoring and reporting on this performance data, and establish processes to ensure it is continually monitored and evaluated.
4. Determine what management or executive overview training might be required so that leadership understands their role and responsibilities. With regard to training and competency, the gap analysis should have identified potential training needs (e.g., What do process owners need to know? Who needs to know about ISO 9001 clause by clause? Who needs trained to be an ISO 9001 internal auditor?).
5. Management review meetings are intended to periodically oversee the effectiveness of the quality management system. You will need to have completed a management review meeting according to Clause 9.3, with appropriate records and action items. Best practice is to utilize and take credit for existing management meetings that frequently cover some of the topics in Clause 9.3, as long as there are meeting minutes showing topics covered with action items. When taking credit for multiple, existing, periodic management meetings to satisfy portions of the management review requirements, you can then conduct one annual meeting to cover topics in 9.3 that aren’t covered in the ongoing management meetings. Through the course of 1 year you will need to demonstrate that every topic in 9.3 is covered at least once through the year through the meeting records.
There are some processes not yet covered in this series to achieve ISO 9001 certification. They may fall under management or supporting processes, but are not core processes. Nowhere in the standard is there mention of management or supporting processes. These terms can be changed or eliminated, but core processes don’t cover all the ISO 9001 requirements. There needs to be a way to cover these extra ISO requirements outside of the core processes.
1. Where the ISO 9001 standard historically used terms like “quality manual”, “document”, “documented procedures”, and “records”, the standard now uses the term “documented information” (Clause 7.5) to collectively refer to it all. If you have a procedure for document control and record control, please don’t change the terminology. There is no explicit requirement for a procedure on documented information (Clause 7.5), however it is one of the fundamental needs of a QMS to have a defined and structured method to control documentation and records (Clause 7.5) which is near impossible to do without a procedure.
Note that Appendix A.1 of the standard explicitly states that there is no requirement in ISO 9001 that you use the same terminology that the standard uses, or the structure clause by clause for the QMS documentation. For better internal adoption, it is better to use the company’s terminology versus ISO 9001 terminology. The ISO 9001 standard is written to be translated into multiple languages, so the terminology used is not always ideal for internal comprehension.
The term “maintain documented information” is the terminology used by the standard to mandate that some type of document is required (whether a procedure, form, template, etc.). The term “retain documented information” denotes a record is required as evidence of conformity to the ISO requirement. Download “Where Documented Information Appears in ISO 9001:2015” to see every clause and requirement in ISO 9001 where some type of document and record is needed.
Also determine where “documented information” is required by the ISO 9001 standard and determine whether your organization will need any additional documented procedures to help standardize these processes. A list of these documented procedures should be created, and must be referenced from within your Quality Manual.
The minimum expected topics to be covered in procedures for ISO 9001 are:
- The control of documented information (formerly known as document and record control). This could be broken into 2 procedures, or combined into one.
- Internal audits
- Non-conforming products
- Corrective Actions. For some companies, especially service companies, it may make sense to combine nonconforming and corrective actions into one procedure.
The size and complexity of your company may dictate the need for more procedures. It is recommended, and better common practice, that procedures be separate documents from the Quality Manual for longer term ease in maintenance and upkeep of the documents.
2. A Quality Manual is not mandatory, but is common practice. Quality Manuals have not needed to duplicate the standard and cover each clause and sub-clause for over 20 years. There are still some certification body auditors and quality managers who struggle with condensed quality manuals, but there is no value to regurgitate the entire standard. With one sentence you can state that you meet all the requirements of ISO 9001. There is a happy medium in between which will be appropriate for your company and culture. Our typical quality manuals are between 3-10 pages (and have been for 20 years), but there are still a few businesses that demand the old-school quality manual approach. There are no wrong answers, some are better than others.
3. Other common supporting processes may include Nonconformity and Corrective Actions (Clause 10.2), if not covered within another process. Assist applicable company personnel on the nonconformity and corrective action process with addressing any gaps uncovered and ensuring a documented procedure is in place. There must be adequate documentation of formal corrective actions, root causes of the corrective action including records being retained of any populated tools or forms that may be used, records of adequate verification of corrective action closure, communication with company management on corrective actions issued, and ensuring that when applicable, a review of impact on identified risks are performed. It is common to have a corrective action log to summarize and track corrective actions to ensure adequate closure and that none fall through the cracks and are missed. Nonconforming product was addressed separately in Part 2 of the series.
4. Calibration may be identified as a supporting process (Clause 7.1.5). The process owner for calibrating the company’s inspection and test equipment will need to address any gaps uncovered regarding the scheduling of calibrations for inspection and test equipment, defining a recall program if and when equipment is found out of calibration, retention of calibration records, and use of calibration standards that are traceable to nationally recognized reference standards. Every gauge must be traceable to calibration records to be able to determine the calibration status. It is common to have some type of calibration log to track status. There are many software solutions to assist with the calibration program.
5. Review the training process with applicable staff members to verify the process used to determine the required competency level for each job title in the organization and see that adequate records show employee’s competencies (Clauses 7.2 and 7.3). Review of any needs to retrieve and methods to transfer organizational knowledge (tribal knowledge or inherent knowledge known by one person that should be shared) in the organization (Clause 7.1.6).
6. Change control historically was hidden within design, which many companies excluded. The latest ISO 9001 standard pulled change control outside of design and engineering and have made it companywide (Clause 8.5.6). There should be some process to plan and manage changes. This can include changes in: production processes, suppliers, raw materials, inspection methods or frequency, packaging, etc. Many quality problems are due to ineffective change control.
7. The process owner for “internal audits” (Clause 9.2.2) must ensure:
- a documented procedure is in place,
- an audit planning schedule is created and used,
- auditors are independent of the area audited,
- records of audits are retained,
- audit findings initiate corrective actions,
- audit results (findings) are shared with company management,
- and that a full system internal audit is completed prior to an external audit with a certification body.
- internal auditors should also be trained and competent to perform internal audits. Some companies outsource their internal audits because they obtain greater value.
Note: Be sure to follow ISO 19011 (Guidelines for Auditing Management Systems) for guidance on completing your internal audit.
ISO 9001 Implementation – What You Need To Know Series
In case you missed Part 1 and Part 2 of the series: ISO 9001 Implementation – What You Need To Know, learn more at Syncing the ISO 9001 Quality Management System With Your Business System and What to Know When Implementing Your ISO 9001 Quality Management System and Processes.
In Part 4 of the series: Jim reviews ISO 9001 internal audits using the process audit approach and provides more links to free resources. What You Need to Know About ISO 9001 Internal Audits When Implementing your QMS
SimpleQuE is a leader in AS, IATF® and ISO consulting, auditing and training. Whether you are just beginning the certification process or looking for a partner for ongoing maintenance and internal audits, simpleQuE makes the process easier and more efficient. Contact us for a consult and see the difference that simpleQuE can bring to your quality management process.
Learn More About The simpleQuE Advantage