Implementing your ISO 9001 Quality Management System and Processes (Part 2)

SimpleQuE’s CEO, Jim Lee, has assisted many companies in attaining their certifications, and he has created a series of helpful articles for companies implementing an ISO 9001 quality management system (QMS). While many companies are able to achieve ISO 9001 certification with internal resources, expert advice from a qualified ISO consultant can reduce confusion and lengthy delays. In Part 2 of the series:  ISO 9001 Implementation – What You Need To Know, Jim goes deeper into the section of the requirements regarding Scope, Context of the Organization, Processes and Interactions.

Determine and Document the “Scope” of Your QMS (Clause 4.3).

The “scope” is a brief description of what your company does and will be stated on your ISO 9001 certificate:

Example: Design and manufacturing of molded plastic products

Example: The manufacture and testing of electric motors, actuators, and motorized devices

NOTE: The certification body must help finalize the proper wording for your scope statement. If you search the internet for ISO 9001 certificates you will find plenty of other examples of scope statements used on company’s certificates. Whatever the final scope statement becomes, you ultimately are required to retain that as some type of documented information in your QMS, typically in the quality manual.

Identify, Justify, Document

Next, identify, justify, and document any activities, products or services that your company does not provide, and are not applicable from ISO 9001:

Example: 8.3 Design and Development, because your company is not responsible for designing products if it only makes products to customer designs and specifications.

What if a portion of the business is not included in your ISO certification? This is not recommended, but it can be done. Where this might be common is where you have one or two remote sales offices or people that perform sales from their homes. Many will only list the company site address on their certificate and exclude the sales office addresses, but will include sales activity performed remotely when auditing the company site. You will need to work with the certification body up front at the quoting phase to see what is permitted and what is not, to ensure there are no surprises at the end when you try to get certified. Fully disclose what you’re trying to exclude when talking with the certification body, to see if it is possible and how it changes your scope statement so you don’t mislead the public with the scope on your ISO certificate. You are the customer and the certification body wants to help you be successful under the rules that must be followed.

Plan the Structure of Your Quality Management System (QMS)

The next step is to define and document your key or “core” business processes (Clause 4.4). The core business processes are the value stream of the business, from sales to delivery of the product or service.

This is a very important step to implement ISO 9001 effectively and to integrate the business system with the quality system. When the business system and quality system are the same, you get management and cross functional buy-in and support for the quality system.

Creating a simple process flow diagram will be very helpful to graphically depict the value stream of the core business processes. Once determined, you will need to define and somehow document these processes to show who is responsible for the process, the sequence and interaction, the inputs and outputs expected, how the process is controlled, and how the effectiveness of each process is monitored and measured. A “turtle diagram” is a helpful tool to use for this purpose, but not required. Here are a turtle diagram and template example to download. There are other tools you may choose to use to help understand and define a process.

Procedures for these core processes are not required, but the standard requires you to maintain some type of documentation to support the operation of your core processes (Clause 4.4.2). Depending on your business and culture you get to determine the type of documentation (work instructions, procedure, turtle diagram, etc.). The items expected to be documented for these core processes are in Clause 4.4 and are partially met with the process flow diagram showing the interaction of processes. Responsibilities and authorities may be documented in job descriptions, organization charts, or work instructions. There is flexibility in how core processes are defined and documented.

It is common practice to have approximately 3 to 7 “core” business processes. More is okay. If you have significantly more than this it may be too detailed (or departmentally focused) and you should group some of the processes together into a higher-level process. Try not to use departments, and instead use terms that define the high-level business process. For example, consider using “product design” versus “engineering” since the former utilizes many departments and helps break down department barriers. Even though engineering is the process owner, many departments or functions support product design.

Key Point

It would help to show which processes may be partially or fully outsourced, and where there might be interface with a corporate entity or sister sites that may or may not be within your QMS scope.

A good double-check to ensure core processes are addressed, is to make sure the requirements in Clause 8 are covered with your defined core processes. ISO requirements outside of Clause 8 are typically not core processes, because they aren’t part of the business’ value stream. Typically, this includes:

1. A “sales” process (Clause 8.2, and some of 8.1). With applicable sales personnel verify:

1. 1. consistency in steps and records used to determine customer inquiries and requirements, the quoting process with records, the risk thought process for quoting versus no-quoting, any documentation of order changes and how these are communicated internally, how any applicable statutory and regulatory requirements are understood and implemented, and how customer complaints are addressed and documented (returns, corrective action requests, etc.).
   2. how are orders and contracts reviewed and accepted, with exceptions being resolved, compared to what was quoted. ISO requires evidence with some type of records for contract or order review.

2. A “supply chain” or “purchasing” process (Clause 8.4). With applicable personnel verify:

1. 1. consistency in steps and records that show how suppliers are selected initially and the criteria how they are evaluated (risk thought process) and re-evaluated for their ongoing performance, how they may be eliminated, where their level of acceptance is documented in the system, what is done with information related to customer mandated suppliers, how purchase orders are documented, reviewed and approved prior to issue, how changes to purchase orders are communicated and any records retained, and review of purchase order content to ensure it completely describes the product or service necessary including any applicable flow-down information from customer requirements.
   2. Additionally, how is the purchased product (ultimately) verified as having met the stated requirements (receiving inspection or qualified supplier or proven performance history or verified when used in production, etc.)? What is done if requirements are not met (nonconforming material, supplier performance, risk management)? How is this information on supplier performance retained? Where is it documented and how is it communicated with the authority performing supplier performance evaluation?

3. A “product design” process (Clauses 8.3 and 8.1).

1. 1. Is there a consistent process for performing design of new products? If so, what is the process and how is it defined and followed? Does it consider the complexity of the design? Does it have set stages and review points? Does it have verification and validation activities? How are resources assigned for the design? Is the customer or end user involved? Is there a defined list of documents retained on the design? Is this consistently implemented in the organization and what records are retained for this process? Are they retained consistently in the system?
   2. Is there a process for defining design input parameters? What is considered? How is this documented and retained?
   3. Is there a process for defining necessary outputs from the design? What reviews are conducted to ensure outputs meet inputs? Is information retained on verification and validation activities and how are these activities and their necessary outputs defined? What is done if verification and validation results do not meet expectations?
   4. How are any necessary design changes documented and how do these changes impact the design? Who needs to be involved/approve any design changes? What actions are taken to prevent adverse impacts?

Key Point

Many companies provide engineering or technical support to customers without being design responsible. The ultimate test is whether you can sell that design to multiple customers because you have design ownership, or can establish a new product, change the product, or change the specification. Another test to determine design responsibility is whether your company has the responsibility to test and verify the design performance in the customers’ application or end-use application.

Your chosen certification body will always help you determine whether you’re design responsible or not for your ISO 9001 scope. It is best to solidify that with the certification body office at time of quote, before any audit. With applicable personnel verify consistency in steps and records addressing the following:

4. A “production”, “operations” or “service provision” process (Clauses 8.5, 8.6 and 8.1).

Keep in mind that many departments support operations or production. With applicable personnel verify consistency in the process regarding scheduling of production/service to meet customer needs, communication of changes on scheduling, communication of production/service needs to meet customer requirements, any necessary identification and traceability requirements and the maintenance of this system, addressing customer owned material and its identification and communication as is necessary, review of any necessary preservation requirements, review of any service requirements (e.g., installation, warranty, etc.), control and communication of change in the process and how this is performed, review of any maintenance requirements in the system and how this process is managed (schedule, training requirements, outsourced, records retained on maintenance, etc.).

Provide clarity and definition where inspections, tests, release, and/or completion of the product occurs (Clause 8.6). With applicable personnel verify the process used to inspect product/ service at various stages is performed to confirm product meets requirements. This is all internally defined by your company for your product or service. There needs to be evidence that product meets requirements as it progresses through the internally defined stages, and records showing who authorized the product to proceed to the next stage. This can include operator self-inspections and passing product to the next operation, as long as there is traceability back to the operator approving their work. In other cases, this may be the quality function performing inspections and tests, with records showing who released the product.

Where product does not meet requirements, it is identified as is necessary to an internally defined procedure for the control of nonconforming material (Clause 8.7). With applicable personnel verify consistency in nonconforming material identification, segregation, reaction, disposition, record retention, and notification to applicable parties when necessary. Where applicable, also review any concessions, waivers or deviations retained on acceptance of nonconforming material as-is, and who authorized it. Some companies may choose to make the nonconforming product process a supporting process versus a core process.

ISO 9001 Implementation – What You Need To Know Series

In case you missed Part 1 of the series:  ISO 9001 Implementation – What You Need To Know,  learn more at Syncing the ISO 9001 Quality Management System With Your Business System and Priorities. 

In Part 3 of the series:  ISO 9001 Implementation – What You Need To Know, Jim focuses on the Management Processes, Context of the Company, Quality Objectives, and Supporting Processes.

Part 4 covers internal audits and making sure the requirements of the QMS and the standard are met, What You Need to Know About ISO 9001 Internal Audits When Implementing your QMS 

SimpleQuE is a leader in AS, IATF® and ISO consulting, auditing and training.  Whether you are just beginning the certification process or looking for a partner for ongoing maintenance and internal audits, simpleQuE makes the process easier and more efficient. Contact us for a consult and see the difference that simpleQuE can bring to your quality management process.