The company analyses and evaluates appropriate data and information arising from monitoring and measurement. The results of analysis are used to evaluate; conformity of products and services and; the degree of customer satisfaction; the performance and effectiveness of the Quality Management System; if planning has been implemented effectively; the effectiveness of actions taken to address risks and opportunities; the performance of external providers; the need for improvements to the Quality Management System.
Do you already have a quality management system and it is certified? If yes, then the 2015 version of ISO 9001 should pose no real problem. It is just another system change, a system improvement, a preventive action and or one of those ‘proposed changes’ that will impact on the system.
Here is present for you. Below is quality.com.au’s new and improved quality policy based on 2015. Cut and paste as much of it or as little of it as you want. Quality Policy. quality.com.au is committed to providing exceptional products and service in management system design, development, implementation and support.
Let me set the table with the following thoughts. A quality management system to reveal and support best practice should take 3~6 months to design and take to certification. A quality management system for certification sake should take 2~3 months to design and take to certification. There is plenty of pro and con with both scenarios, but one that can only ever be determined by the corporate sponsor of the project or the owner of the business, who best know or want a particular outcome.
Or FTEs and other mysteries. All certification companies are governed (within Australia) by JAS-ANZ (Joint Accreditation System Australia New Zealand, I know you all wanted to know that!). Their official ‘name’ is a Conformity Assessment Body (let’s just call them CABs or certification bodies). They are granted accreditation to conduct conformity assessments on products, processes, systems and standards which if successful results in a third-party endorsement or a certification.
One of the first things we do at quality.com.au and indeed for our clients when we are their virtual quality manager, is to organise the next audit date with our certification provider before the auditor finishes the current audit. Can I do that I hear you read? Yes you can. Well you can if you have chosen one of the more forward thinking certification providers. Most providers have centralised ‘operations’ type department that plan and coordinate dates and resources to ensure audit plans and durations are met. However, there is a huge disconnect between what you expect and what you receive.
There are many pros and cons about the fraternity of certification auditors, not the least being whether they are an employee or a subcontractor of the certification body. Here are a few thoughts. In the first instance, make sure you know whether they are an employee or not. Why? It is just good to know, especially with regard any conflict of interest that might occur or be perceived. If you don’t know, ask. There is nothing quite so wrong that your auditor is also a consultant for your biggest competitor. A little checking via LinkedIn and Facebook could also help.
Choose a certification provider as you would any other service provider and base your decision on price, service and quality. Just remember, you can only ever have 2 of these 3 attributes. Be comfortable with the two you want. Unfortunately, not all of the certification providers give quality service. There are many contributing factors to this, but three predominant reasons are; lack of client service; poor 'back office' support; and inadequate client facing personnel. So, if you are not getting what you expected or not getting what you were promised, contact your provider and get them to fix the situation. After all, you are investing a great deal of time and resources to your certification, make sure you are getting what you deserve.
Personally, to change a certification date, a precertification date or a post certification date is not best practice. To a certification body and / or the friendly auditor, it suggests the priority your company is placing on either the certification process or the quality management system itself might be lacking. Do it too often and the desired business relationship could be soured.
Let’s focus on communication. Yep, good old communication. A whole sub clause on how and why. Here is the rub for 7.4 Communication. The company determines the internal and external communications relevant to the Quality Management System, including what it will communicate; when to communicate; with whom to communicate; how to communicate and; who communicates. No required retained or maintained documented information. No prescription. But the certifiers are, perhaps, giving it a little too much attention. As always, the easiest way to get over that hurdle is to have a policy or a process or a procedure. A give away will follow. But if you read on, you can decide what is best for your company.
And with the demise of training, competence is brought to the fore. The standard, clause 7 Support; 7.2 Competence has described; The company has: determined the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the Quality Management System; ensured that these persons are competent based on appropriate education, training or experience; where applicable, taken actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; retained appropriate documented information as evidence of competence. Such applicable actions can include, but not limited to the provision of training to, the mentoring of, or the reassignment of currently employed persons; or the hiring or contracting of competent persons. All pretty straightforward really.
The company continually improves the suitability, adequacy, and effectiveness of the Quality Management System. The company considers the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities that shall be addressed as part of the continual improvement. So says ISO. No not that ISO the other ISO. This is the last word on all things quality from the standard. Yes, that is right, the last clause, sub clause in the standard. And so restricted.
The company ensures that outputs that do not conform to their requirements are identified and controlled to prevent unintended use or delivery. The company takes appropriate action based on the nature of the nonconformity and its effects on the conformity of products and services. This also applies to nonconforming products and services detected after delivery of products and during or after the provision of products. The company deals with nonconforming outputs in one or more of the following ways: correction; segregation, containment, return or suspension of the provision or products and services; informing the customer; and obtain authorisation for acceptance under concession.
The company reviews and controls changes for production or service provision to the extent necessary to ensure continuing conformity with requirements. The company retains documented information describing the results of the review of change, the person(s) authorising the change, and any necessary actions arising from the review. And in meerkat terminology…”simples”. Well the change control is. The design, production, servicing may not, but let’s not drag in details to ruin a good blog. It is all about the change and the controlling of the change and the roles and responsibilities that are defined around change.
The company monitors customer perceptions of the degree to which their needs and expectations have been fulfilled. The company determines the methods for obtaining, monitoring and reviewing this information. Examples of monitoring customer perceptions can include but are not limited to customer surveys, customer feedback on delivered products and services, meetings with customers, market share analysis, compliments, warranty claims and technician reports.
The actual clause is called; property belonging to customers or external providers. In it, the company exercises care with property belonging to customers or external providers while it is under the company's control or being used by the company. The company identifies, verifies, protects, and safeguards customers' or external providers' property provided for use or incorporation with the products and services.
I have written a few times about this topic and I just love revisiting one of the fundamentals, so let’s go. The standard wants… The company's Quality Management System includes: documented information required by the standard; documented information determined by the company as being necessary for the effectiveness of the Quality Management System. When creating and updating documented information the company ensures appropriate: identification and description (e.g. a title, date, author or reference number); format (e.g. language, software version, graphics) and media (e.g. paper, electronic); review and approval for suitability and adequacy.
The annex to the new standard (A.6) says that "Where ISO 9001:2008 would have referred to documented procedures ... this is now expressed as a requirement to maintain documented information”, and "Where ISO 9001:2008 would have referred to records this is now expressed as a requirement to retain documented information".
Did you know your certification is based on a triennial cycle (three years)? Triennial cycles are a requirement of JAS-ANZ. So don’t try and ask your certification body to extend it or to ignore it. They can’t. They won’t. So what does this mean? The complete certification cycle roughly follows this sequence. As always it is unique to your circumstance, complexity, risk and certification body. So take the following as a guideline only.
A Quick Checklist on how to prepare for an external audit. Some nice touches include recognition on the ‘welcome board’ at reception, product samples, conduct pre audit discussions / meetings for planning, interpretation, etc. Above all relax, enjoy. This should be the culmination of a desired project, a desired corporate goal and that all is in place to get the desired certification, first time.
The company ensures that externally provided processes, products and services conform to requirements. The company determines the controls to be applied to externally provided processes, products and services and when: products and services from external providers are intended for incorporation into the company's own products and services and; products and services are provided directly to the customer by external providers on behalf of the company; a process or part of a process provided by external provider because of a decision by the company; The company shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services and in accordance with requirements. The company retains documented information of these activities and any necessary actions arising from the evaluations.
Following hot on the heels of last month’s ‘what do you do?’ comes a further explanation of context. The standard itself wants answers to the following; internal and external issues; needs and expectations of interested parties; the scope of your quality management system; interaction and controls between the quality management system and processes.
The company determines and selects opportunities for improvement and implements any necessary actions to meet customer requirements and enhance customer satisfaction. These include improving products and services to meet requirements as well as to address future needs and expectations; correcting, preventing, or reducing undesired effects; improving the performance and effectiveness of the Quality Management System. Examples of improvement can include but not limited to correction, corrective action, continual improvement, breakthrough change, innovation, and reorganization. Deep breath.
The company conducts internal audits at planned intervals to provide information on whether the Quality Management System: Conforms to: The company's own requirements for its Quality Management System; the requirements of this standard; is effectively implemented and maintained. Now for the wordy bit. The company: plans, establishes, implements and maintains an audit program, including the frequency, methods, responsibilities, planning, requirements and reporting which shall take into consideration the importance of the process concerned, changes affecting the company, and the results of previous audits; defines the audit criteria and scope for each audit; selects auditors and conduct audits to ensure objectivity and the impartiality of the audit process; ensures that results of the audits are reported to the relevant management; takes appropriate correction and corrective actions without undue delay; retains documented information as evidence of the implementation of the audit pro
Following hot on the heels of last month’s ‘what do you do?’ comes a further explanation of context. The standard itself wants answers to the following; internal and external issues; needs and expectations of interested parties; the scope of your quality management system; interaction and controls between the quality management system and processes. There is no all-embracing formula, template, document to manage context, but rather a series of interrelating documentation to ensure the overall context can be established. Perhaps the closest would be a strategic plan, that would then be underpinned by a business plan, which would then be underpinned by process specific or risk specific set of documentations which can be in any format or media that you think is appropriate to the reader. Sheesh. What ever happened to …’I am a baker. I bake bread!’, but sadly no.
This sub clause is trying to be all inclusive. It is trying to leverage the quality management system away from the quality manager and or the ‘management representative’ and forcing stuff up the corporate food chain. There are no real changes from the previous version of the standard, other than the use of the words…. top management. The requirements are; the company's top management ensures that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the company.
An interesting concept from the standard. Get top management involved, get them demonstrating leadership and commitment and set some ground rules around it. It is a two-part clause, with the second focusing on the customer, which I have written about previously. At last count, and just in the first two sub clauses, the standard sets ten rules. Yes, ten!
This sub clause is trying to be all inclusive. It is trying to leverage the quality management system away from the quality manager and or the ‘management representative’ and forcing stuff up the corporate food chain. There are no real changes from the previous version of the standard, other than the use of the words…. top management.
The company’s top management reviews the company's Quality Management System at planned intervals to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the company. The management reviews are planned and carried out taking into consideration: the status of actions from previous management reviews; changes in external and internal issues that are relevant to the Quality Management System; information on the performance and effectiveness of the Quality Management System, including trends in: customer satisfaction and feedback from relevant interested parties; the extent to which Quality Objectives have been met; process performance in conforming products and services; non-conformities and corrective actions; monitoring and measurement results; audit results; the performance of external providers; the adequacy of resources; the effectiveness of actions taken to address risks and opportunities [see 6.1]; opportunities for improvement.
When a nonconformity occurs, including any arising from complaints, the company will: react to the nonconformity and, as applicable: act to control and correct it; deal with the consequences; evaluate the need for action to eliminate the cause[s] of the nonconformity, in order that it does not recur or occur elsewhere, by: reviewing and analysing the nonconformity; determining the causes of the nonconformity; determining if similar nonconformities exist, or could potentially occur; implement any action noted; review the effectiveness of any corrective action taken; update risks and opportunities determined during planning, if necessary; make changes to the Quality Management System, if necessary. Corrective actions are appropriate to the effects of the nonconformities encountered. The company retains documented information as evidence of the nature of the nonconformities any subsequent actions taken and the results of any corrective action. What a yawn. The most important clause in
Just a little bit yawny (not sure that is a word) but it does set the tone for one of the pillars of an effective quality management system. The company plans, implements and controls the processes (see 4.4) needed to meet the requirements for the provision of products and services and to implement the actions determined in clause 6 by: determining the requirements for the products and services and; establishing criteria for the processes and the acceptance of products and services and; determining the resources needed to achieve conformity to product and service requirements; implementing control of the processes in accordance with the criteria; determining, maintaining and retaining documented information to the extent necessary: to have confidence that the processes have been carried out as planned; to demonstrate the conformity of products and services and to their requirements.
Let’s start with monitoring, measurement and evaluation. The company determines: a) what needs to be monitored and measured; b) the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results; c) when the monitoring and measuring are performed; d) when the results from monitoring and measurement are analysed and evaluated. The company evaluates the performance and the effectiveness of the Quality Management System. The company retains appropriate documented information as evidence of the results. Another ‘general’ clause heading, another yawn. But……wait, this is pretty good stuff. We get to pick what we monitor and measure. Just make sure it meets your customer needs and your stakeholder needs. Notice I said needs. NOT wants or should. However, customer don’t necessarily know what they need and often look at what they want. So educate them, negotiate with them and make sure we all know the what.
An exquisite little sub clause of the profoundly ‘der’. Could the standard do without it? Perhaps, but it is well crafted, if not a little condescending, but one that is mostly ignored by consultants and auditors…… The standard says. When the company determines the need for changes to the Quality Management System, the changes are carried out in a planned manner. The company considers the: purpose of the changes and the potential consequences; integrity of the Quality Management System; availability of resources; and allocation or reallocation of responsibilities and authorities.
You have chosen your certification provider. They have conducted the document review. They have conducted the stage 1 review. Now, depending on the requirements of the certification provider, they have deemed you ready for the certification audit. This will be based on the progress of your corrective actions raised during the previous two steps and the required volume of records to enable the effectiveness of your quality management system to be judged. This can be a week, a month, the magic three months, a year or any time frame deemed appropriate.
The requirements of the standard are; The company's top management will establish, implement and maintain a Quality Policy that: is appropriate to the purpose and context of the company and supports its strategic directions; provides a framework for setting Quality Objectives; includes a commitment to satisfy applicable requirements and; includes a commitment to continual improvement of the Quality Management System.
Preservation. The company preserves the outputs during production and service provision, to the extent necessary to ensure conformity to requirements. Preservation can include identification handling, contamination control, packaging, storage transmission or transportation and protection, as needed. And the bleeding obvious award goes to….. Yeah, I am a little jaded with this clause. One, because it is a radical simplification of what used to be a 4 sub clause topic with their own sub clause headings containing so much prescription that the manufacturing world had no illusion as to what was needed. But now?
Finally you say. The doing part of the standard. Providing products and services to customers. But before we do, we must specify how we control the provision of such stuff before we actually do. So it’s back to the planning stage and delving into just what controls we will need in order to make a quality product or service. Production and service provision; Control of production and service provision. The company implements production and service provision under control conditions.
According to ISO themselves, two of the most important objectives in the revision of the ISO 9001:2015 have been: a) to develop a simplified set of standards that will be equally applicable to small as well as medium and large organizations, and b) for the amount and detail of documentation required to be more relevant to the desired results of the organization’s process activities.
So we have determined what we do. We have tried to explain what we do. We have even taken into consideration what others, both internally and externally want us to do. Now it is time to determine and possibly describe the length and breadth of the quality management system and its processes to enable us to do what we do and to continually do it better. So easy, I hear you read. Well, there is a beautiful caveat at the end of this post which will make it easy, but I won’t spoil it here.
n the wonderful Aussie vernacular……der! Firstly, I would like to publicly state that I love the standard. I love the process of determining its applicability to companies and I really, really like objectives. Objectives, targets, programs and more. If you cannot measure it, you cannot improve. But to belittle the intent by sticking on the bleeding obvious in the clause’s title, and then to go on and describe what you need to do to plan achievement, just blows my mind. Leave well enough alone. Please. I have never met a business owner, manager, operative that didn’t have objectives and not one of them that didn’t plan to achieve them. Deep breaths, deep breaths and ……… the rant is done.
Ok, so last month I rambled about the importance of quality objectives and just where they fit in the wonderful corporate food chain. Remember, we are addressing a quality standard, and therefore we have address quality objectives. But, don’t let that stop you adding other objectives into the mix. Especially, if you are designing your quality management system along the ‘one rule’ credo. Sure, you remember that! A thoughtful quality management system is the framework for all activities in a company. All departments, all disciplines, all stuff. Create one rule, one system company wide. And as my Buddhist friends would say, Nirvana!! But as soon as you have rules for some and not others, then you may as well expect that not all people will tow the same corporate lines or rules, because they will think it is doesn’t apply to them, the same as quality is not about them. A slippery slope indeed.
The company implements planned arrangements, at appropriate stages, to verify that product and service requirements have been met. The release of products and services to their customers does not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority, as applicable, or by the customer. The company retains documented information on the release of products and services. Documented information includes a) evidence of conformity with the acceptance criteria; b) traceability to the person(s) authorising the release.
Yep, the standard finally acknowledges our business has customers. You know. Clients, purchasers, patrons, consumers, etc. And so the standard wants one, to communicate with them, then two determine what they want (even if they don’t know what they want).
The standard says, the company determines and provides the resources needed for the establishment, implementation, maintenance and continual improvement of the Quality Management System. The company considers: the capabilities of, and constraints on, existing internal resources; what needs to be obtained from external providers. This is not just some glib commentary on having a quality manager, a clever consultant and or the best online platform, albeit all three are important, the standard really wants us to focus on the business and the risk of the very core capabilities of the business and this includes our external providers.
Welcome back ‘test equipment’? Well a rose by any other name. The requirements are similar, a little watered down, but the intent is still important. The standard says… The company determines and provides the resources to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services and to requirements. The company shall ensure that the resources provided: a) suitable for the specific type of monitoring and measurement activities being undertaken; b) are maintained to ensure their continuing fitness for purpose. The company retains appropriate documented information as evidence of fitness of purpose of the monitoring and measurement resources.
The company ensures that it can meet the requirements for products and services and what is to be offered to customers. The company conducts a review before committing to supply products and service to a customer, to include
In the ISO world, a nonconformity is the starting point. Whatever you call them, corrective actions, nonconformances, reviews, TLAs (three letter acronyms), etc, the process needs to start. So start one. You don’t need the answers, you just need to kick start. Once started and you realise you don’t know a lot (or you think you do), escalate the situation and start your task force. Even a task force of one is good position. Need a little more oomph? Look at your strategic risk register. Nothing on pandemics? I bet most strategic risk registers or risk plans have not contemplated such a risk. Let’s not stop there.
The certification process is site specific and scope specific. So, who determines what is in scope and what isn’t? Well, the majority of the decision lies with you, the client. You are in charge of determining risk and risk management and in doing so, you get to document the scope of the quality management system in relation to the activities within that site. Normally, this means ALL activities within a site.
Did you know that when a company gets certified, it is only certified at the nominated site or sites, and only to the defined scope of certification? The site specific thing is intriguing. I thought at the beginning of this great industry in the late eighties, yes last century, that site specific certification was just a fee gouge. It probably still is, but in these modern days of connectivity and centralisation of services such as accounts, sales, administration, etc, it might be more so than ever as certification providers can’t get their head around the modern world we live in.
One of the many wonderful aspects of the new revision of the ISO 9001 standard, is that an attempt has been made to enable more interpretation of the requirements of a thoughtful quality management system. It clearly implies that as we the owner of such a system, we get to determine what we need to include in order to meet our own commercial needs.
The four stages of certification and what auditors audit do are. 1. Documentation Review; Normally a desk top review scenario of just the documentation you supply to them. The auditors are looking for a policy, a quality manual (or similar), the mandatory maintained documented information, mandatory retained documented information, your own procedures, associated forms, records and an interrelationship document explaining the processes of the company. 2. Pre-Certification Review...
Most quality management system design and implementations are done on a project basis. That means there is a plan and a deadline. Quite often such plans are based on financial or calendar year deadlines. This means that nearly all quality management system certifications are ‘promised’ for completion either in June or December of any given year. By sticking to such an arbitrary line in the sand, most businesses then have certification audits planned for these two months as well. Firstly, the impact on your company during these busy periods may outweigh the benefits, leave employees stressed with the timing or you may experience availability issues.
A classic question for all CEOs and floor sweepers alike. What the heck do we do and what do we want to do? In big business there is visioning, missioning, goal setting, target measuring, market analysis, focus groups, policy and much much more, more and more. In small business, we offer far more than we would like to do, but in order to make ends meet, we take on more and more until we finally burn out or are lucky enough to realise a cash flow that will enable us to niche or focus on what we do and what we want to do.