Understanding ISO 29001:2022 Quality Management System.
ISO/TS 29001, as an international standard, is the result of the collaboration between ISO and the international oil and gas industry, which is primarily focused on the oil and gas supply chain. It specifies the Quality Management Systems requirements for the layout, establishment, production, and implementation of products and services for the petroleum, petrochemical and natural gas industries.. This standard is a supplement to ISO 9001:2015. The supplementary requirements and guidance to ISO 9001:2015 have been developed to manage supply chain risks and opportunities associated with the petroleum, petrochemical and natural gas industries and to provide a framework for aligning requirements with complementary standards employed within the industries. Since 29001 is also based on ISO 9001, which contains requirements on error prevention, reduction of variation and waste management from the service provider. These requirements have been written separately in order to ensure clarity and perceptibility. ISO 29001 is suitable for all companies within the oil and gas industry as it was developed to ensure quality and improvement within this particular sector. ISO 29001 provides the basis for continuous improvement by emphasizing the prevention of errors and reducing deviations and wastes in the supply chain and service providers. This standard, along with the specific requirements of the customer, defines the basic requirements of the quality management system for those who have accepted this certificate. The Oil and gas industry is one of the critical industries that need to follow heavy regulations and scrutiny. Even a single failure could mean disaster for the environment in addition to the harms and impacts on the other connected sectors of the industry. The industry needs a quality management system with an emphasis on compliance that can provide them comprehensive insights into processes and product quality to identify the scope of improvements going forward. ISO 29001 meets the specific needs of the oil & gas industry by developing a quality management system that, with a view to continuous improvement, seeks several benefits, including:
- preventing and/or managing operational risks
- business continuity in the face of adverse situations (e.g. accident/downtime of sections of a plant or service disruptions)
- reducing costs
- improving staff safety and environmental protection
- reducing product waste and inefficient use of the supply chain.
All ISO management system standards are subject to a regular review under the rules by which they are written. Following a substantial user survey the committee decided that a review was appropriate and created the following objectives to maintain its relevance in today’s marketplace:
- Integrate with other management systems
- Provide an integrated approach to organizational management
- Provide a consistent foundation for the next 10 years
- Reflect the increasingly complex environments in which organizations’ operate
- Ensure the new standard reflects the needs of all potential user groups
- Enhance an organization’s ability to satisfy its customers
The structure is based on the mandate that Annex SL from the ISO Directives is applied to management system standards. The clause structure in ISO 9001:2015 is being aligned with other management system standards. The structure is to provide a presentation of requirements. It is not a model for the document for documenting the organization’s policies, objectives, and processes. There is no requirement for the structure of an organization’s quality management system documentation to mirror that of this International Standard.
Structure of ISO 29001:2020
Since ISO 29001:2020 is based on ISO 9001:2015 it has the same structure as that of ISO 9001:2015. ISO 29001:2022 like ISO 9001:2020 is based on Annex SL – the high-level structure. This is a common framework for all ISO management systems. This helps to keep consistency, align different management system standards, offer matching sub-clauses against the top-level structure, and apply common language across all standards. It becomes easier for organizations to incorporate their QMS into core business processes and get more involvement from senior management. The Plan-Do-Check-Act (PDCA) cycle can be applied to all processes and to the quality management system as a whole. SO 29001:2020, based on Annex SL, has 10 sections four of which also approximate to “PLAN, DO, CHECK, ACT.” All management system standards will have this common structure. Here is the structure:
This section describes the scope of the management system standard and will be unique to the individual standard. Clause 1 details the scope of the standard
Clause 2. Normative References
This section references other relevant standards, which are indispensable for the application of the document and will also be unique.ISO 9000, Quality Management System – Fundamental, and vocabulary is referenced and provides valuable guidance.
Clause 3. Terms and Definitions
Section three contains definitions, and while some of these are common terms related to Annex SL, other definitions will be unique to the management system standard. All the terms and definitions are contained in ISO 9000:2015 – Quality Management – Fundamentals and vocabulary.
Some additional Terms not available on ISO 9001:2015 but included in ISO 29001:2020 are
3.1 quality specification level (QSL)
level defining the extent of control activities, typically including testing, inspection, verification and validation, undertaken by the provider to demonstrate conformance with requirements based on the determination of operational risk and/or obligations
3.2.1 competence catalogue
hierarchical structured list of the competences required to perform a task
3.2.2 competence profile
skills and behaviour, each specified at a level of proficiency, required to perform a role or activity in line with the associated risk or opportunity
3.2.3 proficiency level
level of ability and behaviour attributes within a specific skill
3.3 inspection and test plan
tabular presentation of a quality plan, typically used for process or product applications, to define the specific sequence of operational activities, instructions, acceptance criteria, information to be maintained and retained, and associated provider, customer and independent conformity assessment activities
Clause 4: Context of the Organization
4.1 Understanding the organization and its context.
This requirement requires a greater union between the QMS and wider business planning activities. it requires organizations to ascertain, monitor, and review both internal and external issues that are relevant to its purpose and strategic direction, and have the ability to impact the QMS and its intended results. The organization should determine external and internal issues for the organization relevant to its purpose, strategic planning, and which affect the organization’s ability to achieve its objectives. The Organization should monitor and review the information about external and internal issues. Management Review required the monitoring of external and internal issues. The organization must consider issues related to values, cultural knowledge, and performance of the organization for the understanding of internal issues. The organization must consider issues related to arising from legal, technological, competitive, market, cultural, social, and economic environments, whether international, national, regional, or local for the understanding of external context. The internal context may include, but is not limited to:
- Product and service offerings
- Governance, organizational structure, roles, and accountability.
- Regulatory requirements
- Policies and goals, and the strategies that are in place to achieve them.
- Assets like facilities, property, equipment, and technology
- Capabilities understood in terms of resources and knowledge like capital, time, people, processes, systems, and technologies.
- Information systems, information flows, and decision-making processes (both formal and informal).
- Relationships of the staff/volunteers/members and the perceptions and values of their internal stakeholders including suppliers and partners.
- Organization’s culture.
- Standards, guidelines, and models adopted by the organization and
- Form and extent of the organization’s contractual relationships.
The external context’s micro-environment consists of the organization’s immediate operations and how they affect its performance and decision-making. Some of the micro-environmental context factors
Customers – Organizations must attract and retain customers by offering products services that meet their needs along with providing excellent customer service
Employees/Members/Volunteers – There must be the availability of people with the motivation to remain as contributing members of the organization and develop the skills necessary to provide a competitive edge
Suppliers – Suppliers provide organizations with the resources they need to carry out their activities. If a supplier provides bad service, this affects the way the organization operates. Close supplier relationships are an effective way to remain competitive and secure the resources needed
Investors – All organizations require investment to grow. They may borrow the money from a bank or have people invest in their work. Relationships with investors need to be managed carefully as problems can detrimentally affect the long term success of the organization
Media – Positive media attention can bring success to the organization by maintaining its reputational strength. Managing the media (including the presence in social media) is a challenge.
Competitors – Members of the organization need to have a sense of belonging. Can the organization offer benefits that are better than those offered by the competitors? Is there a strong value proposition? Competitor analysis and monitoring are crucial if an organization is to maintain or improve its position in the competitive landscape of the community. The organization must always be aware of its competitor’s activities. The landscape can change quickly.
To be read along with clause 4.1 of ISO 9001 Please click hear for clause 4.1 of ISO 9001. The organization must have records as an evidence of its understanding of its context, The records must identify external and internal issues. There must be records of monitoring and review of these external and internal issues.The record must identify if the issues have positive or negative factors or their condition for consideration. The record must also identify how the external issues are arising , whether it is arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local. The record must also identify how the internal issues are arising , whether it is related to values, culture, knowledge and performance of the organization.
4.2 Understanding the needs and expectations of interested parties.
A broadening of scope beyond just customers. Requires the organization to determine “the relevant requirements” of “relevant interested parties” e.g. a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.
The organization shall determine relevant interested parties and the requirements of relevant interested parties. Interested parties include Customers, Partners, Persons in the organization, External providers. Relevant interested parties to be considered are those that potentially could impact the organization’s ability to provide products and services that meet requirements. Monitor and review information related to interested parties and relevant requirements. Management Review requires the monitoring of relevant interested parties.
To be read along with clause 4.2 of ISO 9001 Please click hear for clause 4.2 of ISO 9001.The organization must have records as an evidence that it understood the needs and expectation of interested parties. There must be records of the interested parties relevant to QMS, their requirements relevant to QMS. The record must also include monitor and review of these interested parties and their relevant requirements.
4.3 Determining the scope of the QMS.
The scope statement must state the products and services covered. The organization must establish the scope of the quality management system by determining the boundaries and applicability of the quality management system. While determining the scope the organization must consider the internal and external issues determined in 4.1., the requirements of relevant interested parties in 4.2. and the products and services of the organization.
Requirements that can be applied by the organization shall be applied. Requirements that cannot be applied cannot affect the organization’s ability to provide products and services that meet requirements. The organization must maintain scope as documented information stating the Products and services covered by the QMS and any Justification where a requirement cannot be applied. Any interested party which is not relevant to the quality management system need not be considered and similarly, any requirement of the interested party need not be considered. Determining what is relevant or not relevant is dependent on whether or not it has an impact on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements or the organization’s aim to enhance customer satisfaction. The organization can decide to determine additional needs and expectations that will meet its quality objectives. However, it is at the organization’s discretion whether or not to accept additional requirements to satisfy interested parties beyond what is required by this Standard.
The focus is on the application and not just the exclusions. There are no limits to which clauses where the application can be determined. Justification will be required as documented information to ensure that limited application does not affect the organization’s ability to provide for the provision of products and services. The application of requirements may vary. Where a requirement can be applied within the scope of its quality management system, the organization cannot decide that it is not applicable. Where a requirement cannot be applied (for example where the relevant process is not carried out) the organization can determine that the requirement is not applicable. However, this non-applicability cannot be allowed to result in failure to achieve conformity of products and services or to meet the organization’s aim to enhance customer satisfaction. A manufacturing organization that does not have any monitoring and measuring resources could determine requirements in 7.1.5 do not apply. Organizations that build from a customer-provided design could determine requirements for design in 8.3 do not apply. Organizations could not determine that requirements such as competence are not applicable since this directly affects the ability to provide a product that meets requirements.
To be read along with clause 4.3 of ISO 9001 Please click hear for clause 4.3 of ISO 9001.If any of the interested parties as mentioned in clause 4.2 makes a request, then the organization can advice the interested parties of any requirements of ISO 29001:2020 which is not applicable to the scope of its quality management system
4.4 Quality Management System and its processes.
This specifies the number of factors to be considered when planning the processes that make up the QMS. The standard requires the organization to establish a process-based management system. This is required to be maintained and continually improved. The clause sets out high-level requirements for the design of such a process-based management system. These processes are integral and also there are support processes that underpin the operation of the entire QMS.
To be read along with clause 4.4 of ISO 9001 Please click hear for clause 4.4 of ISO 9001.The Organization must define the extent of Documents including of procedure and records required to meet the requirement of relevant interested as mentioned in clause 4.2 and clause 4.3
5.1 Leadership and commitment.
Greater emphasis is placed on the role of top management. Requires top management to “demonstrate leadership and commitment”, and suggests that a more hands-on approach is expected. ISO 29001:2020 requires top management to be much more “hands-on” with respect to their QMS. Where the word “ensuring” is used in sub-clause 5.1.1, top management may still assign this task to others for completion. Where the words “promoting”, “taking”, “engaging” or “supporting” appear, these activities cannot be delegated and must be undertaken by top management themselves. Top management must:
- have accountability for the effectiveness of their organization’s quality management system;
- ensure that their organization’s quality policy and quality objectives are consistent with the organization’s overall strategic direction and the context in which the organization is operating;
- work alongside their people in the organization in order to ensure that the quality objectives are achieved;
- ensure that the quality policy is communicated, understood and applied across the organization;
- make sure that the quality management system is achieving the results that are intended;
- lead people to contribute to the effective operation of the system;
- drive continual improvement and innovation and develop leadership in their managers.
The top management is required to ensure that:
- the requirements set out in ISO 29001:2020 are met;
- QMS processes are delivering their intended outcomes;
- reporting on the operation of the QMS and identifying any opportunities for improvement is taking place;
- a customer focus is promoted throughout the organization;
- whenever changes to the QMS are planned and implemented, the integrity of the system is maintained.
The top management should ensure that the organization should have knowledge of the law and is aware of the customer’s expectations and is delivering. Knowing what can go wrong with what you are selling and providing and what opportunities you also have when you deliver this; opens doors, for example, to other work streams; They should be making sure that the customer is happy. Understanding customer specifications/ needs. Ensure you know exactly what the customer wants and documenting this from the initial inquiry to commissioning paperwork.
To be read along with clause 5.1 of ISO 9001 Please click hear for clause 5.1 of ISO 9001.
Policy requirements are enhanced. A requirement is introduced that the quality policy is appropriate to the context of the organization and that it is applied throughout the organization. Write the policy to include:
- making sure it reflects your business size, ethos and what you are trying to achieve;
- how you will decide what you are going to achieve and how you will check this;
- committing to doing it the right way (e.g. in line with standards and best practice);
- committing to try to continually improve.
Tell everyone about it.
- Making sure it is written.
- Making sure people know it and understand it.
- Giving it to people who have an interest in your business (e.g. clients/suppliers/manufacturers/staff).
- Publishing it on your website.
The example includes written Quality policy, company induction, basic training, toolbox talks.
To be read along with clause 5.2 of ISO 9001 Please click hear for clause 5.2 of ISO 9001.
5.3 Organizational roles, responsibilities, and authorities.
The requirement for a Management representative is no longer specified. The duties previously assigned to that role may now be assigned to any role or split across several roles. The top Management must ensure that responsibilities are allocated across the organization to maintain the management system to make sure what is supposed to happen is happening. While allocating Roles, Responsibilities, and authorities, the organization must remember the customer at all times and the outcome of the business processes, and how they can be improved. Remembering to update the system as and when you change how you work or the intended process is amended. The organization must be defining job roles prior to recruitment, allocating job descriptions to personnel, and linking this to the processes within the business. For eg A sales administrator might be expected to have 12 months’ experience in writing quotations. When they join there would be a period of training and reinforcing this through a written job description. The output would be a more senior colleague reviewing quotes, confirming they are correct, and ensuring that the customer is being quoted for what they asked for. If a form or process is amended along the way advising the sales administrator and ensuring the new versions are applied.
To be read along with clause 5.3 of ISO 9001 Please click hear for clause 5.3 of ISO 9001.The organization must define the roles at all relevant function, levels and process. The organization must have a procedure for establishing the responsibilities and authorities to ensure that QMS conform to the requirement of the ISO 29001:2020 std, all process are delivery their intended output, promotion of customer focus through out the organization, integrity of QMS is maintained when changes to QMS is planned and implemented, and reporting the performance of QMS as well as the opportunities of improvement to the top Management . The organization must have record of these roles , and responsibilities and authorities of these roles.
The main objectives of ISO 29001 are to provide confidence in the organization’s ability to consistently provide customers with conforming Products and services and to enhance customer satisfaction. The concept of “risk” in the context of ISO 29001 relates to the uncertainty in achieving these objectives. ISO 29001 incorporates risk-based thinking in its requirements for the establishment, implementation, maintenance, and continual improvement of the quality management system. Organizations may choose to implement a formal risk management program such as ISO 31000, ISO/TR 31004 and IEC 31010 provide guidance on risk management principles, framework and generic processes, and risk assessment techniques . In these ISO and IEC deliverables, risk includes opportunity. The concept of risk is built into the whole management system. Risk-based thinking is also part of the process approach. Risk-based thinking can also help to identify opportunities. For risk-based thinking, the organization must understand any external and internal issues as given in clause 4 context of the organization. Risks and opportunities are determined in clause 6.1. Implementing Risk-based thinking also assures preventive action. One of the key purposes of a quality management system is to act as a preventive tool. ISO 9001:2015 does not have a separate clause titled preventive action. The concept of preventive action is controlled through risk-based thinking by managing risks and opportunities identified in clause 6.1
6.1 Actions to address risks and opportunities.
This sub-clause requires a risk-based approach. In addition to this clause, the reference to the terms ‘risk’ and ‘opportunity’ are made throughout the standard. Consider the issues determined in clause 4.1 and the needs and expectations of interested parties in clause 4.2 to determine your risk and opportunity. The organization should determine risks and opportunities to assure that that the quality management system can achieve its objective, prevent or reduce undesired effects, and for continual improvement. The organization shall plan actions to address risks and opportunities. The actions identified should be appropriate to its potential impact on the QMS. The action of risk and opportunities must be integrated and implemented into the QMS processes. The effectiveness of these actions must be evaluated.
Actions to address the risks – First, the organization should identify the risks and opportunities it wants to address. Then the organization must determine the severity of each risk and opportunity. Understanding the severity, the organization must plan action to address the risk and opportunity. This can be captured in the Risk plan. Plan how all the elements can come together, and how it will be run, and a means of checking them, and that the plan is on track. Use risk methodologies to ensure that you apply things appropriately. The greater the risk and the impact on the organization, the greater the control measures, planning, management, etc. If necessary, have a Plan B. Consider how an understood risk can be used in a positive way to look at other ways of doing things or other products.
To be read along with clause 6.1 of ISO 9001 Please click hear for clause 6.1 of ISO 9001.The organization must establish a procedure to support and demonstrate the establishment of process of management of risks and opportunities. The procedure must define the tool, technique and their application for the identification and identification of risk and opportunities, and also prevention and mitigation of risk. It must identify relevant interested parties, sources of risk and opportunity, areas of impacts, events and their causes, and their potential consequences, The procedure must also include analyses for potential risk and opportunity by determining its consequences and likelihood, evaluation of risk and opportunity and to develop controls for them, and application of appropriate risk treatments and opportunity realization plans. The organization must also have record as an evidence of support and demonstration of the management of risks and opportunities as per the process established.
6.2 Quality objectives and planning to achieve them.
No quality plan can be complete without having measurable quality objectives. An objective should include a description of who is responsible, what is the target, when is it planned to be achieved. Progress must be monitored. Also, requires objectives to be set for relevant processes. Ensure that whatever objectives you implement are SMART
Some key rules are as follows:
- Make sure they comply with the law and industry standards.
- Make sure they conform with the products and services to make them better.
- Monitor your objectives periodically to check what you are doing.
- Tell the staff what they are and what you expect of them.
- Updated when the management changes something.
Keep records of this. This should be included in the customer SLA and planning should be in place to ensure you can resource this response rate. An example could be Understanding the total number of planned maintenance, the number of reactive maintenance to ensure you calculate the appropriate levels of resources. Organizations need to clearly understand how these will be realized. For example, if your aim is to provide national coverage, how will this be achieved? What resources will you allocate, recruiting staff countrywide? Who will manage it? Have you understood when it needs to be achieved and what will you do to check it is effective?
To be read along with clause 6.2 of ISO 9001 Please click hear for clause 6.2 of ISO 9001.
6.3 Planning of changes.
The clause lists items to be considered in change management. When some changes need to be made in the organization either in the product, service, or process, the impact of the change needs to be considered before a change is made. You will need to demonstrate that you have:
a) considered why are you changing it and what could happen when you make the change;
b) ensured that the QMS doesn’t get affected negatively, e.g. something can’t be done any longer once you have changed a process like you stop recording the number of quotes you are doing and therefore you don’t have an ability to review conversion rates;
c) thought about what you need to achieve it (e.g. people/technology, etc.);
d) considered what changes need to be made in the organization to make it happen.
To be read along with clause 6.3 of ISO 9001 Please click hear for clause 6.3 of ISO 9001.Any risk and opportunities which are associated with proposed change management must be managed as per as the procedure or Process of management of Risk and opportunities as mentioned in clause 6.1 . The organization must establish a procedure to manage the process of change. The organization must have records as an evidence of the implementation of change management.
The organization must determine and provided the resources needed for the establishment, implementation, maintenance, and continual improvement of the QMS. The organization must have the resources it needs to ensure the effective operation of the QMS. Resources may include raw materials, infrastructure, finance, personnel, and IT, all of which can be either internally or externally provided. The organization must have a clear understanding of:
- what an organization has in house and whether this is sufficient/fit for purpose to achieve its goals and objectives.
- what additional support might be needed externally.
For example Specialist skills that are better outsourced due to the size of the organization (e.g. security screening, health, and safety advice).
To be read along with clause 7.1.1 of ISO 9001 Please click hear for clause 7.1.1 of ISO 9001
This standard expects an organization to determine and provide the appropriate number of personnel to effectively implement the QMS and for the operation and control of its processes. Allocation of staff in order to achieve the required outcome. This means determining that you have someone to carry out a specific process e.g. recruitment, screening, and training of staff. Dependent on the size of the organization this may be one or two people or a team. The senior management will need to determine the resource needed and maintain this. This will be about ensuring you have the right number of engineers or security officers to provide the service that you have quoted. This will depend on the specifics set out in the contract and terms. e.g. ensuring you have sufficient engineers to respond within 24 hours. Ensuring you have sufficient trained security officers to replace those who may be sick or on holiday.
To be read along with clause 7.1.2 of ISO 9001 Please click hear for clause 7.1.2
Essentially a company needs to consider all the things they will need in order to deliver a service and product to the customer. This may be :
- buildings, water, gas, electricity, etc.
- equipment such as e computers, operating systems, printers, software, monitoring equipment, etc
- vehicles that may be needed for engineers, managers, sales and survey staff;
- information such as standards that have to be applied, the internet, mobile phones, tablets, etc.
To be read along with clause 7.1.3 of ISO 9001 Please click hear for clause 7.1.3 of ISO 9001. The organization must have a procedure to establish a process for identifying Infrastructure and their usage to achieve conformity of the product and services. The organization must retain records as evidence implementation of the procedure for identification and usage of infrastructure. The procedure and record must include infrastructure to be maintained, method of maintaining including frequency and monitoring for the infrastructure to ensure infrastructure integrity for performance requirements. It must also include outcome of maintenance, including applicable testing methods and acceptance criteria and responsible personnel. For service related infrastructure such as equipment or Machines it must include usage history, repairs or redress, modifications, re manufacturing, inspection, and test activities that allow direct verification for reuse of infrastructure as well as list of critical spare parts as recommended by the original equipment manufacturer or customer or technical requirement or combination of three. The organization can apply risk based maintenance which includes the concept of
— preventive and predictive maintenance;
— reliability centred maintenance;
— mean time between failures;
— system, design and process failure mode and effects analysis;
— failure mode and criticality effects analysis;
— process control plans; and
— others that are in context of the organization and its risks.
7.1.4 Environment for the operation of processes
The environment for the operation of processes clause ensures that the organization determines, provides, and maintains an environment necessary for the operation of its processes and to achieve conformity. The term environment refers to the work environment and is used to describe the set of conditions in which employees perform their work and under which products and services are produced. Conditions can include physical, social, psychological, and environmental factors (such as temperature, lighting, recognition schemes, social and occupational stress, ergonomics, etc). It can also relate to conditions on how work is actually done (complex, repetitive, creative, interactive, team, etc.) in work processes and procedures. The standard makes reference to the environment that you work in and may include the following:
- Equality Opportunities, whistleblowing, the anti-bullying policy.
- Violence at work, counseling support, lone working.
- Office-based risk assessment, space, noise levels.
To be read along with clause 7.1.4 of ISO 9001 Please click hear for clause 7.1.4 of ISO 9001
7.1.5 Monitoring and measuring resources
The organization needs to decide what tools it uses to measure organization performance. It also needs to consider whether these tools will give them everything they need as a result. You may use commissioning paper trail and or electronic processes. For eg to monitor Customer Service, you may take feedback after installing via phone call. Other organizations may have a CRM in place. Some of the Suitable measuring tools may be equipment that is used to test and commission systems such as multimeters, insulation testers, sound pressure level meters, etc. You may be required to do calibration of all the test equipment that you use.
To be read along with clause 22.214.171.124 of ISO 9001 Please click hear for clause 126.96.36.199 of ISO 9001. The organization must establish a procedure that defines the processes and controls to manage monitoring and measurement resources (equipment). The procedure must have mechanism to ensure equipment are suitable for he specific type of monitoring and measurement activities being undertaken. Their maintenance for their continuing fitness. The organization must also have record as an evidence of fitness for purpose of the monitoring and measurement resources
188.8.131.52 Measurement traceability
Measurement traceability is the process of validating the equipment that will be used to measure products and resources. This will give the organization confidence that all measurements are completely correct. You need to establish whether this is relevant to you and meeting all applicable requirements for the product and services.
- Is it required to be calibrated?
- Allocated unique reference numbers and listed on a register of some sort.
- Allocated to personnel as and when needed and a clear process in place to ensure all staff knows how to use it properly.
- Able to identify calibration status
- Protected from an adjustment that could affect results of measurement
- Protected from damages during moving, repairs, or storage
- Non-conforming devices are checked against a conforming device
To be read along with clause 184.108.40.206 of ISO 9001 Please click hear for clause 220.127.116.11 of ISO 9001. Organization must have a procedure and all relevant records as an evidence of the procedure being followed for the measurement traceability. The procedure must demonstrate the conformance and measurement traceability of the measuring equipment used to determine product conformity to requirements. Organizations are expected to check results from calibration to ensure they are comfortable and have not been tampered with. You may have a measuring equipment register Register. The procedure must include a unique identification, specific to each piece of equipment. The procedure must establish as mechanism for calibration or verification of the measuring equipment or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards When no such standards exist, the procedure must establish the basis used for calibration or verification. It must include the identification for determining their status. It must establish mechanism for safe guarding the measuring equipment from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results. The procedure must establish a mechanism for action to be taken when validity of previous measurement results has been affected when a instrument is found to be defective during its planned verification or calibration or when in use. It must also establish a mechanism for customer notification.
7.1.6 Organizational knowledge
The organization shall determine the knowledge necessary for the operation of the QMS, ensure the conformity of products and services, enhance customer satisfaction. As necessary the organization is responsible for maintaining, protecting, and making sure the knowledge is available. Knowledge is to be considered when making changes to the organization. Knowledge required depends on the size and complexity of the organization, the risks and opportunities it needs to address, accessibility of knowledge, the process for considering and controlling past, existing, and additional knowledge. As long as the conformity of products and services can be achieved, the balance between knowledge held by competent people and knowledge made available by other means is at the discretion of the organization. Consideration can be given to whether competent employees have this knowledge
To be read along with clause 7.1.6 of ISO 9001 Please click hear for clause 7.1.6 of ISO 9001
The organization needs to determine the necessary competence of its employees, and ensure those employees are competent on the basis of appropriate education, training, and experience. The organization must have a process for determining the necessary competence and achieving it through training or other means. Determining competence is a necessity in any organization. Working out on the skills your team has and the skills they don’t yet have and the skills they will need to achieve the company’s objectives. For example to achieve the objective of “Increase in sales”, you need to improve the competency of your sales team by training them.
To be read along with clause 7.2 of ISO 9001 Please click hear for clause 7.2 of ISO 9001. The organization must establish a procedure and all relevant records as an evidence of implementation of procedure for competence. The procedure must define the practices employed to manage competence requirements of personnel whose responsibilities influence the achievement of quality objectives. The procedure must include the determination of necessary competence of its employees whether staff ,workers, contract workers, full time or part time or outsourced, on the basis of appropriate education, training, or experience. In case gaps are identified in the competence the procedure must include actions to be taken to acquire necessary competency and evaluation of the effectiveness of the actions taken .The procedure must also validate the competence to the risk level associated to the above mentioned task as per procedure as given in clause 6.1. Competency Matrix/ catalogue, proficiency levels, criteria for attaining and maintaining proficiency, competence profiles can be part of the competency model as a part of the procedure. Validation of proficiency levels can include technical interviews, assessments and on job/ classroom/online training.
The clause of Awareness is closely related to the clause of competence. Employees must be made aware of the Quality Policy and its contents. They must also be aware of how their personal performance currently impacts QMS and its objectives or may impact it in the future. They must understand the implications of positives or improved performance, and poor performance may be to the QMS. There is a greater focus on not just communicating the policy but to ensure that it is understood by all the employees and how it affects their work, especially if they deviate from it. They must understand what they contribute and how this can make the organization better. From a QMS point of view, the organization should look to explain policies more clearly so that the staff understands their meaning. It may useful to capture this on a training record,
For Quality Policy the employees:
- Read and understood = insufficient
- Understand companies aim = Yes
- Understand the company’s processes in which they are involved = Yes
- Understand their impact = Yes
- Understand they can have a positive effect = Yes
- Understand they can have a negative effect = Yes
To be read along with clause 7.3 of ISO 9001 Please click hear for clause 7.3 of ISO 9001. The organization must also ensure that its employees whether staff ,workers, contract workers, full time or part time or outsourced are aware of related to their work the customer requirement, regulations, the process of risk mitigation, the requirements of conformity assessment.
This clause includes both internal and external communication about the QMS. Processes for internal and external communication need to be established within the QMS.
The key elements of Communication that an organization must establish are
- what needs to be communicated?
- when it needs to be communicated?
- how it should be done?
- who needs to receive the communication? and
- who will communicate?
It should be noted here that any communication outputs should be consistent with related information and content generated by the QMS for the sake of consistency. This is a straightforward clause and is simply about effectively communicating to all those within the organization and those affected by it. Internal communications can include briefings to staff on:
- new policies;
- new or amended objectives;
- new or amended strategies;
- new clients;
- new or amended technology;
- new products;
- issues with suppliers;
- anything that will have an impact on them.
Designate a person responsible for updates that may be either department heads or Top Management.
To be read along with clause 7.4 of ISO 9001 Please click hear for clause 7.4 of ISO 9001
7.5 Documented information.
The term “documented information” in the ISO 29001 is basically a combination of the two terms “documents” and “records”. “Documents”, “Documentation” and “Records” are combined to become “Documented information”. It refers to all of the important information within the organization that must be kept organized and controlled. It is a requirement to determine, make available, and maintain knowledge. It mentions issues such as confidentiality, access, and data integrity. The organization may adopt information security due to the increasing use of electronic documents/data. Documented procedures (e.g. to define, control, or support a process) are now expressed as a requirement to maintain documented information. and records are expressed as a requirement to retain documented information.
7.5.2 Creating and updating
When documented information is created or updated, organization should ensure that it is appropriately identified and described (e.g. title, date, author, reference number). It must be in an appropriate format (e.g. language, software version, graphics) and on appropriate media (e.g. paper, electronic). Confirm that documented information is reviewed and approved for suitability and adequacy. When documented information is created or updated, Organization should ensure that it is appropriately identified and described (e.g. title, date, author, reference number). It must be in an appropriate format (e.g. language, software version, graphics) and on appropriate media (e.g. paper, electronic). Documented information should be reviewed and approved for suitability and adequacy.
7.5.3 Control of documented information
A robust document control process invariably lies at the heart of any compliant management system; almost every aspect of auditing and compliance verification is determined through the scrutiny of documented information. With this in mind, it becomes apparent that the on-going maintenance of an efficient document management system must not be overlooked. Organization must control the documented information required by the QMS. A suitable process must be implemented to define the controls needed to; approve, review, update, identify changes, identify revision status and provide access. The documented information process should define the scope, purpose, method and responsibilities required to implement these parameters. In order to comply with the documented information requirements, it is essential that all personnel understand what types of information that should be controlled and more importantly, how this control should be exercised. To get the most out of your documented information process, it must communicated to ensure that staff and other users of the documentation information understand what they must do in order to manage that information effectively and efficiently. Demonstrate the organization’s arrangements for controlling documented information required by ISO 29001 and your organizations own requirements, including:
- Availability e.g. document accessibility (hard copy, electronic media), readily available at the point of use;
- Suitability e.g. format, media suitable to the environment, ease of understanding, language, interpretation;
- Protection e.g. document authentication, document markings (official, secret, restricted, confidential, private, sensitive, classified, unclassified), access controls (individual, role specific),
- Physical security (master documents, server rooms, libraries) IT security (User ID, password, servers, download, back up, encryption, ‘read only’, ‘read/write’), protection from corruption and unintended alterations.
- Demonstrate the organization’s arrangements for document retention e.g. organization/legal/contractual retention periods, storage, preservation, back up, retention of knowledge, disposal, obsolescence e.g. withdrawal, replacement, legacy archive and suitable identification (‘for information only’, ‘not to be used after….’, ‘uncontrolled copy’, ‘for reference purposes only’, etc.
Ensure your organization protects electronic data, e.g. security policy, system access profiles, password rules, storage and back-up policy including protection from loss, unauthorized changes, unintended alteration, corruption, physical damage. Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
To be read along with clause 7.5 of ISO 9001 Please click hear for clause 7.5 of ISO 9001. The organization must establish a procedure for Control of Documented Information. The procedure must include mechanism for distribution, access, retrieval and use of the Documented Information (Documents and Records.). It must include storage and preservation, including preservation of legibility, ) control of changes (e.g. version control), retention and disposition. It must also include the process for preventing unintended alteration of Records. It must Include process for identification and control of Documented Information (Documents and Records.) of External origins (Example can include standards, equipment manual, Tender document, Purchase order, Invoice, etc ). It must also include the practice of integrating external specification requirements, including addenda, errata, and updates that are used in manufacturing and designing of product or services into related operating processes.
8.1 Operational planning and control.
In order to meet the requirements for the delivery of products and services, the organization needs to plan, implement, and control its processes. The first step is to determine the requirements for products and services, meaning what features the product or service will have. Then, the organization needs to define how processes will be performed and what criteria the product or service needs to meet to be accepted for release. Finally, the organization needs to determine the resources needed for the processes and the records needed to demonstrate that the processes were carried out as planned. Once they have done their planning for what they are going to sell, they then must plan the detail of how this can be done operationally. The organization may need to :
- Set up supplier accounts/trade accounts.
- Purchase stock.
- Ensure staff have the correct skills and understand the process.
- Purchase tools and vehicles.
- Make sure you have enough staff.
- Issue clear instructions, drawings, procedures risk assessments to enable them to do the job.
The organization needs to show clear control of the process. They will be expected to check that delivery is as expected and when there are deviations that this is managed and negative impacts controlled. The same control should be applied to subcontractors.
To be read along with clause 8.1 of ISO 9001 Please click hear for clause 8.1 of ISO 9001. The organization must take into account the customer’s scope when determining the requirements for the products and services. The organization can establish a quality plan, service quality plan or inspection and test plan which specifies the processes of QMS and the resources to be applied to a specific product, service, project or contract. This and all relevant records, as an evidence of implementation must be controlled as per procedures given 6.1 and 7.5. While planning the operation base on the risk of achieving requirement and improvement opportunities the organization must apply change management process as per the procedure given in clause 6.3. When contingency plans are established as a risk treatment it must include at minimum roles and responsibility for response, communication and immediate actions.
8.2 Requirements for products and services.
Requirements for products and services are closely related to communication with customers. This communication must include information related to the products or services, handling inquiries, contracts or orders, customer feedback, handling and controlling customer property, and, if needed, establishing specific requirements for contingency actions. Before offering the product or service to the customer, the organization needs to ensure that the requirements for the products and services are defined and that the organization is able to deliver such products or services. Requirements for products and services include any applicable legislation and the requirements that the organization considers being necessary. After receiving the order, the organization must, prior to delivery, review the requirements related to the product and keep records about the review. If the customer changes its requirements, these also must be reviewed and recorded. In case of changes, the organization must ensure that all documented information is amended and all relevant persons are aware of the changes.
8.2.1 Customer communication
This is essentially about how you relate to the customer, to include:
a) what you are selling;
b) how they can expect to be dealt with (e.g. formal quote/email/letter/terms you will work under/within);
c) getting feedback from the customer;
d) looking after their property (e.g. premises whilst you are in there);
e) what plans you put in place for if something goes wrong.
Ensuring the customer has a clear written quotation and specification relating to the services they want. Allocating a specific person/manager to the customer so that they have one key contact for all communication; that way, positive and negative feedback is captured and dealt with. you must give useful information about your products/services. you must provide some mechanism to have your customers ask about the products/services and e a way for customers to inquire about your invoices and fees. The customer must have a way to ask about changes. There should be a way to collect customer complaints and a way to collect feedback. If your customers provide their property as a part of your product/service, they must be able to understand how it is handled. If there are any risks associated with your product or service, your customer must be told of them and how they are handled
To be read along with clause 8.2.1 of ISO 9001 Please click hear for clause 8.2.1 of ISO 9001.
8.2.2 Determining the requirements for products and services
Organizations need to be clear about what is required in order to sell their products and services. You must review customer requirements before committing to supply the product or service. You need to take into account a few things here. You must consider:
- Applicable acts and regulations
- What to do when providing verbal contracts.
- for legal and industry norm;
- elements the organization determines as necessary for their own needs.
Once all that is considered and reviewed, you need to formally accept the requirements with confirmation back to the customer of what you are going to deliver and when. You need to keep documented information on this review. The organization must be able to deliver what it is selling. Liaise with suppliers, attend open days, read the product literature.
To be read along with clause 8.2.2 of ISO 9001 Please click hear for clause 8.2.2 of ISO 9001.
8.2.3 Review of the requirements for products and services
Organizations are expected to review whether they can provide what they intend to sell. This review must include taking into account:
a) what the customer orders, the install and any after work, e.g. maintenance / follow up / servicing;
b) elements that need to be completed to ensure the job is fitted correctly – meter reading tests / commissioning forms / standard operational check;
c) anything else the company need to implement;
d) legal and industry standards
e) any variations. If the customer has changed their order, this needs to be defined and the customer must accept this change if they haven’t already confirmed it in writing.
Reviews must be documented. If they want to use new products and services, this must be recorded. Customers should be made aware of the impact of changing products and services, etc. Organizations may choose to do a contract review either using paper or electronic documents, confirmation emails, quote proposals, etc. It must also record any change in technology you might use.
To be read along with clause 8.2.3 of ISO 9001 Please click hear for clause 8.2.3 of ISO 9001. The organization must establish a procedure for Contract Review that defines the process for the review of requirements related to the provision of products or services before committing to the customer.
8.2.4 Changes to requirements for products and services
If there is any change in the Customer order, this needs to be tracked and documented. Someone in the organization who is responsible for executing the customer order must ensure that all related departments related to executing the order are aligned. You should seek and record evidence that your organization has ensured that all relevant documented information relating to changed product or service requirements, is amended and that relevant personnel is made aware of the changed requirements. Define your organization’s arrangements for amending documented information and communication of changed requirements e.g. updated contract review records, amended orders/contracts, memos, change notices, quality plans, meeting minutes, together with communication to relevant interested parties (persons within or outside the organization that may be impacted by the change).
To be read along with clause 8.2.4 of ISO 9001 Please click hear for clause 8.2.4 of ISO 9001.
8.3 Design and development of products and services.
This clause refers to design and development management, from the initial idea to the final acceptance of the product. The definition of design is “a plan or drawing produced to show the look and function or workings of a building, garment, or another object before it is made.” Putting it simply if the organization is creating something be it a tangible product or intangible service, there will certainly be an element of Design. ISO 9000 explains that the terms “design” and “development” are often used as synonyms, and defines the different phases of overall design and development. This means that design can’t be used apart from development and that they represent one single process. During design and development planning, all its phases must be defined with appropriate activities of review, verification, and validation for each phase. ISO 29001 refers to the design and development of the product and not to the design and development of processes. Design and development inputs requirements relate to the product include:
- Functional requirements and product performance requirements
- Legal and regulatory requirements for product
- Information from previous similar projects
- Other requirements relevant to design and development, usually customer requirements, market information, package, etc.
Design and development outputs must be in a form suitable for verification related to input elements and must be approved before acceptance. They can be in the form of a drawing, engineering documentation, plans, etc. The organization also needs to define design and development review activities. The purpose of these activities is to determine whether the design and development process goes in the intended direction. The review must be done in appropriate phases and at the end of the project. The review identifies problems during design and development and suggests actions to resolve them. It can include other interested parties. The design and development review must be recorded. Also, the company needs to identify, review, and control changes during the design and development of products and services. A record should be kept regarding the changes, results of reviews, authorization of the change, and actions taken to prevent adverse effects.
To be read along with clause 8.3.1 of ISO 9001 Please click hear for clause 8.3.1 of ISO 9001.
The organization must have a plan on how to do the design and development. A design and development plan which will have the project timescales, deliverables, responsibilities of team & individuals, persons of authority for sign-off for an internal, or external customer, design reviews at a relevant phase in the project e.g. start, confirmation of inputs, post verification, post validation, finish, etc., resources required throughout the project, communication with subsequent process owners, and required controls throughout the project and intended use of the output.
To be read along with clause 8.3.2 of ISO 9001 Please click hear for clause 8.3.2 of ISO 9001.The organization must establish a procedure for Design and development of products and services that defines the processes used to plan and control design and development activities of products and/or services. During the planning stage the organization must ensure that the process of managing risks and opportunities are incorporated in the design development process as per the procedure given in clause 6.1
There are many inputs to the process. The inputs may be:
- The requirements from the customer like what do they want to achieve and what are their needs & expectations
- The parameters & constraints of designs e.g. materials, dimensions, functionality, life cycle, sustainability, etc.
- The statutory and regulatory requirements or codes of practice like product and safety directives, building regulations, etc
- Availability of information from previous designs like a review of learnings – good/bad/potential improvements, etc.
To be read along with clause 8.3.3 of ISO 9001 Please click hear for clause 8.3.31 of ISO 9001.The input to the Design and Development should also include output o process of managing risks and opportunities are incorporated in the design development process as mentioned 8.3.2 and can also include environmental and safety conditions as part of performance requirement.
It is a critical step in Design and Development. It helps the organization to determine how the results to be achieved such as what are the project deliverables, how will they be achieved and how will they be measured (acceptance criteria). The reviews have to be conducted throughout the project as mentioned above at the relevant phase in order to meet the input requirements.
To be read along with clause 8.3.4 of ISO 9001 Please click hear for clause 8.3.4 of ISO 9001.
It is the outcome of the Design and Development process. Typical examples of outputs include conceptual designs, technical/engineering drawings, product specifications, manufacturing instructions, bill of materials, information for purchasing, and other subsequent processes. The output must meet the input requirements ie it has achieved the intended results. The organization must determine that they can move forward in the project using the outputs, and must confirm any necessary equipment for measuring and/or testing and the acceptance criteria.
To be read along with clause 8.3.5 of ISO 9001 Please click hear for clause 8.3.5 of ISO 9001.
The organization must have an established formal process for controlling design and development changes throughout the project and during reviews. The changes have to be documented and the results of design and development reviews communicated. There has to a person of authority to authorize the changes. The process must include a mechanism to identify the most up-to-date revisions and mitigate the risk of using superseded versions, Examples of this can be version no /revision no /authorization control on drawings, a design/drawing register, engineering change notes, etc.
To be read along with clause 8.3.6 of ISO 9001 Please click hear for clause 8.3.6 of ISO 9001.
8.4 Control of externally provided processes, products, and services.
This clause refers to purchasing. The purchasing includes products and services you acquire from suppliers and outsourced processes. ISO 9001:2015 expresses “suppliers” and “Outsourcing” as external providers of products and services. “Purchasing” and “Purchased products” are referred to as “Externally provided products and services”. Clause 8.4 Control of externally provided products and services addresses all forms of external provision, whether it is by purchasing from a supplier, through an arrangement with an associate company, through the outsourcing of processes and functions of the organization, or by any other means. The organization needs to establish and document criteria for suppliers’ selection, which includes how crucial the purchased product or service is to the quality of your product. The results of the supplier evaluation must be recorded. The organization is required to take a risk-based approach to determine the type and extent of controls appropriate to particular external providers and externally provided products and services. In order to ensure that externally provided processes, products, and services do not have an adverse effect on the conformance of the organization’s products and services, the organization needs to establish controls including verification and other activities. As part of the controls, the organization needs to communicate to external providers its requirements for:
- the processes, products, and services to be provided
- the approval of methods, processes, and equipment
- verification or validation of the activities that the organization intends to perform
To be read along with clause 8.4.1 of ISO 9001 Please click hear for clause 8.4.1 of ISO 9001.
8.4.2 Type and extent of control
The organization must evaluate the critical suppliers against a fixed set of criteria. The criteria can include technology, Quality, Responsiveness, Delivery, Cost, Environmental impact. As they use these suppliers they will need to monitor their performance against its requirements. It takes some effort to ensure that the suppliers are performing, but it is time and resources very well spent. As they regularly talk with critical suppliers about the issues and requirements a relationship will be built, one which will be mutually beneficial in the long-term. The organization must ensure outsourced processes are controlled. It must define the controls for the supplier. These controls could be defined through purchase orders, in agreements, or in contracts. In addition, it needs to control the actual product or service they purchase. It could ask for a certificate of conformance, or a test report, or a third-party test. The organization doesn’t require to have “one-size-fits-all” controls for all suppliers. For the critical suppliers that have a significant risk to the organization, they need to put tighter controls in place. For others – not so much. Also, they must ensure that suppliers meet local laws and regulations. Also, they need to inspect the product or service from the supplier.
To be read along with clause 8.4.2 of ISO 9001 Please click hear for clause 8.4.2 of ISO 9001.The organization must establish a procedure for control of externally provided processes, products, and services. The procedure must ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers and remain within the control of its QMS. It must define controls that it intends to apply to an external provider (suppliers/vendors/ contractors etc.) and those it intends to apply to the purchase product or services by taking into consideration their potential impact of their processes, products and services consistently meeting customers and legal requirements and the effectiveness of those controls. The procedure must determine the necessary verification, to ensure that the externally provided processes, products and services meet requirements. The organization must have the records as an evidence of the effectiveness of the verification activity. The procedure must include the planned assessment of the performance of external provider to be periodically so as to adjust the type and extent of controls to manage associated risks and opportunities. The procedure should address the risks to the achievement of specified requirements and improvement opportunities for the products and/or services
8.4.3 Information for external providers
This is about ensuring that third-party suppliers and subcontractors have a clear understanding of what they are expected to supply. This is typically done with a purchase order but it could also be by contract or agreement. Other methods of spelling out requirements for suppliers can be inspection and test plans, work briefs, statements of work, and even forecasts.
To be read along with clause 8.4.3 of ISO 9001 Please click hear for clause 8.4.3 of ISO 9001.
8.5 Production and service provision.
An expansion on previous requirements e.g. documented information to specify intended results and to determine the nature and extent of any post-delivery (after-sales) activities. The production and services provision process needs to be performed under controlled conditions that will ensure that the product or service delivered is compliant with initial requirements. This includes a sufficient level of documentation, like procedures, work instructions, and records, monitoring and measurement equipment, appropriate infrastructure, etc. The organization must use suitable means to identify outputs when it is necessary to ensure products and services conformance. When traceability is a requirement, the organization needs to control the unique identification of outputs and retain documented information necessary to enable traceability. In cases when the organization uses property belonging to a customer or external provider, it is required to identify, verify, protect, and safeguard this property. When the property of the customer or external provider is lost or damaged, the organization will have to report to the owner and retain documented information on what has occurred. The decision on the extent of post-delivery activities will be affected by the following:
- statutory and regulatory requirements
- potential undesired consequences related to products and services
- lifetime, use, and the nature of the products and services
- customer requirements and feedback.
In case of changes in the production and service provision process, the organization must review and control the changes in order to ensure continuing conformity with the requirements.
8.5.1 Control of production and service provision:
The organization must carry out the activities to provide products or services under controlled conditions. The common controlled conditions that should be used include documented information for products and services, suitable monitoring and measurement resources (including equipment), suitable infrastructure and environment, competent persons, validation of the ability to achieve results, actions to prevent human error, and activities controlling product release, delivery, and post-delivery. As with all other processes, these do not need to be documented procedures unless non-conformance would occur if the procedure was not written down.
To be read along with clause 8.5.1 of ISO 9001 Please click hear for clause 8.5.1 of ISO 9001. The organization must establish a procedure that defines the controls used to meet the requirements of of production and/ or service provision. The Control conditions must include the special characteristics of the product , services or the activities of the organization, the results that needs to be achieved, availability of monitoring and measuring equipment, ensuring of monitoring and measuring activities (inspection) takes places at different stages of production/service to have the confidence that both the processes themselves and the process outputs (product/service) meet the organization’s acceptance criteria. Suitable infrastructure and work environment. Competent personal with required qualification.Product and service release, delivery and post-delivery activities are implemented. action to prevent human error like use of work instruction and training of employees. The organization must also establish a procedure for validation of processes , where the results cannot be verified by subsequent monitoring or measurement. The process itself is initially validated and then periodically re-evaluated. The procedure must include required equipment, competence of personnel, use of specific methods, including identified operating parameters, identification of acceptance criteria and re validation. The organization must have all relevant records as an evidence of the procedures being followed and to demonstrate the control effectiveness.
8.5.2 Identification and traceability
Organization should seek and record evidence that product is identified (as appropriate) and its status with regards to monitoring and measuring (conforming or not) is identified throughout the manufacturing processes. Where traceability is a requirement, Organization should be controlling and recording the unique identity of the product throughout the production process to ensure that only products that have passed the required inspections and tests are utilized. organization must have a process in place for the identification and traceability of outputs, in terms of the monitoring and measurement requirements at all stages of production, to enable the demonstration of conformity to requirements, e.g. physical part marking, labeling, tags, bar codes, signage, visual indicators, part segregation, lay down areas, storage racks. There are several ways of identifying products to prevent them becoming mixed with other parts, components, or orders. The most obvious is using tags or stickers with a unique traceability identifier, such as a lot or batch number included on the product labels. The identification may be engraved in the product itself, or the product may simply be marked by a colour. Establish and implement a procedure to identify the product through the design, development, manufacture and delivery stages. The established a traceability system should track components from raw material through inspection, test, and final release operations, including rework:
- Establish the identity and status of products;
- Maintain the identity and status of products;
- Maintain records of serial or batch numbers.
To be read along with clause 8.5.2 of ISO 9001 Please click hear for clause 8.5.2 of ISO 9001. The organization must establish a procedure and all relevant records as an evidence of implementation of procedure for Identification and traceability. The procedure defines the processes for use of suitable means for the identification and traceability of outputs (product and services) to enable the demonstration of conformity to requirements. It also defines the process for the identification of status of outputs (product and services) to enable the demonstration of conformity to requirements through out the manufacturing/ servicing process. Where traceability is a requirement, Organization must controlling and record the unique identity of the product throughout the production process to ensure that only products that have passed the required inspections and tests are utilized.
8.5.3 Property belonging to customers or external providers:
This requirement is very important if the organization uses the customer or supplier property. It can come in many forms such as piece parts that will become part of the delivered product, special equipment to perform specific testing for the customer, or even proprietary information that is needed to use to design and deliver the product or service. When a customer or other party has given any property to use in supplying their needs, it is needed to control that property from unintended use and have a way of dealing with that property with external party involvement should there be a problem with it. Records of this activity need to be maintained to show accurate records of customers or external property. In fact, personal data that is provided by the customer and supplier would also need protection.
To be read along with clause 8.5.3 of ISO 9001 Please click hear for clause 8.5.3 of ISO 9001. The organization must establish a procedure and all relevant records as an evidence of implementation of procedure for Control of Customer /External provider property. The procedure defines the processes for the care the organization must exercise with property belonging to customers or external providers while it is under the organization’s control or use by identifying, verifying, protecting and safeguarding it. If property is lost or damaged or found to be unsuitable, this needs to be recorded and the customer needs to be notified.
Adequate measures must taken to protect and preserve the product during internal processing and delivery to the intended destination. The preservation process must include packaging, storage and other product specific handling methods, the requirements for which are likely to be an output of the design process.
- Identification – The organization must ensure that products are properly identified and do not become mixed with other orders. All products are clearly identified. This is relative to identification and traceability however for preservation of product it is a requirement and not ‘as applicable’;
- Handling – This may include bulk handing using moving equipment or physical contact where handling may influence product conformity. Suitable handling methods should be implemented throughout the processes.
- Packaging – The organization must ensure that labeling and marking of shipped products are sufficient to enable adequate identification and traceability back through QMS. This should include ensuring that labeling and marking maintains its integrity and remains affixed throughout the shipping process. The methods must be established for packaging the product to preserve its integrity. Package products appropriately for shipping in order to preserve the product’s integrity throughout the shipping process;
- Storage – This should include storage conditions to prevent the deterioration, damage or loss. The product should be stored in a manner to safe guard product;
- Protection – Raw materials, in-process materials, inspected product, nonconforming product and product ready for shipping should be identified with its status and protected from any unintended alteration. Appropriate measures are in place to protect product. This will vary depending on the product.
To be read along with clause 8.5.4 of ISO 9001 Please click hear for clause 8.5.4 of ISO 9001. The organization must establish a procedure and all relevant records as an evidence of implementation of procedure for risk based Preservation. The procedure defines the methods used to preserve products and constituent parts throughout operations up to the delivery to its destination and or service delivery in order to maintain conformity to requirements. The procedure must also consider preservation of work environment controls. The procedure must also define the process for preservation of product and constituent parts kept in storage area before use or delivery to prevent damage or deterioration . It must also include type and frequency of assessment of products and constituent parts to detect deterioration. The procedure must also address identification and traceability marks, transportation, handling, packaging, and protection requirements, as applicable
8.5.5 Post-delivery activities:
Sometimes there is a need to perform activities on the product or service after it has been delivered to the customer. While the requirements for what needs to be done can vary greatly from one product or service to another. organization must meet requirements for post-delivery activities associated with the products and services. When determining the extent of post-delivery activities that are required, Organization should consider:
- Statutory and regulatory requirements;
- The potential undesired consequences associated with its products and services;
- The nature, use and intended lifetime of its products and services;
- Customer requirements;
- Customer feedback.
Taking these into account will give you an idea of what needs to be done after delivery, such as warranty provisions, maintenance services, or even recycling and final disposal services.
To be read along with clause 8.5.5 of ISO 9001 Please click hear for clause 8.5.5 of ISO 9001.
8.5.6 Control of changes:
The organization must implement a process for responding to unplanned changes that are considered essential in order to ensure that products or services continue to meet their specified requirements, in such a way that conformity with requirements is maintained. Changes should be documented and information retained about the changes, including who authorized the change and the actions arising from the change. The organization should make changes in a thoughtful manner and to consider the potential impact to other process, products and possibly the customer. Key items to consider are:
- Is the impact of the change evaluated to determine its affects to work in process or products already delivered?
- What process control documentation (procedures, travellers, forms, etc.) will need updating as the result of change to be implemented?
- Was the change approved prior to implementation including, where applicable, approval by the customer, statutory or regulatory authority?
- Does retained documented information indicate the source of change and information on necessary actions and approvals?
Organization must implement a process to control unplanned changes in accordance with the requirements set out above.
To be read along with clause 8.5.6 of ISO 9001 Please click hear for clause 8.5.6 of ISO 9001. The organization must review and control the unplanned changes of the product and service provision which includes changes in the organizational structure, key or essential personnel, critical providers, design, the management system in order to ensure that products or services continue to meet their specified requirements, in such a way that conformity with requirements is maintained. The organization must also review the changes due to the assessment of risk and opportunities and corrective action. The organization must notify the customers when these changes impact its product or services. Where specified the customer must also be notified of the effect of changes on residual or new risks.
8.6 Release of products and services.
The organization must have a process (method, techniques, formats, etc.) is in place to monitor and measure the characteristics of product to verify that requirements are being met. This must be accomplished at appropriate stages of the design and development process. Records must be maintained to provide evidence of conformity and indicate the person(s) authorizing the release of products. The release of product or delivery of service must not be completed until the planned requirements defined in Clause 8.1 have been met. The release of product may include, according to product planning and the verification stages; release to the next operation, release to an internal customer, or release to final customer, etc. Planned arrangements can include design verification and design validation, which can involve modelling, simulations, experiments, trials, prototypes, functional testing, performance testing; inspections comprising, in-process, first article and final inspection; thorough examination through destructive and non-destructive testing; customer acceptance testing, product certification/qualification, third party qualification from a regulator, recognized society, or independent testing body etc. For product release or service delivery, the planning requirements may be waived, but must be approved by relevant authority and by the customer as appropriate. Monitor and measure product characteristics to ensure they are able to demonstrate:
- Product characteristics are continually met;
- Evidence of conformity with product requirements.
Retain records to provide evidence that acceptance criteria have been met might include: e.g. certificate of conformity, release certificate, regulatory certificate. Ensure traceability to the person(s) authorizing the release such as name, authorized signatories, user identification, stamp impression etc., including their authority status (release signatory, certifying staff, scope of authorization etc.).
To be read along with clause 8.6 of ISO 9001 Please click hear for clause 8.6 of ISO 9001. The organization must establish a procedure and all relevant records as an evidence of implementation of procedure for Release of products and services.The procedure defines the process for implementation of planned arrangements, at appropriate stages, to verify that the product and service requirements have been met. The product or service should not be release until all the arrangements and complete and requirements being met or being approved by customer or relevant authorities. On the release of product and service the organization must have records of evidence that acceptance criteria have been met including person authorizing the release.
8.7 Control of nonconforming outputs.
Nonconforming outputs must be prevented from unintended use or delivery, so the organization must identify and control nonconforming outputs that emerge from any phase of production or service delivery. Depending on the nature of the nonconformity, the organization can take one or more of the following actions:
- segregation, containment, return, or suspension of the provision of products and services
- informing the customer
- obtaining authorization for acceptance under concession
Conformity to the requirements must be verified when the nonconforming output is corrected. The organization also needs to keep documented information that describes the nonconformity, the action taken, concessions obtained, and the authority deciding the action with respect to the nonconformity. You do not need a documented procedure any longer to detail how you will deal with things that go wrong but you do need to do the following:
- Fix it.
- Remove it if necessary.
- Tell the customer.
- Ask them to accept it.
You should record what you do when things go wrong:
- About what is wrong.
- what you did as a result.
- What concessions you gave? (e.g. did the customer accept it but you altered the cost)
- Who had the authority to make the change?
To be read along with clause 8.7 of ISO 9001 Please click hear for clause 8.7 of ISO 9001. The organization must establish a procedure and all relevant records as an evidence of implementation of procedure for control of non conforming output. The procedure ensure that non conforming output including those nonconforming products and services that are detected after delivery of products, during or after the provision of services are identified and controlled to prevent their unintended use or delivery. Based on the nonconformity and its effect on the conformity of products and services, the organization shall take appropriate action which can be correction, segregation, containment, return or suspension of provision of products and services, informing the customer and obtaining authorization for acceptance under concession. Once nonconforming outputs are corrected, Conformity to the requirements shall be verified.
9.0 Performance Evaluation
9.1 Monitoring, measurement, analysis, and evaluation.
Organization must develop a process (method, techniques, format, etc.) to identify, collect and analyze various data and information from both internal and external sources, including:
- Monitoring and measuring results;
- Process performance results;
- Meeting objectives;
- Internal audit findings;
- Customer surveys and feedback;
- 2nd or 3rd party audit results;
- Competitor and benchmarking information;
- Product test results;
- Supplier performance information.
This ‘input’ (information and data) should reflect upon the adequacy, suitability and effectiveness of the quality management system and its processes. The ‘output’ (result of the analysis) must provide information (understanding, insight, awareness, confidence, knowledge of, etc.). The analysis output must provide insight to:
- Customer satisfaction and perception;
- Product conformance;
- Process performance;
- Product and process characteristics;
- Trends in products and processes;
- Opportunities for preventive action;
- Suppliers and subcontractors.
Other potential or useful options might include:
- Need for corrective action;
- Opportunity for improvement;
It is important to document and retain as evidence the results of the evaluation of the performance of the quality management system. The quality objectives and the related KPIs established under Clause 6.2 provides useful input into addressing this clause.
Monitoring and measuring QMS operations and activities will establish a mechanism to ensure that your organization is meeting its policies, objectives and targets. In order to meet this requirement, your organization must perform six steps:
- Identify the activities that can have a significant impacts and risks;
- Determine key characteristics of the activity to be monitored;
- Select the best way to measure the key characteristics;
- Record data on performance, controls and conformance with objectives and targets;
- Determine the frequency with which to measure the key characteristics;
- Establish management review and reporting.
To be read along with clause 9.1.1 of ISO 9001 Please click hear for clause 9.1.1 of ISO 9001.
9.1.2 Customer satisfaction
The organization must have a consistent and systematic approach to deal with customer feedback and is obtaining information on customer perception. Just collecting data on customer perceptions is not sufficient, it must seek and record evidence that it has analyzed and evaluated customer data and that conclusions have been made with regard to the effectiveness of the management system.
- Are there any trends?
- Is the situation stable, improving, or deteriorating?
- Are customer needs and expectations changing?
A consistent and systematic approach has to be implemented to deal with customer complaints. This approach would typically include defined responsibilities for logging and tracking complaints, clearing technical issues, determining problem causes and actions to address them. Specific examples of complaints must be sampled. The link between the customer complaint process and corrective action also requires special scrutiny. Determine appropriate methods for monitoring and measuring customer satisfaction by:
- Using customer satisfaction surveys;
- Providing methods for receiving and dealing with customer feedback;
- Providing suitable processes to monitoring trends in, and reviewing customer data.
To be read along with clause 9.1.2 of ISO 9001 Please click hear for clause 9.1.2 of ISO 9001. The organization must establish a procedure and all relevant records as an evidence of implementation of procedure to measure customer satisfaction. The procedure defines the process employed to monitor customers’ perceptions of the degree to which their needs and expectations have been fulfilled. The procedure must include the methods for obtaining, monitoring and reviewing this information.
9.1.3 Analysis and evaluation
The organization must analyse and evaluate data and information, obtained either internally about the QMS and its operational process, or externally about its suppliers. Organization must develop a process (method, techniques, format, etc.) to identify, collect and analyze and evaluate data and information from both internal and external sources (i.e. quality records, monitoring and measuring results, process performance results, objectives, internal audit findings, customer surveys and feedback, 2nd or 3rd-party audit results, competitor and bench marking information, product test results, complaints, supplier performance information, etc.). This ‘input’ (information and data) should reflect upon the adequacy, suitability and effectiveness of the quality management system and its processes. The ‘output’ (result of the analysis) must provide information (understanding, insight, awareness, confidence, knowledge of, etc.). The analysis output must provide insight to:
Customer satisfaction and perception;
Product and process characteristics;
Trends in products and processes;
Opportunities for preventive action;
Suppliers and subcontractors.
Need for corrective action;
Opportunity for improvement;
Any record with data that is an established part of the management system may be considered relevant for analysis. Records are evidence of system performance and should be analyzed for potential improvements.
To be read along with clause 9.1.3 of ISO 9001 Please click hear for clause 9.1.3 of ISO 9001. The organization must establish a procedure and all relevant records as an evidence of implementation of procedure for the identification, collection and analysis of data to demonstrate the suitability and effectiveness of the quality management system. Analysis must be conducted to evaluate
a)conformity of products and services;
b) the degree of customer satisfaction;
c) the performance and effectiveness of the quality management system;
d) if planning has been implemented effectively;
e) the effectiveness of actions taken to address risks and opportunities;
f) the performance of external providers;
g) the need for improvements to the quality management system
The analysis must also include data generated from monitoring and measurement, internal audits, management reviews, and other relevant sources.
9.2 Internal Audit.
There continues to be a need to carry out internal audits and to do it effectively. The goal of an internal audit is not to determine nonconformity; its goal is to check whether your QMS:
a) complies with the requirements of ISO 29001 and the requirements of your organization
b) is effectively implemented and maintained
There is no need for an internal audit procedure but it may be useful to keep it. You do need to define audit criteria. There is more emphasis on how they are done, how feedback should be taken, and audits being corrected in a reasonable time to fix non-conformances identified. Ensuring that all the right people are included in the audit outcome. At the end of the audit, you will get audit results by evaluating the data you collected during the audit. Audit results can be manifested as positive, recommendations for improvements, and nonconformities (major and minor). Verification of actions taken to fix the non-conformity may be needed, and in that case, the next step is a follow-up audit. The audit schedule must take customer feedback into account. The organization can determine the technique of doing internal audits and the length of the intervals between the two audits is up to you. They can decide how the organization conforms to the requirement of QMS and that of ISO 29001. The organization can determine the manner by which it can maintain the system. To conduct the audit the organization must:
- Plan approach to internal audits based on the importance of the processes.
- For each audit, work out the scope of what will be covered. You can’t audit 100% of the process, but you do need to cover enough to be satisfied that the important issues have been captured.
- Make sure the auditors are independent of the process under audit.
- Report all findings to the relevant managers so there aren’t any surprises.
- Ensure that the corrective actions from the audit are dealt with.
- Retain the audit results in a document.
To be read along with clause 9.2 of ISO 9001 Please click hear for clause 9.2 of ISO 9001. While planning for the interval for the internal audit, the organization must consider the risks and opportunities and the the results of performance evaluation of the processes to be audited. The planned internal can be monthly, quarterly, annually, or according to a schedule that differs for areas or processes over the course of a year.
9.3 Management review.
A Management Review is a formal, structured meeting that involves top management and takes place at regular intervals throughout the year. They are a critical and required part of running an ISO 9001 Management System.
The purpose of a Management Review meeting is to review and evaluate the effectiveness of your Management System, helping you to determine its continued suitability and adequacy. At least once a year, the top-level management must review the QMS in order to determine its:
- Appropriateness – does it serve its purpose and satisfy the needs of the organization?
- Adequacy – does the QMS conform to standard requirements?
- Applicability – are activities performed according to procedures?
- Effectiveness – does it accomplish the planned results?
This review must evaluate possibilities for improvement and needs for changing the QMS, Quality Policy, and objectives. Considering the inputs for the management review, such as the results of the previous management reviews, changes in the context, customer satisfaction survey results, performance of the QMS and suppliers, etc., the top management must make decisions regarding opportunities for improvement, need for changes in the QMS, and resources needed for the upcoming period. A Management Review also ensures that all levels of management are made aware of any changes, updates, revisions, etc. to the day-to-day workings of the Management System itself. The organization will need to decide when it will take place, what will be discussed, and who should attend. You must document when the meetings have occurred and what has been discussed. A Management Review should cover the following topics:
- Discussion on the status of any issues from the previous meeting.
- Changes to external and internal issues that affect the Management System.
- Examination of the performance of the Management System.
- Review of available resources and their adequacy.
- Examination of how effective the actions are taken towards identified risks and opportunities were.
- Identification of further opportunities for improvement.
The inputs to the Management review should be:
- Minutes of previous Management Review meeting
- Management System documentation
- Internal and External Audit Reports
- Relevant records (including customer feedback, corrective action log, etc.)
- Register of Legal and other requirements
- Complaints analysis
- Corrective and preventive actions and close-out of Management Information Reports
- Policies review
In order to keep improving your Management System, you need to be looking for trends both inside and outside of the organization. Consider looking for trends in the following areas:
- The requirements of external interested parties
- Compliance to legislation, regulations, and other requirements
- Changes to products, services, and processes
- Customer satisfaction and complaint records
- Non-conformances and the effectiveness of any corrective actions taken in response
The output to the management review includes decisions and actions related to:
- Any opportunities for improvement within the organization
- Any changes to the Management System, processes, or policies that are required
- Any revisions to company objectives or Key Performance Indicators (KPIs)
- Any amendments to business plans or budgets
- Any changes to the resources that are needed for the smooth running of the Management System
These types of changes affect day-to-day operations so it is important to keep staff informed of these changes as this will ensure that your Management System is operating effectively.
To be read along with clause 9.3 of ISO 9001 Please click hear for clause 9.1.1 of ISO 9001.
Your organization should actively seek out and realize improvement opportunities that will better enable it to achieve the intended outcomes of its management system. Potential sources of improvement opportunities include the results of analysis and evaluation of quality performance, compliance, internal audits, and management reviews. The actions for improvement can be in the form of corrective actions, training, reorganization, innovation, and so on. Improvement can be achieved through corrective actions. It can be achieved incrementally over time by a step change. It can be a breakthrough process achieved through innovation or by reorganization and transformation. There is now a requirement for organizations to focus clearly on customer satisfaction and customer needs, not only that but to look for ways to improve:
a) products and services, now and for the future.
b) fixing and controlling issues to reduce things going wrong.
c) improving the QMS.
No requirement for a procedure on preventive action. This term is removed.
To be read along with clause 10.1 of ISO 9001 Please click hear for clause 10.1 of ISO 9001.
10.2 Nonconformity and corrective action.
Any nonconformity needs to be reacted upon by taking actions to control it and deal with the consequences. Once identified, a nonconformity should trigger a corrective action in order to remove the cause of the nonconformity and prevent its recurrence. The effectiveness of actions taken must be evaluated and documented, along with the originally reported information about the nonconformity / corrective action and the results achieved. We must also record the nature of nonconformities. On discovering a nonconformity, an explicit requirement is introduced for organizations to determine whether other similar nonconformities actually exist, or could potentially exist.
When something goes wrong you must:
- react to it by
- do something / take action / fix it;
- deal with the impact it had (e.g. upset customer).
- evaluate what went wrong to prevent it from happening again and check there are no other similar issues that could happen.
The Key now is to update risks and opportunities. Keep records of all non-conformities, what you did to resolve them, implement additional measures, etc.
To be read along with clause 10.2 of ISO 9001 Please click hear for clause 10.2 of ISO 9001. The organization must establish a procedure and all relevant records as an evidence of implementation of procedure for non conformity and corrective action.
10.3 Continual improvement.
Continual improvement is a key aspect of the QMS, to achieve and maintain the Quality Management System’s suitability, adequacy, and effectiveness regarding the organization’s objectives. There is now a clearer expectation for organizations to use data from monitoring and measuring to review the organization’s performance and that of the QMS. Organizations should use this information, analyzing it and ensuring that the QMS is adequate for the organization. The impetus for continual improvement must come from the use of as a minimum:
- Risks and opportunities;
- Analysis and evaluation of data;
- Audit results;
- Management review;
- Non-conformity and corrective action.
Consider using the PDCA cycle (Plan, Do Check, Act) to guide your continuous improvement efforts. Once you’ve identified the improvement action to take, you cycle through the PDCA phases by planning the action (plan), implementing what is planned (do), monitoring the process and reporting results (check), and taking any further actions to improve if necessary (act).
To be read along with clause 10.3 of ISO 9001 Please click hear for clause 10.3 of ISO 9001. The organization must establish a procedure and all relevant records as an evidence of implementation of procedure for Continual improvement. The implementation of improvements shall be subject to management of change as per the procedure give in clause 6.3
If you need assistance or have any doubt and need to ask questions contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish them. Your comment and suggestion are also welcome.