Jack Sehkon and Associates Inc.

ISO 9001 Dissected

ISO 9001 Context/Stakeholders – Clause 4.1/4.2

The intention is to develop a strategic direction or plan for your organization by identifying and understanding its relevant internal and external issues. The internal issues can be determined through tools such as SWOT analysis. The external issues can be scanned using tools such as PESTLE analysis.


SWOT refers to Strengths, Weaknesses, Opportunities, and Threats. Once the internal issues have been determined, these are qualified either as strengths or weaknesses. The strengths lead to opportunities, whereas the weaknesses point to threats. These opportunities and threats are prioritized using a risk assessment criterion. The prioritized SWOT issues become potential strategic issues, which are weighed against ease of implementation/difficulty of implementation criteria. Following this analysis, a 5-year strategic plan is developed, with the most implementable issues handled in the 1st year and the least implementable issues handled during the last year. Once the 5-year strategic plan is developed, strategic objectives and targets are generated.


PESTLE refers to Political, Environmental, Social, Technological, Legal, and Economical. PESTLE is used for external scanning of issues beyond the control of your organization. Once the PESTLE-related issues are determined, they are prioritized using a risk assessment criterion. The prioritized PESTLE issues become potential strategic issues, which are weighed against ease of implementation/difficulty of implementation criteria. Following this analysis, a 5-year strategic plan is developed, with the most implementable issues handled in the 1st year and the least implementable issues handled during the last year. Once the 5-year strategic plan is developed, strategic objectives and targets are generated.

The prioritized strategic plan for the PESTLE and SWOT is reviewed for any overlap and duplication. These finalized strategic objectives and targets are then supported by an operating plan which covers day-to-day operational processes.

Scope – 4.3

The scope of the quality management system refers to its geographical and process boundaries. The process boundaries include the functions at a given site/location. The geographical boundaries include the various sites/locations within the scope of the quality management system. The purpose of defining the scope is to identify the beginning and the end of the management system. The scope helps the QMS designers in terms of process determinations and the amount of work to be done to put the QMS on paper. In addition, it also helps the auditors to develop a focus for auditing. The scope should be factual and not misleading, to minimize the amount of work to be done for developing a quality management system. The scope is documented and reflects the physical location on the registration certificate.

Quality Management System – 4.4

QMS covers the design, implementation, maintenance, and continual improvement including the processes for QMS. The design of a QMS typically includes the following documented information:

It is required to identify the processes for the quality management system and their interaction. A process approach can be used to meet this intent through a flow chart or a process map. The details include process inputs, process outputs, resources, checks & balances with acceptance criteria, and various types of controls. The above identified processes can be risk assessed to determine the focus for the QMS. Once the focus has been determined, the various types of documented information, as depicted in the above pyramid, are developed and approved for consistency, content, conformity, conciseness, and freedom from conflict. Following this, appropriate training and awareness is provided on the designed QMS to all employees and outsourced personnel. The rollout of the designed documented information/QMS is executed amongst all levels and functions of the organization through various questionnaires and hands-on assistance as needed. Then the implementation of the QMS is evaluated through internal auditing. Following the evaluation, a management review is conducted to determine the suitability, adequacy, and effectiveness of the quality management system by following predefined inputs. At this stage, the QMS has been successfully implemented and is ready for external certification by a certification registrar, which conducts the Stage 1 (documentation and readiness audit) and Stage 2 (implementation and effectiveness audit). Any required follow-ups are taken by the auditee. The external registrar, on completion of follow-ups, issues a registration certificate for the QMS.

The QMS is then maintained for its integrity considering any future changes that could be triggered by customer, ISO standard, stakeholders, and applicable statutory and regulatory bodies. 

Leadership – Clause 5.1

It is required to have the commitment from the top management with respect to the quality management system. The requirements pertain to the following:

  • Take ultimate accountability for the effectiveness of the quality management system. 
  • Ensure the drivers of QMS i.e., quality policy/quality objectives are aligned with the bigger picture of the organization i.e., strategic plan/strategic direction. 
  • Understand the concepts of process approach and risk-based thinking and promote them within the organization.
  • Make sure that the requirements of QMS as defined in the ISO 9001:2015 standard are understood and designed into the organization’s functional processes as appropriate.
  • Understand and ensure the intended outcomes of the quality management system i.e., quality objectives and key performance indicators are achieved.
  • Grasp the value of contribution of the quality management system to the organization and emphasize that importance throughout the organization. 
  • Promote the benefits of appropriate culture within the organization for the effectiveness of the quality management system. 
  • Envision the drivers for continuous improvement and put the framework in place for the path forward.

ISO 9001 Quality Policy – Clause 5.2

The quality policy is the brainchild of the top management. It is like a lighthouse for an organization which sets the directions. Although the policy is a qualitative document, its importance should not be underestimated. A quality policy spells out the high-level expectations from the top management and should not act as a lecture for the employees. It lays out what is to be expected from the organization in the years to come.

The ISO 9001:2015 standard requires 3 commitments to be addressed in the quality policy. These commitments include the following:

  • Meet/exceed customer requirements.
  • Comply with applicable statutory and regulatory requirements.
  • Continually improve the management system i.e., the organization’s performance by using the management system as leverage.

These commitments can be expressed in any manner within the policy. In addition, the policy provides a framework for setting up objectives i.e., the qualitative statements within the policy provide a flavour of quality objectives. 

The quality policy must be made available and understood by the employees of the organization. Every employee within the organization must understand the intent of the policy and how he/she contributes to the purpose of the organization. 

The quality policy must be documented. 

ISO 9001 Roles And Responsibilities – Clause 5.3

It is required that the top management assigns the responsibilities and authorities within the organization. This can be achieved through an organization chart. Other ways to satisfy this process are through job descriptions or the assigned roles within a given policy/procedure. The roles and responsibilities must include how employees contribute to the quality management system from the perspective of their job.

The requirements also cover assigning personnel from top management for overseeing the design, implementation, and maintenance of the quality management system in accordance with ISO 9001. In addition, the reporting of the performance of the QMS (intended outcomes, KPIs, and other related data) is required by the assigned top management personnel to the top management. 

ISO 9001 Risks And Opportunities – Clause 6.1

It is required to identify the risks and opportunities through the determination of internal and external issues, as well as the stakeholders i.e., an organizational risk register. This organizational risk register must cover the boundaries defined within the scope of the quality management system. Then, the standard requires these organizational risks and opportunities to be addressed by designing them into the quality management system. Practically, the designing at the quality management system level can be done by connecting with functional level risks, as well as processes. This means marrying the organizational risk register with the functional risk register and then addressing these risks and opportunities through the functional processes such as policies, procedures, and tools. Organizations can achieve this by using simple tools such as an Excel spreadsheet. A sample of such a tool is provided below:

Quality Objectives – 6.2

While quality policy is a qualitative tool as a driver, the quality objectives are a quantitative tool that is measurable and tangible for the most part. The quality objectives are the business drivers that will impact your company’s bigger picture i.e., overall organizational performance. Quality objectives should be aligned with the strategic objectives. These objectives can be established at different functions and levels and cover the following areas:

  • Product conformance.
  • Process conformance.
  • Customer satisfaction.
  • Compliance with applicable statutory and regulatory requirements.
  • Financial performance.
  • Employee-oriented objectives.

In addition, the requirements cover means/programs for achieving objectives. This could include designing an overall program for achieving objectives, dividing the program into sequential steps, assigning responsibilities and timelines for each program step, and tracking the progress of each step. 

Change Management – 6.3

It is required to identify the changes related to the quality management system. The organization must define the nature of the changes to be addressed. Such a nature could include changes related to processes, design, customer requirements, regulatory and statutory requirements, product specifications, and other applicable criteria such as codes, standards, etc. The change is proposed with adequate description and its acceptable criteria. Once the change has been proposed, its impact or consequences upon the other relevant processes must be assessed using a risk-assessment methodology. After risk-assessments, the proposed change is implemented as per original intent. The relevant personnel are made aware of the impact of the change upon other processes. The change management records are retained. 

Resources – 7.1.1/7.1.2

The resource requirements are determined with respect to the design, implementation, maintenance, and continual improvement of the quality management system. The resources stated here include people, infrastructure, and any other support systems. The personnel required to support the overall system are determined based upon their skill sets to fulfill and satisfy the requirements of the organization and QMS processes. The capabilities and restraints of the determined personnel are considered to identify the resources to be outsourced.

Infrastructure – 7.1.3

The infrastructure consists of buildings, equipment, hardware, software, and any transportation needs. The process requires the determination, provision, and maintenance of the infrastructure required for the quality management system. The determination of the infrastructure can be achieved through capital budgets that assist you to justify new or modified infrastructure. The provision of the infrastructure covers the installation of the infrastructure justified previously. The last component of the infrastructure i.e., the maintenance, can be achieved through preventive maintenance and predictive maintenance programs. The preventive maintenance program covers a predetermined schedule based upon the risk-assessment of the equipment i.e., critical or non-critical. The predictive maintenance program includes scheduling the maintenance program based upon the condition of the equipment.

Environment – 7.1.4

It is required to cover the environment/work environment needed for the QMS and its processes. This could include physical conditions such as temperature, light, humidity, etc. The other requirements include social and psychological factors related to personnel. These factors could lead to employee burnout, bullying, and embarrassment, which could impact the ability of an organization to meet customer requirements and comply with applicable statutory and regulatory requirements. The social and psychological factors are not directly covered within the QMS; however, every organization has a health & safety management system which addresses these issues. In addition, every Province has an Employment Standards Act that requires every employer to address basic employee protection measures covering bullying, harassment, burnouts, etc.

Monitoring & Measuring Resources – 7.1.5

It is required to identify the monitoring and measuring activities that are taken during the implementation of QMS and its processes. Generally, the required monitoring and measuring activities are addressed in the functional process maps with a relevant acceptance criterion. Once the monitoring and measuring activities have been determined, then monitoring and measuring resources (devices/equipment) are determined. The identified monitoring and measuring resources (devices/equipment) must be suitable for the type of monitoring and measurement required and must be maintained to ensure their fitness for purpose. 

The monitoring and measuring consist of calibration and/or verification. The calibration is defined as a verification over the entire range of a monitoring and measuring device, whereas the verification is defined as a single-point verification. When traceability is required either by the customer or by a statutory or regulatory requirement, the following protocols are required:

  • Calibrate or verify the monitoring and measuring equipment against a national or international standard. 
  • Identify the status of the calibrated or verified monitoring and measuring equipment.
  • Protect the monitoring and measuring equipment against any tinkering with its status. 
  • When the monitoring and measuring equipment is found to be unfit for its intended use, appropriate actions shall be taken to correct the equipment, as well as the impacted product.

Organizational Knowledge – 7.1.6

It is required to determine the knowledge related to the operation of processes and its execution, integrity preservation, and sustainability within the organization. This knowledge must be made available to the extent necessary through IT controls such as read-only access, read-review access, and read-review-approved access. 

To address the changing needs and the trends within your business/industry sector, the organization will take advantage of its existing knowledge, as well as determine a strategy for acquiring or accessing rational knowledge/required updates to meet/exceed the customer needs/expectations, stakeholder’s perceptions, and applicable statutory/regulatory requirements effectively and efficiently. 

The organizational knowledge is generally gained through experience and employed/shared to achieve the organizational goals/objectives/targets/KPIs. 

The internal sources of knowledge could include intellectual property (proprietary information/copyrights), lessons learned from past projects both good and bad, internal specifications, operating procedures, strategic documents, implied knowledge based upon experience, product improvements, process improvements, and service improvements. 

The external sources of knowledge could include external standards, codes of practices, conferences, academia, customer knowledge, and stakeholder protocols. 

Competence – 7.2

Competence is defined as the ability to apply knowledge and experience, and can consist of education, training, or experience. Organizations are required to determine the competence for various roles and responsibilities through a job description. The job description may cover education, technical skills (job-related unique skills), human skills (culture, harmonious, positive skills), and soft skills (Microsoft applications, software, etc.). The actual competence of the new employee is compared against the job description to identify the gaps required to be fulfilled. The identified gaps are addressed through actions that could include job shadowing, mentoring, outsourcing, on-the-job training, orientation training, regulatory & statutory requirements training, and any other training such as OHS and environmental related. The training content and the method of delivery must be defined to achieve intended outcomes. Once the training has been delivered, its effectiveness must be evaluated. The evaluation can be done either through a quiz or a job observation, which is more effective. Subsequently, the records of training are retained.

Awareness – 7.3

It is required to ensure awareness among the people working under the control of an organization i.e., employees. The awareness package can cover the following:

  • Quality Policy
  • Quality Objectives
  • Process Identification (process list)
  • Risk Assessment (risk register)
  • QMS scope
  • Strategic Plan
  • System Procedures
  • Operating Procedures
  • Operating Work Instructions
  • QMS tools (templates, forms, checklists, and databases)
  • Statutory & Regulatory Requirements
  • Standards & Codes
  • Specifications

Communications – 7.4

It is required to keep active communications relevant to the quality management system within your organization and externally. The purpose is to keep everyone engaged in the mindset of quality by sharing ongoing progress contributed by the quality management system. This can be done by sharing the information regarding the status of current projects, new upcoming projects, new strategic issues, compliance with permits and licences, stakeholder’s perception, internal resource challenges, technological advances, organizational technical capability, equipment successes/challenges, resource constraints, and use of outsourced personnel. 

The process to conduct the internal and external communications regarding quality management system could consist of the following:

  • The content of communication.
  • The timing of communication.
  • The audience for communication.
  • The methodology for communication.
  • The communicator.

Documented Information – 7.5

This describes the requirements for documented information by the standard and the organization. The requirements by the standard are depicted within a given sub-process of the ISO 9001:2015 standard. However, the requirements to be determined by the organization are based upon the risk-assessment conducted by the organization. 

The extent of documented information required depends upon the size of the organization and the nature of its products and services, as well as the complexity of the processes including competence of personnel. The nature of the documented information could include the following:

  • Quality Policy
  • Quality Objectives
  • Process Identification (process list)
  • Risk Assessment (risk register)
  • QMS scope
  • Strategic Plan
  • System Procedures
  • Operating Procedures
  • Operating Work Instructions
  • QMS tools (templates, forms, checklists, and databases)
  • Statutory & Regulatory Requirements
  • Standards & Codes
  • Specifications

The identified documented information must be developed and approved for consistency in accordance with an acceptable criterion. The criteria could include conformity, freedom from conflict, clarity, consistency, content, and conciseness. In addition, a criterion for review of developed documented information must be created so that the documented information remains relevant and effective. The criteria for the review could be based upon the risk levels of the documented information.

The identified documented information must be controlled. The nature of control includes the following:

  • Availability at point of work
  • Suitability and appropriateness
  • Distribution
  • Access
  • Retrieval
  • Storage and preservation
  • Control of changes (version control)
  • Retention and disposition

In addition, documents of external origin (statutory & regulatory, OEM, operation & maintenance manuals) must be controlled to avoid inadvertent use. 

Operational Planning And Control – 8.1

It is required to conduct operational planning to implement and control the processes to meet the requirements for provision of products and services. The plan could consist of the following:

  • Determination of requirements for products and services.
  • Criteria for processes and the subsequent acceptance criteria
  • The resources needed for conformity with product and service requirements.
  • Executing the processes in accordance with the criteria.
  • Determine, maintain, and retain necessary documented information.

The planning can be presented in any form. One of the examples of this form could be a quality plan. A quality plan is a subset of quality management system depicting the requirements of QMS using a process approach in a sequential manner such as customer requirements determination, design & development, supply chain activities, production & service provision, product/service delivery, non-conforming product and services, monitoring and measurement, management review, and continual improvement. 

Product/Service Requirements – 8.2

It covers the customer requirements, their review, and the customer communication.

Determining the customer requirements could involve the following:

  • Request for quotation/proposal and a decision to proceed or not to proceed.
  • Proposal development includes identification of customer product/service requirements, statutory & regulatory requirements, product/service specifications, scope of work, design/development of product/service, project estimation, project schedule, project roles & responsibilities, and your organization’s capability to deliver products and services.
  • Confirmation of a contract.
  • Review of the contract.
  • Any contract amendments.

The organization shall retain documented information on the results of the review.

Design & Development – 8.3

This covers overall requirements pertaining to design & development of products and services. 

Design/Development Planning:

The very first step pertains to design & development planning. The planning should consist of the following:

  • The nature, design, and duration of the design/development activities.
  • The number of stages during design/development activities such as conceptual, detailed design, discipline oriented, or progress stages.
  • The nature of controls during design/development activities such as reviews, verification, and validation.
  • Roles, responsibilities, and authorities during design/development process. 
  • Internal and external resources required.
  • Interfaces required.
  • Role of customers.
  • Role of users.
  • Requirements for final products/services.
  • Level of control by customers and stakeholders.
  • Nature of documented information to be retained.

Design/Development Inputs:

The nature of inputs for any specific design/development project could include the following:

Functional requirements:

  • Business requirements describe the high-level business needs, such as carving a market share, reducing customer churn, or improving the customers’ lifetime value.
  • User requirements cover the different goals your users can achieve using the product and are commonly documented in the form of user stories, use cases, and scenarios.
  • Product requirements describe how the system needs to operate to meet the business and user requirements. They include functional requirements and non-functional requirements.

Performance requirements:

Performance Requirements Table

In addition, the inputs could include statutory & regulatory requirements, information from similar previous designs, applicable codes of practice, and potential consequences for failure. The inputs are retained as documented information.

Design/Development Controls:

The controls could include reviews, verification, and validation. 

The ‘reviews’ could include evaluation of outputs against inputs for a given stage of the design/development i.e., conceptual, detailed design, specific discipline such as architecture, mechanical, electrical, structural, instrumentation, and chemical. The design stages could include conceptual, detailed design, and individual engineering discipline progress levels. The review could also be conducted on single-engineering discipline drawings such as mechanical, electrical, etc. 

The ‘verification’ refers to evaluation of overall outputs against inputs for a design/development project. This can be achieved through consolidated design reviews, alternate hand calculations to evaluate software-driven calculations, and squad (multi-discipline) checks. The verification could include multi-discipline checks in terms of their outputs including their interfaces, and alternate calculations for the original calculations (hand calculations vs. computer/software calculations).

The ‘validation’ refers to the product being able to perform as designed i.e., fit for the purpose. The validation can be achieved in several ways such as customer approval, performance test or approval by a relevant statutory and regulatory requirement.

Design/Development Outputs:

The requirements for design/development outputs could include:

  • Must meet input requirements.
  • Must be adequate to enable the normal functioning of the product/service. 
  • Must include checks and balances with the acceptance criteria.
  • Must cover operating and maintenance instructions for the product/service designed.

Design/development outputs must be documented. 

Design/development outputs could include design/development discipline drawings, layout drawings, process & instrumentation drawings, mechanical flow diagrams, electrical schematics, software driven calculations, engineering specifications, operating manuals, and maintenance manuals.

Design/Development Changes:

Design/development changes are managed so that there are no adverse impacts on the conformity to requirements. Ideally, the design/development change process should include the following:

  • Identification of the changes.
  • Risk assessment for the impact of the changes on relevant process. 
  • Change development.
  • Change execution.
  • Documented information to be maintained and retained. 


It covers the requirements for externally provided products, processes, and services in various scenarios to conform to the requirements of quality management system. This overall process can be broken down into the following processes:

  • Supplier evaluation, selection, monitoring, and re-evaluation.
  • Type and extent of control over outsourced products/processes/services.
  • Information for external providers. 

Supplier evaluation, selection, monitoring, and re-evaluation

This requires the overall process for pre-qualifying, surveillance, and maintenance of suppliers. The supplier evaluation can be conducted by developing a pre-defined questionnaire consisting of management structure, equipment, technical skills, management system status, financial capability, and OHS record. A criterion is established to determine the supplier’s ability to be qualified or not. The suppliers are selected based upon that criterion.

Once pre-qualified, suppliers are subjected to ongoing review based upon predetermined criteria such as performance, price, delivery, and quality based upon the risk levels. 

The re-evaluation could be based upon any factors shown below:

  • Past performance.
  • Documentation provided.
  • On-site audit.
  • All the above.

The results of evaluation, selection, and re-evaluation are retained. 

The monitoring of pre-qualified suppliers could include the following:

  • Quality issues
  • On-time delivery
  • Price

The nature of monitoring could be decided by the following criteria:

  • Potential impact of the product/service provided by them on products/services.
  • Nature of the controls applied to the supplier and the product.
  • Effectiveness of the controls applied to them.
  • Nature of verification activities applied to the supplier.

Production & Service Provision – 8.5

This covers production/manufacturing for products and/or services delivery. Production/service provision is required to be carried out under controlled conditions. This process is responsible for the survival of every organisation. Every auditor spends 60-70% of their interview time on this process alone. The controlled conditions are summed up as below:

  • To execute product/service provision, documented information (reference process 7.5 of ISO 9001) such as work instructions, and the intended outcomes, are required to be known and understood.
  • Monitoring and measuring resources (reference process 7.1.5 of ISO 9001) such as monitoring/measuring devices, as well as the competence to operate them, are needed.
  • The identified monitoring and measuring activities are implemented at different stages of the product/service provision to verify control over processes or their outputs accompanied by the acceptance criteria.
  • Determined infrastructure (reference process 7.1.3 of ISO 9001) and environment (reference process 7.1.4 of ISO 9001) are employed for the operation of processes. 
  • Validation and periodic re-validation of the capability of processes to deliver intended outcomes during the resulting output will be verified through monitoring and measurement. 
  • Implementation of a role model behaviour complemented by documented vision and values to eliminate human error.
  • Carrying out the product/service release through a designated person and in accordance with planning that will include customer approval and/or applicable statutory/regulatory authority.
  • Managing the delivery of products/services in accordance with customer requirements and applicable statutory & regulatory requirements.
  • Ensuring post-delivery activities such as warranty, maintenance services, and any other contractual obligations, are identified, planned, and executed when necessary. The post-delivery activities can be based upon applicable statutory & regulatory requirements, adverse lessons learned during the past, nature/use/intended outcome of products and services, and customer requirements.
  • Ensuring that the property belonging to the customer and/or to external providers is protected during production and service provision and reported if damaged or lost. 
  • Carrying out the identification and traceability of the process outputs, which is required to demonstrate the conformity of the product/service. The requirements for identification and traceability may be imposed either by the customer or by applicable statutory & regulatory requirements. In addition, this requirement demonstrates the status of the product/service at any given stage during production and service provision.
  • Management of change is implemented to manage change and its impact upon other processes by conducting a risk-assessment on the proposed change. 

Product/Service Release – 8.6

This process covers how to release the products/services with due diligence to maintain the integrity of the products/services. The release follows only after all the requirements with respect to products/services have been verified against their acceptance criteria. Practically, this could be achieved by ensuring a completed and signed inspection test plan. The person releasing the products/services is held accountable for the due diligence.

The products/services release happens after verifying a signed-off ‘inspection test plan’. In some situations, customer approval may be required prior to release and in other situations, an approval of applicable statutory & regulatory authority is required. 

Non-Conforming Outputs – 8.7

This process applies when the process outputs do not conform to their requirements. Those non-conforming situations are identified, and the product/service is controlled to prevent its unintended use or delivery. This process is applicable not only to the product non-conformities, but also to the outputs from all processes belonging to various processes. Once the non-conforming outputs are identified, the immediate actions/corrections are applied, subjected to original monitoring & measuring criteria, and then released. Various options for addressing the non-conforming outputs include correction, segregation/containment/return of products/services, informing the customer, and obtaining authorization for any concessions.

Documented information required to be retained for non-conforming outputs includes non-conformity description, actions taken, concessions obtained, and the authority of the person deciding the actions for non-conformity. 

Performance Evaluation – 9.1

This process covers requirements for monitoring, measurement, analysis, and evaluation of data with respect to quality management system performance and its effectiveness. The requirements include:

  • What to monitor and measure.
  • The method for monitoring, measuring, analysing, and evaluating.
  • When to conduct monitoring and measuring.
  • When to analyse and evaluate the results from monitoring and measurement.

The above data can be represented through key performance indicators (KPIs). 

The following topics are required to be evaluated through analysis:

  • Product and services conformity (nature of defects, number of defects, category of defects, throughput, percent yield, and scrap)
  • Degree of customer satisfaction (customer satisfaction index, customer complaints)
  • Performance and effectiveness of QMS (quality objectives and various functional KPIs, compliance with applicable statutory & regulatory requirements, market share, business diversification, merger-mania, and acquisitions)
  • Effectiveness of implementation of planning (planned VS completed statistics, impact of team approach, production backlogs)
  • Effectiveness of addressing risks and opportunities (identification of all applicable risks, coverage of every functional area, appropriateness of risk assessment methodology, consistency in executing risk assessment methodology, benchmarking assessed risks against identified issues)
  • Performance/effectiveness of external providers (on-time delivery, price, quality, responsiveness to issues, technical capability)
  • Improvements to quality management system (product oriented, process oriented, system oriented)

Specifically, the requirements are to determine the perception of the customer as to how well their needs and expectations have been fulfilled. This could be achieved through customer surveys, customer complaints, market share analysis, warranty claims, etc.

Internal Audits – 9.2

This process deals with the purpose, structure, implementation, and reporting of internal audits for quality management systems. Internal audits are conducted to determine if an organization is “walking the talk”, i.e., if its current quality management practices are in sync with its own QMS policies, procedures, and relevant tools. In addition, internal audits are conducted to determine whether your organization’s QMS conforms to ISO 9001:2015 standard requirements. Furthermore, the internal audits gauge if your organization’s QMS is helping to improve your organization’s performance by using the management system as leverage. Finally, internal audits ensure that the quality management system stays aligned with the strategic plan of your organization.

It is required that an internal audit program be planned, rolled out, and maintained with consideration to the following:

  • Audit frequency.
  • Audit methodology.
  • Audit responsibilities.
  • Audit planning requirements.
  • Audit reporting.
  • Risk assessment.
  • Changes within the organisation.
  • The results of the previous audit. 

With respect to each audit, the following is required:

  • Define audit objectives (conformity, compliance, and opportunity for improvement), scope (geographical and process boundaries), and criteria (policies, procedures, ISO standard, statutory & regulatory requirements, customer specifications, and supplier contractual obligations). 
  • Select auditors to ensure impartiality.
  • Conduct audits objectively. The audits are conducted through interviews, review of documents/records, and observations of work environment. When the information from these sources becomes verifiable, it is termed as ‘evidence’. This evidence is evaluated against the audit criteria to draw findings of conformity and nonconformity. The findings of non-conformity may be graded. 
  • Report audit results to relevant management.
  • Take appropriate correction and corrective actions without undue delay.
  • Retain documented information related to audit program implementation and audit results. 

Management Review – 9.3

This process relates to determining the level of performance and effectiveness of quality management systems. Specifically, this determination relates to whether your QMS is suitable (appropriate for the nature of your business), adequate (if it covers all functional areas/processes), and effective (in meeting intended outcomes). In addition, this process ensures that your management system is aligned with the strategic direction of your organisation, i.e., whether the strategic direction is driving/guiding/coaching your quality management system.

To conduct a management review with discipline and pre-defined structure, the following inputs are mandatory to be understood, addressed, and documented as evidence:

  • Changes in internal and external issues relevant to QMS (review SWOT and PESTLE analysis).
  • Information on the performance and effectiveness of QMS including the following:
      • Customer satisfaction and stakeholder’s feedback (customer satisfaction index).
      • The extent to which quality objectives are met (lagging, too easily achievable, and no planning).
      • Process and product performance (throughput, cycle time, process yield, total revenues, and profit margins).
      • Nonconformity and corrective actions (number of nonconformities, nature of non-conformities, nature of root causes, and successful corrective actions).
      • Monitoring and measuring results (monitoring and measuring matrix based upon quality plan i.e., sales, design, supply chain, production, service delivery, shipping, warranty, and commissioning & installation).
      • Audit results (internal audits, external audits, supplier audits, customer audits, compliance audits, project audits, and quality plan audits).
  • Adequacy of resources (overtime, production backlog, and sickness time).
  • Effectiveness of addressing risks and opportunities (nature of risks, functional departments, risk assessment methodology, consistency in risk assessment, and validation of calculated risks against actual issues/incidents).
  • Opportunities for improvement (process improvements, product improvements, product diversification, and enhanced supplier relationships). 

This process requires specific, well-defined decisions and actions related to the above inputs to be addressed, with assigned responsibility and timelines. The actions and decisions may lead to opportunities for improvement, changes to QMS, and resource allocation and re-allocation. Finally, this process requires retained documented information that demonstrates the evidence of effective management review.

Improvement – 10.1

This process covers overall continual improvement of the quality management system to enhance meeting customer requirements/customer satisfaction, hence, driving your business performance up. The overall approach to continuous improvement could include the following:

  • Improving product/services to meet present needs, as well as to address future needs and expectations taking into consideration your product/service nature, market projections, survivability of your product/services, involving stakeholder’s needs & expectations, ever changing technological advances, and predicting/planning/executing sustainability issues.
  • Correcting, preventing, or reducing undesired effects through the use of process approach, risk-based thinking, data analysis and evaluation, and validation of assessed risk and opportunities against actual issues/concerns.
  • Improving the performance and effectiveness of your QMS through quality policy, quality objectives (business drivers), organizational context, addressing risks & opportunities, management of change, competence and awareness, value-adding documented information, quality planning, customer needs and expectations, robust design & development, mutually beneficial supplier relationships, effective and efficient product/service provision, due diligence product/service delivery, all-inclusive non-conforming outputs considerations, practical/appropriate/value-adding data prediction/collection/analysis/evaluation, meaningful/effective internal audits, suitable/adequate/effective management reviews, simpler but effective root cause analysis, process-based corrective actions, appropriate driver-based continuous improvement, and above all, alignment with strategic direction/plan.

The improvement can include any major initiatives such as breakthrough change, innovation, and reorganization. However, the continual improvement includes corrections and corrective actions based upon process related root causes. 

ISO 9001 NCR/CA – 10.2

Upon identification of a non-conformity, this process requires the non-conformity to be controlled by applying a correction (immediate fix) and the conformity of the corrected product/service to be validated against the original criteria. The correction only fixes the symptoms and allows the non-conforming product, after correction, to be delivered to the customer.

At this point, the organization determines if it is necessary to investigate the non-conformity, subject to criteria such as dollars spent on correction, complexity of the product, and the risk levels of the process which led to the non-conformity. If it is decided to investigate, a root cause methodology is determined based upon the nature of the non-conformity. This methodology is then executed to determine the root causes that triggered the non-conformity in the first place. Care is taken not to stop halfway when looking for root causes; otherwise, the real root cause will not surface.

Based upon the identified root causes, corrective actions are developed, and a risk assessment is done to determine the impact of the proposed corrective action on any of the related processes. The proposed corrective action is implemented and documented with fiscal sanity in mind. The implemented corrective action is monitored for any repeat symptoms for a reasonable length of time. If corrective action is successful, then the corresponding risk register is revised and updated to reflect the implemented corrective action. Consequently, any changes resulting from the risk assessment are made to the processes of the QMS. 

This process requires retention of documented information to demonstrate the nature of non-conformities, correction, corrective action, and its effectiveness. 

NOTE: Two tools for root cause analysis, namely 5 Whys (below) and 6 M’s (above), are provided. However, a greater number of tools exist and are available depending upon the nature of the problem or non-conformance.

[Figure: NCR corrective action]

Continual Improvement – 10.3

Once all is said and done, in terms of management system design, implementation, and maintenance, the time has come to take your business to the next level i.e., performance enhancement, increased market share, higher profit margins, larger customer base, fewer product defects, happier customers, comfortable stakeholders, increased productivity, process improvements, enhanced supplier relationships, and a revised strategic plan in sync with the business reality and customer needs/expectations.

[Figure: continual improvement of quality management system]

The next level is continual improvement i.e., incremental & progressive improvement. This process achieves continual improvement by improving suitability, adequacy, and effectiveness of the quality management system. The vehicle to achieve continual improvement is the use of:

  • Results of analysis and evaluation.
  • Outputs from management review.

As you can see from above, the trick to continual improvement is data management:

  • Envision the result or the metric (KPI) to be tracked.
  • Determine data analysis methodology i.e., subjective or statistically based.
  • Determine appropriate data and information.
  • Determine proper sample size for data/information.
  • Collect that data and information.
  • Trend and analyse the data (peaks and valleys).
  • Evaluate the peaks and valleys for better performance i.e., lessons learned.
  • Incorporate lessons learned into the QMS for process, product, and system improvement.
  • Monitor and measure the status of improvement.
  • Sustain that status.