·
41 minute read
Reference Manual for SQMC Students
Version 2 (2020) Revision A (2025).
TIP! If viewing this manual from inside your Digital Workbook, we suggest you open the full version in its own tab which makes browsing, searching and bookmarking easier.
Thank you for joining the ISO 9001 Internal Auditor course at the Scottish Quality Management Centre.
This intensive two-day programme is designed to equip delegates with the knowledge and practical skills required to plan, conduct, report on, and follow up internal audits of a Quality Management System in accordance with ISO 9001:2015 and recognised auditing best practice.
This course is developed and delivered by the Scottish Quality Management Centre (SQMC), a long-established, internationally accredited training provider; and its content is aligned with the professional expectations of the Chartered Quality Institute for internal auditing competence and good practice.
This Technical Reference Manual draws upon the internationally recognised guidance for auditing management systems set out in ISO 19011:2018, together with the collective contribution of some of SQMC’s most experienced tutors and associates, past and present.
The content is made freely available to SQMC-trained Internal Auditors and Quality Professionals as a long-term technical reference, supporting effective internal auditing practice throughout their careers.
Acknowledgement of Contributors
SQMC gratefully acknowledges the contribution of the associates listed below (in chronological order of their association with SQMC) — including those who have served as directors of the organisation — whose professional expertise, insight, and written contributions have informed, reviewed, and shaped the content of this Technical Reference Manual.
 |
Ian W. Hannah SrMASQ; FCQIFounder of the Scottish Quality Management Centre. |
 |
Derek Millar I.Eng, MASQ, FCQI |
 |
Ron Rivans BSc, C.Eng, MIM, MCQITechnical Director from 2013 - 2022. |
 |
Karen MacKenzie CQP, MCQI, MASQ, FCIPDDirector of Certification & Course Design. |
 |
James Hughes MRICS |
 |
Robert Bell BSc - Quality Management, HND - Quality Mgt., MCQI |
 |
Andrew Gillies MBA, CMIOSH, MCQI CQP |
 |
Alex Kirk MBA, CMIOSH |
 |
Anne Barber MCQI CQP |
|
|
Cath MacNeil BSc, MSc, IOSH, MCQI |
Introduction & Learning Objectives
This Technical Reference Manual accompanies the ISO 9001 Internal Auditor course delivered by the Scottish Quality Management Centre. The course is designed to provide participants with the knowledge, understanding, and practical skills required to audit effectively using ISO 9001:2015 as audit criteria, in accordance with recognised auditing best practice.
Knowledge
By the end of the course, participants should be able to explain:
- the purpose and structure of a Quality Management System;
- the role and application of Quality Management System standards, with particular reference to ISO 9001:2015;
- the principles and purpose of management system auditing;
- the role of internal audits within an organisation’s management system;
- the business benefits that arise from effective implementation, monitoring, and continual improvement of a Quality Management System.
Participants should also be able to explain the role and responsibilities of an internal auditor, including the need to plan, conduct, report on, and follow up internal audits in accordance with the guidance provided in ISO 19011:2018.
Skills
In addition to understanding the theory, participants will develop the skills and confidence required to:
- plan and prepare an internal audit of part of a Quality Management System;
- conduct an audit using ISO 9001:2015 as audit criteria;
- gather and evaluate objective evidence;
- report audit findings clearly and accurately;
- follow up audit results in order to support corrective action and continual improvement.
These skills will be practised and assessed through written exercises, group activities, and simulated audit situations.
The Format of the Course
The ISO 9001 Internal Auditor course is tutor-led and highly interactive, using a variety of learning methods, including discussion, practical exercises, and real-world examples. PowerPoint slides are used sparingly, with emphasis placed on discussion, critical thinking, and practical application.
Participants will work directly with the ISO 9001:2015 and ISO 19011:2018 standards throughout the course. A brief recap of foundational concepts is provided at the outset, before building progressively on this knowledge to develop effective internal auditing competence.
Assessment and Certification
Assessment is continuous and based on participants’ performance in written exercises, practical audit activities, and overall engagement with the course. Those who achieve the required standard will be awarded a Certificate of Achievement by the Scottish Quality Management Centre.
Supporting Documents and Training Materials
Course materials are designed to support both learning during the course and future reference. This Manual contains material that extends beyond what can be covered in the classroom and is intended to serve as a long-term reference tool for SQMC-trained Internal Auditors and Quality Professionals.
Quality Through the Ages
Authored and compiled by Kenny Hannah, SQMC Managing Director.
Introduction
“Quality Management, Quality Assurance, Quality Control!”
It’s so common to hear these three terms, so much so they’ve become part of our everyday, non-work-related vernacular. But all of us, who become professionally involved in Quality, should understand the differences. Let’s begin by taking a look at the official and internationally agreed definitions for each:
Quality Management
"Management with regard to quality [which can include establishing quality policies and quality objectives, and processes to achieve these quality objectives through quality planning, quality assurance, quality control, and quality improvement.]”
Quality Assurance
A phrase that used to be all-encompassing (as well read, shortly), but has evolved to specifically refer to the “part of quality management focused on providing confidence that quality requirements will be fulfilled.”
Quality Control
"Part of quality management focused on fulfilling quality requirements.” This is typically carried out through inspection of an end product (or service) to check it has no faults and fits the bill.
We describe these as the ‘official’ definitions, because the text in italics are excerpts from a formal document called ISO 9000 (the latest issue, published in 2015). This is one a family of International Standards, thoughtfully and painstakingly formulated by an international committee of Quality Professionals to provide us with one, common benchmark for all things Quality-related. Essentially, these Standards are to you and me at work, what the conductor is to an orchestra. When all eyes are on the conductor, the musicians play together in synchrony, regardless of how many there are, what their native language is, or whether they even like the piece of music they’re playing! The audience pay their money to hear harmony, and the concert hall stake their reputation on it! And so it is in the world of business and service providers.
The strictest man in Babylon
In a vague sense, the first ‘International Standard’ for Quality that we know of dates back to around 1754 B.C. It was part of a code of law the sixth Babylonian king, Hammurabi, enacted; and a well-preserved copy of it is on display at the Louvre, Paris.
The code, while morally primitive compared to our modern concepts of equality and human rights, nevertheless championed certain business ethics we can well relate to, such as establishing a minimum wage and encouraging bosses to ensure sound health and safety conditions for workers.
Within the code, the king decreed strict Quality Control measures for a diverse range of activities which included building control, and the manufacture of weapons of war.
While it has rudimentary roots in ancient times, Quality as we understand it today began to take shape in medieval times, thanks to master craftsmen who sought to assure customers of the quality of their products through marks, stamps and symbols. They grouped together with likeminded peers and formed guilds (we might call them ‘unions’, nowadays), agreeing rules of best practice and product integrity. By the end of the 13th Century, they had formed independent committees which would inspect the goods, and the goods that met the requirements were given another mark or stamp of approval. This was the hallmark of Quality Assurance that would prevail until the Industrial Revolution was in full swing.
The Industrial Revolution
The Industrial Revolution brought about more specialisation in labour as well as mechanisation. Manufacturers tried to maintain the same level of craftsmanship from the past, whilst making room for speed and quantity.
Quality Assurance practices began to evolve into established and specialised duties performed by a trained workforce which took responsibility for the quality of the products being produced. Industrial progression introduced the concept of mass production, so the need to monitor the quality of products produced by numerous workers made the roles of quality inspectors an integral part of a company's structure.
Thanks to such an important moment in manufacturing history, the modern ideology of Quality Assurance was born. Innovators like Frederick Winslow Taylor, an American mechanical engineer and one of the first management consultants, revolutionised the way manufacturing was processed.
No longer focused purely on speed and productivity, the quality of the end product was now a major factor too. New and improved manufacturing methods saw the need for employers to train employees rather than developing their skills by trial and error. Taylor also believed in enforcing the use and upkeep of stringent documentation and scientific procedures as well as creating a culture where both workers and managers produced products of the highest level.
This way of running a manufacturing business was scientific management in its infancy. In essence, Taylor believed that to achieve efficiency and productivity, you had to match the right worker to the right task, based on capability and motivation, and train them to work at maximum efficiency.
Quality Control, or statistical process control, came about during this time too, using statistical methods to help ensure quality, and has been evolving ever since.
During World War I, product manufacturing achieved a higher level of difficulty, as mass production flourished, it brought along several side effects and it seemed that there was no balance between speed and quality. Taylor's philosophy focused on the belief that making people work as hard as they could was not as efficient as optimising the way their work was carried out.
Though workers earned more and productivity increased, the overall quality of the products suffered, due to poor workmanship on a large scale. As a solution, full-time supervisors were introduced to the factory floor, in charge of identifying, isolating, and, if possible, reversing product quality issues.
The Industrial Revolution changed the work dynamic of craftsmen, turning them into factory workers and shop owners into production supervisors, marking an initial decline in employees’ sense of empowerment and autonomy in the workplace. Quality in the factory system was ensured through the skill of labourers supplemented by audits and inspections. Defective products were either reworked or scrapped and workers retrained if necessary.
In the years following the Industrial Revolution, manufacturing products became more complicated and workers, in turn, had to become more specialised and able to inspect products for quality after manufacture. Factory managers created inspection departments to keep defective products from reaching customers, a practice that focused more on the end results than on the process itself. Reputation for quality, recommendation and repeat custom became go-to words in product manufacturing.
Florence Nightingale – ‘the lady with the lamp’ – was a true pioneer for the concept of Quality in nursing care. A devout Christian, she began to feel in her teens a calling from God to leave her family’s upper-class bubble in Hampshire and Derbyshire, to learn nursing and serve and care for others. She experienced obstruction and discouragement from her father, initially, but by 1855 she’d begun attending to wounded soldiers in hospital during the Crimean war. It was whilst serving there that she came to understand poor hospital sanitation went hand in hand with the death rate amongst wounded soldiers, which was as high as 60% during the Crimean War.
Nightingale believed in practices like hand washing, ensuring surgical tools were sanitised before and after use, bed linens were changed as regularly as possible and insisting on clean wards at all times, which are what we consider to be basic standards in hospitals today. She was also a champion for good nutrition and regular fresh air. She nailed these practices and mortality plummeted to 1 per cent!
Though Florence didn’t manufacture a product, she promoted Quality Assurance for the service of nursing, which has not only improved nursing as a whole, but it has stood the test of time.
Public expectations of Quality have continued to grow ever since, and businesses across all sectors have invested in it.
Quality Assurance in the modern age
Quality Assurance is now everywhere a product or service is developed and produced. In large companies, there is even a whole department dedicated to it.
Walter A. Shewhart
The origin of what we would call modern Quality can be traced back to the 1920s when Walter A. Shewhart began his work on developing controlling processes, which made sure that not only the finished product was of a good standard, but the ongoing processes were the best they could be.
Shewhart knew the importance of analysing data resulting from current processes, with statistical techniques to check if such processes were successful at controlling quality. Because of his methods, he is considered a pioneer in statistical control charts. This revolutionary tool went on to completely change the way we assess and conduct the management of processes, creating a whole generation of Quality Experts.
Most famously, he is the creator of the PDCA, which translates to Plan, Do, Check, Adjust, a four-step management tool which is extensively used in business for controlling and continuously improving processes and products.
Statistical tools resulted in incredibly robust processes, which led to the formation of Quality Control engineering and Quality Experts, and many companies formed quality departments to combine this expertise.
Even during World War II, Quality Assurance was introduced when inspecting and testing munitions, and it is said that the practice was vital to war efforts.
Post War
Joseph Juran
At the end of the war, many countries were left with destroyed infrastructures, and the painstaking effort began to rebuild them. Japan’s own effort was overseen by general MacArthur, who created two key roles given to Joseph Juran and W. Edwards Deming, who created the Quality Assurance of the modern age. They pitched the concept of collaboration towards quality to Japanese businesses who saw the potential in these ideas and employed them to rebuild their economy.
With the economic boom of the 1980s, we saw an increased move towards global trade. Countries and manufacturing industries were required to agree on common Quality Assurance Standards. Quality Assurance Standards would help in enhancing the trust between various companies across the globe.
W. Edwards Deming
As a result of international trade, companies again started to follow statistical control quality and management systems. In the 1980s, the emergence of theories of total quality management (TQM) further improved manufacturing practices.
The ISO 9000 Series of Standards
Another major development in the history of Quality was the adoption of the ISO 9000 standard series. A total of 91 nations joined the International Organisation for Standardisation (ISO) as members.
Now, ISO 9001 is an internationally recognised quality management standard which is used as the benchmark for many companies.
Quality Assurance and Control strategies today were conceived as a result of years of collaboration and testing by huge names in the industry like Juran, Deming and Armand V. Feigenbaum. Japanese companies embraced the concept and the Toyota Production System is a great example of the integration of these concepts with the use of focused tools. Many companies are busy deploying this methodology, but it takes time to get it right and most importantly to achieve a consistent result across the board.
The Quality movement is still maturing and constantly evolving thanks to Juran, Deming, Feigenbaum and their Japanese counterparts Ishikawa, Shingo and Taguchi. The one thing we have come to realise is that Quality is a journey, not a destination!
We can expect more development and challenges in the decades to come.
Key governing bodies
However, help is at hand with a range of organisations and publications that set out to ensure companies achieve these Quality Assurance objectives. Here are four of the biggest:
1. The ISO 9000 Series of Quality Management Systems Standards from the International Organisation of Standardisation (ISO) is a set of standards that assists companies in ensuring their products or services meet customers’ needs, within statutory and regulatory requirements.
According to ISO 9000, Quality Assurance (also referred to as Quality Control) is the part of quality management focused on fulfilling quality requirements, which is normally carried out by stringent controls until the product is faultlessly produced to exact international standards. Most recently in 2015, the ISO 9001 standard was revised to increase emphasis on risk management.
Organisations can obtain Quality Assurance certification by fulfilling the requirements defined in ISO 9001. This certificate is proof that a company adheres to quality standards. There are more than one million ISO 9001 certified companies on the global market.
2. The British Standards Institution is the national standards body for the UK. It champions a range of technical standards on products and services in all sectors and also provides certification and services to companies who require help in this area of their business.
3. The Chartered Quality Institute, once known as The Institute of Quality Assurance, represents the chartered national body for professionals in Quality. Its services help to improve the overall performance of companies by training and developing their quality management resources.
4. Across the pond, the American Society for Quality (ASQ) is a non-profit organisation dedicated to advancing quality innovation in various industries like manufacturing, service, health care, and government.
SQMC Commentary for ISO 9001:2015
This tool has been developed with the help of many decades of industry experience and insight from our team of Chartered Quality Professionals, and is Intended as a side-by-side study aid for SQMC students learning about ISO 9001.
What is ISO 9001 and why use it?
ISO 9001:2015 (the number referenced after the colon being the year of publication) is the internationally recognised Standard for the management and measurement of an organisation’s Quality Management System. The Standard provides a framework for managing and improving organisation’s system using a process approach. It helps the organisation to improve customer satisfaction levels, internal efficiency and employee involvement.
What is a ‘process approach’?
The Standard promotes the adoption of a process approach when developing, implementing and improving the effectiveness of a Quality Management System, which enhances customer satisfaction by better meeting their requirements.
Understanding and managing interrelated processes as a system contributes to the organisation’s effectiveness and efficiency to achieve its output goals. This approach enables control of the interrelationships and interdependencies of the processes, so that the overall performance of the organisation can be enhanced. The process approach involves the systematic definition and management of processes, and their interactions, so as to achieve the intended results in accordance with the organisation’s strategic direction (and, importantly, its Quality Policy – more on this to follow). Management of the processes and the system as a whole can be achieved using Shewhart / Deming’s Plan-Do-Check-Act cycle (“PDCA” for short), with an overall focus on risk-based thinking, aimed at taking advantage of opportunities and preventing undesirable results.
The application of the process approach in a Quality Management System enables:
- Understanding and consistency to meet requirements
- The consideration of processes in terms of added value
- The achievement of effective process performance
- Improvement of processes based on evaluation of data and information
The PDCA Cycle
Perhaps the quickest way to understand how ISO 9001 works is to become familiar with how it aligns with the Plan-Do-Check-Act cycle (PDCA). The following diagram is adapted from the Standard:
Putting it into context
The above diagram describes the core elements of the Standard. Let’s take a look at each one in turn:
- At either side of the circle we have customers. On the left, customers asking for our services. On the right, customers receiving our services.
- At both sides, customers will influence the nature and operation of the organisation’s system.
- Inside the circle we have a top-level process which can be applied to any organisation.
- As the system operates, the effectiveness is measured and reviewed, leading to continual improvement.
Remember the Seven (Quality) Management Principles
When studying the ISO 9001 clauses, it’s helpful to bear in mind that it’s based on the Quality management principles. The descriptions of these can be found in your complementary copy of ISO 9000; which includes a statement of each principle, a rationale of why the principle is important for the organisation, some examples of benefits associated with the principle, and examples of typical actions to improve the organisation’s performance when applying the principle.
Later in this manual we will revisit these Quality management principles, but for now, here is a reminder of what they are:
- Customer focus
- Leadership
- Engagement of people
- Process approach
- Improvement
- Evidence-based decision making
- Relationship management
A quick re-cap before we dive into the Standard
ISO 9001:2015 employs the process approach*, which incorporates the Plan-Do-Check-Act
(PDCA) cycle and risk-based thinking.
- The process approach enables an organisation to plan its processes and their interactions.
- The PDCA cycle enables an organisation to ensure that its processes are adequately resourced and managed, and that opportunities for improvement are determined and acted upon.
- Risk-based thinking enables an organisation to determine the factors that could cause its processes and its quality management system to deviate from the planned results, to put in place preventive controls to minimize negative effects and to make maximum use of opportunities as they arise.
Quality Management Systems – Requirements
(ISO 9001:2015)
Clause One: Scope
The term ‘scope’ is commonly used in the world of Quality, International Standards, and auditing. It refers to the definition, extent and boundaries of whatever is to be laid out or examined. To the auditor, preparing for their audit, it’s the specifics of what they’ll be examining during the audit. In the context of an International Standard, such as ISO 9001, the scope is defined in order to provide a specific and concise summary of the purpose and application of the clauses contained within it.
Clause Two: Normative references
The refers to specific documents that relate to the Standard you are reading. Only one document is referenced in ISO 9001:2015 – the very similarly-titled ISO 9000:2015. They are part of a ‘family’ of Quality Standards in the ‘9000’ numeric range. Whereas ISO 9001 is sub-titled “Quality Management Systems – Requirements”; it’s big brother, ISO 9000, is sub-titled “Quality Management Systems – Fundamentals and Vocabulary”.
Clause Three: Terms and Definitions
As hinted in Clause Two, there is some very important ‘Quality Speak’ in the vocabulary of International Quality Standards. It’s important to know, without ambiguity, what the Standard requires, and by extension, we therefore need to ascertain what exactly a certain word or phrase means, when stated in a Quality context. The supporting document, ISO 9000, dedicates its entire third section to spelling out these crucial terms and conditions, in great details, such as you might find at the beginning of a legal contract. Thankfully, these terms and definitions are freely available to read on the official website of the International Organisation of Standardisation (ISO): Moreover, SQMC cover them as part of both our classroom-based and virtual Quality Management Systems training courses.
Clause Four: Context of the Organisation
4.1 Understanding the organisation and its context
To a certain extent, every organisation operates within its own, unique context. So what factors might affect its Quality Management System (QMS) and the strategic objectives it has? On an on-going basis, the organisation must consider all issues, internally and externally, that impact on its QMS and its ability to function successfully.
What the Standard is looking for here is evidence that the organisation considers both internal and external issues that can impact on its strategic objectives and the planning of its QMS. The organisation needs to understand the components of its business – what are they going to sell and to whom? How do they operate as a business? Who is their competition and how are they operating? What are the legal and regulatory requirements that have to be considered? Identify the fundamental aspects of your business.
Karen MacKenzie
4.2 Understanding the needs and expectations of interested parties
The organisation is required to determine who could affect its QMS, and how they can affect its ability to satisfy its customers’ requirements. Its customers, themselves, would be considered an ‘interested party’; as are their suppliers, employees, the government, regulatory bodies, and in many cases, shareholders. All have the ability to influence the success of the QMS, and the organisation’s ability to deliver consistent products or services. Consideration must be given to the actual requirements of these parties, too, because they will crop up regularly throughout the development and maintenance of the QMS.
Imagine if you are a producer of concrete lintels that uses huge amounts of sand and gravel and that you rely on the cheap source of these raw materials from a quarry next door to your factory where transport is not an issue.
If this quarry were to close, as quarries often do because of various reasons, it would seriously affect your business as the sudden increase in cost of having to bringing these materials to the remote location of your factory would make you totally uncompetitive overnight. Your supplier of sand and gravel is an "interested party".
As your ISO 9001 certification auditor, I would expect to see in your annual review or in your risk register some reference to a review of the status of the trading status of this company by the management of your organisation as this is one of the major risks to your business. You should also be able to show how you would absorb such a sudden increase in prices, were the quarry to fold.
Ron Rivans
4.3 Determining the scope of the Quality Management System
Here’s that word again – scope. We first see this in Clause One. Now, in the context of a QMS, scope is the crucial cornerstone that defines the boundaries within which the QMS will apply. When deciding upon the scope of its QMS, the organisation can make use of the work already done to meet the requirements of Clauses One and Two, because the organisation’s context and its interested parties will play an integral part. Once decided, the scope is to be documented, and should specify the products and/or services to come under the jurisdiction of the QMS. In the document, any clause of the Standard that doesn’t apply to the scope of the QMS must be detailed, with an explanation why it is being omitted. This document is to be kept up-to-date and controlled.
Simply put, all the requirements of the Standard (ISO 9001:2015) must be considered and covered by a document called the Scope. If an exception to a clause has to be made it should be stated in the Scope, e.g. a company may have the capability to make a product from a customer's drawings but does not have design & development capabilities. (see Clause 8.3).
Ian W. Hannah
4.4 Quality Management System and its process
In order to initially create and then make continuing improvement to its Quality Management System, an organisation must meet the requirements of the Standard. This must include the processes needed for the QMS to function, and how they interact together. It’s necessary to determine the methods needed to manage those processes, and the resources required to support them. Who are the authorities involved? Which staff have responsibilities, and what are they? What are the risks for each of the processes, and conversely, what are the opportunities? How will the processes be evaluated?
Another requirement of the Standard is to document the information associated with the processes and maintain it. Then, when being audited by an external party, the organisation will be able to provide evidence that the processes were carried out as intended. On the other hand, when internally auditing the QMS, it will be clear and simple to identify where and why any particular process wasn’t carried out effectively. This allows the auditor to add value to the organisation by pin-pointing areas that need tightened up, or re-thought.
The focus of this clause is to identify, manage and control all of your QMS processes (production, customer enquiries, internal audit etc) and to include sub-processes; also, key processes of leadership, planning, support, operations, performance evaluation and improvement. They need to be systematically defined and managed as well as mapping their relationship to each other to show how they achieve their intended results in accordance with their policy and strategic direction.
Karen MacKenzie
Clause Five: Leadership
5.1 Leadership and commitment
An organisation seeking ISO 9001 Certification is making the strategic decision to take accountability for how well its QMS performs. This requires complete buy-in from the Top Management, to encourage its operations to focus on Quality and its customers. A Quality Policy must be established, all legal and regulatory requirements met, regular management review meetings held, and correct resources provided for.
From the implementor’s perspective, this is about having the MD and his team on board with the reasons for implementing the system. There must be a visible ‘buy-in’ from the guy at the top. It’s all very well having nice vision/goals/policy documents etc., however, they are all pretty useless if the top folk in the business don’t believe in them. This is where the [2015] version of the standard differs significantly as when being certificated the auditor needs to conduct an interview with the MD to gauge their level of Leadership and commitment that is real! It is therefore very important that the top team believe in and understand why they are implementing the system.
Andrew Gillies
5.2 Policy
A Quality Policy is required. This is a high-level document outlining their focus on Quality and customer satisfaction, the Quality objectives framework within the organisation, and its commitment to continual improvement of the QMS. The policy states the general direction of the organisation and that it will achieve it in accordance with the relevant regulations. All interested parties must have access to this policy, whilst within the organisation, it must be adequately communicated throughout the staff. Keeping the policy up-to-date is vital.
The development of a policy must be implemented by top management and be appropriate to the purpose and context of the organisation and crucially, it must support its strategic direction. It must additionally provide a framework for the setting and review of quality objectives and to continually improve their quality management system. Any change to the strategic direction of the organisation may require a rethink of the policy statement.
The organisation’s quality objectives must be consistent with the policy statement. The policy must be available in documented form, it must be communicated, understood and applied throughout the organisation and must be available to relevant interested parties.
It is vital to remember that documented information can be in any medium, so a video clip on social media, a metal plaque on the wall in the organisation’s entrance hall are all acceptable.
James Hughes
5.3 Organisational roles, responsibilities and authorities
Top Management is required to assign responsibilities and make authorities for key roles relating to the QMS, within the organisation; and define and communicate these to all levels.
Top Management must establish the organisational framework necessary to make the QMS work; it must define its structure and lines of reporting and ensure that all are clear about their roles and responsibilities...
Role – the defined or expected behaviour associated with a particular position.
Responsibility – the duty obligation and accountability for the performance of assigned duties, tasks and activities.
Authority – the power or right to control, command, issue orders, make decisions, assign resources, delegate and ensure compliance to company policies and practice.
Accountability – means taking responsibility for and accepting the consequences of your actions in achieving results and proving it to others.
Karen MacKenzie
Clause Six: Planning
6.1 Actions to address risks and opportunities
The organisation must consider risks and opportunities when planning and developing its QMS. Aspects to consider include how interested parties and context may help or hinder the QMS. What action can be taken to mitigate risks? How can opportunities be used to the advantage of the organisation?
Here are a couple of real-life anecdotes to help SQMC students contextualise this clause:
When this clause of the standard was initially discussed many organisations took the attitude of “We have a HS&E Risk Register. We’ll use that as the basis for this requirement and add to it as and when required.” They didn’t recognise that it involved Business Risks and Opportunities rather than the risks associated with personnel health and safety. In addition, not all risks to the business are entirely negative as opposed to risks to product safety which should always be mitigated.
Another example is, during an ISO 9001:2015 foundation training course the group was discussing clause 6.1 and the implications to the organisation if all of the risks weren’t identified or correctly mitigated. One delegate mentioned that during a recent transition audit conducted by the certification body, the purchasing manager was asked what plans were in place to mitigate the risk of a major shipment of key components transported in shipping containers from the normal supply source based in China, being hi-jacked by Somalian pirates off the east coast of Africa and held to ransom. Obviously, this question is based on the potential loss of the normal supply chain and what measures have been identified to meet any such shortfalls, but the purchasing manager was at a loss to provide an answer saying that such a dramatic occurrence hadn’t crossed his mind.
By rights it shouldn’t have been up to the purchasing manager to identify all of the potential risks affecting his area of operations on his own. The identification of Risks and Opportunities to the organisation should be conducted by a multi-disciplinary team within the organisation thereby allowing people outwith the affected department to throw in off-the-wall ideas and notions for consideration.
Footnote: By coincidence, one delegate on the course worked for a shipping company and did have a solution to the question stating – “Transport the goods using Russian registered ships. The Somalians won’t approach Russian ships as they’ll get blown out of the water!
Robert Bell
6.2 Quality objectives and planning to achieve them
Organisations must establish Quality objectives for all departments and functions relevant to the QMS. It must make plans to achieve these objectives and how it will measure, evaluate and (if necessary) action the results. Most organisations derive their Quality objectives from their Quality Policy, and plan them, at each stage, using the mantra of "What", "Who", "When", and "How"?
Documented quality objectives and targets must be established at each relevant function and level within the organization. The objectives and targets establish an important link between the policies and the management programmes. The objectives and targets must be consistent with the policies, including the commitment to continual improvement.
Depending on the size, management structure, and other factors pertaining to your organization, the objectives may be established and reviewed by various personnel and with direct top management input. Objectives can apply to an entire organization, can be site-specific, or can be specific to individual activities. The appropriate level(s) of management personnel should define the objectives and targets.
The scope and number of the objectives and targets must be realistic and achievable. Otherwise, the success and continued commitment from top management and employees will diminish. Targets must be quantified where practicable and the units that are used to quantify the targets are referred to as key performance indicators (KPIs). A KPI is defined as an expression that is used to provide information about management system performance.
Imagine you are the production manager and the Managing Directors is reviewing the complaint levels during your management review meeting under clause 9.3 of ISO 9001: 2015 only to find that they are repeatedly high. The MD decides this cannot continue and asks you to take on the task of reducing this number of complaints from 10% to 5% per annum. You would make this an objective that you will be responsible for achieving. In so doing you will develop a plan showing how you will reduce this level, who will be involved to help you, what resources you will need and when you hope to deliver the improvement. You must show clearly how often you will report on the progress of this achievement.
Ron Rivans
6.3 Planning of changes
Changes within the organisation should be delivered in a controlled and well-thought-out manner. Why make the change? What will happen as a result? What impact will it have on the other aspects of the QMS (responsibilities, authorities, resources, etc.).
A client, concerned about the amount of money they were spending on various certifications, checked that the one they needed was a specific health and safety certificate. As a result, they decided to drop their ISO 9001 certification. The unintended consequence was that they lost their health and safety certification which had embedded in it that all organisations needed to have a fully functioning ISO 9001 system. By not planning the change properly they ended up on the back foot and having to spend a lot to get their ISO 9001 certificate back in place.
Cath MacNeil
Clause Seven: Support
7.1 Resources
The QMS must be supported with particular internal and external resources: people, infrastructure, environment, monitoring factors and knowledge of the organisation. The latter should be readily-available, and not reliant on the minds of key employees.
Strangely this is one of my favourite clauses because more often than not when conducting either internal or 2nd party audits on organisations you’ll always hear the excuse “Oh, yes well, we haven’t been doing that quite as often as the work instruction/procedure etc. states because we don’t have enough resource.” This often leads to a nonconformance which top management have to address.
7.1.4 – Environment for the operation of the processes.
For the first time the ISO 9001 standard mentions the effect that the work environment has on human performance. As far back as the early 1990’s human factors and their influence on performance were recognised within the aviation industry. At that time approximately 80% of aviation accidents and incidents were attributed to mistakes made by humans within the operation, maintenance and repair of aviation products to the extent that mandatory training in Human Factors and Human Performance is now a pre-requisite to maintenance and aircrew involved in such task, in addition, continuation training within a two-year period is also mandated.
When I review the closure of nonconformances during audits I challenge any that identify “Human Error” as the Root Cause. I consider Human Error as the result of some other factor which has a negative influence on the individual performing the task, such as lack of resources, time pressures, insufficient training etc. Human error many be a contributing cause but is rarely the Root Cause.7.1.6 – Organisational knowledge
With my background in aviation, specifically gas turbines, I’m sometimes asked to witness testing at certain stages during the repair and overhaul operations. On one occasion I was asked to attend and witness a final operational test on an engine prior to the release to the customer. After a 3-hour journey to the site I duly arrived at the test cell to be informed that the test had been cancelled. The test cell manager had decided to leave the company at short notice and no-one else could operate the equipment. There were no written instructions available and the manager didn’t like to share his expertise with anyone else. The following week I received a call to go back to the witness the engine test. The manager had been persuaded to return and he oversaw the operations. The engine met the test criteria and was duly shipped off to the client. The test cell manager left the company again shortly afterwards but had only passed on a little of the knowledge he had gained from years of experience.
Robert Bell
7.2 Competence
The organisation must have a process in place to determine and measure its staff and sub-contractors’ competence levels for their role at work. Their suitability must be determined by this process, and aspects such as training, qualifications and experience levels must be taken into consideration.
From the auditor’s perspective, competence essentially replaces what was previously referred to as training. There is quite a difference between these terms, anyone can be trained, however, that doesn’t necessarily mean that they are competent. Employees can also be competent without having had any formal training, through the experience they have built up over many years. A simple way to audit against this clause is to establish how the business records the competence required for each role, generally via a matrix. This allows the auditor to graphically understand the roles in the business and the competence required for each role accordingly. It is then about gathering objective evidence by selecting several staff from the matrix and follow through to review evidence of certification/training to fulfil the competency requirement expected.
Andrew Gillies
7.3 Awareness
All key staff are to be aware of the QMS. Share the Quality Policy with them, and how integral their role is to the overall QMS and meeting its objectives.
I remember asking a Managing Director of a very prestigious company if they had a policy, in which they replied that yes, they had and explained that they had also signed and dated it. I then turned to his senior management team of which there was 12 around the table and asked them if they were aware of such a policy and they all said they were aware.
I then asked the MD “so what do you have in the policy”? and he informs me that he has set out clear aims and objectives for the company. I asked the question who will be responsible for achieving these aims and objectives of which he was clearly proud of and he motioned to everyone around the table. At this point I went around each manager and asked them what their objectives were, and had they achieved them. A very sheepishly group of managers all replied that they were not aware of what their objectives were and therefore had not achieved them.
My reply to the Managing Director was if there is no awareness of what their objectives are, the policy becomes a useless piece of paper with no meaning.
Alex Kirk
7.4 Communication
The organisation must establish internal and external communication processes, considering what, when, how, by whom and to whom the communications will be made – and whether they are consistent with the rest of the QMS.
The big thing in this section is the recognition that different folk need to know different things. Your clients need to know that you have ISO 9001, they might want to know that you have plans in place to reduce rejects, but they don’t need to know that a particular product range is dreadful and that you have isolated it to a training issue in a particular department. Those who do need to know that are the training department and the department where the issue is occurring. Similarly, the objective to reduce costs, needs to be known by top management, but what the people on the shop floor need to know is that the reduction in waste due to faulty product is contributing to the company’s overall objectives, and that this is being tackled by more training. So, it’s different parts of the same message that need to be given to different people.
Cath MacNeil
7.5 Documented information
The QMS must be supported by controlled internal and external documented information. As well as documents and records required by the Standard, itself, this sub-clause also relates to any record or document that is important to the organisation’s processes and operations.
Activities, staff, processes, products, services, and size must be considered when establishing documents. New documents and updates of existing ones must be managed and recorded. The records must be consistently identified, formatted, reviewed and approved.
Even the control must be controlled! Sub-clause 7.5.3.2 prescribes that the documents and records control, creation, identification, distribution, access, retrievability, storage, use, changes, protection and preservation are subject to control.
To demonstrate conformity with Clause 7.5, consider these three requirements:
1st Requirement: Determine FORMAT (language, software version, graphics) and MEDIA (paper, electronic) to be adopted.
2nd Requirement: Determine that conformity with ISO 9001:2015 can be demonstrated by “MAINTAINING” and “RETAINING” information required by the Standard (such as procedures, manuals, forms, checklists, records etc. and “cloud stored” information which can be downloaded to a computer or smartphone. The Quality Policy and objectives are also integral information elements).
3rd Requirement: Determine the “extent” of required documented information as is necessary to satisfy the following two factors:
(i) The requirements of the relevant clauses of the Standard.
(ii) The “extent” of documentation required to demonstrate controls within companies of various sizes and complexities.
To summarise, initially determine the FORMAT and MEDIA to be used, the MAINTENANCE and RETENTION methods to be adopted - plus the EXTENT of the Quality Management System – and also read the paragraphs linked to Clause 7.7 in BS EN 9000:2015 and in BS EN 9002:2016 for additional clarification.
Derek Millar
Clause Eight: Operation
8.1 Operational planning and control
For the organisation to successfully meet the requirements for delivering products or services, it must develop, implement and control the processes involved. What features and functions is the product to have? What criteria must the product (or service have) meet? How will the processes work in reality, and what resources will it require? How will fulfillment of the processes be measured? What records will the organisation need to keep to demonstrate each process was fulfilled correctly?
As we have been going through the Standard, you will have picked up on the fact that all the clauses are inter-related. Now we have arrived at operational planning and control, and you have had a chance for a quick glance through what this says, you will realise it is talking about good practices on how you deliver your service or manufacturing. Hopefully, you will see where your organisation fits into the requirements as we move through the clause and I am sure you will be able to demonstrate / provide information relating to how your organisation works.
Whether you are manufacturing or providing a service you need to be able to plan what you need to put in place to meet your customers’ requirements. Having the correct resources (people, equipment, raw materials) enables you to prepare your processes and procedures to ensure that you can deliver on time and provide the correct service / product - which is
essential to keep your customers happy and continue to provide you with repeat business.As a successful organisation you will be managing your processes in such a way that they can be reproduced against set criteria (measure your processes at critical points on an ongoing basis) and be able to provide this information to your customers if they request it. If you need to change a process, for any reason, then you should manage the changes in a controlled way – again keeping full records of the changes being made with procedures / work instructions updated and by whom. If your planned changes don’t provide you with the results you want then you can revert back to your previous process using the records you have retained. This process also applies to any problems that might arise during normal working, for example a piece of equipment fails or say, a new employee inadvertently makes a mistake, then you can quickly put in remedial actions.
Anecdote! A production line is working at full speed – unfortunately all the material has to be scrapped due to a problem that occurred at the very beginning of the process. Unfortunately, the Line Manager was fixed on throughput rather than quality.
Result of investigation: A new employee was feeding in the wrong type of material – no supervision to check their work.
Due to customer demand the Line Manager had stopped the usual process checks. These would have picked up the problem quite quickly and been easily rectified with only a small amount of scrap.Resolution: By failing to follow the correct procedures, measure the process at identified critical points this resulted in 100% scrap. A very unhappy customer plus the cost to the organisation of a full day’s production having to be scrapped!
Anne Barber
8.2 Requirements for products and services
More often than not, the requirements for a product or service is dependent upon good communication between an organisation and its customers. Information must be able to flow between the two parties effectively. From enquiries to orders, keeping any property provided by the customer safe and secure, managing the customer’s feedback, and where needed, reviewing the requirements for contingency purposes. The organisation must clarify the customers’ requirements for the product or service and verify them prior to accepting the order. This should be documented, which will protect both parties, and the documents changed in accordance with any amendments made.
8.2 is a large section in 9001 and covers the activities involved in communicating with a customer to find out exactly what it is that they want from your organisation. Once you have all of this information in as much detail as possible, the organisation needs to look at what else is involved in producing the desired product or service, i. e. any legal or regulatory requirements, any aspects it’s just not possible to have and so alternatives will need to discussed with the customer, can it be made within timescales, with the material the customer wants, are there any restrictions on shipping etc. Once all this information is brought together then a decision can be made about whether it is feasible to make the required product for the customer.
Karen MacKenzie
8.3 Design and development of products and services
There are many factors to consider when planning the design and development of the product or service, and the Standard requires a process to be created, followed and maintained accordingly. What are the requirements? What are the complexities involved? The customer’s expectations? Who will participate, and what are their responsibilities? What documentation and resources are going to be needed?
The inputs and resources used in the design and development must be clearly defined, and the related documents and records properly controlled. The process must be controlled, and the organisation must show how the results will be defined, how reviews are carried out, validations and verifications performed. Careful though must be given to how outputs will be produced and compared with the original requirements. Any changes made to the design must be identifiable, whether they are made during the design and development process, or afterwards. These changes have to be reviewed and controlled.
This clause covers all the processes, such as planning, required to ensure that the product meets functional and performance requirements, e.g. a new car battery may start the car, but will it be rugged enough to satisfy the customer?
Ian W. Hannah
8.4 Control of externally provided processes, products and services
When purchasing products or services from other parties, the organisation must have a process by which they evaluate which supplier to use. Consideration must be given as to how important the product or service being purchased is to the organisation. Monitoring and control of the supplier’s processes, products or services, and performance is crucial. Clear communication to the supplier of the organisation’s expectations is paramount. What are its requirements of the product or service? What does it require in terms of equipment, process, and competence?
Here are a couple of anecdotes to aid the understanding of this clause:
I first heard the term “Intelligent Customer” used by a member of the Nuclear Industry Inspectorate, the UK nuclear industry regulator (now the Office for Nuclear Regulation) when describing what a particular organisation was NOT. This particular publicly funded organisation had awarded a number of high cost projects to large contractors with the attitude “This is what we want. Tell us when it’s finished, and we’ll come over for the ribbon cutting ceremony and some drinks and nibbles.”Unfortunately, in too many cases when the projects were handed over they weren’t capable of meeting their required intent and costly delays, rework and modifications followed – all paid for from the public purse.
One of the main problems was that the client abdicated all responsibility for the project to the main contractor, who in
turn passed on a lot of the work to sub-contractors who in turn passed them down etc., and so it went on until the people actually performing the work weren’t totally aware of what the requirements were or what standards were to be met. It was only when the client was being called to account by the people who were footing the bill that things started to change and posters proclaiming “Value to the Taxpayer” as one of the company goals started to appear on noticeboards and team briefings.Responsible organisations should always monitor the work being performed by others on their behalf.
In my pervious life as a quality engineer within an aerospace maintenance organisation, one of my roles was to monitor and approve purchase orders for aviation parts and accessories which had been generated by the Purchasing Department. On one occasion one of the purchasing team presented me with a PO for a particular critical part from a company which wasn’t on our Approved Supplier List (ASL) – we performed al lot of supplier audits! When I asked her why she was trying to use an unapproved supplier she stated that none of our regular suppliers had that part available and this company, which she had found during a trawl of the internet had six in stock but they didn’t have the correct level of certification. She wanted to if know could we use them as the lack of this particular part was holding up a final build and would affect the monthly production figures. The company had promised her that they would ‘source’ the correct certification and send it in within a few days. When I gave an emphatic ‘NO’ that we couldn’t use them I was bombarded by the purchasing manager, the engineering manager (who should have known better) and the production manager for not sanctioning the purchase. The following Monday we found out from one of our regular US based suppliers that the particular company in question was under investigation from the US FAA for dealing in counterfeit parts. Needless to say I never did receive apologies from the purchasing manager, the engineering manager (who should have known better) or the production manager.
Robert Bell
8.5 Production and service provision
The organisation must establish and implement controlled conditions for production, service provision, delivery and post-delivery processes. At the output stage, suitable identification of the product must be given, if traceability is required; and in some cases, this will be a unique identification reference (such as a serial number). Documented information must be retained to aid traceability.
Where property – either belonging to a supplier or a customer – is utilised, it must be kept identifiable, protected and monitored. Again, documented information is crucial, here, especially in cases where the property may go missing or become damaged, and an explanation given to the owner.
The orgnaistion must identify any activities that will be required after the product or service is delivered.
Young Kenneth wants to buy a Pizza restaurant and his lawyer advises him to ask Rudyard Kipling’s questions:
What? What controls are in place? Recipes? Oven temperature? Chef competence?
Where? Where do the materials and ingredients come from (traceability), and are their use by dates feasible?
When? When do you take the money/credit card (the customer’s property)?
How? How do you store raw materials, and how do you pack the Pizza for delivery (preservation)?
Who? Who is responsible afterwards (customer feedback; lifetime of the product)?
What? And what do you do if the customer changes his order (Changes)?
Bruce Moyes
8.6 Release of products and services
Products and services must not be released until their conformance to the requirements is achieved and documented.
This clause refers to all the checks and tests that have been made before the product is released to the customer and by whom. i.e. who signed off the Certificate of Conformity.
Ian W. Hannah
8.7 Control of nonconforming outputs
It’s important that products that don’t meet their requirements don’t slip through the output process for delivery or use. Any outputs that don’t conform must be identified, evaluated and their impact examined. Many manufacturing companies will use a "quarantine area" (an area of the shop floor marked off with yellow tape) to ensure that defective product does not find itself being sent to the customer, in error.
The organisation must take action to document, correct the nonconforming outputs and verify their correction (or in some case, if appropriate, evidence that the customer will accept/has accepted them). The documentation should describe the actions and decisions made to ensure the outputs aren’t used or delivered.
The intent of ISO 9001 Clause 8.7 is to prevent the unintended delivery or use of nonconforming outputs (outputs should be considered as products and/or services) and that any nonconformity is controlled and corrected to prevent its unintended use by or delivery to the customer. Clause 8.7 only requires an organization to deal with outputs that fail to conform to specified requirements.
As the first step in the process, the root-cause of the nonconformity should be determined, and the effectiveness of the subsequent corrective action should be monitored and evaluated. Corrective actions can be triggered through nonconforming tests or other work, customer complaints, internal or external audits, management reviews, and observations by staff.Imagine you have just finished heat treating a tray of metal castings and the magnetic particle inspection which follows the heat treatment shows two of the castings show distinct longitudinal cracking on the surface.
Your job as the inspector or quality controller is to isolate these cracked castings and allow the good ones to proceed to the next stage of manufacturing. The isolated castings are non-conforming products as they are damaged and cannot be used as good castings. You must now decide whether you can repair them by surface dressing or scrap them. If the cracks are fine you might offer the castings to your customer who may be able to use them by surface grinding.
Corrective action may be implemented to address the root-cause(s) and contributing cause(s) of the nonconformity or action taken to prevent recurrence of the nonconformity. As part of the corrective action process you must identify all the causes (root-cause and contributing causes) that have or may have generated an undesirable condition, situation, nonconformity, or failure.
A nonconformity may also arise from an action in which case corrective action is triggered through nonconforming tests or other work, customer complaints, internal or external audits, management reviews or observations by staff.
The nonconformity must be documented and so must any subsequent corrective/preventive action to address the nonconformity.
Ron Rivans
9.1 Monitoring, measuring, analysis and evaluation
This clause enlarges the focus of measurement and monitoring the QMS, unlike Clause 7.1.5 of ISO 9001, which focuses on the actual equipment used. Clause 9.1 applies to what needs the monitoring and measurement, and how it is to be done.
What is important to me within this section is the very start, determining what needs to be monitored and measured. Within manufacturing, everyone agrees that the products need to be measured and production needs to be monitored. One memory I have is of a new feature in one of the printing machines in the first company I worked in using ISO 9001. The machine used computer controlled statistical methods to determine when the ink colour was going off requirements and put it to rights, however, the operators would intervene and it was realised that they were noticing things later than the machine and their correction typically put the colour wrong in the other direction. Tools work, if you let them.
The other area that still causes me concern is within the offices, I believe that an awful lot of people assume that you cannot monitor and measure office activities, whereas this is not the case. It could be that the number of drafts of a document is a measure, the length of time to produce a report, the number of purchase orders processed per day, the number
of emails to clarify points, there are a hundred ways to measure office activities, and from the data it would be possible to determine which processes need to be improved. Recently there was a job interview where the girl being interviewed talked about how she spent all of her time sending out credit notes because invoices were incorrect, a whole life spent correcting someone else’s errors and she never questioned why they were wrong in the first place. She should have questioned, and her boss should have too, it’s such an important section of the standard.
Cath MacNeil
9.2 Internal audit
Internal audit, used correctly and effectively, is a tool of great value to an organisation. The audits should be done looking for conformity, not non-conformities. This purpose of this clause is to ensure the QMS both complies with the requirements of the organisation (after all, why would they want a QMS that doesn’t work well for their own, unique operations?) as well as the requirements of the ISO 9001 Standard. The audit will provide results which will help inform the decision makers of how effectively their organisation is functioning. These results may take the form of positive feedback, improvement requests or recommendations, and ‘nonconformities’. Nonconformities fall into two brackets, depending upon the seriousness of their impact to the QMS: ‘minor’ and ‘major’.
ISO 19011:2018 is a whole ISO standard written about how to carry out internal audits, as they are one of the keystones of management systems, audit schedules must be based on risk, areas of higher risk audited more frequently and in more depth; audits must be planned to determine resourcing feasibility, competence of auditors required in order to collect sufficient, valid reliable evidence to make reasoned judgements on the degree of conformity with stated criteria.
Karen MacKenzie
9.3 Management review
Top level management is required to review the organisation’s QMS no less than once per year. They must consider whether the needs of the organisation are still being adequately met by the QMS; whether it meets the requirements of the Standard, and whether the activities the organisation performs are in accordance to the relative procedures; and whether the QMS is achieving the desired results, as planned.
Perhaps the Quality objectives are outdated, now? Or the overall Quality Policy requires refinement?
The bosses should be taking a close look at the feedback from customers (satisfaction surveys, complaints, etc.), previous findings of management reviews, or any changes to the context of the organisation (see Clause 4.1).
The Management Review Meeting (often monthly) is very important event at which, amongst other things, the Internal Audit Reports are discussed, and decisions made to ensure that the organisation is still "on track" regarding its Quality Policy.
Ian W. Hannah
Clause Ten: Improvement
10.1 General
Using the findings of the management review, opportunities for improvement must be identified and implemented. How can customer satisfaction be increased? Are there opportunities to be more innovative? What corrective action is required, and are there any nonconformities to rectify?
I once explained to a student that there is a great deal of ways that an organisation can make continuous improvements within their organisations, although improvement needs to be evidenced.
As an auditor I visit many different and varied organisations and what always surprises me is the when I ask how they measure improvement they willingly hand me there accident statistic, non-conformances, sickness records, regulatory improvement notices etc which are all reactive measures and have a place in monitoring improvement but they often fail to show the proactive measures 9the good stuff) they are taking to make improvements within their organisations. I often ask do you carry out workplace Inspections auditing, training, briefings, toolbox talks, safe operating instruction, procedures etc which they often say yes, we do all that but are often lapse in recording that they do.
I explained the importance of recoding both reactive and proactive measures if we are to show that we are not only looking at the negative but looking at addressing opportunities for positive improvements whether it’s our service delivery, improving customer satisfaction and needs or improving the quality of our products or the safety of our employees if we evidence these this will go a long way in addressing areas for continual improvement.
Alex Kirk
10.2 Nonconformity and corrective action
Nonconformities raised during the internal audit process require to be rectified, via a ‘corrective action’. The corrective action should be recorded, alongside the record of the nonconformity, itself.
From the observer’s perspective, this clause falls into ‘Act’ in the PDCA cycle. It is about reviewing where things have gone wrong – and what the business intends to do to make things right. Many people think that corrective action is the end of story, however, this also requires further follow-up to ensure that actions taken have been effective. An example of this could be a supplier of a critical component for a manufacturing company, where the supplier continues to provide defective parts. The immediate action would be e.g. holding a meeting with them, conduct a review, give them a final warning. Such action is only effective if it actually prevents the nonconformity from re-occurring, therefore agreed actions need to be checked to ensure they are effective.
Andrew Gillies
10.3 Continual improvement
One of the central elements of an effective QMS is its purpose of continual improvement. Without it, the QMS would soon become unsuitable and inadequate to the organisation’s objectives and operations.
This clause is completely focused on the improvement of the quality management system, based on the results arising from the analysis and evaluation in Clause 9.1.3 (analysis and evaluation) – all the findings and results from the topics listed there are potential improvements for the management system as opposed to improvements in products and services.
Karen MacKenzie
The Seven (Quality) Management Principles
There are seven management principles that can be used to enhance the performance of an organisation, and to achieve success in a sustainable manner. These principles are not just a cornerstone of Quality management Standards, but also of many other related management systems Standards. The principles can be tied to many clauses of ISO 9001 (we’ve mapped these out for you, below).
Principle 1: Customer Focus
The primary focus of quality management is to meet customer requirements and strive to exceed customer expectations.
Relates to: 4.1 – 4.4; 5.1 2; 8.2.1; 8.2.2; 8.2.4; 8.5.3; 9.1.2
Principle 2: Leadership
Leaders at all levels establish unity of purpose and direction and create conditions in which people are engaged in achieving the organisation’s quality objectives.
Relates to: 4.1 – 4.4; 5.1 onwards through the ‘5’s’; 9.3
Principle 3: Engagement of People
Competent, empowered and engaged people at all levels throughout the organisation are essential to enhance the organisation’s capability to create and deliver value.
Relates to: 4.1 – 4.4; 5.2.2; 5.3; 7.1.2; 7.1.3; 7.1.4
Principle 4: Process Approach
Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.
Relates to: Introduction – 0.3; 4.1 – 4.4; 6.1.2; 7.1.2; 7.1.3; 7.1.4; 7.1.6; 8; 9; 10
Principle 5: Improvement
Successful organisations have an ongoing focus on improvement.
Relates to: 4.1 – 4.4; 6.1 – 6.3; 9.1.3; 9.1; 10
Principle 6: Evidence-Based Decision-Making
Decisions based on the analysis and evaluation of data and information are more likely to produce desired results.
Relates to: 4.1 – 4.4; 6.1 – 6.3; 7.1.6; 8.1; 9; 10
Principle 7: Relationship Management
For sustained success organisations manage their relationships with interested parties such as providers.
Relates to: 4.1 – 4.4; 6.1; 8.4
NB: These are not exhaustive – there are other clauses related to the Principles.
