ISO 9001 Certification Requirements
Posted On July 8, 2019
We have referred to the ISO 9001 Quality Management System in a number of previous posts, you may know a company that is ISO 9001 certified or you may have seen the certification emblem on some of your favorite products. I’m sure you understand by now why organizations pursue a Quality Management System using this ISO standard. As you may also want to do the same for your organization, it is important that you understand the ISO 9001 standard, its requirements and structure.
The ISO 9001 standard is basically a booklet containing the ISO 9001 certification requirements. The first version was published in 1987 and the current version was released in September 2015, therefore it is referred to as ISO 9001:2015. It is the ‘bible’ for organizations working towards ISO 9001 certification, the reference document that both management and staff have to continuously refer to for direction, the question that people will often ask is ‘What does the Standard say’? What the Standard says is what we call its requirements.
ISO 9001 Requirements
The ISO 9001:2015 standard is constructed around the Quality Management Principles and its requirements are broadly separated into ten sections (called ISO 9001 clauses). Clauses 1 through to 3 do not include any requirements:
Clause 1_The scope of the ISO 9001 Standard: This explains why organizations should use this standard, as discussed in previous posts the reasons should fundamentally be:
1. To demonstrate that they have ability to consistently meet customer and applicable legal requirements
2. To enhance customer satisfaction by implementing the system
This clause also emphasizes the generic nature of this standard i.e It is applicable to any type of business, industry and organizations of any size.
Clause 2_Normative Reference: The Normative Reference for the ISO 9001 Standard is the ISO 9000 standard.
ISO 9000:2015, Quality management systems — Fundamentals and vocabulary. ISO 9000 provides definitions of keywords mentioned in ISO 9001. It is a reference standard which is vital to the application of ISO 9001:2015.
Clause 3_Terms and definitions: Reference is given to ISO 9000: 2015 for definition of terms used in ISO 9001:2015 as explained in clause 2.
The Mandatory Requirements of the ISO 9001 QMS
Clauses 4 to Clause 10 are the mandatory requirements of the ISO 9001 standard. All elements of the five clauses are mandatory except for the Product Realization section, which allows for a company to exclude portions that are not applicable. In order for an organization to be certified, an auditor will look at whether it satisfies the requirements of each clause.
Clause 4_ General Quality Management System requirements
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the quality management system
4.4 Quality management system and its processes
This section deals with general requirements for a QMS, as well as all documentation requirements. It requires the organization to understand its internal and external environments. The PEST/PESTEL analysis and SWOT analysis are useful tools that an organization can use to understand its strengths and weaknesses, opportunities and risk factors should be identified and the information used in determining the strategic direction of the organization.
Please note that the standard will not ask you to do a PESTEL or SWOT analysis as it is not prescriptive but its up to the organizations determine the best way to satisfy the requirement and this is the mind to carry when going through all the requirements, how can this be achieved?
ISO 9001 requires the organization to show that it is attentive to the needs of all the relevant stakeholders. There a must be a means for reviewing information about customers and all relevant stakeholders e.g owners, employees, providers, bankers, regulators, unions, partners, community, news media, competitors, law enforcement, emergency responders.
The Scope of the QMS is the boundary of the quality management system. Which services/Products are covered, which sites etc. An organization can choose to be accredited for one product/service or one site. In the situation where the QMS only covers part of the organization, its necessary that the organization clearly defines and communicates to its stakeholders the boundaries (Scope) of the QMS.
An organization must establish, implement, maintain, and continually improve the QMS processes and their interactions. To support the operation of these processes, procedures and work instructions must be available to give direction and standardization. Records must be maintained as proof that the processes are being carried out as planned. Performance Indicators must be in place to ensure effective operation and control of processes.
Clause 5_ Leadership
5.1 Leadership and commitment
5.1.2 Customer focus
5.2.1 Developing the quality policy
5.2.2 Communicating the quality policy
5.3 Organizational roles, responsibilities and authorities
Leadership is required to show commitment to the Quality Managenement System through a number of responsibilities which include formulation and communication of a Quality Policy and Quality Objectives and assigning of roles, responsibilities and authorities for key roles within the organization including that of Quality Management.
Leadership is expected to promote process approach and risk based thinking in their role. Risks and opportunities that can affect the conformity of products and services and therefore impact Customer satisfaction should be continually identified and acted upon to continuously improve. This clause has a strong emphasis on risk based approach.
6.1 Actions to address risks and opportunities
6.2 Quality objectives and planning to achieve them
6.3 Planning of changes
When we know what we want to do, we have laid out our direction and determined our Quality Policy, its time to plan. This clause gives provision for well-thought-out and organized actions before implementing and before effecting any changes to the Quality Management System. The opportunities and risks also have to be evaluated and weighed before making a decision. Questions like what if? must be asked and provisions made for eventualities. This includes allocation of resources and therefore budgeting. This is in contrast to haphazard changes that can adversely affect processes and eventually the Customer. Quality Objectives are an important way of showing that the Quality Management System is well-thought-out. If formulated correctly they can give a year direction of what the organization wants to achieve, they need to be SMART-Specific, Measurable, Attainable, Realistic and Time Bound and should be consistent with the Quality Policy. I have seen organizations that have set out to implement a Quality Management System but do not have a timeline for when they want to be certified or accredited, and it follows that there is no budget for the Quality department, such is an example of failure to plan which some have equated to planning to fail.
Clause 7_ Support
7.1.4 Environment for the operation of processes
7.1.5 Monitoring and measuring resources
7.1.6 Organizational knowledge
7.5 Documented information
7.5.2 Creating and updating
7.5.3 Control of documented information
It is no secret that implementing a Quality Management System will require a conceited effort and resources form the organization. This section takes look at the items needed to realize the requirements of ISO 9001:2015, resources on hand vs. what needs to be acquired. This includes human resources, equipment and plant resources, software and information systems. Gaps should be addressed through hiring, training and procurement. Where external resources may need to be used these should be evaluated for adequacy, these include consultancy services, external suppliers, external calibration services etc. An important section in this clause is the maintenance and retention of documented information, resources should be made available for this to happen, e.g a small organization any need a computer to type out procedures and a printer to print them out to keep as paper copies while a large multinational may need to invest in an electronic document control system. These decisions have to be made within the context of the organization.
While clause 7 deals with the requirements in the support services or systems, this clause deals with the processes in the actual operations of the organization. Operation planning and control should be done through determination of product and services requirement, establishing criteria for the processes and for the acceptance of products and services, determining the resources needed to achieve conformity to product and service requirements, implementing the control of the processes in accordance with the criteria and maintaining and retaining the documented information to the extent necessary to have confidence that the processes have been carried out as planned and to demonstrate conformity of products and services to requirements. The organization needs to determine the requirements of the products and services as determined by regulatory, legal an industry specific requirements and ensure that these can be met. Customer requirements also need to be sought and reviewed as required with effective customer communication and feedback
The design and development of the products and services can be broken into three phases
1. The pre design stage which involves planning the processes, determining the required input;
2. The actual development stage were the inputs are fed at the beginning of the process, what is important here is to ensure that processes are carried out as documented and that controls are in place to pick any deviations from the requirements
3. The post design and development stage involves the output and evaluation of conformity to requirements
Clause 9_Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.2 Customer satisfaction
9.1.3 Analysis and evaluation
9.2 Internal audit
9.3 Management review
9.3.2 Management review inputs
9.3.3 Management review outputs
It only makes sense that there should be a way to stop and evaluate if the organization is still on track, if the processes are happening as planned. ISO 9001 requires that determination should be made what will be monitored and measured in this evaluation, how frequently this will be done, what methods will be used and how results from these evaluations will be used to improve. Customer Satisfaction evaluations, Internal Audits and Management reviews are requirements to evaluate and monitor the effectiveness of the Quality Management System.
10.2 Nonconformity and Corrective Action
10.3 Continual Improvement
The organization must show that it is committed to continuous improvement through action on findings from performance evaluation activities described in clause 9 and also through identification and control of arising errors//non-conformities. There must be means to ensure that root causes are identified and corrective action aimed at eliminating the errors so that is does not ever occur again. An important part of this clause is the assessment of risk and preventing their causing adverse events.
As you went through this standard, I’m sure most of these are things you do already in your organization, the only problem may be that it is not done systematically. This standard is important in ensuring that all the requirements are addressed and that there is evidence for it, this evidence is what the auditors will want to see during the audit process. When the requirements are met the certification body will gladly confer certification. It can be a long journey towards certification, but with commitment and planning success is guaranteed.
Please feel free to contact me for any clarification, questions, ideas and insights and Let’s reason together.