Q&A from the recent ISO 9001:2015 Webinar
NQA Assessor Kevin Gunn has answered your questions from the last ISO 9001:2015 webinar in August.
If you disclaimed clause 7.3 of the old standard, can we do the same with the new standard?
All references to “exclusions” in ISO 9001:2008 sub-clause 1.2 “Application” have been removed.
This is because all of the requirements in ISO 9001:2015 are intended to be applicable to all Organisations and any products and services.
However, ISO 9001:2015, Annex A.5 recognises that there may be circumstances where it is impossible for an Organisation to conform to a specific requirement – for example, where it does not operate a “required” process. In these instances, the Organisation can deem the requirement “not applicable” providing this does not affect its ability to supply conforming products or services or compromise its aim to enhance customer satisfaction.
Clause 4.3 requires the QMS scope to contain the justification for any requirement that the Organisation determines is not applicable to the scope of its QMS. Furthermore, the Organisation cannot claim conformity to ISO 9001:2015 if this impacts the Organisation’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.
In the case of claiming Clause 7.3 – Design and Development as an exclusion against the ISO 9001:2008, this can still be claimed as not applicable against the ISO 9001:2015 Standard under Clause 8.3 as long as it is justified accordingly.
How much detail do you expect to be given on the gap analysis tool and must all sections be filled in?
Prior to the Transition Audit being undertaken, clients are required to complete table 1 (New Concepts) of the relevant transition checklist and strongly encouraged to also complete table 2 (ISO 9001:2015 Requirements).
Clients are also encouraged to complete an Internal Audit and a Management Review against the new standard as this exercise serves both to ensure that all requirements have been addressed in the management system and to provide easy reference to these requirements during the Transition Audit.
If you don't document your Interested Parties, how can you provide objective evidence that you have reviewed it?
The easiest way to provide objective evidence that you have reviewed your particular Interested Parties is to document the discussion within the minutes taken during you routine formal Management Review meetings.
Having already produced a list of typical Interested Parties and their needs and expectations allows a focus for subsequent meetings.
(Applicable Clause - 9.3.2 Management Review Inputs, b) changes in external and internal issues that are relevant to the quality management system and c) information on the performance and effectiveness of the quality management system, including trends in customer satisfaction and feedback from relevant interested parties.
There is nothing within the 2015 Standard which prevents you from just adding a “last reviewed date” to the documented list of Interested Parties which coincides with the date of the last Management Review meeting to confirm this approach.
Providing “Competence” always appears to be the hardest to established are you able to shed some light on this?
Clause 7.2 is essentially an amalgamation of ISO 9001:2008 sub-clause 6.2.1 “Human Resources – General” and sub-clause 6.2.2 “Competence, training and awareness” (save for requirement 6.2.2 d), which now transfers to ISO 9001:2015 clause 7.3 “Awareness”.
The Organisation must determine the competency requirements for those people performing work under its control.
Once these competency requirements have been determined, the Organisation must then ensure that those people possess the necessary competencies, either on the basis of appropriate education, training or experience.
The Organisation is required to take action to acquire the necessary competence. Actions taken need to be evaluated for effectiveness.
The Note in this clause gives examples of applicable actions, such as training, recruitment or use of external people.
If there is a competency deficiency, action must be taken to achieve competence or to gain the necessary competencies from other sources, for example, recruitment or use of external people. An assessment needs to be subsequently undertaken to determine whether this has been successful in raising competence to the required level.
Organisations must retain appropriate documented information (records) to evidence competence.
If you’re relocating the company over the next 6 months the transition audit will fall in-between the move, can we postpone the audit till the move is completed?
Under the current UKAS requirements, the maximum permissible time in between Audit is 15 months.
It is strongly suggested that if you foresee a potential issue such as this, that you contact your dedicated Client Executive and/or your assigned Assessor to determine the absolute latest that the Audit can take place (as long as your current Certification is not allowed to expire).
Can you recommend literature on process audit?
Please use the following links to the NQA Website for further guidance in conducting effective Process Audits.
Webinar: https://www.nqa.com/en-gb/resources/events/webinar-top-tips-for-effective-process-auditing
Assessor Blog: https://www.nqa.com/en-gb/resources/blog/january-2017/effective-internal-audits
Do we need to audit the provision of necessary persons, i.e. workload and Organisational structure?
Sub-clause 7.1.1 updates ISO 9001:2008 clause 6.1 “Provision of resources”.
It requires an Organisation to determine and then provide all the resources necessary to establish, implement, maintain and continually improve its quality management system. Resources include people (7.1.2), infrastructure (7.1.3), the environment for the operation of processes (7.1.4), monitoring and measuring resources (7.1.5) and Organisational knowledge (7.1.6).
In doing so, the Organisation is required to consider both the capabilities and constraints on its existing internal resources as well as what needs to be sourced from external providers.
The explicit reference in ISO 9001:2008 clause 6.1 b) to “identifying resources needed to enhance customer satisfaction” has been deleted from sub-clause 7.1.1. (although this is implicit).
There is now an explicit requirement to consider both internal and external QMS resource requirements.
Auditors must now evidence that Organisations have considered their need for external resources in addition to their need for internal ones.
Sub-clause 7.1.2 requires an Organisation to provide those people necessary for the effective operation of its quality management system and its processes in order that it can consistently meet customer and applicable statutory and regulatory requirements.
This is essentially an existing requirement separated out from ISO 9001:2008 clause 6.1 “Provision of resources”.
Will auditors be looking for formal training as an auditor to the new standard?
The requirements of the 2015 Standard is a significant enhancement of what was the requirements of the 2008 Standard therefore it is highly recommended that existing Internal Auditors undertake some form of conversion training.
ISO 19011 states that, in terms of determining Auditor competence; Auditors should possess the knowledge and skills necessary to achieve the intended results of the audits they are expected to perform.
We are already trained as auditors is this sufficient?
See answer to question 8.
The requirements of the 2015 Standard is a significant enhancement of what was the requirements of the 2008 Standard therefore it is highly recommended that existing Internal Auditors undertake some form of conversion training.
ISO 19011 states that, in terms of determining Auditor competence; Auditors should possess the knowledge and skills necessary to achieve the intended results of the audits they are expected to perform.
Where can I purchase a copy of the 2015 standard?
NQA would suggest purchasing a copy from the ISO Standards Catalogue: https://www.iso.org/store.html
If you decide to stick to procedures which in some causes include flowchart processes would this cause any concerns during external audit?
No concern whatsoever, modern Management Systems tend to be a mixture of various formats, as long as they reflect the Process in question and achieve the desired outcome.
Effective processes can demonstrated by means of flow charts, a narrative approach or a combination of both.
If you are just starting out with ISO standards where would you recommend you start?
Get a copy of the relevant Standard - latest version i.e. ISO 9001:2015 (NQA would suggest purchasing a copy from the ISO Standards Catalogue: https://www.iso.org/store.html
- Consider the resources which are going to be needed (including a suitable candidate who will be the Quality Manager (Management Representative), Quality Engineer etc, someone with extensive product / service knowledge would be preferable)
- Source an IRCA Registered training provider and let them advice you on the best course of action depending on your circumstances
- Arrange a training course for the Manager (Management Representative) who is going to be expected to establish, document, implement and maintain your Quality Management System
- Consider Internal Auditing and arrange a suitable training course for the likely Internal Auditor
- Consider the hierarchy of documents likely to be needed which will form the basic structure of your QMS which meet the requirements of the Standard i.e.:
- Policy
- Procedures
- Processes
- Work Instructions
- Forms
- Etc
- Alternatively, consider employing the services of a suitably competent Consultant to assist you in the early creation of your QMS and prepare you for the 2 Stage Certification Process (NQA can suggest three NQA approved Consultants if this is your preferred option)
- Contact a UKAS Accredited Certification Body (CB) of your choice one your QMS has been established an implemented
- NQA come highly recommended!
What does it mean by an integrated audit and integrated processes?
System
An Integrated Management System (IMS) is a management system which integrates all components of a business into one coherent system so as to enable the achievement of its desired outcome.
Integrated means combined i.e. putting all the internal management practices into one managed Management System. (Commonly a mixture of ISO 9001, ISO 14001, OHSAS 18001).
Common areas between the Management Standards and the necessary Processes involved in order to robustly achieving compliance with the requirements of these Standards may be integrated in order to:
- Achieve consistency
- Improve internal and external communication
- Avoid duplication and gain cost savings
- Identify and rationalise conflicting responsibilities and relationships
- Harmonise and optimise Processes
- Identify and facilitate staff training and development
Processes
Once the Processes / common Elements which can be easily integrated have been identified, typically:
- An integrated documentation set
- Management Reviews
- Internal Audits
- Policy
- Objectives
- Systems and Processes
- Improvement mechanisms
- Leadership, Management Support and Responsibilities
Audits
Integrated Internal Audit maybe conducted by suitably competent Auditors which can reduced the Audit Load for the business.
How do you review risk in a management review?
One suggested way is to create a Risk Register which lists and prioritises all the identified Risks i.e. Business, Process, Product, Service, Internal, External etc. (many approaches accepted – most common PESTEL, SWOT etc).
Once this Register has been established and internally sanctioned by Top Management, the same Register can be used to review the current status during each subsequent Management Review.
However, the Risk Register should also be reviewed following:
- New product development
- Introduction of a new Process
- Before implementation of an improvement / Corrective Action
- On the discovery of a Non-Conforming Product/Service
- etc
What would be your most important key tip for a successful transition?
There is not one definitive tip, more like a number of key tips:
- Allow plenty of time to prepare and make the necessary changes to you QMS (considering , in most cases, daily activities can divert and distract, allowing in the region of 6 to 12 months is reasonable)
- Get Top Management commitment and convey the significant differences the 2015 Standard shall require
- Arrange suitable (IRCA recognised / Certified) transition / conversion training for the key members of staff
- Get a copy of the 2015 Standard
- Research, research and more research to get the best understanding of the key changes to the 2015 Standard
- Decide on the future structure of your QMS. You may decide to change the structure due the differences that Annex SL (common text and structure) will bring to the design, operation and performance of your QMS
- Create a Plan – allocate responsibility and share the load if possible
- Adopting the Process approach can involve a significant mind-set change in some businesses. Confirm Process ownership early on in the Process, this should be driven downwards as a positive change by Top Management. (Pictorial demonstration of the Interaction of Key Processes is also explicit in the new Standard and is often overlooked
- Consider what would be the most effective way to demonstrate and routinely review:
- Context of the Business
- Interested Parties and their need and expectations
- Risk
- Identification
- Mitigation
- Tolerance v Acceptance v non-acceptable Risk
- Risk Based Thinking
- Recording and prioritising
- Top Management involvement, commitment
- Internal and External Issues you have to deal with on a daily basis
- Obtain a copy of the latest version of the NQA ISO9001:2015 Gap Analysis which will need to be completed as part of the transition process
- Talk to both your allocated Assessor and the wider NQA team, they are equipped to deal with any questions you may have relating to the standard changes – all you have to do is ask – we are here to assist you through this process to successful completion!
Instead of having a long wordy document for the QMS would it be ok to enlarge and complete the Plan Do Check Act cycle (as a wall chart/ pictogram) to reflect our working practices and reference to supporting documents i.e. the risk register?
Modern Management Systems tend to be a mixture of various formats, as long as they reflect the Process in question and achieve the desired outcome. Effective processes can demonstrated by means of flow charts, a narrative approach or a combination of both.
Depending on the nature and complexity of the Business, Turtle Diagrams are an effective way to demonstrate the Interaction and Inter-dependency of Key Processes.