There’s quite a bit of sorcery surrounding ISO 9001 and it’s often consultants who proliferate that view, but we’re going to provide the simplest explanation of what you have to do to comply with ISO 9001 in as few words as possible.
ISO 9001:2015 is 19 pages long and around 7000 words excluding the Foreword, Introduction and Annexes. This article aims to distil ISO 9001 into something smaller and easier to digest which, if complied with, should still get an organisation through a certification audit (please don’t hold us to that and use this as an excuse not to buy the standard 😊).
What we have developed is a set of instructions one tenth the size of the standard which has just 25 steps to compliance. It also provides some links to more resources for additional guidance material if required:
1. Understand what your organisation does, where it does it and who for.
2. Understand who has an interest or stake in your organisation and what they expect from you.
3. Establish who does what in your organisation, what qualifications, competences and experience they need and who reports to whom.
4. Understand what risks and opportunities your organisation faces.
5. Write a policy to encompass Item 1, the general quality requirements you intend to abide by, the fact that you intend to improve your system and how you intend to set objectives.
6. Determine what you plan to do about those risks and opportunities.
7. Establish objectives for the organisation and, where possible, establish them around activities which reduce the risks and promote the progress of opportunities (i.e. controls).
8. All organisations have a risk of process failure, so understand what controls each process needs to have in place to ensure it doesn’t fail.
9. Some of the process controls should include activities to satisfy those who have an interest or stake in your organisation.
10. Whether you provide products or services to your customer, make sure you know what constitutes ‘good quality’, and establish processes so that you know, and your customers confirm, that you are delivering it.
11. Make sure you know what you need to undertake your work (materials, plant, equipment, resources, environment, infrastructure, etc.) and any requirements these must meet, and provide them. Make sure you review this to ensure what you need to undertake activities continues to be available.
12. Ensure your staff are competent to undertake their work and, where they aren’t, provide supervision and training until they are.
13. Ensure your external providers (suppliers, contractors, subcontractors) providing quality critical goods, services and processes know what your quality requirements are and meet them. Establish this before engaging them and then manage their performance once engaged.
14. Understand your customer’s requirements (even things they might not say or know) and ensure those requirements and what you are providing are adequately documented (even if they change) so that they are never in dispute.
15. Make sure any design activity adequately documents requirements, is controlled, considers risks and confirms that the output effectively addresses all the requirements (see Design procedure resource).
16. Make sure that adequate records exist to allow you to trace critical information for issues to determine their cause and the true extent of the issue (critical info. such as materials, equipment, people, dates, document versions, etc.).
17. Where things go wrong, have a process for assessing them which investigates the cause, immediately takes action to prevent further things going wrong, notifies the customer if necessary, takes action to fix the issue and confirms it was effective, and prevents it (or anything similar) from happening again.
18. Monitor and measure what is important to the:
    - quality of your products, services and processes
    - provision of evidence of compliance
    - organisation (i.e. its objectives).
19. Conduct internal audits using trained auditors against a program focused on the implementation of the organisation’s controls established to manage the risks and opportunities.
20. Where significant quantities of data are obtained through monitoring and measurement, analyse the data and establish methods to predict future risks or opportunities to be acted on.
21. Have a process which plans and prioritises the actions to be taken, and assigns responsibilities and timescales.
22. Document all of the above (as a requirement in your system and as records providing proof of meeting requirements), include any external documents necessary for staff to do their work, make it available to staff, protect it from unauthorised amendment, and make sure staff can find the parts that are important to them and that it is clear what is and isn’t current.
23. Ensure staff understand how they contribute to quality and the organisation’s objectives.
24. Ensure your system is being used, by using it as the backbone of your business. If it’s important, it should be written down. If it’s written down, it’s either part of your management system or a record of activities and should be trustworthy.
25. Review the management system and items 1-24 at least annually and, if the review finds things have changed or failed to keep up with change, take action in accordance with Item 21.