
You may have seen ISO9001 stated in a tender you have reviewed, seen it in marketing material of a competitor or even read it on the box of a product you have purchased. But what is ISO9001?

ISO9001 is the international standard for quality management systems. The standard originated in Australia as AS3901-1987/ISO 9001:1990 and underwent several changes before the 2000 standard, which the current standard closely resembles apart from slight wording changes.

 

The quality standard is intended to be an international model for the highest standard of business management (not just about making a quality product). The standard is aimed at ensuring you meet the customer's requirements and any other requirements that exist for the product such as standards, specifications, legal requirements etc.

 

The quality standard starts with requirements to document a system. This doesn't have to be a huge document that is too complicated for anyone to read and understand. It just has to be documentation that includes:

  • A quality policy and objectives (can be one page),

  • A quality manual describing your business in relation to the areas of the standard (usually about 20 pages is enough),

  • Six mandatory documented procedures (document control, records management, internal audits, non conforming product/defects, corrective action and preventive action), and

  • Any other documents that you think are required for your business to operate smoothly and effectively. For example, you might document an SOP or a checklist for doing a task that, if not done properly, will have a major impact on the finished product (e.g. mixing chemicals, applying waterproofing membrane, completing CAD drawings etc).

What is ISO9001 Quality Management

Quality Manual


In ISO9001, the quality manual is required to provide an overview of your quality management system. This includes describing the scope of the management system (e.g. 'the ACME quality management system has been established to manage the business processes for provision of design, manufacture, sales and repair of widgets throughout Australia and New Zealand'). The manual must also specify any exclusions to ISO9001 (section 7) such as 'we have excluded 7.3 Design as our company does not undertake any design'. The manual must also include the six procedures or reference them and describe how the business processes interact e.g. a process map.

 

Control of Documents and Records (Must be documented in a procedure(s))

 

The document control clause of ISO9001 requires that you put processes in place to ensure that personnel are using current documents (such as the use of dates and version numbers in a footer), that documents are approved (perhaps the Managing Director reviews and approves all procedures), that documents are reviewed and updated from time to time and that current documents can be accessed in a condition that enables them to be used (e.g. saved on a shared network drive, with old documents removed or labeled superseded).

 

The records control clause of ISO9001 requires that you have a procedure that outlines how to identify what records need to be kept, how long they need to be kept for, where to keep them so they don't get damaged and how to dispose of them (confidential, recycle etc). This includes both hard copy records and electronic records.

 

Management Commitment and Customer Focus

 

These clauses of ISO9001 really just require that you implement other clauses, including creating the quality policy, establishing objectives, conducting management review, providing resources, determining customer requirements and ensuring they are met to enhance customer satisfaction.

 

Quality Policy

 

A quality policy is typically a one page document that describes the overall intent of the quality management system. The content of the policy can be whatever you like as long as it includes commitments to comply with requirements and continually improve the effectiveness of the management system. The policy must also provide a basis for establishing your quality objectives. An example would be that you may have a commitment in the policy to provide exceptional customer service. You could then have an objective to respond to all enquiries within 24 hours.

 

Quality Objectives and Planning

 

It was mentioned above that you need to have quality objectives. The idea is that your overall commitments in the policy will be the outcome of you achieving your quality objectives. For example, the policy might say you are committed to defect-free handover of all construction projects and then you may have a quality objective for three people to conduct a defects inspection prior to handover. This can be complemented with other objectives such as no more than 10 defects identified during the first inspection, or even a step before this with construction checklists completed for each trade at each location in the job. The standard is not specific here; it's up to you to decide what would really make you the best company in your field and set objectives to achieve this outcome. The only requirement is that the objectives are established for each relevant level within the business (top down to the coal face) and that they are measurable and consistent with the commitments in the policy.

 

Of course objectives will need to be reviewed, monitored and tracked to ensure you are achieving your goals and the goals remain relevant.

 

Responsibility and Authority

 

The responsibilities for each person working at the company need to be defined and communicated. There are several ways of doing this including job descriptions for each person, listing responsibilities in the quality manual and listing responsibilities within procedures. In addition to responsibilities, authorities also need to be defined and communicated. This is commonly through an organisation chart.

 

Management Representative

 

You need to allocate a person within the company who is considered to be part of management and who will have the overall responsibility for ensuring that the quality management system processes are established, implemented and maintained. This person also needs to report to top management on the performance of the quality management system. This reporting doesn't need to be specifically written reports, but should at least be through a meeting of some sort and minuted. These responsibilities need to be specified somewhere such as in the manual or in the person's job description.

 

Internal Communication

 

This simply requires that you put in place methods for internal communication and that these methods include communication about how well the quality management system is working. This could be informal discussions and emails for a small company or may be a more formal regular meeting for a larger company.

 

Management Review

 

The Management Review clause requires that the top management of the company review how the company is performing by analysing certain information such as policy, objectives, results of audits and inspections, feedback and complaints from customers and staff, product and process conformity, outstanding actions, changes and opportunities for improvement. The standard leaves determining the frequency up to the company, but it is generally expected by external auditors that this will be at least once a year. In reality, if you only thought about these things once per year, you probably wouldn't make it to the next year. Also, you probably talk about these things in different meetings at different frequencies. That is fine; as long as you are covering these items you can do it however best suits your business.

 

Competence, training and awareness

 

Competence requirements for each position that may affect the product must be defined. Because many jobs have no mandatory formal qualification, this can sometimes be difficult for organisations. Typically the competency requirements may include experience, formal or informal training courses and any other type of training. An easy way to present this is by way of a competency matrix that shows each position and the required qualifications, training and skills.

 

The competency requirements established in the previous paragraph can then be used to identify what training needs an individual may have. Any gaps that exist must be addressed by providing appropriate training. This training needs analysis is often conducted at the time of recruitment, annual performance review and when considering promotion. The effectiveness of the training needs to also be assessed. This could be by way of a competency assessment following training, test/quiz, performance review etc.

 

In addition to having the competency to carry out their tasks, personnel must also be made aware of the relevance and importance of the work they do and how they contribute to the quality of the product and the company's objectives. An induction could be an example of this.

 

Records must be maintained to demonstrate that personnel meet the competency requirements that were established above. This will typically be personnel files with copies of certificates and maybe a training register that summarises it all.

 

Infrastructure and Work Environment

 

These clauses require that you provide adequate infrastructure and work environment to meet the customer requirements. For example, appropriate tools and equipment, computers and IT equipment, software, safe and clean environment etc.

 

Planning of product realisation

 

ISO9001 requires in this clause that you plan the delivery of the product/project/service. This includes establishing quality objectives and requirements for the product, establishing processes and documents, identifying resource needs, required verification, validation, monitoring, measurement, inspection and testing requirements, and records required to be kept from the process.

 

The output of this planning is commonly in the form of a quality plan, product delivery plan, set up of a project within a database etc.

 

Customer related processes

 

ISO9001 requires that you determine the requirements for the product. This includes specified customer requirements, unspecified but expected customer requirements, statutory and regulatory requirements as well as any other requirements. An example of this would be for an architect. They have requirements specified by the customer in the form of a brief that may include 4 bedrooms in a house, a swimming pool etc. They have unspecified requirements like the house will have a front door, a roof etc. They have statutory and regulatory requirements such as the house must comply with the Building Code of Australia (BCA), requirements of the local government's LEP etc.

 

Once the requirements have been identified, they must be reviewed by the organisation to confirm that the requirements are clearly defined, any issues are resolved and that the organisation has the capacity (resources, skills, financials etc) to provide the product in accordance with requirements. Where requirements are not documented, there should be a process to confirm with the customer. For example reading back a customer order, return brief, email etc.

Records from this review are required by ISO9001 to be kept. This particular record keeping requirement can be difficult for companies as often this review is an internal discussion and not something that is documented. Examples of records could be meeting minutes, tender review form and sometimes even the completed tender submission itself.

 

Customer communication processes must also be established, such as communicating product information (product data sheets, safety data sheets, specifications etc), handling enquiries, contracts and orders, and handling customer feedback and complaints.

 

Design and development

 

This clause is a common exclusion claimed by organisations. If your company does not carry out any design then it can be claimed as an exclusion in the scope section of the quality manual. If you do design, then read on.

 

The design process is required to be systematically planned to determine design and development stages, required design reviews, verification and validation for each stage and responsibilities for design processes. The output of this process is commonly in the form of a design plan, product development plan etc.

 

In addition to the design planning, the design inputs and outputs are required to be identified and recorded. Inputs are the items or information used to complete the design for example specifications, standards, design brief, performance requirements, lessons learnt from other designs etc. Outputs of the design could be drawings, specifications, calculations, CAD files etc.

 

During the design process, design review, design verification and design validation activities are required to be undertaken. Design reviews are generally completed at stages during the design processes to confirm that the design is progressing in the right direction and will likely meet the requirements. Design verification is typically carried out on or near completion of the design to confirm that the completed design/outputs have met the design inputs. Design validation is completed at the end of the design process to confirm that the finished product actually works and performs as intended for example prototyping.

 

If a design change occurs, ISO9001 requires that it is identified and records are maintained. The change must be reviewed to confirm it doesn't impact other parts of the completed design and also be subject to the same review, verification and validation as the initial design.

 

Purchasing 

 

ISO9001 requires that controls be implemented in purchasing to ensure that the products / materials / services that are purchased for your product conform to requirements. It also requires that the company you are purchasing from is evaluated against defined criteria. To do this, criteria must be established. The criteria can be anything that you think is important and could impact your service to your customer. For example, criteria may include a quality management system, past experience, accreditations, compliance with standards, capacity to supply etc. As well as evaluating the supplier initially, ISO9001 requires ongoing re-evaluations. This is at a frequency you determine (e.g. annually) and could be against the original criteria or different criteria. Records of these evaluations are required to be kept. Examples of records generally include supplier evaluation forms, supplier questionnaires, approved supplier register etc.

 

Once the suppliers have been assessed and approved, ISO9001 requires that you communicate your requirements clearly to the supplier. This could include requirements for approval of product, procedures, processes and equipment; requirements for qualifications of their personnel and quality management system requirements. This is commonly through purchase orders, subcontracts etc.

 

When the products or services are purchased, you are then required to verify that what you have been supplied is correct. This could include delivery inspections, testing of supplied parts and in some cases visiting the supplier's premises to observe the manufacturing process or inspect the product prior to delivery.

 

Production and service provision

 

This section of the standard is all about controlling the work. It requires that information be provided that describes the job to be done (work instructions, specifications, standards, drawings, picking list etc depending on the industry). It also requires that suitable equipment be provided, that calibrated monitoring and measuring equipment be provided, that monitoring and measurement be carried out and that product release, delivery and post delivery activities be specified and completed.

 

If your product or service cannot be verified prior to use by the customer, then you must implement processes to validate the product. This includes specified methods, defined criteria for review and approval of processes, approval of equipment and qualifications, record keeping requirements and any revalidation.

 

The product and materials must be traceable throughout the product realisation process. For example, lot numbers, grid reference on plans, batch numbers etc.

 

Any customer property provided for use in the finished product must be identified, verified and safeguarded.

 

The product/service must be protected whilst it is being completed, for example a builder leaving protective film on materials such as bench tops or bath tubs whilst the building is still under construction.

 

Control of monitoring and measuring equipment

 

You are required to determine any monitoring and measuring (test) equipment that will be used and identify what calibration requirements exist. Equipment requiring calibration must be kept calibrated in accordance with the manufacturer's requirements. For example, a pressure gauge, laser level etc.

 

Equipment that is calibrated must be verified at specified intervals, or prior to use. Equipment must be kept safe from damage (not bouncing around in the back of a truck). Where equipment is found to be out of calibration, previous measurements must be rechecked with a calibrated item.

 

Records of calibration must be kept such as calibration certificates, calibration register, receipts etc. Where possible calibration should be carried out by a NATA accredited provider.

 

Customer Satisfaction

 

ISO9001 requires that you monitor information relating to customer perception. This does not specifically mean you must use a customer feedback form. In fact, customer feedback forms are probably the least effective way of obtaining feedback. The standard does not specify how you must obtain this information, only that you determine how you will do it and what you will do with the information.

 

Some possible methods include informal discussions with customers where you ask some planned questions about your performance. Answers should be recorded when convenient either on an internal form or in a register. Another method could be conducting an annual review of repeat business and trying to identify what aspects of your service have supported this so they can be repeated with other customers. Likewise, lost business can be a valuable source of information.

 

Internal audit (Must be documented in a procedure)

 

ISO9001 requires that you plan internal audits. This is commonly through a schedule.

 

You must then conduct internal audits at the time you planned by reviewing the implementation and effectiveness of your procedures. Records of audits must be kept, usually in the form of an internal audit report.

 

Internal audits are an area where many companies receive non conformance in certification audits. It is really not a difficult process, however it is often misunderstood. There are greedy training organisations out there who stretch out training on internal audits over 2 days! All an internal audit is, is reading through your procedure, identifying everything your procedure says you are going to do and making a list, then going out and looking for evidence that it is happening and that it is working.

 

Monitoring and measurement of Processes

 

Monitoring and measurement of processes is often covered by internal audits. Processes are the series of events that make up a procedure. The intention of monitoring and measurement of processes is identifying the high risk areas of your production and service provision that impact the finished product and monitoring these processes.

 

Monitoring and measurement of product

 

Monitoring and measurement of processes above is about monitoring the processes that produce the product. Monitoring and measurement of product is about monitoring the product itself. You will have seen the output of this clause in most electronic products you buy where in some inconspicuous place there will be a little sticker that says QC or quality check or similar. This is often carried out at completion of the product or completion of constituent parts of the product. These could be inspection and testing checklists, testing, independent review etc. ISO9001 requires that records are kept and that these records identify who approved the product for delivery to the customer.

 

Control of non conforming product (Must be a documented procedure)

 

Where the product does not conform to requirements, action must be taken to control it and prevent its unintended use. Non conforming product must be dealt with by taking action to eliminate or fix the non conformity, authorising release as is under the consent of the customer, taking action to preclude its use (quarantine) or taking action appropriate to the effects or potential effects if the product is already in use.

 

Corrected non conforming product must be subject to the monitoring and measurement of the original product and records must be maintained and used to prevent future occurrence.

 

Analysis of Data

 

ISO9001 requires that appropriate data be collected and reviewed to demonstrate that the quality management system is effective and identify any areas for improvement. This data includes customer satisfaction, product conformity, characteristics and trends of processes and products and suppliers. This trends analysis is often completed as part of the management review process described above but can be carried out through any process or combination of processes.

 

Corrective and Preventive Action (Must be a documented procedure)

 

If something goes wrong or is not working effectively then you are required to undertake an analysis to identify the cause(s) of the non conformity and take suitable action to address the cause(s). The standard separates corrective action and preventive action. Corrective being when the non conformity has occurred and preventive being when a potential non conformity is identified that has not yet occurred. The intent of the clauses is the same in that you will fix the cause and not just the outcome (bandaid solution).

 

The Clauses of ISO9001 and a brief explanation
