ISO 9001 defines a series of requirements that an organization has to fulfil in order to have a functional quality management system (QMS) and obtain certification.
Below we explain the requirements of ISO 9001:2015 but it’s important to highlight that, although the requirements are generic, they have to be applied to the specifics of the organization, its products and services.
The requirements are grouped into 7 major chapters: context of the organization, leadership, planning, support, operation, performance evaluation and improvement.
Context of the organization
– The organization is required to identify internal and external issues relevant for its purpose and strategic direction. Examples of internal issues can be: the structure and governance of the organization, resources and capabilities, organizational culture, existing contractual relations, etc., while external issues can be related to the political and economic situation, financial markets, availability of key resources and workforce, etc.;
– Interested parties and their relevant needs and expectations are to be determined by the organization. Some examples of interested parties are: customers, suppliers, employees, community, partners, final users of products and services, etc.
– ISO 9001 requires the organization to define the scope of the QMS – activities and locations included in the management system and, if any, the requirements of the standard that, given the specifics of the organization’s activities, are not considered applicable (e.g. requirement 8.3. Design and development – in case no design and development activities are performed by the organization);
– The processes in the organization as well as their succession and interaction have to be identified (a process transforms input elements into outputs and outputs from one process can become input elements into the next – e.g. outputs from the purchasing process (i.e. products and services purchased) are inputs into the manufacturing or service provision process).
Defining the context of the organization is meant to ensure that the organization is aware of the external and internal realities of its environment, the interested parties and their requirements and takes into consideration those elements in its operations.
Leadership
– Top management needs to support the QMS, to demonstrate commitment to the continual improvement of the system as well as to ensure the organization maintains the focus on its customers.
– Top management should define and communicate inside the organization a quality policy and define roles, responsibilities and authorities for personnel, including roles and responsibilities for the administration and improvement of the quality management system.
In order to have a functional QMS and get benefits from its implementation, the involvement and support of top management are key.
Planning
– Starting from the internal and external issues as well as needs and expectations of interested parties (identified as part of the context) the organization has to identify and treat relevant risks and opportunities to give assurance that the QMS achieves intended results, to enhance desirable effects, prevent or reduce undesired effects and achieve improvement.
ISO 9001:2015 does not specifically require a certain approach to the identification of risks and opportunities, nor does it require a formal risk assessment. Still, the organization has to demonstrate that it uses risk-based thinking and that there are actions meant to address the risks and opportunities identified. Obviously those actions have to be proportionate to the potential impact on the conformity of products and services.
– The organization is required to establish quality objectives, to plan their achievement and to monitor the achievement of quality objectives.
– When it plans to make changes to its QMS the organization is required to implement the changes in a planned manner.
Support
– The resources needed for the implementation of the QMS as well as for the operation and control of processes shall be available.
– The organization must provide and maintain the needed infrastructure (buildings, utilities, equipment, software, IT&C, etc.) depending of course on its activities, products and services.
– The environment for the operation of processes (including here physical factors like temperature, humidity, hygiene, light, etc.; psychological factors – e.g. stress reduction, burnout prevention; and social factors like a non-discriminatory and non-confrontational attitude) shall be available. Obviously the environment for operation of processes varies depending on the specifics of the organization and its activities.
– The organization has to identify, provide and maintain the appropriate measuring and monitoring resources needed to verify the conformity of its products and services. If for this purpose the organization uses measuring and monitoring equipment that requires calibration/verification then this equipment shall be available as required.
– The organization shall have access to the relevant knowledge needed to operate its processes and to achieve conformity of its products and services. Sources to obtain this knowledge differ according to the specifics of every organization (e.g. experience, intellectual property, industry standards, academia are just a few examples).
– ISO 9001 requires that the organization identifies the needed competence for persons doing work under its control and ensures that those persons are competent. Whenever appropriate, the organization should act to ensure people acquire the needed competence using different methods (training being the most popular but mentoring or re-assigning responsibilities represent other options).
– Personnel shall be aware of the quality policy and objectives, their contribution to the effectiveness of the QMS as well as the implications of not conforming to requirements.
– Effective communication (internal and external) processes shall be in place.
– The quality management system shall be supported by documented information. The extent of the documentation differs depending on the structure and size of the organization, on its activities, products and services. The organization shall establish controls for creating and updating the QMS documented information (defining a format for the documents, the media – paper and/ or electronic, controls for the review and approval of documents). Also the standard requires controls of documented information with regards to access, distribution, retrieval, use, storage, preservation, control of changes, retention and disposition. Those controls refer to both documents elaborated inside the organization and documents of external origin (e.g. documents from clients, external suppliers, etc).
Operation
– ISO 9001:2015 requires the organization to plan, implement and control the processes needed for the provision of products and services to its customers.
– Outsourced processes (subcontracting) that have an impact on the conformity of products and services shall also be controlled.
– Proper communication with customers shall be in place with regards to: providing information relating to products and services; handling enquiries, contracts and orders including changes; obtaining customer feedback including customer complaints; handling or controlling customer property and establishing requirements for contingency actions when required depending on the specifics of products and services.
– The organization shall ensure that the requirements for products and services it intends to place on the market are established and it can meet the claims for the products and services offered.
– It is required that, before committing to supply products and services to a customer, the organization performs a review that confirms it has the capability to provide the respective products and services as required.
– In case the organization performs design and development activities this process needs to be appropriately controlled to ensure its results are adequate. The following aspects are required by ISO 9001:2015: planning of design and development; identification of input elements to design and development (essential requirements for products and services designed) as well as output elements from design and development; implementing controls to the design and development process (including reviews, verification and validation of design and development); identification and review of changes to design and development.
– The organization is required to ensure that processes, products and services purchased from external providers conform to requirements. ISO 9001:2015 requires the organization to define and apply criteria for the evaluation/re-evaluation, monitoring and selection of suppliers and to implement controls for products and services obtained from external providers, taking into consideration the potential impact on the organization’s own products and services.
– The organization must use suitable means to identify products and services in order to ensure traceability.
– Property of customers or external providers (including here both tangible and intangible property) that is under the control of the organization shall be adequately protected.
– The standard requires that, depending of course on the specifics of its products and services, the organization provides adequate preservation conditions (including here aspects like identification, handling, packaging, contamination control and transport).
– Post-delivery activities shall be planned and performed as required (depending on the products and services post-delivery activities may refer to warranties, legal and contractual obligations, maintenance services, recycling or final disposal, etc).
– ISO 9001 requires that prior to the release of its products and services the organization performs all needed verifications to ensure requirements have been fulfilled.
– When nonconforming outputs (products and services) are identified the organization shall take appropriate actions based on the nature and effect of the nonconformities. Such actions include: correction, segregation, containment, return or suspension of provision, informing the customer, etc.
Performance evaluation
– ISO 9001:2015 requires the organization to evaluate the performance and effectiveness of its QMS.
– Information on customer satisfaction (the customers’ perception of the degree to which their needs and expectations have been fulfilled) shall be obtained and reviewed. The methods to obtain customer satisfaction information are at the choice of the organization (e.g. customer surveys, meetings with customers, warranty claims, market-share analysis, etc).
– At planned intervals the organization shall perform internal audits of the quality management system to ensure it conforms to the requirements of ISO 9001:2015 and is implemented and maintained.
– Top management is required to review periodically the QMS to ensure it continues to be adequate, effective and in line with the strategic direction of the organization.
Improvement
– The organization has to identify opportunities for improvement and act to improve the products and services in order to enhance customer satisfaction.
– Whenever nonconformities are identified (including those arising from complaints) the organization needs to apply corrections (aimed to control the nonconformity and its consequences) and corrective actions (meant to eliminate the cause of the nonconformities).
Those are, in short, the requirements of ISO 9001:2015. As mentioned at the beginning, the requirements have to be understood and adapted in relation to the specifics of the organization, its products and services.