Understanding ISO 9001:2008 Quality Management System
Chapter – 3
QUALITY MANAGEMENT SYSTEM – GENERAL AND DOCUMENTATION REQUIREMENTS
Author – K. R. Singhal
There are following clauses under this section:
4.1 – General requirements
4.2 – Documentation requirements
General requirements
(Please refer to Clause 4.1 of ISO 9001:2008)
The organization is required to carry out the following in accordance with the requirements of ISO 9001:2008 Standard:
establish a QMS
document a QMS
implement a documented QMS
maintain a established and documented QMS
continually improve effectiveness of the QMS
The organization must determine the processes needed for the QMS and their application throughout the organization. In this connection please see Clause 1.2 of ISO 9001:2008, which deals with the application of ISO 9001:2008.
The word ‘identify’ (mentioned in ISO 9001:2000) has been replaced by the word ‘determine’ in the new version. Accordingly, as per ISO 9001:2008 now the organization needs to determine (instead of identify) the processes needed for the quality management system and their application throughout the organization. After the word ‘measure’ the term ‘(where applicable)’ is added. Accordingly, as per ISO 9001:2008, organization needs to monitor, measure (where applicable), and analyze these processes.
The organization must determine the sequence and interaction of such processes (which are determined by the organization and needed for the QMS).
The organization must determine criteria and methods needed to ensure the effectiveness of operation and control of such determined processes.
The organization must:
monitor such determined processes
measure (where applicable) such determined processes, and
analyze such determined processes
The organization must implement actions necessary to achieve planned results and continual improvement of such determined processes.
Such determined processes must be managed by the organization in accordance with the requirements of ISO 9001:2008.
Where any process that affects product conformity to requirements and an organization chooses to outsource such process, the organization must ensure control over such process. The organization must define within the QMS:
the type of control to be applied to such outsourced processes, and
the extent of control to be applied to such outsourced processes
Three notes have been mentioned at the end of this clause in ISO 9001:2008, clarifying (i) processes needed for the QMS, (ii) an outsourced process, and (iii) responsibility of the organization. Accordingly,
Processes needed for the QMS include (a) processes for management activities, (b) processes for provision of resources, (c) processes for product realization, and (d) processes for measurement, analysis and improvement.
An outsourced process is identified as the process being needed for the QMS of the organization and such process being chosen to be performed by an external party.
Ensuring control over outsourced processes does not absolve the organization of the responsibility to fulfill all customer and legal requirements. The type and extent of control to be applied to the outsourced process may be influenced by various factors and ISO 9001:2008 mentions examples of such factors including (a) the potential impact of the outsourced process on the capability of the organization to provide product. (Here the product is the product that conforms to requirements.) (b) the degree to which the control for the process is shared (c) the capability of achieving the necessary control through the application of clause 7.4. (Clause 7.4 deals with the requirements of purchasing.)
The process approach is having the central approach to ISO 9001:2008 QMS Standard and we have observed that during the last few years, outsourcing activity has increased in organization, so the new version has expanded its requirements for outsourced processes. The new version (ISO 9001:2008 Standard) states a message clearly that an outsourced process is part of organization’s quality management system, even though it is performed by a party external to the organization. The new version (ISO 9001:2008 Standard) also states a message to think carefully about how the organization is going to control outsourced processes.
Additional requirement, the type and extent of control to be applied to outsourced processes need to be defined by the organization within the quality management system, has been added, in the new version. In the first note of this clause, there have been editorial changes. The word ‘should’ (as mentioned in ISO 9001:2000 Standard) has been deleted and after the words ‘…product realization and measurement’ (as mentioned in ISO 9001:2000 Standard), the words ‘, analysis and improvement’ have been added in ISO 9001:2008. Two additional notes (Note 2 and Note 3) have been given in ISO 9001:2008. These additional notes provide more explanation about outsourcing and nature of control to be applied to the outsourced process. According to Note 2 of this clause, an outsourced process is identified as one being needed for the quality management system of the organization, but such process is chosen to be performed by a party external to the organization. Note 3 of this clause clarify the following:
It is the responsibility of the organization to conform to all requirements (related to customer, statutory and regulatory requirements) and ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all such requirements.
The type and extent of control to be applied to the outsourced process may be influenced by many factors.
ISO 9001:2008 mentions the factors that influence the type and extent of control and these include:
The potential impact of the outsourced process on the organization’s capability to provide product. Here product is that which conforms to requirements.
The degree to which the control for the process is shared.
The capability of achieving the necessary control through the application of requirements mentioned in clause 7.4 (Purchasing).
Thus, this clause clarifies requirements with regard to outsourced process clearly and now it is the intention of ISO 9001:2008 that control on outsourced organization and its processes must be included in the quality management system of the organization.
Documentation requirements
(Please refer to Clause 4.2 of ISO 9001:2008)
There are following four sub-clauses in this clause:
4.2.1 – General
4.2.2 – Quality manual
4.2.3 – Control of documents
4.2.4 – Control of records
General
(Please refer to Clause 4.2.1 of ISO 9001:2008)
The QMS documentation must include the following:
documented statement of a quality policy
documented statement(s) of quality objectives
a quality manual
documented procedures required by ISO 9001:2008
records required by ISO 9001:2008
Documents and records (determined by the organization to be necessary to ensure effective planning, operation and control of the processes of the organization)
Three notes have been mentioned at the end of this clause, clarifying (i) documented procedure (ii) the extent of QMS documentation difference, (iii) medium of documentation. Accordingly,
The term ‘documented procedure’ (in ISO 9001:2008) means that the procedure is established, documented, implemented and maintained. It is also clarified that a single document may address the requirements for one or more procedures. Further clarified that a requirement for a documented procedure may be covered by more than one document.
The extent of QMS documentation may differ from one organization to another organization due to (i) the size of the organization, (ii) type of activities of the organization, (iii) the complexity of the processes of the organization, (iv) the interaction of the processes of the organization, and (v) competence of personnel of the organization.
The QMS documentation may be in any form or type of medium.
This clause wordings (in the new version) are reframed, however, having same meaning as stated in ISO 9001:2000, such as –
(i) Quality management System documentation includes records.
(ii) The documents required may be combined.
(iii) The requirements of the standard (ISO 9001) may be covered by more than one document.
(iv)The organization may have a single document for multiple procedures or multiple documents for various requirements of the document procedures (Note 1 of the sub clause is expanded in ISO 9001:2008)
In this sub-clause the word ‘needed’ (mentioned in ISO 9001:2000 Standard) has been replaced by the word ‘determined’ (in ISO 9001:2008). Accordingly, as per ISO 9001:2008, the quality management system documentation of an organization must include the following:
documented statement of quality policy,
documented statement of quality objectives,
a quality manual,
documented procedures and records required by ISO 9001:2008,
documents, including records, determined by the organization, which are necessary to ensure effective planning, operation and control of processes of the organization.
The new version (ISO 9001:2008 Standard) has expanded the definition of documentation to include all QMS processes records.
In Note 1 of this sub-clause (4.2.1), following have been additionally clarified:
That a single document may address the requirements for one procedure or more procedures.
That a requirement for a documented procedure may be covered by more than one document.
Quality manual
(Please refer to Clause 4.2.2 of ISO 9001:2008)
The organization must establish and maintain a quality manual. The quality manual must include:
the scope of the QMS (with details of justification for any exclusions claimed by the organization as per clause 1.2 of ISO 9001:2008)
the documented procedures established for the QMS, or reference to such documented procedures, and
a description of the interaction between the processes of the QMS.
According to Clause 1.2 of ISO 9001:2008, all requirements of ISO 9001:2008 are generic and these requirements are meant to be applicable to all organization regardless of:
type of the organization,
size of the organization, and
product provided by the organization
Where any requirement or requirements of ISO 9001:2008 cannot be applied due to the nature of an organization and product of the organization, such requirement or requirements can be considered for exclusion.
Where exclusion are made, such exclusions are limited to requirements within clause 7 of ISO 9001:2008 and such exclusions must not affect the organization’s ability, or responsibility, to provide product that meets customer and applicable legal requirements, otherwise claims of conformity to ISO 9001:2008 are not acceptable.
If we compare ISO 9001:2000 (old version) and ISO 9001:2008 (new version) there is no change in the requirements of clause 4.2.2.
Control of documents
(Please refer to Clause 4.2.3 of ISO 9001:2008)
The organization must control documents required by the QMS. Records are a special type of document. The organization must control records as per requirements mentioned in clause 4.2.4 (Control of records) of ISO 9001:2008.
The organization must establish a documented procedure to define control of documents. Such documented procedure must include:
controls needed to approve documents for adequacy prior to issue of such documents
controls needed to review documents
controls needed to update documents, as necessary
controls needed to re-approve documents
controls needed to ensure that changes of documents are identified
controls needed to ensure that the current revision status of documents are identified
controls needed to ensure that relevant versions of applicable documents are available at point of use
controls needed to ensure that documents remain legible
controls needed to ensure that documents remain readily identifiable
controls needed to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the QMS are identified
controls needed to ensure distribution control of documents of external origin determined by the organization to be necessary for the planning and operation of the QMS
controls needed to prevent the unintended use of obsolete documents
controls needed to apply suitable identification to obsolete documents if they are retained for any purpose
In this sub clause, the requirements on control of external origin documents have been mentioned to give more clarity. External documents referred to are those needed for use in the quality management system. Now the organization needs to ensure identification and distribution control of documents of external origins determined by the organization to be necessary for the planning and operation of the quality management system. The old version (ISO 9001:2000) had the impression that all external documents needed to be identified and controlled. The new version (ISO 9001:2008 Standard) has clarified that the organization needs to identify and control the distribution of only those external documents that the organization needs to plan and operate organization’s quality management system. We can now say that only relevant external QMS documents need to be controlled, not all of them.
Control of records
(Please refer to Clause 4.2.4 of ISO 9001:2008)
The organization must control records established to provide evidence of conformity to requirements and of the effective operation of the QMS.
The organization must establish a documented procedure to define control of records. Such documented procedure must include:
controls needed for the identification of records
controls needed for storage of records
controls needed for protection of records
controls needed for retrieval of records
controls needed for retention of records
controls needed for disposition of records
The records must remain:
legible
readily identifiable, and
retrievable
There are editorial changes in this clause and requirements of this clause significantly reduced in length but requirements remain unchanged.
Questions
What are the key changes in clause 4.1 (Quality management system – General) in ISO 9001?
How many additional notes have been provided to clause 4.1 (Quality management system – General) in ISO 9001:2008?
What factors influence type and extent of control to be applied to the outsource process as per ISO 9001:2008?
What are the key changes in clause 4.2.1 (Documentation requirements – General) in ISO 9001?
Whether an organization may have a single document for multiple procedures as per ISO 9001:2008?
What are the key changes in clause 4.2.2 (Documentation requirements – Quality manual) in ISO 9001?
What are the key changes in clause 4.2.3 (Documentation requirements – Control of documents) in ISO 9001?
What are the key changes in clause 4.2.4 (Documentation requirements – Control of records) in ISO 9001?
Note from the author
The author of this literature has used his skills and knowledge to his best capacity to provide relevant and the latest information. Utmost care has been taken to ensure correctness and accuracy of the contents. However, omissions and errors, if any, in this literature are regretted. Reader’s suggestion for improvement is welcomed. Readers are requested to send their frank opinion, comment, criticism and assessment of this literature.
The purpose of this literature is to create awareness. Standard document ISO 9001:2008 may be obtained from International Organization for Standardization (ISO) or any member organization of ISO. Readers are advised to have ISO 9001:2008 for reference purpose.
An effort to create awareness .... Editor - Keshav Ram Singhal, Ajmer, India
Welcome!
Welcome!
Please also visit following blogs:
- 'ISO 9001 QMS Awareness' Blog in Hindi
- 'EMS Awareness' Blog
- 'Departmental Inquiry Awareness' Blog
- 'ISO 9001:2015 QMS Awareness' Blog
Academic comments are invited.
Encouragement Support - National Centre for Quality Management. Please become a member of NCQM.
Keshav Ram Singhal
Various information, quotes, data, figures used in this blog are the result of collection from various sources, such as newspapers, books, magazines, websites, authors, speakers etc. Unfortunately, sources are not always noted. The editor of this blog thanks all such sources.
People from more than 145 countries/economies have visited this blog: Afghanistan, Albania, Algeria, Angola, Argentina, Aruba, Australia, Austria, Azerbaijan, Bahrain, Bangladesh, Belarus, Belgium, Belize, Benin, Bhutan, Bosnia and Herzegovina, Botswana, Brazil, Brunei, Bulgaria, Burundi, Cameroon, Cambodia, Canada, Chile, China, Colombia, Costa Rica, Croatia, Cyprus, Czech Republic, Denmark, Dominican Republic, Ecuador, Egypt, El Salvador, Estonia, Ethiopia, European Union, Fiji, Finland, France, Georgia, Germany, Ghana, Gibraltar, Greece, Guatemala, Guyana, Haiti, Honduras, Hong Kong S. A. R. (China), Hungary, Iceland, India, Indonesia, Iraq, Ireland, Israel, Italy, Ivory Coast, Jamaica, Japan, Jersey, Jordan, Kazakhstan, Kenya, Kuwait, Laos, Latvia, Lebanon, Lesotho, Libya, Lithuania, Luxembourg, Macao S. A. R. (China), Macedonia, Malawi, Malaysia, Maldives, Malta, Manila, Mauritius, Mexico, Moldova, Mongolia, Montenegro, Morocco, Mozambique, Myanmar, Namibia, Nepal, Netherlands, New Zealand, Nigeria, Niue, Norway, Oman, Pakistan, Palestinian Territory, Panama, Papua New Guinea, Peru, Philippines, Poland, Portugal, Puerto Rico, Qatar, Rwanda, Romania, Russia, Saint Lucia, Samoa, Saudi Arabia, Saint Kitts and Navis, Serbia, Seychelles, Singapore, Slovakia, Slovenia, Somalia, South Africa, South Korea, Spain, Sri Lanka, Sudan, Swaziland, Sweden, Switzerland, Syria, Taiwan, Tanzania, Thailand, Trinidad and Tobago, Tunisia, Turkey, Turks and Caicos Islands, UAE, Uganda, UK, Ukraine, USA, Uzbekistan, Venezuela, Vietnam, Zambia, Zimbabwe etc. Total visitors number crossed 100,000 on 14. 02. 2013. Total visitors number crossed 145,000 on 30. 09. 2013. Total visitors > 200,000 (from 01.08.2014)
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment