The best way to explain the requirement of clause 4.1.1a in ISO 9001:2015 is organizations are now required to identify the inputs and outputs of the processes of their quality management system. Since these terms can be a bit confusing for some:
Inputs: Resources that are needed or used in the execution of a process step (raw materials, labor, information, etc.).
Outputs: The results or outcomes that are created through the execution of a process or process step.
The key to this requirement is understanding the transformational process that is performed by your business to create the product or service your company sells. Word of caution here: DO NOT GET TOO DETAILED when you are identifying the inputs and outputs. At a micro level, businesses can have hundreds of processes or steps and to identify the inputs and outputs of all those steps would be a monumental task.
Start at a very high level
I find the best, and most effective way to comply with this clause and get a good understanding of inputs and outputs is to utilize a tool commonly used in Lean Six Sigma practice called a SIPOC diagram. The SIPOC diagram is defined as, "A tool used by a team to identify all relevant elements of a process improvement project before work begins. It helps define a complex project that may not be well scoped, and is typically employed at the Measure phase of the Six Sigma DMAIC (Define, Measure, Analyze, Improve, Control) methodology." (iSixSigma, 2017)
SIPOC diagrams are very easy to complete. Here are the steps you should follow to create your SIPOC Diagram and Identify the Inputs and Outputs of your organization.
1. Clear some wall space and assemble a cross function group (3 to 5 people are generally sufficient). Post some flip charts with headings (S-I-P-O-C) written on each, or headings written on post-it notes posted to a wall.
2. Fill in the process steps vertically in the Process column (the "P"). If your organization was certified to previous versions of ISO 9001, you will already have a high level process map documented in your Quality Manual. Use this map as your process steps in the SIPOC. If you are starting new, describe what your organization does in 5 to 7 steps (roughly). An example manufacturer could be something like this: Quoting - Order Processing - Engineering - Outsourcing - Production - Shipping - Invoicing.
3. Identify the outputs of each process step. Once the process steps are in the center column, outputs are easily identified by asking the question, "what does this process step create?". Post those in the "O" column next to the associated step.
4. Identify the inputs of each process step. Now ask the question - "what resources are needed to accomplish the process step?" and post those next to the appropriate step in the "I" column.
Note: Following those steps to this point will give you a great start toward the understanding of your business' inputs and outputs. You can stop here if you'd like - but if you want to utilize the tool to its fullest, you take the following two steps and use that information to begin the formation of your list of interested parties.
5. Identify the customers that will receive the outputs. For each output, ask who the person, department, or entity is that will be receiving the output and list those in the "C" column. These customers could be internal or external to your organization.
6. Identify the suppliers of the inputs. Ask who provides each listed input and document those in the "S" column. Much like customers - suppliers can be internal or external to your organization.
Once this exercise is complete - confirm the information and document it in the appropriate location within your management system. Understanding the inputs and outputs helps provide a foundation for what comes next - evaluating (measuring) the inputs and outputs to determine potential opportunities for improvement.
The 2015 revision of ISO 9001 has removed the requirement of a Quality Manual, something that has been needed historically if your organization has wanted to achieve and maintain certification. This requirement appears no more! Woohoo! Shred those Quality Manuals and never look back!
Right? If the standard doesn't say we need it, then we don't need it. One less document to maintain. Finally, life as an ISO 9001 certified company is getting easier!
Let's hold on a second...
A common practice to create and maintain a Quality Manual for the ISO 9001:2008 standard (and earlier versions) was to create an exact copy of the verbiage in the standard, change all of the "shall" words with "will" or similar term that fits, change all references to "the organization" to the name of your company, slap a few logos on it, give it a control number and publish it.
And then...nothing. Let it sit for years until the new standard is published and then repeat this copy-paste process all over again. That practice, although common, doesn't help anyone.
It's Time to Re-Think the Manual
Now is the perfect time to rethink the Quality Manual. Take a step back and really consider what a manual should do for your company - provide the framework for your entire management system. Here are a few ideas to get you started.
Keeping your Business Manual Current
Even if your ISO Certified Company has a thorough and accurate Manual for the previous year, it is still very important to keep this document up to date. Here are some things to watch out for that may trigger the need for an update.
So, there are some things to think about. Even though the Quality Manual is not mandatory, it is still very much necessary. Use this opportunity to increase the role of the Manual within your business management system.
Do you have a have an interesting way that you have made your manual more valuable? Please share in the comments below.
Now ISO 9001:2015 does not disallow the use of printed out, controlled hard copies of procedures, work instructions, and the like. Companies choosing to maintain hard copies of the "approved" documents at point of use or in other controlled locations certainly can keep doing that and your certification won't suffer.
But, this is the 2015 version of the standard. Yes, 2015. It's time to simplify.
There are tools out there now that will facilitate compliance with all of the 9001 Documented Information requirements in an electronic environment, and drastically improve the document revision and approval process.
Facilitate, as in, make easier.
My personal favorite is Microsoft SharePoint.
Using Microsoft SharePoint can drastically simplify the way you're currently managing your business documents. Users can simply create a metadata based document library where you can tag documents, search based on keywords and tags, and not worry whether you're accessing a duplicate or latest version of the file. The SharePoint library can simply organize your documents that may be relative to one another ,and share the same security and permissions. Here are some of the features you can use to simplify your workload and management roles:
Version control is a distinctive feature for any enterprise-scale document collaboration platform. In SharePoint, the versioning feature automatically saves every version of a document. This allows multiple people to make changes to a document without the fear of overwriting a previous version.
An approval workflow feature is also available to simplify organization and sharing task responsibilities. The approval workflow routes items in a SharePoint site to specified people for approval. It manages and tracks all of the human tasks involved with the process and provides a record of the process when it completes. Approval workflows support any business process that requires sending documents or items to colleagues or managers for approval.
The check in - check out feature allows you to make changes to a file on a site, and ensures no one else can edit the file. When you have the file checked out, you can edit it online or offline and save it as frequently as needed. You can simply check out, check in, and discard changes you make to files in SharePoint libraries.
User permissions can allow users to specify who can view drafts and edit content on any document. This feature allows users to manage and assign documents to specific individuals without having to make all documents public within SharePoint.
Don't wait another minute. Start exploring this now.
There are so many benefits to moving from a paper based document control system to one that utilizes SharePoint that I would have to post another blog (or 2) to adequately describe them all. Making this leap will save you so much time, and it does not take too long to convert. If you would like a nudge to get started, shoot us an email, or post a comment below. We'd love to help you out!
The new ISO 9001:2015 has introduced updated management system standards that override the requirements presented in its predecessor, ISO 9001:2008. In particular, the original standards identified in ISO 9001:2008 under 4.2.3 Control of Documents and 4.2.4 Control of records have been overridden by the new standards in the 2015 version under 7.5.3 Control of documented information.
As part of the alignment with other management system standards a common clause on ‘Documented Information’ has been adopted. The terms “documented procedure” and “record” have both been replaced throughout the requirements text by “documented information”. Where ISO 9001:2008 would have referred to documented procedures (e.g. to define, control or support a process) this is now expressed as a requirement to maintain documented information. Where ISO 9001:2008 would have referred to records, this is now expressed as a requirement to retain documented information.
To better understand the changes presented in section 7.5.3 over the previous standards outlined in 2008, it is important to identify the difference between Documents and Records:
ISO 9001:2015 outlines the Control of Documented information in section 7.5.3 and is broken down into two separate requirements:
22.214.171.124 Documented information required by the quality management system and by this International Standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
126.96.36.199 For the control of documented information, the organization shall address the following activities, as applicable:
a) distribution, access, retrieval and use;
b) storage and preservation, including preservation of legibility;
c) control of changes (e.g. version control);
d) retention and disposition.
With the new standard structure in place, don't get confused by this "new requirement" as it really isn't new. We used to have "documents" and "records" and now we "maintain" (i.e document) and "retain" (i.e. record) documented information.
The ISO 9001:2015 standard introduces Organizational Knowledge in their 7.1.6 Clause. It defines requirements for the handling of organizational knowledge in the following four phases:
Clause 7.1.6 aspires to raise the awareness of the management team to provide them with adequate and proper knowledge placement for the future. Identifying the four focal points from start to finish provides a path to make this section of the standard really work for you.
Some quick guidance to get started
Complete an assessment of the current knowledge base in order to gain a clear understanding of organizational knowledge as it exists today. As a part of this assessment, it’s important to be able to include the knowledge that exists with regard to customer expectations and requirements.
The goal of this is to answer the question, "what knowledge do we currently have?"
Next, identify the knowledge that is required to adequately and efficiently run the business and fulfill the expectations of the customer base. It is important to do these as separate activities. I have found it to be a rare event where the knowledge a business has is a perfect match for the knowledge they need.
The goal of this is to answer the question, "what knowledge do we currently need?"
In the next phase, work to understand the gaps between existing knowledge and needed knowledge, prioritize those gaps and take action. The action could potentially be through training and hands-on learning, educational courses, seminars, etc.
A second important consideration of this phase is to understand the logistics of the organization's knowledge - how is information that is "known" by some of the organization spread to the rest? Are there "pockets of wisdom" that are not evenly shared with the people who could benefit from the knowledge? Take intentional action to set up a system to share organizational knowledge. This should include specific methods and procedures that should be followed to exchange knowledge internally and maintain the information. Passing off lessons learned from successful and failed projects in the past to colleagues is a great way for managers and employees to share their knowledge.
Because we all know this is an evolving world, it is important to have your "ears to the ground" to monitor changes in your specific market and analyze the extent of how it affects the knowledge the organization requires. Is there a brand new piece of technology available that could be utilized? Are their opportunities in the market to create a new product line? Stay tuned in to the ever-changing marketplace, and make sure to have systems in place to acquire and maintain the necessary organizational knowledge to be successful.
Organizations must continually evaluate their current knowledge and assess if it is adequate to help achieve the company's mission. Like many of the clauses in ISO 9001:2015 there needs to be a system in place to periodically assess, plan and execute. Special note here: this should not be once per year right before the 3rd party auditor shows up! Seriously, though - they can tell if you are faking it.
Not only that, but in the words of my high school football coach, "You are only cheating yourself!" Use this clause of the standard to really drive improvement in the knowledge possessed by your organization.
The Context of the organization is a newly added requirement in Clause 4 of ISO 9001:2015, which requires the organization to evaluate itself and its context. To properly perform this evaluation, there is a lot to consider: you must define the culture of the company, objectives and goals that must be outlined, the complexity of products, the size of the company and its customers, the flow of processes and information, identifying risks, and recognizing opportunities regarding the context of the organization.
Clause 4 states that the organization must consider both the internal and external issues that may possibly impact its objectives, strategies, and the planning of the QMS.
How do I do it?
Building from the scope of your Quality Management System, consider the following to determine the context of the organization:
Once the internal and external issues have been identified and approached with thorough consideration, the organization can identify the needs of internal and external parties, which simply means determining whose opinion your organization needs to be in tune to.
The parties in discussion may include customers, end users, regulators, suppliers, partners, owners and shareholders, and even society as a whole. Taking their perspectives into consideration will aid you in implementing efficient and effective practices that meet their needs. Additionally, they can provide feedback to help you identify what needs to be improved within your company.
Next, begin formalizing and documenting the context of the organization. This is often done so on a completely new document that the certification body will want to see. You could (and should) also include this information in your existing Quality Manual (even though the standard “doesn’t require” a Quality Manual, we HIGHLY recommend it).
Not just a one-time exercise
It is necessary for management to implement a process to monitor and review the internal and external issues and context periodically moving forward.
A simple tool to use for external analysis is called a ‘PESTLE’ analysis. PESTLE refers to the Political, Economical, Social, Technological, Legal, and Environmental factors that need to be evaluated regularly. Schedule this in conjunction with existing management reviews to ensure it becomes part of your management routine.
Political - Political factors refer to the degree of government intervention in the economy. The legal and regulatory factors include tax policies, consumer protection laws, employment laws, labor laws, environmental regulations, and trade restrictions.
Economical - Economical factors include the inflation rate, exchange rate, unemployment rate, and other growth indicators like interest rates.
Social - Social factors include different cultural aspects of society and its demographics. This is what forms the macro-environment of an organization. This can ultimately include career attributes, population growth rates, health consciousness and safety awareness, and age distribution.
Technological - Due to the constant evolution of technology, consumers are becoming very tech-savvy and have a high demand for organizations to adapt to new and emerging technology at a rapid pace. Technological factors include new changes, R&D activity, automation, and innovation.
Legal - There are specific laws than can potentially affect the business environment in each country, while there are certain policies an organization can maintain for themselves. This may include consumer laws and safety standards.
Environmental – These include influences from your business environment, such as tourism, climate, weather, geographical location, environmental offsets, etc.
Having an understanding of the PESTLE Analysis will develop a stronger foundation within management on how to adapt to external factors that may determine the future changes of your organization. Grasping the ground realities of the environment you are operating in is essential to operating effectively.
Don’t Make it Too Hard!
Clarifying the context of your organization should not be a monumental task. Simply talk through some of the tools mentioned in this blog and formulate your written context. After all, you are just trying to develop a written explanation of why your organization exists, what you provide, and who you serve – all of this should be pretty easy to identify.
Thinking of Outsourcing your Internal Audits?
Christopher M. Spranger, MBA, ASQ MBB
Want to receive free tips to improve your business?