What is the ‘High Level Structure’?
Let's start at the beginning.
The ISO 9001:2015 high-level structure consists of:
- Section 1 – A definition of the scope of the standard.
- Section 2 – Normative references
- Section 3 – Terms and definitions referring to the ISO 9001 standard.
- Section 4 – Defines the requirements of understanding external and internal issues, interested parties and their requirements and the QMS scope.
- Section 5 – Defines top management responsibilities, setting roles and responsibilities and the quality policy content.
- Section 6 – Defines the requirements for assessing risks and opportunities, quality objectives and plans to achieve them.
- Section 7 – Defines requirements for availability of resources, competences, awareness, communication and control of documents and records.
- Section 8 – Defines the requirements for operational planning, control of design and development, control of externally provided processes, products and services, production and service provision, release of products and services and nonconforming outputs.
- Section 9 – Defines requirements for monitoring, measuring, evaluation, analysis, internal audit and management review.
- Section 10 – Defines requirements for nonconformities, corrective actions and continual improvement.
- Annex A – Clarifies the new structure, terminology and concepts of the 2015 version of the standard.
- Annex B – Lists other international standards for quality management and QMS.
Not all the clauses of the standard may be required for the organisation; some clauses may not be applicable and can be excluded from the scope of the QMS as long as the organisation can prove why they have been excluded.
Why is there a Clause 0?
Clause 0.1, General, is a general introduction to the standard and highlights the benefits of integrating a QMS into your organisation:
a) The ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements;
b) Facilitating opportunities to enhance customer satisfaction;
c) Addressing risks and opportunities associated with its context and objectives;
d) The ability to demonstrate conformity to specified quality management system requirements.
(ISO 9001:2015)
You are then introduced to the key concepts of the standard. The Process approach incorporates the PDCA cycle and Risk Based Thinking.
Requirements for documented information
Each clause of the standard is clear on what your organisation's responsibilities are. You can identify where actions are required by spotting the following terminology:
“Shall” indicates a requirement;
“Should” indicates a recommendation;
“May” indicates a permission;
“Can” indicates a possibility or a capability.
Information marked as “NOTE” is for guidance in understanding or clarifying the associated requirement.
(ISO 9001:2015)
These terms are very important to understand whilst making notes of what is mandatory and what is optional for you to do.
Fortunately, the standard doesn’t require an excessive amount of documentation. You will only need to create or hold documented information where the standard says “the organisation shall retain/maintain documented information…”.
However, you may wish to document certain policies and procedures if you feel it would be beneficial to the working of your QMS. Just remember, any additional documented information will need to be maintained or preserved properly, so it's only worth doing where absolutely necessary or if you feel you have the resources to manage this.
0.2 Quality Management Principles
The principles are:
- Customer focus
- Engagement of people
- Process approach
- Evidence-based decision making
- Relationship management
Clause 0.3 The Process Approach
What is a process?
The standard describes a process as a set of interrelated activities that manages effectiveness and efficiency to achieve an intended result. For example, fulfilling a customer’s order to their satisfaction.
Identifying the processes that drive an organisation's activities, products and services helps you to understand the ‘coherent system’, and thus the risks incurred and the appropriate controls.
Even though not all processes need to be documented, when creating new processes, it is a useful exercise to identify the inputs, outputs, controls and resources in a diagram to clearly identify all the stages and complexity of a process.
The standard provides an example of a process in clause 0.3.1:
The process approach is an effective way of organising your organisation's activities and defining the specific way you want each process carried out. It also gives you an opportunity to demonstrate to your interested parties how slick your processes are and what they can expect from you. This approach will also ensure consistency in your employees' work results, especially where roles and assignments cross over or the process is extremely complex.
You might want to do this through documented instructions or provide training.
The process approach enables a business to:
– Understand and consistently meet the requirements;
– Consider processes in terms of adding value;
– Achieve effective process performance;
– Improve processes based on evaluation of data and information.
(ISO 9001:2015 Clause 0.3.1)
The PDCA cycle enables an organization to ensure that its processes are adequately resourced and managed, and that opportunities for improvement are determined and acted on.
(ISO 9001:2015 Clause 0.1)
The PDCA cycle (Plan, Do, Check, Act) needs to be implemented as good practice throughout your organisation to meet the requirements of ISO 9001:2015.
This 4-step method allows the organisation to manage processes from the start and control any necessary adjustments to continually improve them.
- PLAN = What needs to be done and how
- DO = Implement what was planned
- CHECK = Whether the inputs achieved the expected outputs and assess the results
- ACT = Make changes to continually improve the outcomes
Clauses that fall under the PDCA cycle:
- PLAN – Understanding the context of the organisation, defining the scope and quality policy, addressing risks and opportunities, setting quality objectives and planning control of processes.
- DO – Implementation of various processes for fulfilling the QMS, achieving the quality objectives and implementation of control of processes.
- CHECK – Conduct monitoring and measuring, internal audits and management reviews.
- ACT – Implement corrective actions and improvement initiatives.
Clause 0.3.3 Risk Based Thinking
Risk-based thinking enables an organization to determine the factors that could cause its processes and its quality management system to deviate from the planned results, to put in place preventive controls to minimize negative effects and to make maximum use of opportunities as they arise.
(ISO 9001:2015 Clause 0.1)
Risk is the effect of uncertainty.
An effect can be a positive or negative deviation from the expected outcome. Uncertainty, by contrast, is the state of unknown consequences or likelihood of occurrence. This could be due to a lack of information or understanding at hand.
To have an effective QMS, you need to demonstrate risk-based thinking. This gives your organisation an opportunity to put preventative measures in place to protect you from high-risk consequences. This concept is encouraged throughout the entire standard, especially in clause 6.1, when you are identifying and planning actions to address risks and opportunities to mitigate negative impacts on the QMS. Other key areas are clause 4.1, when identifying the context of the organisation, and clause 4.4, when planning and implementing quality management system processes, along with the extent of the documentation required.
Clauses 1 to 3
Clauses 0 to 3 predominantly describe the standard itself. They are important to understand as they form the foundation of top management's attitude and intentions towards the QMS. They also ensure the implementation team fully understands the key concepts of the standard and its methodology.
Clause 1 describes the Scope of the ISO 9001:2015 standard, applicable when an organisation:
1. Needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and;
2. Aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.
(ISO 9001:2015 Clause 1 Scope)
Clauses 2 and 3 refer to normative references and terms and definitions.
Annex A includes a brief overview of:
- Structure and terminology (A.1)
- Products and Services (A.2)
- Understanding the needs and expectations of interested parties (A.3)
- Risk based thinking (A.4)
- Applicability (A.5)
- Documented information (A.6)
- Organisational Knowledge (A.7)
- Control of externally provided processes, products and services (A.8)
A.1 Structure and terminology
This section explains the clause sequencing of the 2015 version of the standard and compares terminology differences between the new and previous version.
|ISO 9001:2008|ISO 9001:2015|
|---|---|
|Products|Products and services|
|Exclusions|Not used (See A.5 Applicability)|
|Management representative|Not used (Similar responsibilities and authorities are assigned but no requirement for a single management representative)|
|Documentation, quality manual, documented procedures, records|Documented information|
|Work environment|Environment for the operation of processes|
|Monitoring and measuring equipment|Monitoring and measuring resources|
|Purchased product|Externally provided products and services|
Products and Services (A.2)
The standard explains the terms ‘products’ and ‘services’ and how they are different to the terms used in the 2008 version.
Although the term ‘product’ in the 2008 version covered all categories of business, service industries (e.g. a postal service) found it a little more difficult to apply the whole standard. Adding the term ‘service’ in the 2015 version gives businesses greater scope to apply the standard, because it highlights the differences between products and services with specific requirements.
Understanding the needs and expectations of interested parties (A.3)
With reference to clause 4.2, Annex A.3 explains that there is no mandatory requirement in the standard to consider interested parties when defining your organisation's context if they are not relevant to the QMS.
Risk based thinking (A.4)
Annex A.4 explains risk-based thinking as a continuation of clause 0.3.3: the key areas of the standard where risk-based thinking applies, the purpose of risk-based thinking and its applicability.
It highlights an important note, referring to clause 6.1, that could cost the implementation team a lot of time if it goes unnoticed:
Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards.
(ISO 9001:2015 Annex A.4)
Applicability (A.5)
The 2008 version allowed for ‘exclusions’ when identifying the scope of the QMS; the new standard does not. Now the standard specifies that you must consider the applicability of the requirements for your business. You must consider the size and complexity of your organisation, management model, activities and the nature of the risks and opportunities. Once the applicability has been considered and identified, then you can declare in the scope that the requirements of clause XYZ do not apply to your QMS. This decision must not negatively affect the QMS.
Documented information (A.6)
Annex A.6 explains the differences in terminology. Documented information is a new term in the 2015 version, replacing what was previously known as ‘Documentation, quality manual, documented procedures, records’. Clause 7.5 is dedicated to documented information.
Organisational Knowledge (A.7)
Clause 7.1.6 is dedicated to organisational knowledge. Annex A.7 describes the reason for introducing the clause requirements:
a) safeguarding the organisation from loss of knowledge, e.g. through staff turnover; failure to capture and share information;
b) encouraging the organisation to acquire knowledge, e.g. learning from experience; mentoring; benchmarking.
(ISO 9001:2015 Annex A.7)
Control of externally provided processes, products and services (A.8)
Clause 8.4 refers to externally provided processes, products and services and the controls over them. These include purchasing from a supplier, arrangements with associate companies and outsourcing processes externally. The standard recognises that using external resources is a common practice, especially in the case of service industries, so the organisations doing this need to apply the key concepts of the standard. When planning how to control those external companies, your organisation must practise risk-based thinking.
Annex B provides details of other International Standards for quality management and quality management systems that have been developed by ISO/TC 176. Table B.1 compares them and shows the relationships between them.