Determining QMS Scope and Boundaries – Part 2

Greetings again… In Part 1 we identified the influencers, those parties who help make policy. Now let us look at the drivers behind those influencers.

Step 3 Understanding your Business Drivers

Business drivers are the factors that influence or direct an organization’s strategy and goals and therefore its business needs. These are different for each business and management identifies their organization’s major drivers in different ways.

Boundaries

Image copied under a Creative Commons license Some rights reserved by James Jordan

Top Management will want to know how the QMS will affect the organization’s business drivers. The “management representative” and the implementation team members need to work to ensure management understands these impacts by presenting information in terms that are important to management. Some examples of some general drivers are:

 

  • Financial
  • Legal
  • Social
  • Internal
  • External

Understand your business drivers – Financial

Financial drivers are typically the key drivers for business success. The impact on financial drivers by the QMS and improved efficiency will usually play a large role in system acceptance. These drivers should be identified and quantified to the extent possible to determine the potential impact on the organization’s financial health. Impacts can be verified or more accurately quantified during data collection and assessment activities.

Understand your business drivers – Legal

Many of the quality issues that can impact legal business drivers are closely linked to environmental or safety issues. Consequently, an effective quality management system can mitigate a potential legal burden associated with environmental impacts or safety hazards. Relevant legal issues surrounding design and use must also be identified. Once identified, procedures and communication channels are implemented to ensure legal and regulatory compliance requirements are addressed, relevant data is collected and appropriate documentation is completed.

Understand your business drivers – Social

Social pressures can be as daunting as financial and legal issues. A quality management system can help address social issues as well as provide evidence of an organization’s efforts to maintain its reputation. Many of the public concerns are related to environmental and safety issues, but there are others that are important. Some of these may include:

  • Occupational Health & Safety
  • Environmental stewardship
  • Corporate Social Responsibility
  • Information Security
  • Energy Management

Pressures can be exerted by local communities, trade associations, environmental groups, employees, and government entities, just to name a few. An organization should identify the relevant issues and install the systems necessary to minimize negative impacts and communicate the positive efforts being made to address them.

Understand your business drivers – Internal

Internal influencers have already been discussed, but there are also internal business drivers that impact an organization’s strategy and drive its business needs. Internal drivers are generally controlled by the organization and reflect the needs of an internal stakeholder, but can be a response to an external driver. These drivers should be identified as to how they relate to the needs and interests relative to quality. Relevant internal drivers can include:

  • Employee satisfaction – Employees want to do a good job and operate in a good working environment. Improving quality makes the process more efficient and can result in an improved operating environment by reducing the Cost of Quality.
  • Productivity – As operations are improved, raw materials are consumed more efficiently, they become more productive. Productivity is output over input; as output increases or input decreases, productivity is improved. An improved working environment promotes improved employee morale, more output relative to input, and improved operational control.
  • Technology – Advanced technologies are typically more cost effective and may improve the process or operation. In addition to improving efficiency, advanced technologies can also result in improved operational flexibility and better control.
  • Maintenance – Regular maintenance is critical to maintaining equipment operating efficiency, which results in better performance. It also promotes improved reliability, better schedule adherence, better utilization, and extended equipment life.
  • Organization development goals – Strategic goals by the organization to be the best, the first, the most efficient, the biggest producer, etc. drive the organization to include operational efficiency as a component of their management system. Financial, legal and social drivers all play into the organizational goals; and the role quality addresses those drivers.

Identify the relevant internal drivers, determine how they interface with the organization’s quality management and put in place the appropriate systems to address these connections.

Understand your business drivers – External

  • External drivers are typically outside the organization’s control. There are many external groups or stakeholders that could have an interest in the organization’s activities and / or QMS and help drive the organization’s direction. Their interest could be reflected through financial, legal or social drivers. The external groups that have or can have an impact on the organization should also be identified, and appropriate procedures and communication channels installed to address the needs and interests of these groups relative to organizational efficiency and effectiveness. A QMS can help with addressing these needs and interests. Some of the influencing groups could be:
  • Stockholders – Obviously, stockholders are interested in the profitability of the organization and in measures that reduce costs. They are also interested in the business operating legally and addressing relevant social issues, and they expect to be provided a measure of assurance of the business’s long term viability.
  • Lenders – Lenders want their money back with interest. A quality management system is a tool for the organization to address continual improvement thereby improving profits and efficiencies and enhancing long term existence.
  • Customers – Customers want value-added. Reducing costs and improving efficiencies allow high-quality products and services to be offered at the lowest price, thus improving the organization’s competitiveness.The continual improvement component of a quality management system can help an organization improve efficiencies and reduce costs.
    Suppliers – An efficient supply chain is important to competitiveness. An important component of supplier selection and maintenance is a commitment to continual improvement including quality, delivery, cost, availability and responsiveness. A quality management system can help with supplier selection. The presence of a quality management system would be one indication of a supplier’s commitment to continual improvement.
  • Public – The public in general as well as many public groups can be drivers for an organization’s operation. Both can provide pressure relative to product safety, resource conservation, alternative energy sources, and the like. Public utilities can impose requirements that must be addressed. A QMS can help an organization address these issues and provide evidence of its efforts.
  • Government – An quality management system can help an organization address existing regulations and plan for future government regulations. It provides the system to help the organization identify and address relevant government codes and laws.

Once influencers and drivers have been identified, you will need to determine the ‘space’ within which your organization operates. Like an onion, these ‘layers’ (boundaries) may be relatively transparent and difficult to clearly define, it will be up to you to determine the boundaries between that which you can control and that which you cannot. And, my friends, be ready to explain to an auditor where these boundaries lie. Anon.

Determining QMS Scope and Boundaries – Part 1

So far, in this series, we have explored the evolution of the Standards and History of Quality Systems. We have answered the question of what documentation is needed (recommended – remember, these are my opinions and nothing in life is guaranteed beyond that.) We have talked about Organizational Context (section 4.1) and last time we identified our Interested Parties (section 4.2.) Now, we will look at QMS Scope and Boundaries (section 4.3.) Today’s discussion will be in two parts, if for no other reason but to limit the size of the post – we are all busy and no one wants to read a ‘book’… or do you?

Step 1 Getting Started

The initial ‘push’ for implementing a quality management system (QMS) may come from your customers, management or other sources, but in any case, top management must be committed to the effort for it to be successful.

Getting started begins with identifying the benefits to the organization, setting out a clear plan for implementation, and understanding the basics of QMS documentation. In addition, the organization will need to identify its internal and external influencers and understand how the quality management system will affect them.

Boundaries

Image copied under a Creative Commons license Some rights reserved by James Jordan

Top management is responsible for developing the quality policy that communicates the importance of customer focus in the organization’s strategic plans and objectives.

Top management appoints a champion / customer advocate (formerly referred to as Management Representative – MR) who has overall responsibility for assembling the implementation team, and developing, implementing and maintaining the QMS. This individual works with top management to establish and document the scope and boundaries for the QMS

The implementation team, with top management’s input, lays out the plan for QMS development and implementation. The plan considers the overall time line for implementation, other organizational goals and priorities, and integration with other management systems (if applicable). It also considers available resources and designates responsibilities. Communication channels are established to make team assignments, provide guidance and support, check progress and report status. Information will need to flow in both directions between top management and organizational personnel and should include the sharing of successes at all levels of the organization.

Another element of getting started on QMS implementation is gaining an understanding of the role of documents and records in the system and the decisions the organization must make about its QMS documentation. There are a number of common misconceptions about the extent of documentation needed for a management system based on an ISO standard. For an ISO 9001 QMS, a variety of records must be maintained, but only a few documents are explicitly required. Organizations have a great deal of flexibility, but also responsibility, in determining what documents and records are needed to support their QMS. If you have been following my posts, you should have a good handle on this. If you are new to the blog, you may want to look at earlier postings to catch up.

Step 2 Identify Key Internal Influencers

Internal influencers are individuals in the organization who do or could have interest or influence on decisions related to quality. To gain support for the development and operation of the QMS, these individuals should be identified and their needs understood and addressed.

Management – Management wants the business to operate smoothly and must provide resources to ensure that the organization is efficient; employees are productive; regulatory requirements are addressed; and, shareholders are satisfied. An ISO 9001 QMS provides a mechanism for addressing management’s quality related issues. However, each manager is likely to have a different perspective relative to quality based upon their areas of influence (i.e. Sales, Purchasing, Design, Production, etc.) Consider each position or function and identify how quality is important and what would encourage their support and participation.

Employees – Employees want to be productive and use the most efficient methods and equipment. They want management to provide the resources so they can work smarter, not harder. Employees want a system in place to correct problems and continually improve efficiency without undue delay.

When identifying key internal influencers, determine the individuals in the organization whose responsibilities or activities will affect or be affected by the organization’s quality position.

In Part 2 we will look at the business drivers that influence and determine strategy and objectives. See you in Part 2.

Identifying Your Interested Parties

In the last post we looked at the context of the organization. OK we know who we are; what we do; our strengths, weaknesses, opportunities and threats, we can explore who we do it all for – our customers both internal and external. New clause, 4.2 requires that we identify our stakeholders (“interested parties”) who either have an interest in our products or an interest in our quality system.

Interested Parties

This is a big improvement over earlier versions because up until now only the customer has been focused upon. It all goes back to the MIL-STD that began it all. Mil-Q-9858, published in 1959 by the US government, for the US government. They didn’t care about anybody else, they were the customer. Today life is more complicated and ‘the customer’ may not be the customer. The current Standard, with focus on interested parties combined with the process approach introduces the concept of internal and external customers.

One of my clients is a manufacturer selling product through a network of distributors. Technically, the customer is that distributor and not the person who wanted the product. And customer satisfaction (in the past) was based upon response and delivery time, product quality was rarely a topic of discussion and with a liberal returns policy they always received high marks. With the 2015 revision the end-user becomes part of the mix. Thankfully, my client has a pride in workmanship and a sense of value-added so their marks remain high. They only had to find another way of determining (measuring) the perception of satisfaction from the end-user. You get the idea.

Slightly of topic… I got in a ‘fight’ with the auditor of a medical client who insisted that we remove the word ‘satisfaction’ and replace it with ‘feedback,’ which, in their defense is how the Medical Standard ISO13485 is worded. However, I challenged that there is no requirement to adopt either the structure or the terminology as stated in section 0.1 (general) of the introduction, “It is not the intent of this International Standard to imply uniformity of quality management systems or uniformity of documentation.” I also questioned the intent of the authors by asking,”Do we not want satisfied medical customers?” The auditor was not amused and we changed the verbiage to avoid a finding. The 2016 revision of ISO 13485 neither contains the new High Level Structure, nor the new requirements of context and interested partied found in ISO 9001:2015 so we will have to wait to revisit this at the next revision!

When identifying interested parties, you think of all the groups of people who may be directly or indirectly impacted by your product or service, as well as those that have a direct or indirect impact on your QMS. For each, identify whether they are internal (work for the company) or external (third parties.) Then decide why those groups might have an interest.

Like much of ISO 9001, you get to decide who an interested party is. The only expected party would be your customers, and everything beyond that is entirely up to you.

In most cases, however, your list might include:

Internal Interested Parties

• Employees (and their dependents)
• Owners / Sr. Management / Board of Directors of the company
• Departments usually thought to be outside of the QMS (legal, finance, etc.)

External Interested Parties

• Customers
• Suppliers / Vendors
• Regulators
• The Public
• Other end users of your product/service
• Certification bodies
• Competitors

Once you have your interested parties identified, you can start to think about why they care about you. ISO 9001:2015 gives you some pointers on where to start. The Notes in clause 4.1 lists the following suggestions:

Internal Issues

• values
• culture
• knowledge
• performance

External Issues

• legal
• technological
• competitive
• market
• cultural
• social
• economic

The last step in this process is to categorize whether the concern / issue is positive or negative. This will be helpful when we discuss Risk-Based Thinking – Coming to a blog near you soon.

Organization and its Context

An organization usually operates within a socioeconomic structure that is determined largely by management and comprises the “operating environment,” both internal and external to the organization.

Managing an organization is not an ‘objective’ thing, it is subjective to who you are, who you know, what you know and what you can do in terms of capabilities and resources. Do you want to: engage in social or green entrepreneurship; do something in social media; construction; fashion or something completely different? What impact would you like to make? How do you define success? Is it profit, social engagement, lower carbon footprint, or is it something else that drives you?

Organizational context includes every asset, liability, strength, weakness, preference and belief you and your team possess. So then context is the totality within which the organization seeks to achieve its sustainability goals.

Internal Context

The internal context includes, but is not limited to: product and service offerings; management, organizational structure, roles, and accountabilities; regulatory requirements; policies and goals, and the strategies to achieve them; assets (e.g., facilities, property, equipment and technology; capabilities, understood in terms of resources and knowledge (e.g., capital, time, people, processes, systems, and technologies); information systems, information flows, and decision-making processes (both formal and informal); relationships of the staff/volunteers/members and the perceptions and values of their internal stakeholders – including suppliers and partners; company culture; standards, guidelines, and models you have adopted and form and extent of contractual relationships. Internal context can also be defined as anything within the organization that may influence the way you manage internal risks.

attachmentYou need to conduct an internal analysis using “SWOT” (Strengths, Weaknesses, Opportunities and Threats) analysis or some other similar tool.

External Context

External context includes: outside stakeholders, local operating environment and any external factors that influence the selection of objectives (goals and targets) or the ability to meet those goals. Once the internal context is documented, you now need to conduct an external analysis using “PEST” (political, economic, social and technological) analysis or some other similar tool.

Completing a PEST analysis is simple and helps you understand and find ways to deal with the external context. Political factors; economic factors; ecological/environmental issues; national economies and trends, current legislation, general taxation issues; anticipated future legislation; taxation to activities, products, services; International legislation (global influences;) seasonality or other weather issues; regulatory bodies and processes; market and trade cycles; government policies; terms and change; specific sector factors; funding, grants, and initiative; customer/end-user drivers; market lobbying groups; interest and exchange rates; wars and conflicts; international trade and monetary issues; social factors; technology factors; lifestyle trends; competing technology development; demographics; associated/dependent technologies; consumer attitudes and opinions; replacement technology/solutions; media views; maturity of technology; law changes affecting social behaviors; information and communications; reputation of the organization; consumer buying mechanisms; consumer buying patterns; technology legislation; fashion and role models; innovation potential; major events and influences; technology access, licensing, patents; buying access and trends; intellectual property issues; ethnic/religious factors; global communication; advertising and publicity; social media use; ethical issues; maturity of organization’s products should all be considered. Although you cannot control these environmental factors you need to manage them to your advantage. You also need to protect yourself from PEST factors which may increase operational costs or affect your reputation.

The above analyses determine which factors can influence how the organization operates. You cannot control these factors, but you must seek to adapt to them.
Context determines the drivers of influence and priority for all stakeholders so understanding context is the first step in defining the internal and external factors that you must consider when you adopt Risk Based Thinking which we will discuss in an upcoming post.

Mandatory documents and records required by ISO 9001:2015*

According to the International Standard, Documented Information is required, but there is no prescriptive format. Anything that satisfies the requirement such that an auditor can determine compliance is acceptable. It is also important to keep in mind that one example of documented information can satisfy a single requirement, multiple requirements or multiple documents can satisfy a single requirement. You decide – just make sure that it / they are readily available for review. The following is a list of the required documented information. Note: where the term ‘maintain’ is used in conjunction with documented information it communicates a particular Procedure, Work Instruction or Form is required and that it is controlled. Where the term ‘retain’ is used in conjunction with documented information this communicates a record requirement. Information may be maintained or retained in any form or media (the Flow Chart below illustrates a risk-based corrective action process and constitutes one form of acceptable documented information.) The challenge is to determine what and how much is needed – not enough and you may have a problem ‘fighting for your right…,’ too much and you’ll have to justify how this “MIL-STD” based system is value-added to an auditor drooling to audit your Control of Documents process.

CAPA

Flow Chart concept courtesy of MasterControl.

Documented Information you need to maintain if you want to be compliant.

  • Scope of the QMS (clause 4.3)
  • Quality policy (clause 5.2)
  • Quality objectives (clause 6.2)
  • Criteria for evaluation and selection of suppliers (clause 8.4.1)

Documented Information you need to retain if you want to be compliant.

  • Monitoring and measuring equipment calibration records* (clause 7.1.5.1)
  • Records of training, skills, experience and qualifications (clause 7.2)
  • Product/service requirements review records (clause 8.2.3.2)
  • Record about design and development outputs review* (clause 8.3.2)
  • Records about design and development inputs* (clause 8.3.3)
  • Records of design and development controls* (clause 8.3.4)
  • Records of design and development outputs *(clause 8.3.5)
  • Design and development changes records* (clause 8.3.6)
  • Characteristics of product to be produced and service to be provided (clause 8.5.1)
  • Records about customer property (clause 8.5.3)
  • Production/service provision change control records (clause 8.5.6)
  • Record of conformity of product/service with acceptance criteria (clause 8.6)
  • Record of nonconforming outputs (clause 8.7.2)
  • Monitoring and measurement results (clause 9.1.1)
  • Internal audit program (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)

This is all you need to satisfy the minimum document requirements. Use this post as a checklist to make sure you have covered all the bases.

Now for a little guidance… I promised you in the last post I would give you a ‘Magic Bullet,’ here it is. (Please remember, this is only a suggestion. It is not the only way to achieve certification. In addition, since I do not know your individual situation, there is no guarantee of certification.) However, it is one way to make the auditor’s life a little easier and I want to keep ‘my right to party.’

Yes, you want a Quality Manual!**

  • The International Standard begins by telling us we need to define our context (4.1) and determine our Interested Parties’ needs and expectations (4.2.) Put it in the manual.
  • We need to determine the Scope and Boundaries of our quality management system (4.3.) Put it in the manual.
  • We need to define QMS processes, interactions, etc. (4.4.) Put them in the manual.
  • Leadership – change in focus from Management Representative (MR) to top management. The MR is no longer required, but y’all still goanna want one (5.1.) Put ’em in the manual.
    – Quality Policy (5.2.1.) Put it in the manual.
    – Organizational roles, responsibilities and authorities (5.3.) Put it in the          manual.
  • Risk-Based Thinking (6.1.) Put it in the manual.
  • If you can see Russia from your Bedroom window, put it in the manual. You got it!

To readdress a previous discussion as to whether a copy of the ISO 9001:2015 is a requirement – you know what? You won’t know all the other stuff you are going to put in your Quality Manual without it. And one more thing, unless (those of you with existing systems are planning on renumbering all those SOPs,) you’re going to want to add a table ISO 9001:2015 elements vs. what you call things so the auditor can follow along with the bouncing ball.

Non-mandatory documents (Standard Operating Procedures)

There are numerous non-mandatory documents that can be used for ISO 9001 implementation. The following (including optional procedures) are highly recommended:

  • Procedures you have documented if you have an existing QMS (20 or so.)
  • Plus a few more… See below – new 2015 procedures are bolded.

Recommended (sample) list of standard operating procedures***

SOP-4.5.2 Control of Documents
SOP-4.5.3 Control of Records
SOP-6.1.1 Risk Management
SOP-6.1.2 Business Contingency
SOP-6.3 Change Management
SOP-6.4 Management Review
SOP-7.2.1 Resource Management – Knowledge
SOP-7.2.2 Resource Management – Training
SOP-8.2.3 Customer Related Processes
SOP-8.2.4 Product Complaint Handling (Optional)
SOP-8.3 Design & Development (If design responsible)
SOP-8.4.1 Supplier Evaluation & Monitoring
SOP-8.4.2 Purchasing – Raw Material (Optional)
SOP-8.4.3 Purchasing – Equipment & Services (Optional)
SOP-8.5.1.1 Process & Service Control
SOP-8.5.1.4 Maintenance & Repair (Optional)
SOP-8.5.3 Identification & Traceability
SOP-8.5.4 Customer Supplied Property
SOP-8.5.5 Preservation of Product
SOP-8.6 Control of Monitoring & Measuring Devices
SOP-9.1.2 Customer Feedback
SOP-9.2.1 Internal Audits
SOP-9.2.2 Monitoring & Measurement of Processes
SOP-9.2.3.1 Monitoring & Measurement of Product
SOP-9.2.3.2 Receiving Goods & Materials (Optional)
SOP-9.2.3.3 In-Process Inspection (Optional)
SOP-9.2.3.4 Final Inspection
SOP-9.3 Control of Nonconforming Product
SOP-9.4 Analysis of Data
SOP-10.1.1 Corrective Action
SOP-10.1.2 Preventive Action (Optional)
SOP-10.2 QMS Maintenance & Improvement (Optional)

*Note: Documented Information would not be applicable if the company does not perform the relevant processes.

**For those of you just getting started, you might want to hold off documenting a Quality Manual until this blog series is complete. For the rest of you – have at it.

***You may have noticed my numbering system does not exactly match that of the International Standard… Very good, the Standard states it does not have to (Annex 1 – Back of the book where nobody looks!) This is just my way of having a little fun with the auditor – and yes I use a table.

See you next time with a little guidance for dealing with organizational context. Ciao!