A quality management system enables you to manage your business processes effectively:
it is much more than a set of rules and procedures. When properly implemented and maintained, a QMS addresses the needs of your organisation and delivers tangible business benefits.
The new version of ISO 9001 has recently been published. One of the main aims of ISO 9001:2008 is to facilitate integration with other standards. Although there are no new requirements as such, there are some key clarifications to be taken into account.
There are three main objectives to the new standard:
Detail, clarify, improve the understanding of ISO 9001:2000 (previous version)
Improve compatibility with ISO 14001:2004 Simplify the way in which ISO 9001 can be integrated with other management system standards (such as OHSAS 18001)
There are no new requirements in the new standard:
The title, scope, and structure of the standard are unchanged
The process approach is confirmed
Compatibility with the latest revision of ISO 14001:2004 is maintained and improved upon
Preservation of the quality management principles included in ISO 9000:2000
There are five main areas to note. The relevant sections of the standard are noted in brackets.
1. A reinforcement of the notion of product conformity
2. Compatibility with other standards is evolving
3. A better understanding of outsourced processes
4. An editorial clarification of some requirements – for instance;
A reinforcement of the notion of product conformity2.3.4.
An editorial clarification of some requirements – for instance;A better understanding of outsourced processesCompatibility with other standards is evolving
• (6.4) work environment, including an explanatory note on work environment giving examples,
to help meet product conformity requirements
• (8.2.1) measurement of customer satisfaction, including a note broadening the scope beyond
satisfaction surveys to include other channels such as customer feedback5.
• (Introduction) the notion of risk
• (5.5.2) appointment of a management représentative
• (6.2.2) assessing the effectiveness of achieving compétence
• (8.5.2 et 3) assessing the effectiveness of corrective and preventive actions?
Some additional explanations regarding the requirements of the standard;An editorial clarification of some requirements – for instance;A better understanding of outsourced processesCompatibility with other standards is evolvingA reinforcement of the notion of product conformity
Showing posts with label quality management system. Show all posts
Showing posts with label quality management system. Show all posts
Friday, October 9, 2009
The Similarity between ISO 9001 and BS 7799-2
The Similarity between ISO 9001 and BS 7799-2
BS 7799-2:2002 is a specification for an Information Security Management System (ISMS). It is shortly to be upgraded to the status of a full
International Standard, and published as ISO/IEC 27001. The normative part of this standard has four sections and an annex . The requirements of the four sections are associated with the PDCA cycle. The annex defines all the controls that must be considered for generating the SOA. Thus the structure of BS 7799-2:2002, as will be ISO/IEC 27001, can be simply described as:
A PDCA framework;
An SOA.
ISO 9001:2000 is a specification for a Quality Management System (QMS). The normative part of this standard has five normative sections,
numbered 4 – 8. All of these requirements must be met in order to claim conformance with the standard, save for section 7 (Product Realisation),
where the standard states in paragraph 1.2 “Where exclusions are made, claims of conformity to this International Standard are not acceptable unless
these exclusions are limited to requirements within clause 7, an such exclusions do not affect the organisation’s ability, or responsibility, to provide
product that meets customer and applicable regulatory requirements”.
In Table 2 we relate the requirements of sections 4, 5, 6 and 8 to the PDCA framework. We treat section 7 as an SOA.
The BS 7799-2:2002 standard gives instruction on how the controls documented in BS 7799-2 Annex A are to be determined as being applicable or nonapplicable. In particular, if the control is applicable it must be justified in terms of the results of a risk assessment.
The controls listed in Section 7 of ISO 9001 may be excluded with justification. Thus, Section 7 of ISO 9001 may be treated in exactly the same manner as BS 7799-2 Annex A provided that applicable quality controls are also justified by
reference to a risk assessment. Conversely for an integrated MS, information security controls that are declared to be non-applicable should also be
justified as not applicable by reference to a risk assessment, in order to bring the two standards into line. Interestingly, this requirement was present in
BS 7799-2:1999 but was dropped in the 2002 revision.
The amalgamation of these two approaches in an integrated MS should not be seen as a disadvantage. The justification of non-applicable information security controls greatly simplifies the task of determining, given a change of threat or
business practice, whether a non-applicable control has now become applicable. The justification of Product Realisation controls by way of a reference to a risk assessment serves to remind us that, for many organisations, quality controls are not uniform across the whole organisation but are commensurate with the degree of risk involved.
For example, in the software business, a fixed price assignment with tight timescales to produce a bespoke software system has a greater risk than a
time and materials contract to supply programming staff, and the quality controls applied to management planning and reporting of the two projects would be very different.
BS 7799-2:2002 is a specification for an Information Security Management System (ISMS). It is shortly to be upgraded to the status of a full
International Standard, and published as ISO/IEC 27001. The normative part of this standard has four sections and an annex . The requirements of the four sections are associated with the PDCA cycle. The annex defines all the controls that must be considered for generating the SOA. Thus the structure of BS 7799-2:2002, as will be ISO/IEC 27001, can be simply described as:
A PDCA framework;
An SOA.
ISO 9001:2000 is a specification for a Quality Management System (QMS). The normative part of this standard has five normative sections,
numbered 4 – 8. All of these requirements must be met in order to claim conformance with the standard, save for section 7 (Product Realisation),
where the standard states in paragraph 1.2 “Where exclusions are made, claims of conformity to this International Standard are not acceptable unless
these exclusions are limited to requirements within clause 7, an such exclusions do not affect the organisation’s ability, or responsibility, to provide
product that meets customer and applicable regulatory requirements”.
In Table 2 we relate the requirements of sections 4, 5, 6 and 8 to the PDCA framework. We treat section 7 as an SOA.
The BS 7799-2:2002 standard gives instruction on how the controls documented in BS 7799-2 Annex A are to be determined as being applicable or nonapplicable. In particular, if the control is applicable it must be justified in terms of the results of a risk assessment.
The controls listed in Section 7 of ISO 9001 may be excluded with justification. Thus, Section 7 of ISO 9001 may be treated in exactly the same manner as BS 7799-2 Annex A provided that applicable quality controls are also justified by
reference to a risk assessment. Conversely for an integrated MS, information security controls that are declared to be non-applicable should also be
justified as not applicable by reference to a risk assessment, in order to bring the two standards into line. Interestingly, this requirement was present in
BS 7799-2:1999 but was dropped in the 2002 revision.
The amalgamation of these two approaches in an integrated MS should not be seen as a disadvantage. The justification of non-applicable information security controls greatly simplifies the task of determining, given a change of threat or
business practice, whether a non-applicable control has now become applicable. The justification of Product Realisation controls by way of a reference to a risk assessment serves to remind us that, for many organisations, quality controls are not uniform across the whole organisation but are commensurate with the degree of risk involved.
For example, in the software business, a fixed price assignment with tight timescales to produce a bespoke software system has a greater risk than a
time and materials contract to supply programming staff, and the quality controls applied to management planning and reporting of the two projects would be very different.
ISO 9001:2008 Requirements – QMS
ISO 9001:2008 Requirements – Quality Management System
Establish, document, implement, and maintain a quality management system. Continually improve its effectiveness in accordance with ISO 9001 requirements. Implement the system to:? Determine processes needed for the quality management system (and their application throughout the organization)? Determine process sequence and interaction? Determine criteria and methods for process operation and control? Ensure resources and supporting information are available? Monitor, measure where applicable, and analyze these processes? Implement actions to achieve planned results and continual process improvementManage these processes in accordance with ISO 9001 requirements. Define the type and extent of control applied to any outsourced processes that affect product conformity to requirements.NOTE 1: Processes needed for the quality management system include the processes for management activities (see 5), provision of resources (see 6), product realization (see 7), and measurement, analysis, and improvement (see 8).NOTE 2: An outsourced process is a process the organization needs for its quality management system, and which the organization chooses to have performed by an external party.NOTE 3: Ensuring control over outsourced processes does not absolve your organization of the responsibility to conform to all customer, statutory, and regulatory requirements. The type and extent of control applied to an outsourced process can be influenced by factors such as:? Potential impact of the outsourced process on your organization’s capability to provide product that conforms to requirements? Degree to which the control for the process is shared? Capability of achieving the necessary control through the application of 7.4
Establish, document, implement, and maintain a quality management system. Continually improve its effectiveness in accordance with ISO 9001 requirements. Implement the system to:? Determine processes needed for the quality management system (and their application throughout the organization)? Determine process sequence and interaction? Determine criteria and methods for process operation and control? Ensure resources and supporting information are available? Monitor, measure where applicable, and analyze these processes? Implement actions to achieve planned results and continual process improvementManage these processes in accordance with ISO 9001 requirements. Define the type and extent of control applied to any outsourced processes that affect product conformity to requirements.NOTE 1: Processes needed for the quality management system include the processes for management activities (see 5), provision of resources (see 6), product realization (see 7), and measurement, analysis, and improvement (see 8).NOTE 2: An outsourced process is a process the organization needs for its quality management system, and which the organization chooses to have performed by an external party.NOTE 3: Ensuring control over outsourced processes does not absolve your organization of the responsibility to conform to all customer, statutory, and regulatory requirements. The type and extent of control applied to an outsourced process can be influenced by factors such as:? Potential impact of the outsourced process on your organization’s capability to provide product that conforms to requirements? Degree to which the control for the process is shared? Capability of achieving the necessary control through the application of 7.4
Update on ISO 9001:2008
Update on ISO 9001:2008
Following a recent meeting of ISO’s Technical Committee TC176 in Helsinki, Finland, from June
11 – 15t, 2007, publication of the new version of ISO 9001 has been brought forward from 2009
and is now scheduled to be published in October 2008. Experts representing over 70 ISO member
bodies, met to discuss the comments received during circulation of the Committee Draft (”CD”) of
the new standard, and concluded that in view of the very limited changes being proposed, the draft
is now sufficiently mature to progress directly to the DIS (Draft International Standard).
The main changes being introduced into the new standard are as follows:
Clause 0.2 (Process approach)
Text added to emphasize the importance of processes being capable of achieving desired outputs
Clause 1.1 (Scope)
Clarification that “product” also includes intermediate product
Explanation regarding statutory, regulatory and legal requirements
Clause 4.1 (General requirements)
Notes added to explain more about outsourcing
Types of control that may be applied to outsourced processes
Relationship to clause 7.4 (Purchasing)
Clarification that outsourced processes are still responsibility of the organization and must be
included in the quality management system
Clause 4.2.1 (Documentation)
Clarification that QMS documentation also includes records
Documents required by the standard may be combined
ISO 9001 requirements may be covered by more than one documented procedure
Clause 4.2.3 (Document control)
Clarification that only external documents relevant to the QMS need to be controlled
Clause 4.2.4 (Records control)
Editorial changes only (better alignment with ISO 14001)
Clause 5.5.2 (Management rep)
Clarifies that this must be a member of the organization’s own management
Clause 6.2.1 (Human resources)
Clarification that competence requirements are relevant for any personnel who are involved in the
operation of the quality management system
Clause 6.3 (Infrastructure)
Includes information systems as example
Clause 6.4 (Work environment)
Clarifies that this includes conditions under which work is performed and includes, for example
physical, environmental and other factors such as noise, temperature, humidity, lighting, or weather
Clause 7.2.1 (Customer related processes)
Clarifies that post-delivery activities may include:
- Actions under warranty provisions
- Contractual obligations such as maintenance services
- Supplementary services such as recycling or final disposal
Clause 7.3.1 (Design & development planning)
Clarifies that design and development review, verification and validation have distinct purposes
These may be conducted and recorded separately or in any combination as suitable for the product
and the organization
Clause 7.3.3(Design & development outputs)
Clarifies that information needed for production and service provision includes preservation of the product
Clause 7.5.4 (Customer property)
Explains that both intellectual property and personal data should be considered as customer property
Clause 7.6 (Now retitled Control of Monitoring and Measuring equipment)
Explanatory notes added regarding the use of computer software: “Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use.”
Clause 8.2.1 (Customer satisfaction)
Note added to explain that monitoring of customer perception may include input from sources such as customer satisfaction surveys, customer data on delivered product quality, user opinion surveys, lost business analysis, compliments, and dealer reports
Clause 8.2.3 (Monitoring / Measurement of process)
Note added to clarify that when deciding on appropriate methods, the organization should consider impact on the conformity to product requirements and on the effectiveness of the quality management system.
Following a recent meeting of ISO’s Technical Committee TC176 in Helsinki, Finland, from June
11 – 15t, 2007, publication of the new version of ISO 9001 has been brought forward from 2009
and is now scheduled to be published in October 2008. Experts representing over 70 ISO member
bodies, met to discuss the comments received during circulation of the Committee Draft (”CD”) of
the new standard, and concluded that in view of the very limited changes being proposed, the draft
is now sufficiently mature to progress directly to the DIS (Draft International Standard).
The main changes being introduced into the new standard are as follows:
Clause 0.2 (Process approach)
Text added to emphasize the importance of processes being capable of achieving desired outputs
Clause 1.1 (Scope)
Clarification that “product” also includes intermediate product
Explanation regarding statutory, regulatory and legal requirements
Clause 4.1 (General requirements)
Notes added to explain more about outsourcing
Types of control that may be applied to outsourced processes
Relationship to clause 7.4 (Purchasing)
Clarification that outsourced processes are still responsibility of the organization and must be
included in the quality management system
Clause 4.2.1 (Documentation)
Clarification that QMS documentation also includes records
Documents required by the standard may be combined
ISO 9001 requirements may be covered by more than one documented procedure
Clause 4.2.3 (Document control)
Clarification that only external documents relevant to the QMS need to be controlled
Clause 4.2.4 (Records control)
Editorial changes only (better alignment with ISO 14001)
Clause 5.5.2 (Management rep)
Clarifies that this must be a member of the organization’s own management
Clause 6.2.1 (Human resources)
Clarification that competence requirements are relevant for any personnel who are involved in the
operation of the quality management system
Clause 6.3 (Infrastructure)
Includes information systems as example
Clause 6.4 (Work environment)
Clarifies that this includes conditions under which work is performed and includes, for example
physical, environmental and other factors such as noise, temperature, humidity, lighting, or weather
Clause 7.2.1 (Customer related processes)
Clarifies that post-delivery activities may include:
- Actions under warranty provisions
- Contractual obligations such as maintenance services
- Supplementary services such as recycling or final disposal
Clause 7.3.1 (Design & development planning)
Clarifies that design and development review, verification and validation have distinct purposes
These may be conducted and recorded separately or in any combination as suitable for the product
and the organization
Clause 7.3.3(Design & development outputs)
Clarifies that information needed for production and service provision includes preservation of the product
Clause 7.5.4 (Customer property)
Explains that both intellectual property and personal data should be considered as customer property
Clause 7.6 (Now retitled Control of Monitoring and Measuring equipment)
Explanatory notes added regarding the use of computer software: “Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use.”
Clause 8.2.1 (Customer satisfaction)
Note added to explain that monitoring of customer perception may include input from sources such as customer satisfaction surveys, customer data on delivered product quality, user opinion surveys, lost business analysis, compliments, and dealer reports
Clause 8.2.3 (Monitoring / Measurement of process)
Note added to clarify that when deciding on appropriate methods, the organization should consider impact on the conformity to product requirements and on the effectiveness of the quality management system.
Useful Aids to Implement ISO 9001 Standards
Useful Aids To Implement ISO 9001 Standards
Many companies implement ISO 9001 without using all the available tools. As a result, some companies may not fully optimize their implementation. This issue could be manifested as confusion over terms, misunderstanding about requirements, and perplexity concerning intention.ISO, the International Organization for Standardization, based in Geneva Switzerland issues thousands of standards, but we limit our scope to ISO 9001:2008 and its immediate “family”.This includes ISO 9000:2005 and ISO 9004:20002. ISO 9001 is a general industry standard for quality management, but ISO also issues industry specific standards. Many of these standards, such as ISO 13485 for medical devices, are based on ISO 9001 and can also utilize these available tools.
In addition to the information discussed below, ISO also issues standards related to specific activities that may arises in a quality management system. The following lists these supporting documents.
Automotive ISO/TS 16949:2002Education IWA 2:2007Energy PC 242, ISO 50001Food safety ISO 22000:2005Information security ISO/IEC 27001:2005Health care IWA 1:2005Local government IWA 4:2005Medical devices ISO 13485:2003Petroleum and gas ISO 29001:2003Ship recycling ISO/PAS 30000:2008Supply chain security ISO 28000:2007
Many companies implement ISO 9001 without using all the available tools. As a result, some companies may not fully optimize their implementation. This issue could be manifested as confusion over terms, misunderstanding about requirements, and perplexity concerning intention.ISO, the International Organization for Standardization, based in Geneva Switzerland issues thousands of standards, but we limit our scope to ISO 9001:2008 and its immediate “family”.This includes ISO 9000:2005 and ISO 9004:20002. ISO 9001 is a general industry standard for quality management, but ISO also issues industry specific standards. Many of these standards, such as ISO 13485 for medical devices, are based on ISO 9001 and can also utilize these available tools.
In addition to the information discussed below, ISO also issues standards related to specific activities that may arises in a quality management system. The following lists these supporting documents.
Automotive ISO/TS 16949:2002Education IWA 2:2007Energy PC 242, ISO 50001Food safety ISO 22000:2005Information security ISO/IEC 27001:2005Health care IWA 1:2005Local government IWA 4:2005Medical devices ISO 13485:2003Petroleum and gas ISO 29001:2003Ship recycling ISO/PAS 30000:2008Supply chain security ISO 28000:2007
ISO 9000 and ISO 14000 in plain language
Both “ISO 9000” and “ISO 14000” are actually families of standards which are referred to under these generic titles for convenience. Both families consist of standards and guidelines relating to management systems, and related supporting standards on terminology and specific tools, such as auditing (the process of checking that the management systemconforms to the standard).
ISO 9000 is primarily concerned with “quality management“. In the everyday context, like “beauty”, everyone may have his or her idea of what “quality” is. But, in the ISO 9000 context, the standardized definition of quality refers to all those features of a product (or service) which are required by the customer. “Quality management” means what the organization does to ensure that its products or services satisfy the customer’s quality requirements and comply with any regulationsapplicable to those products or services.
ISO 14000 is primarily concerned with “environmental management”. In plain language, this means what the organization does to minimize harmful effects on the environment caused by its activities.
In addition, both ISO 9000 and ISO 14000 require organizations that implement them to improve their performance continually in, respectively, quality and environmental management.
Both ISO 9000 and ISO 14000 concern the way an organization goes about its work, and not directly the result of this work. In other words, they both concern processes, and not products – at least, not directly. Nevertheless, the way in which the organization manages its processes is obviously going to affect its final product.
In the case of ISO 9000, the efficient and effective management of processes is, for example, going to affect whether or not everything has been done to ensure that the product satisfies the customer’s quality requirements. In the case of ISO 14000, the efficient and effective management of processes is going to affect whether or not everything has been done to ensure a product will have the least harmful impact on the environment, at any stage in its life cycle, either by pollution, or by depleting natural resources.
However, neither ISO 9000 nor ISO 14000 are product standards. The management system standards in these families state requirements for what the organization must do to manage processes influencing quality (ISO 9000) or the processes influencing the impact of the organization’s activities on the environment (ISO 14000). In both cases, the philosophy is that management system requirements are generic. No matter what the organization is or does, if it wants to establish a quality management system or an environmental management system, then such a system has a number of essential features which are spelled out in the relevant ISO 9000 or ISO 14000 standards.
ISO 9000 is primarily concerned with “quality management“. In the everyday context, like “beauty”, everyone may have his or her idea of what “quality” is. But, in the ISO 9000 context, the standardized definition of quality refers to all those features of a product (or service) which are required by the customer. “Quality management” means what the organization does to ensure that its products or services satisfy the customer’s quality requirements and comply with any regulationsapplicable to those products or services.
ISO 14000 is primarily concerned with “environmental management”. In plain language, this means what the organization does to minimize harmful effects on the environment caused by its activities.
In addition, both ISO 9000 and ISO 14000 require organizations that implement them to improve their performance continually in, respectively, quality and environmental management.
Both ISO 9000 and ISO 14000 concern the way an organization goes about its work, and not directly the result of this work. In other words, they both concern processes, and not products – at least, not directly. Nevertheless, the way in which the organization manages its processes is obviously going to affect its final product.
In the case of ISO 9000, the efficient and effective management of processes is, for example, going to affect whether or not everything has been done to ensure that the product satisfies the customer’s quality requirements. In the case of ISO 14000, the efficient and effective management of processes is going to affect whether or not everything has been done to ensure a product will have the least harmful impact on the environment, at any stage in its life cycle, either by pollution, or by depleting natural resources.
However, neither ISO 9000 nor ISO 14000 are product standards. The management system standards in these families state requirements for what the organization must do to manage processes influencing quality (ISO 9000) or the processes influencing the impact of the organization’s activities on the environment (ISO 14000). In both cases, the philosophy is that management system requirements are generic. No matter what the organization is or does, if it wants to establish a quality management system or an environmental management system, then such a system has a number of essential features which are spelled out in the relevant ISO 9000 or ISO 14000 standards.
ISO 9001 – Compatibility with other management systems
ISO 9001 Standards In General
The adoption of a quality management system should be a strategic decision of an organization. The design and implementation of an organization’s quality management system is influenced by— its business environment, changes in that environment, or risks associated with that environment,— its varying needs,— its particular objectives,— the products it provides,— the processes it employs,— its size and organizational structure.It is not the intent of this International Standard to imply uniformity in the structure of quality management systems or uniformity of documentation.The quality management system requirements specified in this International Standard are complementary to requirements for products. Information marked “NOTE” is for guidance in understanding or clarifying theassociated requirement.This International Standard can be used by internal and external parties, including certification bodies, to assess the organization’s ability to meet customer, statutory and regulatory requirements applicable to theproduct, and the organization’s own requirements.The quality management principles stated in ISO 9000 and ISO 9004 have been taken into consideration during the development of this International Standard.
The adoption of a quality management system should be a strategic decision of an organization. The design and implementation of an organization’s quality management system is influenced by— its business environment, changes in that environment, or risks associated with that environment,— its varying needs,— its particular objectives,— the products it provides,— the processes it employs,— its size and organizational structure.It is not the intent of this International Standard to imply uniformity in the structure of quality management systems or uniformity of documentation.The quality management system requirements specified in this International Standard are complementary to requirements for products. Information marked “NOTE” is for guidance in understanding or clarifying theassociated requirement.This International Standard can be used by internal and external parties, including certification bodies, to assess the organization’s ability to meet customer, statutory and regulatory requirements applicable to theproduct, and the organization’s own requirements.The quality management principles stated in ISO 9000 and ISO 9004 have been taken into consideration during the development of this International Standard.
Subscribe to:
Posts (Atom)