Audit of departments according to ISO 9001


After the publication of the new version of the ISO 9001:2015 standard, perhaps the most questions and discussions arise regarding one of the new requirements: the use of risk-oriented thinking (in English, “risk-based thinking”). I recommend watching the video "Main differences between ISO 9001:2015 and ISO 9001:2008".

On my blog, I wrote several articles on the topic of risk management (see articles: “Risk management instead of preventive actions”; “Risk management - basic steps”; “Risk management in business”, etc.). Continuing the topic, I decided to write about what “risk-oriented thinking” is in terms of ISO 9001:2015 and how to apply it.

Risk-oriented thinking means, first of all, the implementation by an organization of a set of agreed measures and methods to manage and control the numerous risks (positive and negative) affecting its ability to achieve planned goals. Risk-based thinking, in fact, replaces the requirement to take preventive actions from the previous version of the standard.

It cannot be said that risk-oriented thinking is a completely new requirement. It was always present in an implicit form in ISO 9001. In previous versions of the standard, including ISO 9001:2008, there was a requirement to predict and prevent errors and inconsistencies (implementation of preventive actions), which also relates to risk-oriented thinking. Organizations trained people, planned work, assigned responsibilities and authorities, checked results, conducted audits and inspections, monitored and measured processes. All these actions were aimed at avoiding mistakes and achieving success.

Thus, organizations have tried to manage their risks and opportunities. Therefore we can say that risk-oriented thinking has always been part of ISO 9001 and of organizational quality management systems. It is just that before it was implicit, and now it is explicit. So why did the developers of ISO 9001:2015 decide to make the use of risk-oriented thinking more explicit and, in effect, replace preventive actions with it? What new things should organizations do that they have not done before?

The fact is that preventive actions in most organizations were often carried out “for show”, out of the need to fulfill the ISO 9001 requirement, and not as a real tool for moving forward and for continuous improvement. Often, preventive actions were carried out at an inappropriate level and haphazardly. In addition, in many organizations, the responsibility for assigning and implementing preventive actions was given to a member of the quality team, who was unable to cover all the issues that truly impact the organization at the top level and contribute to continuous improvement.

To meet the requirements of the new version of the standard, organizations need to plan and implement actions in response to risks and opportunities.

The new standard expects organizations to systematically identify and effectively address risks that may affect their ability to provide compliant products and services and meet customer needs. It also expects organizations to identify the opportunities that can enhance their ability to deliver compliant products and services and satisfy their customers.

The new standard also expects organizations to identify risks and opportunities that may affect the performance of their quality management systems or disrupt operations, and then determine actions to address those risks and opportunities. Organizations must also determine how they are going to make these activities part of their quality management system processes, and how they will monitor, evaluate and review the effectiveness of these activities and processes.

According to the requirements of the new version of the standard, top-level managers must be involved in the process of identifying, recording, eliminating and mitigating risks. Given this, from the very beginning of the application of risk-oriented thinking in an organization, it will be possible to see that it is more effective than previously used preventive actions.

It is important that the identification of risks and the selection of appropriate risk management measures are included on the agenda of regular management meetings. Equally important is to ensure that the organization has established channels through which all employees at lower levels can convey their views upward to the management team.

Organizations will then have risk-oriented thinking that is led by a team of top managers who possess key strategic knowledge about threats and opportunities for the business, and at the same time is supported by information from all levels of the organization (some of which was previously unknown to them and, accordingly, was not considered).

Thus, instead of preventive actions, which previously were mainly carried out at a lower level, organizations are now offered risk-oriented thinking, led by a top management team that has complete and comprehensive information. Naturally, management decisions and subsequent actions resulting from such an approach, which draws on the participation of the entire company, will be more effective than the earlier preventive action process.

While risk-oriented thinking is now part of the new standard, the standard does not require a specific document describing the organization's risk-based approach. However, in my experience, it is better if it is described in a document to ensure consistency and uniformity of application throughout the organization.

I also recommend my article about another new requirement in ISO 9001:2015 - understanding the context of the organization.

It is worth taking a closer look at the changes in the sections.

Section 4. Organizational context.

4.1 Understanding the organization and its context. The context of the organization is a combination of internal and external factors that can influence the organization’s approach to developing and achieving goals (clause 3.2.2 of ISO 9000:2015). The new standard expects that before an organization sets out to establish a QMS, it understands its context: the obligations it has and its attitude towards them. The organization must understand its external environment, performance and structure and, based on this, determine the scope of quality management and the challenges that the system will face.
4.2 Understanding the needs and expectations of stakeholders. Stakeholder (3.2.3 of ISO 9000:2015). The 2008 version was tailored to the interests of the customer, whereas the 2015 version is concerned not only with consumers but with all interested parties in general: outside the organization, such as regulatory authorities, suppliers, partners, society, banks, etc., and inside it, such as the workforce, trade unions and youth organizations. Why is all this needed? For many companies, customers are not the key success factor, which is recognized in section 4. The new edition emphasizes the organization's responsibility to all stakeholders.
4.3 Determination of the scope of application of the quality management system. Now an organization can develop unique management systems to suit its needs.
4.4 Quality management system and its processes. In the 2008 version there were two pillars: process management and documentation management. Now there is one. There are practically no requirements on the availability of quality management documents. Guidance documents have been abandoned, and the main focus is on processes. Documentation management is moved to another section.

Section 5. Leadership.

In this section it is worth noting the reduction in the number of items. Now there is no need for a separate quality manual, and there is no need for a separate quality manager. However, the requirements remain; they are simply shifted from specific people to the entire leadership as a whole. The section also now emphasizes that management requirements apply to all managers, even if they have only one person subordinate to them.

Section 6. QMS planning.

Previously, quality management planning issues were covered in sections 4 and 7. Now the developers have emphasized the importance of a systematic approach to quality management: it must be carried out in a planned and systematic way. A change management system has been introduced, calling for systematic changes to the quality management system. The concept of risk management has emerged. Risk-based thinking replaces preventive actions, the standard now has clear management tools that simplify integration with other management systems, and there is no longer a need for a special document describing the organization's risk-based approach.

Section 7. Resources.

In the old version, the section was written with an emphasis on people. It was emphasized that there should be enough of them and that it was necessary to monitor their level of qualifications, constantly increasing it. The emphasis remains, but now there is also a point about managing documented information. Documented information is information that an organization needs to control and maintain (including the media on which it is located). The term was introduced to bring documentation and records together without the need to separate them. However, it should be emphasized that, as per notes 1 and 2, no one prohibits the use of terminology that is convenient for a particular enterprise. It is argued that knowledge is an important resource that needs to be managed. Instructions for managing the knowledge base are prescribed. After all, one of the features of information is that it becomes obsolete over time, and managing it is the path to its most rational use.

Section 8. Functioning.

Almost nothing has changed here, but now outsourcing and purchasing are managed under a general clause of the standard. Previously, there was a very clear point, the management of non-conforming products, but now these requirements apply generally to process outputs.

Section 9. Evaluation of performance results.

Quality management analysis is now included here.

Section 10. Improvements.

The key is that improvement is now the responsibility of the enterprise.

An important event in the world of standardization is planned for 2015, one that has been in development since June 2012. After analyzing data from a study of both actual and potential users of ISO 9001 and ISO 9004, conducted via the Internet in 10 languages among 11,722 respondents representing 122 countries, technical committee ISO/TC176 “Management and quality control” has released a truly innovative standard.

ISO 9001:2015 takes into account the current economic environment, global trends and the current needs of modern organizations, and lays a solid foundation for the development of subsequent generations of standards for decades to come.

To date, a preliminary version of the standard called ISO/DIS (Draft International Standard) has already been released. In January 2015 the International Organization for Standardization (ISO) will present the FDIS (Final Draft International Standard) version, which will be the last intermediate stage before the final approval and release of ISO 9001:2015 in September of this year.

Already at the DIS stage, the published texts of the standard provide the most objective idea of the final version, and the structure and provisions of the standard will not undergo major changes in the future. All innovations presented in the preliminary version of the ISO 9001:2015 standard are most likely to be included in the full version, perhaps with certain additions and explanations.

NEW STRUCTURE AND PRINCIPLES OF ISO 9001:2015

Probably the most radical difference from the previous version of the ISO 9001 series standard will be the qualitative evolution of the standard from a quality management system, as a set of rules for monitoring product nonconformities and corrective actions, internal audits, documentation and records, to business management systems in general. ISO 9001:2015 focuses on aspects of organizational leadership, organizational knowledge, process planning and delivery, performance measurement, improvement, and risk management. The new version also places emphasis on achieving satisfaction and creating value from the organization's products/services for all stakeholders.

ISO 9001:2015 sets a new standard for a unified structure not only in the ISO 9001 series, but also in other management systems. The structure is called the “High Level Structure”, and all new standards will be developed in accordance with it in the future.

The structure of ISO 9001:2015 will be based on the following list of sections:

0. Introduction (general information and basic concepts: PDCA cycle, risk management, process approach, relationship with other standards);

1. Scope of application of the standard;

3. Terms and Definitions;

4. Organizational environment (2 new sections related to the context of the organization have been introduced: 4.1 – Understanding the organization and its context, 4.2 – Understanding the needs and expectations of stakeholders, and the role of the process approach is more clearly defined);

5. Leadership (in the new version, the requirements for leadership, quality policy, and documentation of the responsibilities and powers of top management are strengthened and emphasized);

6. QMS planning (a new block of requirements has been introduced: Section 6.1 Activities to Respond to Risks and Opportunities, which requires the organization to establish a documented risk response plan);

7. Support (resources, competencies, staff awareness, interaction management, documented information);

8. Processes (process planning and management, development, release, control, change planning, external support, elimination of inconsistencies);

9. Functional assessment (monitoring, measurement, analysis, assessment of the organization’s performance and customer satisfaction, internal audit, QMS analysis);

10. Improvement (continuous improvement of products/services, as well as management systems, identification of inconsistencies and corrective actions).

The changes also affected the basic quality management principles. Instead of 8 principles, there are 7 left: the principle “Systems approach” has been cancelled, the principle “Mutually beneficial relationships with suppliers” has taken on a broader meaning and become “Stakeholder Relationship Management”, and the principle “The Role of Management” has become “Leadership”.

Principles of quality management

NEW ISO 9001:2015 TERMS

  • One of the most important innovations in the ISO 9001:2015 version of the standard will be the introduction of a new concept, "Organizational environment". This term covers the surrounding business environment as a combination of external and internal factors. When implementing a QMS and developing products and services, it is necessary to take into account the conditions of the organizational environment for strategic planning, analysis and risk assessment.
  • One of the components of the organizational environment is another new concept, "Interested party", by which we mean an individual or legal entity that has certain interests associated with the organization. These may be customers, suppliers, shareholders, partners, government and other parties.
  • The new term "Organization Knowledge" expands on the concepts of personnel competence and awareness found in previous versions of the standard. The organization shall identify, acquire and maintain the available knowledge necessary to ensure that the quality of products and services conforms to established requirements and consumer expectations. Knowledge may be distributed among competent personnel and physical/electronic storage media at the discretion of the organization's management.

REMOVED REQUIREMENTS AND CONCEPTS OF ISO 9001:2015

Let's move on to the requirements and concepts that we will no longer see in the new text of the standard. It is worth noting that some provisions have not completely disappeared from ISO 9001:2015, but have only moved from prescriptive to advisory status.

  • The requirement for the organization to develop a “Quality Manual” is not mandatory in the new version. The requirement for “six mandatory documented procedures” for quality management is no longer relevant. These provisions are considered obsolete, but organizations have the right to continue to apply them at their discretion;
  • The terms "record" and "document" are cancelled, largely due to the spread of electronic document management. Instead, the concept of "documented information" is introduced, describing the requirement for physical evidence of information storage (electronic or hard copies);
  • Section 4.3, which defines areas of application, no longer contains the concept of an "exception". Now organizations can independently decide which elements are not applicable to them, provided that the quality of goods and services does not suffer: "If any requirement of this International Standard cannot be applied, this shall not affect the organization's ability to ensure conformity of products and services.";
  • The term "outsourcing" has also been abolished and replaced by the concept of "external support". This concept is discussed in Clause 8.6, Control of products and services from external suppliers, which combines the requirements for procurement and outsourcing processes from ISO 9001:2008. Measures to ensure that externally provided goods/services comply with established quality requirements are determined based on risk analysis;
  • The concept "product" is replaced by "goods and services", shifting the focus to the end result, the value created for the client, and making the standard more flexible and universal;
  • In the 2015 version, the term "preventive measures" was abolished along with the relevant section. Preventive procedures become part of the risk management process;
  • The requirement to appoint Quality Management Representatives is removed. Management must now be directly involved in quality management.


Risk management is a required subject in almost every serious business course because business always operates under conditions of uncertainty. Uncertainty creates risks. Sources of risk include buyers and suppliers, technology and equipment, personnel and organizational rules.

The ISO 9001 standard, at its core, is one of the ways of risk management. Having summarized their experience, the creators of ISO 9001 realized that even companies that actually support quality management in accordance with the standard allow deviations in their work. The main reason for deviations is uncertainty beyond the scope of the standard. The occurrence of deviations in certified companies undermines confidence in the ISO standards system as a whole.

ISO 9001 has struggled with risk before. But in previous editions of ISO 9001, the section on preventive actions was highlighted as a separate component of the QMS. And since 2015, it was decided to integrate risk assessment, monitoring and management into the enterprise’s operating system.

The developers of the Standard emphasize that this change brings the Standard closer to people's real everyday life. Before crossing the road, a person always weighs the probability of being hit by a car against the expected benefit, the opportunity to catch a departing bus. He takes into account the traffic density, the distance to the intersection with a traffic light, the waiting time for the next bus, his own agility, and whether he needs to take the bus at all. Certain categories of people, such as drivers, athletes and doctors, assess risks and opportunities professionally.

ISO 9001:2015 requires companies to consider risks continuously and systematically. Thus, preventive actions will be carried out during planning, during operational activities, and during subsequent analysis of work. At the same time, the organization increases the stability of product quality and the likelihood of achieving its goals. Footballers who know how to turn risks into opportunities better than others become champions. Organizations become successful because they intuitively or consciously apply risk-based thinking. This is exactly what ISO 9001:2015 calls everyone to do.

Analysis and methods of risk management

So, in 2015, the developers of ISO 9001 put forward an additional requirement for obtaining a certificate of conformity: “The organization must determine the external and internal factors ... affecting its ability to achieve ... the results of the quality management system.” From September 2018, a company will not only have to formulate rules of conduct for different situations, as required by the previous standard, but also introduce a new method of risk management: a mechanism for responding to previously unknown events, a response that will ensure consistent product quality.

To comply with ISO 9001:2015, companies should monitor their status after identifying potential sources of risk so that those risks can be managed by acting directly on the sources. In the Russian state standard GOST R ISO/IEC 31010, more than 30 analysis methods are given as examples: from brainstorming to Monte Carlo simulation.

Theory of Constraints (TOC) and the Method of Thought Processes

Theory of Constraints

The Theory of Constraints has been used for many years to reduce risks in the world's leading companies (Amazon, Boeing, General Electric and many others) and has proven itself well.

When a well-defined area of risk management is applied to a company's individual needs, target audience, perceptions and criteria, it is necessary to establish the "context" of the organization to begin risk management. Establishing context will capture the organization's goals, the conditions under which the organization is attempting to achieve its goals, stakeholders, and a variety of risk criteria, each of which will help identify and evaluate the nature and complexity of the organization's risk.

A convenient practical way to identify the main sources of risks and analyze them is provided by the Theory of Constraints (TOC). This is the thought process method. We have been using it for several years now. It is advisable to involve all key specialists of the enterprise in analyzing the risks of the external and internal environment with this tool.

After the risks have been identified and initially assessed, they will need to be neutralized. TOC has several solutions in its arsenal for various environments with uncertainty: production, design, purchasing. These solutions represent a planning and execution system that takes into account the main risks, risk monitoring and timely decision-making to prevent them.

  • Sales management
  • Product Management
  • On September 15, 2015, the ISO 9001:2015 standard was officially published. Almost immediately, certification of quality management systems against this version of the standard became available. ISO 9001:2008 will be in effect until September 2018, which means that organizations that want to maintain ISO 9001 quality management system certification, but have not yet switched to the new version, have only one year left to upgrade their existing system. But let's start in order, and as a simple example we will sometimes reflect on the process of transporting water through a pipe, so that the topic of the article is clear even to a reader who is far from management.

    Why would it not be possible to increase the price of goods or services in the example and receive 3 rubles for each repetition of the process? The principle of customer orientation carries over from previous versions of the standard into the new one and is fundamental to quality management.

    Quality of products and services produced by an organization is the ability to satisfy consumers. It is also determined by the expected or unintended impact on other stakeholders.

    Quality = Value of the product or service / Cost of the product or service

    In order to satisfy human needs, a product must have certain properties, and the degree of correspondence between the properties of a product and the needs satisfied with its help determines the quality of the product. Currently, the measure of product quality is the degree of consumer satisfaction, determined by the ratio of cost and value (use value) of the product or service.

    For the consumer, expected value is the cost of a valuable (correctly made from the consumer's point of view), defect-free product. People will use a manufacturer's product if they are satisfied with its value V (the need to purchase it and the set of quality parameters offered) and its cost C. Companies that do not satisfy the needs of consumers either in V or in C soon find that customers leave them, and they lose their market share to more professional competitors who better understood customer needs. The higher the level of customer satisfaction, the greater the opportunities for business development.

    Based on this approach, three situations should be considered.

    1. V = C. This is a neutral situation. The consumer's expectations were confirmed, and the manufacturer recouped its costs and received the planned profit, as it expected, in accordance with the implemented quality parameters. This occurs only when the values of V and C set by the manufacturer coincide with the values expected by the consumer.

    2. V > C. The consumer is satisfied. At the same time, the manufacturer is interested in obtaining greater profits by increasing the selling price of its products, and in this case it would be more satisfied with the ratio V < C. Competition with other manufacturers balances the interests of the consumer, V > C, and the interests of the manufacturer, V < C.

    3. V < C. The consumer is not satisfied, and in most cases the purchase may not take place. The manufacturer begins to lose the customers it has acquired. That is why a business with this ratio of V to C has always been considered a bad business.

    Senior management must demonstrate leadership and commitment to customer focus by ensuring that:

    • customer requirements and applicable legal and regulatory requirements are defined, understood and consistently met;
    • risks and opportunities that may affect the adequacy of products and services and the ability to improve customer satisfaction are identified and addressed;
    • the focus is on increasing customer satisfaction.
    Briefly, in our example, in a competitive environment you cannot raise the price to 3 rubles while the value for the consumer stays the same, as this will reduce the quality of the product or service. The greatest profitability will be shown by the competitor who, through risk-oriented thinking, can reduce quality losses in processes.

    The article begins with a consideration of an example of water transmission through a pipe; now let’s figuratively replace the system of all organizational processes with a water supply system consisting of individual sections of pipes.


    The point of the quality management system is to deliver “water” without loss through this “water supply”, while the consumer must receive exactly the “water” that he wanted, in the right amount, with the required characteristics, at a competitive price and on time.

    Why do they not like QMS?

    The organization must, to the extent necessary:
    1. develop, update and apply documented information to ensure the functioning of processes;
    2. record and retain documented information to provide confidence that these processes are carried out as planned.
    Documented information is a new term in 2015, previously the 2008 standard spoke of “documentation, quality manual, documented procedure, records.” Documented information required by the quality management system and ISO standard shall be controlled to ensure:
    1. its availability and suitability where and when it is needed;
    2. its sufficient protection (for example, from breach of confidentiality, from improper use or loss of integrity).
    Why? Plumber Ivanov, under whose responsibility a significant length of water pipeline had come over time, left in an unknown direction without informing anyone. He alone knew the details of the infrastructure, and the accident that occurred could only be eliminated with an understanding of the structural features of the water supply system. New specialists need time, while consumers suffer without water and demand that management of the water supply be handed over to competitors.

    Once in this situation, management has a clearer understanding of this requirement of the standard. The requirement for competence also relates to this issue:

    The organization must:

    1. determine the necessary competence of the person(s) performing work under its control, which affects the performance and effectiveness of the quality management system;
    2. ensure the competence of these individuals based on appropriate education, training and/or experience;
    3. where applicable, take actions to achieve the required competence and evaluate the effectiveness of the actions taken;
    4. record and retain appropriate documented information as evidence of competence.
    Note: Applicable actions may include, for example, providing training, mentoring, or redistributing responsibilities among existing employees, or hiring persons with the required level of competence.

    Why certification?

    It is possible to satisfy customer needs as effectively as possible without certification.
    Receive more favorable lending conditions, comply with the terms of tenders and competitions, increase loyalty to the company on the part of authorities and partners? Perhaps it will help.

    By choosing you as an external supplier of goods or services, a business makes you a link in the chain of its business processes. It is not always possible to find out how things are going at the supplier, so having a certificate of compliance with the requirements of the ISO 9001 standard will be a positive signal for the client.