What You Need And What You Don't
ISO 9001 is the international standard for quality management systems (QMS). You can apply it to any organization and although it began as a relatively prescriptive document, the 2015 revision has no specific requirement for you to document procedures.
So, if the standard can apply to any organization, no matter what the industry, and there are no instructions about what procedures to record, how's a business to know which procedures to document?
Let's break that question down and start with the "how can the same standard apply to all organizations" element.
It is possible for one standard to apply to any organization because ISO9001 specifies what you need for the framework of your QMS and not the detail of your business operations. You can think of it in the same way as the tax system, except it doesn't involve the pain of paying a percentage of your profits each year. However, you will see some industry specific standards.
There are several industry specific standards which use ISO 9001 as a foundation.
The existence of these standards would, at first glance, appear to contradict the assertion that ISO 9001 is suitable for all businesses. But the standard covers only the framework of the system. It does not apply to the specific risk management, operational procedures or organizational outputs of an organization.
Some industries have complex statutory, regulatory, and customer requirements against which they, and/or their products and services, are assessed. To avoid maintaining separate management systems for quality management, regulatory compliance, customer requirements, etc. These industries develop their own standards which roll these elements into one "mega-standard" which is ISO 9001 plus the rules, regulations, and requirements specific to their sector.
The good news is that we developed Keeni.Space for businesses requiring operating procedure software to facilitate operations for rocket launches and space vehicles, where time is a premium and safety is vital. The Keeni platform combines years of lessons learned from the field, with stringent regulatory conditions and processes, to produce an intuitive management system. The Keeni is now deployed in industries beyond aerospace.
Now onto the next piece of our opening question "no instructions about which procedures to record".
In a change from previous versions, ISO 9001:2015 no longer has a requirement for any specific documented procedures. Which sounds like a fabulous excuse to throw caution to the wind, dump all of your documented procedures, save the time and effort spent in maintaining them, and do something less boring instead.
However, don't get too excited just yet.
While the standard does not require any specific procedures, it says that you must document and maintain the information you need to ensure your quality management system is effective.
The clause in question, clause 7.5.1 (b), states that:
"The organization's quality management system shall include documented information determined by the organization as being necessary for the effectiveness of the quality management system."
"Documented information" is the phrase now used in all ISO standards and covers every kind of document.
"Determined by the organization" this is the part of the clause which gives an organization the freedom to decide which elements of their system need procedures and documented information.
However, an organization must be able to show:
External auditors may ask organizations to justify the exclusion of any procedures and documented information from the quality management system.
"Necessary for the effectiveness of the quality management system." Meaning a way of ensuring an element of the system works - for example through procedures.
Now we know what the standard says about procedures we can get to "how's a business to know which procedures to document?"
While ISO 9001:2015 does not specify specific procedures, Keeni provides example procedures for your ISO Quality Management System. Signup and we will email them to you.
The standard requires an organization to apply a risk management approach to its quality management system, and it is this approach which will dictate which procedures you generate or identify as crucial for control.
The logical next step is that if the procedure is crucial for control, you should document that procedure, and everything else associated with it. These documents then become part of your quality management system.
Therefore, when deciding which procedures to document in your QMS, you need to split your thinking into two streams.
Stream one is the quality management system structure itself. These are the elements such as the control of documented information and the control of non-conformities and corrective action.
Stream two is the operations of your organization. These are the procedures that control the crucial steps in your organization's processes.
This is the easier of the two streams of procedures to identify and document, because while the exact detail of the procedure will vary from organization to organization, the requirement for and the overarching purpose of the procedure itself will be the same.
As a result, organizations should establish documented procedures to:
While ISO 9001:2015 does not specify specific procedures, Keeni provides six example procedures for your ISO Quality Management System:
Signup for free and we will email these six example procedures to you.
Remember way back at the beginning of this article when we spoke about documented information which is "necessary for the effectiveness of the quality management system"?
In order for the quality management system to be effective, an organization must:
Some of this documented information will be procedures.
Therefore, to identify the procedures specific to the needs of your organization, you must first have a clear picture of the processes that make up your business. Then you need to identify the points in those processes where there are potential risks to your business.
You can begin this exercise by using process mapping.
Almost everything we do involves a process whether it's making coffee at home or building rockets at work. The only difference is the complexity and number of the processes involved.
When mapping the processes of your organization you need to start by brainstorming what you do at a macro-level and then break that information down into the individual processes which make it happen. Finally, you would keep breaking those down until you arrive at a point where the process can no longer be broken down into a smaller process. For example:
Macro: We bake, distribute, and sell pies.
Baking the pies breaks down into other processes such as:
And so on.
Once you break down all of your processes, it's time to take a look at each one to determine if deviation from that process, or a problem with the inputs and outputs of that process will present a risk to your business.
Using the "baking pies" example again, this was broken down into constituent processes, one of which was measuring ingredients. Risks to the business, if something goes wrong with this process might include:
And so on.
Once you know which processes have potential risk factors, you can control those processes with procedures.
These are the procedures you should consider documenting for your ISO 9001 quality management system.
Some people use the words process and procedure interchangeability, but they are two different things.
A Process is WHAT you do.
A Procedure is HOW you do it.
Using our now familiar baking example, measuring ingredients is the process and the step-by-step of "take the bag of flour to the scales and weigh out 15 lbs of flour directly into the mix bowl" etc. is the procedure we use.
To document a procedure, you must first brainstorm exactly what happens in that procedure, step by step. This is best done in partnership with the people who carry out the procedure.
Buy in from all stakeholders will ensure the continued use of a documented procedure and help prevent, "Oh yes, I know we have that procedure written down, but it doesn't work so we ignore it and do it like this."
The procedure itself should detail:
Once you have documented the first drafts of your procedures, you should implement a management system. Digitizing operating procedures with modern software is the foundation for an effective ISO 9001:2015 certification. Thriving businesses use procedures for ISO certification to remove human error from their operations and incorporate constant process improvement into their daily routines. Keeni operating procedure software helps organizations transition from paper procedures, procedures in Word docs and PDF files, or spreadsheets in Excel to a system-oriented approach.
With Keeni you can easily upload the document for your procedure. Keeni converts the document into a procedure template that you can then make actionable. Engagement with your procedures is critical. Keeni gives you all the functionality you need to make your business processes actionable, auditable, and compliant for your ISO certifications.
ISO 9001 no longer requires you to have a hard copy of your management system or the procedures that are included.
It is perfectly acceptable to only have procedures in an electronic format.
If you choose to have a purely electronic QMS, you will have to show how you maintain and control not only the documented information itself but the medium in which it is created and used.
ISO 9001 does not prescribe any specific documented procedures as part of a standard compliant management system. What it says is that an organization must document procedures necessary for its effective operation.
There isn't a list of documented procedures, you must have. Instead, work out which documented procedures you should have.
Once you have your procedures documented in an electronic format such as a PDF or Word document, use Keeni as the management system for your digital workflows. Keeni procedure software improves team productivity and quality control.
While ISO 9001:2015 does not specify specific procedures, Keeni provides six example procedures:
Signup for free and we will email these six example procedures to you.