ISO 9001 Quality Manual
Example Quality Manual
by Graeme C. Payne
The following is an introduction to the example quality manual for “Mythical True Value Metrology.” The purpose is to introduce and describe the example manual, and to discuss some of the concepts addressed in the manual. However, it is not a detailed discussion of specific clauses in a given conformance standard.
The example quality manual (QM) is designed for a service-providing organization that wishes to demonstrate conformance to the requirements of ANSI/ISO/ASQ Q9001-2008 American National Standard: Quality management systems — Requirements.1 The example manual also demonstrates that a single manual can be used to show conformance or compliance to a number of additional requirements, such as government regulations. There is no need to have a separate QM for each, but it is advisable to have a matrix showing how the QM addresses each set of requirements. In this case, the example QM is for an imaginary US airline, so certain items of the Federal Aviation Regulations are addressed.
Examples of other different areas that could be addressed in a QM include health and safety, environmental concerns, financial accounting, corporate ethics, major customer requirements, and more. The idea is that the “quality manual” should not be a static document seen only by the “quality” department – it should be a dynamic business operating manual that describes “how we do business” everywhere in your organization.
The company and location described are completely fictitious, as is the organization of the fictitious company.
On the cover page of the QM you will see a reference to a digital signature. The example manual does not actually have a digital signature, but one could easily be applied. A digital signature is not a typed version of the person's name, nor is it an image of a person's signature. A true digital signature, using a computer method called public-key encryption, is a code that becomes invisibly embedded in the document. Alternative names are public-key cryptography or RSA encryption (which is defined in the QM). A digital signature created using this method has two parts: a “private” key known only to the user, and a “public” key available to the world. In use as a signature, a document is “signed” using the signers private key. The signature can be verified by anyone who has the signer's public key. This serves two purposes. First, it authenticates the person who signed the document, since only that person has the private key. Second, it authenticates the document, since if any part of the document has been changed since it was signed, the verification will fail. A digital signature, then, proves that neither the signature or the document is forged or altered. Typed names and graphic images cannot do either – and neither can ink on paper.
The degree of control for copies of the QM, and other documents in the quality system, varies from one organization to another. If the documents are electronic, control can be greatly simplified provided everyone who needs it has access to the computer system where and when needed. As shown on this manual, any printed copy is uncontrolled, and any electronic copy that is not on the organization's main file server is uncontrolled. On the main file server, of course, there only needs to be one copy of the current version. When your people have access to the QM and other documents on the computer system, the need for printed documents goes down. That simplifies document control and reduces the amount of paper consumed.
Page-Level Revision Control
With an electronic document, such as this one, there is no need for old-fashioned page-level revision control. There is also no requirement for page-level control in the ISO 9000 system. In this example case, the entire QM is a single document. By the nature of electronic documents, if a single character anywhere in it is changed, then the entire document is changed. Also, the concept of “page” varies with the publication format. The example QM was prepared in the United States using OpenOffice.org Writer, and assuming US standard letter size paper (216 x 279 mm). Everywhere else in the world it would normally be prepared for A4 paper (210 x 297 mm), which would change where page divisions occur. If the document is saved as an HTML file (for use on a web page), then it could potentially be one continuous scrolling screen with no page breaks. If the document is saved as a binary object in a database, random sections could be extracted and displayed in any format. Therefore, revision control should appropriately be at the document level and not the “page” level, because “pages” may not exist.
It is strongly suggested, though, that the QM and other controlled documents be published as searchable, tamper-resistant documents. It is never good practice to make modifiable documents available to people who have no need to modify them. The portable document format (ISO 32000-1, Document management – Portable document format – Part 1: PDF 1.7) is a good choice. Software tools for the PDF format are available for most computer operating systems, so users are not restricted to particular platforms. The PDF format also has other advantages, including security, tamper-resistance, searchability, indexing, and more.
Organization of a Quality Manual
There is no requirement that the quality manual mirror the conformance standard. If the QM is used to demonstrate conformance to a number of requirements, it is impossible to do in a single QM. The manual should be organized in a way that is suitable for your organization, because your people are the ones using it every day. A simple matrix can be used to reference parts of the QM to requirements in the conformance standards.
Any terms that are specific to your company or industry, and used in the QM, should always be defined in the QM. Never assume that “everyone knows” what is meant – your next auditor may come from outside your industry. For example, consider the acronym “CMM.” That can mean coordinate measuring machine, capability maturity model, controlled maintenance manual, color matching method, coal mine methane – and many more, depending on the specific industry. Sharp readers will discover at least one acronym in the example QM that is not defined: MRO, which in this case stands for maintenance, repair and overhaul.
Scope of the Quality Management System
If the entire organization operates under the defined quality management system (QMS), then there is little need to specifically define the scope. If the QMS applies to only part of an organization, then the scope must be explicitly stated. In the example QM, only the metrology department of the organization is covered by the QMS; the assumption is that the rest of the organization does not have a system that conforms to ISO 9001. In the example QM, the scope is defined in section 2.7.
Size of the Quality Manual
Ever since ISO 9001:2000 was released, there has been much discussion on how big or small the QM should be. Realistically, it should be the size that is “just right” for your organization. Do not try to force it into an arbitrary (small) number of pages, but do not be overly verbose, either. The QM should be a top-level overview of how the organization operates and does business. Policies, procedures, work instructions, proprietary information and the like belong in separate documents. While the QM must be reviewed regularly, if a clause or section is changed every time then that part may be a candidate to be pulled out to a separate document.
When deciding what goes into the QM, remember the two main phases of an audit. First, your QM is evaluated against the conformance standard(s) to make sure all requirements are addressed satisfactorily. Then, your organization's operations and records are evaluated against your QM to verify that you are doing what you say you are doing. In the second phase, anything in your QM is fair game for the auditor to look at.
References to Other Documents in the QMS
One advantage of electronic documents is that links to other documents, of any type, can be embedded in the document. In the example QM, links are represented by blue underlined text, but they are simulated. In your real document, each link would actually point to a real document on your file server.
This ability makes control of documents easier. Provided the “live” current version always has the same file name, you do not need to change the links in the QM. Therefore, whenever someone clicks on the link, they will always – and only – see the current version of the referenced document. The older version can be saved under a different name; the easiest way to do that is to simply add the revision date, in ISO 8601 format2, to the file name. For example, assume that procedure QP 7600 with the revision date of November 10, 2005 is being replaced with a new version revised today. The old version would be renamed from “QP 7600.pdf” to “QP 7600 20051110.pdf” and the new one saved as “QP 7600.pdf”. No links have to be changed, and the date added to the old version file name uniquely identifies it.
Sharp readers will also note that a version of ISO 8601 date format appears in a number of places in the example QM. The date is always written with the biggest time unit (year) on the left and the smallest time unit (day of month for dates) on the right. One advantage is that the format is unambiguous and culture-independent. Another is that a date in this format (as part of the file name) is always sorted in correct order by a computer.
Certain clauses of ISO 9001 may be excluded from the QMS if they do not apply. The most common permissible exclusion is clause 7.3, Design and Development. However, it is generally not a good idea to simply omit the excluded parts from the QM. It is much better to include reference to them, specifically state that they are excluded and why, and what the plans are if the current situation ever changes. Section 7.3 of the example QM demonstrates that.
Functions Performed By others
In some cases, such as the case of the example QM, the scope of the QMS is so tightly defined that functions normally part of the QMS are actually performed by organizational departments that are outside the defined QMS. In the case of Mythical True Value Metrology, purchasing is an example of that. The metrology organization only has limited authority for small purchases; all others must go through the corporate purchasing department, which is not part of the QMS. In cases like this, the organization should do two things. First, the QM should describe what they can do, including the limits on it. The QM should also state that other parts of the parent organization – the parts outside the boundary of the defined QMS – are treated as suppliers or customers, as appropriate. This is shown in section 7.4 of the example QM. In a situation like this, it is also important that the parent organization be on the approved supplier list! In the example system, Mythical True Value Metrology has to be sure Mythical Airlines is on the approved supplier list for relevant services and products. (Note that Mythical Airlines is also a customer of Mythical True Value Metrology.)
Section 7.5.3 talks about “traceability.” When dealing with a calibration organization, it is important to always draw a clear distinction between the two most common – and misused – meanings of this term. As used in 7.5.3 of the example QM, “traceability” refers to physical traceability of a physical product: being able to take a part or assembly and unambiguously determining its ultimate physical origins. In many industries, such as aviation, this is important to prevent the introduction of inferior counterfeit parts into the manufacturing or maintenance operations. As used by metrology (calibration) organizations and in section 7.6, “traceability” refers to measurement traceability: being able to document the uncertainty of a measurement result relative to the appropriate unit of measure in the International System of Units. These are similar concepts, but in the first case traceability refers to the origins of a physical item, and in the second case it refers to the documented uncertainty of a measurement result – a number.
Conformance to Other Requirements
The example QM is for an organization that is (hypothetically) registered to ISO 9001 and also operates in a regulated industry. This means that there are cases where regulatory requirements may need to be addressed in the QM. Section 7.6.1 is an example of this. A specific regulatory requirement has been added to the QM in a logical place. The same can be done for other requirements – add them to the QM in a location where it makes sense in the organization of the manual. For example, if Sarbanes-Oxley compliance is a requirement, the logical place to add it might be the Management Responsibility section of your QM.
The example quality manual for Mythical True Value Metrology, a service-providing organization, is presented as an example and training aid. It demonstrates several issues of a quality management system, especially issues that may arise in a regulated industry or in a small department that is registered separately from the rest of the parent organization. While this is written to demonstrate how the organization meets the requirements of ISO 9001, the concept can be extended to any conformance or compliance requirement, or simply as a recognized best business practice.
1 This standard is the United States’ legal equivalent of the ISO 9001:2008 international standard.
2 ISO 8601, Data elements and interchange formats – Information interchange – Representation of dates and times. The current version is dated 2004. A digest and explanation of the standard is available at http://www.iso.org/iso/date_and_time_format