Here’s a game I’ve played at every single QMS audit I’ve ever been involved with. I walk into a facility, pick a task at random — say, approving a supplier, or releasing a batch, or signing off on a design change — and ask the first three people I meet: “Who’s responsible for this?”
I have never once gotten three identical answers.
Typically it goes: “Well, Sam kind of handles that,” then “I think it goes through Purchasing, but QA has to sign off?” and then “Oh, that’s John — wait, no, John left in 2022. Maybe Marcela?” At which point someone runs off to find the org chart, which turns out to be a PowerPoint from two reorganizations ago featuring three people who no longer work there and one person who was apparently promoted to a title nobody can pronounce.
This, dear reader, is exactly what §5.5.1 is trying to prevent.
What §5.5.1 Actually Says
Section 5.5.1 — Responsibility and Authority — asks top management to do three small but non-negotiable things:
- Define responsibilities and authorities.
- Document them.
- Communicate them within the organization.
And then — this is the part everyone skips — top management must also document the interrelation of all personnel who manage, perform, or verify work affecting quality, and must ensure those people have the independence and authority they actually need to do their jobs.
Three verbs. One relationship map. One guarantee of real authority. The whole clause fits on a cocktail napkin. And yet it is the source of more audit findings in Section 5 than almost anything else.
Translation: What You Actually Have to Do
Let me spare you the monastic re-reading of the standard and tell you what this looks like in practice.
Define who does what. Every role that touches the QMS — from the CEO to the person who stamps the date on incoming inspection tags — needs a defined role. Not “we all kind of pitch in.” Defined. Specific enough that someone new to the job could read it and understand what is theirs, what isn’t, and what they’re allowed to decide without asking permission.
Document it somewhere findable. Job descriptions, an authority matrix, a RACI chart, the Quality Manual — whatever works. But it has to be a controlled document (hello, §4.2.4, old friend), and it has to be locatable in under fifteen minutes by someone who doesn’t work there. Auditors will test this. They will time you.
Communicate it. “Communicated” is not the same as “we posted it on SharePoint in 2019.” It means the people doing the job actually know what their authority and responsibilities are. If your receiving inspector thinks they can quietly release nonconforming material because “they probably meant to ship it anyway,” you have a communication problem. You also have an §8.3 problem, and frankly a career-ending problem sitting on a pallet somewhere.
Show how the roles connect. This is the interrelation piece. You need a visual — usually an org chart, sometimes supplemented by a process-role matrix — that shows how the personnel doing quality work relate to each other. Who reports to whom. Who hands off to whom. Who can veto whom. ISO doesn’t care whether your structure is a traditional hierarchy, a matrix, or something avant-garde and color-coded. But it must be documented, and it must be current.
Guarantee independence and authority for the people who verify quality. This is the sentence that matters most, and the one that gets finessed into irrelevance the fastest. The people performing QA, QC, internal audits, and nonconformance review must have the organizational authority to stop a shipment, flag a deviation, or halt a process — even when it inconveniences the VP of Operations. If your QA Manager reports to the head of Manufacturing and can be overruled on quality holds, you don’t have independence. You have a sock puppet in a lab coat.
Where This Falls Apart in Real Life
A few classics I see over and over:
- The phantom org chart. The version in your Quality Manual shows people who retired, moved on, or never worked there to begin with.
- The job description museum. Descriptions last updated when the company had half as many employees and a different ERP.
- The collapsed reporting line. QA reports to the COO, who also runs Production. Independence: gone. Objectivity: on life support.
- The “Everyone Is Responsible for Quality” poster. A lovely sentiment. Not a responsibility matrix.
- Authority without teeth. The QA Manager can put a hold on product — but only if Sales agrees. (Spoiler: Sales never agrees.)
What Auditors Actually Do
A good auditor will pick a task — say, “approving a design change” — and trace it through your QMS, asking four questions: Who does this? What is their authority? Who do they report to? Where is that documented? If you can answer all four consistently, with controlled documents in front of you, you pass. If three different people give three different answers, and the org chart shows a vice president named “TBD,” you don’t.
So do the unglamorous work. Update the org chart. Write the authority matrix. Walk around and ask your own people the questions an auditor will ask. Make sure the person in charge of quality can say “no” and have it stick.
Because if everyone owns quality, nobody does. And if nobody does, it’s your name on the box when the recall letter goes out.