ISO 9001 2008 Interpretation

Interpretations of The StandardISO 9001:2008

1 OF 31

This document is created to serve as a guidance tool for common understanding on the intentof the standard and providing clarification of the text.In order to claim conformity with ISO 9001: 2008, the organization has to be able to provideobjective evidence of the effectiveness of its processes and its quality management system.‘Objective evidence’ as is defined as ‘Data supporting the existence or verity of something’and notes that ‘Objective evidence may be obtained through observation, measurement, testor other means’. Objective evidence does not necessarily depend on the existence ofdocumented procedures, records or other documents, except where specifically mentioned inISO 9001:2008. In some cases, it is up to the organization to determine what records arenecessary in order to provide objective evidence.

ISO 9001:2008 InterpretationsElement 4: Quality Management System

4.1: General

Section 4.1 includes the general requirements that must be met in order to establish,implement and continually improve the effectiveness of a quality management systemmeeting the requirements of the standard. These requirements are referenced to and/orfurther defined in subsequent clauses of the standard. Table A, shown below, contains thecross-linked references.

Continual improvement of the effectiveness of the quality management system may bereflected in a number of different areas. These may include:

Quality objectives; Corrective and preventive actions; Internal audits; External audits; Review of customer satisfaction surveys and associated action items; Operation meetings producing improvement actions; Actions initiated by suggestion programs; Process Changes; Infrastructure and environment changes; Management Reviews

If continual improvement has become a way of life for a company, it is unlikely that ademonstration of company wide continual improvement will come from only a few sources.

System deterioration would not necessarily lead to non-conformity if all actions were positiveand the improvement path is still evident and logical. The system would be questionable ifthe company did not recognize it or had not reacted to the issues appropriately.

Note: It is the responsibility of the company to demonstrate improvement ratherthan the auditor to look for it.

4.1 a) Process identification – It is expected to see a process model that explains the keyprocesses of the business and how each relates and links to the others. The depth of processexplanation may be as detailed as the company chooses, but should be based on its customer


2 OF 31

and applicable regulations or statutory requirements, the nature of its activities and its overallcorporate strategy. In determining which processes should be documented the organizationmay wish to consider factors such as:

Effect on quality Risk of customer dissatisfaction Statutory and/or regulatory requirements Economic risk Effectiveness and efficiency Competence of personnel Complexity of processes

4.1 b) Sequence and interaction of these processes – The interactions of the processes mustsomehow be described in the quality manual (4.2.2 c). The organization is not required toproduce system maps, flow charts, lists of processes etc. as evidence to demonstrate that theprocesses and their sequence and interactions were identified. Such documents may be usedby organizations should they deem them useful, but are not mandatory. Graphicalrepresentation such as flow-charting is perhaps the most easily understandable method fordescribing interactions between processes. Other possible methods may include:documentation prepared for implementation of the product management system; deploymentflowcharts; and pictorial diagrams.

4.1 c) Criteria and methods needed to ensure that both the operation and control of theseprocesses are effective. This could be demonstrated with stated objectives, instructions and orprocedures as required for consistent output of the processes.

4.1 d) Ensure the availability of resources and information necessary to support theoperation and monitoring of these processes. This may be through Management Review orother methods for defining and determining resources.

4.1 e) Monitor, measure and analyze these processes - All identified processes are subject torequirements for monitoring, measurement, and analysis for needed improvement. Themethods employed and the timing of such analysis should be based upon prioritiesestablished by the organization. It is expected to set measurable objectives established foreach process. These objectives should support the organization’s overall objectives.

4.1 f) Implement actions necessary to achieve planned results and continual improvement ofthese processes – Same as described above. It is expected to see corrective action taken whenmeasurable objectives fall below target or defined action level.

Outsourced Processes: Outsourced processes must be controlled by the organization andthese controls must be defined/described within their system. Organizations are required toidentify the controls they apply for any outsourced processes. This does not necessarily haveto be documented in the quality manual or written documentation. Examples of someoutsourced processes are:

Process completed wholly or partially by a sister facility outside the scope ofregistration. Such as corporate performing design, purchasing or customer relatedprocesses. This may include the entire element or a subsection i.e. corporate


3 OF 31

completes supplier evaluation and re-evaluation of suppliers and the registered siteinitiates purchase orders.

Processes completed by an outside vendor or subcontractor such as heat treating,plating, calibration, painting, powder coating, etc.

Objective evidence must be ascertained to ensure that these processes are being controlledbeyond the basic purchasing requirements, which are focused on controlling products notprocesses. The organization is responsible to ensure that the outsourced process is meetingapplicable requirements to ISO9001:2008. Outsourced processes may be controlled throughsuch methods as (not limited to):

Internal Audits Internal Agreements between two sites where only the audited site is under the scope

of registration (Interface Agreements) Process performance data Purchasing Process

ISO/TC 176/SC 2/N 630R2 ISO 9000 Introduction and Support Package: Guidance on'Outsourced Processes: An outsourced process can be performed by a supplier that is totallyindependent from the organization, or which is part of the same parent organization (i.e. aseparate department or division that is not subject to the same quality management system).It may be provided within the physical premises or work environment of the organization, atan independent site, or in some other manner…… The organization has to demonstrate that itexercises sufficient control to ensure that this process is performed according to the relevantrequirements of ISO 9001:2008, and any other requirements of the organization’s qualitymanagement system. The nature of this control will depend, among other things, on theimportance of the outsourced process, the risk involved, and the competence of the supplierto meet the process requirements.

TABLE A: Cross-linked references4.1 General requirements Relevant further clausesa) Identify the processes, including

outsourcing, needed for the qualitymanagement system and their applicationthroughout the organization (see 1.2),

5.4.2 QMS planning7.1 Planning of product realization8.1 General

b) Determine the sequence and interaction ofthese processes,

5.4.2 QMS planning7.1 Planning of product realization4.2.2 (c)

c) Determine criteria and methods needed toensure that both the operation and controlof these processes are effective,

7.1 (c)7.3.3 (c)7.4.1 (Criteria for selection)7.5.2

d) Ensure the availability of resources andinformation necessary to support theoperation and monitoring of theseprocesses,

Whole of 6

e) Monitor, measure, and analyze theseprocesses, and,

Whole of 8.2

f) Implement actions necessary to achieve Whole of 5, 6, 7 and 8


4 OF 31

planned results and continualimprovement of these processes.

These processes shall be managed by theorganization in accordance with therequirements of this International Standard.

Where an organization chooses to outsourceany process that affects product conformitywith requirements, the organization shallensure control over such processes. Controlof such outsourced processes shall beidentified within the quality managementsystem.

4.2: Documentation Requirements

4.2.1: General

The Quality Management System (QMS) “documentation” shall include:

4.2.1 a) Statements showing the organization’s quality policy (see 5.3) and quality objectives(see 5.4.1).

4.2.1 b) A quality manual (see 4.2.2).

4.2.1 c) Procedures that this standard requires (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3).

4.2.1 d) Documents that the organization will need to ensure that the planning, operation, andcontrol of their processes is effective.

4.2.1 e) Records that this standard requires (see 5.6.1, 6.2.2, 7.1, 7.2.2, 7.3.2, 7.3.4, 7.3.5,7.3.6, 7.3.7, 7.4.1, 7.5.2, 7.5.3, 7.5.4, 7.6, 8.2.2, 8.2.4, 8.3, 8.5.2, and 8.5.3).

4.2.2: Quality Manual

Exclusions from the quality management system must be described and justified within thequality manual (see 4.2.2 a). The documented procedures established for the qualitymanagement system must be included or cross-referenced in the quality manual (see 4.2.2 b).A description of the interaction between the organization’s processes needs to be identified inthe quality manual (see 4.2.2 c).

The applicable processes might include those relating to four general categories: 1)Management Activities, 2) Resource Management, 3) Product Realization, and 4)Measurement and Monitoring.

Manual content and design - There are many ways of documenting the quality managementsystem and organizations should adopt the approach that is most useful for effectiveoperation of their system.


5 OF 31

Examples include:

Flowcharts; Written text; Diagrams; System maps; Process maps; Process Turtles.

The quality manual may have many forms. Although many organizations structure theirdocumentation in a typical pyramid, it is not the only, and not always the most suitable, way.A quality manual doesn't have to exist as a separate document. The quality manual may:

Be a direct collection of QMS documents including procedures; Be a grouping or a section of QMS documentation; Be more than one document or level; Be in one or more volumes; Be a stand alone document or otherwise; Be a collection of separate documents.

The ISO 9001:2008 standard offers companies a possibility to establish effective, user-friendly systems. This edition offers the current users a unique opportunity to streamline theirquality management system documentation.

A separate document "addressing" all the clauses of the standard is not required by thestandard - neither does the standard require the quality manual to "address" or "cover" therequirements of the standard. The manual may be documented specifically to theorganizations processes.

4.2.2 a) Scope – The organization may exclude portions of the standard that do not apply totheir quality management system due to the nature of the product or service that they supply.ISO 9001:2008 clearly limits and identifies which activities may be excluded. Thejustification for exclusion and those considered not applicable must be clearly documented inthe quality manual. If, for example, design does not apply to the quality management system,the standard stipulates (in section 1.2 Application) how a reduction in scope of the standardmay be justified and documented within the quality manual. The exclusion applicability shallbe within the clause Design and Development (7.3) only. All other potential exclusionswithin section 7 must be identified as not applicable or not applicable.

The scope of the QMS should be based on the nature of the organization's products and theirrealization processes, the result of risk assessment, commercial considerations, andcontractual, statutory and regulatory requirements.

If an organization chooses to implement a quality management system with a limited scope,this should be clearly defined in the organization's Quality Manual and any other publiclyavailable documents to avoid confusing or misleading customers and end users (this includes,for example, certification/registration documents and marketing material).

Note: For multi-site/corporate certifications, it is expected to see that one quality manual isapplicable for all sites and that any changes are centrally controlled (see 4.2.3)


6 OF 31

4.2.2 b) Documented Procedures – The manual must include reference to, at a minimum thesix required documented procedures (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3). The manualmay reference other documentation but must list those required documents in some format.This may be in the form of a link or other such reference.

The notes after sub clause 4.2.1 in ISO9001: 2008 make it clear that where the standardspecifically requires a ‘documented procedure’, the procedure has to be established,documented, implemented and maintained. It also emphasizes that the extent of the QMSdocumentation may differ from one organization to another due to:

The size of the organization and the type of activities; The complexity of processes and their interactions and The competence of personnel

4.2.2 c) Interaction between processes – This requirement ties closely to section 4.1 b), whichis discussed in the previous paragraphs. The interactions between the quality managementsystem processes do not have to be separately described, or illustrated, by charts, tables ormaps. Although many organizations may choose such a form, it is not a mandatorymethod. Interaction between processes may be described, for instance, by way of referencesand/or cross-references within the procedures, where the procedures form part of the QualityManual.

4.2.3: Control of Documents

A documented procedure is required for control of documents.

4.2.3 a) Approve documents – procedure must identify the approval process.

4.2.3 b) Review and update – All management system documentation must be covered bysome review strategy. The procedure must identify a period of time (at least annually) inwhich all documents are reviewed on an ongoing basis. A method must be in place to showreview was completed where there were no changes. Those documents that are updated mustbe put back through the organizations required approval process (4.2.3 a).

4.2.3 c) Changes and current revision status – The procedure must identify how changes andrevisions to documents are identified. These must be identifiable for each document. Howdoes the user know what the changes are?

4.2.3 d) Availability of documents – procedure must identify how documents are madeavailable to employees. Auditor will expect to see that documents are readily available toemployees through out the facility at their points of use.

4.2.3 e) Documents are legible and readily identifiable – auditor will expect to see thatdocuments are maintained and remain legible and easily identifiable.

4.2.3 f) Documents of external origin – Documents of external origin are those that areproduced from outside the organization that are used by the organization in support of thequality management system processes. The procedure must address if documents of externalorigin are applicable and if so how these documents are controlled by the facility. The auditor


7 OF 31

expects to see that controls are in place to ensure current versions are used and documents arecontrolled within the facility.

4.2.3 g) Obsolete documents – Procedure must address how obsolete documents arecontrolled to prevent unintended use and if retained how these documents are identified.

Note: For multi-site/corporate certifications the auditor will expect to see that Systemdocumentation and changes are centrally managed (usually performed at the headquarterslocation).

4.2.4: Control of Records

Records required by the organization may be in any format deemed suitable for theorganizations method of operation. A documented procedure must be in place and define thecontrols needed for:

Identification – the procedure must identify the system/process is in place to identifyrecords.

Storage – where records are stored – specific location i.e. Quality filing cabinet in theQC Laboratory.

Protection – how individual records are protected i.e. tape back up every 24 hours (forelectronic records), fireproof safe, filing cabinet etc.

Retrieval – any special requirements for retrieval. Generally dependant on locationand protection. May be a request process.

Retention time – identification of how long each record will be maintained. Disposition of records – method for disposing of records i.e. shredding, burned, trash

A spreadsheet or other document may be used to identify the above requirements.

Element 5: Management ResponsibilityThis section has nine references to top management. Top Management is “person or groupof people who directs or controls an organization at the highest level”. It is thereforeessential to examine top management’s commitment to, and support for, the QMS (and torecord objective evidence to support any conclusions reached).

5.1: Management CommitmentObjective evidence of management commitment can be obtained (and recorded) fromfollowing:

5.1 a) Evidence that top management has communicated to the organization theimportance of meeting customer requirements as well as statutory and regulatoryrequirements. This can be achieved through meetings, newsletters, bulletin boards,training records etc.

NOTE - statutory and regulatory requirements are broad based and include all applicablerequirements for processes, products and activities.


8 OF 31

5.1 b) Top Management’s establishment of and input into, and commitment to, the qualitypolicy (its definition, delivery and maintenance) through management review or othermeetings.

5.1 c) Documented quality objectives (for all processes).

5.1 d) Top Management’s active participation in management review meetings.

5.1 e) Evidence of a process for defining resource requirements and ensuring thatadequate resources are available.

In short, how well they address requirements 5.2 through 5.6.

5.2: Customer Focus

Customer requirements and customer satisfaction are directly linked with the processapproach concept in the standard. It is necessary to seek objective evidence to demonstratethat the customer requirements are indeed being met, whether the satisfaction is revealed incustomer survey results, repeat sales or any other type of mechanism that would reveal trendsand lead to improved customer satisfaction. Management review minutes might be a recordwhere Customer Focus is addressed. Quality plans and or product plans that include customerrelated requirements can also be looked as documents having customer focus.

5.3: Quality Policy

It is expected that there is evidence that Top Management fully back the quality policy. Thestandard identifies five specific points which requires that top management ensures that thepolicy;

5.3 a) Is appropriate to the purpose of the organization

5.3 b) Includes a commitment to meeting requirements and to continual improvement ofthe quality system

5.3 c) Provides framework for establishing and reviewing quality objectives

5.3 d) Is communicated and understood at appropriate levels in the organization

5.3 e) Is reviewed for continuing suitability.

It is important to determine that Quality Policy meets the intent and is understood, byinterviewing personnel at all levels. Although the exact policy does not need to be recited byinterviewees, the awareness of the quality policy and how their job affects the companyobjectives should be determined. If personnel interviewed do not know what their measurableobjectives are and/or do not know what the organizational objectives are that they have adirect effect on, further evaluation is required for management’s communication of the policyand objectives.

The Quality Policy must be documented (typically in the quality manual because it must becontrolled). The Quality Policy does not have to include objectives but should create a


9 OF 31

framework for establishing them. The Quality Policy should be stated in such a way that itaims toward continual improvement. It should be reviewed and possibly revised to meethigher aspirations.

To meet the intent of this clause, the auditor looks for a clearly defined Quality Policy that issufficiently detailed to provide a framework for quality objectives that can be monitored forcontinual improvement.

When interviewing top management, their input into, and commitment to, the quality policyneeds to be determined. Is it theirs, or have they clearly just signed something written forthem by the management representative?

Note: For multi-site/corporate certifications the quality policy must be applicable for all sites.

5.4: Planning

5.4.1 Quality Objectives

Auditor expects that the organization has developed measurable quality objectives forrelevant functions and levels of the organization. It is expected that overall objectives to beestablished at the facility/corporate level and objectives established for each identifiedprocess. Process objectives shall support the organization’s overall objectives.

The organization must establish what the “relevant functions” of the organization are,however at a minimum this will include all defined processes (reference 4.1 a, c, e).

If some functions or levels have been excluded, it may be necessary to explore, evaluate(and record) the reasons for such omissions (which might be quite acceptable at thatparticular stage in the continual improvement process).

The organization must identify quality objectives that can be measurable, such as “vendor on-time rating”, “on-time delivery”, “all employees will have completed an ISO 9001 awarenessclass” and “all machines will have clearly defined procedures on their usage.” If theobjectives were not measurable (including a time-based element where appropriate), theywould not meet the intent of the standard.

The objectives do not have to be defined in a specific document although the objectives arerequired to be documented (see 4.2.1 a). Objectives can either be defined in associatedprocedures or instructions, or could be recorded in meeting minutes such as managementreview records. The organization must have a process that ensures that all the objectives areclear and communicated to all employees who can influence the defined objective(s). Theorganization should be able to demonstrate that the objectives are being measured andreviewed (see 4.2.4 and 8.5.1).

5.4.2: Quality Planning

Auditors use their judgment in evaluating the entire collected audit evidence in order toassess effectiveness of planning activities. The auditor may also satisfy him/herself thatplanning was done, by interviewing the personnel involved in establishing or achievingspecific quality objectives.


10 OF 31

Auditors attribute such QMS deficiencies to relevant clause, requirements of which werecontravened, rather than to clause 5.4.2.

Determining effective and efficient planning may be found by evidence of:

All those planning activities undertaken to establish the QMS in accordance withclause 4.1.

The existence of an effective, documented, and implemented QMS that providescollective evidence demonstrating that these planning activities have beenperformed effectively.

Deficiencies in the quality system that may indicate that these planning activitieswere not quite effective.

The evidence and use of Strategic Plans, Business Plans, Management Reviewresults, Contingency Plans, Quality Objectives, any programs or plans,documented or not, such as Minutes of meetings, Memos, Internalcommunications.

Where there is lack of documented evidence, an auditor may satisfy him/herself throughinterviewing the personnel at those levels and functions involved in achieving particularobjectives to determine the level of planning.

Another methodology allowing audit of effective planning involves review of the progress inimplementation of such plans aimed at adhering to individual objectives.

5.5: Responsibility, Authority and Communication

5.5.1: Responsibility and authority

In order for the auditor to be satisfied that the intent of this element has been met, he/she mayreview organization charts, job descriptions or a responsibility matrix. Identification ofresponsibility and authority could be written into procedures and/or work instructions, aswell. The auditor may also use interviews of individuals to determine if responsibility andauthority has been communicated effectively.

5.5.2: Management Representative

Responsibilities to include:

5.5.2 a) Ensuring that the processes needed for the quality management system areestablished, implemented and maintained.

5.5.2 b) Reporting on the performance of the system to top management.

5.5.2 c) ensuring the promotion of awareness of customer requirements.

The resource designated as management representative may be from any part of theorganization or may be subcontracted (consultant) from outside the organization. TheAuditors determine that the Management Representative (employee or subcontractor) is a“member of management”. If the designated management representative, particularly if from


11 OF 31

outside the organization such as a consultant, operates in a part time mode, the managementsystem must ensure continuity in fulfilling the management representative responsibilities.

Promotion of customer awareness might include news releases, meetings, training,photographs, models; examples of products demonstrating required visual attributes. Welook for one individual to be the management representative in terms of definedresponsibility. However, implementation of those responsibilities may be in the form of adefined and delegated team.

Note: The management representative is responsible for ensuring it happens – not making ithappen, which is the job of line management.

Note: For multi-site/corporate certifications the auditor will expect to see that there is amanagement representative with overall responsibility across all sites for ensuring thatrequirements are established, implemented, maintained, and for reporting on performance.

5.5.3: Internal Communication

Although there is no mandate for documenting methods for communication, the auditor willexpect to find evidence of communication through interviews with employees. Evidencecould possibly include the employees understanding of process linkage and effectiveness,customer satisfaction levels, preventive and corrective action information, on time delivery,quality costs, returned material, non-conformances. This could be communicated by accessto the computer network, an information board, newsletters, or even process routers,checklists, and multifunctional meetings (see 6.2.2 d). The type and extent of thedocumentation will depend on the nature of the organization’s products and processes, thedegree of formality of communication systems and the level of communication skills withinthe organization and the organization culture.

5.6: Management Review

5.6.1: Management Review - General

IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first timeregistration/certification, a full round of Management Review meeting(s), includingdocumented evidence of all required inputs and outputs, must be completed prior to theregistration/certification audit (note a full internal audit cycle must be completed prior to thisreview – see 8.2.2 Internal Audit). For multi-site/corporate certifications the review mustinclude inputs (as appropriate) from each site (see the standard 5.6.2 a – g). Normally, thereview process is conducted at the headquarters location.Top management shall review the quality management system at planned intervals not onlyfor continuing suitability and effectiveness, but also adequacy. Additionally, this reviewshall include assessing opportunities for improvement, the need for changes to the system, thequality policy, and quality objectives.

These words are more prescriptive which cause a more proactive expectation and approach tokeeping the system current and useful and maintaining improvement activities. The auditorcannot prescribe the intervals for reviews to occur, but can look for evidence that thefrequency is sufficient to accomplish the requirements of the standard. Although thedictionary would suggest that suitable and adequate are the same, the standard seeks to


12 OF 31

distinguish both the system from a global perspective of adequacy as well as the detailedsuitability of the many processes that comprise the system.

5.6.2: Management review input

The auditor will expect to see documented evidence that the (7) required inputs are discussedduring the review. Although a documented procedure for management review is not required,records of such reviews are required (see the standard - 5.6.1 General). The minimum (7)inputs are required in those records (see the standard 5.6.2 a – g). Evidence of crossfunctional input is also expected, which means one person alone could do the review, butthere would need to be evidence of multifunctional input in the evaluation of the system andits status and actions concluded.

5.6.3: Management review output

Output should focus on decisions and actions related to system improvement (5.6.3 a),product improvement for customer requirements (5.6.3 b), and resource needs (5.6.3 c).Auditors expect to see that some documented conclusions have been developed. The outputrecord must include evidence of action and progress for system improvement, customerrequirements, resource needs as it all relates to system health. It is important to note that adocumented procedure may or may not exist. It should also be noted that formal meetingsfor review may or may not happen and still be complaint - such as in the case of beingaccomplished in stages; on going process review; or by circulated documentation coveringthe system incrementally.

Element 6: Resource Management

6.1: Provision of Resources

The intent of this section is to ensure that adequate resources are provided to continuallyimprove the effectiveness of the quality management system (6.1 a) and to enhance customersatisfaction by meeting customer requirements (6.1 b). Auditor would expect to see a processfor evaluating and determining resource needs. This may be through management review,production planning, budget review, long range planning etc.

The auditors may determine that process activities are not prevented by a lack of resources.Auditors may review instances where customer requirements were not met and determine if alack, or insufficiency, of any resources was causation factors of these instances. Thisrequirement also ties to paragraphs 5.1 and 5.6.3, which address management’s responsibilityto determine and provide necessary resources. Additionally, any clear evidence of resourceproblems links directly to this section.

6.2: Human Resources

6.2.1: General

The standard requires that personnel be “competent”. This could be demonstrated by aperson being “qualified”. Competence may be based on appropriate education, training,skills, experience, and/or demonstrated performance.


13 OF 31

6.2.2: Competence, awareness and training

The intent of this section is to ensure that suitably competent people are performing theactivities as defined in the quality system. Evidence of the effectiveness of the training orother means of providing competent employees must be available. Employees must be awareof the impact that they have on the overall quality system. It is expected that employees to beable to verbalize how their job activities contribute to the achievement of the qualityobjectives.

6.2.2 a) Determine the necessary competence - The requirement is in emphasis towardvalidating training and other activities aimed at ensuring employee competence.Identification of competency is essentially a precursor to identification of training needs. Theorganization should determine knowledge and/or skills an employee would need to beconsidered competent, in their opinion, to perform a particular job. The company could thendetermine if the employee performing the job possesses that knowledge or skill and, if not,consider it a training need. Changes in the business and its environment may necessitate newcompetencies, which may not be available. Therefore the identification of competencies mayneed to be revisited. There is no requirement for any particular frequency of such re-review.Competency may be defined in a job description, position profile, or by any other method orassociated documents such as specific instructions or procedures. Usually competency isdetermined during performance reviews, if the organization does not perform reviews of thisnature, other methods for determining personnel competence would need to be defined andrecords maintained.

6.2.2 b) Provide training or take other actions - The requirement allows for options otherthan training to obtain competent personnel. Training includes all those activities where alearning opportunity needs to be satisfied. It may take a number of forms:

Classroom style, tutor led training; Hands on experience training; Shadowing Individual or group coaching; Mentoring; Briefings; Distance learning; Technology based training (CD ROMS, web based etc); Workshops.

Organizations will choose whichever form best suits their needs at any particular moment.Other actions to bridge competence gaps might include:

Recruitment; Outsourcing; Acquisitions; Use of experts and/or consultants. Documented procedures or work instructions

All such means are acceptable as long as an organization has ensured the availability of thecompetencies needed.


14 OF 31

6.2.2 c) Evaluate the effectiveness of the actions taken - The requirement is aimed at ensuringthat the training or other activity has produced the desired result. This requirement could bemet in a variety of ways, including, but are not limited to:

Observation of personnel performing their duties; Written or oral exams; Assessment of employee in achieving learning objectives during the course of

the training program; Audit of performance at work focusing, for example, on: Productivity; Reduction of rejects; Efficiency; Interviews with the persons; Annual appraisal. Performance reviews; Discussions; Evaluation of performance, quality or other indicators; Cost reviews; Customer satisfaction assessment

6.2.2 d) Ensure that its personnel are aware of the relevance and importance of theiractivities (perhaps by internal communication – see 5.5.3) and how they contribute to theachievement of the quality objectives - The requirement could be met in a variety of ways.Options include:

Training; Memos, and/or meetings regarding the impact of various individual or departmental

goals on quality objectives; Plant tours or briefings where an individual’s work and goals are shown as an integral

part of the larger processes; Cross functional teams working towards quality objectives and reporting their

progress to their departments.

Any activity that allows individuals to understand how their efforts affect quality objectivesmay satisfy this requirement. All personnel need to know the specific measurable objective(s)for the process that they work in; they should also know what organizational objective theirprocess effects. They should be able to demonstrate that they know what the actualmeasurable is, their progress towards that goal, what the plan is to achieve the goal. If they donot know the actual numbers, they should be able to communicate the topics of themeasurable and know where the actual measurements are maintained or posted.

6.2.2 e) Maintain appropriate records - The requirement expands record keepingrequirements to include education, skills and experience, in addition to training, whereappropriate. There are a great variety of ways to record and provide evidence of training,education, skills and experience. Records may include: Diplomas; Certificates; Training log; Annotations in shift logs; Toolbox meeting notes;


15 OF 31

Attendance lists; Resumes; Employment history; Test results.

Such records may be filed in any location as long as the Records remain legible, readilyidentifiable and retrievable.

6.3: Infrastructure

It is the organization’s management who determines the adequacy of the infrastructureprovided by the organization. Auditors will seek objective evidence to demonstrate that thenecessary infrastructure exists for the quality management system to be effectivelyimplemented, for improvement of its effectiveness, and for fulfilment of customerrequirements. Auditor would expect to see a process in place for maintenance of thebuilding(s), equipment and any other supporting services. This is generally the responsibilityof the maintence and IT departments.

6.4: Work Environment

The organization must identify and manage all those factors of the work environment that areneeded to supply a conforming product. These factors may include among others:

Human Factors Creative work methods; Opportunities for greater involvement of personnel; Safety rules and guidance; Ergonomics; Special facilities for people.

Physical Factors Heat; Noise; Light; Hygiene; Humidity; Cleanliness; Vibration; Pollution; Airflow.

Different types of businesses and industry sectors may vary dramatically with regard to anacceptable work environment, so it is the organization’s management who determines theadequacy of the work environment provided by the organization.

For instance;

A training provider may need to ensure the training area is adequately lighted andcontains appropriate seating and visual aid capabilities.


16 OF 31

Some manufacturing facilities may require “clean rooms” or humidity-controlledareas.

Companies handling items easily damaged by electrostatic discharge may requirespecial flooring or equipment, and chemical storage areas may require specialprotective barriers.

As an additional example, an employee might perform a particular function that requiresrepetitive wrist movements (i.e., tightening a screw). As the day wears on, it is possible thatthe overuse of the wrist could result in poorly torqued screws resulting in a possible qualitydefect. The company should identify such a situation and provide a means of eliminating thepotential defect (i.e., air-driven screwdrivers). Evidence could consist of records ofdecreased quality defects and/or medical problems related to that activity.

Element 7: Product Realization

Exclusions/non-applicability can be claimed with in element 7 only. “Exclusion” shouldonly be taken for clause 7.3 Design and Development and must be fully justified in thequality manual. Other sections within element 7 may be claimed as “not applicable” or“not applicable at this time”.

7.1: Planning of product realization

An organization needs to plan in advance for how they will manufacture their product ordeliver their service. The plans need to take into account the product requirements and anyquality objectives (7.1 a) that might be appropriate, resources and documents that may benecessary (7.1 b), what type of monitoring and/or inspection activities should be put in placeto ensure the product or service will meet the requirements (7.1 c), and what types of recordsshould be kept (7.1 d). While the sub-clause does not state that the output of this planningmust be documented, it does state that it must be in a form suitable for the organization’smethod of operations.

7.2: Customer Related Processes

7.2.1: Determination of requirements related to the product

This clause promotes an up-front determination of all requirements related to the product.

This includes requirements for “servicing” which are now included as “post-deliveryactivities”, which implies anything that is provided after the customer has received theproduct (i.e. repair and/or warranty work, installation, maintenance, etc.).

Specific to 7.2.1 (a)

Post delivery activities may include among others: Product support Servicing where applicable


17 OF 31

Specific to 7.2.1 (b)

Organization shall be proactive in evaluating if there were any additional requirements for theproduct or service’s intended use. If the organization determined there were not anyadditional requirements this should be evident in associated records, if there were additionalrequirements then evidence should be present how they were addressed in the affectedprocess i.e. design, purchasing, manufacturing.

The analogy that can be used here is a screwdriver, everyone knows the intended use of ascrewdriver, put in and take out screws. However with a screwdriver, there are requirementsthat are not stated but are intended for use, such as using a screw driver to open paint cans,could be used as a chisel, pry bar, magnetization might be an issue, also if used aroundelectricity the handle should be nonconductive, but none of these requirements might be statedby the customer, but the manufacturing organization would need to address these non-statedrequirements for the screwdriver’s intended use.

Specific to 7.2.1 (c)

The organization shall determine applicable Statutory and regulatory requirements related tothe product (i.e., taking these requirements into account when designing a product or service).This includes ensuring process control (i.e., ensuring that these requirements were met).

Statutory requirements are those that are stipulated by local/national governments that formpart of regional, national and international legislation.

Regulatory requirements are those imposed by regulatory bodies. In the UK the HSE (Health& Safety Executive) and in the USA, the EPA (Environmental Protection Agency) areexamples of these. These requirements are not necessarily part of national legislation.

Compliance with regulatory requirements issued by national regulators (i.e. by The RailAuthority) may be mandatory for those organizations to which they apply if a statutoryinstrument requires so.

Organizations are required to comply with a number of legal requirements to be allowed tooperate. Management must be aware of the requirements that apply to its products, processesand activities and should include these requirements as part of the quality managementsystem.

Organization has to be aware that as the national legislation may apply to product intendedfor the domestic market, in the case of export sales, organizations will be required to considerthe statutory and/or regulatory requirements in the target country that may apply to (a)product(s) supplied.

Organization is not required to maintain the lists of applicable statutory and/or regulatoryrequirements, nor need they maintain copies of these documents. Organization must ensurethat it has adequate access to / or knowledge of applicable statutory and regulatoryrequirements.


18 OF 31

7.2.2: Review of requirements related to the product

The sub-clause mandates that the organization shall not issue a quotation or accept an orderuntil it has been reviewed to ensure requirements are defined and the organization has thecapability to meet the defined requirements. It goes on to require that records of the reviewand any subsequent actions be maintained. If the customer does not provide theirrequirements in writing (i.e., telephone call), the requirements must be confirmedbefore they are accepted. If the requirements are changed, all documents must be amendedand relevant persons must be notified.A note is included that covers situations such as internet sales where a formal review of eachorder is impractical, stating, instead, that the review could cover the product informationprovided in catalogs and advertising material.

7.2.3: Customer communication

The organization must establish effective arrangements for providing the customer withproduct information (i.e., catalogs or advertising that adequately describe the product orservice), means of handling inquiries and orders, and a method for handling customercomments (both compliments and complaints).

7.3: Design and development

This clause addresses product/service development as well as (conceptual) design, soorganizations involved in product/service development will have to address some or all ofsection 7.3 of ISO 9001:2008.

Many companies perform some enhancements or minor reconfiguration of mature designs,and are able to use the guidance of ISO 9004:2008 in order to address some or all of section7.3 of ISO 9001:2008.

Some organizations subcontract design and have managed this via sections 4.1 and 7.4 of ISO9001:2008. Such organizations may have to introduce a comprehensive design system orprocess, however may have to address design and development as it is applicable to theorganization. They may have to address some or all sections of 7.3 to the extent that theyapply.

7.3.1 Design and development planning

Although the standard does not require a documented procedure, the design process needs todemonstrate how the process is controlled and planned. The organization, however, will needto provide some type of objective evidence as to what the planning activities include. Thiscan be accomplished with the use of time-lines, gant charts or any other planning methodsuch as Microsoft project manager. In addition the auditor see objective evidence of how theinterfaces between other processes are managed, either through statements in associatedprocedures, process mapping, matrix approach or in the time line planning.


19 OF 31

7.3.2 Design and development inputs

The auditor will review evidence that the inputs (7.3.2 a – d) have been addressed based onthe nature of the product being produced, that they have been reviewed for adequacy and thatrecords are maintained of the activity.

7.3.3 Design and development outputs

The auditor expects objective evidence that the outputs (7.3.3 a – d) have been verifiedagainst the design inputs. This can be accomplished by reviewing documents, plans, etc.interfacing with the customer or internal processes and by comparison with past provendesigns.

7.3.4 Design and development reviews

Reviews shall be conducted in accordance to the time line or plan established at thebeginning of the design activity. Reviews shall show evidence that all activities required ineach phase of the design have been addressed or adjustments made. Records should showwho attended the reviews and that all concerned parties were present and that all actions weresatisfied before proceeding forward with the design process.

7.3.5 Design and development verification

Design verification basically means that the product can be produced as designed and thatoutput meets the intended inputs. Additionally it should show that the organization has thecapability to produce the product with existing equipment and has the personnelcompetencies or has the ability to train or subcontract the required capabilities.

7.3.6 Design and development validation

Validation has to ensure capability of meeting “intended use where known” as well asspecified requirements, and has been completed prior to delivery and implementationwherever practicable (typically as a prototype or first article). In most organizations theycan’t rely on the customer to perform the validation, the lack of a negative response from thecustomer does not meet the intent of this clause. The organization should have records thatthe product designed will meet defined user needs prior to delivery of the product to thecustomer. Methods of validation could include simulation techniques, proto-type build andevaluation, comparison to similar proven designs, beta testing, field evaluations, etc.Irrespective of the methods used, the validation activity should be planned, executed withrecords maintained as defined in the planning activity in 7.3.1.

7.3.7 Design and development changes

Design and development changes (after the original verification and validation) have to be“verified and validated as appropriate” (as well as reviewed) and to “include evaluation of theeffect of changes on constituent parts and products already delivered”. If the organizationchooses not to perform re-verification and re-validation on every design change, then theauditors expect to see some very well defined criteria as to when the activity needs to occur.This includes any changes that do not affect fit, form or function.


20 OF 31

7.4: Purchasing

7.4.1 Purchasing Process

It would be extremely uncommon for purchasing to be excluded from the qualitymanagement system (i.e., perhaps applying to such situations as small consultancies using nosubcontractors, and using proprietary office materials and equipment that do not directlyimpact on product or service performance – but not to many other situations).

Where procurement is centrally controlled by a corporate procurement organization outsidethe scope of the QMS of the auditee organization, this is not justification for exclusion of 7.4in its entirety. The organization is certainly responsible for providing purchasing information(7.4.2) to the corporate procurement organization, and for verification of purchased product(7.4.3) – and perhaps participating in the re-evaluation process. In the event that a corporateoffice or other entity, outside the scope of registration, performs any sections of purchasingthis shall be considered an outsourced process per requirements identified in section 4.1. It isexpected to see a documented agreement in place (i.e. an Interface Agreement) between theorganization and the supplier.

It is expected to see a process is in place for evaluating and selecting suppliers as well as aprocess for ongoing re-evaluation of suppliers. While a written procedure for purchasing isnot required, records of evaluation and actions arising from the evaluation are required to bemaintained.

7.4.2 Purchasing Information

Purchasing information may take many forms however is generally a purchase order orrequisition. It is expected to see that the information clearly describes the product to bepurchased as well as any other requirements, including as appropriate:

7.4.2 a) the approval of products, procedures, processes and equipment.

7.4.2 b) the qualification requirements of personnel.

7.4.2 c) the QMS requirements.

7.4.3 Verification of Purchased Product

It is expected to see a process is in place to verify that purchased product meetsrequirements. This may take many forms depending on the product, these requirements shallbe known to concerned and being accomplished. This may include receiving inspection andtesting, visual inspection, receipt of certificates of conformance etc. In the event verificationwill take place at the suppliers premises the method for doing so must be stated in thepurchasing information.

7.5 Production and Service Provision

7.5.1: Control of product and service provision


21 OF 31

There is the possibility of defining sub-clauses 7.5.1 b) work instructions, 7.5.1 c) the use ofsuitable equipment, and 7.5.1 f) post delivery activities as not applicable to the scope of theirquality management system. The non-applicability of these items must be justified in thequality manual (4.2.2 a) and must not “affect the organization’s ability, or responsibility toprovide product that meets customer and applicable regulatory requirements” (1.2).

The auditor will expect to see that production activity is well defined and understood. This isgenerally ascertained through interviews with employees on the production floor, review ofdocumentation and observations. The auditor will verify the following at a minimum:

7.5.1 a) the information describing the characteristic of the product. This may be in the formof a work order, traveller, schedule etc.

7.5.1 b) the availability of work instructions or procedures as applicable. These may be inany format (electronic or paper); instructions may simply be included on the work order ortraveller. Instructions do not have to be documented and could simply be provided throughtraining. The auditor will review Control of Document, 4.2.3 as applicable.

7.5.1 c) the use of suitable equipment. The auditor will expect to see evidence that equipmentis suitable for the process and that it is maintained. The auditor will investigate howequipment is maintained and how malfunctions are handled. This may be in conjunction withInfrastructure 6.3.

7.5.1 d - e) the availability of suitable monitoring and measuring devices and theimplementation of monitoring and measurement. Measuring and monitoring may requirerecord keeping i.e. operator log sheets, inspection sheets, routers or other documentation.Documentation will be reviewed as applicable per Control of Records 4.2.4.

7.5.1 f) the release, delivery and post delivery activities. Whether in process or final theauditor will expect to see that release, delivery and post delivery activities are defined. Thismay include release to the next process or for shipment to customers.

7.5.2: Validation of processes for production and service provision

This clause applies exclusively to “special processes” – and not to all the processes of thequality management system in general.

This clause may be considered within the quality management system as not applicable. Anyorganization that does not have any “special processes” can clearly note this clause as notapplicable.

Where “special processes” have been identified, ISO 9001 Certification Auditors will expectto see that 7.5.2 a- e have been arranged as appropriate, which includes ensuring that:

7.5.2 a) the organization establishes arrangements to ensure that these processes are reviewedand approved.

7.5.2 b) the equipment used and the personnel involved are qualified.


22 OF 31

7.5.2 c) specific methods and procedures are used (may require documentation).

7.5.2 d) records are maintained.

7.5.2 e) re-validation is performed for those instances where, for example, a deficiency isfound. As an example, it may be determined that an individual is actually notqualified to perform a particular “special process”. Training may be provided toimprove the individual’s skills, following which the individual’s qualifications shouldbe re-validated to ensure they are capable of providing the planned results.

7.5.3: Identification and traceability

Organizations cannot completely exclude 7.5.3. Despite the phrase “where appropriate”, noorganization can wholly claim non-applicability for “identification”. However, traceabilitycan be identified as not applicable where it is not a requirement of the customer, the productregulatory requirements, or of the organization itself.

The auditor will expect to see that product is identified (as appropriate) and its status withregards to monitoring and measuring (conforming or not) is identified throughout the productrealization processes. Where traceability is a requirement, the auditor will expect to see thatthe organization is controlling and recording the unique identification of the product. Thisdocumentation is a required record per Control of Records 4.2.4.

7.5.4: Customer property

The auditor will expect to see that the organization has clearly identified any and all customerproperty. The auditor will verify that the organization has established a process to protectcustomer property. Further a process must be established for contacting the customer whenthese items are lost, damaged or otherwise found unsuitable for the process. Thiscommunication to the customer must be maintained as a Quality Record 4.2.4.

Customer property may include (not limited to):

Components supplied for inclusion into the product. Packaging material Transport Intellectual property – drawings, specifications etc. Equipment or tools

7.5.5: Preservation of product

Auditor will expect to see that adequate measures are taken to protect/preserve productduring internal processing and delivery to the intended destination. The preservation processmust include the following:

Identification - this is relative to 7.5.3 – Identification and Traceability however forpreservation of product it is a requirement and not “as applicable”. Auditor willexpect to see that all products are clearly identified.


23 OF 31

Handling - auditor will verify that suitable handling methods are implementedthroughout the processes. This may include bulk handing using moving equipment orphysical contact where handling may influence product conformity.

Packaging - auditor will expect to see that methods have been established forpackaging product to preserve integrity.

Storage - auditor will expect to see that product is stored in locations and in a mannerto safe guard product.

Protection – auditor will verify that appropriate measures are in place to protectproduct. This may vary widely depending on the product.

7.6: Control of monitoring and measuring devices

Companies with no measuring equipment can claim non-applicability for this (as addressedfrom paragraph 3 of section 7.6 of the standard onwards).

This clause addresses devices as well as equipment, and reconfirmation of computersoftware as necessary. The first two paragraphs address monitoring and measuring devices,and can be applicable to service companies as well as manufacturing organizations. Forexample, in a training organization, where consistency of evaluating and grading trainees (theproduct) needs to be assured, then calibration may be applicable.

The Standard requires that a process be established to ensure that monitoring andmeasurement is carried out in a manner consistent with measurement requirements. Auditorswill be looking for some process that ensures consistency of measurement outcome betweenall personnel who make acceptance decisions (for example, Gage R&R studies for key orcritical characteristics might be one such process).

The auditor will expect to see a process is in place to determine required measuring andmonitoring to be accomplished as well as the devices needed to provide evidence ofconformity. Many facilities use calibration software including a calibration master list of alldevices. While this is not required, all devices requiring calibration must be identified andshall:

7.6 a) be calibrated or verified at specific intervals or prior to use. Devices must becalibrated using measurement standards traceable to international or nationalmeasurement standards. Where there is no standard available for the device the basis forcalibration or verification must be recorded. Auditor expects to see that traceablestandards are used and where applicable have not expired. Where calibration iscompleted by an outsourced process (vendor), the records of traceability must bereviewed.

7.6 b) Adjusted or readjusted as necessary. Auditor will expect to see evidence that devicesfound to be out of calibration are adjusted/re-adjusted by qualified personnel and thevalidity of the previous measuring results are accessed when a device is found to be outof calibration and appropriate action is taken (may include recall of product). Auditorwill expect to see that a process is in place to provide traceability of each device to the


24 OF 31

process/product the device was used on. The results of calibration and verification arerequired to be maintained as quality records.

7.6 c) be identified to show calibration status. Auditor will expect to see that each device islabelled in such a way that the user can determine that the device has currentcalibration. Generally this is accomplished with a calibration sticker that provides aunique identification for the device, current calibration date and next calibration date.Other methods may be used however must clearly identify the calibration status.

7.6 d) Safeguarded from adjustments. Auditor would expect to see that a process is in placeto ensure that users outside the calibration process do not adjust devices. Devices maybe verified prior to use however any adjustments made to a device must meet allrequirements of this section.

7.6 e) be protected from damage during handling, maintenance and storage. Auditor willexpect to wee that measuring devices are handled and stored in a manner to protect thedevice from damage.

Clause 8: Measurement, Analysis and Improvement

8.1: General

The means (i.e. ‘processes’) and resources for accomplishing the three (3) requirements mustbe planned for and implemented. The processes must address four (4) different, but related,aspects:

1) Monitoring (i.e. examination, information and data collection, and reporting)2) Measurement (i.e. determination and comparison of ‘performance indicators’

against ‘actuals’ against ‘knowns’, or against expectations and requirements – i.e.inspections, tests, product and process audits, systems audits, SPC, etc.)

3) Analysis (review of data, evaluation of results and variances, causation analysis,application of statistical techniques, etc.)

4) Improvement (i.e. corrective and/or preventive action, refinement, enhancement,etc.)

The various techniques, methodologies, resources, tools (including statistical techniques), andapplicable procedures need to be determined for these Measurement, Analysis andImprovement ‘processes’. This is not for an organization to state that there is no need to usea statistical technique, if there is variability in their process or product characteristics, thenthere is a need for the use of a statistical technique.

Fulfillment of the requirements in Section 8 is important if the organization is to fullyembrace and effectively apply the principles of the “Process Model” and the “Plan Do CheckAct” model.

8.2: Monitoring and Measurement

8.2.1: Customer Satisfaction

It is recognized / understood that Customer Satisfaction is:


25 OF 31

A viable, effective (albeit partial) measurement of the performance (merits, benefits,adequacy, suitability, effectiveness, etc.) of the quality system.

An objective, goal, expectation of the quality system.

ISO 9000:2008, 3.3.5 defines the “Customer as the organization or person that receives aproduct.” The examples stated are; “consumer, client, end-user, retailer, beneficiary andpurchaser”. It is intended that the customer satisfaction measurements be focused on externalcustomer but in addition can include internal customers. Internal customer satisfactionmeasures can be contained in the establishment of the organizations defined internal processmeasurable objectives. Measuring only internal customer satisfaction would not meet theintent of this clause and must include all interested parties where appropriate.

Customer Satisfaction is determined by the organization measuring its customers perceptionas to whether they have satisfied their customers’ requirements – and may be somewhatsubjective or ‘qualitative’ as much as ‘quantitative’. Customer complaints are a commonindicator of low customer satisfaction but their absence does not necessarily imply highcustomer satisfaction. Simply capturing customer complaints and product returns will onlygauge ‘dis-satisfaction’ – which does not fully meet the intent of the clause and will notsatisfy these requirements. The organizations management should analyse the implications ofthe absence or existence of customer complaints.

Process definition is needed. The various techniques, methodologies, tools, resources, etc.(forms, surveys, frequency, targeted customers, responsibilities, external survey servicecompanies, benchmarking, etc.) and applicable procedures need to be determined for:

1) Obtaining customer satisfaction information (i.e. identifying, collecting,monitoring and reporting various data/information)

2) Using customer satisfaction information (analyzing, understanding andresponding to – i.e. making changes, corrections, enhancements andimprovements to the products/services/quality system)

The requirements in 8.2.1 interrelate closely with those in sub-clauses:

5.2 Customer Focus (…. with aim of enhancing customer satisfaction.) 8.4 a) Analysis of Data – customer satisfaction 8.5.1 Continual Improvement (via analysis of data) 5.6.2 b) Management Review Input – customer feedback 7.2.3 Customer Communication – customer feedback & complaints

8.2.2: Internal Audit

IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first timeregistration/certification, a full round of internal audits, including documented evidence thatall processes and sections of the standard have been audited, must be completed “prior to” theregistration/certification audit being conducted. For multi-site/corporate certifications allprocesses performed at each site must be included in the initial round of internal audits. It isan expectation that internal audit planning and the evaluation of the internal audit resultsacross all sites will be performed by the headquarters location (i.e. centrally managed). Theresults of this evaluation are to be presented during the management review process (see 5.6).


26 OF 31

Auditor expects a documented procedure developed that defines responsibilities andrequirements for planning and conducting audits, reporting results and maintaining records(see 4.2.4). The Auditor makes a determination if the internal audit process is effective inmaintaining the integrity of the quality management system. A statement indicating the levelof effectiveness is normally included in the summary of the Certification audit report. In theevent the auditor cannot state that the audit process is effective, a nonconformance should beraised.

Internal audits should be planned based on the status and importance of the processesexecuted, in other words more emphasis (time audited) on those processes that have a director significant impact on the achievement of the organizational goals. In addition, previousaudit results must be considered in the scheduling of future internal audits. Auditor willexpect to see a schedule (plan) that has been developed considering the status and importanceof the processes, previous audit results, and selection/assignment of auditors to ensureobjectivity/impartiality (auditors can not audit their own work). It is expected that the internalaudit process and internal audit schedules reflect the process approach.

The auditor sees evidence that the audits include the requirements of ISO 9001:2008 as wellas the requirements established by the organization. Nonconformances raised during the auditmust be addressed without undue delay. The external auditor will expect to see that a processis in place to ensure that actions taken are implemented to eliminate the nonconformance andthe cause. A process must be in place for follow up to ensure that the action(s) taken wereeffective. The results must be recorded. Auditors would expect to see that nonconformancesfollow the requirements of 8.5.2. However, there is no requirement to have one correctiveaction system and therefore it is acceptable to have a separate process for auditnonconformances as long as requirements for corrective action 8.5.2. are being met.

Requirements of 8.2.2 interrelate closely with those in sub-clauses: 5.6.2 a) Management Review Input – results of audits 8.5.1 Continual Improvement (via use of audit results) 8.5.2 Corrective Action (to eliminate deficiencies found in the audit) 8.5.3 Preventive Action (resulting from audit, analysis and observations)

8.2.3: Monitoring and Measurement of Processes

Applicable processes need to be identified in the Quality Manual, along with a description ofthe interaction between those processes. The applicable processes might include thoserelating to four general categories: 1) Management Activities, 2) Resource Management, 3)Product Realization, and 4) Measurement and Monitoring, but most companies will prefer tofocus on their own particular COPS, MOPS, and SOPS.

Fulfillment of the requirements in this sub-clause is important if the organization is to fullyembrace and effectively apply the principles of the “Process Model”, the “Plan Do CheckAct” model.

The requirements of 8.2.3 interrelate closely with those in sub-clauses:

4.2.2 c) Quality Manual (include a description of interaction between processes) 5.6.2 a) Management Review Input (process performance)


27 OF 31

8.5.1 Continual Improvement (via analysis of data) 4.1 e & f) General Requirements – (to implement, measure, monitor, Analyze and

continually improve the processes).

The organization should identify monitoring, and, where appropriate, measurement methodsto evaluate process performance. The organization should incorporate these measurementsinto processes and use the measurements in process management. Measurements of processperformance should cover the needs and expectations of interested parties in a balancedmanner. Examples (from ISO 9004:2008) might include:

Process capability Reaction time Cycle time or throughput Measurable aspects of dependability Yield The effectiveness and efficiency of the organization’s people Utilization of technologies Waste reduction Cost allocation and reduction

8.2.4: Monitoring and Measurement of Product

The organization must show evidence that a process is in place to monitor and measure thecharacteristics of product to verify that requirements are being met. This must beaccomplished at appropriate stages of the product realization process and must be defined asrequired per Planning of Product Realization 7.1. Auditor will verify that records aremaintained to provide evidence of conformity and indicate the person(s) authorizing therelease of products. The release of product or delivery of service must not be completed untilthe planned requirements (7.1) have been met. For product release or service delivery, theplanning requirements may be waived, but must be approved by relevant authority and by thecustomer as appropriate.

8.3: Control of Nonconforming Product

The Auditor will verify that a documented procedure has been developed to define thecontrols, responsibilities and authorities for dealing with nonconforming product. Productthat does not meet requirements must be identified and controlled. The auditor will expect tosee that nonconforming product is clearly labelled and segregated to prevent unintended use.It is important to note that requirements may extend beyond delivery of product, and/or to thepoint or time of use (i.e. during shipment/transit, until received and accepted at the customer,while on consignment at customer’s facility, etc.) This also suggests that the organizationmay be responsible to “take action”, even after use of the product has begun. Appropriateobjective evidence (quality records) must be maintained.

Requirements of 8.3 interrelate with those in sub-clauses:

8.2.1 Customer Satisfaction (possible impact upon)


28 OF 31

8.4 b) Analysis of Data (information relating conformance to product requirements) 8.5.2 Corrective Action (take action to eliminate cause of nonconformities and the

action shall be appropriate to the effects)

There are only four possibilities auditors should see as dispositions of nonconformingproduct, 1- scrap, 2- rework or repair, 3- re-grading of the product, or 4 – use with theconcession of the customer and records maintained. Obviously reworked or repaired productrequires subsequent verification prior to release.

8.4: Analysis of Data

The Auditor will expect to see that the organization has developed a process to identify,collect and analyse various data and information from both internal and external sources (i.e.quality records, monitoring and measuring results, process performance results, qualityobjectives, internal audit findings, customer surveys and feedback, 2nd or 3rd-party auditresults, competitor and benchmarking information, product test results, complaints, supplierperformance information, etc., etc.). This ‘input’ (information and data) should reflect uponthe adequacy, suitability, and effectiveness of the Quality Management System and itsprocesses. The ‘output’ (result of the analysis) must provide information (understanding,insight, awareness, confidence, knowledge of, etc.) about:

Customer Satisfaction / Perception. Product Conformance Process performance Product / Process Characteristics Trends in Products / Processes Opportunities for Preventive Action Suppliers and subcontractors (i.e., all as defined in 8.4 a)-d))

Other potential or useful options might include:

Need for Corrective Action Opportunity for Improvement Competition

Requirements of 8.4 interrelate with those in sub-clauses:

5.6.2 Management Review Input 8.5.1 Continual Improvement 8.5.2 Corrective Action 8.5.3 Preventive Action

8.5: Improvement

8.5.1: Continual Improvement

Distinction must be made between ‘continual’ and ‘continuous’ improvement. Unlikecontinuous improvement (which must be constant, steady and always positive), continual


29 OF 31

improvement may show signs of dwells, momentary set-backs, delays or slight reversal –provided the overall trend is positive/improving.

The auditor will expect to see a process is in place for establishing and implementingcontinual improvement. Significant or sustained lack of improvement must be met withcorrective action (i.e. ‘get well plan’) – unless the undesirable condition is expected/predicted– resulting from a conscious/deliberate decision by management (i.e. willingness to accept atemporary setback in productivity while new equipment/ processes are introduced.)

Drivers, or impetus for continual improvement must come from the use of (as a minimum):

The quality policy Quality objectives Audit results Analysis of data Corrective actions Preventive actions Management review

Requirements of 8.5.1 interrelate with those in clauses / sub-clauses:

5.6.2 g) Management Review Input (recommendations for improvement) 5.6.3 a - b) Management Review Output (improvement of system, processes and

product) 8.4 Analysis of Data 8.5.2 Corrective Action 8.5.3 Preventive Action

Note: it is the responsibility of the company to demonstrate improvement rather than theauditor to look for it. Accordingly, it is useful audit practice to ask management to identifyany improvement initiatives taken since the previous visit, and also any planned for thefuture.

8.5.2: Corrective action

Corrective action is action taken to PREVENT the recurrence of actual problems. When aproblem occurs, organizations invariably take remedial or containment action, or implementCORRECTION to contain or fix the immediate problem. Corrective action (as addressed inISO 9001:2008 8.5.2) is any subsequent action to address the root cause and preventrecurrence.

The auditor will verify that a documented procedure is in place to define the requirements forcorrective action:

8.5.2 a) Reviewing nonconformities – auditor will expect to see a process is in place foridentifying nonconformities (types) and reviewing them to determine if the nonconformity


30 OF 31

requires corrective action. The section specifically identifies customer complaints howeverother sections such as internal audits, nonconforming product, monitoring and measurementof processes reference corrective action. Sources from ISO 9004:2008 include:

Customer complaints Nonconformity reports Internal audit reports Output from management review Output from data analysis Outputs from satisfaction measurements Relevant quality management system records The organizations people Process measurements Results of self assessment

8.5.2 b) Determining cause – auditor will expect to see a process is in place for determiningroot cause.

8.5.2 c) Evaluating action needed to prevent recurrence – auditor will expect to see evidencethat action(s) are evaluated and developed to prevent the nonconformance from recurring.

8.5.2 d) Implementing action – evidence that actions are implemented. There is norequirement for time however auditor will expect to see evidence that actions are taken in atimely manner.

8.5.2 e) Maintaining records - corrective actions are required to be maintained as qualityrecords per 4.2.4.

8.5.2 f) Reviewing action taken – auditor will expect to see a process in place for reviewingcompleted corrective action to ensure that the action taken was effective in correcting thenonconformity.

Note: The organization may choose to maintain one document for both corrective andpreventive action. While this is acceptable, external auditors believe that the processes areunique and should be documented separately.

Note: Organizations are free to use their own terminology (i.e., many define corrective actionas the fix and preventive action as the subsequent cure). There is no problem with this –provided they are not claiming that this “preventive action” (i.e., after the event) meets therequirements of 8.5.3 (action taken before the event).

Note: For multi-site/corporate certifications auditors will expect to see that evaluation ofcorrective actions across all sites is being performed and analyzed (usually from theheadquarters location). This would be an input to management review (see 5.6.2).

8.5.3: Preventive action

The auditor will verify that a documented procedure is in place to define the requirements forpreventive action:


31 OF 31

8.5.3 a) Determining potential nonconformities - auditor will expect to see evidence that aprocess is in place for determining potential nonconformities. This may include manymethods. Sources from ISO 9004:2008 include:

Use of risk analysis tools. Review of customer needs and expectation. Market analysis. Management review output. Output from data analysis. Satisfaction measurements. Process Measurements. Lessons learned from past experience. Results of self-assessment. Processes that provide early warning of approaching out-of-

control operating conditions.

8.5.3 b) Evaluating action needed to prevent occurrence – auditor will expect to see evidencethat action(s) are evaluated and develop to prevent the occurrence of potentialnonconformances.

8.5.3 c) Implementing action – evidence that actions are implemented. There is norequirement for time however auditor will expect to see evidence that actions are taken in atimely manner.

8.5.3 d) Maintaining records - preventive actions are required to be maintained as qualityrecords per 4.2.4.

8.5.3 e) Reviewing action taken – auditor will expect to see a process in place for reviewingcompleted preventive action to ensure that the action taken was effective.

Preventive action is action taken to PREVENT the occurrence of potential problems. Theorganization might welcome some auditor guidance on terminology. Many companies(especially small companies with simple systems) are struggling to identify opportunities tosatisfy 8.5.3, as most of the standard is, in fact, focused on prevention. Anything related toevaluation of risk and related actions, or action to prevent an early dip in a trend graphbecoming a problem can be accepted as objective evidence of compliance – as well as clearup-front preventive initiatives, of course.

ISO 9001 2008 Interpretation

Documents

Transcript of ISO 9001 2008 Interpretation