Transitioning to ISO 9001:2008 – Considerations for Internal Auditors

Instructor: Don Wood, ISOmatrix Senior Specialist

Upload: daniella-carr

Post on 23-Dec-2015


Review of Changes from ISO 9001:2000 to ISO 9001:2008


High-level summary of changes

Emphasis on “product conformity to requirements” as the focus of the QMS

Addition of “statutory and” to clauses that previously only referenced “regulatory” requirements

Changes in terminology:

Measuring “equipment” vs. “devices” – better alignment with ISO 9000:2005

“Determine” vs. “identify” – implies that more review and analysis (especially with regard to processes) should take place

Increased use of “Where applicable”, placing more onus on organizations to use judgment in how requirements are applied within their QMS

Expanded use of notes to clarify the intent of requirements and provide more examples for organizations to use

Numerous changes to improve grammar, flow and ease of translation into other languages

Improved alignment with ISO 14001:2004

Updated references, both internally within ISO 9001:2008 and externally to other management system and guidance standards


What didn’t change

No new requirements for documented procedures

No requirements for documented procedures removed, either

By most interpretations, no new requirements period, merely minor modifications to existing requirements

Some of these modifications have implications for internal auditors

No changes in the certification process

No changes in the auditing process or auditing guidelines


Nov. 15, 2008: ISO 9001:2008 released

Nov. 15, 2009 (12 months): All NEW certificates must be issued against ISO 9001:2008

Nov. 15, 2010 (24 months): Existing ISO 9001:2009 certificates no longer valid

Maximum 24 month implementation from publication (maximum allowed time to upgrade)


Key to summary of changes

ISO 9001:2000 text, followed by ISO 9001:2008 text:

The present editions of ISO 9001 and ISO 9004 have been developed as a consistent pair of quality management system standards which have been designed to complement each other, but can also be used independently. Although the two International Standards have different scopes, they have similar structures in order to assist their application as a consistent pair.

ISO 9001 specifies requirements for a quality management system that can be used for internal application by organizations, or for certification, or for contractual purposes. It focuses on the effectiveness of the quality management system in meeting customer requirements.

ISO 9004 gives guidance on a wider range of objectives of a quality management system than does ISO 9001, particularly for the continual improvement of an organization's overall performance and efficiency, as well as its effectiveness. ISO 9004 is recommended as a guide for organizations whose top management wishes to move beyond the requirements of ISO 9001, in pursuit of continual improvement of performance. However, it is not intended for certification or for contractual purposes.

ISO 9001:2008:

ISO 9001 and ISO 9004 are quality management system standards which have been designed to complement each other, but can also be used independently.

ISO 9001 specifies requirements for a quality management system that can be used for internal application by organizations, or for certification, or for contractual purposes. It focuses on the effectiveness of the quality management system in meeting customer requirements.

At the time of publication of this International Standard, ISO 9004 is under revision. The revised edition of ISO 9004 will provide guidance to management for achieving sustained success for any organization in a complex, demanding, and ever changing, environment. ISO 9004 provides a wider focus on quality management than ISO 9001; it addresses the needs and expectations of all interested parties and their satisfaction, by the systematic and continual improvement of the organization’s performance. However, it is not intended for certification, regulatory or contractual use.

Clause 0.3 Relationship with ISO 9004

Text added to ISO 9001:2008

Text removed from ISO 9001:2000


Caution!

What follows is NOT a complete summary of changes from the 2000 to the 2008 version of ISO 9001

Rather, this is a listing of changes we feel are of greatest concern to internal auditors and their management

Internal auditors MUST review ISO 9001:2008 in detail and review ALL of the changes to ensure adequate competency as auditors

There are a number of excellent articles and summaries available online:

Major certification bodies

Quality Digest

ASQ

ISO

Whittington Group


Clause 4.1 General requirements

ISO 9001:2000 text, followed by ISO 9001:2008 text:

The organization shall establish, document, implement and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard.

The organization shall

a) identify the processes needed for the quality management system and their application throughout the organization (see 1.2),

b) determine the sequence and interaction of these processes,

c) determine criteria and methods needed to ensure that both the operation and control of these processes are effective,

d) ensure the availability of resources and information necessary to support the operation and monitoring of these processes,

e) monitor, measure and analyse these processes, and

f) implement actions necessary to achieve planned results and continual improvement of these processes.

These processes shall be managed by the organization in accordance with the requirements of this International Standard.

ISO 9001:2008:

The organization shall establish, document, implement and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard.

The organization shall

a) determine the processes needed for the quality management system and their application throughout the organization (see 1.2),

b) determine the sequence and interaction of these processes,

c) determine criteria and methods needed to ensure that both the operation and control of these processes are effective,

d) ensure the availability of resources and information necessary to support the operation and monitoring of these processes,

e) monitor, measure where applicable, and analyse these processes, and

f) implement actions necessary to achieve planned results and continual improvement of these processes.

These processes shall be managed by the organization in accordance with the requirements of this International Standard.


Clause 4.1 General requirements (cont’d)

ISO 9001:2000 text, followed by ISO 9001:2008 text:

Where an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system.

NOTE Processes needed for the quality management system referred to above should include processes for management activities, provision of resources, product realization and measurement.

ISO 9001:2008:

Where an organization chooses to outsource any process that affects product conformity to requirements, the organization shall ensure control over such processes. The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.

NOTE 1 Processes needed for the quality management system referred to above include processes for management activities, provision of resources, product realization, measurement, analysis and improvement.

NOTE 2 An “outsourced process” is a process that the organization needs for its quality management system and which the organization chooses to have performed by an external party.

NOTE 3 Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all customer, statutory and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as

a) the potential impact of the outsourced process on the organization's capability to provide product that conforms to requirements,

b) the degree to which the control for the process is shared,

c) the capability of achieving the necessary control through the application of 7.4.


Impact of changes – 4.1 General requirements

Effect of changes:

“Determine” vs. “identify” processes – clearer intent, easier to translate

Subclause e) – removes requirement to “measure” ALL QMS processes. Now organizations can use judgment as to where measurement of a process (vs. monitoring and analysis) is warranted

Note 1 – expands scope of required QMS processes to include processes for analysis and improvement

Outsourced processes:

Expands definition – can include QMS processes performed by other entities within an organization (i.e. corporate HQ, design centers, distribution centers) as well as by third parties

Emphasizes point that organizations are held responsible for performance of outsourced processes

Lists factors that should be considered in defining controls on outsourced processes

Auditing Considerations:

Re: Subclause e) – The use of “Where applicable” here has implications for both QMS design and auditing – more on this later in the presentation

Re: Note 1 – Auditors should ensure that processes for analysis and improvement are defined within the QMS, and documented where deemed necessary

Re: Outsourced processes – Auditors should carefully review how their organization has identified any outsourced processes, and how control of such processes is identified within their QMS.


Clause 4.2.1 (Documentation Requirements) General

ISO 9001:2000 text, followed by ISO 9001:2008 text:

The quality management system documentation shall include

a) documented statements of a quality policy and quality objectives,

b) a quality manual,

c) documented procedures required by this International Standard,

d) documents needed by the organization to ensure the effective planning, operation and control of its processes, and

e) records required by this International Standard (see 4.2.4).

NOTE 1 Where the term “documented procedure” appears within this International Standard, this means that the procedure is established, documented, implemented and maintained.

NOTE 2 The extent of the quality management system documentation can differ from one organization to another due to

a) the size of organization and type of activities,

b) the complexity of processes and their interactions, and

c) the competence of personnel.

NOTE 3 The documentation can be in any form or type of medium.

ISO 9001:2008:

The quality management system documentation shall include

a) documented statements of a quality policy and quality objectives,

b) a quality manual,

c) documented procedures and records required by this International Standard, and

d) documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its processes.

NOTE 1 Where the term “documented procedure” appears within this International Standard, this means that the procedure is established, documented, implemented and maintained. A single document may address the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document.

NOTE 2 The extent of the quality management system documentation can differ from one organization to another due to

a) the size of organization and type of activities,

b) the complexity of processes and their interactions, and

c) the competence of personnel.

NOTE 3 The documentation can be in any form or type of medium.


Impact of changes – 4.2.1 Documentation requirements - General

Effect of changes:

Emphasizes that both records required by ISO 9001:2008 AND records deemed necessary by the organization are considered part of an organization’s QMS documentation

With regard to “documented procedures” required by ISO 9001:2008, clarifies the intent that organizations can structure their QMS documentation any way they choose – one procedure to address a requirement for a documented procedure, or many procedures, or one procedure to address multiple documented procedure requirements (i.e. Document AND Record Control, Corrective AND Preventive Action)

Auditing Considerations:

Re: Note 1 – Auditors now have clear direction from ISO concerning their organization’s freedom to be flexible in how they structure their QMS documentation


Clause 4.2.3 Control of documents

ISO 9001:2000 text, followed by ISO 9001:2008 text:

Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4.

A documented procedure shall be established to define the controls needed

a) to approve documents for adequacy prior to issue,

b) to review and update as necessary and re-approve documents,

c) to ensure that changes and the current revision status of documents are identified,

d) to ensure that relevant versions of applicable documents are available at points of use,

e) to ensure that documents remain legible and readily identifiable,

f) to ensure that documents of external origin are identified and their distribution controlled, and

g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

ISO 9001:2008:

Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4.

A documented procedure shall be established to define the controls needed

a) to approve documents for adequacy prior to issue,

b) to review and update as necessary and re-approve documents,

c) to ensure that changes and the current revision status of documents are identified,

d) to ensure that relevant versions of applicable documents are available at points of use,

e) to ensure that documents remain legible and readily identifiable,

f) to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled, and

g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.


Impact of changes – Control of documents

Effect of changes:

Subclause f) clarifies the intended scope of “external documents”

Improves alignment of 4.2.3 f) with its corresponding requirement in ISO 14001:2004 (4.4.5 f)

Auditing Considerations:

Auditors should review controls on external documents. The focus of this requirement is clearly on external documents pertaining to “conformity to product requirements”. You may be over- (or under-) controlling these documents

Examples may include customer-supplied drawings, customer specifications and product standards, nationally- or industry-recognized standards (i.e. ASTM, ASME, commodity-specific), statutory/regulatory requirements (FMVSS, FAA, FDA)

Keep in mind – “documents” can be hard copy or electronic


Clause 6.2.1 (Human resources) General

ISO 9001:2000 text, followed by ISO 9001:2008 text:

Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills and experience.

ISO 9001:2008:

Personnel performing work affecting conformity to product requirements shall be competent on the basis of appropriate education, training, skills and experience.

NOTE Conformity to product requirements can be affected directly or indirectly by personnel performing any task within the quality management system.


Impact of changes – Human resources - General

Effect of changes:

Emphasizes the definition of product quality as the degree of conformance to product requirements

Clarifies the intended scope of competency, training and awareness

Auditing Considerations:

Ensure that this requirement is applied appropriately within your organization:

Employees that impact product quality, directly or indirectly

Contract personnel that impact product quality, directly or indirectly

Temporary personnel that impact product quality, directly or indirectly


Clause 6.2.2 Competence, training and awareness (was Competence, awareness and training)

ISO 9001:2000 text, followed by ISO 9001:2008 text:

The organization shall

a) determine the necessary competence for personnel performing work affecting product quality,

b) provide training or take other actions to satisfy these needs,

c) evaluate the effectiveness of the actions taken,

d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives, and

e) maintain appropriate records of education, training, skills and experience (see 4.2.4).

ISO 9001:2008:

The organization shall

a) determine the necessary competence for personnel performing work affecting conformity to product requirements,

b) where applicable, provide training or take other actions to achieve the necessary competence,

c) evaluate the effectiveness of the actions taken,

d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives, and

e) maintain appropriate records of education, training, skills and experience (see 4.2.4).


Impact of changes – Competence, training and awareness

Effect of changes:

Again, “conformity to product requirements” vs. “product quality”

Subclause b) – “where applicable”, allows organizations to use judgment regarding the need for training or other actions:

Long-term employees

Very simple tasks

Keeps focus on competence

Auditing Considerations:

Subclause b) – “Where applicable” – more on this later

“Competence” – “Demonstrated ability to apply knowledge and skills” (ISO 9000:2005 3.1.6) – how is competence assessed? (vs. simple delivery of training). This is often fertile ground for auditing

Good technique – assess process/product performance to requirements, compare to training provided.


Clause 6.3 Infrastructure

ISO 9001:2000 text, followed by ISO 9001:2008 text:

The organization shall determine, provide and maintain the infrastructure needed to achieve conformity to product requirements. Infrastructure includes, as applicable

a) buildings, workspace and associated utilities,

b) process equipment (both hardware and software), and

c) supporting services (such as transport or communication).

ISO 9001:2008:

The organization shall determine, provide and maintain the infrastructure needed to achieve conformity to product requirements. Infrastructure includes, as applicable,

a) buildings, workspace and associated utilities,

b) process equipment (both hardware and software), and

c) supporting services (such as transport, communication or information systems).


Impact of changes – 6.3 Infrastructure

Effect of changes:

Subclause c) – “such as” list now includes information systems

Auditing Considerations:

Assess the impact of information systems on conformance to customer, statutory and regulatory requirements and ensure that 6.3 requirements are appropriately addressed (if they’re not already)


Clause 7.2.1 (Customer-related processes) Determination of requirements related to the product

ISO 9001:2000 text, followed by ISO 9001:2008 text:

The organization shall determine

a) requirements specified by the customer, including the requirements for delivery and post-delivery activities,

b) requirements not stated by the customer but necessary for specified or intended use, where known,

c) statutory and regulatory requirements related to the product, and

d) any additional requirements determined by the organization.

ISO 9001:2008:

The organization shall determine

a) requirements specified by the customer, including the requirements for delivery and post-delivery activities,

b) requirements not stated by the customer but necessary for specified or intended use, where known,

c) statutory and regulatory requirements applicable to the product, and

d) any additional requirements considered necessary by the organization.

NOTE Post-delivery activities include, for example, actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.


Impact of changes – 7.2.1 Determination of requirements related to the product

Effect of changes:

Subclauses c) and d) – clarifies intent of requirement

Note: Clarifies definition and gives examples of “post-delivery services”; encourages consideration of entire product lifecycle

Auditing Considerations:

Ensure that any customer-required post-delivery services are determined and reviewed during contract review/quotation processes (or their equivalent in your organization)


Clause 7.3.1 (Design and development) Design and development planning

ISO 9001:2000 text, followed by ISO 9001:2008 text:

The organization shall plan and control the design and development of product.

During the design and development planning, the organization shall determine

a) the design and development stages,

b) the review, verification and validation that are appropriate to each design and development stage, and

c) the responsibilities and authorities for design and development.

The organization shall manage the interfaces between different groups involved in design and development to ensure effective communication and clear assignment of responsibility.

Planning output shall be updated, as appropriate, as the design and development progresses.

ISO 9001:2008:

The organization shall plan and control the design and development of product.

During the design and development planning, the organization shall determine

a) the design and development stages,

b) the review, verification and validation that are appropriate to each design and development stage, and

c) the responsibilities and authorities for design and development.

The organization shall manage the interfaces between different groups involved in design and development to ensure effective communication and clear assignment of responsibility.

Planning output shall be updated, as appropriate, as the design and development progresses.

NOTE Design and development review, verification and validation have distinct purposes. They can be conducted and recorded separately or in any combination, as suitable for the product and the organization.


Impact of changes – 7.3.1 Design and development planning

Effect of changes:

Emphasizes that organizations can structure the activities of review, verification and validation in any means that suits them, so long as these activities “…are appropriate to each design and development stage…”

Auditing Considerations:

Auditors should ensure that the activities of design and development review, verification and validation are suitable for their organization’s modes of operation (keep in mind, all 3 activities are required at some point in the design and development process).

This is especially important if you structured these activities around your perception (or a CB auditor’s perception) of ISO 9001:2000’s requirements, rather than what makes sense:

To your organization

For the products/services you provide

For the level of responsibility your organization has for design and development


Clause 7.3.3 (Design and development) Design and development outputs

ISO 9001:2000 text, followed by ISO 9001:2008 text:

The outputs of design and development shall be provided in a form that enables verification against the design and development input and shall be approved prior to release.

Design and development outputs shall

a) meet the input requirements for design and development,

b) provide appropriate information for purchasing, production and for service provision,

c) contain or reference product acceptance criteria, and

d) specify the characteristics of the product that are essential for its safe and proper use.

ISO 9001:2008:

The outputs of design and development shall be in a form suitable for verification against the design and development input and shall be approved prior to release. Design and development outputs shall

a) meet the input requirements for design and development,

b) provide appropriate information for purchasing, production and service provision,

c) contain or reference product acceptance criteria, and

d) specify the characteristics of the product that are essential for its safe and proper use.

NOTE Information for production and service provision can include details for the preservation of product.


Impact of changes – 7.3.3 Design and development outputs

Effect of changes:

Grammatical

Emphasizes that preservation of product should be considered during design and development outputs

Auditing Considerations:

Auditors should ensure that consideration is given to preservation of product during design and development

Examples may include (as appropriate):

Storage areas

Bins, totes transport methods used in process

Handling methods

Packaging and packaging methods

Transport and logistics methods and services (inbound and outbound)


Clause 7.5.3 (Production and service provision) Identification and traceability

ISO 9001:2000 text, followed by ISO 9001:2008 text:

Where appropriate, the organization shall identify the product by suitable means throughout product realization.

The organization shall identify the product status with respect to monitoring and measurement requirements.

Where traceability is a requirement, the organization shall control and record the unique identification of the product (see 4.2.4).

NOTE In some industry sectors, configuration management is a means by which identification and traceability are maintained.

ISO 9001:2008:

Where appropriate, the organization shall identify the product by suitable means throughout product realization.

The organization shall identify the product status with respect to monitoring and measurement requirements throughout product realization.

Where traceability is a requirement, the organization shall control the unique identification of the product and maintain records (see 4.2.4).

NOTE In some industry sectors, configuration management is a means by which identification and traceability are maintained.


Impact of changes – 7.5.3 Identification and traceability

Effect of changes:

Clarifies the intent that product shall be identified with respect to its monitoring and measurement status during all phases of product realization

Grammatical

Auditing Considerations:

Ensure that product is identified with respect to monitoring and measurement status during all stages of product realization, for example:

Receiving

Storage

In-process

Final inspection

Shipping


Clause 7.5.4 (Production and service provision) Customer property

ISO 9001:2000 text, followed by ISO 9001:2008 text:

The organization shall exercise care with customer property while it is under the organization's control or being used by the organization. The organization shall identify, verify, protect and safeguard customer property provided for use or incorporation into the product. If any customer property is lost, damaged or otherwise found to be unsuitable for use, this shall be reported to the customer and records maintained (see 4.2.4).

NOTE Customer property can include intellectual property.

The organization shall exercise care with customer property while it is under the organization's control or being used by the organization. The organization shall identify, verify, protect and safeguard customer property provided for use or incorporation into the product. If any customer property is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer and maintain records (see 4.2.4).

NOTE Customer property can include intellectual property and personal data.


Impact of changes – 7.5.4 Customer property

Effect of changes:

- Grammatical
- Note – adds personal data. This is in response to increasing concerns over identity theft and security

Auditing Considerations:

- Auditors should review controls on customer’s personal data and ensure that adequate safeguards and security provisions are in place.
  - Access to this data is adequately controlled
  - Procedures are in place to notify customers if this data is lost (or presumably, stolen)
  - Legal and customer requirements are addressed


Clause 7.6 Control of monitoring and measuring equipment (was Control of monitoring and measuring devices)

ISO 9001:2000

The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring devices needed to provide evidence of conformity of product to determined requirements (see 7.2.1).

The organization shall establish processes to ensure that monitoring and measurement can be carried out and are carried out in a manner that is consistent with the monitoring and measurement requirements.

Where necessary to ensure valid results, measuring equipment shall

a) be calibrated or verified at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; where no such standards exist, the basis used for calibration or verification shall be recorded;

b) be adjusted or re-adjusted as necessary;

c) be identified to enable the calibration status to be determined;

d) be safeguarded from adjustments that would invalidate the measurement result;

e) be protected from damage and deterioration during handling, maintenance and storage.

ISO 9001:2008

The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring equipment needed to provide evidence of conformity of product to determined requirements.

The organization shall establish processes to ensure that monitoring and measurement can be carried out and are carried out in a manner that is consistent with the monitoring and measurement requirements.

Where necessary to ensure valid results, measuring equipment shall

a) be calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; where no such standards exist, the basis used for calibration or verification shall be recorded (see 4.2.4);

b) be adjusted or re-adjusted as necessary;

c) have identification in order to determine its calibration status;

d) be safeguarded from adjustments that would invalidate the measurement result;

e) be protected from damage and deterioration during handling, maintenance and storage.


Clause 7.6 Control of monitoring and measuring equipment (was Control of monitoring and measuring devices) – cont’d

ISO 9001:2000

In addition, the organization shall assess and record the validity of the previous measuring results when the equipment is found not to conform to requirements. The organization shall take appropriate action on the equipment and any product affected. Records of the results of calibration and verification shall be maintained (see 4.2.4).

When used in the monitoring and measurement of specified requirements, the ability of computer software to satisfy the intended application shall be confirmed. This shall be undertaken prior to initial use and reconfirmed as necessary.

NOTE See ISO 10012-1 and ISO 10012-2 for guidance.

ISO 9001:2008

In addition, the organization shall assess and record the validity of the previous measuring results when the equipment is found not to conform to requirements. The organization shall take appropriate action on the equipment and any product affected.

Records of the results of calibration and verification shall be maintained (see 4.2.4).

When used in the monitoring and measurement of specified requirements, the ability of computer software to satisfy the intended application shall be confirmed. This shall be undertaken prior to initial use and reconfirmed as necessary.

NOTE Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use.


Impact of changes - 7.6 Control of monitoring and measuring equipment

Effect of changes:

- “Equipment” vs. “Device” – this change in terminology is now consistent throughout ISO 9001:2008
- Subclause a) – clarifies that in some cases, both calibration and verification may be necessary in order to ensure that equipment provides valid results
- Subclause e) – intent is to further clarify that identification of calibration status need not be physically present on measurement equipment (i.e. an ID number or serial number traceable to a calibration database has long been acceptable)
- Note – clarifies the intent of software verification requirements

Auditing Considerations:

- Review the definitions in ISO 9000:2005; the intent is that the definition of “measuring equipment” encompasses “measuring instruments”, which includes measuring “devices”
- Re: subclause a) – ensure that both calibration and verification are appropriately utilized in their organization
- Re: software – If you use measuring equipment that relies on software to provide results, review the note and ensure that:
  - Appropriate procedures are in place to verify the validity of the results the software provides
  - Appropriate configuration management procedures are in place (think version control, for those of you not involved in aerospace or medical devices)


Clause 8.2.1 (Monitoring) – Customer satisfaction

ISO 9001:2000

As one of the measurements of the performance of the quality management system, the organization shall monitor information relating to customer perception as to whether the organization has met customer requirements. The methods for obtaining and using this information shall be determined.

ISO 9001:2008

As one of the measurements of the performance of the quality management system, the organization shall monitor information relating to customer perception as to whether the organization has met customer requirements. The methods for obtaining and using this information shall be determined.

NOTE Monitoring customer perception can include obtaining input from sources such as customer satisfaction surveys, customer data on delivered product quality, user opinion surveys, lost business analysis, compliments, warranty claims and dealer reports.


Impact of changes – 8.2.1 Customer satisfaction

Effect of changes:

- Gives examples of potential sources of information regarding “…customer perception as to whether the organization has met customer requirements.”

Auditing Considerations:

- Ensure that your organization is using appropriate methods to determine customer satisfaction. The note provides examples of data which may be reviewed.


Clause 8.2.2 (Monitoring) – Internal audit

ISO 9001:2000

The organization shall conduct internal audits at planned intervals to determine whether the quality management system

a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and

b) is effectively implemented and maintained.

An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure.

The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8.5.2).

NOTE See ISO 10011-1, ISO 10011-2 and ISO 10011-3 for guidance.

ISO 9001:2008

The organization shall conduct internal audits at planned intervals to determine whether the quality management system

a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and

b) is effectively implemented and maintained.

An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results.

Records of the audits and their results shall be maintained (see 4.2.4).

The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8.5.2).

NOTE See ISO 19011 for guidance.


Impact of changes – 8.2.2 Internal Audit

Effect of changes:

- Better grammar and flow
- Updated reference to auditing guidance standards; better alignment with ISO 14001:2004

Auditing Considerations:

- ISO 19011:2002 provides guidance in auditing (1st, 2nd and 3rd party) for both the ISO 9001 and ISO 14001 standards. Use of this document is STRONGLY recommended.


Clause 8.2.3 (Monitoring) – Monitoring and measurement of processes

ISO 9001:2000

The organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate, to ensure conformity of the product.

ISO 9001:2008

The organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate.

NOTE When determining suitable methods, it is advisable that the organization consider the type and extent of monitoring or measurement appropriate to each of its processes in relation to their impact on the conformity to product requirements and on the effectiveness of the quality management system.


Impact of changes – 8.2.3 Monitoring and measurement of processes

Effect of changes:

- Clarifies the intent of the requirement; provides detail of the rationale for monitoring and measurement of QMS processes

Auditing Considerations:

- Auditors should review process monitoring and measurement to ensure the appropriate application (don’t forget the changes in 4.1 concerning process monitoring and, where appropriate, measurement!)


Clause 8.5.2 (Improvement) Corrective action

ISO 9001:2000

The organization shall take action to eliminate the cause of nonconformities in order to prevent recurrence. Corrective actions shall be appropriate to the effects of the nonconformities encountered.

A documented procedure shall be established to define requirements for

a) reviewing nonconformities (including customer complaints),

b) determining the causes of nonconformities,

c) evaluating the need for action to ensure that nonconformities do not recur,

d) determining and implementing action needed,

e) records of the results of action taken (see 4.2.4), and

f) reviewing corrective action taken.

ISO 9001:2008

The organization shall take action to eliminate the causes of nonconformities in order to prevent recurrence. Corrective actions shall be appropriate to the effects of the nonconformities encountered.

A documented procedure shall be established to define requirements for

a) reviewing nonconformities (including customer complaints),

b) determining the causes of nonconformities,

c) evaluating the need for action to ensure that nonconformities do not recur,

d) determining and implementing action needed,

e) records of the results of action taken (see 4.2.4), and

f) reviewing the effectiveness of the corrective action taken.


Impact of changes – 8.5.2 Corrective action

Effect of changes:

- “Causes” vs. “cause” – recognizes that nonconformities may have multiple causes; better alignment with clause 8.5.3 Preventive action
- Subclause f) – clarifies intent that the effectiveness (was the planned result achieved?) of corrective actions must be reviewed

Auditing Considerations:

- Good opportunity to review the EFFECTIVENESS of corrective actions – were the actions taken successful in eliminating the cause(s) of nonconformities?


Clause 8.5.3 (Improvement) Preventive action

ISO 9001:2000

The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be appropriate to the effects of the potential problems.

A documented procedure shall be established to define requirements for

a) determining potential nonconformities and their causes,

b) evaluating the need for action to prevent occurrence of nonconformities,

c) determining and implementing action needed,

d) records of results of action taken (see 4.2.4), and

e) reviewing preventive action taken.

ISO 9001:2008

The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be appropriate to the effects of the potential problems.

A documented procedure shall be established to define requirements for

a) determining potential nonconformities and their causes,

b) evaluating the need for action to prevent occurrence of nonconformities,

c) determining and implementing action needed,

d) records of results of action taken (see 4.2.4), and

e) reviewing the effectiveness of the preventive action taken.


Impact of changes – 8.5.3 Preventive action

Effect of changes:

- Subclause f) – clarifies intent that the effectiveness (was the planned result achieved?) of preventive actions must be reviewed

Auditing Considerations:

- Good opportunity to review the EFFECTIVENESS of corrective actions – were the actions taken successful in eliminating the cause(s) of POTENTIAL nonconformities?


Bibliography

Bibliography – now refers to current editions of referenced standards, new standards referenced and standards withdrawn since the publication of ISO 9001:2000.

New Standards

- ISO 10001:2007, Customer satisfaction - Guidelines for codes of conduct for organizations
- ISO 10002:2004, Customer satisfaction - Guidelines for complaints handling in organizations
- ISO 10003:2007, Customer satisfaction - Guidelines for dispute resolution external to organizations
- ISO 10019:2005, Guidelines for the selection of quality management system consultants and use of their services
- ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing
- IEC 61160:2006, Design review
- ISO 90003:2004, Software engineering - Guidelines for the application of ISO 9001:2000 to computer software

New Editions

- ISO 9004:200x, Managing for the sustained success of an organization - A quality management approach
- ISO 10005:2005, Quality management systems - Guidelines for quality plans
- ISO 10006:2003, Quality management systems - Guidelines for quality management in projects
- ISO 10007:2003, Quality management systems - Guidelines for configuration management
- ISO 10012:2003, Requirements for measurement processes and measuring equipment
- ISO/TR 10013:2001, Guidelines for quality management system documentation
- ISO 10014:2006, Quality management - Guidelines for realizing financial and economic benefits
- ISO/TR 10017:2003, Guidance on statistical techniques for ISO 9001:2000
- ISO 14001:2004, Environmental management systems - Requirements with guidance for use
- IEC 60300-1:2003, Dependability management - Part 1: Dependability management systems

Withdrawn Standards

- ISO 9000-3:1997 (replaced by ISO 90003:2004)
- ISO 10011-1:1990 (replaced by ISO 19011:2002)
- ISO 10011-2:1991 (replaced by ISO 19011:2002)
- ISO 10011-3:1991 (replaced by ISO 19011:2002)
- ISO 10012-1:1992 (replaced by ISO 10012:2003)
- ISO 10012-2:1997 (replaced by ISO 10012:2003)


Impact of changes - Bibliography

Effect of changes:

- None

Auditing Considerations:

- The referenced standards provide excellent guidance into the intents of ISO 9001:2008. Auditors are strongly advised to understand these guidance documents – you’ll be a better auditor for it!


Auditing “Where Appropriate/Where Applicable…”


Auditing “Where Appropriate/Where Applicable…” Clauses

Many auditors prefer “black and white” requirements – “where applicable” implies judgment. What to do? How do auditors assess applicability of and conformity with a requirement in the absence of a definite “shall”?

The ISO 9000 Auditing Practices Group and the International Accreditation Forum (IAF), an affiliate organization of ISO, have published two relevant white papers on the subject:

- Determination of the “where appropriate” processes
- Auditing the “where appropriate” requirements

In ISOmatrix’s opinion, the same logic applies to “where applicable” as “where appropriate”

The source documents are available at http://isotc.iso.org/livelink/livelink/fetch/2000/2122/138402/138403/3541460/customview.html?func=ll&objId=3541460&objAction=browse&sort=name

Keep in mind, these are guidance documents, NOT ISO 9001 requirements or standards

Auditing “Where Appropriate/Where Applicable…” Clauses

“Determination of the “where appropriate” processes” – Summary

If there are conflicts between the auditee’s understanding of process applicability and the auditor’s, it’s the auditor’s responsibility to understand the auditee’s point of view.

Auditors should NOT impose their own point of view WITHOUT OBJECTIVE EVIDENCE TO SUPPORT THEIR POINT OF VIEW that a requirement is not met!!!

The issue may be conflicts in understanding the organization’s terminology vs. ISO’s – use ISO 9000:2005 as a reference to resolve these conflicts wherever possible

Don’t forget Clause 1.2 – Applicability!

ISOmatrix suggests considering the impact of the process or requirement on product conformity to requirements, statutory/regulatory compliance and customer satisfaction

Auditing “Where Appropriate/Where Applicable…” Clauses

“Auditing “where appropriate” requirements” – Summary

- The organization should carefully consider the applicability of the “where appropriate” requirements during implementation
  - Impact on product conformity to requirements, statutory and regulatory compliance and customer satisfaction (remember Clause 1.1?)
- Auditors should look at these requirements in light of the organization’s QMS scope – how will these requirements impact the QMS’ ability to fulfill this scope?
  - “Does this requirement add value to this element of confidence, without the ‘where appropriate’ being addressed?”
  - “Does it increase the risk that the organisation cannot meet its customer requirements? (This may be more than a specific set of customer requirements, as it can include the demands and expectations of end users, consumers, or the supply chain).”

Auditing “Where Appropriate/Where Applicable…” Clauses

“Auditing “where appropriate” requirements” – Summary (cont’d)

- Individuals responsible for the selection of internal auditors should consider whether the auditor has the necessary technical competence to make these determinations – the use of “technical experts” per ISO 19011 may be necessary
- Auditors should consider the impact of the “where appropriate” requirements on how processes are defined and implemented, and the process outputs.
  - If the requirement is NOT considered “appropriate”, it’s recommended that the audit provide objective evidence to support that the system is effective and customer requirements are consistently met.
- ISOmatrix adds – consider the performance of the system and process. Review monitoring (and where applicable, measurement) of the associated process. Is the process effective and efficient in the absence of conformance to this requirement?


Listing of “Where Appropriate/Where Applicable…” Clauses

Where appropriate:

- 7.4.2 Purchasing Information
- 7.5.3 Identification and traceability

Where applicable:

- 4.1 e) General requirement (New for 2008)
- 6.2.2 b) Competence, training and awareness (New for 2008)
- 7.3.2 Design and development inputs
- 8.2.3 Monitoring and measurement of processes
- 8.2.4 Monitoring and measurement of product
- 8.3 Control of nonconforming product (New for 2008)


Questions and Answers


ISOmatrix

ISOmatrix, Inc.

www.isomatrix.com

805-435-1203


Thank You!!!
