student textbook - qualitywbt

4D4437A1-4C58-288D25.doc Lead Auditor Training

2003-2008 AQS Management System, Inc. and J.P. Russell & Assoc. of 84

Student Textbook

ISO 9001:2008 Requirements from A to Z By: AQS Management Systems, Inc. and Quality WBT Center for Education Note: The student textbook contains the text content of the class without interactive exercises, activities, glossary links, images, examples, key points, summaries, tests, or handouts. The student textbook can be used for off-line refresher and future reference after the class. The student textbook should not be used in place of the web-based training program.



Table of Contents CLASS RULES, FEATURES AND NAVIGATION......................................................................................... 4

LESSON A01: TERMINOLOGY AND DEFINITIONS ................................................................................... 5 NOTABLE ORGANIZATION CONCEPTS ................................................................................................................ 5 NOTABLE TERMS RELATED TO CONFORMITY ..................................................................................................... 6 NOTABLE TERMS RELATED TO PROCESS AND PRODUCT ...................................................................................... 6 NOTABLE TERMS RELATED TO AUDITING .......................................................................................................... 6 NOTABLE TERMS RELATED TO QUALITY............................................................................................................. 7 NOTABLE TERMS RELATED TO MANAGEMENT..................................................................................................... 7 NOTABLE TERMS RELATED TO DOCUMENTATION................................................................................................ 7 NOTABLE TERMS TO APPLY .............................................................................................................................. 8

LESSON B02: BACKGROUND, HISTORY AND RATIONALE OF QUALITY MANAGEMENT............ 10 A. HISTORY OF ASSURING QUALITY ................................................................................................................ 10 B. LACK OF CONSISTENCY .............................................................................................................................. 13 C. NEED FOR A COMMON APPROACH ............................................................................................................... 14 D. INTERNATIONAL ORGANIZATION FOR STANDARDIZATION ............................................................................ 14 E. CREATION OF ISO 9001.............................................................................................................................. 14 F. REGISTRATION AUDIT DRIVES QUALITY IMPROVEMENT ............................................................................... 15 G. IMPACT OF CONFORMANCE......................................................................................................................... 16

LESSON C03: INTRODUCTION TO ISO 9001 ........................................................................................... 18 A. QUALITY MANAGEMENT PRINCIPLES .......................................................................................................... 18 B. PURPOSE OF ISO 9001................................................................................................................................ 23 C. ISO 9001 DESIGN/ STRUCTURE.................................................................................................................. 23 D. FUTURE ..................................................................................................................................................... 24

LESSON D04: THE CONTENTS OF ISO 9001 - INTRODUCTION.......................................................... 26 0.2 PROCESS APPROACH ................................................................................................................................. 27 0.3 RELATIONSHIP TO ISO 9004...................................................................................................................... 29 0.4 COMPATIBILITY WITH OTHER MANAGEMENT SYSTEMS ................................................................................ 30

LESSON D05: SCOPE/ EXCLUDING CLAUSES/ DEFINITIONS ............................................................ 31 1.2 APPLICATION............................................................................................................................................ 32 2. NORMATIVE REFERENCE ............................................................................................................................. 33 3. TERMS AND DEFINITIONS ............................................................................................................................ 34

LESSON D06: GENERAL SYSTEM/DOCUMENTATION REQUIREMENTS.......................................... 35 4.1 GENERAL REQUIREMENTS ......................................................................................................................... 35 4.2.2 QUALITY MANUAL................................................................................................................................. 39 4.2.3 CONTROL OF DOCUMENTS...................................................................................................................... 39 4.2.4 CONTROL OF RECORDS........................................................................................................................... 40

LESSON D07: MANAGEMENT COMMITMENT/CUSTOMER FOCUS/QUALITY POLICY AND PLANNING REQUIREMENTS....................................................................................................................... 42

5.1 MANAGEMENT COMMITMENT.................................................................................................................... 42 5.2 CUSTOMER FOCUS .................................................................................................................................... 43 5.3 QUALITY POLICY ...................................................................................................................................... 43 5.4 PLANNING ................................................................................................................................................ 43

LESSON D08: MANAGEMENT RESPONSIBILITY/REVIEW (5.5 - 5.6).................................................. 46



5.5.1 RESPONSIBILITY AND AUTHORITY .......................................................................................................... 46 5.5.2 MANAGEMENT REPRESENTATIVE............................................................................................................ 46 5.5.3 INTERNAL COMMUNICATIONS................................................................................................................. 46 5.6 MANAGEMENT REVIEW............................................................................................................................. 47

LESSON D09: RESOURCE MANAGEMENT (6) ........................................................................................ 49 6.1 GENERAL ................................................................................................................................................. 49 6.2 HUMAN RESOURCES.................................................................................................................................. 49 6.3 INFRASTRUCTURE ..................................................................................................................................... 50 6.4 WORK ENVIRONMENT............................................................................................................................... 51

LESSON D10: PRODUCT REALIZATION (7.1 - 7.4) ................................................................................. 53 7.1 PLANNING OF REALIZATION PROCESSES ..................................................................................................... 53 7.2 CUSTOMER-RELATED PROCESSES............................................................................................................... 54 7.3 DESIGN AND DEVELOPMENT...................................................................................................................... 55 7.4 PURCHASING ............................................................................................................................................ 58

LESSON D11: PRODUCT AND SERVICE OPERATIONS (7.5-7.6) ........................................................ 62 7.5.1 PRODUCTION AND SERVICE PROVISION CONTROL.................................................................................... 62 7.5.2 VALIDATION PROCESS............................................................................................................................ 64 7.5.3 IDENTIFICATION AND TRACEABILITY ...................................................................................................... 65 7.5.4 CUSTOMER PROPERTY............................................................................................................................ 66 7.5.5 PRESERVATION OF PRODUCT .................................................................................................................. 67 7.6 CONTROL OF MEASURING AND MONITORING EQUIPMENT........................................................................... 67

LESSON D12: MEASUREMENT, ANALYSIS, AND IMPROVEMENT (8.1-8.5)...................................... 71 8.1 GENERAL ................................................................................................................................................. 71 8.2.1 CUSTOMER SATISFACTION ...................................................................................................................... 72 8.2.2 INTERNAL AUDIT ................................................................................................................................... 72 8.2.3 MONITORING AND MEASUREMENT OF PROCESSES ................................................................................... 74 8.2.4 MONITORING AND MEASUREMENT OF PRODUCT...................................................................................... 74 8.3 CONTROL OF NONCONFORMING PRODUCT ................................................................................................. 75 8.4 ANALYSIS OF DATA................................................................................................................................... 76 8.5 IMPROVEMENT.......................................................................................................................................... 76

LESSON D13: PROCESS APPROACH EXPLAINED ................................................................................ 80 END ............................................................................................................................................................... 84



Class Rules, Features and Navigation

Welcome! Please go online to view the web-based training program guidelines, features and navigation.



Lesson A01: Terminology and Definitions Objective of Part A To familiarize students with the terms that are associated with:

• the proper administration of the quality management systems • the proper auditing of quality management systems

Discussion: The ANSI/ISO/ASQ Q9000-2005 Quality management systems – Fundamentals and vocabulary (ISO 9000) standard defines selected terms and provides background information about quality fundamentals. When dictionary definitions are not sufficient to support the quality management (9000 series) and technical standards (10000 series), definitions are provided in ISO 9000-2005. Take out the ISO 9000 standard now and look through it. Turn to the table of contents and see how the standard is organized. Turn to clause 3, Terms and Definitions and read the first clause on how definitions can be nested and when special meanings apply. Notice that the terms are not in alphabetical order. Turn to Annex A to see how terms are grouped by concept diagrams. Turn to the alphabetical index; this is where you go to look up a word. You will need to reference the proper definition of some terms from time to time to fully understand quality management system (QMS) requirements and their intent. You will find that your knowledge of the definitions will be very useful in determining conformance or nonconformance to a requirement. The concept diagrams in Annex A are like a family tree. The diagrams link terms that are related to a particular concept or topic. ISO 9000 Terms and Definitions We do not have the time to discuss every word definition, so we have picked some that we think are especially important or have some aspect that you need to be aware of.

Notable Organization Concepts The word organization is used to indicate the user of the standard. The organization can be a manufacturer or service company, private or public, regulated or non-regulated, and small or large. The organization implements the management system and is audited by a registrar. In the United States, the term "stakeholder" has been used over the last two decades to reference individuals or groups that have a stake (something to lose or gain) in the outcome of a process or activity. Worldwide, the term 'stakeholder' does not translate well so the ISO 9001 and derivative standards use the term interested party to refer to



those interested in the performance or success of the organization. Normally a competitor is not considered an interested party since they seek the elimination of the organization. The term infrastructure is defined and used as the title of clause 6.3. The word "infrastructure" may be used when referencing an organization's facilities, utilities, and equipment.

Notable Terms Related to Conformity The definition of the term nonconformity is non-fulfillment of a requirement. Nonconformities result in other actions (see diagram a01concept1). The term correction refers to responses to nonconformities that only alleviate the specified nonconformity. Other popular terms for correcting are containment action or remedial action. Correcting must not be confused with corrective action or preventive action. Notable Terms Related to Process and Product A product is the result of a process. Therefore, a product can either be a service like housekeeping or something tangible like a paint can or a lawn mower. There are four product categories supported by the standard. The categories are:

• Hardware: The value added item for the customer is an item that has physical form, you can see it and touch it; it is produced with machines or assembled [nuts & bolts, automobiles, I beams, refrigerators, computers, etc.].

• Processed materials: The value added item for the customer is an item that normally undergoes a treatment, change of state or chemical reaction when produced [ chemicals, rubber, plastics, gasoline, pharmaceuticals, food]

• Software: The value added item for the customer is a code which gives instructions to hardware or other software.

• Service : The value added item for the customer is the execution of a process such as: retail sales, renting, personal service, and collective bank or insurance services.

Product is produced by a process. The technical definition for a process is that it is a set of interrelated or interacting activities which transforms inputs into outputs. Simply, a process is associated with some type of action or transformation such as stamping, rolling, designing or other actions that create value.

Notable Terms Related to Auditing As standards evolve, such as the auditing and environmental standards, so does our



need to understand the terminology used by the audit experts. The term quality audit is not in the ISO 9000 vocabulary standard and has been replaced with the generic term, audit . There is little difference between the "quality audit," “environmental audit,” and "audit" definition. The audit definition simply requires that audits determine the extent to which the audit criteria are fulfilled. The audit criteria may be determined on an audit-by-audit basis. There is an audit client, who is the person who has authority to request the audit. Audit evidence is collected and then evaluated objectively. An auditor collects audit evidence to determine audit findings. The term audit findings refer to the conformity or nonconformity to the audit criteria as well as any opportunities for improvement. The output of the audit process is the audit conclusion. Based on the findings, an auditor may recommend or not recommend registration. Notable terms related to Quality The definition of quality is short but somewhat technical in nature and not as simple as we would like for everyday use. In this group of quality-related terms, there is a definition for customer satisfaction . Since customer satisfaction is one of the primary aims of the standard, it is important to define this term. The definition for requirement (ISO 9000, 3.1.2) is very interesting because it goes beyond stated needs and expectations.

Notable Terms related to management Probably one of the most prominent and challenging of audit terms in the standard is effectiveness. One of the most recurring phrases is to continually improve the effectiveness of the quality management system. Other clauses in the standard require effective application, implementation, processes, planning, operation, control, arrangements and communication. Auditors will need to verify that effectiveness requirements are being met. The term system is in this same group of terms. A system is a collection of processes. There are some alternate definitions in the glossary to provide more background, but for conformity audits, only the ISO 9000 definitions apply. There is a quality management system that includes quality control, assurance, planning and improvement processes. It is important to know how quality control and quality assurance are related. The concept of quality planning and issuing quality plans should be well understood. The term for senior management, executives or high level management is top management. Top management is universally acceptable worldwide.

Notable Terms related to documentation



A document is information (meaningful data) and its supporting medium (paper, electronic, film, and so on). A document can be a record, specification, procedure, drawing, report or a standard. Set or collection of records or specifications can be called documentation. A procedure is a particular type of document that states a way to carry out an activity or process (determines how it will be done). A record is another type of document that states results or evidence of activities performed (determines what was done).

Notable Terms to Apply a. Review

According to the dictionary, reviewing is an act of inspecting or examining. Reviewing is looking over or examining with the intent to amend or improve. However, from the ISO 9001 view, review includes determining, suitability, adequacy and effectiveness of the matter under review. For a certified management system (MS ) that uses the ISO 9000 vocabulary (such as TS 16949. ISO 13485, AS 9001, ISO 14001), review is much more than studying material again. Other management system standards can opt out of the ISO 9000 definition if they create their own definition for review. Now it is clear that review of corrective actions includes determination of the effectiveness of the corrective actions taken.

b. Verification and validation

Standards require verification of products and activities to ensure control. It is part of the PDCA model. For example: The ISO 9001 uses the words verification and validation many times. Most verifications and validations are integrated into design, manufacturing or service delivery processes and are preformed by operators, inspectors, technicians, engineers or those performing the service. Verification methods include inspection, independent or alternate calculations, independent test services, simulations, modeling, prototype testing and product audit. Validation methods include testing the functionality of the product and/or delivery of the service for its intended use as part of a process audit.

For some products, validation is the next logical step after verification such as checking pump specifications and then turning it on to validate the rated capacity. In other cases, product quality can only be verified because of the nature of its use such as the lunar vehicle used on the Moon. Other product quality can only be validated because the physical specifications are not an indication of how it will function such as liquid absorbers. Cost versus risk are determining factors for verifying and validating. Outsourcing and globalization of businesses have made verification and validation important tactical methods to assure product quality and safety before use by the customer.



Auditors can verify processes and products/services. Verification audits may verify and validate: inspection methods, delivery of services, compliance with contracts, critical product or service characteristics, or process/product performance. c. Risk

The word risk is used in the standard and I think we will see this word used many times in the future. Not because this is the latest hot term or topic, but because the idea of implementing controls such as QMS controls, is to mitigate risk of undesirable outcomes. Therefore, it is in our best interest to better understand risk. This understanding will take place over the next decade, but we need to start thinking about it now. Risk is normally quantified relative to negative consequences or outcomes such as the possibility of loss, injury, disadvantage, or destruction and the degree of probability or amount of such loss, injury, disadvantage, or destruction. The draft ISO Guide 73 (Risk management - Vocabulary) describes risk as the combination of the probability of an event and its consequence.

Inherently, there is risk associated with all products/services and processes. It is a matter of quantifying (estimating) the risk and determining what amount of risk that is acceptable for you or your organization. Just like there is variability in all processes, it is a matter of quantifying the variability and determining what amount is acceptable. If the risk is unacceptable, action must be taken remove it, avoid it, or mitigate (minimize) it. Comments Studying word definitions (lexicology) can be very insightful. The ISO 9000 definitions are somewhat technical but will prove useful during an audit. Knowing the words will result in a sharper focus and better understanding when determining conformance to requirements. Using the correct words will improve communications between you and the organization representatives. In the next lesson we will discuss the basis and evolution of quality management. Knowing the history will help you understand how the standard has evolved to what it is today.



Lesson B02: Background, History and Rationale of Quality Management Knowing the history of standards and how we got to where we are today will help you be a better auditor. An understanding of history will put quality and the auditing profession into perspective. When you understand history you will understand why we do what we do and how we got to where we are with regard to our quality practices. You will also be able to explain the benefits of adopting a quality management system (QMS) to others. You also need this perspective to learn about misapplications of standards. History is only small part - but valuable part of this class.

A. History of Assuring Quality The quest for quality is not new. Going back 2000 years or more, there were master craftsmen and apprentices. In the very early years, products produced were used in the local community. They tended to be focused on survival and were often associated with farm tools and hunting equipment. As society progressed, products and the demands for products moved beyond providing the basics for survival. Many products such as silverware or furniture were produced upon demand by tradesmen such as a silversmith or cabinet maker. Products were produced in a small workshop environment where people were responsible for the business as well as quality. Craftsmen took pride in their work. One of the hallmarks of this era, was that products tended to be unique. It was the norm that no two products looked exactly alike, even when produced by the same craftsman. As customer demand increased, those producing products responded by producing higher volume products with higher quality. As we become more sophisticated at producing quality products we adapted many techniques to achieve results. With mass production came engineers and product standards. Products were produced to an increasingly well defined standard or specification. Companies were formed and products were produced in large shops or factories. To produce products in volume and at low cost, it became important for processes to be repeatable. Repeatability in processes and product drove down costs and drove up quality. The first product produced in the morning was the same as the last product produced in the afternoon. As organizations grew, it became necessary to hire people to supervise people and to assure the end result. As the demand for quality and increasingly complex products continued to grow, it became nearly impossible for supervisors or shop foremen to assure results. Customers such as the military wanted to make changes and they wanted products to function as designed. Defective mortar fuses reduced military effectiveness and caused friendly fire casualties. Placing all of these responsibilities on the shoulders of one person no longer achieved the results demanded by increasingly sophisticated customers. Inspection departments were formed to check products to make sure they met specifications.



The major event in the evolution that drove quality to a more reliable and more systematic endeavor was World War II. The United States had a very small military and was simply unprepared to fight a major conflict. The key component to overcoming these problems and winning the war was the unprecedented “ramp up” of production for war purposes. More people would be involved in producing more products and more sophisticated products than ever before in history. A way needed to be found to achieve the desired quality, productivity and reliability results demanded by a nation entering a major world conflict. The United States Navy undertook the problem with a systematic approach that changed the way organizations approach nearly everything they do. The Navy actually went out and studied those organizations that were already producing product and were doing it well. The question that the Navy wanted to answer was “what techniques are these organizations using that make them so successful?” The results of this study generated a “Best Practices” list that was eventually shared throughout all branches of the service and with our allies in the war. It contained those things that were associated with high levels of quality and productivity results. This list of Best Practices became the first written attempt at a generic quality standard and should be considered the grandfather of what eventually became ISO Quality Standards. This was the first formal attempt to study quality from a systems perspective. As countries and businesses responded to increasing global trade after World War II, generic standards started to appear. There were inspection standards (Mil I 45208), quality program standards (Mil Q 9858A) that required production control, quality assurance control, nonconformance controls and specialists in planning and metrology. As the world moved into even more global trade, it became evident that nations and industries needed to agree on the definition of quality. The lack of a clear definition resulted in disagreements and barriers to the free movement of goods and services across international borders. Standards began evolving from a list of rules for QMS into a philosophy backed by principles and quality management goals that were clearly documented. The first successes in this effort were clearly defined product standards. Product standards evolved for two reasons:

• Product standards brought consistency to issues impacting health, safety and the environment, such as safety standards for electrical components.

• Product standards brought uniformity that enabled products to be exchanged and used across international borders, such as photographic film.

Quality systems standards evolved so that purchasing organizations could have an increased level of trust in the vendor organizations they use.



Today we live in a world where quality management systems standards are accepted world wide. They help everyone follow a common model that is proven to represent best practices. They provide confidence to purchasers throughout the world and they help organizations demonstrate to themselves, their customers and other stakeholders that they are meeting the requirements that are considered necessary to do business in today’s competitive marketplace.

History of Assuring Quality Critical components of

achievement Time Significant characteristic/ Trends Quality System Pride Product

uniformity System

uniformity Pre-1850

Craftsmen Guilds X

1850- 1900

Mass production Initial use of standards

X

1900- 1950

Increased product complexity and consumer demand

Inspect in quality X

1950- 1970

Increasing global trade First use of generic standards

X X

1970- 1987

Focus on quality Use of various generic and product standard increases

X X

1987- Today

World trade ISO 9000 and harmonization product standards

X X

Future World quality focus World class TQM X X X Summary: On the chart above we watched the evolution from quality assurance to quality management. Pride and ownership was the primary assurance of quality in the early years. As organizations and their products became more sophisticated, we developed other means to assure product consistency. While this did not necessarily mean that pride and ownership were missing, it does mean that these attributes were not the central focus of achieving customer satisfaction and performance results. As we developed means to produce consistent products it became apparent that we needed systems to manage how people worked together to achieve desired results. This is what we today call Quality Management Systems. Quality Management Systems allow organizations to focus on product consistency through a defined system. The challenge for organizations today is that they will need to rely increasingly on their people to achieve necessary quality and performance results. Most experts agree this will only happen when people have personal ownership in the achievement of product and systems results. As we move to the future of quality, the challenge will be to increase pride and ownership on the part of every employee.



B. Lack of Consistency Prior to the introduction of ISO 9000 quality management series standards, people/ groups/ nations/ industries around the world all addressed quality in different ways. Many factors could influence how countries and industries addressed quality. Also the maturity of quality control and quality assurance varied from country to country and industry to industry. Some quality programs had evolved and others had stayed stagnant. And even given the same set of rules, there could be inconsistencies in methods of deployment and implementation. Formal standards for product quality are written. Informal standards are not. Nations and even industries differ in when, how and where these requirements are used. ISO 9001, ISO 13485, ISO/TS 16949 are formal QMS standards. Other formal standards would include the use of electronic circuit breakers on electronic equipment. Regulated requirements are driven by the force of law or regulation. Different industries and different cultures demand different levels of control in the way that some product or system quality activities are performed. For example Medical devices are built under a well defined regulation outlining quality management systems requirements. Light bulbs have clear product definition regarding the power consumed in watts. Specific standards are standards that drive product specifications. Generic standards don’t drive the product; they drive the way the product is produced. A standard such as ISO 9001 could be called a generic standard – it is not product specific This lack of agreement often led to trade barriers by nations, industries and special interest groups. For example: what types of ingredients can be put in the food we eat, and what types of control needs to be placed on the design of a product that may impact public safety. The artificial trade barriers created by these disagreements were not in the best interests of world economy. The trade barriers tended to benefit a select few and protected from outside competition. . Nearly every industrialized country on earth practices some level of protectionism that is enforced by building in requirements to product quality or quality management systems requirements. Something needed to be done. There was a need for a common approach to quality to resolve this issue. As early as the 1950's, the lack of uniform standards was recognized by political leaders and world economists as a barrier to growing international trade. The 1957 Treaty of Rome (signed by France, Germany, Italy, Belgium, the Netherlands and Luxembourg) established the European Economic Community. Evolution of the European Community in the 1970’s began to focus attention on the lack of uniform standards in quality.



C. Need for a Common Approach Something needed to be done to bring harmony to international trade. In the quality field many countries and industries had their own quality standards. To ship a product from France to Germany or US to Japan became a daunting task. There needed to be a set of standards that are universally accepted across international borders. Such a set of standards would enhance free movement of goods in Europe and around the world. The time had come to overcome international differences to seek common ground.

D. International Organization for Standardization ISO was originally derived from the Greek root word ISOS meaning equal. In some technical fields iso is used as a prefix meaning the same or “level”. Almost daily, meteorologists show isobars (lines that show the areas with the same barometric pressure) during the weather forecast. In the standards world ISO stands for the International Organization for Standardization. ISO is not an abbreviation of the organization’s name but is used as the logo to represent the organization. ISO is an international standards writing organization consisting of technical committees supported by a world-wide federation of national standards bodies. The U.S. is a member body (American National Standards Institute [ANSI] is the U.S. representative). ISO maintains thousands of different standards, such as those for photography, pressure vessels, quality management systems, environmental management systems, toys, screw threads and so on.

E. Creation of ISO 9001 The ISO 9001 standard was created from several standards. The roots of ISO 9001 can go back as far as world war II. Another important root document was created in 1963 when the US military issued Mil I 45208A (Inspection System Requirements) and MIL Q 9858A (Quality Program Requirements). MIL I 45208 was used when a contract required final inspection and testing and MIL Q 9858A was used when a comprehensive quality assurance program was required. In the 1970s there were efforts by several countries to issue national standards for quality inspection and quality programs. The British considered inputs from several standards to publish BS 5750 in 1979. The introduction of BS 5750 in the United Kingdom included a national third party certification scheme. Eventually, in 1987, the BS 5750 (with modifications from US and other standards) became the first issue of the ISO 9000 series of standards. The technical committee, TC 176, was formed in 1985. The ISO committees have a basic methodology for creating consensus standards. Standards are proposed and then there is a series of reviews by member nations until the final consensus standard is ready for publication. The review process can take several years. There is a vote at



each step to determine if the standard needs more work at that stage, or if it can be moved to the next stage or the work on the standard is discontinued. The ISO Technical Committees (TCs) create the standards with input from sector-specific interests. When the creation process is complete, member nations vote to accept the standards. International Standards exist to serve many diverse industry needs. Its goal was to create a generic standard for Quality Assurance Systems. The first revision of ISO 9000 series standards was in 1987 with a second revision published in 1994. Revisions are scheduled approximately every five year. The technical committee (TC 176) created goals for the ISO 9000 series documents. The document goals are:

• Outline commonly accepted requirements for quality assurance (established practices)

• Document a common sense approach (practical, not theoretical) • Not industry specific (be generic, applicable to all organizations) • Not intrusive (not too prescriptive in nature – can apply to nearly any

organization) • Organization-wide impact (affect nearly all functions) • Provided tools for, cost reduction, continual improvement and effective

management control (establish baseline for maturing the QMS)

F. Registration Audit Drives Quality Improvement ISO 9000 does not require or imply registration (sometimes called certification), however this is what most organizations do. Auditors and other quality practitioners should understand that ISO 9001 is good business whether the organization chooses to become registered or not. The combination of requirement standards and third party audits (registration audits) form the basis for the conformity assessment process. Registration/Certification audits verify conformity to requirements. Beside the obvious benefits of auditing, other benefits are derived from the audit process. The following are some advantages of being registered by a third party organization. Benefit of registration Explained Provides discipline

Knowing actions will be checked instills a discipline for an ongoing program

Establishes a baseline measurement

Audit data are input into the measurement process that can be used to assess progress

Causes an ongoing, organization-wide quality system analysis

Because of the scope of the standard and analytical requirements, there is better management oversight



Targets areas for corrective action

Findings may point to processes that need fixing

Provides feedback to management and demands management attention

Findings provide input to management review and help provide a basis for factual decisions by management review.

Causes continual improvement

Provides the basis for continually improving the quality management system

G. Impact of Conformance There are many proven advantages of conforming to ISO 9001 requirements. Benefits of conformance to ISO 9001 are: Benefit of conformance Explained Accepted internationally Reduces communication issues Verification of the QMS on a regular basis by the internal audit process

Ensures functions stay focused on QMS objectives

Documents practices Improves management control and consistency

Provides a benchmark for evaluating on-going QMS effectiveness

Enables the assessment of progress in a factual manner

Provides evidence of a documented QMS to show to customers

Tells customers you are organized and committed to quality

Enhances employee involvement within a clearly defined system

Makes employees aware of quality and how they can contribute

Better trained workforce Documented practices provide basis for a better training program.

A “preventive” attitude is instilled within the organization

Helps foster a mind-set of gauging the impact of actions on quality

Customers are more receptive to forming customer/supplier relationships

Customer know you have achieved some level of QMS maturity and have higher levels of confidence in ISO 9001 suppliers

That finishes the history of the standard. A story not normally told is that the ISO standards process has continually improved. Standard writers are more sensitive to user needs and processes have been established to seek, collect and analyze user feedback. The end result is an ongoing process of better and more effective standards. One common question that is often answered by this part of the class has to do with the vague language that is found throughout the ISO 9001 requirements. The answer to this question should now be clear. ISO 9001 was created to work for nearly any organization of any size producing any product anywhere in the world. To make it work in this broad context, it was necessary to leave the specifics of “how” to the organization that will be using the standard.



You are encouraged to get involved and volunteer your time to developing and modifying standards. To find out more about US efforts go to: http://standardsgroup.asq.org. For international information go to: http://www.bsi.org.uk/iso-tc176-sc2 or http://www.iso.ch. Another source of involvement is to join an ISO discussion list. To join the ISO 9000 internet discussion list e-mail ([email protected]) and enter ‘subscribe iso9000 your name.’ In the next lesson we are ready to start learning about the ISO 9000 family of standards and how they are to be used.

Lead Auditor Training


Lesson C03: Introduction to ISO 9001 ISO 9001 is part of a family of documents that work together to provide support for quality management systems. All 9000 numbered documents relate to quality management systems. All 10000 numbered documents relate to technical topics needed to support management systems. This lesson is about this family of documents. This material is presented so that you will know where to get additional guidance or direct others who need help.

A. Quality Management Principles A "Management Principle" is a comprehensive and fundamental rule or belief for leading and operating an organization. Quality management principles are aimed at quality and improving performance over the long term by focusing on customers.

"The principles were the basis for developing ISO 9001. Each principle has a place within ISO 9001 requirements, but the extent of application to ISO 9001 is quite limited compared to its application in the new ISO 9004." Jack West, Quality Progress, October 1999, page 78.

The quality management principles are fundamental to all quality initiatives and ISO 9001 is no exception. ISO 9001 is the baseline management system that can be leveraged to move advanced management systems such as ISO 9004 or a national quality award criterion such as the Baldrige Award.

It is important to note that the Quality Management Principles do not contain auditable requirements. Understanding the principles is important for determining if the intent of the principles is addressed in the design, deployment, maintenance and improvement of the QMS. Principle 1 - Customer-Focused Organization: Organizations depend on their customers and therefore should understand current and future customer needs, meet customer requirements, and strive to exceed customer expectations. Discussion This principle must be paramount within the QMS for

organizations to rise above an internal focus. Quality level targets, specifications and standards are minimum requirements and may have little to do with what the customer actually needs and wants. As the QMS model depicts, the process starts and ends with the customer. First, the organization must understand and define customer requirements. In the end, the organization must



be measured on its ability to satisfy the customer, not their audit score or quality levels. Benefits:

⇒ The organization stays focused on what is important (on the market and changes in the market or customer needs).

⇒ Customer loyalty and goodwill increases in value. (an intangible asset that may affect the market price of the stock or value of the organization).

⇒ The organization remains competitive with current customer offerings (the right product, service and features).

⇒ The organization experiences increased market share and revenue when customers switch from competitors.

Principle 2 - Leadership: Leaders establish unity of purpose and direction for the organization. They should create and maintain the internal environment in which people can become fully involved in achieving the organization's objectives.

Discussion An organization cannot achieve an effective Quality

Management System unless management takes an active role in its implementation, maintenance and improvement. Good leaders provide clear direction and enable others. They provide direction through a quality policy and quality objectives for functions within the organization. They can enable others by sharing responsibility and showering people with praise when praise is due. Leaders incorporate the eight Quality Management Principles into everyday decisions for a proactive style of management. Benefits:

⇒ Employees sense they are trusted and will take risks to benefit the organization.

⇒ Employees will be more productive when knowing what is expected and working in a positive environment.

⇒ Employees will be more willing to share and work in teams for the common good of the organization.

____________________________________________________



Principle 3 - Involvement of People: People at all levels are the essence of an organization and their full involvement enables their abilities to be used for the organization's benefit. Discussion People, not machines, create quality. When people are involved

they are more likely to contribute to the process and its ongoing improvement. Employees must be educated in the quality management principles and the quality management system. Employees must know what is expected of them and their ongoing role in the QMS. Quality cannot be achieved by a single individual, people must work together within processes and across process boundaries. Benefits:

⇒ People put aside their differences to come up with remarkable ideas.

⇒ A better informed and motivated workforce is more likely to ward off competition and attacks on the organization’s well being.

⇒ Involving people will increased employee loyalty to reduce turnover.

_____________________________________________________

Principle 4 - Process Approach: A desired result is achieved more efficiently when related resources and activities are managed as a process. Discussion The process approach is powerful because it is how we normally

perform an activity. Businesses can be more effective when activities are managed as processes instead of individual tasks. Process outputs must meet requirements and contribute to customer satisfaction to provide maximum value to the organization. Measurement of process outputs allows for adjusting processes for on-going improvement. Benefits:

⇒ Keeps processes streamlined for optimal efficiency. ⇒ Keeps the focus on organizational goals for achieving

customer satisfaction and profitability.



⇒ Promotes team accomplishments. _____________________________________________________

Principle 5 - System Approach to Management: Identifying, understanding, and managing a system of interrelated processes for a given objective improves the organization’s effectiveness and efficiency. Discussion A collection of interrelated processes must be managed as a

system for the overall good of the organization. The system allows for processes to be aligned and prioritized to achieve the organizational objectives. The system is managed by providing direction, training, planning, feedback, resources, and incentives. Benefits:

⇒ Individuals and process owners can see how they contribute to the overall goals.

⇒ The organization stays focused and avoids surprises that could be a risk to the system.

⇒ Instills confidence to interested parties external to the organization.

_____________________________________________________

Principle 6 - Continual Improvement: Continual improvement should be a permanent objective of the organization. Discussion Continual improvement is a business philosophy that imbeds that

attitude that there is nearly always a better way: never settle for the status quo. Continual improvement requires that the quality principles be constantly reinforced through ongoing communication and exchange of ideas throughout the organization. Continual improvement is accomplished through continuing education, feedback from assessments and management reviews, a preventive style of management (what can go wrong), and integration of all the principles throughout the organization. Benefits:



⇒ The organization will stay ahead of competition by reducing costs, better quality products and services tailored for the customer/ market.

⇒ Establishes a reputation of being a leader and innovator. ⇒ Gain customer loyalty through improved responsiveness

and follow-through. _____________________________________________________

Principle 7 - Factual Approach to Decision Making: Effective decisions are based on analysis data and information. Discussion Things happen for a reason. The cornerstone of a successful

QMS are when decisions are based on reliable and accurate data. Quality management principles must be advanced by comparing performance against measurable goals and objectives. People understand measures and can react and make informed decisions based on them. Benefits:

⇒ The organization can determine if there is improvement. ⇒ Informed decisions result in better management of

organizational resources ⇒ The organization can solve problems faster with a mature

information data base. _____________________________________________________

Principle 8 - Mutually Beneficial Supplier Relationships: An organization and its suppliers are interdependent and, a mutually beneficial relationship enhances the ability of both to create value. Discussion Supplier performance has never been more important than it is in

today’s world of out-sourcing. Supplier partnerships are critical for an organization to achieve the highest possible level of product or service quality. Suppliers should share a common vision with their customers to achieve mutual prosperity. Benefits:

⇒ Supplier partnerships will result in more flexibility in the



market place. ⇒ Working together with suppliers will help ensure the

organization’s products and services are competitive. ⇒ Organizations will have another source for benchmarking

and learning from others. _____________________________________________________

When organizations adopt the eight Quality Management principles, it will benefit the organization, their employees, customers, suppliers, the local community and our society.

B. Purpose of ISO 9001 Why ISO 9001? It is a tool to assist organizations in the establishment and achievement of sound quality practices. ISO 9001 is a worldwide consensus standard that contains fundamental and proven requirements. The standard provides a means for organizations to achieve and demonstrate quality performance to customers and other interested parties. Audits can be used to independently verify conformance to requirements in the standard. The standard is structured in such a way as to be a model for a management system that can be integrated with existing or future management systems (such as safety or environmental systems). ISO 9001 already shares management system principles with the ISO 14000 series of environmental standards. The ISO 9001 and ISO 14001 management model will likely provide the basis for future health and safety standards. Just as houses are designed for certain purposes, so is the ISO 9001 standard. The purpose of the ISO 9001 house include requirements for 1) establishing a basic system, 2) usability by registrars and customers, and 3) expandability. . The standard was to be used to address industry sector-specific requirements. Industry sectors such as automotive ISO/TS 16949, aerospace AS9100 and medical device ISO 13485 will have additional requirements that go beyond the basic ISO requirements. These additional requirements may describe a very different approach to quality that specifically relates to their industry.

C. ISO 9001 Design/ Structure The standard is written in such a way that it applies to all types and sizes of organizations. It was designed to be used by small and large organizations whether producing pacemakers, pencils or selling insurance. It is written to be independent of cultural, social or geographic conditions. The standard is generic and universal in nature. The standard is structured so that it can be used by independent organizations (third party) to assess and register an organization’s quality management system. Customers or market conditions may require organizations to seek registration of their quality management system. Although it is not intended to increase or change



the legal obligations of organizations, authorities (governments) may require compliance to ISO 9001 to operate. Also, it is not intended to create non-tariff trade barriers but authorities may require it for safety or other purposes. Design inputs to our ISO 9001 house (standard) includes requirements to ensure it is fit for its intended purpose. ISO 9001 does not:

• establish absolute requirements for quality performance. There may be exceptions to the requirements depending on the nature of the organization, the products or services they provide and the customers they serve.

• require or guarantee optimum quality outcomes. The standard establishes a baseline quality management system that can be used by the organization to meet customer requirements.

• work without management commitment to an internally generated and implemented quality policy. ISO 9001 is a management system that requires management commitment for implementation and on-going maintenance.

D. Future The ISO 9000 series of standards and associated documents will be revised over time.

• Future revisions of ISO 9001 and ISO 9004 are planned every 5 years to ensure standards stay current.

• ISO 19011 quality and environmental system auditing standard has taken the place of ISO 10011 quality system auditing standard to eliminate the need for separate auditing standards.

• Standards will be modified as necessary to meet the needs for ongoing compatibility between quality, environmental and other existing or future standards. Alignment and compatibility needs may necessitate changes in requirements and approaches.

Future revisions and additions to the ISO 9000 series of standards and associated documents are needed to address changing user needs.

• There is increased use of standards by non-manufacturing organizations. • The marketplace is demanding improved quality performance. • there are market and competitive reasons to raise the “bar” (more sophisticated

systems) with quality standards Quality auditors and ISO 9000 practitioners will need to keep themselves current with quality issues and resulting changes. As standards change and improve, auditors will need to stay current. It is important for auditors to stay up-to-date to act in the best interests of their organization and the organization they are auditing. The next lesson starts off with the actual ISO 9001 standard. It is the beginning of learning about the specific requirements and their application.



Lesson D04: The Contents of ISO 9001 - Introduction The next series of lessons (grouped as part D) and activities are very important for successful completion of this class. The material in the following lessons is paraphrased for instructional purposes. Only the actual language of the standard is the language that is to be used in a conformance audit. The ANSI/ISO/ASQ Q9001-2008 Quality management systems – Requirements standard is the source document and should be referenced regarding the need for interpretation of requirements. During the class you should follow along in your copy of the standard as we discuss each clause. Open your standard and turn to the introduction to start this lesson. 0.0 Introduction 0.1 General Discussion: 0.1 General This is the big picture clause. It does not contain any baseline auditable requirements but there is valuable information that will affect the quality management system (QMS). Adoption of ISO 9001 should be a strategic decision of the organization. The word strategic is used to represent the fact that top management will need to be involved in the use of ISO 9001. The design and implementation of the organization’s quality management system (QMS) is influenced by:

• Needs • Objectives • Products provided • Processes employed • Size and structure of the organization

Requirements in this standard are complementary to requirements for products/services. An effective QMS will result in product and service requirements being met. The standard is intended to be used internally and/or by organizations external to the user organization, such as an auditing organization (registrar or customer). External organizations can use it to assess the user organization's ability to meet customer and regulatory requirements. Additionally, the quality management principles discussed in the prior lesson was taken into account during the development of the ISO 9001 standard. Baseline: [by the book requirements]

• No baseline requirements are contained in this clause. However it is important to notice in the very first paragraph of the introduction that it is not the intent of the standard to imply uniformity in the structure of the QMS or uniformity of documentation. This opens the door for more effective alternatives for



structuring and documenting the QMS. Organizations that choose to use ISO 9001 are able to adjust the application to meet their own unique needs. Auditors of the ISO 9001 standard will need to be open to the many different approaches that organizations take when implementing the requirements.

The purpose of the quality management system should be the creation of a system of processes that produce internal and external results. The example below could be considered a purpose statement for effective QMS’s.

The quality management system should define the system and the processes contained within them to enable the systems and processes to be clearly understood, managed and improved. Management should ensure effective operation and control of processes and the measures and data used to determine satisfactory performance.

0.2 Process Approach Discussion: 0.2 Process Approach The ISO 9001 standard is based upon the use of the process approach. The standard promotes the adoption of a process approach when developing, implementing and improving the QMS.

• To function effectively, an organization must identify and manage numerous linked activities

• A process is an activity (using resources) that is managed to enable the transition of inputs to outputs

• Outputs from one process often provide inputs to the next process • Multiple processes create a system of processes

The aim of the process approach is to achieve customer satisfaction by fulfilling customer requirements. The systematic identification and management of processes employed and their interactions are referred to as the process approach. The process approach strings activities together that result in an output such as a product or service. The process approach provides ongoing control over:

• Linkages between processes • The system of processes • The combination and interaction of processes

When used within the QMS, the process approach emphasizes:

• The understanding and fulfillment of requirements • The need to consider processes in terms of added value • Obtaining results of process performance and effectiveness • Continual improvement of processes based on objective measurement



Simply, an organization’s management system is more effective if structured using the process approach as opposed to an element or department approach. A process represents action. The processes are normally collected under a system (clause 4) or subsystems to a bigger system.

The Process Model is the Basis for the Standard

ProductRealization

MeasurementAnalysis,

Improvement

ManagementResponsibility

ResourceManagement

Customers

ProductOutputOutput

Continual Improvement of thequality management system

Value Adding activitiesInformation flow

Customers

Satisfaction

Requirements

InputInput

Image: D04qmsmodel1 There are two types of processes: 1) product realization processes and 2) administration processes. Clause 4 of the standard introduces the idea of the system while clauses 5-8 are organized with the process approach in mind. The quality management system (QMS) requirements start in clause 4 and continue on to the end of the standard (clause 8). The next figure depicts the clause arrangement of the standard using the clause heading titles. Look over the clause titles. Do some titles look familiar? Do you see where purchasing requirements are located? Notice how the process starts with customer requirements and ends with customer satisfaction. This is an important clarification of the aim of the quality management system (QMS). First, the need for the product or service must be established (customer



requirements) before raw materials are acquired. Once there is a need, raw materials and services are acquired for the process to meet those needs.

As a handout, we have provided a model showing how ISO 9001 is organized. You may want to print this out and keep it handy as it will help you visualize how the standard is structured using the process approach. Baseline Requirements: [by the book requirements]

• None

0.3 Relationship to ISO 9004 0.3 Relationship to ISO 9004

Discussion: 0.3 Relationship with ISO 9004 and other QMS standards

a. Industry sector derivative standards

The relationship between ISO 9001 and industry sector derivative standards has not changed. Some industry sectors have reaffirmed their requirements (no changes) and others have made significant changes.

Users of specific sector derivative standards should contact the organization that is responsible for that sector for their status. For example, for:

• ISO/TS 16949 refer to the IATF,

• TL 9000 refer to the QuEST Forum

• AS 9000/ EN 9100 refer to the IAQG

b. ISO 9004

The ISO 9001 and ISO 9004 standards have been designed to complement each other, but can also be used independently.

ISO 9001 specifies requirements for a quality management system (QMS) that can be used for internal application, for certification, or for contractual purposes. It focuses on the effectiveness of the QMS in meeting customer requirements.

ISO 9004 goes beyond the ISO 9001 baseline conformity standard and gives guidance on continual improvement of an organization's overall performance and efficiency, as well as its effectiveness. ISO 9004 is recommended as a guide for organizations whose top management wishes to pursue continual improvement of performance. It is not a guideline for implementing ISO 9001 and is not intended for certification or contractual use.



0.4 Compatibility with other management systems Discussion: 0.4 Compatibility with other management systems

ISO 14001: The ISO 9001:2008 version is more compatible with ISO 14001 (environmental management system, EMS). The improved compatibility is for the benefit of the users of both standards. Some industry sectors require implementation of ISO 14001. The standard writers have provided an annex (Annex A) to show the alignment between ISO 9001 and ISO 14001.

Others: ISO 9001 does not include requirements specific to other management systems, such as those particular to environmental management, occupational health and safety management OHSAS 18001 , ISO/IEC 27001 , financial management or risk management. In Lesson D05, we will look at the actual standard scope and how organizations may customize the quality management system to fit their situations. Organizations are allowed to exclude the clauses that do not apply to them.



Lesson D05: Scope/ Excluding Clauses/ Definitions The scope and tailoring of the standard for an organization QMS are important to both auditors and users of the standard. For effective implementation users need to determine the products and services to be provided under the QMS and any non-applicable clauses. Auditors need to understand the rules for developing a scope to be able to verify proper determination by users. 1 Scope 1.1 General Principle Concept:

• Consistently provide products and services that satisfy the customer

• Continually improve the quality management system Discussion: 1.1 General This clause explains the scope of the standard in that it is a generic standard and may be used by all size and types of organizations. The standard should be implemented when an organization needs:

• to provide a product/service that consistently meets customer, statutory and regulatory requirements

• a system to enhance (achieve) customer satisfaction

• a system for continual improvement and prevention of nonconformities

A very important note in the standard states that the word "product" used in the standard is the product intended for or required by the customer and any intended output resulting from the product realization processes.

Sidebar: The 2000 version limited the QMS requirements to product/service intended or required by the customer. Auditors and management representatives need to review the scope of the ISO 9001 QMS and determine if there are other intended outputs of the realization process. There may be similar products/services provided to other markets and by-products or complementary services. If so, ISO 9001 requirements may apply to them as well. The test is: Does the QMS include all intended product/service? Unintended product/service of the realization process does not need to be included in the QMS scope. I think it is clear that if an organization provides a product/service, the QMS controls cannot be limited to one customer or industry. I think waste streams or material sold



for their energy value or other purposes such as reclamation are not intended product. The gray areas are by-products produced and sold to customers and complementary services provided by manufacturers and service organizations. You may want to seek clarification from your certification body. A note cannot be cited as reference for a nonconformity. Nor does this clause contain a specific QMS requirement. If there was a nonconformity as result of this clarification, the applicable controls in clauses 4 through 8 would be cited for any intended product/service of the realization process.

The emphasis of the standard is on customer satisfaction and improvement rather than on implementation of the system alone. It is important to note that it is the customer's perception that determines if requirements have been met and is not an internal quality level calculation. The organization will need to evaluate information relating to the customer's perception to determine if customer requirements are being met.

1.2 Application Principle Concept: The QMS can be tailored for the organization.

Discussion: 1.2 Application Users of the ISO 9001 standard must identify clauses that don't apply or may be excluded from their system. Only clause 7 (Product Realization) sub clauses can be excluded from the QMS. Registrars need to pay particular attention to defining the scope of the registration certificate issued to organizations registered to ISO 9001. For



an organization to maintain a valid registration of their quality management system, they must address all the requirements that apply to their organization.

Registrars should investigate the validity of exclusions claimed by the organization. Exclusions must be justified in the quality manual [ISO 9001, 4.2.2].

For those products that are included in the scope of the QMS, all requirements of ISO 9001 have to be met, unless it can be demonstrated that certain requirements of section 7 are not relevant to the particular situation of the organization.

First, determine the scope of the registered QMS. Determine the products/services and locations covered by the QMS registration.

Test Criteria for Granting Exclusion: Requirements can only be excluded if they do not affect the organization's ability or responsibility to provide products /services that meet customer and applicable regulatory requirements.

Note: An organization cannot claim an exclusion because a regulation doesn't require it. For example: If an organization designs products, it cannot claim an exclusion because the FAA (or other customer or regulatory body) granted them exclusion from design control.

The following are some of the more likely sub clauses that may be considered for exclusion to tailor the standard to the user needs.

7.3: Design and development 7.4: Purchasing 7.5.2 Validation of processes 7.5.4 Customer property 7.6: Control of measuring and monitoring equipment (for service organizations)

Important Note: Auditors need to be open to the idea that any part of clause 7 can be excluded provided the exclusion can be substantiated. Issues:

• Organizations must comply with requirements outside clause 7, even when processes such as training (clause 6) or testing (clause 8) are outsourced. [ISO 9001, clause 4.1].

2. Normative Reference Discussion: This clause is used to point out the existence of the new fundamentals and vocabulary standard, ISO 9000.



3. Terms and Definitions Discussion: A reminder that the ISO 9000 terms and definitions apply. In addition, the following terms are explained.

The standard uses the term organization for the user who implements and maintains an ISO 9001 QMS. The term supplier is used to describe companies that provide products and services to the organization. Other standards may use the terms contractor or subcontractor. The organization output goes to customers of the organization. Some standards have also referred to customers as purchasers. For purposes of the standard, the customer-supplier relationship is depicted as:

Clause 4 marks the start of the ISO 9001 QMS requirements. If you are not familiar with standard writing styles you may want to take a couple of minutes to review the information in the handout (Finding Requirements in Standards, D05verbs1). Most standards conform to a style that makes them more professional and improves their utility to the users (readers).

The next lesson will show the overall system view and set the stage for the clause-by-clause discussion.

supplier organization customer



Lesson D06: General System/Documentation Requirements Clause 4 marks the start of the ISO 9001 QMS auditable requirements. 4 Quality Management System 4.1 General Requirements 4.2 Documentation Requirements Principle Concepts:

• Establish a system to meet requirements • Manage processes to meet requirements • Document important processes • Establish a quality manual • Control important documents (issuing, distribution and updating) • Control quality records

4.1 General Requirements Discussion: The key points are that you must establish a system; then you must maintain it, and improve it. Management review (clause 5.6) can be used to attest to the maintenance and on-going improvement of the system.

Clause 4.1 contains a list of items that must be addressed as part of the quality management system. The list of items includes:

a. identify needed processes (such as processes for management activities, provision of resources, product realization and measurement, ISO 9001 note at the end of clause 4.1) b. determine order (sequence) and interaction of the processes identified c. determine controls (criteria, procedures, methods) for effective operation d. ensure data (information) and resources are available to operate and monitor the processes e. measure-monitor-analyze processes f. take action to achieve planned results and continual improvement

The key steps in the successful implementation (as well as auditing) of the new standard are found in the first three items on the list (a, b, and c), which are: a) identifying the processes (such as ordering, designing, providing, reviewing), b) determining the sequence (how processes connect), and c) determining the criteria (check against requirements) . The list should be used both during implementation and management review (as a means to identify shortcomings of the system) or used by an auditor for an overall check of the QMS.



In this clause there is an additional requirement for organizations to manage processes in such a way that they meet the requirements of the standard. Rewording the requirement using a Webster definition would be: "The organization shall handle or direct with a degree of skill these processes in accordance with the requirements of the standard." It is difficult to envision a nonconformity for this requirement unless there was a breakdown of the system.

You need to have a very good understanding of this clause (4.1) in order for all of the other clauses of your completed Quality Management System to come together and work as a complete system.

In the past, there has been some confusion about the control of outsourced or subcontracted processes. This clause makes it clear that if conformity of product is affected, the organization must control outsourced or subcontracted processes, and such processes must be defined within the quality management system.

Note 2: Outsourced processes

A definition for outsourced process has been defined in ISO 9001:2008, clause 4.1, Note 2. An outsourced process for QMS purposes is one that is needed for the organization’s QMS but performed by an external party. Auditors should look for some linkage between the process being outsourced and the organization’s QMS controls. Outsourced includes goods and services obtained from an entity other than QMS organization (such as supplier, division within the same company, corporate headquarters or other affiliate).

Our QualityWBT glossary also defines outsourcing . Auditors and management representatives must use good judgment when identifying which outsourced processes need to be controlled. One of the original reasons the control of outsourced processes was added to ISO 9001 was that when organizations outsourced key QMS processes they also avoided external (certification body, customer) auditing because the processes were not under management control of the QMS organization. Examples include: design, product testing, and product storage. Later we learned that many



product nonconformities could be traced back to lack of control of outsourced processes.

The flipside of this issue is when external auditors require control of outsourced processes with very questionable linkage for the need of controlling the QMS. I can think of three tests to help auditors or management representatives determine if outsourced processes need control. They are:

1. Could lack of the control of the outsourced process result in nonconforming product?

2. Is the outsourced process directly linked to ISO 9001 controls (linked to clause requirements)?

3. Is the outsourced process needed for effective planning, operation and control of the organization's QMS (linked to QMS documentation)?

The three tests are not all inclusive, but they provide a good starting foundation for determining which outsourced processes are subject to QMS controls.

Note 3: Outsourced processes The type and extent of control to be applied to these outsourced processes shall be defined within the QMS. Instead of just control, the standard requires type and extent of the controls to be defined. If not addressed in the documentation, it should be verified by an auditor during the performance of an audit. Note 3 states that the factors that can influence the extent of control includes:

• the potential impact of the outsourced process on the organization's capability to provide product/service that conforms to requirements (risk of nonconforming product/service)

• the degree to which the control for the process is shared (complexity)

• the capability of achieving the necessary control through the application of 7.4 (normal purchasing controls).

4.2 Documentation Requirements 4.2.1 General Discussion: The standard provides two test criteria as guidance for determining if documents are needed.

Documentation Criteria:



1. When the standard requires it.

• quality policy

• quality objective

• quality manual

• specified “documented procedures”

• specified records 2. When documents are needed to ensure effective planning, operation, and control of processes. The standard requires very few document procedures. The phrase for effective planning, operation, and control will be very important in determining when documents are needed. The word "control" is used throughout the new standard in reference to either process control or document control.

If a document is required per the two above criteria, the documents must be controlled under clause 4.2.3. There are 6 references to "documented procedures" in the standard

The extent of the documentation required is dependent on the organization; the size, type, complexity and interaction of processes; and the competence of personnel. One would expect that smaller organizations and organizations with highly proficient personnel would need fewer documents whereas high tech or complex operations and those with a lack of proficiency would require more.

A single document may address the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document. The ISO 9001 standard requires documented procedures for 6 QMS processes. However, the documented control procedures may be combined for less than 6 documented procedures or divided up into more than 6 documented procedures. It depends on what is most effective for the organization. For example: It is acceptable to combine document and records control or to divide records control into several documents depending on the medium (electronic, paper) used to keep records.

I have classified this as important information you need to know. In some situations this could be an opportunity for improvement (OFI) if an organization was maintaining 6 documented procedures just because they were told to do so or they misinterpreted the requirement. If an auditor observes redundancy or waste as a result of this clarification, it could be reported as an OFI.



. Documents can be on any medium such as paper, magnetic, electronic, photographic, master example. Control of documents 4.2.3 Control of records 4.2.4 Internal audit 8.2.2 Nonconforming control 8.3 Corrective action 8.5.2 Preventive action 8.5.3 It is not up to auditors to specify the QMS structure (see clause 0.1) or the documents needed to adequately control the system. Auditors will need to know the documents the organization decided it needed to properly manage the QMS.

4.2.2 Quality Manual There must be a controlled quality manual. However, there is broad flexibility on what it contains, what it looks like, and what medium it is in. The manual is only required to contain four things. First, it must include the scope of the quality management system. The scope

clause (clause 1) should identify the QMS physical boundaries (facility). Second, there must be justification for exclusion of any ISO 9001

requirement/clause (clause 1.2). Third, the quality manual must include the documented procedures or reference to

them. Many registered organizations currently reference documented procedures as they describe their QMS. The documented procedures and other controlled documents may be compiled in a booklet (Quality Manual) or available as separate documents. Fourth, the quality manual must describe the interaction of processes. This is very

similar to the requirement in 4.1 to define the sequence and interaction of processes. To comply with this requirement an organization may use process flow diagrams (flow charting, process mapping techniques) to show processes of the system, their sequence, and interaction. Think "process approach" and the process model used in this course. The standard is not looking for an organizational chart. Organizational charts do not show interaction of processes that transform inputs into outputs.

4.2.3 Control of Documents Control required documents (in any medium or type) in accordance with a documented (in any medium) procedure. Except for the six required documented procedures, the



organization determines what documents are required to effectively manage the quality management system (clause 4.2). The specific document control requirements are:

• Documents must be approved for adequacy prior to release or issue (Any competent authority should be able to approve documents)

• Documents should be reviewed, updated and re-approved as necessary • Document versions must be identified • Documents must be available at points of use • Documents must be legible and easily identified • External documents must be identified and their distribution controlled • Identification or markings must be applied to prevent unintended use of obsolete

documents 4.2.4 Control of Records Control required records (in any medium or type) in accordance with a documented (in any medium) procedure. The organization must control records used as part of the quality management system ("control" meaning a process checked, tested, or verified by management). A record can be defined as any medium, soft or hard, that contains data, which gives an account of something that happened, and which is not normally subject to update.

When the standard requires a record, there must be a record. Records must be identified, legible and retrievable. If records are not accessible or available to an auditor to examine, there could be a nonconformity. If records are incomplete or data is missing, there could be a nonconformity.

Baseline: [by the book requirements]

• The requirement for clause 4.1 is to establish and manage a quality management system in accordance with the standard requirements.

• There must be an established, documented, implemented, and maintained procedure where the standard requires documented procedures.

• There must be documents to ensure effective planning, operation and control of processes. Note: Documents may be needed where the standard calls for planning, identifying, defining, arranging and establishing.

• The extent of the documentation must be consistent with the type of organization (simple or complex).

• Outsourced QMS processes should be Identified and controlled.

• A quality manual must be established that contains the system scope, justification for exclusions, the procedures or references to them, and a description of the interaction of processes. The manual must be controlled.



• A documented procedure must be established to control documents (see checklist for specifics).

• A documented procedure must be established to control records for identification, storage, protection, retrieval, retention time, and disposition.

• Records must be legible, readily identifiable, and retrievable. This lesson introduced the first "shall" requirement of the standard. As both a job-aid and guidance for this class, an ISO 9001 checklist has been provided. You may either download this handout now from this page or later from the class links box when it is most convenient for you. WARNING!! The checklist is a very large PDF file (400KB range) and could take a while to download. For every ‘shall’ statement in the ISO 9001 standard, the checklist has a corresponding question. Next, we will look at the management responsibilities and administration processes needed for control of the ISO 9001 QMS.



Lesson D07: Management Commitment/Customer Focus/Quality Policy and Planning Requirements 5 Management Responsibility 5.1 Management Commitment 5.2 Customer Focus 5.3 Quality Policy 5.4 Planning Principle Concepts:

• Top management must actively participate • Top management must aim for enhancing customer satisfaction • Top management must ensure there is a quality policy • Quality objectives must be defined • There must be a plan to achieve the quality objectives

5.1 Management Commitment Discussion: Top management must commit to the quality management system and show this commitment. The ISO 9001 requires top management to provide evidence of commitment by:

1. establishing a quality policy (clause 5.3) and ensuring there are quality related objectives (clause 5.4) for the organization.

2. communicating the importance of meeting customer requirements and regulatory and legal requirements. For example: Top management may distribute memos, make presentations, conduct one-on-one talks, etc. to get out the message.

3. conducting management reviews to close the loop on accountability for the quality system. For example: Top management may review poor customer satisfaction ratings and identify areas of the system that need to be improved.

4. making resources available to ensure the success of the quality system. For example: Customer satisfaction cannot be measured unless there is a budget and resources allocated to collect and analyze the data.

The top management we are discussing here, is the top management of the organization who implements and maintains the quality management system.



5.2 Customer Focus Discussion: Customer focus is a common thread throughout the standard. Meeting customer requirements must be aimed at enhancing customer satisfaction. This is a major difference in the ISO 9001 standard compared to most regulatory or compliance standards. The customer focus provides the linkage to "higher level" QMS standards such as ISO 9004 and quality award criteria.

5.3 Quality Policy Discussion: Clause 5.3 states that top management will ensure there is a quality policy. The requirement standard states that the policy should contain a commitment to meeting requirements and continual improvement . The policy should be appropriate for the organization and linked to organization objectives.

The policy must be communicated and understood within the organization. The policy must provide a framework for establishing and reviewing quality objectives. However, there is no specific guidance for what the policy should contain how is should be worded except that it should be relevant to the organization.

The policy must be reviewed for suitability and it must be controlled.

Sidebar: audit evidence: If the wording of the policy is such that it is irrelevant, un-checkable, or that when audited the evidence showed that it has not been effectively implemented, then there will be a nonconformity against the requirements of clause 5.3.

5.4 Planning 5.4.1 Quality Objectives 5.4.2 Quality Planning Discussion: Quality Objectives Attainment of a quality objective must be measurable and consistent with the quality policy or mission statement. There must be quality objectives for all relevant organization functions and levels. Relevant functions may be those functions that have 1) responsibilities for management of the quality management system, 2) responsibility for attainment of requirements (customer and ISO 9001 standard requirements), and 3) processes of the QMS (linkage to ISO 9001, 4.1). The organization must establish quality objectives and they must include those directives needed to meet product/ service requirements (see clause 7.1). Organizations may show auditors some type of business, operation or QMS plan. Business plans should give consideration to quality management system needs. Organizations should include how they plan to achieve their quality policy and how



their progress will be measured toward that goal. Inputs to quality planning may include results of management reviews of the quality system. Now that there is QMS (quality management system) planning, there needs to be resources to implement the outputs of the planning process. Funds or people may be needed for implementation. The planning outputs may identify the resources (clause 4.1) for executing the plan or plans. The scope of the planning process should include all processes within the quality management system. Next, an almost overlooked requirement for the organization is to ensure change is planned and implemented in such a manner that the integrity of the existing system is maintained (clause 5.4.2b). This is also known as management change control. The primary emphasis will be on identification of changes that can impact the finished products or services which will affect the external customer. A process should only be changed or modified with the full understanding of its potential impacts on quality, safety, health, and environment.*

If changes are not controlled, there is a nonconformity. Auditors may seek to determine if interested parties were notified of pending changes (i.e. start-up meeting, sign off).

*Russell, Quality Management Benchmark Assessment (QMBA), 1995, Quality Press and Quality Resources, page 87.

Sidebar: There is a difference between quality planning required by clause 5.4 and the use of quality plans. Quality planning or QMS plans are the big picture view that establishes the organization’s quality objectives. A quality plan is used as a tool to improve control of a particular project, product or process. More information about quality plans is available in ISO 10005.

Sidebar: If process flow charts, process maps or process flow diagrams were used to help satisfy clause 4.1, they may be considered quality plans for the organization.

Baseline: [by the book requirements]

• Top management must show commitment by participating in the quality management system.

• Top management must ensure the overall system of meeting requirements is aimed at enhancing customer satisfaction.



• Top management must ensure the quality policy is: 1) appropriate, 2) shows commitment to meeting requirements and continuous improvement, 3) can be linked to objectives, 4) is communicated to all that need to know, and 5) is reviewed for suitability.

• The organization must establish measurable quality objectives for all relevant quality management system functions (departments, units, subsystems, areas, etc.). Objectives for meeting the requirements of the product/service must be included.

• QMS Planning must be performed to achieve quality objectives and requirements in clause 4.1.

• Changes as a result of planning must be planned and implemented. This can be as simple as following procedures and measuring outcomes such as the impact of the change on the product, service, process, and customer.

The establishment of a quality policy leads to creating plans for achieving the quality policy and objectives. Next, we continue with management responsibilities and administrative processes such as communicating and reviewing.



Lesson D08: Management Responsibility/Review (5.5 - 5.6) 5.5 Responsibility, Authority, Communication 5.5.1 Responsibility and Authority 5.5.2 Management Representative 5.5.3 Internal Communications 5.6 Management Review Principle Concepts:

• Functions, responsibility, authority, and interactions are to be defined

• Responsibility and authority for the quality management system are to be assigned

• Organizational members must communicate to each other

• Measures are to be reviewed and improved

5.5.1 Responsibility and Authority Responsibility and authority may be in a document such as a manual, a procedure, or in job description (the exact means of communicating and defining is not specified in the standard). 5.5.2 Management Representative Clause 5.5.2 requires that top management appoint a member of the organization who has the responsibility and authority for the quality management system. This person may be a VP, a quality manager, or any member of management. The appointed representative has responsibility and authority for establishing, implementing, and maintaining the quality processes. The representative is also responsible for reporting quality system performance to top management. The report can be input for management review meetings or any other means to report performance as long as the information gets to top management.

There is a requirement for the representative to promote awareness of customer requirements. This may mean promoting the quality policy, linking training to customer requirements, authoring organization newsletter articles, speaking at department functions, and so on.

5.5.3 Internal Communications This clause is a broad overall system requirement to ensure that people at various levels and functions communicate (talk to each other) about the quality system processes and its effectiveness. This should not be a problem for most organizations. Organizations need to take a serious look at how they disseminate quality system



information to all levels. Not reporting on effectiveness of the QMS processes is a nonconformity. This is the third requirement where information about the QMS must be communicated. There is no requirement of how to communicate about the quality system and its effectiveness. One method is to publish a newsletter (monthly or quarterly); another is to use the internal telecommunications network (for example: bulletin boards, journals, magazines, team briefings, internal company radio station) or use focused feedback method where people could communicate directly to management or another department or function. 5.6 Management Review Discussion: The standard uses the words improvement and Effectiveness throughout the document. The meaning of the word "effectiveness" is not well understood or agreed upon, but the vocabulary standard (ISO 9000) has defined it (recall the earlier lesson). Just following the rules is not enough, there must be improvement and processes must be effective. Top management (the individual or group who directs and controls an organization at the highest level *) must review the system for continuing suitability, adequacy, and effectiveness on a scheduled basis (planned intervals). Top management must determine (evaluate) the need for changing (improving) the quality management system (i.e., change of policy, objectives, and processes). Note: *Taken from ISO 9000 QMS - Fundamentals and vocabulary The following process diagram shows the inputs, the process, and resulting outputs of the management review process. Reviews must be conducted at planned intervals and records must be maintained.

Review outputs must result in decisions and actions for improving the process, product, and providing resource needs. Management review is a significant indicator of management's commitment to quality. Baseline: [by the book requirements]

• Responsibilities and authorities for the quality management system must be defined and communicated.

• Top management must appoint a management representative. The representative must have responsibility and authority for the establishment, implementation, and maintenance of the quality management processes, reporting ongoing performance, and promoting awareness of customer requirements.

• The organization must ensure there are communication processes, and that information about the quality management system effectiveness is



communicated. Some organizations may tend to overlook the requirement to report effectiveness or not really know what that means.

• Management reviews must be scheduled for top management to evaluate measures (clause 8) to determine the need for improvement.

• Records of management reviews which should include evaluated inputs and determined outputs must be kept.

In the next lesson, we will move on to resource management. The standard will establish requirements for QMS resources in order to enhance customer satisfaction.



Lesson D09: Resource Management (6) 6 Resource Management 6.1 Provision of Resources 6.2 Human Resources 6.3 Infrastructure 6.4 Work Environment Principle Concepts:

• Resources shall be provided to improve the system and satisfy the customer(s). • Personnel with quality system responsibilities must be competent. • Competency needs must be determined and acted upon. • Training and other actions must be evaluated for effectiveness. • The organization must provide and maintain facilities to meet requirements. • The organization must control the work environment to meet requirements.

Discussion

6.1 General This clauses starts out with a broad overall system requirement for the organization to determine (identify), and provide resources needed. The resources are those needed to implement, maintain, and improve the quality management system (including bringing about customer satisfaction).

The organization must determine (identify) resource requirements of areas affecting the quality management system. For example: this could be done during the annual budgeting process.

Resources to be provided can include people, equipment, supplies, facilities, etc. If QMS controls are not being constantly applied due to lack of resources, auditors can issue a nonconformity citing this clause.

An audit thread is to ask about customer feedback. If customers are not satisfied, determine what was done. If resources were not provided to address customer feedback issues, a nonconformity could be reported.

6.2 Human Resources 6.2.1 Assignment of Personnel Personnel performing work affecting product quality must be competent . Competence denotes having acquired (and using) one's formal education, training, skills, and experience. This is an overall system requirement to ensure the organization takes responsibility for competency of people. When people are selected for a position, consideration should be given to individual education, training, skills, and experience necessary to carry out the duties of the position. Most organizations have position requirements or a position description that includes individual requirements (such as years of formal education and prior work experience).



6.2.2 Competence, Awareness, and Training There should be a comprehensive plan to meet competency needs for all positions supporting the quality system. The plan may require training; if so, its effectiveness must be evaluated. Other actions (other than training) may be necessary to meet competency needs. The plan may call for an individual to seek formal education or certain work or skill experience. The method to identify competency needs may be input from managers or from annual performance reviews. When considering training programs, management should give thought to the type and extent of skills, experience, and education of the personnel involved. The organization must keep records to verify that training or other actions were conducted. Auditors may check for auditor training and/or determination of training for all personnel performing work affecting product quality (6.2.1). The organization must evaluate the effectiveness of the training provided. Certifying associations such as IACET (International Association for Continuing Education and Training) stipulate that training is effective if the learning objectives were achieved. The organization must have evidence that training effectiveness is evaluated. The same is true of other actions. Other actions may be a reorganization, changing roles, changing the job, changing the technology, and so on. The effectiveness of these actions must be evaluated. Effectiveness can be evaluated by a pass mark in an examination at the end of a course, satisfactory attendance of the course with a completed survey, a practical test at the end, on-the-job training, acceptable workmanship over a number of hours on a machine, or a combination of these. Evidence can be in the form of certificates with authorized CEUs awarded, the supervisor's signature, annual reports, and so on. The effectiveness of other actions may be linked to performance data. Every individual working in the QMS must be aware of the relevance and importance of his/her job (activities) and how it supports (contributes) to the achievement of the quality objectives. This requirement could be a major challenge. It is not unusual for organizations to have difficulty communicating the quality policy and now they must also link the job function to what the organization is trying to achieve. An auditor may ask an individual how his/her job contributes to the achievement of quality objectives. 6.3 Infrastructure There is an overall requirement to determine, provide, and maintain an infrastructure needed to ensure conformity to product requirements. The facilities include: workspace,



equipment, hardware, software, and support services. Workspace may be buildings, office space, work stations. Equipment may be just about anything needed to complete a task. Hardware is equipment such as a computer and its attachments. Software is a program on some type of hardware. People also need to be provided with support services as part of the infrastructure. Support services could be bug spray, electricity, waste disposal, potable water, fire alarm testing, and security. 6.4 Work Environment There is a broad overall requirement to determine and manage the work environment to achieve conformity to product requirements. Work environment includes human and physical factors. Human factors are people’s involvement, safety attitudes and habits (rules, use of equipment), meeting special needs (exercise programs, stop smoking programs, etc.), and ergonomics . Physical factors are noise, cleanliness, vibrations, air quality, light, temperature, humidity, hygiene, and so on. The standard is very vague regarding the extent the organization must identify and manage the work environment. Most organizations do this (manage the work environment) to some degree. Organizations may have employee programs for self-improvement, programs to boost morale, and increase motivation, or they may accept suggestions for improvement of the workplace, and so on. Baseline: [by the book requirements]

• Provide resources for implementing, maintaining and improving the quality management system. Note: Resource limitations may be identified during management review (5.6).

• Individuals given responsibility for the quality management system must be competent.

• Identify competency needs and provide training or other actions to satisfy these needs. The training provided or other actions must be evaluated to determine effectiveness.

• Keep records of competency (i.e., training, qualifications, education, and experience).

• Provide and maintain the infrastructure and facilities needed to achieve conformity of the product.

• Provide the work environment (human and physical factors) needed to achieve conformity of the product.



This concludes the administrative and support requirements for the realization processes. In the next module, we will discuss the requirements for the value added processes for creating a product or providing a service. This concludes clauses 4, 5 and 6 of ISO 9001. Now, you may take the Lesson 4-9 Test before proceeding to lesson 10 that starts the discussion of clause 7.



Lesson D10: Product Realization (7.1 - 7.4) 7 Product Realization 7.1 Planning of Product Realization 7.2 Customer-Related Processes 7.3 Design and Development 7.4 Purchasing

Principle Concepts Planning and Customer-Relations: • Plan the activities needed to provide a product or service • Determine all the requirements for the product/service • Ensure the organization can meet the requirements • Keep customers informed • Listen to the customer

7.1 Planning of Realization Processes Discussion: The standard uses the term Product Realization to describe the steps for producing (or manufacturing) a product or going about providing a service. The term realization is used to balance manufacturing and service organizations’ needs and does not create a worldwide language problem.

There must be realization planning. The organization may document its plan in any form or medium. Examples may be a flow chart, quality plan, outline, a procedure, a process description, or any other means that shows the processes and sub-processes required to achieve the product or service There may be processes within processes and not all processes are equal in value or risk. The processes in the plan for realization of the product/service should meet the requirements of the customer and the management system. Some of the things that must be considered when developing the realization plans are:

• quality objectives for the product/service (project, contract)

• the need to establish (create) processes, documentation

• the need for resources

• verification, and validation activities and the acceptance criteria for them

• records to determine conformity of processes and product/service Organizations need to know the successful outcomes, they need to provide resources for the processes for them to work, they need to test and try out the processes, and



finally, they need to determine what records must be maintained for management control. It is still heard from time to time that the organization should keep records to satisfy the auditor. Closer to the truth is that organizations keep records in order to manage their businesses. A business cannot operate on hearsay. It must be able to verify important activities from time to time. 7.2 Customer-related Processes This clause is about identification of product/ service requirements. An agreement exists between a organization and a customer. It may be called a contract, order, or purchase order. Although most requirements are specified in the contract, some requirements are implied or assumed. The organization must determine all product/ service requirements. Requirements come from customers and other sources. Product/ Service Requirement Examples:

• product (color, size, weight, time, features, materials, options, etc.) • delivery (time, condition, markings, damage free, etc.) • post delivery (technical service, servicing, refills, etc.) • not stated, but necessary (traceability, clean, damage free, etc.) • regulatory or legal (safe, marked, notice, caution, etc.) • other requirements determined by the organization [internal specifications,

methods or techniques,] Before accepting the order or making an agreement, the organization must review all requirements. There can be one review or several reviews depending on the purpose of the review. The review can be a face-to-face meeting, exchanging e-mails, following a checklist, or whatever fits the situation. There must be a record of the review and actions taken as a result of the review. For record keeping purposes, an organization may require that order entry personnel initial and date the order as a record, another organization may require the completion of a checklist and signature, another may require that a box on a computer screen is checked to indicate the electronic record was verified, etc. It is important that there is a review process. The standard is more specific about what is expected of the review process. The review(s) must ensure:

1. product/service requirements are defined

2. contract or order issues are resolved

3. the organization has the ability/capability to meet/provide the requirements

If the customer does not provide a documented statement (order, purchase order, specification, etc.), the organization must confirm the customer requirements before acceptance. This may an internal self confirmation, asking the customer to confirm a statement about what the organization intends on providing and other similar actions.



When orders are changed or modified (different from previously agreed) all relevant documents must be changed and all relevant people must be informed (made aware of the change). Most of the time organizations follow a well thought-out process for the initial order but handle changes informally. Businesses put a strong emphasis on getting the order and closing the deal. Sometimes order changes are considered secondary unless there have been customer complaints and there is a possibility of losing the next order.

Most organizations have an order taking or a contracts department. Orders may come in by telephone (verbal), by fax, teletype, post, e-mail, etc. Even when there is an order department it is not unusual for occasional orders to be taken by field sales, marketing, operations, and development.

Organizations must first determine their method of communication (the best channels) If organizations don't keep their customers informed, then they may not receive what they were expecting, which may result in customer dissatisfaction and complaints. (8.2.1Customer feedback, including customer complaints, was added to the customer communication clause where they should have been all along.

7.3 Design and Development Principle Concepts of Design:

• The design project shall be planned and controlled • Design input shall be defined and documented • Design output, including crucial product characteristics, shall be documented • Design output shall be approved prior to release • Designs shall be reviewed • Designs shall be verified and validated for intended purpose • Design changes shall be controlled

Discussion: This clause may not apply to some organizations because they do not design and develop products or services. Here are some examples when design should be included in the organization's QMS.

1. If the customer requires (contract) design/development of a product, process or service

2. If the organization designs the product or service that is provided to the customer

3. If the organization believes that design and development play a key role in the quality management system

Note: permissible exclusions were discussed earlier.



The design and development clause is like a mini standard all on its own. It covers everything from inputs to the design process to the design output. It even has its own document change control requirements. 7.3.1 Design and Development Planning The design and development clause is organized into a plan it, do it, check it and improve it format. First, there must be a plan that determines: the design stages, review-verification-validation activities; plan and update responsibilities and authorities. Communication between groups must be managed to ensure it is effective. Once there is a plan, there can be design inputs. 7.3.2 Design and Development Inputs Design inputs include:

• Functional and performance requirements.

• Regulatory and legal requirements

• Essential information from similar (previous) designs. The inputs must be reviewed for adequacy and any ambiguities or conflicts resolved before design work starts. There must be evidence of this review. The design and development group may get inputs from sales or marketing (new product or service), order entry (special order) or operations (production requirements, issues, and interfaces). Ideas for new projects may also come from within the design group. Very little is said about the actual 'do' part of design because that varies from organization to organization. It is up to the design group to decide what documents will be needed to complete the design. Typically there are established methods for design of certain types of equipment or protocols for development methods. You may evaluate the controls within design to see if they are working as intended. You (as the auditor) may ask about the qualifications for designers and then check personal records to verify educational and experience requirements.

Image: D10deisign-1

Creating the design may be in the form of blue prints, models, specifications, drawings, pictures or cad files.

7.3.3 Design and Development Outputs You will need to verify that controls are effectively implemented by checking project files, notebooks, and various records called for in the design and development



procedures. Design outputs must be in a form that will allow comparing design outputs with design input requirements. Design outputs must meet design input requirements. Design outputs must include the following:

• acceptance criteria (included or referenced, performance parameters, tolerances, attributes, etc.)

• requirements for safe and proper use of the product or service Appropriate design information must be provided to purchasing, production, and service operations (7.5). Many organizations already have some type of transition or hand-off plan to the operations group. This is an important step to ensure successful project startup. 7.3.4 Design and Development Review For clarity, the standard writers have included what should take place during the reviews. The review shall include:

• evaluation of ability to meet requirements

• identification of problems

• proposed necessary (follow-up) actions

The requirements listed above are what typically takes place during design review meetings. Review must be performed systematically and according to planned arrangements. Records of reviews and follow-up action must be maintained. An auditor should examine the review records and verify appropriate attendance at the reviews.

7.3.5 Design and Development Verification The standard requires that there is a record of verification of results and necessary actions. There is no requirement for a documented procedure, but verification must be performed according to planned arrangements. Designs are verified by several means to include:

• Alternate calculations • Comparing to similar proven designs • Prototype testing and other tests • Verification of the same calculations by an independent body • Review of design documents prior to release

7.3.6 Design and Development Validation Designs must also be validated. Validation deals with evaluating the performance of the product to ensure it meets user needs and requirements. This may be a field test or a performance test during use in the actual environment it was intended. Validation results and necessary actions must be recorded. Validation is required (whenever practical) prior to the delivery or implementation of the product/ service. Validation activities must be performed according to planned arrangements.



7.3.7 Design and Development Changes The design changes must be identified, documented, and controlled. Auditors may check drawings or specifications to ensure changes are properly communicated and recorded. Design change control must include review of the effect of the change on the design (function and performance), constituent parts, and product already delivered. When appropriate, the design change must be verified and validated. Changes must be approved before implementation. There must be a record of the design change reviews and necessary actions. 7.4 Purchasing 7.4.1 Purchasing Process 7.4.2 Purchasing Information Principle Concepts for Purchasing:

• Purchases of important product/services shall be controlled • Suppliers shall be evaluated and selected • Requirements shall be clearly defined • Incoming material shall be inspected or verified

Discussion: The planning clause 7.1 applies to purchasing as well as all the other clause 7 sub-clauses. There should be a plan for the purchasing process. The standard does not require that there be a documented procedure, but the organization is required to ensure the purchased product conforms to requirements. Since there are no required procedures, the auditor must investigate how the organization's purchasing process is able to ensure purchased products and services conform to specified purchasing requirements. The organization must determine the extent of the control necessary to ensure conformity of the purchased product or service. The organization must establish criteria and evaluate, select, and re-evaluate suppliers. The standard does not require an approved supplier list, but most companies end up with one in order to identify selected (approved, certified) suppliers. Next, the results of evaluations and any necessary actions shall be recorded and maintained. 7.4.2 Purchasing Information Purchasing documents (such as purchase orders) must contain QMS requirements and approval and/or qualification requirements for the item or service being sought (when appropriate). Approval and qualification requirements may be needed for: product, procedures, processes, equipment, and personnel.

Before release of purchasing information (such as a purchase order) to a supplier, the organization must ensure the information is adequate. The objective is to provide sufficient information in the purchasing documents such that suppliers understand exactly what they need to provide. There is no requirement for a record but the organization must provide audit evidence that they ensure that the purchasing



information is adequate prior to communicating it to the supplier. Examples of audit evidence could be a signature associated with a criteria, a completed check sheet, initial and date on purchasing forms and so on.

7.4.3 Verification of Purchased Product This is the only place in the standard that requires assurance (inspection or other means) that purchased product meets purchase requirements. Many organizations have receiving and inspection departments that formally check and verify incoming parts and materials. When products are verified at the supplier's premises (if source inspection controls are appropriate for ensuring conformity of the purchased product), the organization must specify the arrangements for verification and the basis for release of product in the purchasing documents. Baseline: [by the book requirements] 7.1

• There must be a plan for realization of the product/service.

• The planning process must be consistent with QMS requirements. Some examples are: 1) quality objectives, 2) the need for creating processes and providing resources, 3) conducting verification and validation activities compared to acceptance criteria, and 4) the need for records to assure conformance of processes and the product/service.

7.2 • Customer (product/service) requirements must include: customer specified

requirements, availability, delivery, post delivery, support service, and those specification/performance requirements not stated but known to the provider organization.

• Requirements must be determined from obligations such as contracts, regulations, and statutes.

• Reviews of customer and other requirements shall be conducted prior to commitment to supply the product/service. Reviews shall ensure: requirements are defined, requirements are documented or otherwise confirmed, differences resolved, and that the organization has the ability to meet the requirements.

• Records of review(s) and actions (follow-up) shall be kept.

• When product/service requirements are changed, the organization must change applicable documents and inform appropriate people.

• Communication channels for transmitting as well as receiving information from the customer must be established. Communicate information related to: product



information, inquiries, contracts, order handling, amendments, and customer feedback

7.3

• Design planning must include: 1) project (design and develop) stages, 2) review, verification, validation points, and 3) responsibilities and authorities.

• Project plans must be updated as the design progresses.

• Inputs to design must be determined, recorded, and reviewed for adequacy. Inputs must be clear, unambiguous, and not in conflict with each other. (see list of inputs above or clause 7.3.2).

• Design outputs must be in a form that can be compared against inputs (requirements, parameters) and approved prior to release (see list of output requirement above or clause 7.3.3).

• Design reviews must be conducted according to planned arrangements. There must be a record of the review and subsequent necessary (follow-up) actions (as a result of the review).

• Design verifications must be conducted according to planned arrangements and recorded.

• Design validation must be conducted and recorded according to planned arrangements.

• Design changes must be defined. The effects of change must be evaluated, verified, validated, and approved prior to implementation. Design change reviews must be recorded. The effect of the changes on constituent parts and delivered product must be evaluated (determined).

7.4

• Purchasing processes must be planned and developed to ensure product conforms to purchase requirements.

• Purchasing controls must be varied based on needs (effect on realization processes and outputs).

• Suppliers must be evaluated and selected based on an established criteria.

• Records of evaluations and necessary (follow-up) actions must be kept.

• The requirements for approval, qualification, and QMS on purchasing documents must be described.

• The description on purchasing documents must be adequate. Check the description before documents are released.



• Activities (a process)must be established and implemented to ensure purchased product meets specified purchase requirements.

Now we are ready to review the requirements of the actual operation. This is the value-added activity for the organization.



Lesson D11: Product and Service Operations (7.5-7.6) 7.5 Product and Service Provision 7.5.1 Control of Product and Service Provision 7.5.2 Validation of Processes for Production and Service Provision 7.5.3 Identification and Traceability 7.5.4 Customer Property 7.5.5 Preservation of Product 7.6 Control of Monitoring and Measuring Equipment

Principle Concepts: • Control the processing (production) of the organization's products

or • Control the delivery (performance) of the organization's services • Processes whose outputs cannot be verified by measuring and monitoring must

be validated • Identify the product or service and know status • Trace the product or service when required • Identify and protect customer property from loss or damage • Protect product from damage • Ensure that accurate and reliable measuring equipment is used

7.5.1 Production and Service Provision Control Discussion: This clause addresses the activity of providing the product or service. Product is any intended output, tangible or intangible. Hardware, software, and process companies need to plan and develop processes for production and installation (reference 7.1). The standard identifies six actions that must be considered for control of the product realization process. 1) Specifying Product Characteristics Management must provide information that includes the acceptance criteria (characteristics of the product) for the process. For example: When is the job/process done right? What are the product or service specifications? What is desired? What is a success for that process? There are linkages from this clause to other clauses of the standard such as clause 4.1c and 4.1d, which also discuss providing information. 2) Using work instructions when needed



The standard calls for documents (procedures, work instructions) when needed to ensure effective planning, operation and control of its processes (4.2b). Auditors should check to ensure work instructions/procedures are being followed. The need for work instructions or other documents may depend on the organization’s size, type, complexity, interactions, and competency of personnel (4.2b). When it is important for an activity to be done a certain way every time to ensure quality, safety and other objectives (such as economic) are met, the organization may decide to issue a work instruction. Work instructions and other documents are management control tools. 3) Using and maintaining equipment The equipment must be suitable for the intended purpose. Equipment must be properly used and maintained (see clause 6.3) . An auditor may determine if there are instructions for the equipment, if operators know how to operate the equipment and if there is a preventive maintenance schedule. 4) Using measuring equipment

5) Monitoring the processes

Equipment for measuring and monitoring can be about anything needed to gauge and make adjustments to the process. They may be anything from gas chromatographs to tire gauges. When the organization needs equipment to control (pass-fail) the process, they should have them, use them, and maintain them. Monitoring can include: process control charts, measuring tolerances, testing samples, trend charts, conducting process audits, etc. Measuring equipment is used to test a product, resulting in a pass/fail decision. Monitoring equipment is used to control a process and may result in an operate/don't operate decision.

6) Implementing release, delivery and post delivery processes

To complete the product/service realization process, the organization must include a release process, delivery process, and when applicable, a post delivery process (such as installing or maintaining). The wording (such as release or post delivery) may seem strange to some, but most organizations already have these processes in place. Normally there is some type of final release, such as: it is okay to send to the warehouse or ship to the customer step (or both). In all cases for a product company, arrangements have been made to get the product to the customer. And finally, many organizations have some type of installation or technical service linked to the sale of the product. For a service organization, the release may come before the service is performed (i.e. a release that it is okay to perform the service). Or if a service (image i752 repairing) is performed on customer equipment, there may be a release prior to returning the equipment to the customer. It is important to note that delivery and post delivery processes are mentioned as part of the operations control clause. For a JIT (Just In Time) company, product may come off the line and be put on a truck or train without any storage. When service is provided



it is normally being delivered, but there may be post delivery processes such as an annual review of policies or equipment maintenance requirements.

7.5.2 Validation Process Discussion: In the past, processes that needed validation were called special processes. When a process output (product) cannot be verified by subsequent measurement and monitoring, the process must be validated.

In simpler terms, If you cannot check it before the customer receives it, you must validate the process that produced it. Examples include cases where (a) the characteristics of interest do not exist until further downstream in the process; (b) a method of measurement does not exist or is destructive; or (c) results within the process cannot be measured in later inspections (prior to customer receipt).

Processes needing validation have been associated with medical treatments, flying aircraft, metalworking, welding, nondestructive examination, and heat treating. These processes require the process itself to be validated, equipment approved, and operators qualified. For example, the process that produces a finished welded product must be validated even if the purchase or use of expensive x-ray inspection equipment are not practical. The weld strength cannot be measured unless the weld is broken (product must be destroyed to verify requirements). ` If part of the service includes engaging the customer, such as training courses, then the process must be validated.

There may be a considerable number of opinions concerning the identification of processes that need to be validated. While some experts say all services must be validated, one must go back to the exact wording in ISO 9001 to determine what to do. "The organization shall validate any processes for production and service provision where the resulting output cannot be verified by subsequent monitoring and measurement and, as a consequence deficiencies become apparent only after the product is in use or the service has been delivered." ISO 9001, clause 7.5.2. Processes must be validated if the output cannot be verified by subsequent measurement or monitoring AND, as a consequence, deficiencies become apparent only after the product is in use or the service delivered. Also, please note that the word deficiency is used here (deficiencies become apparent only after...) to link non-fulfilment of a requirement to requirements related to the intended or specified use of the product/service. One would expect to see linkages to clause 7.2, Customer-related processes (customer requirements).



Subsequent measurement and monitoring comes after the operation (production) but before customer receipt. For example one cannot argue that welding does not need to be validated because we can go back 20 years later to see if the bridge is still standing, or that ability to measure the safe arrival of the airplane precludes the need to validate the air carrier process. The validation process must verify that the process being validated can achieve planned (specified) results (objectives). Validation is demonstrating (verifying) that the process can achieve planned results. The organization must arrange for validation and must include the following (as applicable) for validation:

• qualification, or registration of processes (demonstrate performance)

• qualification, or certification of equipment or people/operator license

• use of specified procedures or techniques or work practices

• determine record requirements

o determine re-validation requirements This is the same type of validation discussed in 7.3.6, design and development control. Design and development validation would be the first-time use product validation. After the initial first time start-up validation, no other ongoing validation may be required by the design group (for example: performance testing of a pump or stamping machine after installation to validate the design). However, revalidation may be required from time to time to verify capacity, through-put, or safety.

7.5.3 Identification and Traceability

Discussion: Product identification, traceability and status are three separate processes but they must be compatible. If it is important to differentiate between similar products (parts, batches, lots, etc) or services (treatment, project, transaction, etc.), there must be some type of identification process.

Once there is an identification process, traceability may be required by the customer or a regulatory agency. One form of traceability is to be able to match the finished item with the incoming parts and materials. This is very useful for failure analysis. It is called backward traceability.

Traceability calls for identification of the finished product by stamp or serial number. Those warranty cards you fill out when you purchase a new microwave ask for a serial number. This allows the organization to trace the sale back to the factory and date of production. In the food processing and pharmaceutical industries, the organization



needs to be able to trace the distribution of the product, in case of recall. This is called forward traceability.

As an item or service progresses through the various steps of processing, an organization may need to know if it is ready for the next operation. For many processes it is important for organizations to know the status of a product or service. It helps organizations make good decisions, and in many cases it keeps the customer informed of production, performance, delivery progress.

Knowing the status of a product during production is one of the earliest forms of quality control. It allows fellow workers to know the quality of something before they work on it. More importantly, it allows the customer to know the quality before he or she buys it.

Product identification, status, and traceability are concepts that have withstood the test of time. They are 'good business practice.' No documented procedures are required by ISO 9001 for this clause.

The records associated with traceability, Be maintained, not just logging or recording the unique identification of product. When traceability is required, the organization must control the unique identification of the product and maintain records. This means that if there is other necessary information associated with traceability, such as dates, time, location, those records must be maintained, too. Auditors and management representatives should verify that the organization is maintaining records of all applicable information associated with product traceability controls.

A note states that some organizations use a configuration management process as a means by which identification and traceability are maintained.

7.5.4 Customer Property Discussion: Customer Property is property provided by the customer that the customer owns. Customer property may be tangible (has physical form), intellectual property or personal data.

The organization must exercise care in identifying, verifying, protecting and safeguarding customer property (e.g. equipment) that has been received. If the customer property is lost, unsuitable, damaged upon receipt, or in storage, the customer must be notified. The organization must keep records of lost, unsuitable, or damaged property. No documented procedures are required

A note includes personal data as an example of customer property. If an organization is not controlling personal data (private information) under the requirements of this clause, there could be a nonconformity.



Data* is defined as: 1) facts and/or statistics, used for reference or analysis; 2) information based on facts. Personal is not defined in the ISO 9000 vocabulary standard nor ISO 9001 support documents. However, dictionary definitions suggest that personal relates to a particular person or individual. Therefore if an organization has personal data under the organization's control or it is being used by the organization, the requirements of this clause apply. All organizations, especially service organizations, need to review this clarification to determine if there is a potential nonconformity. Examples personal data may be medical, financial, individual profiles, and personal preference records. . 7.5.5 Preservation of Product Discussion: Management must preserve the conformity of the product to customer requirements during internal processing stages and subsequent delivery to the intended destination (customer). This includes identification, handling, storage, packaging, and preservation. Protection of constituent parts (component parts) is included in the scope of this requirement. This clause may be very difficult to audit using the requirements approach because there are few requirements and the ones that exist are conceptual requirements. There is no requirement for a documented procedure or specific requirement for management control of this process. However, the general requirements in clause 7.1 apply to all realization processes to include preservation of product. Auditors can audit the preservation process defined by the organization, degree of implementation and achievement of desirable outcomes.

7.6 Control of Measuring and Monitoring Equipment Discussion:



This clause if very prescriptive. It is commonly thought of as the calibration clause but more importantly it deals with proper maintenance and control of measuring and monitoring equipment (test equipment). The clause requires that the organization determine (identify) the required product/service measurements. See clause 7.5.1a (product characteristics, acceptance criteria) and 8.2.4 (product measurement). Next, the organization must establish processes to use measuring and monitoring equipment consistent with device requirements. Other familiar terms may be measuring equipment , test instrument, test gauge, tool, and so on. In order to have confidence in the measurements taken to demonstrate control of processes or conformance of product to specifications, management must plan and then control all aspects of measurement. There must be equipment to test for the parameters and characteristics identified (acceptance criteria) in clause 7.5. The equipment used to conduct the test must be capable of providing a test result within specified ranges or tolerances. The measuring and monitoring equipment must be maintained in a proper environment. Test and calibration equipment and standards should be properly stored to protect from damage or deterioration. Some organizations have calibration laboratories and closely monitor the environment. The equipment must be calibrated and checked against national or international standards when they exist. When there are no national or international standards, the basis for calibration or verification must be recorded. For homemade tests, the organization will need to develop their own methods to calibrate the equipment. When measuring and monitoring equipment are found not to conforming to requirements appropriate action must be taken concerning the equipment and product affected. There must be a record of action taken. The calibration status of equipment must be known to the user of the equipment. This is normally a sticker with the next calibration due date indicated on the sticker. Other methods of calibration status notification are acceptable as long as they work. Clause 7.6 (last paragraph) requires the organization to confirm the ability of the computer software to satisfy the intended application when the software is used during monitoring and measuring. A note explains that confirmation of computer software ability (capability) would typically include its verification and configuration management to maintain its suitability for use. Failure to address this note could result in a nonconformity. The used of word configuration management in the note allows questions about configuration management during the audit process. Configuration management is much broader than document control. What process does the organization use to confirm computer software ability to satisfy the intended application?



There is a guideline standard titled ANSI/ISO/ASQ Q10007-2003: Quality management systems — Guidelines for configuration management that may be helpful. Configuration management is described as a management activity that applies technical and administrative direction over the life cycle of a product, its configuration items, and related product configuration information. It provides identification and traceability, the status of achievement of its physical and functional requirements, and access to accurate information in all phases of the life cycle. Baseline: [by the book requirements]

• Provide management control of production and service processes to include: needed information about the product characteristics, equipment to operate, work instructions, equipment for measuring and monitoring, and support processes (release, delivery, and post delivery).

• Validate processes by demonstrating that the process can achieve planned results.

• Define arrangements for validation and qualify processes, specify needed methods and procedures, determine required records, and define re-validation requirements as applicable.

• Identify the product throughout the realization process (when appropriate).

• When traceability is required, control identification method and keep records.

• Identify the product measurement (test) and monitoring status.

• The organization must exercise care with customer property.

• The customer property must be identified, verified, protected, and safeguarded.

• Lost, stolen, or damaged customer property must be reported to the customer.

• The organization must preserve (protect) its own product (and associated parts) from damage during all internal processing stages and delivery (includes: identification, handling, packaging, storage, and protection).

• To assure the conformity of the product/service, the organization must identify the measurements to be made and the equipment to make the measurements.

• Measuring equipment shall be used in a manner consistent with measuring and monitoring device requirements.

• Where applicable, establish an instrument calibration program. Keep records of calibration program checks (see clause 7.6 for prescriptive list).

• Confirm software prior to initial use and reconfirm as needed.



This ends the realization process controls. Next, we shall discuss measuring the outputs of the processes and how that information will be used for improvement.



Lesson D12: Measurement, Analysis, and Improvement (8.1-8.5) 8.1 General 8.2 Monitoring and Measurement 8.2.1 Customer Satisfaction 8.2.2 Internal Audit 8.2.3 Measurement and Monitoring of Processes 8.2.4 Measurement and Monitoring of Product 8.3 Control of Nonconforming Product 8.4 Analysis of Data 8.5 Improvement Principle Concepts:

• Plan, take measurements and improve processes • Monitor customer satisfaction • Plan and conduct internal audits of the quality management system in

accordance with documented procedures • Report audit results to management and take action • Measure and monitor processes • Measure and monitor products • Control nonconforming product by identifying and making arrangements for

continued processing or scrapping • Collect and analyze data to verify suitability and effectiveness of the system • Identify areas for system improvement • Eliminate the causes of nonconformities • Eliminate causes of potential nonconformities

8.1 General Discussion: Activities must be planned for measuring, monitoring, and analysis to meet requirements to conform to the QMS, and to continually improve. The organization is not required to have a procedure. This is the big picture view that matches up nicely with the sub-clauses for clause 8 [Measuring and monitoring, Analysis of data, and improvement]. The data and analysis must demonstrate conformity to product requirements, ensure conformity of the quality management system, and continually improve the effectiveness of the QMS.



The organization must ensure that the proper analysis methods are being used for each process and measurement. Methods can include statistical techniques such as SPC methods (statistical process control) or histograms or sampling. This is the only mention of statistical techniques in the standard.

8.2.1 Customer satisfaction Discussion: Customer satisfaction information must be monitored. Specifically, the standard requires the measurement of customer perception regarding meeting requirements as an indication of customer satisfaction. For customer satisfaction, the customer’s perception of the product or service is more important than a single metric such as on-time-delivery or defect free product. Customer perception is one of the key measures of QMS performance. The methods for gathering and using the information need to be thought out (determined). The customer's perception of satisfaction and dissatisfaction may be measured. For example: customer complaints are a measure of customer dissatisfaction; other measures, such as a survey or interview, may be needed to assess customer satisfaction. The approach for determining the level of customer satisfaction is a primary feedback loop for organizations. Sources of information that may directly or indirectly reflect customer satisfaction can be seen below. A value-added step is to link customer satisfaction data to key processes for future action. Customer satisfaction may be relative to competitors or competing products 8.2.2 Internal Audit Discussion: Audits must be conducted at planned intervals (scheduled) to determine if the quality management system conforms (are in compliance with) to planned arrangements, QMS requirements, and the requirements of ISO 9001, and that it has been effectively implemented and maintained. It is clear that auditors should audit against the ISO 9001 requirements, and the organization's QMS. Additionally, the implementation and ongoing maintenance of conformance to requirements must be assessed. The standard requires that the organization determines conformance of the QMS to planned arrangements. Even though "planned arrangements" is somewhat of an awkward term, most interpret it to mean the documents in a quality system (manual, procedures, plans, work instructions) and other non-ISO 9001 standards. The internal quality auditors should audit against all organizational QMS documents. Auditors are not required (by ISO 9001 requirements) to determine the effectiveness of the quality management system. The "effectiveness" wording is not included here due to potential product liability concerns in regulated industries.



The audit program plan must consider factors such as area status, importance, and results of prior audits when scheduling audits. An organization could receive a nonconformity if they only schedule audits of the ISO 9001 clauses and do not consider area status, importance and prior results. Auditors must be selected in ways that ensure impartiality and objectivity of the audit results. Internal auditors must have some level of independence or no invested interest in the area being audited. Practicality and the nature of the organization must be considered when determining the level of independence to ensure impartiality and objectivity. A small organization providing low risk products or services does not need the same level of independence as a large, complex organization that provides high risk products or services (law firm versus nuclear power plant). There must be a documented procedure for the internal auditing process. The clause contains several other checklist items as part of the baseline requirements, so you can cross check your checklist or read (or refer to )in the standard. Action must be taken by management on audit nonconformities without undue delay. The implementation of corrective actions must be verified and reported. Auditors can verify that follow-up actions were taken to address nonconformities. However, there is no requirement in this clause to verify the effectiveness of the action or corrective action as a result of the audit. The effectiveness of corrective actions should be addressed as part of the corrective action review (clause 8.5.2) and management review (clause 5.6). There must be a documented procedure for the internal auditing process. The clause contains several other checklist items as part of the baseline requirements, so you can crosscheck your checklist or read (or refer to) the standard. Action must be taken by management on audit nonconformities. The follow-up actions must be verified and reported. The concept that many nonconformities require correction or remedial action is included this clause. The requirement is: The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. This sentence seems awkward, yet is technically correct. Another way to phrase this requirement is: without undue delay, management should make necessary corrections (take remedial action) to eliminate the detected nonconformity and follow-up by taking corrective action to eliminate the cause of the nonconformity.

Auditors can verify that follow-up actions were taken to address nonconformities. However, there is no requirement in this clause to verify the effectiveness of the action or corrective action as a result of the audit. The effectiveness of corrective actions should be addressed as part of the corrective action review (clause 8.5.2) and management review (clause 5.6).



The standard states: records of the audits and their results shall be maintained. Auditors and management representatives should verify that auditing records include: 1) a record of the audit (proof that there was an audit) and 2) the audit results (such as findings). 8.2.3 Monitoring and Measurement of Processes Discussion: The QMS processes necessary to meet customer requirements must be measured and monitored to ensure their continued ability to meet planned results. When processes are found to be nonconforming, action should be taken to ensure the product or service conformance to requirements. If a process is not performing, immediate action may be required to keep product in conformance. The organization must identify the process performance measures. The idea is that quality is not achieved by end of the line testing before the product goes to the customer. The processes that create the product must be capable. Or at least the organization should know they are operating as intended. While organizations may monitor many processes, they only need to show the auditor evidence that verifies conformance to the standard. A note explains what is meant by suitable methods. The requirement is that organizations must apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes.

The note explains that when determining suitable methods:

• it is advisable that the organization consider the type and extent of monitoring or measurement appropriate to each of its processes

• this must be done in relation to their impact on the conformity to product requirements

• the effectiveness of the quality management system must be considered.

This is an open-ended requirement that it is difficult to audit against. If an organization is not applying any methods for monitoring and measurement of processes, there will be an nonconformity. It is important that organizations determine what is suitable and be able to defend their position during an audit.

8.2.4 Monitoring and Measurement of Product Discussion: The organization must verify that requirements are being met by measuring and monitoring (testing, inspecting, analyzing) product characteristics in accordance with



planned arrangements (7.1). "Product" means the final intended products or services from the QMS (see ISO 9001, clause 1.1 note). "Product" can be hardware (bolt, machine, computer), processed materials (food, gasoline, juice), software (computer program) and services such as banking, insurance, retail sales, so on.

There must be a record of product conformity to requirements and the authority responsible for release of product for delivery to the customer. Product must meet all requirements (planned arrangements) prior to release and delivery to the customer unless otherwise approved by a relevant authority or by the customer (where applicable).

8.3 Control of Nonconforming Product Discussion: Nonconforming product must be identified to prevent unintended use or delivery. Once identified, the organization must take action choosing to scrap, rework, reclassify, repair, or receive permission to use "as is". The organization must define nonconforming control processes in a documented procedure. Normally, the procedure would describe how the nonconforming product is identified, dispositioned, and re-verified if corrected (rework, repair). The procedure must include responsibility and authority for reviewing and resolving nonconforming product. The three clauses that provide input to this clause are:

• 8.2.4: Measuring and monitoring of product [fails a test]

• 7.6: Control of measuring and monitoring equipment [equipment are found to be nonconforming that result in nonconforming product)

• 7.2.3: Product returned as a result of a customer complaint [customer determines product is unacceptable]

The standard proposes one or more of the following ways (where applicable) to deal with nonconforming product.

• Eliminate the nonconformity: repair, rework, blend (must re-verify conformance)

• Authorize its use "as is"

• Preclude its original intended use: re-grade, scrap

• Mitigate risks if the product/service has already been delivered or use has started

In cases where nonconforming product is discovered after it has been delivered or the customer has started to use it, the organization must respond relative to the consequences (effects or potential effects) of the situation (nonconformity). There are consequences if an X Bracket is returned because of a water mark, and another set of consequences if the X Bracket hole is in the wrong place causing the customer's



production line to be shut down or cause product failure when used. Action taken after the product or a service has already been delivered may be to mitigate safety, environmental, health and business risks.

The organization must maintain records of all nonconformities. The records must include the nature of the nonconformity (description), actions taken, and concessions made.

8.4 Analysis of Data Discussion: Collect and analyze data (from measuring and monitoring) to determine the suitability and effectiveness of the quality management system. The organization will need to show how data is collected and analyzed. An effective process is one that achieves the output goals and objectives.

"Suitability" is determining if the defined (designed) process is the right process for the organization. There may be a method, the organization may be following it, and the method may be efficient, but it may not be appropriate or may not meet requirements. The organization must collect and analyze data for the following:

• Customer satisfaction level (perception of meeting requirements) • Conformance to customer requirements • Characteristics of products, processes, and their trends • Suppliers

The data analysis may show trends and identify improvements (continual improvement) that can be made to the QMS. 8.5 Improvement Discussion: The introductory clause emphasizes the continual improvement linkages in the standard scope (1.1b), general requirements (4.1f), quality policy (5.3), quality objectives (5.4.1), quality planning (5.4.2), management review (5.6), audit results (8.2.2), analysis of data (8.4), and corrective and preventive action. If an organization does not continually improve the effectiveness of the QMS, a nonconformity could be issued referencing this clause. 8.5.2 Corrective Action and 8.5.3 Preventive Action. Discussion: The clauses require establishing a corrective action and a preventive action process. The corrective and preventive action sub clause steps are identical except that the preventive action clause does not require reviewing nonconformities as the initial input step.



The inputs for corrective action include: product nonconformities (8.3), customer complaints (7.2.3 and 8.5.2), results of audits (8.2.2), and other existing process and system nonconformities. The inputs to preventive action are the results of the analysis of data in 8.4 (measurements and monitoring). The clause requirements include:

1. a documented procedure

2. need to address cause

3. taking action appropriate to the magnitude of the problem (effects) 4. keeping records

The standard requires that the corrective and preventive action taken be reviewed. The review must include determination of the effectiveness of the action taken. The review can be linked to clause 5.6.2 for management review inputs. Customer complaints are mentioned and linked back to clause 7.2.3. Baseline: [by the book requirements]

• Plan and implement measuring and monitoring activities to meet requirements and for continual improvement.

• Monitor customer perception (satisfaction) and use as an indicator of QMS performance. Determine how the customer satisfaction information will be obtained and used.

• There must be a documented procedure for the audit process (program).

• Internal audits must confirm adherence to planned arrangements, QMS requirements, ISO 9001 requirements, their implementation, and ongoing maintenance.

• There must be an audit plan showing the audits to be performed. The plan must consider factors such as: area status, importance, and results of prior audits.

• The selection of auditors and audits must be conducted to ensure impartiality and objectivity.

• Action must be taken on audit results without undue delay and followed up to verify implementation.

• Audit results and follow-up actions must be reported/ recorded.



• Processes necessary to meet customer requirements must be measured and monitored to confirm ongoing ability to achieve planned results.

• Product must be measured and monitored to verify that requirements are being met through appropriate stages of the realization process.

• Product measuring and monitoring must be done in accordance with planned arrangements.

• There must be a record of product conformity to requirements.

• There must be a record of the authority responsible for release of product.

• Product must meet all requirements prior to release unless otherwise approved by the customer (or other relevant authority).

• Identify and control nonconforming product to prevent unintended use or delivery.

• Disposition the nonconforming product in accordance with documented procedures.

• Repaired or reworked product must be re-verified prior to release.

• The organization must respond to the consequences of nonconforming product discovered after delivery or use [e.g. product returns].

• Collect and analyze data to determine suitability and effectiveness of the quality management system.

• Collect and analyze data to identify areas for improvement.

• Analyze data for customer satisfaction, meeting customer requirements, key characteristics of products/processes, and suppliers.

• Take corrective action on nonconformities relative to the impact on the organization.

• There must be a documented procedure for corrective action (see list in standard or the steps on page 6).

• Take preventive action on potential nonconformities relative to the potential impact on the organization.

• There must be a documented procedure for preventive action (see list in standard or the steps on page 6).

This ends the clause-by-clause review of ISO 9001. Remember, when questions of interpretation come up, consult the standard first. The best



overall interpretation guideline is that common sense should prevail because the standard was written to create value for the users. In the next lesson we bring out information that will link process approach, business processes and the QMS.



Lesson D13: Process Approach Explained Before ending our discussion of ISO 9001 we need to connect the process approach, ISO 9001 requirements and the QMS. Recall the process model image below that we introduced in an earlier lesson.

The Process Model is the Basis for the Standard

ProductRealization

MeasurementAnalysis,

Improvement

ManagementResponsibility

ResourceManagement

Customers

ProductOutputOutput

Continual Improvement of thequality management system

Value Adding activitiesInformation flow

Customers

Satisfaction

Requirements

InputInput

Image: D04QMSmodel1 The process model starts and ends with the customer. The definition of customer sets the stage for understanding the process approach. The idea of an “internal” customer is included in the ‘customer’ definition and supports the linkages of the process approach. Before you can get the “outputs” and “inputs” right, you need to communicate the requirements (the criteria 4.1.c) within the organization. To ensure that the output meets input requirements, you will need a measurement. This measurement becomes a feedback tool and fulfills the requirements of 4.1.e.



Internal suppliers are providing products and services to internal customers. Internal customers define requirements to internal customers (see image). Remember clause ISO 9001, 4.1 establishes the framework for the process approach. To understand how ISO 9001 and the process approach really work, you need to understand selected requirements. You can see the linkage between the between the requirements.

0.2 Process Approach The application of a system (QMS) of processes within an organization, together with the identification and interactions of these processes, and their management, can be referred to as the “process approach”.

4.1 General Requirements The organization shall establish, document, implement and maintain a QMS and continually improve its effectiveness. The organization shall: a) identify the processes b) determine the sequence and interaction of these processes c) determine criteria and methods needed

4.2.2.c The Quality Manual Describe of the interaction between the processes of the QMS. 5.4.1 Quality Objectives Establish quality objectives, including those needed to meet

requirements for product [see 7.1 a) 5.4.2.a Quality Management System

Planning Planning of the QMS is carried out in order to meet the requirements given in 4.1, as well as the quality objectives.

7.1 Planning of Product Realization Planning of product realization shall be consistent with the requirements of the other processes of the QMS (see 4.1). In planning product realization, the organization shall determine quality objectives and requirements for the product.

8.2.3 Monitoring and Measurement of Processes

The organization shall apply suitable methods for monitoring and, where applicable, measurement of the QMS processes.

8.5.1 Continual Improvement The organization shall continually improve the effectiveness of the QMS through the use of the quality policy, and quality objectives.

There are linkages between the clauses and core business processes. First we can tie requirements for quality to the requirements for the business. Then we can build on the quality management principles of customer focus and continual improvement.



As organizations became larger or more complex, functions become specialized. The formation of departments is an effective way to manage function performance. Some have referred to the evolution of ‘silos’ as a tool to manage large and complex organizations. Silos serve a purpose by helping assign responsibility and accountability as well as helping people manage department (silo) results. However managing by department can create barriers and departments can lose focus of the overall business objectives. Departments within companies may act like they were silos, each independent of the other. Creating specialized departments benefits the organization in some ways but the silo effect creates other problems. How we normally think a business works is usually overly simplistic. The reality may be very different. The real operation of a business can be very complex. For Example: sales may be taking orders as well as accepting requests for quotes and creating quotes. The heartbeat of the business is not what goes on inside the silos but what is happening outside the silos. The process approach provides the linkages to the customer (5,2) through planning (5.4.1), internal auditing (8.2.2) and management review (5.6), and it helps to ensure continual improvement (8.5.1). The process approach supports the concept of teamwork between different “silos” and why it is important. The functions of an organization must work together to achieve objectives. The process approach helps the organization align with customer and organizational needs (customer focus). The standard promotes the adoption of the process approach when developing, implementing, and improving the effectiveness of the QMS to enhance customer satisfaction (ISO 9001, clause 0.2). Note that in the process model, in clause 7, the customers give input into the realization processes, and receive the output. Clause 7 plays a vital role in linking the process approach, QMS and customers. Understanding product realization (clause 7) is the first step in the successful application of the process approach. Clause 7 may involve several departments and functions such as:

• Sales • Customer Service • Design • Manufacturing • Manufacturing Engineering • Purchasing • Quality • Packaging • Shipping • Etc.



Each department or function must identify discrete “business” activities Involved in the realization process. Once all the realization processes are defined and connected, clause 8 is there to measure and monitor products and processes. The output of clause 8 is input to management responsibility (clause 5) for reviewing. Based on management review, resources are adjusted to support the realization processes in clause 7. The circle is complete and the process approach is working. The application of a system of processes within an organization, together with the identification and interactions of these processes and their management, can be referred to as the “process approach” (ISO 9001, clause 0.2).



End Congratulations you have completed all the lessons of the knowledge-based ISO 9001 Requirements from A to Z class. Upon successful completion of the post test and your assignment you will be able receive your certificate. The ISO 9001 knowledge-based training has covered:

ISO 9001 requirements, terminology, conformity assessment process, analyzing findings,

When you have successfully passed all Tests and assignments, you will find the class evaluation form and your certificate. Good Luck