2000 iso 9000 implementation guide - mission2mnc · please note that iso 9001:2000 does not in all...

60
Page 1 of 60 IsoQual, Inc. ISO 9001:2000 Requirements Checklist and Implementation Guide for use in conjunction with: ISO9001:2000 Checklist and Audit Guide Internal Auditor Training Package, and Process Assessment Worksheets for delivery of Internal Auditor Training and/or Management / ISO 9000 Implementation Team Training

Upload: others

Post on 05-Apr-2020

5 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 1 of 60

IsoQual, Inc.

ISO 9001:2000

Requirements Checklist and

Implementation Guide

for use in conjunction with:

ISO9001:2000 Checklist and Audit Guide

Internal Auditor Training Package, and

Process Assessment Worksheets

for delivery of Internal Auditor Training

and/or

Management / ISO 9000 Implementation Team Training

Page 2: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 2 of 60

4 QUALITY MANAGEMENT SYSTEM

Comply 4.1 General Requirements

Y N N/A

The organization shall establish, document, implement and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard.

The organization shall

a) identify the processes needed for the quality management system and their application throughout the organization (see 1.2);

b) determine the sequence and interaction of these processes;

c) determine criteria and methods to ensure that both the operation and control of these processes are effective;

d) ensure the availability of resources and information necessary to support the operation and monitoring of these processes;

e) monitor, measure and analyze these processes; and

f) implement actions necessary to achieve planned and results and continual improvement of these processes.

These processes shall be managed by the organization in accordance with the requirements of this international Standard. Where an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system.

Guidance 4.1 General Requirements The quality management system should:

a. Identify the processes needed for the quality management system (i.e. those processes

needed to address requirements of ISO 9001:2000) and identify all activities that

affect the quality of the products or services you are in the business of providing.

Start by defining key processes associated with YOUR organization’s business cycle

… from initial contact with a potential customer to final delivery of the products or

services you are in the business of providing. Do not overlook processes that you

outsource to others; they are still critical to your business success and you must

manage them as well. You will ultimately need to be able to demonstrate where you

address requirements of ISO 9001:2000 in your business cycle.

Page 3: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 3 of 60

4.1 General Requirements (guidance continued)

b. Determine the sequence and interaction of these processes. Again, the simplest thing

to do is to map out (in flow chart) format YOUR business cycle. Most business

cycles follow the same PLAN-DO-CHECK-ACT (PDCA) model advocated by the

ISO 9000 standards. The key here is to depict how these processes interrelate and

form a system. Managing the ‘white space’ between processes is critical to overall

system effectiveness.

c. Determine criteria and methods needed to ensure the effective operation and control

of these processes. The key here is to define how you are going to know when key

business processes are effective (i.e. they accomplish desired results) with the overall

objective being to achieve high levels of customer satisfaction. Process controls over

inputs, transformation activities and outputs can then be established as needed to

ensure consistent results.

d. Resources and information are key inputs to any process and must be planned and

controlled to ensure effectiveness. Further, the quality management system IS

dynamic and must be continually monitored for effectiveness and improved as

needed. Change requires new or different resources and information … hence the

need to continually evaluate how these are planned and delivered to meet an ever

changing set of requirements: customers change; markets change; organizations

change; technology changes, and the people in an organization change.

e. Monitor, measure and analyze these processes. Improvement is only possible if you

know where you are starting from and where you want to go. Hence, measures of

effectiveness for key QMS process should be established, baseline performance

determined, and improvement objectives established where such improvement is

needed or desired. This means that you will need to collect baseline data, set

improvement objectives where needed, and monitor performance to ensure desired

results are achieved; if not, action should be taken.

f. An important addition in ISO 9001:2000 is the requirement to improve the quality

management system. Improvement is a planned activity through the establishment

and monitoring of performance against desired results. However, without action, all

the data in the world is relatively worthless. But since you can not improve

everything at once (and it would probably not be advisable to try to do so) you should

identify and prioritize improvement initiatives based on the status and importance of

the activity and the real or potential impact of taking no action.

Page 4: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 4 of 60

4.1 General Requirements (guidance continued)

Guidance on the process approach:

Organizations should adopt the process approach and assess the quality management

system through its natural workflow. Of course, this requires understanding the business

and its process linkages. For each process, the organization should (use tools such as

‘turtle diagrams and/or process assessment worksheets’ to) identify:

Inputs: What, when, and from whom?

Resources: With what people, materials, equipment?

Methods: How done (procedures and instructions)?

Controls: How monitored and why?

Measures: What are performance indicators (and objectives)?

Outputs: What is delivered, when, and to whom?

A broader view addresses how interrelated processes work together (as a system or

subsystem) to accomplish desired results. We advocate development and use of

‘deployment flow charts (DFC)’ (to depict both sequence of process steps and interaction

of process participants through the process flow). Simply stated, a horizontal line on a

DFC follows a process trail across functional areas (shows interfaces clearly), while a

vertical line simply show process activities/steps within a functional area (shows

sequence). So, DFCs are excellent tools for both defining, managing and improving the

sequence and interaction of an organization’s processes.

Guidance on ‘outsourced processes’:

An “outsourced process” is a process that the organization has identified as being needed

for its quality management system, but one which it has chosen to be carried out by an

external party. An outsourced process can be performed by a supplier that is totally

independent from the organization, or which is part of the same parent organization (e.g.,

a separate department or division not subject to the same quality management system). It

may be provided within the physical premises or work environment of the organization or

at an independent site.

The acquisition of an outsourced process will normally be subject to the requirements of

both ISO 9001:2000 clause 7.4 (Purchasing) and clause 4.1 (General Requirements). In

some situations, the organization might not actually “purchase” the outsourced process. It

might receive the service from a corporate office or from another division, without a

monetary transaction taking place. Under these circumstances, however, ISO 9001:2000

Clauses 7.4 and 4.1 are still applicable.

Page 5: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 5 of 60

Comply

4.2 DOCUMENT REQUIREMENTS Y N

N/A

4.2.1 General

The quality management system documentation shall include

a) documented statements of a quality policy and quality objectives;

b) a quality manual;

c) documented procedures required by this International Standard;

d) documents needed by the organization to ensure the effective planning, operation and

control of its processes; and

e) records required by this International Standard (see 4.2.4).

Guidance:

4.2.1 Document Requirements – General

ISO 9001:2000 requires that you document your quality policy, quality objectives, a

quality manual, procedures, planning documents and quality records. The standard has

become quite a bit less ‘prescriptive’ regarding the ‘format’ or media used; the bottom

line is that, with a few exceptions, organizations can document the quality management

system in any format suitable to their business as long as they can prove the information

is effectively communicated … and that desired results are achieved.

Procedures describe what is being done in an organization, who is doing it, and how the

results are recorded; procedures are typically cross functional (versus work instructions

which typically apply to individuals or individual work groups). Procedures are

necessary if/when an organization wants to clarify responsibilities and authorities and/or

consistent practices. Flow charts, if constructed properly, can also be used to depict the

same information contained in a ‘traditional’ procedure format. Keep in mind that your

quality management system is not a set of procedures describing every minute detail of

an organization’s operation … rather it is a well defined, but appropriate and user-

friendly balance of procedures, flow charts, job descriptions, work instructions and

forms, which will assist personnel in their day-to-day work.

Page 6: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 6 of 60

4.2.1 Document Requirements – General (guidance continued)

The key is to define your processes in whatever form/format suits you best. Some

(recommended) flow charting programs include:

Visio at <www.microsoft.com/office/visio>

SmartDraw at <www.smartdraw.com>

TeamFlow at <www.teamflow.com>

Flowcharter at <www.igrafx.com>

allCLEAR at <www.allclearonline.com>

Note: We (obviously) prefer/use Visio; however any of the above products are excellent

tools. PowerPoint also has an Autoshapes menu for basic flowcharting symbols and

lines. The Autoshapes menu is located within the Picture option of the Insert menu.

Autoshapes is also an option on the Drawing toolbar. We provide Visio files that require

Visio to edit, but you can also view these in other formats (objects in PowerPoint, e.g.),

and then create your own flow charts in whatever program that suits you best.

The effectiveness of procedures depends on how they are applied to an organization. In

other words, they should be tailored to an organization. In a small organization with

relatively simple processes and activities, procedures should (accordingly) be limited and

simple. Larger organizations with more complicated activities should have more detailed

procedures, but in all cases the procedures should still be as practical as possible.

Please note that ISO 9001:2000 does not in all cases require documented procedures. In

some cases there is no need to document existing practices. However, there must still be

a ‘something’ in place to ensure work is performed in a consistent way.

Note: The following documented procedures are required by ISO 9001:2001.

• Control of Documents (clause 4.2.3)

• Corrective Action (clause 8.5.2)

• Control of Records (clause 4.2.4)

• Preventive Action (clause 8.5.3)

• Internal Audit (clause 8.2.2)

• Control of Nonconforming Product (clause 8.3)

Page 7: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 7 of 60

Comply

4.2 DOCUMENT REQUIREMENTS (continued) Y N

N/A

4.2.2 Quality Manual

The organization shall establish and maintain a quality manual that includes

a) the scope of the quality management system, including details of and justification for any exclusions (see 1.2);

b) the documented procedures established for the quality management system, or referenced to them; and

c) a description of the interaction between the processes of the quality management system.

Guidance:

4.2.2 Quality Manual

The quality manual is the “road map” of the quality management system. It should give

readers an overview of how the quality management system operates.

The quality manual must state the scope of the quality management system. This can be

communicated in a single sentence stating exactly what the organization does. For

example, "The design and manufacture of class 'A' widgets at our facility located at …"

Exclusions to the standard must be stated in the manual. Exclusions must be limited to

requirements within clause 7 and not affect the organization's ability, or responsibility, to

provide product that meets customer and applicable regulatory requirements. Clause 7 of

the standard is essentially the “DO” part of the PLAN-DO-CHECK-ACT (PDCA) cycle

… so … essentially, you can only ‘exclude’ what you do NOT DO!

The quality manual must include or reference the 6 documented procedures required by

ISO 9001:2000 as well as any other documented procedures utilized in the quality

management system. More importantly, the quality manual must describe (or depict) the

sequence and interaction of quality management system processes. This can be done

effectively in a flow chart, especially if it is a ‘deployment’ flow chart - which adds the

element of responsibility to the visual workflow depiction. However, any format is

acceptable as long as it describes the interaction between quality management system

processes required by ISO 9001:2000 (i.e. order handling, planning, purchasing, training,

design, product or service provision, inspection, monitoring and measuring, etc.).

Page 8: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 8 of 60

Comply

4.2 DOCUMENT REQUIREMENTS (continued) Y N

N/A

4.2.3 Control of Documents

Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4.

A documented procedure shall be established to define the controls needed

a) to approve documents for adequacy prior to issue;

b) to review and update as necessary and re-approve documents;

c) to ensure that changes and the current revision status of documents are identified;

d) to ensure that relevant versions of applicable documents are available at points of use;

e) to ensure that documents remain legible and readily identifiable;

f) to ensure that documents of external origin are identified and their distribution controlled; and

g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

Guidance:

4.2.3 Control of Documents

The intent of document control is to ensure that people have easy access to and use the

correct versions of the correct documents. The use of incorrect or obsolete documents can

result in mistakes and, ultimately, in nonconforming product and/or service. New or

revised documents must be approved prior to issue; any approval method is acceptable as

long it clearly indicates what constitutes the evidence of approval. Once documents are

approved, the new or revised documents need to be available at the locations where they

are used or needed. Obsolete documents need to be removed or destroyed. If obsolete

documents are not destroyed, they should be identified as obsolete.

In order to control the use of documents, ISO 9001:2000 requires a method for

identifying the current revision status of documents. Since the key to control starts with

identification, a good place to begin is to create a master list that identifies all controlled

documents and their revision status (number, date, or equivalent). If documents are not

‘centrally controlled’, each person that controls documents will need to establish and

maintain there own master list. Any controlled document can be compared with this

master list to verify if the latest revision is in use. Another possible method that precludes

the use of obsolete documents is the use of a master file of original documents (such as

drawings). Master lists and master documents can (and probably should) be maintained

electronically wherever possible.

Page 9: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 9 of 60

4.2.3 Control of Documents (guidance continued)

Document control systems can be as simple or as sophisticated as you deem appropriate

and/or needed. Our templates utilize a simple ‘master list’ … and all our documents are

‘hyperlinked’ to help organizations created a ‘paper free’ document control system.

However, for larger organizations desiring more sophisticated systems, some of the more

popular tools are listed below:

ISO9 www.vintara.com

tQ Solutions <www.etq.com>

ISOQuest <www.globalquality.com>

Q&MIS Suite <www.pilgrimsoftware.com>

Powerway <www.powerwayinc.com>

Qpulse <www.qualityamerica.com>

Document control software may provide solutions that are Internet or Intranet based and

accessible through your web browser, MS Office, or Lotus Notes. Packages typically

provide storage and control of multiple document types.

Further document control guidance:

ISO 9004:2000 Guidance on Documentation (4.2)

The generation, use, and control of documentation should be evaluated with respect to the

effectiveness and efficiency of the organization against criteria such as:

• Functionality (e.g., speed of processing)

• User friendliness; Resources needed

• Policies and objectives

• Requirements for managing knowledge

• Benchmarking of documentation systems

• Interfaces used by customers, suppliers, and interested parties

And, access for people in the organization and others should be based on the

organization’s communication policy.

Page 10: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 10 of 60

4.2.3 Control of Documents (guidance continued)

ISO 90003:2004 Guidance on Document Control

The software guidance standard includes a note at clause 4.2.3 to refer to 7.5.3 for more

information on document control as part of configuration management. Clause 7.5.3.1

states that the configuration management discipline is applicable to related

documentation.

ISO/TR 10013:2001 Guidance on Document Control

(Clause 6.1)

1. Documents should be reviewed before issue to ensure their clarity, accuracy, adequacy,

and proper structure.

2. Users should have the opportunity to comment on usability and if documents reflect

actual practices.

3. Document release should be approved by managers responsible for their

implementation.

4. Copies should have evidence of release authorization.

5. Evidence of document approvals should be retained.

(Clauses 6.2, 6.3)

1. Distribution method should ensure pertinent issues are available to all personnel who

will need the information.

2. Distribution and control may be aided by using serial numbers of individual document

copies for recipients.

3. Document distribution may include external parties, e.g., customers, registrars, and

regulatory authorities.

4. A process for initiation, development, review, control, and incorporation of changes

should be provided.

5. The same approval process as for original documents should be applied when applying

changes.

(Clause 6.4)

1. Document issue and change control are essential to ensure document contents are

properly approved by authorized persons and approval is readily identifiable.

2. A process should be established to ensure that only the appropriate documents are in

use.

3. Revised documents should be replaced by latest revision.

4. A document master list may be used to assure users that they have the correct issue of

authorized documents.

5. Organization should consider recording change history for legal and/or knowledge

preservation reasons.

Page 11: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 11 of 60

4.2.3 Control of Documents – Guidance (continued)

Of all requirements of ISO 9001:2000, this is one that is most likely to be over-applied.

However, it is important to control the distribution of documents used to make sure work

is being carried out according to the correct set of instructions or information. Just ask

yourself: “What information/documents do competent people need to do their jobs?”

Then, identify and control that information/documentation and get rid of everything else.

There is also a risk of ending up with complex arrangements for updating and retrieving

documents. Just remember, that the standard requires information to be up-to-date, but

does not specify how this should be done … there is a lot of flexibility … so this is a

process only you can simplify (or complicate).

Comply 4.2 DOCUMENT REQUIREMENTS (continued)

Y N N/A

4.2.4 Control of Records

Records shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system. Records shall remain legible, readily identifiable and retrievable. A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records.

Guidance:

4.2.4 Control of Records

There is a difference between documents and records. Essentially, documents are used to

describe or control how things are to be done and records are used to prove they were

accomplished. Records also are THE primary source of data you will be using to

evaluate if (and to what degree) desired results are accomplished. Further, records cannot

be revised. For example: a form is a document used for ordering products and/or services

from vendors and a completed purchase order states what has been ordered from the

vendor. Other examples of records are:

- management review minutes;

- inspection records;

- quotes and proposals;

- customer orders;

- audit reports;

- training records;

- corrective/preventive action records;

- design review minutes;

- nonconformance reports.

Each organization should identify which records are used to provide the evidence needed

to demonstrate planned activities are accomplished and/or to provide the data needed to

evaluate their effectiveness. A documented procedure is needed to define how these

records are identified, where they are stored, how they are retrieved, how they are

protected, what their retention time is, and how they are disposed of.

Page 12: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 12 of 60

4.2.4 Control of Records (guidance continued)

Further guidance on record control:

ISO 9004:2000 Guidance on Documentation

The term “documentation” refers to both documents and records, so the ISO 9004

guidance covered earlier under document control also applies to record control.

ISO 90003:2004 Guidance on Record Control

(Clause 4.2.4.1)

Evidence of conformity to requirements may include:

• Documented test results

• Problem reports, including any related to tool problems

• Change requests

• Documents marked with comments

• Audit and assessment reports

• Review and inspection records (e.g., those for design reviews, code inspections,

and walkthroughs).

(Clause 4.2.4.2)

Examples of evidence of effective operation may include:

• Resource changes (people, software, and equipment)

• Estimates, e.g., project size and effort

• How and why tools, methods, and suppliers selected

• Software license agreements (procured and supplied)

• Minutes of meetings

• Software release records

Page 13: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 13 of 60

4.2.4 Control of Records (guidance continued)

(Clause 4.2.4.3)

1. Consider legal requirements when setting retention times

2. Retention and access of electronic records, should consider the rate of media

degradation, availability of devices, and software needed for access

3. Records may include information held in email systems

4. Protection from computer viruses, and unapproved or illegal access, should be

considered

5. Proprietary information in records should be assessed to determine erasure methods at

end of retention period

ISO 15489:2001 Guidance on Record Management

ISO 15489-1:2001 is an information and documentation standard on records

management. Its companion document, ISO/TR 15489-2:2001, provides further

explanation and guidance on implementation options.

1. Records are created and used to conduct business activities and should be authentic,

reliable, and usable.

2. Records should be preserved and made accessible.

3. Records should comply with policies, standards, and legal requirements.

A records management program should decide on:

• Records to create for each process

• Information to include in the records

• Form, structure, and technologies to be used

• Retrieval, use, and transmittal of the records

• Retention periods and the disposition process

• Organization of records to support their use

Records should be kept in a safe, secure environment only for as long as they are needed

or required.

ISO/TR 10013:2001 Guidance on Records (4.11)

1. Records should indicate conformity with system requirements and specified product

requirements

2. Responsibilities for preparation of records should be addressed as part of the system

documentation

Records are not generally under revision control since they are not subject to change.

Page 14: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 14 of 60

5 MANAGEMENT RESPONSIBILITY

Comply 5.1 MANAGEMENT COMMITMENT

Y N N/A

Top management shall provide evidence of its commitment to the development and implementation of the quality management system and continually improve its effectiveness by

a) communicating to the organization the importance of meeting customer as well as

statutory and regulatory requirements;

b) establishing the quality policy;

c) ensuring that quality objectives are established;

d) conducting management reviews; and

e) ensuring the availability of resources.

Guidance:

5.1 Management Commitment

Top management MUST BE the driving force for establishing, implementing,

maintaining, and improving the quality management system. What people do, and how

this affects customers, cannot be effectively managed without a clear commitment from

top management. Define who top management is, then define clear responsibilities for

taking leadership roles that demonstrate commitment; at a minimum, management must:

- communicate to the organization the importance of meeting customer as well as

regulatory requirements ;

- establish a quality policy and objectives;

- conduct management reviews ; and

- ensure the availability of resources.

Page 15: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 15 of 60

Comply

5.2 Customer Focus Y N

N/A

Top management shall ensure that customer requirements are determined and are met with the aim of enhancing customer satisfaction (see 7.2.1 and 8.2.1).

Guidance

5.2 Customer Focus

Every organization depends on its customers. Without satisfied customers, the

organization cannot exist. Therefore, this requirement of ISO 9001:2000 is the core of

the quality management system. Essentially, you must define how your organization

focuses on customers. Specifically: How do they know what you do? How do they

know who to contact with questions/concerns? How can they get involved in improving

the quality of your products and services? If your organization has the proper customer

focus it should be able to answer the following questions on a continual basis:

- What do customers need and what do they expect?

- What does this mean for the organization? What is the organization required to do in

order to meet these customer expectations?

- Does the organization understand customer requirements and are these requirements

actually met?

In order to maintain a proper customer focus, management needs to monitor customer

requirements (and expectations) at the ‘macro’ level; this can be by a variety of methods:

- carrying out market/customer surveys;

- reviewing sector/industry specific reports;

- identifying niche marketing opportunities.

Page 16: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 16 of 60

Comply

5.3 Quality Policy Y N

N/A

Top management shall ensure that the quality policy:

a) is appropriate to the purpose of the organization;

b) includes a commitment to comply with requirements and continually improve the effectiveness of the quality management system;

c) provides a framework for establishing and reviewing quality objectives;

d) is communicated and understood within the organization; and

e) is reviewed for continuing suitability.

Guidance

5.3 Quality Policy

Your quality manual, by definition, contains policy that governs or directs every aspect of

your quality management system … i.e. it contains policy governing interaction with

customers, accepting orders, purchasing needed materials and services, performing

planning functions, qualifying and training people, performing and verifying work, etc.

The quality policy statement is a ‘one-liner’ that embodies all of this into one concise

statement indicating the overriding emphasis of all lower level policies. The quality

policy statement should communicate to customers and employees:

- a commitment to quality;

- a commitment to continual improvement;

- what your business does;

- what your quality objectives are, and how they are reviewed.

It is important that the quality policy covers the whole organization and is relevant to the

expectations of all customers. Therefore, customer requirements should be determined

before the quality policy is established.

All employees need to understand the quality policy, how it affects them, and their role in

the quality system.

It is important to keep in mind that the quality policy may be suitable today, but may not

be suitable in the future due to changing circumstances. The quality policy must therefore

be regularly reviewed for suitability (usually during management review; see clause 5.6).

Page 17: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 17 of 60

Comply

5.4 Planning Y N

N/A

5.4.1 Quality Objectives

Top management shall ensure that quality objectives, including those needed to meet requirements for product (see 7.1 a), are established at relevant functions and levels within the organization. The quality objectives shall be measurable and consistent with the quality policy.

Guidance

5.4.1 Quality Objectives

While the quality policy statement indicates what is important for the organization in

general terms, quality objectives must specific goals to be achieved within a certain time

frame, and must be measurable. The establishment and monitoring of progress against

measurable quality objectives is the key to effective quality system planning at the

‘macro’ level. ISO 9001:2000 specifically requires that quality objectives at relevant

functions and levels within the organization. This means, for example, that an

organization with sales, design, purchasing, and production departments (or functions)

should have quality objectives for each department that are consistent with the quality

objectives established at the ‘macro’ level for the organization as a whole. Look for

objectives already in place at all levels in the organization and evaluate them for

consistency with the ‘macro’ level quality objectives you establish. Many organizations

establish performance goals (or objectives) for each key manager; you may discover that

such objectives are not consistent with the ‘macro’ quality objectives and should be

changed. You can use periodic functional/individual performance reviews to assess

progress and convey how achievement of lower level objectives contributes to the ‘big

picture’. Measurable improvement objectives are meaningless without a baseline

performance measure; examples are:

- reduce scrap by 10% within the next 6 months;

- reduce repeat problems by 90% within the next year;

- increase customer satisfaction by 10% within the next year;

- reduce number of nonconforming products by 15% within the next year;

- reduce the number of key vendors from 100 to 25 in the next three years, etc.

- Some organizations may also chose to establish some of their quality objectives based

on “YES/NO” criteria. Example “Achieve product certification for “xxxxxxx”

product by November 2006”; or “Develop a new product to meet the requirements of

the “YYYYY” market by March 2007.

Page 18: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 18 of 60

Comply

5.4 Planning (continued) Y N

N/A

5.4.2 Quality Management System Planning

Top management shall ensure that

a) the planning of the quality management system is carried out in order to meet the requirements given in 4.1, as well as the quality objectives; and

b) the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented.

Guidance

5.4.2 Quality Management System Planning

Product quality planning is covered in detail under clause 7.1; job planning and control is

covered in detail under clause 7.5.1; planning for improvement is covered in detail under

clause 8.5. QMS planning activities related to clause 5.4.2 include identifying activities

and resources needed to establish and improve the quality system itself; such planning

does not have to be a sophisticated process. In fact, this requirement is met through

completion of other activities required by the standard: you plan to achieve the quality

objectives (see clause 5.4.1) and ensure continual improvement (see clause 8.5) through

the management review process (see clause 5.6). Outputs of quality planning include:

- the quality system itself (i.e. the quality manual and associated procedures);

- resources for establishing, maintaining and improving the quality system;

QMS planning should not only apply to achieving quality objectives, but also to

organizational change. Changes in an organization should be planned in order to

minimize the risk of negative effects on quality of product and/or service; this is normally

accomplished through a strategic planning process. In any case, changes and their impact

on the organization and the quality system should be an agenda item for every

management review meeting (see clause 5.6).

Page 19: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 19 of 60

Comply

5.5 Responsibility, Authority and Communication Y N

N/A

5.5.1 Responsibility and Authority

Top management shall ensure that responsibilities and authorities are defined and communicated within the organization.

Guidance

5.5.1 Responsibility and Authority

There can be no effective way of working if employees do not know their responsibilities

or if responsibilities and authorities are ‘vague’. Everyone should know what they are

expected to do (responsibilities) and what they are allowed to do (authorities). They

should know their role (position) in the organization and how this relates to other roles

(positions). Others in the organization (as well as customers) should be aware of these

relationships. Organization charts, job descriptions, deployment flow charts, and

procedures can be used to define organizational responsibilities and authorities … but

organization charts alone rarely define how things really get done in an organization.

Descriptions do not have to be elaborate or complex. It is important that descriptions

clearly reflect the “real life” situation and allow for flexibility. One method of

identifying responsibilities and authorities is to have a simple procedure or deployment

flow chart supplemented by a job description or training document. Also, placing an

organization chart in the quality manual will help customers identify key personnel and

delegated responsibilities and authorities in the organization.

Page 20: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 20 of 60

Comply

5.5 Responsibility, Authority and Communication Y N

N/A

5.5.2 Management Representative

Top management shall appoint a member of management who, irrespective of other responsibilities, shall have responsibility and authority that includes

a) ensuring that processes needed for the quality management system are established, implemented and maintained;

b) reporting to top management on the performance of the quality management system and any need for improvement; and

c) ensuring the promotion of awareness of customer requirements throughout the organization.

Guidance

5.5.2 Management Representative

Top management must delegate management authority to someone in the organization to

act as their representative for “quality management system issues”. This person must

have the necessary authority within the organization to ensure that the quality

management system is working. ISO 9001:2000 specifically requires this person to be a

member of management within the organization. People from outside the organization

(for example, consultants) cannot be the management representative unless they have a

management position within the organization. Obviously, the management representative

can have other responsibilities as well; however, regardless of other responsibilities, the

management representative should have direct access to top management on any issue

regarding the quality management system.

The authority of the management responsibility must include at least the duties as

described in clause 5.5.2 (a, b and c).

It is important to note that it is not the role of the management representative to “run" the

quality system ‘independent’ of top management. A quality system can only be effective

if it is carried out by all personnel in the organization, especially top management. The

management representative has a supportive role: ensuring that the necessary data is

collected and reported to top management for action as warranted. Again, the key is that

the management representative must have direct access to top management so quality

system issues requiring their attention are not impeded.

Page 21: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 21 of 60

Comply

5.5 Responsibility, Authority and Communication Y N

N/A

5.5.3 Internal Communication

Top management shall ensure that appropriate communication processes are established within the organization and that communication takes place regarding the effectiveness of the quality management system.

Guidance

5.5.3 Internal Communication

In order to establish an effective quality management system, it is not only necessary that

employees know their roles, responsibilities, and authorities, but there should also be

clear and effective ways for people within the organization to communicate.

Management should ensure that people have the information necessary in order to be able

to do their work, and ensure that quality requirements, objectives, and achievements are

communicated to all relevant personnel.

Most organizations already have a wide variety of internal communication systems in

place and need only describe them; communication systems/tools include any visible top

management activity, as well as:

- audio-visual and electronic media (kiosks, newsletters, notice boards, intranet);

- team meetings (staff, production and improvement team meetings);

- awareness/training programs (new customers, processes/systems, products/ services);

- employee performance reviews.

Page 22: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 22 of 60

Comply

5.6 Management Review Y N

N/A

5.6.1 General

Top management shall review the organization’s quality management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the quality management system, including the quality policy and quality objectives. Records from management reviews shall be maintained (see 4.2.4).

5.6.2 Review Input

The input to management review shall include information on

a) Results of audits;

b) Customer feedback;

c) Process performance and product conformity;

d) Status of preventative and corrective actions;

e) Follow-up actions from previous management reviews;

f) Changes that could affect the quality management system; and

g) Recommendations for improvement.

5.6.3 Review Output

The output from the management review shall include any decisions and actions related to

a) Improvement of the effectiveness of the quality management system and its processes;

b) Improvement of product related to customer requirements; and

c) Resource needs.

Guidance

5.6 Management Review

The complete quality management system should be reviewed by top management on a

regular basis. Management decides the frequency, but it should be frequent enough to

ensure the effectiveness of the system (usually once per year is adequate). Management

reviews are not implementation status meetings … they are system effectiveness review

sessions … looking a data over time to see if the desired results (objectives and plans) are

being achieved … and taking action if/when needed.

Management reviews make quality management systems dynamic. Without these

reviews, a system may become ineffective over time. Organizations change,

customers/markets change, and people change. These changes require modifications in

the quality management system. Regular management reviews ensure that the quality

management system is still suitable, adequate, and effective in a changed environment.

Page 23: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 23 of 60

5.6 Management Review – Guidance (continued)

In order to be effective, management reviews should be well prepared. This allows top

management to assess the effectiveness of the quality management system based on the

quality policy and the quality objectives, and to define the opportunities for improvement

and the need for changes. This means attendees must come with data/trends … know

what it means … and be prepared to offer related recommendations.

The results of management reviews should be in the form of specific actions, ensuring

that improvements are made in products/services and processes/systems, and that

resource needs are identified. Management review outputs can also set the direction for

the future (i.e. new/revised policy can be issued, improvement objectives can be

established, and/or specific improvement initiatives can be approved). The results of

management reviews should be recorded in some way; usually in meeting minutes,

checklists, or to-do lists.

A management review does not necessarily have to be conducted in one meeting (i.e.

once per year). A series of meetings can be held, each covering a part of the quality

management system, or a part of the organization.

6 RESOURCE MANAGEMENT

Comply 6.1 Provision of Resources

Y N N/A

The organization shall determine and provide the resources needed a) to implement and maintain the quality management system and continually improve

its effectiveness; and

b) to enhance customer satisfaction by meeting customer requirements.

Guidance

This section of ISO 9001:2000 covers the specific requirements for planning and

management of needed resources. These resources include human resources,

facilities, equipment, and work environment. This means that appropriate resources

are to be identified, planned, made available, used, monitored, and changed as

necessary by the organization.

It is important for the organization to evaluate past and present performance (e.g.,

using cost-benefit analysis and risk assessment) when deciding what resources are to

be allocated. In other words, the organization needs to ensure that human resources,

infrastructure (e.g., energy, water, facilities and equipment maintenance,

communications, and information technology), and the work environment (e.g.,

temperature, lighting, vibration, and noise) are provided and maintained in a way

consistent with the quality policy and objectives, as well as, contributing to

conformity to product requirements.

Page 24: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 24 of 60

Comply

6.2 Human Resources Y N

N/A

6.2.1 General

Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills and experience.

Guidance

6.2.1 General

Every person in an organization must be competent at what they do; this means that

qualification criteria should be established based on education, experience, and training.

Comply

6.2 Human Resources (continued) Y N

N/A

6.2.2 Competence, Awareness and Training

The organization shall

a) Determine the necessary competence for personnel performing work affecting product quality;

b) provide training or take other actions to satisfy these needs;

c) evaluate the effectiveness of the actions taken;

d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives; and

e) maintain appropriate records of education, training, skills and experience (see 4.2.4).

Guidance

6.2.2 Competence, Awareness and Training

In order for an organization to have qualified/competent people, it should:

- Determine competency needs. Job requirements change, so employee qualifications

and training needs should be continually reviewed, not just upon employment. The

mechanism for identifying needs on a regular basis is most often tied to periodic

employee performance reviews but also may be the output of strategic planning.

- Provide training to address identified needs. Once the need for training is established,

the training should actually be provided.

- Evaluate the effectiveness of training. Training is never a goal in itself. On a regular

basis, organizations should ask: did the training accomplish desired results? It is up to

you to define how you plan to demonstrate “effectiveness of actions taken” to address

competency needs; it could be through test results, improved performance, reduced

failures or problems, or any other objective evidence you deem appropriate.

Page 25: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 25 of 60

Comply

6.3 Infrastructure Y N

N/A

The organization shall determine, provide and maintain the infrastructure needed to achieve conformity to product requirements. Infrastructure includes, as applicable a) buildings, workspace and associated utilities;

b) process equipment (both hardware and software); and

c) supporting services (such as transport or communication).

Guidance

6.3 Infrastructure

Failure of equipment (such as welding equipment in a machine shop), lack of facilities

(such as shortage of storage space in a warehouse), or lack of repair/maintenance

capability can have serious effects on the quality or timeliness of product and/or service.

It is therefore essential that infrastructure is identified and controlled.

The focus should be on the infrastructure that is most important for the type of

organization. For example, a manufacturer will probably focus on production equipment

and maintenance, while a software development firm will put more emphasis on

computer hardware and software, and a service organization will focus on workspace and

associated facilities. Similarly, if an organization has equipment that can easily be

replaced without affecting quality of product and/or service, maintenance activities can

be relatively simple and limited. More complex equipment that is difficult to replace

should have a more extensive maintenance program. Where ‘breakdown maintenance’ is

the core of the maintenance strategy, redundant systems and spare parts inventories for

long lead time or hard to get materials may be critical.

Comply 6.4 Work Environment Y N

N/A

The organization shall determine and manage the work environment needed to achieve conformity to product requirements.

Guidance

6.4 Work Environment

Resources must be provided to establish and control working conditions needed to assure

product/service quality or to ensure consistent process performance.

In addition, organizations must define how they manage achieve compliance with

applicable statutory or regulatory environmental requirements, and may include a

requirement for an organization to be compliant with ISO 14001 or other environmental

management system standard.

Page 26: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 26 of 60

7 PRODUCT REALIZATION Comply 7.1 Planning of Product Realization Y N

N/A

The organization shall plan and develop the processes needed for product realization. Planning of product realization shall be consistent with the requirements of the other processes of the quality management system (see 4.1).

In planning product realization, the organization shall determine the following, as appropriate: a) quality objectives and requirements for the product; b) the need to establish processes, documents and provide resources specific to the

product; c) require verification, validation, monitoring, inspection and test activities specific to

the product and the criteria for product acceptance; d) records needed to provide evidence that the realization processes and resulting

product meet requirements (see 4.2.4). The output of this planning shall be in a form suitable for the organization’s method of operations.

Guidance

7.1 Planning of Product Realization

Clause 7 relates to the “DO” portion of the PLAN-DO-CHECK-ACT (PDCA) cycle.

This requirement is about planning for whatever your organization ‘does’.

Therefore, plans for controlling what you ‘do’ need to be documented. First, it is only

important to document what you plan to ‘do’ if the absence of such documentation would

adversely affect quality. The degree of and reliance on training and employee

competence will often be the single most deciding factor in determining the level of

documentation (including planning documents) needed.

Product realization plans can take can take many forms: formal product control plans,

work instructions, operator instructions, specifications, flow charts, checklists, or even

pictures or videos. Each organization needs to determine which format(s) will meet its

needs best.

In many cases, the customer may also require you to develop and submit your product

realization plans to them for approval prior to commencing work. In most cases,

organizations have product realization ‘plans’ already in place and all they will need to

do is identify them and define responsibilities for their establishment, approval,

execution, and periodic review/update.

Page 27: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 27 of 60

Comply

7.2 Customer-Related Processes Y N

N/A

7.2.1 Determination of Requirements Related to the Product

The organization shall determine

a) requirements specified by the customer, including the requirements for delivery and post-delivery activities;

b) requirements not stated by the customer but necessary for specified or intended use, where known;

c) statutory and regulatory requirements related to the product; and d) any additional requirements determined by the organization.

Guidance 7.2.1 Determination of Requirements Related to the Product

In order to be able to provide a product that meets customers’ expectations, it is necessary

to know exactly what the customer’s requirements for the product are, as well as

statutory/regulatory requirements and requirements based on known/intended use of a

product that only you or other product experts know. Accordingly, you need to consider:

- the requirements that are specified by the customer (usually in a customer order,

including requirements after delivery of product is complete, such as servicing of

products or warranty activities). Note: contractual delivery dates of a product or

service are to be always considered as being part of the “requirements specified by

the customer”.

- the requirements not specified by the customer (usually based on known or intended

use). For example, the use of special coatings and coating techniques in order to

prevent rust.

- statutory and regulatory requirements (usually imposed by local, regional, national,

international and/or sector/industry specific environmental and/or safety statutory

requirements or regulatory agencies).

- other requirements determined by the organization (usually based on product/service

performance expectations and other customer expectations such as luxury and

convenience features, appearance, etc.

Page 28: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 28 of 60

Comply

7.2 Customer-Related Processes (continued) Y N

N/A

7.2.2 Review of Requirements Related to the Product

The organization shall review the requirements related to the product. This review shall be conducted prior to the organization’s commitment to supply a product to the customer (e.g. submission of tenders, acceptance or contracts of orders, acceptance of changes to contracts or orders) and shall ensure that a) product requirements are defined;

b) contract or order requirements differing from those previously expressed are resolved; and

c) the organization has the ability to meet the defined requirements. Records of the results of the review and actions arising from the review shall be maintained (see 4.2.4). Where the customer provides no documented statement of requirement, the customer requirements shall be confirmed by the organization before acceptance. Where product requirements are changed, the organization shall ensure that relevant documents are amended and that relevant personnel are made aware of the changed requirements.

Guidance

7.2.2 Review of Requirements Related to the Product

The intent of this requirement is to ensure that organizations understand and can meet

ALL requirements before promising the customer that the product or service can be

provided. In order to avoid misunderstandings about what the customer wants (and

expects), it is necessary to review all requirements identified per clause 7.2.1. At a

minimum, all quotes/proposals, customer orders (and subsequent changes) should be

reviewed.

A request for quotation that is received from a customer needs to be reviewed before a

quote is submitted. An organization must determine if:

- the information from the customer is clear and specific;

- it has the capability to provide the requested product.

Once a quotation is provided to the customer and the customer places an order (accepting

the quotation), the order and the quotation must be compared to determine if there are any

differences between them. Any differences need to be resolved with the customer.

Page 29: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 29 of 60

7.2.2 Review of Requirements Related to the Product – Guidance (continued)

If the customer places an order without having been previously quoted (as is the case in

many organizations with ‘standard’ products or services as advertised in brochures or

catalogues), the order still needs to be reviewed before it is accepted. An organization

must determine if:

- the order is clear and specific;

- it has the capability (and capacity) to provide the requested product or service.

Records of these reviews must be kept; the record can be as simple as a notation on the

request for quotation or the order with the initials of the reviewer and the date. If the

request for quotation or order is not accepted (for whatever reason) or needs clarification,

follow-up actions must also be recorded. For verbal orders (for example by telephone) it

is important to confirm the order before acceptance. This can be done, for example, by

reading it back to the customer, asking for confirmation. In general, verbal and electronic

orders need some special considerations to record the order. For example, the details of a

telephone order may be recorded on a pad, and an electronic order may be recorded by

printing it or saving it in the computer.

Once accepted, orders often need to be changed. If this is the case, it should be clear how

this change is to be handled. Many times the change only affects quantity or date of

delivery; however, in some cases technical aspects of the order will change. The type

and scope of review needed should be based on the nature of the change. Most

organizations handle changes in the same way as a new order. In any case, all changes

must be agreed to by the customer and communicated to all individuals who are affected

by them. Typically, the purchasing department, the scheduling department, and the

production department are affected, and should therefore be informed.

Page 30: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 30 of 60

Comply

7.2 Customer-Related Processes Y N

N/A

7.2.3 Customer Communication

The organization shall determine and implement effective arrangements for communicating with customers in relation to

a) product information;

b) enquiries, contracts or order handling, including amendments; and

c) customer feedback, including customer complaints.

Guidance

7.2.3 Customer Communication

The satisfaction of customers does not only depend on the quality of final product or

service, but also on the communication between the organization and its customers. Poor

communication, even if acceptable product or service is provided, can result in

dissatisfied customers.

Therefore, it should be clear who has the responsibility and authority to communicate

with the customers. It is important that the following questions are answered:

- Who provides product information to the customer, and how is it provided? How

does the organization ensure that this product information is correct and timely?

- Who is responsible for handling requests for quotations and customers’ orders?

- By whom and how is customer feedback received and handled? This includes both

planned feedback (for example, as a result of customer surveys), and unplanned

feedback (for example, customer complaints).

The organization’s systems for communicating with the customer needs to be readily

available to the customer; therefore the quality manual is usually the best place to discuss

customer communications … or at least lead customers to a location (i.e. brochure, web

site, etc.) where customer contact data is detailed.

Page 31: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 31 of 60

Comply

7.3 Design and Development Y N

N/A

7.3.1 Design and Development Planning

The organization shall plan and control the design and development of product.

During the design and development planning, the organization shall determine

a) the design and development stages;

b) the review, verification and validation that are appropriate to each design and development stage; and

c) the responsibilities and authorities for design and development.

The organization shall manage the interfaces between different groups involved in design and development to ensure effective communication and clear assignment of responsibility.

Planning output shall be updated, as appropriate, as the design and development progresses.

Guidance

7.3

This clause applies to you if you design the product/service that you well. It also applies

to you if you purchase a complete design, then manufacture a product to the design and

sell it under its you own brand name.

7.3.1 Design and Development Planning

The type and extent of the design plan should be dependent on the complexity of the

design and the number of people involved. In some cases, design plans can be as simple

as a short flow chart or checklist; in more complex designs, more sophisticated planning

techniques are necessary. The design plan should identify responsibilities/authorities and

specific timelines; it should describe which groups or individuals are involved (for

example: customers, subcontractors, regulatory bodies, etc.) and how. It should also

clearly identify the stages of the design process, including any checks and/or verifications

for each stage.

It is not uncommon for conditions to change during the design and development process.

A design and development plan only has value if it is being updated when these changes

occur.

Page 32: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 32 of 60

Comply

7.3 Design and Development (continued) Y N

N/A

7.3.2 Design and Development Inputs

Inputs related to product requirements shall be determined and records maintained (see 4.2.4).

These inputs shall include:

a) functional and performance requirements;

b) applicable statutory and regulatory requirements;

c) where applicable, information derived from previous similar designs; and

d) other requirements essential for design and development. These inputs shall be reviewed for adequacy. Requirements shall be complete, unambiguous and not in conflict with each other.

Guidance

7.3.2 Design and Development Inputs

In every design and development process, simple or complex, it is crucial to know what

is required. The design and development input is defined by all requirements that the

design must meet in order to be successful. In other words, it should be clear how the

final product is going to look and which conditions must be fulfilled.

Comply

7.3 Design and Development (continued) Y N

N/A

7.3.3 Design and Development Outputs

The outputs of design and development shall be provided in a form that enables verification against the design and development input and shall be approved prior to release. Design and development outputs shall

a) meet the input requirements for design and development;

b) provide appropriate information for purchasing, production and for service provision;

c) contain or reference product acceptance criteria; and

d) specify the characteristics of the product that are essential for its safe and proper use.

Page 33: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 33 of 60

Guidance

7.3.3 Design and Development Outputs

Design and development output is the result of the design and development process and

the design plan should describe what form output should be in. Whatever the format, it

is essential that the output meet the input requirements, that it contains clear criteria for

acceptance or rejection, and that it clearly defines the characteristics of the product.

Comply

7.3 Design and Development (continued) Y N

N/A

7.3.4 Design and Development Review At suitable stages, systematic reviews of design and development shall be performed in accordance with planned arrangements (see 7.3.1) a) to evaluate the ability of the results of design and development to meet

requirements; and b) to identify any problems and propose necessary actions. Participants in such reviews shall include representatives of functions concerned with the design and development stage(s) being reviewed. Records of the results of the reviews and any necessary actions shall be maintained (see 4.2.4).

Guidance

7.3.4 Design and Development Review

Design and development review is a check to determine if the design and development

activities are on track. More specifically, organizations need to verify if design is

adequate in meeting customer and other requirements (design and development input).

For simple designs it may be sufficient to have only one design review at the very end of

the design process; however, performing only one design review may be very risky for

more complex designs. If there are any problems identified as a result of the design

review, it may be very costly and in some cases too late to go back and redo some of the

design activities in order to correct the problems. Since thorough design reviews can

prevent problems in a later stage, all relevant parties should be involved, including

appropriate internal departments/functions, as well as customers and subcontractors.

The results of the design reviews, including any problems that are identified and their

solutions, must be recorded. This may be as simple as noting on the plan that the review

has been carried out, as well as any follow-up actions, signed off by the reviewer and

dated. However, more complex designs may be reviewed in a formal meeting, and the

minutes of this meeting would constitute the design review record.

Page 34: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 34 of 60

Comply

7.3 Design and Development (continued) Y N

N/A

7.3.5 Design and Development Verification Verification shall be performed in accordance with planned arrangements (see 7.3.1) to ensure that the design and development outputs have met the design and development input requirements. Records of the results of the verification and any necessary actions shall be maintained (see 4.2.4).

Guidance

7.3.5 Design and Development Verification

Design and development verification is the formal check that is done at the end of the

design and development process to see if the results meet the original requirements. For

example: does the drawing meet the customer’s, regulatory, and other requirements?

If the design and development output is approved, the organization will go ahead with

manufacturing the product or providing the service based on the design; therefore, it

should be clearly stated in the design plan who is authorized to perform the design and

development verification, how the verification is done, and where it is recorded.

Comply

7.3 Design and Development (continued) Y N

N/A

7.3.6 Design and Development Validation Design and development validation shall be performed in accordance with planned arrangements (see 7.3.1) to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use, where know. Wherever practicable, validation shall be completed prior to the delivery or implementation of the product. Records of the results of validation and any necessary actions shall be maintained (see 4.2.4).

Guidance

7.3.6 Design and Development Validation

Design validation is checking that the actual product/service created performs as

intended. This is the final stage of the design and development process and is a valuable

opportunity to prevent serious financial loss. Design and development validation should

be performed before delivery of the product to the customer so that any problems can be

corrected.

Page 35: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 35 of 60

7.3.6 Design and Development Validation (continued)

Sometimes it is impractical to perform design and development validation before delivery

of the product to the customer; in such cases, the organization should perform checks of

the parts of the final product.

In other cases, performing design and development validation before introducing the new

product is required by law; for example, in the case of introducing a new medicine.

If the design and development output is, in itself, the actual product, then design and

development verification and validation are one and the same activity. This may be the

case, for example, for an engineering firm.

ISO 9001:2000 requires that the results of design and development validation activities

be recorded, including follow-up actions where applicable.

Comply

7.3 Design and Development (continued) Y N

N/A

7.3.7 Control of Design and Development Changes Design and development changes shall be identified and records maintained. The changes shall be reviewed, verified and validated, as appropriate, and approved before implementation. The review of design and development changes shall include evaluation of the effect of the changes on constituent parts and product already delivered. Records of the results of the review of changes and any necessary actions shall be maintained

Guidance

7.3.7 Control of Design and Development Changes

Stable designs are very rare. Most designs are subject to frequent changes sometimes

before the design process is finished. It is as important to control these changes as it is to

control the original design and development process. It should be clear how these

changes are handled and what effects they have on the product. Most organizations

choose to handle any changes to designs similar to the way new designs are handled.

Page 36: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 36 of 60

7.4 PURCHASING

Comply 7.4.1 Purchasing Process Y N

N/A

The organization shall ensure that purchased product conforms to specified purchase requirements. The type and extent of control applied to the supplier and the purchased product shall be dependent upon the effect of the purchased product on subsequent product realization or the final product. The organization shall evaluate and select suppliers based on their ability to supply product in accordance with the organization’s requirements. Criteria for selection, evaluation and re-evaluation shall be established. Records of the results of evaluations and any necessary actions arising from the evaluation shall be maintained (see 4.2.4).

Guidance

7.4.1 Purchasing Process

An organization can do an excellent job of controlling its own activities, but if suppliers

are not performing satisfactorily, the organization and its customers may be negatively

affected. It is crucial that suppliers are controlled, especially if they are particularly

important for the operation of an organization.

This requirement of ISO 9001:2000 is related to ensuring that organizations get good

products from their suppliers. Obviously not all suppliers are equally important. The

standard requires more energy to be spent on those suppliers that have the most impact on

the quality of the organization’s product/services. For example, a metal fabricator will

need to put emphasis on the control of the supplier of steel rather; while a repair service

will need to put emphasis on the control of the supplier of new and/or refurbished

replacement parts.

- Organizations need to identify which materials and services that they buy most affect

the quality of their products/services. Note: the requirements of Clause 7.4 also

apply to products that are acquired without any payment being made; this requirement

would probably be clearer this section referenced acquired products/services, rather

than purchased products/services.

- Then they need to establish criteria for the evaluation and selection of suppliers that

can provide these materials and services.

- Finally, they need to define a system for on-going supplier monitoring and periodic

re-evaluation to determine if/when improvement or other action is needed.

Page 37: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 37 of 60

7.4 PURCHASING (continued)

Comply 7.4.2 Purchasing Information Y N

N/A

Purchasing information shall describe the product to be purchased, including where appropriate: a) requirements for approval of product, procedures, processes and equipment; b) requirements for qualification of personnel; and c) quality management system requirements. The organization shall ensure the adequacy of specified purchase requirements prior to their communication to the supplier.

Guidance

7.4.2 Purchasing Information

While it is important that organizations are clear in ordering what they want, it is equally

important not to give unnecessary details in purchase orders. Purchase orders that are too

detailed can lead to confusion, and should therefore be avoided. Rather than describing

all the details of a product, it is often much better to limit the purchase order to simply

mentioning the catalogue number (as long as this is a unique number and the supplier has

the correct catalogue).

It is acceptable to give verbal instructions to a supplier, although this makes for ordering

complex products or services very difficult (for example, the services of an engineering

firm). In all cases, it is the intent of this requirement to avoid misunderstandings between

supplier and receiver. If an organization chooses to place a verbal order with a supplier, it

will need to keep a record of what was ordered. This enables the organization to verify

that it is actually getting what was asked for.

Finally, ISO 9001:2000 requires that the organization verify that purchasing information

is correct before communicating it to a supplier. This verification is usually done by the

purchasing manager or by the purchasing agent with input from quality or other technical

personnel. The effectiveness and efficiency of this process can be greatly enhanced

through automation, especially when integrated with other planning and resource

management processes.

Page 38: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 38 of 60

7.4 PURCHASING (continued)

Comply 7.4.3 Verification of Purchased Product

Y N

N/A

The organization shall establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchase requirements.

Where the organization or its customer intends to perform verification at the supplier’s premises, the organization shall state the intended verification arrangements and method of product release in the purchasing information.

Guidance

7.4.3 Verification of Purchased Product

An organization needs to ensure that the product or service from the supplier meets its

requirements. In most cases, this means that organizations verify the adequacy of the

product or service upon receipt. Sometimes, however, an organization chooses to visit the

supplier and perform this verification on their premises.

It is important to realize that ISO 9001:2000 does not require that all received product is

verified in all cases. For example, it does not make sense to do a 100% inspection on all

shipments of bolts, especially if these bolts hardly affect the quality of products and if the

supplier has proven to have a good history. The type and extent of the verification of

purchased product (or service) should depend on:

- the type of product or service that is being ordered;

- the history of the supplier;

- the characteristics of the supplier (for example: does it have a quality system in

place?)

Note: most organizations define receiving inspection activities as part of clause

8.2.4, Monitoring and Measurement of Product.

If an organization or its customers want to verify purchased product on the premises of

the supplier, then the organization needs to clearly indicate in the purchasing

documentation:

- what is going to be verified;

- how it is going to be verified.

Page 39: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 39 of 60

Comply

7.5 Production and Service Provision Y N

N/A

7.5.1 Control of Production and Service Provision

The organization shall plan and carry out production and service provision under controlled conditions. Controlled conditions shall include, as applicable

a) the availability of information that describes the characteristics of the product;

b) the availability of work instructions, as necessary;

c) the use of suitable equipment;

d) the availability and use of monitoring and measuring devices;

e) the implementation of monitoring and measurement; and

f) the implementation of release, delivery and post-delivery activities.

Guidance

7.5.1 Control of Production and Service Provision

This clauses addresses general ‘job’ planning and control activities, including the

establishment of production plans/schedules and other information and resources needed

to carry out specific work assignments, including:

- The availability of information that specifies the characteristics of the products (for

example: drawings, specifications, and other product/service specific information).

- The availability of work instructions; includes only those needed by ‘competent’

personnel (clause 6.2.2) or where the absence of such instructions could adversely affect

the quality of the product, usually identified during product quality planning (clause 7.1).

- The use of suitable equipment for production and service operations, usually identified

during product quality planning (clause 7.1) and maintained per clause 6.3.

- The availability and use of monitoring and measuring devices and the implementation of

monitoring activities, usually identified during product quality planning (clause 7.1) and

controlled per clause 7.6.

- The release and storage/delivery of finished goods/services, and (where applicable) any

post-delivery activities. It must be clear how product is released and delivered to the

customer. For example, delivery can be done by the organization itself or by a

subcontractor; or the customer can pick up the product. In some cases there is a (written

or verbal) requirement for the organization to perform additional activities after the

delivery of the product to the customer; it should be clear how these activities are

performed, and there should be procedures in place for critical activities.

Page 40: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 40 of 60

Comply 7.5 Production and Service Provision (continued)

Y N N/A

7.5.2 Validation of Processes for Production and Service Provision

The organization shall validate any processes for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement. This includes any process where deficiencies become apparent only after the product is in use or the service has been delivered. Validation shall demonstrate the ability of these processes to achieve planned results. The organization shall establish arrangements for these processes including, as applicable:

a) defined criteria for review and approval of the processes;

b) approval of equipment and qualification of personnel;

c) use of specific methods and procedures;

d) requirements for records (see 4.2.4); and

e) revalidation.

Guidance

7.5.2 Validation of Processes for Production and Service Provision

Verification/inspection of products before they are provided to the customer is a valuable

opportunity to prevent delivery of product that does not meet customers’ requirements.

However, sometimes it is not possible to fully verify the quality of the product without

using or destroying it. For example, it is not possible to fully verify the strength of a

weld unless a destructive test is performed or the product is actually used. Similarly, for

many service industries, the service provided is instantaneous, which does not readily

allow verification before delivery of that service. For example, a lawyer who defends a

client in court is obviously not able to verify his services before delivery. Failure to

represent the client correctly will only be detected when the judge rules.

In these cases the activities can only be controlled (validated) with the use of qualified

personnel, qualified equipment, and qualified processes based on a set of specified

procedures or criteria. A process can be qualified, for example, by doing a destructive

test on a sample of the products. The results of this destructive test can then represent

other products with the same characteristics. ISO 9001:2000 requires that records be

maintained for activities that require validation.

It should be noted that validation is only necessary if there is a risk of providing product

that does not meet customers’ requirements. For example, esthetic welding may not have

to be validated if it does not affect the quality of the product.

Page 41: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 41 of 60

Comply

7.5 Production and Service Provision (continued) Y N

N/A

7.5.3 Identification and Traceability

Where appropriate, the organization shall identify the product by suitable means throughout product realization.

The organization shall identify the product status with respect to monitoring and measurement requirements.

Where traceability is a requirement, the organization shall control and record the unique identification of the product (see 4.2.4).

Guidance

7.5.3 Identification and Traceability

Activities can only be controlled if it is clear what the product is and where it is in the

product realization process (i.e. its status). Clear identification of the product can avoid

misunderstandings about what has happened to it and what still needs to happen.

For example, product in the receiving area of a manufacturing plant should be clearly

marked as to whether a required receiving inspection has taken place. If a receiving

inspection has taken place, it should be clear what the result of this inspection was (pass

or fail). Similarly, material that is used in a machine shop should be identifiable as to

which specific job it belongs, and in which stage of production it is. In the service

industry, this requirement may have similar importance. For example, a courier service

cannot function without clear identification on the packages as to which services are

required (delivery time, registration, etc.), and a warehouse/distributor will need to have

some way of identifying the product in stock.

There are several ways of identifying products. The most obvious is using tags or

stickers with part numbers, bar codes, job numbers, etc. The identification may be

engraved in the product itself, or the product may simply be marked by a color.

Sometimes it is more practical to identify a product by its location. For example,

deficient product may be identified as nonconforming by segregating it and placing it in a

specific area that is marked “nonconforming product”. In all cases ISO 9001:2000

requires that it is clear if the product has been verified/inspected and that the results of the

inspection are also clear.

Sometimes traceability is a customer specified requirement (and even regulated). For

example, in pressure vessel manufacturing, it is common for the identification of a given

material to be recorded and traced through all manufacturing stages. In this way, the

final components can be traced back to the original material certificate. If traceability is

required, ISO 9001:2000 states that the material be uniquely identified and that records

are maintained that show evidence of traceability to specified or other appropriate degree.

Page 42: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 42 of 60

Comply 7.5 Production and Service Provision (continued)

Y N N/A

7.5.4 Customer Property

The organization shall exercise care with customer property while it is under the organization’s control or being used by the organization. The organization shall identify, verify, protect and safeguard customer property provided for use or incorporation into the product. If any customer property is lost, damaged or otherwise found to be unsuitable for use, this shall be reported to the customer and records maintained (see 4.2.4).

Guidance

7.5.4 Customer Property

If there are any products, materials, or tools on an organization’s premises that are owned

by a customer, workers must exercise care with this property. This means that they must

ensure that the property is and remains suitable for use or processing. If it is lost or

damaged, this needs to be recorded and the customer needs to be notified.

Customer property should be identified and verified (for example, by performing a

receiving inspection). Examples of customer property are: motor vehicles left for service

or repair, clothing that a customer left at a laundry, customer-owned material in a

warehouse or proprietary information provided to aid in planning, design, manufacture,

installation or delivery.

At a minimum, customer property should be handled, stored and processed with the same

level of care and control as applies to the organization’s own property (see clause 7.5.5).

Page 43: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 43 of 60

Comply

7.5 Production and Service Provision Y N

N/A

7.5.5 Preservation of Product

The organization shall preserve the conformity of product during internal processing and delivery to the intended destination. This preservation shall include identification, handling, packaging, storage and protection. Preservation shall also apply to the constituent parts of a product.

Guidance

7.5.5 Preservation of Product

Obviously it is as important that an organization handle its own product/material with

care, as it is to protect customer’s property. Some common examples of where special

handling techniques are required are:

- Metals handling where stainless steel can have corrosion resistance impaired if the

stainless steel is handled with ordinary steel grips or chains. Covering the grips, chains,

and other handling tools with rubber, plastic, or similar materials is the usual practice.

Most copper-based metals are susceptible to corrosion from finger marks. Where

corrosion may affect performance, such as in printed circuit boards or decorative

applications, gloves need to be worn to prevent such marking.

- Food handling where cleaning of utensils after use is very necessary, for health reasons.

- Electrical and electronic equipment where safe handling practices are required to avoid

damage from electrostatic discharges.

Similarly, packing or packaging needs to be done in such a way that it does not adversely

affect product quality. Packaging should be appropriate to the product. For example,

bulk grain may be packed by filling the carrying container, provided the container does

not contaminate the product. On the other hand, the packaging of certain chemicals is

regulated to ensure that they do not spill or contact with water.

Also, unsuitable storage can deteriorate the condition of product. The organization

should define its system of inventory control (including the identification of various types

of storage areas and the applicable controls in place for each area of type of area).

Product in stock must be protected, especially if the product has a limited shelf life.

Checking the condition of product in stock regularly can do this.

Finally, the organization should describe its methods for delivering product/service to the

customer and for ensuring protection to final destination.

Page 44: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 44 of 60

Comply

7.6 Control of Monitoring and Measuring Devices Y N

N/A

The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring devices needed to provide evidence of conformity of product to determined requirements (see 7.2.1).

The organization shall establish processes to ensure that monitoring and measurement can be carried out and are carried out in a manner that is consistent with the monitoring and measurement requirements.

Where necessary to ensure valid results, measuring equipment shall be:

a) calibrated or verified at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; where no such standards exist, the basis used for calibration or verification shall be recorded;

b) adjusted or re-adjusted as necessary;

c) identified to enable the calibration status to be determined;

d) safeguarded from adjustments that would invalidate the measurement result;

e) protected from damage and deterioration during handling, maintenance and storage.

In addition, the organization shall assess and record the validity of the previous measuring results when the equipment is found not to conform to requirements. The organization shall take appropriate action on the equipment and any product affected. Records of the results of calibration and verification shall be maintained (see 4.2.4).

When used in the monitoring and measurement of specified requirements, the ability of computer software to satisfy the intended application shall be confirmed. This shall be undertaken prior to initial use and reconfirmed as necessary.

Guidance

7.6 Control of Monitoring and Measuring Devices

Verifications, inspections and tests are important ways to ensure that the product meets

the customer requirements and expectations. This can be done by monitoring and

measuring the characteristics of the product (see clause 8.2.4). For example, a pharmacist

measures the exact amount and weight of the medicine before providing it to the

customer. However, if his measuring device (an electronic scale) is measuring

incorrectly, or if it is not accurate enough, then the measurement is useless.

Therefore, this section of ISO 9001:2000 requires organizations to ensure that

measurement devices are capable (precise and accurate enough) and controlled so that

they consistently provide accurate measures. Examples of measurement and monitoring

devices are: scales, gages, thermometers, micrometers, calipers, and thickness meters.

Most monitoring and measurement devices will require periodic calibration. Calibration

is the act of comparing the measurement device against a reference standard to determine

how accurate it is and whether or not it is still capable of meeting the precision required

for the measurement made with it. Where necessary, the measuring device needs to be

adjusted.

Page 45: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 45 of 60

7.6 Control of Monitoring and Measuring Devices – Guidance (continued)

Organizations are free in determining the frequency of calibration, provided that the

frequency is consistent with the type of measurement device and the intensity of use.

For a reference standard to have validity, it must be traceable back to an appropriate

recognized accurate source. This is normally a national or international standard (such as

a meter or a kilogram). If an (inter)national standard does not exist, then the organization

needs to define the reference standard on its own.

It is important to determine how accurate the measurements need to be; this will depend

upon how much tolerance is permissible in what is being measured. A measuring device

usually has to be capable of measuring to a much closer tolerance than the tolerance

specified for the item being measured. Also, there is no point in having measurement

devices calibrated to unnecessarily high precision if that precision is not needed for the

operation. A pharmacist typically needs high accuracy equipment, while the accuracy of

a wire cutter used by a distributor is relatively low.

The results of the calibrations need to be recorded. If the measuring device appears to be

out of calibration, then it is necessary to look at the results of the measurements that were

previously taken with this device. For example, if a scale is out of calibration, someone

may need to re-inspect the product that was recently inspected with this device (provided

the product has not yet been shipped to the customer). Organizations need to decide

which corrective action is appropriate (see clause 8.5.2).

It is important to protect a measuring device from damage or deterioration. This means

that it must be suitably stored when not in use, and it must be correctly handled. Also,

adjustments may invalidate the calibration; a possible prevention method is to ensure that

only trained personnel are authorized to use the measuring device.

Sometimes computer software is used in the process of monitoring and measurement of

requirements. If this is the case, the software must be checked to verify that it performs

the required functions.

Page 46: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 46 of 60

8 MEASUREMENT, ANALYSIS AND IMPROVEMENT Comply

8.1 General Y N

N/A

The organization shall plan and implement the monitoring, measurement, analysis and improvement processes needed: a) to demonstrate conformity of the product; b) to ensure conformity of the quality management system; and c) to continually improve the effectiveness of the quality management system.

This shall include determination of applicable methods, including statistical techniques, and the extent of their use.

Guidance

8.1 General

The previous sections relate to organizing activities in such a way that customer

requirements and expectations are consistently met. An organization that has met those

requirements has the controls in place, but does not necessarily know if the controls are

working. In order for an organization to improve, it needs to have information on where

it stands today. How satisfied are the customers? Does the organization actually meet all

requirements? Are activities (processes) effectively and efficiently organized? Does the

product actually meet the expectations? And, what happens if the product does not meet

the expectations?

The answers to these questions are related to the requirements in this section.

Improvement will result from analyzing this information and taking the necessary

corrective, preventive and/or other improvement action.

The information that organizations need to plan for improvement does not have to be

sophisticated. Usually a few crucial pieces of information or a short summary can give

enough information to determine if action is necessary. Organizations should define

what is the crucial information that they need and how they will analyze it for decision-

making.

The organization should also discuss its plans for using statistical tools to monitor and

measure product and processes for effectiveness and/or improvement.

Page 47: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 47 of 60

8 MEASUREMENT, ANALYSIS AND IMPROVEMENT Comply

8.2 Monitoring and Measurement Y N

N/A

8.2.1 Customer Satisfaction As one of the measurements of the performance of the quality management system, the organization shall monitor information relating to customer perception as to whether the organization has met customer requirements. The methods for obtaining and using this information shall be determined.

Guidance

8.2.1 Customer Satisfaction

Probably one of the most crucial categories of information is the satisfaction of

customers. Since customers determine the future of organizations, it needs to be

determined how satisfied they are. In order to do this, organizations need to know which

issues are important for their customers and then define how they will measure the

customer’s perception of how well they’re doing with regards to these issues.

One way of getting information about how dissatisfied customers are is to monitor the

customer complaints. However, it is important to realize that this will give a very limited

picture. First, it is quite common that only a small portion of dissatisfied customers

actually complain. Second, customer complaints do not give any information about

satisfied customers or the level of customer satisfaction. Note: per notes contained in the

definition of customer satisfaction (see ISO 9000:2000) the absence of complaints/returns

does not necessarily mean there is a high level of customer satisfaction. Customer

satisfaction can be objective and subjective.

Examples of objective information are:

• Did the customer receive the product before 5:00 PM, as required?

• Was the shipment complete?

Examples of subjective information include:

• Is the customer satisfied with the way we answered their questions and concerns?

• Is the customer satisfied with the performance of a product or delivery of a

service?

Page 48: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 48 of 60

8.2.1 Customer Satisfaction (continued)

There are several ways of measuring customer satisfaction. Examples are:

• Questionnaires and surveys. This is a relatively cost effective way of measuring

customer satisfaction, but the downside is that the response may be low. A better

strategy is to periodically survey key customers or customer groups.

• Direct communication with customers. This is much more time consuming, but it

is an excellent way of getting to know the needs of customers, and the method

itself can contribute to raising customer satisfaction. However, very little ‘extra

time’ is needed if customer contact personnel conduct a ‘mini’ survey during their

‘routine’ customer contacts (i.e. phone calls, interviews, conferences, meetings)

and quantify/summarize results in a manner that will result in actionable data.

• Customer ratings and ‘report cards’ (typical in many industries, especially

automotive).

• Reports of consumer organizations. This information gives a good overview, but

is not always available and seldom gives information about individual customers.

Comply 8.2.2 Internal Audit

Y N N/A

The organization shall conduct internal audits at planned intervals to determine whether the quality management system: a) conforms to the planned arrangements (see 7.1), to the requirements of this

International Standard and to the quality management system requirements established by the organization; and

b) is effectively implemented and maintained. An audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure.

The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results

Page 49: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 49 of 60

Guidance

8.2.2 Internal Audit

A second source of information is a periodic self-assessment (internal audit). This allows

an organization to determine the strengths and weaknesses of the quality system in place.

It should become apparent whether or not the quality system meets the requirements of

this standard and if the system has been effectively maintained.

ISO 9001:2000 requires that the responsibilities and requirements for conducting internal

audits be documented in a procedure.

Audits should be planned and conducted based on the status and importance of the area,

function, process or system involved. Critical, new or changed processes/systems, and

departments (or functions) that have been recently reorganized should be audited more

frequently and/or more in-depth than others. Similarly, any data indicating a weakness

exists (i.e. customer complaints or previous audit findings) should be used to identify

processes or departments/functions that deserve more attention during internal audits.

Each organization should appoint an internal auditor who is qualified (see clause 6.2.1).

The audit process itself must be objective and impartial and auditors cannot audit their

own work. An auditor should look for evidence of compliance to the requirements. Are

the activities done as planned (i.e. as defined in quality system documents)? Do managers

have data that demonstrates process/system effectiveness? Are corrective, preventive or

other improvement actions taken as planned? Are actions taken effective? This is not an

exercise in finding mistakes. Rather, it is gathering information about the system so that

the organization knows its strengths and weaknesses and can therefore improve.

Evidence of compliance can be collected, for example, by interviewing people, observing

activities and looking at records and procedures.

Page 50: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 50 of 60

8.2.2 Internal Audit (guidance continued)

The process approach advocated by ISO 9001:2000 should also be applied to internal

auditing. Checklists should be ‘avoided’ as the ‘tool of choice’ because the tend to look

at things (quality system elements, etc.) in isolation. The key to conducting effective

process based audits begins in Clause 4.1 … i.e. how the organization defines its

processes and criteria for effectiveness. If properly defined, any process can be assessed

for effectiveness according to the following criteria:

Quality products are consistently provided to the (internal or external) customer

(based on stated objectives for product or process performance)

Risks to the (internal or external) customer are minimized (i.e. controls in place are

working to minimize a known or anticipated risk)

Interfaces are effective (process outputs meet input requirements at next stage of

processing and/or communications within or across organizations is effective)

Systems (or subsystems) are operating efficiently

'Value added' internal audits can be a great resource for improvement ideas, preventive

actions and data that managers can use to determine if/when a process is effective

(accomplishes desired results) and efficient (with a minimum amount of resources).

Value added internal audit activities should only be carried out with management’s

blessing; include them in the scope of each audit if/when desired by management.

Organizations need to keep records of the results of internal audits. This can be done on

a checklist or on a report. Either way, it should be clear which requirements have been

audited and which areas were or were not in compliance with the requirements.

These results then need to be reported to management so that timely corrective,

preventive or other improvement actions can be taken where necessary.

In assessing audit evidence, there also needs to be a decision-making process. Essentially

it is the responsibility of the internal auditor to clearly state the problem (or opportunity

for improvement) in a manner that facilities decision making. Management will view the

internal audit process as ‘non-value added’ if facts or conditions are misstated or If

additional data is needed to determine the extent of nonconformance (or poor

performance); in other words … more data is needed to make an informed decision.

Auditors should always view themselves are internal resources / consultants for

management and ask: “Is the condition clearly stated and put in context?”; if not, it is

probably best left unsaid.

Page 51: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 51 of 60

8.2.2 Internal Audit (guidance continued)

Audit results must also be followed up to ensure actions were taken and effective (keep in

mind that completion of an action does not mean it ‘worked’, or accomplished its stated

objective)

Clause 8.2.1.3 of ISO 9004:2000 states that top management should ensure the

establishment of an effective and efficient internal audit process to assess the strengths

and weaknesses of the quality management system. The internal audit process acts as a

management tool for independent assessment of any designated process or activity. The

internal audit process provides an independent tool for use in obtaining objective

evidence that the existing requirements have been met, since the internal audit evaluates

the effectiveness and efficiency of the organization. Management can influence the

quality of internal audits by clearly stating expectations (through in-briefs and/or other

pre-audit activities). Planning for internal audits should be flexible in order to permit

changes in emphasis based on findings and objective evidence obtained during the audit.

Relevant input from the area to be audited, as well as, from other interested parties,

should be considered in the development of internal audit plans. Examples of subjects

for consideration by internal auditing include:

Effective and efficient implementation of processes,

Opportunities for continual improvement,

Capability of processes,

Effective and efficient use of statistical techniques,

Use of information technology,

Analysis of quality cost data,

Effective and efficient use of resources,

Process and product performance results and expectations,

Adequacy and accuracy of performance measurement,

Improvement activities, and

Relationships with interested parties.

Internal audit reporting sometimes includes evidence of excellent performance in order to

provide opportunities for recognition by management and motivation of people.

While not required, management should also ensure actions are taken in response to

opportunities for improvement identified during internal audits.

Page 52: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 52 of 60

Comply 8.2.3 Monitoring and Measurement of Processes

Y N N/A

The organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate, to ensure conformity of the product.

Guidance

8.2.3 Monitoring and Measurement of Processes

The third source of information is related to measurement of processes (activities).

Organizations need to determine how they are going to measure whether activities are

being adequately carried out. Examples of measurements of activities are:

- Timeliness. A certain operation may typically take 15 minutes. How often is this

operation being performed in 16 minutes or more?

- Efficiency. How much of a certain type of material is processed in one hour? How many

people were involved in producing one batch?

- Reaction time. What was the reaction time of people to special internal or external

requests/concerns (such as customer complaints)?

- Cost reduction. What was the reduction of costs related to not meeting the requirements?

An example of these costs is premium freight: extra costs of high-speed delivery because

of excessive production times.

Process monitoring and measurement activities are typically used to minimize the need

for or reliance on product inspection and test to ensure product quality.

Process monitoring activities can include operator process monitoring (usually defined in

work instructions established per clause 7.5.1).

In addition, the organization should define more ‘formal’ process monitoring activities

(including methods for monitoring process performance against established parameters or

other desired results) and define actions for process adjustment to minimize product or

service nonconformities.

Page 53: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 53 of 60

Comply

8.2.4 Monitoring and Measurement of Product Y N

N/A

The organization shall monitor and measure the characteristics of the product to verify that product requirements have been met. This shall be carried out at appropriate stages of the product realization process in accordance with the planned arrangements (see 7.1). Evidence of conformity with the acceptance criteria shall be maintained. Records shall indicate the person(s) authorizing release of product (see 4.2.4). Product release and service delivery shall not proceed until the planned arrangements (see 7.1) have been satisfactorily completed, unless otherwise approved by a relevant authority and, where applicable, by the customer.

Guidance

8.2.4 Monitoring and Measurement of Product

A fourth source of information is based on measurements of the characteristics of the

product (inspections and tests). This may be a verification of quantity, dimensions,

weight, thickness, hardness, etc. Basically, it covers any activity that determines whether

something is acceptable.

Each individual organization needs to decide where these inspections and tests should be

carried out. The general rule is that they should be performed at critical stages of

processes. Typically, this is the case when a product is passed on to the next production

stage or when there is a substantial risk of errors or deficiencies. A car manufacturer will

want to perform several in-process inspections and inspections of parts because without

these inspections a deficiency may not be detected later, or it may be very costly to

correct it.

Similarly, the types of inspections or tests performed should be dependent on the critical

nature of the product or the process. In some cases, such as a repair service center

receiving new or refurbished replacement parts, an inspection may be as simple as

checking the type and number of parts received.

Inspections of final products are always critical because there will not be opportunity to

correct any deficiencies after this point. At a minimum, a final ‘audit’ should be

performed to ensure all planned activities (including all key product/service realization

processes and related product/service inspections and tests) have been performed as

planned with satisfactory results.

Page 54: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 54 of 60

8.2.4 Monitoring and Measurement of Product – Guidance (continued)

In performing inspection and testing, 100% of the product does not have to be tested.

There are many products made where a sampling procedure is used and the batch passed

or rejected on the basis of the sample. The subsequent detection of nonconforming

product (see 8.3) does not mean that the sampling procedure is incorrect. However, a

continuing and perhaps higher than expected level of nonconformances may suggest that

the sampling plan or procedure needs investigating.

Obviously, an inspection or test is only useful if the acceptance criteria are known. The

result of the inspection or test is either a pass or a fail, based on these acceptance criteria.

Preferably, acceptance criteria should be measurable (such as in dimensions or

quantities), but they can also be subjective, for example criteria for visual inspections or

taste tests.

The results of inspections and tests need to be recorded. Examples of inspection records

are checklists, pick tickets, job cards, or work orders. In any case, it is wise to use the

records that are already in use by the organization as much as possible. For example, in

small machine shops with only a few employees, it is common practice for machine

operators to inspect their own work before passing it on to the next machining station.

Consecutive operators sign a job card as it follows the work in progress. This is a good

practice because the work of the next operator down the line is affected if the ‘incoming’

work is not correct. Also, the next operator can check the previous operator’s work.

The record should clearly state who performed the inspection and what the result of the

inspection was (pass/fail).

If an inspection or test needs to be performed, then product should not proceed to the next

activity or production stage until the inspection or test has been completed with positive

results. A product can only be released without inspection or test if there is an

appropriate approval, usually provided by the customer.

Page 55: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 55 of 60

Comply

8.3 Control of Nonconforming Product Y N

N/A

The organization shall ensure that product which does not conform to product requirements is identified and controlled to prevent its unintended use or delivery. The controls and related responsibilities and authorities for dealing with nonconforming product shall be defined in a documented procedure.

The organization shall deal with nonconforming product by one or more of the following ways:

a) by taking action to eliminate the detected nonconformity;

b) by authorizing its use, release or acceptance under concession by a relevant authority and, where applicable, by the customer;

c) by taking action to preclude its original intended use of application.

Records of the nature of nonconformities and any subsequent actions taken, including concessions obtained, shall be maintained (see 4.2.4).

When nonconforming product is corrected it shall be subject to re-verification to demonstrate conformity to the requirements.

When nonconforming product is detected after delivery or use has started, the organization shall take action appropriate to the effects, or potential effects, or the nonconformity.

Guidance

8.3 Control of Nonconforming Product

It is important that inspections are carried out; it is equally important that people know

what to do with the nonconforming (deficient) product if it fails the inspection. Most

importantly, organizations should ensure that nonconforming products are not treated as

conforming product and delivered to the customer. Control of nonconformity should be

done by clearly identifying the product as nonconforming. Segregation in designated

areas and marking of the product are the most obvious examples.

Someone in each organization should have the authority to decide what to do with

nonconforming product. The product may be corrected by repairing, reworking, or re-

grading for alternative applications. If all other approaches fail, the product can be

scrapped.

Unless it is scrapped, the nonconforming product (after repair, rework, etc.) should be re-

inspected. Sometimes it is an option to use nonconforming product and release it to the

customer. This is only allowed with a concession (approval) from the customer and/or

other parties.

Note: Nonconforming service cannot be segregated, regraded for alternate use or

scrapped, but it needs to be clearly identified and the disposition documented (usually

rework or other customer approved action).

Page 56: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 56 of 60

8.3 Control of Nonconforming Product – Guidance (continued)

In the event that a nonconformance is detected after delivery, appropriate actions need to

be taken. For example, if a catering company discovers that it has inadvertently used

processed meat that was past its ‘use-by-date’ (shelf life), a number of actions might be

required to fix the problem:

- investigate to find out the extent of the problem; / segregate and quarantine the

product;

- recall the product from retail outlets and customers; / involve regulatory authorities.

For service industries, it may be difficult or impossible to physically identify or segregate

nonconforming service. These organizations, however, are still required to ensure that

the nonconforming service does not reach the customer, where possible, and to correct

the problem.

ISO 9001:2000 requires that a documented procedure describe how nonconforming

products are controlled, as well as the related responsibilities and authorities.

Comply

8.4 Analysis of Data Y N

N/A

The organization shall determine, collect and analyse appropriate data to demonstrate the suitability and effectiveness of the quality management system and to evaluate where continual improvement of the effectiveness of the quality management system can be made. This shall include data generated as a result of monitoring and measurement and from other relevant sources.

The analysis of data shall provide information relating to

a) customer satisfaction (see 8.2.1);

b) conformity to product requirements (see 7.2.1);

c) characteristics and trends of processes and products including opportunities for preventive action; and

d) suppliers.

Guidance

8.4 Analysis of Data

ISO 9001:2000 requires the collection and analysis of a lot of data. Organizations rely on

this information to make important decisions. It is not enough for companies to sift

through data, looking for defects on a case-by-case basis (that's "firefighting, not fact

based decision making). However, before any amount of data is analyzed, it must be

proven reliable. Most organizations have plenty of data (maybe even too much), but it is

simply unfit for decision making because it is obsolete, duplicated, or just plain wrong,

What organizations need to do is to get serious with data, both in terms of quality and

quantity. Once (and only if) data is reliable, then it must be analyzed over time to

provide a sound basis for decision making.

Page 57: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 57 of 60

8.4 Analysis of Data (guidance continued)

Data is only valuable if it is analyzed and actionable. For example, the data may indicate

that there was an increase in the number of nonconforming products in a certain period.

However, it is only possible for an organization to take the necessary action (see 8.5) if it

is provided with an analysis of this data. For example: What was the type of

nonconforming product? What was the main cause of the nonconformances? Were there

any circumstances that were different from previous periods? Is this problem confirmed

by other sources of information, such as internal audits?

The results of the analysis should enable organizations to answer the following questions:

How satisfied are customers? Are customers’ requirements being met? Do processes

and products meet the requirements? How do suppliers perform?

Comply 8.5 Improvement

Y N N/A

8.5.1 Continual Improvement The organization shall continually improve the effectiveness of the quality management system through the use of the quality policy, quality objectives, audit results, analysis of data, corrective- and preventative actions and management review.

Guidance

8.5 (general)

General guidance on distinguishing different types of ‘management actions’,

including improvement actions, corrective actions and preventive actions.

Improvement actions are fairly straightforward: there will be a need to improve

performance to achieve desired results (usually individual or organizational performance

goals/targets; occasionally these are also defined by the customer). The decision to take

action should be based on priorities established to achieve the target … in view of the

anticipated costs/benefits. Effectiveness is achieved if desired results / benefits are

achieved within planned or anticipated costs and timeframes.

There is often confusion on the differences between correction, corrective action, and

preventive action. Correction is the action to eliminate a detected nonconformity, e.g.,

reworking or regrading a product so it becomes conforming. Corrective Action is the

action to eliminate the cause of a detected nonconformity to prevent its recurrence.

Preventive Action is the action to eliminate the cause of a potential nonconformity to

prevent its occurrence.

Page 58: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 58 of 60

8.5 (general guidance continued)

Assessing effectiveness of an organization’s correction and corrective action processes is

relatively straightforward, because the results and effectiveness of these processes are

usually well defined: i.e., if the organization has already identified a nonconformity, it

should be simple to evaluate the process the organization used (or is planning to use) to

correct it, and whether or not this will be effective in avoiding recurrence of the

nonconformity. However, if there is no nonconformity to start with, and if the preventive

action is effective, the status quo will be maintained. This raises the difficulty of

assessing effectiveness of actions resulting in maintenance of the ‘status quo’; more later.

8.5.1 Continual Improvement

Each organization should continually seek to improve, rather than wait for a problem to

reveal opportunities for improvement. Potential improvements can range from short

projects to long-term activities. Examples are:

- Sitting down with the most important suppliers in order to increase the effectiveness

of the communication and to reduce nonconformances;

- Making an action plan to reduce the reject from a certain type of machine;

- Finding opportunities to reduce the delivery time.

Continual improvement should be based on all relevant information available. Audit

results and other data should be analyzed and compared with the policy and objectives so

that corrective and preventive actions can be taken to ensure continual improvement.

Management reviews should be used as tools for enhancing this improvement process

itself and/or as a critical source for high level improvement initiatives driven by the

organization’s business plan, customer expectations, market research, etc.

Often, it is not practical or advisable to take all needed actions at once, so it becomes

necessary to prioritize improvement actions on the basis of their status and importance to

determine when action should be taken. The output of the continual improvement

planning process should be a list of improvement initiatives and anticipated results. The

effectiveness of these actions should be reviewed as a normal part of the

corrective/preventive action processes (see clause 8.5.2 and clause 8.5.3) or during

management reviews (see clause 5.6)

Page 59: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 59 of 60

Comply

8.5.2 Corrective Action Y N

N/A

The organization shall take action to eliminate the cause of nonconformities in order to prevent recurrence. Corrective actions shall be appropriate to the effects of the nonconformities encountered. A documented procedure shall be established to define requirements for

a) reviewing nonconformities (including customer complaints);

b) determining the causes of nonconformities;

c) evaluating the need for action to ensure that nonconformities do not recur;

d) determining and implementing action needed;

e) records of the results of action taken (see 4.2.4); and

f) reviewing corrective action taken

Guidance

8.5.2 Corrective Action

Every indication of a failure (i.e. complaint, rejection, audit finding, return, etc.) requires

an immediate correction. In addition, the organization needs to evaluate whether a

corrective action is needed to prevent (or minimize the likelihood of) the failure from

recurring.

This requirement is related to ensuring that corrective actions are identified, taken and

verified for timely and effective implementation.

This involves finding the cause of the problem, recording the results of the action taken

and verifying that the action was effective.

The intent of this requirement is to have a disciplined approach to problem solving (i.e.

identifying the root cause of the problem, the actual costs with the failure, and the

potential costs/risks associated with taking no action to prevent its recurrence.

Corrective actions are ineffective when they do not achieve desired results (usually

meaning, the problem/failure recurs).

Page 60: 2000 ISO 9000 Implementation Guide - MISSION2MNC · Please note that ISO 9001:2000 does not in all cases require documented procedures. In some cases there is no need to document

Page 60 of 60

Comply

8.5.3 Preventive Action Y N

N/A

The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be appropriate to the effects of the potential problems. A documented procedure shall be established to define requirements for a) determining potential nonconformities and their causes; b) evaluating the need for action to prevent occurrence of nonconformities; c) determining and implementing action needed; d) records of results of action taken (see 4.2.4); and e) reviewing preventive action taken.

Guidance

8.5.3 Preventive Action

It is better to prevent a problem from occurring than to correct a new or recurring

problem. Based on the information available to them, organizations must identify ways

of preventing problems from occurring in the first place. Examples of preventive actions

are:

- purchasing additional tools or machinery, because of an expected increase in

activities or production;

- checking computer systems to see if they are capable of handling information from a

new customer;

- introducing a new identification system for nonconforming product, so that any

potential misunderstandings can be avoided;

- providing training on new processes, equipment, customer requirements, etc.

Preventive actions are usually handled in the same way as corrective actions, just with a

different ‘focus’.

This involves finding the cause of the potential problem or failure, recording the

anticipated results of the action taken and verifying that the action was effective.

The intent of this requirement is to have a disciplined approach to risk analysis (i.e.

identifying the root cause of the potential problem and the potential costs/risks associated

with taking no action to prevent its occurrence.

Preventive actions are ineffective when they do not achieve desired results (usually

meaning, the problem/failure occurs or the risk of its occurrence actually increases).