2000 iso 9000 implementation guide - mission2mnc · please note that iso 9001:2000 does not in all...
TRANSCRIPT
Page 1 of 60
IsoQual, Inc.
ISO 9001:2000
Requirements Checklist and
Implementation Guide
for use in conjunction with:
ISO9001:2000 Checklist and Audit Guide
Internal Auditor Training Package, and
Process Assessment Worksheets
for delivery of Internal Auditor Training
and/or
Management / ISO 9000 Implementation Team Training
Page 2 of 60
4 QUALITY MANAGEMENT SYSTEM
Comply 4.1 General Requirements
Y N N/A
The organization shall establish, document, implement and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard.
The organization shall
a) identify the processes needed for the quality management system and their application throughout the organization (see 1.2);
b) determine the sequence and interaction of these processes;
c) determine criteria and methods to ensure that both the operation and control of these processes are effective;
d) ensure the availability of resources and information necessary to support the operation and monitoring of these processes;
e) monitor, measure and analyze these processes; and
f) implement actions necessary to achieve planned and results and continual improvement of these processes.
These processes shall be managed by the organization in accordance with the requirements of this international Standard. Where an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system.
Guidance 4.1 General Requirements The quality management system should:
a. Identify the processes needed for the quality management system (i.e. those processes
needed to address requirements of ISO 9001:2000) and identify all activities that
affect the quality of the products or services you are in the business of providing.
Start by defining key processes associated with YOUR organization’s business cycle
… from initial contact with a potential customer to final delivery of the products or
services you are in the business of providing. Do not overlook processes that you
outsource to others; they are still critical to your business success and you must
manage them as well. You will ultimately need to be able to demonstrate where you
address requirements of ISO 9001:2000 in your business cycle.
Page 3 of 60
4.1 General Requirements (guidance continued)
b. Determine the sequence and interaction of these processes. Again, the simplest thing
to do is to map out (in flow chart) format YOUR business cycle. Most business
cycles follow the same PLAN-DO-CHECK-ACT (PDCA) model advocated by the
ISO 9000 standards. The key here is to depict how these processes interrelate and
form a system. Managing the ‘white space’ between processes is critical to overall
system effectiveness.
c. Determine criteria and methods needed to ensure the effective operation and control
of these processes. The key here is to define how you are going to know when key
business processes are effective (i.e. they accomplish desired results) with the overall
objective being to achieve high levels of customer satisfaction. Process controls over
inputs, transformation activities and outputs can then be established as needed to
ensure consistent results.
d. Resources and information are key inputs to any process and must be planned and
controlled to ensure effectiveness. Further, the quality management system IS
dynamic and must be continually monitored for effectiveness and improved as
needed. Change requires new or different resources and information … hence the
need to continually evaluate how these are planned and delivered to meet an ever
changing set of requirements: customers change; markets change; organizations
change; technology changes, and the people in an organization change.
e. Monitor, measure and analyze these processes. Improvement is only possible if you
know where you are starting from and where you want to go. Hence, measures of
effectiveness for key QMS process should be established, baseline performance
determined, and improvement objectives established where such improvement is
needed or desired. This means that you will need to collect baseline data, set
improvement objectives where needed, and monitor performance to ensure desired
results are achieved; if not, action should be taken.
f. An important addition in ISO 9001:2000 is the requirement to improve the quality
management system. Improvement is a planned activity through the establishment
and monitoring of performance against desired results. However, without action, all
the data in the world is relatively worthless. But since you can not improve
everything at once (and it would probably not be advisable to try to do so) you should
identify and prioritize improvement initiatives based on the status and importance of
the activity and the real or potential impact of taking no action.
Page 4 of 60
4.1 General Requirements (guidance continued)
Guidance on the process approach:
Organizations should adopt the process approach and assess the quality management
system through its natural workflow. Of course, this requires understanding the business
and its process linkages. For each process, the organization should (use tools such as
‘turtle diagrams and/or process assessment worksheets’ to) identify:
Inputs: What, when, and from whom?
Resources: With what people, materials, equipment?
Methods: How done (procedures and instructions)?
Controls: How monitored and why?
Measures: What are performance indicators (and objectives)?
Outputs: What is delivered, when, and to whom?
A broader view addresses how interrelated processes work together (as a system or
subsystem) to accomplish desired results. We advocate development and use of
‘deployment flow charts (DFC)’ (to depict both sequence of process steps and interaction
of process participants through the process flow). Simply stated, a horizontal line on a
DFC follows a process trail across functional areas (shows interfaces clearly), while a
vertical line simply show process activities/steps within a functional area (shows
sequence). So, DFCs are excellent tools for both defining, managing and improving the
sequence and interaction of an organization’s processes.
Guidance on ‘outsourced processes’:
An “outsourced process” is a process that the organization has identified as being needed
for its quality management system, but one which it has chosen to be carried out by an
external party. An outsourced process can be performed by a supplier that is totally
independent from the organization, or which is part of the same parent organization (e.g.,
a separate department or division not subject to the same quality management system). It
may be provided within the physical premises or work environment of the organization or
at an independent site.
The acquisition of an outsourced process will normally be subject to the requirements of
both ISO 9001:2000 clause 7.4 (Purchasing) and clause 4.1 (General Requirements). In
some situations, the organization might not actually “purchase” the outsourced process. It
might receive the service from a corporate office or from another division, without a
monetary transaction taking place. Under these circumstances, however, ISO 9001:2000
Clauses 7.4 and 4.1 are still applicable.
Page 5 of 60
Comply
4.2 DOCUMENT REQUIREMENTS Y N
N/A
4.2.1 General
The quality management system documentation shall include
a) documented statements of a quality policy and quality objectives;
b) a quality manual;
c) documented procedures required by this International Standard;
d) documents needed by the organization to ensure the effective planning, operation and
control of its processes; and
e) records required by this International Standard (see 4.2.4).
Guidance:
4.2.1 Document Requirements – General
ISO 9001:2000 requires that you document your quality policy, quality objectives, a
quality manual, procedures, planning documents and quality records. The standard has
become quite a bit less ‘prescriptive’ regarding the ‘format’ or media used; the bottom
line is that, with a few exceptions, organizations can document the quality management
system in any format suitable to their business as long as they can prove the information
is effectively communicated … and that desired results are achieved.
Procedures describe what is being done in an organization, who is doing it, and how the
results are recorded; procedures are typically cross functional (versus work instructions
which typically apply to individuals or individual work groups). Procedures are
necessary if/when an organization wants to clarify responsibilities and authorities and/or
consistent practices. Flow charts, if constructed properly, can also be used to depict the
same information contained in a ‘traditional’ procedure format. Keep in mind that your
quality management system is not a set of procedures describing every minute detail of
an organization’s operation … rather it is a well defined, but appropriate and user-
friendly balance of procedures, flow charts, job descriptions, work instructions and
forms, which will assist personnel in their day-to-day work.
Page 6 of 60
4.2.1 Document Requirements – General (guidance continued)
The key is to define your processes in whatever form/format suits you best. Some
(recommended) flow charting programs include:
Visio at <www.microsoft.com/office/visio>
SmartDraw at <www.smartdraw.com>
TeamFlow at <www.teamflow.com>
Flowcharter at <www.igrafx.com>
allCLEAR at <www.allclearonline.com>
Note: We (obviously) prefer/use Visio; however any of the above products are excellent
tools. PowerPoint also has an Autoshapes menu for basic flowcharting symbols and
lines. The Autoshapes menu is located within the Picture option of the Insert menu.
Autoshapes is also an option on the Drawing toolbar. We provide Visio files that require
Visio to edit, but you can also view these in other formats (objects in PowerPoint, e.g.),
and then create your own flow charts in whatever program that suits you best.
The effectiveness of procedures depends on how they are applied to an organization. In
other words, they should be tailored to an organization. In a small organization with
relatively simple processes and activities, procedures should (accordingly) be limited and
simple. Larger organizations with more complicated activities should have more detailed
procedures, but in all cases the procedures should still be as practical as possible.
Please note that ISO 9001:2000 does not in all cases require documented procedures. In
some cases there is no need to document existing practices. However, there must still be
a ‘something’ in place to ensure work is performed in a consistent way.
Note: The following documented procedures are required by ISO 9001:2001.
• Control of Documents (clause 4.2.3)
• Corrective Action (clause 8.5.2)
• Control of Records (clause 4.2.4)
• Preventive Action (clause 8.5.3)
• Internal Audit (clause 8.2.2)
• Control of Nonconforming Product (clause 8.3)
Page 7 of 60
Comply
4.2 DOCUMENT REQUIREMENTS (continued) Y N
N/A
4.2.2 Quality Manual
The organization shall establish and maintain a quality manual that includes
a) the scope of the quality management system, including details of and justification for any exclusions (see 1.2);
b) the documented procedures established for the quality management system, or referenced to them; and
c) a description of the interaction between the processes of the quality management system.
Guidance:
4.2.2 Quality Manual
The quality manual is the “road map” of the quality management system. It should give
readers an overview of how the quality management system operates.
The quality manual must state the scope of the quality management system. This can be
communicated in a single sentence stating exactly what the organization does. For
example, "The design and manufacture of class 'A' widgets at our facility located at …"
Exclusions to the standard must be stated in the manual. Exclusions must be limited to
requirements within clause 7 and not affect the organization's ability, or responsibility, to
provide product that meets customer and applicable regulatory requirements. Clause 7 of
the standard is essentially the “DO” part of the PLAN-DO-CHECK-ACT (PDCA) cycle
… so … essentially, you can only ‘exclude’ what you do NOT DO!
The quality manual must include or reference the 6 documented procedures required by
ISO 9001:2000 as well as any other documented procedures utilized in the quality
management system. More importantly, the quality manual must describe (or depict) the
sequence and interaction of quality management system processes. This can be done
effectively in a flow chart, especially if it is a ‘deployment’ flow chart - which adds the
element of responsibility to the visual workflow depiction. However, any format is
acceptable as long as it describes the interaction between quality management system
processes required by ISO 9001:2000 (i.e. order handling, planning, purchasing, training,
design, product or service provision, inspection, monitoring and measuring, etc.).
Page 8 of 60
Comply
4.2 DOCUMENT REQUIREMENTS (continued) Y N
N/A
4.2.3 Control of Documents
Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4.
A documented procedure shall be established to define the controls needed
a) to approve documents for adequacy prior to issue;
b) to review and update as necessary and re-approve documents;
c) to ensure that changes and the current revision status of documents are identified;
d) to ensure that relevant versions of applicable documents are available at points of use;
e) to ensure that documents remain legible and readily identifiable;
f) to ensure that documents of external origin are identified and their distribution controlled; and
g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.
Guidance:
4.2.3 Control of Documents
The intent of document control is to ensure that people have easy access to and use the
correct versions of the correct documents. The use of incorrect or obsolete documents can
result in mistakes and, ultimately, in nonconforming product and/or service. New or
revised documents must be approved prior to issue; any approval method is acceptable as
long it clearly indicates what constitutes the evidence of approval. Once documents are
approved, the new or revised documents need to be available at the locations where they
are used or needed. Obsolete documents need to be removed or destroyed. If obsolete
documents are not destroyed, they should be identified as obsolete.
In order to control the use of documents, ISO 9001:2000 requires a method for
identifying the current revision status of documents. Since the key to control starts with
identification, a good place to begin is to create a master list that identifies all controlled
documents and their revision status (number, date, or equivalent). If documents are not
‘centrally controlled’, each person that controls documents will need to establish and
maintain there own master list. Any controlled document can be compared with this
master list to verify if the latest revision is in use. Another possible method that precludes
the use of obsolete documents is the use of a master file of original documents (such as
drawings). Master lists and master documents can (and probably should) be maintained
electronically wherever possible.
Page 9 of 60
4.2.3 Control of Documents (guidance continued)
Document control systems can be as simple or as sophisticated as you deem appropriate
and/or needed. Our templates utilize a simple ‘master list’ … and all our documents are
‘hyperlinked’ to help organizations created a ‘paper free’ document control system.
However, for larger organizations desiring more sophisticated systems, some of the more
popular tools are listed below:
ISO9 www.vintara.com
tQ Solutions <www.etq.com>
ISOQuest <www.globalquality.com>
Q&MIS Suite <www.pilgrimsoftware.com>
Powerway <www.powerwayinc.com>
Qpulse <www.qualityamerica.com>
Document control software may provide solutions that are Internet or Intranet based and
accessible through your web browser, MS Office, or Lotus Notes. Packages typically
provide storage and control of multiple document types.
Further document control guidance:
ISO 9004:2000 Guidance on Documentation (4.2)
The generation, use, and control of documentation should be evaluated with respect to the
effectiveness and efficiency of the organization against criteria such as:
• Functionality (e.g., speed of processing)
• User friendliness; Resources needed
• Policies and objectives
• Requirements for managing knowledge
• Benchmarking of documentation systems
• Interfaces used by customers, suppliers, and interested parties
And, access for people in the organization and others should be based on the
organization’s communication policy.
Page 10 of 60
4.2.3 Control of Documents (guidance continued)
ISO 90003:2004 Guidance on Document Control
The software guidance standard includes a note at clause 4.2.3 to refer to 7.5.3 for more
information on document control as part of configuration management. Clause 7.5.3.1
states that the configuration management discipline is applicable to related
documentation.
ISO/TR 10013:2001 Guidance on Document Control
(Clause 6.1)
1. Documents should be reviewed before issue to ensure their clarity, accuracy, adequacy,
and proper structure.
2. Users should have the opportunity to comment on usability and if documents reflect
actual practices.
3. Document release should be approved by managers responsible for their
implementation.
4. Copies should have evidence of release authorization.
5. Evidence of document approvals should be retained.
(Clauses 6.2, 6.3)
1. Distribution method should ensure pertinent issues are available to all personnel who
will need the information.
2. Distribution and control may be aided by using serial numbers of individual document
copies for recipients.
3. Document distribution may include external parties, e.g., customers, registrars, and
regulatory authorities.
4. A process for initiation, development, review, control, and incorporation of changes
should be provided.
5. The same approval process as for original documents should be applied when applying
changes.
(Clause 6.4)
1. Document issue and change control are essential to ensure document contents are
properly approved by authorized persons and approval is readily identifiable.
2. A process should be established to ensure that only the appropriate documents are in
use.
3. Revised documents should be replaced by latest revision.
4. A document master list may be used to assure users that they have the correct issue of
authorized documents.
5. Organization should consider recording change history for legal and/or knowledge
preservation reasons.
Page 11 of 60
4.2.3 Control of Documents – Guidance (continued)
Of all requirements of ISO 9001:2000, this is one that is most likely to be over-applied.
However, it is important to control the distribution of documents used to make sure work
is being carried out according to the correct set of instructions or information. Just ask
yourself: “What information/documents do competent people need to do their jobs?”
Then, identify and control that information/documentation and get rid of everything else.
There is also a risk of ending up with complex arrangements for updating and retrieving
documents. Just remember, that the standard requires information to be up-to-date, but
does not specify how this should be done … there is a lot of flexibility … so this is a
process only you can simplify (or complicate).
Comply 4.2 DOCUMENT REQUIREMENTS (continued)
Y N N/A
4.2.4 Control of Records
Records shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system. Records shall remain legible, readily identifiable and retrievable. A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records.
Guidance:
4.2.4 Control of Records
There is a difference between documents and records. Essentially, documents are used to
describe or control how things are to be done and records are used to prove they were
accomplished. Records also are THE primary source of data you will be using to
evaluate if (and to what degree) desired results are accomplished. Further, records cannot
be revised. For example: a form is a document used for ordering products and/or services
from vendors and a completed purchase order states what has been ordered from the
vendor. Other examples of records are:
- management review minutes;
- inspection records;
- quotes and proposals;
- customer orders;
- audit reports;
- training records;
- corrective/preventive action records;
- design review minutes;
- nonconformance reports.
Each organization should identify which records are used to provide the evidence needed
to demonstrate planned activities are accomplished and/or to provide the data needed to
evaluate their effectiveness. A documented procedure is needed to define how these
records are identified, where they are stored, how they are retrieved, how they are
protected, what their retention time is, and how they are disposed of.
Page 12 of 60
4.2.4 Control of Records (guidance continued)
Further guidance on record control:
ISO 9004:2000 Guidance on Documentation
The term “documentation” refers to both documents and records, so the ISO 9004
guidance covered earlier under document control also applies to record control.
ISO 90003:2004 Guidance on Record Control
(Clause 4.2.4.1)
Evidence of conformity to requirements may include:
• Documented test results
• Problem reports, including any related to tool problems
• Change requests
• Documents marked with comments
• Audit and assessment reports
• Review and inspection records (e.g., those for design reviews, code inspections,
and walkthroughs).
(Clause 4.2.4.2)
Examples of evidence of effective operation may include:
• Resource changes (people, software, and equipment)
• Estimates, e.g., project size and effort
• How and why tools, methods, and suppliers selected
• Software license agreements (procured and supplied)
• Minutes of meetings
• Software release records
Page 13 of 60
4.2.4 Control of Records (guidance continued)
(Clause 4.2.4.3)
1. Consider legal requirements when setting retention times
2. Retention and access of electronic records, should consider the rate of media
degradation, availability of devices, and software needed for access
3. Records may include information held in email systems
4. Protection from computer viruses, and unapproved or illegal access, should be
considered
5. Proprietary information in records should be assessed to determine erasure methods at
end of retention period
ISO 15489:2001 Guidance on Record Management
ISO 15489-1:2001 is an information and documentation standard on records
management. Its companion document, ISO/TR 15489-2:2001, provides further
explanation and guidance on implementation options.
1. Records are created and used to conduct business activities and should be authentic,
reliable, and usable.
2. Records should be preserved and made accessible.
3. Records should comply with policies, standards, and legal requirements.
A records management program should decide on:
• Records to create for each process
• Information to include in the records
• Form, structure, and technologies to be used
• Retrieval, use, and transmittal of the records
• Retention periods and the disposition process
• Organization of records to support their use
Records should be kept in a safe, secure environment only for as long as they are needed
or required.
ISO/TR 10013:2001 Guidance on Records (4.11)
1. Records should indicate conformity with system requirements and specified product
requirements
2. Responsibilities for preparation of records should be addressed as part of the system
documentation
Records are not generally under revision control since they are not subject to change.
Page 14 of 60
5 MANAGEMENT RESPONSIBILITY
Comply 5.1 MANAGEMENT COMMITMENT
Y N N/A
Top management shall provide evidence of its commitment to the development and implementation of the quality management system and continually improve its effectiveness by
a) communicating to the organization the importance of meeting customer as well as
statutory and regulatory requirements;
b) establishing the quality policy;
c) ensuring that quality objectives are established;
d) conducting management reviews; and
e) ensuring the availability of resources.
Guidance:
5.1 Management Commitment
Top management MUST BE the driving force for establishing, implementing,
maintaining, and improving the quality management system. What people do, and how
this affects customers, cannot be effectively managed without a clear commitment from
top management. Define who top management is, then define clear responsibilities for
taking leadership roles that demonstrate commitment; at a minimum, management must:
- communicate to the organization the importance of meeting customer as well as
regulatory requirements ;
- establish a quality policy and objectives;
- conduct management reviews ; and
- ensure the availability of resources.
Page 15 of 60
Comply
5.2 Customer Focus Y N
N/A
Top management shall ensure that customer requirements are determined and are met with the aim of enhancing customer satisfaction (see 7.2.1 and 8.2.1).
Guidance
5.2 Customer Focus
Every organization depends on its customers. Without satisfied customers, the
organization cannot exist. Therefore, this requirement of ISO 9001:2000 is the core of
the quality management system. Essentially, you must define how your organization
focuses on customers. Specifically: How do they know what you do? How do they
know who to contact with questions/concerns? How can they get involved in improving
the quality of your products and services? If your organization has the proper customer
focus it should be able to answer the following questions on a continual basis:
- What do customers need and what do they expect?
- What does this mean for the organization? What is the organization required to do in
order to meet these customer expectations?
- Does the organization understand customer requirements and are these requirements
actually met?
In order to maintain a proper customer focus, management needs to monitor customer
requirements (and expectations) at the ‘macro’ level; this can be by a variety of methods:
- carrying out market/customer surveys;
- reviewing sector/industry specific reports;
- identifying niche marketing opportunities.
Page 16 of 60
Comply
5.3 Quality Policy Y N
N/A
Top management shall ensure that the quality policy:
a) is appropriate to the purpose of the organization;
b) includes a commitment to comply with requirements and continually improve the effectiveness of the quality management system;
c) provides a framework for establishing and reviewing quality objectives;
d) is communicated and understood within the organization; and
e) is reviewed for continuing suitability.
Guidance
5.3 Quality Policy
Your quality manual, by definition, contains policy that governs or directs every aspect of
your quality management system … i.e. it contains policy governing interaction with
customers, accepting orders, purchasing needed materials and services, performing
planning functions, qualifying and training people, performing and verifying work, etc.
The quality policy statement is a ‘one-liner’ that embodies all of this into one concise
statement indicating the overriding emphasis of all lower level policies. The quality
policy statement should communicate to customers and employees:
- a commitment to quality;
- a commitment to continual improvement;
- what your business does;
- what your quality objectives are, and how they are reviewed.
It is important that the quality policy covers the whole organization and is relevant to the
expectations of all customers. Therefore, customer requirements should be determined
before the quality policy is established.
All employees need to understand the quality policy, how it affects them, and their role in
the quality system.
It is important to keep in mind that the quality policy may be suitable today, but may not
be suitable in the future due to changing circumstances. The quality policy must therefore
be regularly reviewed for suitability (usually during management review; see clause 5.6).
Page 17 of 60
Comply
5.4 Planning Y N
N/A
5.4.1 Quality Objectives
Top management shall ensure that quality objectives, including those needed to meet requirements for product (see 7.1 a), are established at relevant functions and levels within the organization. The quality objectives shall be measurable and consistent with the quality policy.
Guidance
5.4.1 Quality Objectives
While the quality policy statement indicates what is important for the organization in
general terms, quality objectives must specific goals to be achieved within a certain time
frame, and must be measurable. The establishment and monitoring of progress against
measurable quality objectives is the key to effective quality system planning at the
‘macro’ level. ISO 9001:2000 specifically requires that quality objectives at relevant
functions and levels within the organization. This means, for example, that an
organization with sales, design, purchasing, and production departments (or functions)
should have quality objectives for each department that are consistent with the quality
objectives established at the ‘macro’ level for the organization as a whole. Look for
objectives already in place at all levels in the organization and evaluate them for
consistency with the ‘macro’ level quality objectives you establish. Many organizations
establish performance goals (or objectives) for each key manager; you may discover that
such objectives are not consistent with the ‘macro’ quality objectives and should be
changed. You can use periodic functional/individual performance reviews to assess
progress and convey how achievement of lower level objectives contributes to the ‘big
picture’. Measurable improvement objectives are meaningless without a baseline
performance measure; examples are:
- reduce scrap by 10% within the next 6 months;
- reduce repeat problems by 90% within the next year;
- increase customer satisfaction by 10% within the next year;
- reduce number of nonconforming products by 15% within the next year;
- reduce the number of key vendors from 100 to 25 in the next three years, etc.
- Some organizations may also chose to establish some of their quality objectives based
on “YES/NO” criteria. Example “Achieve product certification for “xxxxxxx”
product by November 2006”; or “Develop a new product to meet the requirements of
the “YYYYY” market by March 2007.
Page 18 of 60
Comply
5.4 Planning (continued) Y N
N/A
5.4.2 Quality Management System Planning
Top management shall ensure that
a) the planning of the quality management system is carried out in order to meet the requirements given in 4.1, as well as the quality objectives; and
b) the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented.
Guidance
5.4.2 Quality Management System Planning
Product quality planning is covered in detail under clause 7.1; job planning and control is
covered in detail under clause 7.5.1; planning for improvement is covered in detail under
clause 8.5. QMS planning activities related to clause 5.4.2 include identifying activities
and resources needed to establish and improve the quality system itself; such planning
does not have to be a sophisticated process. In fact, this requirement is met through
completion of other activities required by the standard: you plan to achieve the quality
objectives (see clause 5.4.1) and ensure continual improvement (see clause 8.5) through
the management review process (see clause 5.6). Outputs of quality planning include:
- the quality system itself (i.e. the quality manual and associated procedures);
- resources for establishing, maintaining and improving the quality system;
QMS planning should not only apply to achieving quality objectives, but also to
organizational change. Changes in an organization should be planned in order to
minimize the risk of negative effects on quality of product and/or service; this is normally
accomplished through a strategic planning process. In any case, changes and their impact
on the organization and the quality system should be an agenda item for every
management review meeting (see clause 5.6).
Page 19 of 60
Comply
5.5 Responsibility, Authority and Communication Y N
N/A
5.5.1 Responsibility and Authority
Top management shall ensure that responsibilities and authorities are defined and communicated within the organization.
Guidance
5.5.1 Responsibility and Authority
There can be no effective way of working if employees do not know their responsibilities
or if responsibilities and authorities are ‘vague’. Everyone should know what they are
expected to do (responsibilities) and what they are allowed to do (authorities). They
should know their role (position) in the organization and how this relates to other roles
(positions). Others in the organization (as well as customers) should be aware of these
relationships. Organization charts, job descriptions, deployment flow charts, and
procedures can be used to define organizational responsibilities and authorities … but
organization charts alone rarely define how things really get done in an organization.
Descriptions do not have to be elaborate or complex. It is important that descriptions
clearly reflect the “real life” situation and allow for flexibility. One method of
identifying responsibilities and authorities is to have a simple procedure or deployment
flow chart supplemented by a job description or training document. Also, placing an
organization chart in the quality manual will help customers identify key personnel and
delegated responsibilities and authorities in the organization.
Page 20 of 60
Comply
5.5 Responsibility, Authority and Communication Y N
N/A
5.5.2 Management Representative
Top management shall appoint a member of management who, irrespective of other responsibilities, shall have responsibility and authority that includes
a) ensuring that processes needed for the quality management system are established, implemented and maintained;
b) reporting to top management on the performance of the quality management system and any need for improvement; and
c) ensuring the promotion of awareness of customer requirements throughout the organization.
Guidance
5.5.2 Management Representative
Top management must delegate management authority to someone in the organization to
act as their representative for “quality management system issues”. This person must
have the necessary authority within the organization to ensure that the quality
management system is working. ISO 9001:2000 specifically requires this person to be a
member of management within the organization. People from outside the organization
(for example, consultants) cannot be the management representative unless they have a
management position within the organization. Obviously, the management representative
can have other responsibilities as well; however, regardless of other responsibilities, the
management representative should have direct access to top management on any issue
regarding the quality management system.
The authority of the management responsibility must include at least the duties as
described in clause 5.5.2 (a, b and c).
It is important to note that it is not the role of the management representative to “run" the
quality system ‘independent’ of top management. A quality system can only be effective
if it is carried out by all personnel in the organization, especially top management. The
management representative has a supportive role: ensuring that the necessary data is
collected and reported to top management for action as warranted. Again, the key is that
the management representative must have direct access to top management so quality
system issues requiring their attention are not impeded.
Page 21 of 60
Comply
5.5 Responsibility, Authority and Communication Y N
N/A
5.5.3 Internal Communication
Top management shall ensure that appropriate communication processes are established within the organization and that communication takes place regarding the effectiveness of the quality management system.
Guidance
5.5.3 Internal Communication
In order to establish an effective quality management system, it is not only necessary that
employees know their roles, responsibilities, and authorities, but there should also be
clear and effective ways for people within the organization to communicate.
Management should ensure that people have the information necessary in order to be able
to do their work, and ensure that quality requirements, objectives, and achievements are
communicated to all relevant personnel.
Most organizations already have a wide variety of internal communication systems in
place and need only describe them; communication systems/tools include any visible top
management activity, as well as:
- audio-visual and electronic media (kiosks, newsletters, notice boards, intranet);
- team meetings (staff, production and improvement team meetings);
- awareness/training programs (new customers, processes/systems, products/ services);
- employee performance reviews.
Page 22 of 60
Comply
5.6 Management Review Y N
N/A
5.6.1 General
Top management shall review the organization’s quality management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the quality management system, including the quality policy and quality objectives. Records from management reviews shall be maintained (see 4.2.4).
5.6.2 Review Input
The input to management review shall include information on
a) Results of audits;
b) Customer feedback;
c) Process performance and product conformity;
d) Status of preventative and corrective actions;
e) Follow-up actions from previous management reviews;
f) Changes that could affect the quality management system; and
g) Recommendations for improvement.
5.6.3 Review Output
The output from the management review shall include any decisions and actions related to
a) Improvement of the effectiveness of the quality management system and its processes;
b) Improvement of product related to customer requirements; and
c) Resource needs.
Guidance
5.6 Management Review
The complete quality management system should be reviewed by top management on a
regular basis. Management decides the frequency, but it should be frequent enough to
ensure the effectiveness of the system (usually once per year is adequate). Management
reviews are not implementation status meetings … they are system effectiveness review
sessions … looking a data over time to see if the desired results (objectives and plans) are
being achieved … and taking action if/when needed.
Management reviews make quality management systems dynamic. Without these
reviews, a system may become ineffective over time. Organizations change,
customers/markets change, and people change. These changes require modifications in
the quality management system. Regular management reviews ensure that the quality
management system is still suitable, adequate, and effective in a changed environment.
Page 23 of 60
5.6 Management Review – Guidance (continued)
In order to be effective, management reviews should be well prepared. This allows top
management to assess the effectiveness of the quality management system based on the
quality policy and the quality objectives, and to define the opportunities for improvement
and the need for changes. This means attendees must come with data/trends … know
what it means … and be prepared to offer related recommendations.
The results of management reviews should be in the form of specific actions, ensuring
that improvements are made in products/services and processes/systems, and that
resource needs are identified. Management review outputs can also set the direction for
the future (i.e. new/revised policy can be issued, improvement objectives can be
established, and/or specific improvement initiatives can be approved). The results of
management reviews should be recorded in some way; usually in meeting minutes,
checklists, or to-do lists.
A management review does not necessarily have to be conducted in one meeting (i.e.
once per year). A series of meetings can be held, each covering a part of the quality
management system, or a part of the organization.
6 RESOURCE MANAGEMENT
Comply 6.1 Provision of Resources
Y N N/A
The organization shall determine and provide the resources needed a) to implement and maintain the quality management system and continually improve
its effectiveness; and
b) to enhance customer satisfaction by meeting customer requirements.
Guidance
This section of ISO 9001:2000 covers the specific requirements for planning and
management of needed resources. These resources include human resources,
facilities, equipment, and work environment. This means that appropriate resources
are to be identified, planned, made available, used, monitored, and changed as
necessary by the organization.
It is important for the organization to evaluate past and present performance (e.g.,
using cost-benefit analysis and risk assessment) when deciding what resources are to
be allocated. In other words, the organization needs to ensure that human resources,
infrastructure (e.g., energy, water, facilities and equipment maintenance,
communications, and information technology), and the work environment (e.g.,
temperature, lighting, vibration, and noise) are provided and maintained in a way
consistent with the quality policy and objectives, as well as, contributing to
conformity to product requirements.
Page 24 of 60
Comply
6.2 Human Resources Y N
N/A
6.2.1 General
Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills and experience.
Guidance
6.2.1 General
Every person in an organization must be competent at what they do; this means that
qualification criteria should be established based on education, experience, and training.
Comply
6.2 Human Resources (continued) Y N
N/A
6.2.2 Competence, Awareness and Training
The organization shall
a) Determine the necessary competence for personnel performing work affecting product quality;
b) provide training or take other actions to satisfy these needs;
c) evaluate the effectiveness of the actions taken;
d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives; and
e) maintain appropriate records of education, training, skills and experience (see 4.2.4).
Guidance
6.2.2 Competence, Awareness and Training
In order for an organization to have qualified/competent people, it should:
- Determine competency needs. Job requirements change, so employee qualifications
and training needs should be continually reviewed, not just upon employment. The
mechanism for identifying needs on a regular basis is most often tied to periodic
employee performance reviews but also may be the output of strategic planning.
- Provide training to address identified needs. Once the need for training is established,
the training should actually be provided.
- Evaluate the effectiveness of training. Training is never a goal in itself. On a regular
basis, organizations should ask: did the training accomplish desired results? It is up to
you to define how you plan to demonstrate “effectiveness of actions taken” to address
competency needs; it could be through test results, improved performance, reduced
failures or problems, or any other objective evidence you deem appropriate.
Page 25 of 60
Comply
6.3 Infrastructure Y N
N/A
The organization shall determine, provide and maintain the infrastructure needed to achieve conformity to product requirements. Infrastructure includes, as applicable a) buildings, workspace and associated utilities;
b) process equipment (both hardware and software); and
c) supporting services (such as transport or communication).
Guidance
6.3 Infrastructure
Failure of equipment (such as welding equipment in a machine shop), lack of facilities
(such as shortage of storage space in a warehouse), or lack of repair/maintenance
capability can have serious effects on the quality or timeliness of product and/or service.
It is therefore essential that infrastructure is identified and controlled.
The focus should be on the infrastructure that is most important for the type of
organization. For example, a manufacturer will probably focus on production equipment
and maintenance, while a software development firm will put more emphasis on
computer hardware and software, and a service organization will focus on workspace and
associated facilities. Similarly, if an organization has equipment that can easily be
replaced without affecting quality of product and/or service, maintenance activities can
be relatively simple and limited. More complex equipment that is difficult to replace
should have a more extensive maintenance program. Where ‘breakdown maintenance’ is
the core of the maintenance strategy, redundant systems and spare parts inventories for
long lead time or hard to get materials may be critical.
Comply 6.4 Work Environment Y N
N/A
The organization shall determine and manage the work environment needed to achieve conformity to product requirements.
Guidance
6.4 Work Environment
Resources must be provided to establish and control working conditions needed to assure
product/service quality or to ensure consistent process performance.
In addition, organizations must define how they manage achieve compliance with
applicable statutory or regulatory environmental requirements, and may include a
requirement for an organization to be compliant with ISO 14001 or other environmental
management system standard.
Page 26 of 60
7 PRODUCT REALIZATION Comply 7.1 Planning of Product Realization Y N
N/A
The organization shall plan and develop the processes needed for product realization. Planning of product realization shall be consistent with the requirements of the other processes of the quality management system (see 4.1).
In planning product realization, the organization shall determine the following, as appropriate: a) quality objectives and requirements for the product; b) the need to establish processes, documents and provide resources specific to the
product; c) require verification, validation, monitoring, inspection and test activities specific to
the product and the criteria for product acceptance; d) records needed to provide evidence that the realization processes and resulting
product meet requirements (see 4.2.4). The output of this planning shall be in a form suitable for the organization’s method of operations.
Guidance
7.1 Planning of Product Realization
Clause 7 relates to the “DO” portion of the PLAN-DO-CHECK-ACT (PDCA) cycle.
This requirement is about planning for whatever your organization ‘does’.
Therefore, plans for controlling what you ‘do’ need to be documented. First, it is only
important to document what you plan to ‘do’ if the absence of such documentation would
adversely affect quality. The degree of and reliance on training and employee
competence will often be the single most deciding factor in determining the level of
documentation (including planning documents) needed.
Product realization plans can take can take many forms: formal product control plans,
work instructions, operator instructions, specifications, flow charts, checklists, or even
pictures or videos. Each organization needs to determine which format(s) will meet its
needs best.
In many cases, the customer may also require you to develop and submit your product
realization plans to them for approval prior to commencing work. In most cases,
organizations have product realization ‘plans’ already in place and all they will need to
do is identify them and define responsibilities for their establishment, approval,
execution, and periodic review/update.
Page 27 of 60
Comply
7.2 Customer-Related Processes Y N
N/A
7.2.1 Determination of Requirements Related to the Product
The organization shall determine
a) requirements specified by the customer, including the requirements for delivery and post-delivery activities;
b) requirements not stated by the customer but necessary for specified or intended use, where known;
c) statutory and regulatory requirements related to the product; and d) any additional requirements determined by the organization.
Guidance 7.2.1 Determination of Requirements Related to the Product
In order to be able to provide a product that meets customers’ expectations, it is necessary
to know exactly what the customer’s requirements for the product are, as well as
statutory/regulatory requirements and requirements based on known/intended use of a
product that only you or other product experts know. Accordingly, you need to consider:
- the requirements that are specified by the customer (usually in a customer order,
including requirements after delivery of product is complete, such as servicing of
products or warranty activities). Note: contractual delivery dates of a product or
service are to be always considered as being part of the “requirements specified by
the customer”.
- the requirements not specified by the customer (usually based on known or intended
use). For example, the use of special coatings and coating techniques in order to
prevent rust.
- statutory and regulatory requirements (usually imposed by local, regional, national,
international and/or sector/industry specific environmental and/or safety statutory
requirements or regulatory agencies).
- other requirements determined by the organization (usually based on product/service
performance expectations and other customer expectations such as luxury and
convenience features, appearance, etc.
Page 28 of 60
Comply
7.2 Customer-Related Processes (continued) Y N
N/A
7.2.2 Review of Requirements Related to the Product
The organization shall review the requirements related to the product. This review shall be conducted prior to the organization’s commitment to supply a product to the customer (e.g. submission of tenders, acceptance or contracts of orders, acceptance of changes to contracts or orders) and shall ensure that a) product requirements are defined;
b) contract or order requirements differing from those previously expressed are resolved; and
c) the organization has the ability to meet the defined requirements. Records of the results of the review and actions arising from the review shall be maintained (see 4.2.4). Where the customer provides no documented statement of requirement, the customer requirements shall be confirmed by the organization before acceptance. Where product requirements are changed, the organization shall ensure that relevant documents are amended and that relevant personnel are made aware of the changed requirements.
Guidance
7.2.2 Review of Requirements Related to the Product
The intent of this requirement is to ensure that organizations understand and can meet
ALL requirements before promising the customer that the product or service can be
provided. In order to avoid misunderstandings about what the customer wants (and
expects), it is necessary to review all requirements identified per clause 7.2.1. At a
minimum, all quotes/proposals, customer orders (and subsequent changes) should be
reviewed.
A request for quotation that is received from a customer needs to be reviewed before a
quote is submitted. An organization must determine if:
- the information from the customer is clear and specific;
- it has the capability to provide the requested product.
Once a quotation is provided to the customer and the customer places an order (accepting
the quotation), the order and the quotation must be compared to determine if there are any
differences between them. Any differences need to be resolved with the customer.
Page 29 of 60
7.2.2 Review of Requirements Related to the Product – Guidance (continued)
If the customer places an order without having been previously quoted (as is the case in
many organizations with ‘standard’ products or services as advertised in brochures or
catalogues), the order still needs to be reviewed before it is accepted. An organization
must determine if:
- the order is clear and specific;
- it has the capability (and capacity) to provide the requested product or service.
Records of these reviews must be kept; the record can be as simple as a notation on the
request for quotation or the order with the initials of the reviewer and the date. If the
request for quotation or order is not accepted (for whatever reason) or needs clarification,
follow-up actions must also be recorded. For verbal orders (for example by telephone) it
is important to confirm the order before acceptance. This can be done, for example, by
reading it back to the customer, asking for confirmation. In general, verbal and electronic
orders need some special considerations to record the order. For example, the details of a
telephone order may be recorded on a pad, and an electronic order may be recorded by
printing it or saving it in the computer.
Once accepted, orders often need to be changed. If this is the case, it should be clear how
this change is to be handled. Many times the change only affects quantity or date of
delivery; however, in some cases technical aspects of the order will change. The type
and scope of review needed should be based on the nature of the change. Most
organizations handle changes in the same way as a new order. In any case, all changes
must be agreed to by the customer and communicated to all individuals who are affected
by them. Typically, the purchasing department, the scheduling department, and the
production department are affected, and should therefore be informed.
Page 30 of 60
Comply
7.2 Customer-Related Processes Y N
N/A
7.2.3 Customer Communication
The organization shall determine and implement effective arrangements for communicating with customers in relation to
a) product information;
b) enquiries, contracts or order handling, including amendments; and
c) customer feedback, including customer complaints.
Guidance
7.2.3 Customer Communication
The satisfaction of customers does not only depend on the quality of final product or
service, but also on the communication between the organization and its customers. Poor
communication, even if acceptable product or service is provided, can result in
dissatisfied customers.
Therefore, it should be clear who has the responsibility and authority to communicate
with the customers. It is important that the following questions are answered:
- Who provides product information to the customer, and how is it provided? How
does the organization ensure that this product information is correct and timely?
- Who is responsible for handling requests for quotations and customers’ orders?
- By whom and how is customer feedback received and handled? This includes both
planned feedback (for example, as a result of customer surveys), and unplanned
feedback (for example, customer complaints).
The organization’s systems for communicating with the customer needs to be readily
available to the customer; therefore the quality manual is usually the best place to discuss
customer communications … or at least lead customers to a location (i.e. brochure, web
site, etc.) where customer contact data is detailed.
Page 31 of 60
Comply
7.3 Design and Development Y N
N/A
7.3.1 Design and Development Planning
The organization shall plan and control the design and development of product.
During the design and development planning, the organization shall determine
a) the design and development stages;
b) the review, verification and validation that are appropriate to each design and development stage; and
c) the responsibilities and authorities for design and development.
The organization shall manage the interfaces between different groups involved in design and development to ensure effective communication and clear assignment of responsibility.
Planning output shall be updated, as appropriate, as the design and development progresses.
Guidance
7.3
This clause applies to you if you design the product/service that you well. It also applies
to you if you purchase a complete design, then manufacture a product to the design and
sell it under its you own brand name.
7.3.1 Design and Development Planning
The type and extent of the design plan should be dependent on the complexity of the
design and the number of people involved. In some cases, design plans can be as simple
as a short flow chart or checklist; in more complex designs, more sophisticated planning
techniques are necessary. The design plan should identify responsibilities/authorities and
specific timelines; it should describe which groups or individuals are involved (for
example: customers, subcontractors, regulatory bodies, etc.) and how. It should also
clearly identify the stages of the design process, including any checks and/or verifications
for each stage.
It is not uncommon for conditions to change during the design and development process.
A design and development plan only has value if it is being updated when these changes
occur.
Page 32 of 60
Comply
7.3 Design and Development (continued) Y N
N/A
7.3.2 Design and Development Inputs
Inputs related to product requirements shall be determined and records maintained (see 4.2.4).
These inputs shall include:
a) functional and performance requirements;
b) applicable statutory and regulatory requirements;
c) where applicable, information derived from previous similar designs; and
d) other requirements essential for design and development. These inputs shall be reviewed for adequacy. Requirements shall be complete, unambiguous and not in conflict with each other.
Guidance
7.3.2 Design and Development Inputs
In every design and development process, simple or complex, it is crucial to know what
is required. The design and development input is defined by all requirements that the
design must meet in order to be successful. In other words, it should be clear how the
final product is going to look and which conditions must be fulfilled.
Comply
7.3 Design and Development (continued) Y N
N/A
7.3.3 Design and Development Outputs
The outputs of design and development shall be provided in a form that enables verification against the design and development input and shall be approved prior to release. Design and development outputs shall
a) meet the input requirements for design and development;
b) provide appropriate information for purchasing, production and for service provision;
c) contain or reference product acceptance criteria; and
d) specify the characteristics of the product that are essential for its safe and proper use.
Page 33 of 60
Guidance
7.3.3 Design and Development Outputs
Design and development output is the result of the design and development process and
the design plan should describe what form output should be in. Whatever the format, it
is essential that the output meet the input requirements, that it contains clear criteria for
acceptance or rejection, and that it clearly defines the characteristics of the product.
Comply
7.3 Design and Development (continued) Y N
N/A
7.3.4 Design and Development Review At suitable stages, systematic reviews of design and development shall be performed in accordance with planned arrangements (see 7.3.1) a) to evaluate the ability of the results of design and development to meet
requirements; and b) to identify any problems and propose necessary actions. Participants in such reviews shall include representatives of functions concerned with the design and development stage(s) being reviewed. Records of the results of the reviews and any necessary actions shall be maintained (see 4.2.4).
Guidance
7.3.4 Design and Development Review
Design and development review is a check to determine if the design and development
activities are on track. More specifically, organizations need to verify if design is
adequate in meeting customer and other requirements (design and development input).
For simple designs it may be sufficient to have only one design review at the very end of
the design process; however, performing only one design review may be very risky for
more complex designs. If there are any problems identified as a result of the design
review, it may be very costly and in some cases too late to go back and redo some of the
design activities in order to correct the problems. Since thorough design reviews can
prevent problems in a later stage, all relevant parties should be involved, including
appropriate internal departments/functions, as well as customers and subcontractors.
The results of the design reviews, including any problems that are identified and their
solutions, must be recorded. This may be as simple as noting on the plan that the review
has been carried out, as well as any follow-up actions, signed off by the reviewer and
dated. However, more complex designs may be reviewed in a formal meeting, and the
minutes of this meeting would constitute the design review record.
Page 34 of 60
Comply
7.3 Design and Development (continued) Y N
N/A
7.3.5 Design and Development Verification Verification shall be performed in accordance with planned arrangements (see 7.3.1) to ensure that the design and development outputs have met the design and development input requirements. Records of the results of the verification and any necessary actions shall be maintained (see 4.2.4).
Guidance
7.3.5 Design and Development Verification
Design and development verification is the formal check that is done at the end of the
design and development process to see if the results meet the original requirements. For
example: does the drawing meet the customer’s, regulatory, and other requirements?
If the design and development output is approved, the organization will go ahead with
manufacturing the product or providing the service based on the design; therefore, it
should be clearly stated in the design plan who is authorized to perform the design and
development verification, how the verification is done, and where it is recorded.
Comply
7.3 Design and Development (continued) Y N
N/A
7.3.6 Design and Development Validation Design and development validation shall be performed in accordance with planned arrangements (see 7.3.1) to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use, where know. Wherever practicable, validation shall be completed prior to the delivery or implementation of the product. Records of the results of validation and any necessary actions shall be maintained (see 4.2.4).
Guidance
7.3.6 Design and Development Validation
Design validation is checking that the actual product/service created performs as
intended. This is the final stage of the design and development process and is a valuable
opportunity to prevent serious financial loss. Design and development validation should
be performed before delivery of the product to the customer so that any problems can be
corrected.
Page 35 of 60
7.3.6 Design and Development Validation (continued)
Sometimes it is impractical to perform design and development validation before delivery
of the product to the customer; in such cases, the organization should perform checks of
the parts of the final product.
In other cases, performing design and development validation before introducing the new
product is required by law; for example, in the case of introducing a new medicine.
If the design and development output is, in itself, the actual product, then design and
development verification and validation are one and the same activity. This may be the
case, for example, for an engineering firm.
ISO 9001:2000 requires that the results of design and development validation activities
be recorded, including follow-up actions where applicable.
Comply
7.3 Design and Development (continued) Y N
N/A
7.3.7 Control of Design and Development Changes Design and development changes shall be identified and records maintained. The changes shall be reviewed, verified and validated, as appropriate, and approved before implementation. The review of design and development changes shall include evaluation of the effect of the changes on constituent parts and product already delivered. Records of the results of the review of changes and any necessary actions shall be maintained
Guidance
7.3.7 Control of Design and Development Changes
Stable designs are very rare. Most designs are subject to frequent changes sometimes
before the design process is finished. It is as important to control these changes as it is to
control the original design and development process. It should be clear how these
changes are handled and what effects they have on the product. Most organizations
choose to handle any changes to designs similar to the way new designs are handled.
Page 36 of 60
7.4 PURCHASING
Comply 7.4.1 Purchasing Process Y N
N/A
The organization shall ensure that purchased product conforms to specified purchase requirements. The type and extent of control applied to the supplier and the purchased product shall be dependent upon the effect of the purchased product on subsequent product realization or the final product. The organization shall evaluate and select suppliers based on their ability to supply product in accordance with the organization’s requirements. Criteria for selection, evaluation and re-evaluation shall be established. Records of the results of evaluations and any necessary actions arising from the evaluation shall be maintained (see 4.2.4).
Guidance
7.4.1 Purchasing Process
An organization can do an excellent job of controlling its own activities, but if suppliers
are not performing satisfactorily, the organization and its customers may be negatively
affected. It is crucial that suppliers are controlled, especially if they are particularly
important for the operation of an organization.
This requirement of ISO 9001:2000 is related to ensuring that organizations get good
products from their suppliers. Obviously not all suppliers are equally important. The
standard requires more energy to be spent on those suppliers that have the most impact on
the quality of the organization’s product/services. For example, a metal fabricator will
need to put emphasis on the control of the supplier of steel rather; while a repair service
will need to put emphasis on the control of the supplier of new and/or refurbished
replacement parts.
- Organizations need to identify which materials and services that they buy most affect
the quality of their products/services. Note: the requirements of Clause 7.4 also
apply to products that are acquired without any payment being made; this requirement
would probably be clearer this section referenced acquired products/services, rather
than purchased products/services.
- Then they need to establish criteria for the evaluation and selection of suppliers that
can provide these materials and services.
- Finally, they need to define a system for on-going supplier monitoring and periodic
re-evaluation to determine if/when improvement or other action is needed.
Page 37 of 60
7.4 PURCHASING (continued)
Comply 7.4.2 Purchasing Information Y N
N/A
Purchasing information shall describe the product to be purchased, including where appropriate: a) requirements for approval of product, procedures, processes and equipment; b) requirements for qualification of personnel; and c) quality management system requirements. The organization shall ensure the adequacy of specified purchase requirements prior to their communication to the supplier.
Guidance
7.4.2 Purchasing Information
While it is important that organizations are clear in ordering what they want, it is equally
important not to give unnecessary details in purchase orders. Purchase orders that are too
detailed can lead to confusion, and should therefore be avoided. Rather than describing
all the details of a product, it is often much better to limit the purchase order to simply
mentioning the catalogue number (as long as this is a unique number and the supplier has
the correct catalogue).
It is acceptable to give verbal instructions to a supplier, although this makes for ordering
complex products or services very difficult (for example, the services of an engineering
firm). In all cases, it is the intent of this requirement to avoid misunderstandings between
supplier and receiver. If an organization chooses to place a verbal order with a supplier, it
will need to keep a record of what was ordered. This enables the organization to verify
that it is actually getting what was asked for.
Finally, ISO 9001:2000 requires that the organization verify that purchasing information
is correct before communicating it to a supplier. This verification is usually done by the
purchasing manager or by the purchasing agent with input from quality or other technical
personnel. The effectiveness and efficiency of this process can be greatly enhanced
through automation, especially when integrated with other planning and resource
management processes.
Page 38 of 60
7.4 PURCHASING (continued)
Comply 7.4.3 Verification of Purchased Product
Y N
N/A
The organization shall establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchase requirements.
Where the organization or its customer intends to perform verification at the supplier’s premises, the organization shall state the intended verification arrangements and method of product release in the purchasing information.
Guidance
7.4.3 Verification of Purchased Product
An organization needs to ensure that the product or service from the supplier meets its
requirements. In most cases, this means that organizations verify the adequacy of the
product or service upon receipt. Sometimes, however, an organization chooses to visit the
supplier and perform this verification on their premises.
It is important to realize that ISO 9001:2000 does not require that all received product is
verified in all cases. For example, it does not make sense to do a 100% inspection on all
shipments of bolts, especially if these bolts hardly affect the quality of products and if the
supplier has proven to have a good history. The type and extent of the verification of
purchased product (or service) should depend on:
- the type of product or service that is being ordered;
- the history of the supplier;
- the characteristics of the supplier (for example: does it have a quality system in
place?)
Note: most organizations define receiving inspection activities as part of clause
8.2.4, Monitoring and Measurement of Product.
If an organization or its customers want to verify purchased product on the premises of
the supplier, then the organization needs to clearly indicate in the purchasing
documentation:
- what is going to be verified;
- how it is going to be verified.
Page 39 of 60
Comply
7.5 Production and Service Provision Y N
N/A
7.5.1 Control of Production and Service Provision
The organization shall plan and carry out production and service provision under controlled conditions. Controlled conditions shall include, as applicable
a) the availability of information that describes the characteristics of the product;
b) the availability of work instructions, as necessary;
c) the use of suitable equipment;
d) the availability and use of monitoring and measuring devices;
e) the implementation of monitoring and measurement; and
f) the implementation of release, delivery and post-delivery activities.
Guidance
7.5.1 Control of Production and Service Provision
This clauses addresses general ‘job’ planning and control activities, including the
establishment of production plans/schedules and other information and resources needed
to carry out specific work assignments, including:
- The availability of information that specifies the characteristics of the products (for
example: drawings, specifications, and other product/service specific information).
- The availability of work instructions; includes only those needed by ‘competent’
personnel (clause 6.2.2) or where the absence of such instructions could adversely affect
the quality of the product, usually identified during product quality planning (clause 7.1).
- The use of suitable equipment for production and service operations, usually identified
during product quality planning (clause 7.1) and maintained per clause 6.3.
- The availability and use of monitoring and measuring devices and the implementation of
monitoring activities, usually identified during product quality planning (clause 7.1) and
controlled per clause 7.6.
- The release and storage/delivery of finished goods/services, and (where applicable) any
post-delivery activities. It must be clear how product is released and delivered to the
customer. For example, delivery can be done by the organization itself or by a
subcontractor; or the customer can pick up the product. In some cases there is a (written
or verbal) requirement for the organization to perform additional activities after the
delivery of the product to the customer; it should be clear how these activities are
performed, and there should be procedures in place for critical activities.
Page 40 of 60
Comply 7.5 Production and Service Provision (continued)
Y N N/A
7.5.2 Validation of Processes for Production and Service Provision
The organization shall validate any processes for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement. This includes any process where deficiencies become apparent only after the product is in use or the service has been delivered. Validation shall demonstrate the ability of these processes to achieve planned results. The organization shall establish arrangements for these processes including, as applicable:
a) defined criteria for review and approval of the processes;
b) approval of equipment and qualification of personnel;
c) use of specific methods and procedures;
d) requirements for records (see 4.2.4); and
e) revalidation.
Guidance
7.5.2 Validation of Processes for Production and Service Provision
Verification/inspection of products before they are provided to the customer is a valuable
opportunity to prevent delivery of product that does not meet customers’ requirements.
However, sometimes it is not possible to fully verify the quality of the product without
using or destroying it. For example, it is not possible to fully verify the strength of a
weld unless a destructive test is performed or the product is actually used. Similarly, for
many service industries, the service provided is instantaneous, which does not readily
allow verification before delivery of that service. For example, a lawyer who defends a
client in court is obviously not able to verify his services before delivery. Failure to
represent the client correctly will only be detected when the judge rules.
In these cases the activities can only be controlled (validated) with the use of qualified
personnel, qualified equipment, and qualified processes based on a set of specified
procedures or criteria. A process can be qualified, for example, by doing a destructive
test on a sample of the products. The results of this destructive test can then represent
other products with the same characteristics. ISO 9001:2000 requires that records be
maintained for activities that require validation.
It should be noted that validation is only necessary if there is a risk of providing product
that does not meet customers’ requirements. For example, esthetic welding may not have
to be validated if it does not affect the quality of the product.
Page 41 of 60
Comply
7.5 Production and Service Provision (continued) Y N
N/A
7.5.3 Identification and Traceability
Where appropriate, the organization shall identify the product by suitable means throughout product realization.
The organization shall identify the product status with respect to monitoring and measurement requirements.
Where traceability is a requirement, the organization shall control and record the unique identification of the product (see 4.2.4).
Guidance
7.5.3 Identification and Traceability
Activities can only be controlled if it is clear what the product is and where it is in the
product realization process (i.e. its status). Clear identification of the product can avoid
misunderstandings about what has happened to it and what still needs to happen.
For example, product in the receiving area of a manufacturing plant should be clearly
marked as to whether a required receiving inspection has taken place. If a receiving
inspection has taken place, it should be clear what the result of this inspection was (pass
or fail). Similarly, material that is used in a machine shop should be identifiable as to
which specific job it belongs, and in which stage of production it is. In the service
industry, this requirement may have similar importance. For example, a courier service
cannot function without clear identification on the packages as to which services are
required (delivery time, registration, etc.), and a warehouse/distributor will need to have
some way of identifying the product in stock.
There are several ways of identifying products. The most obvious is using tags or
stickers with part numbers, bar codes, job numbers, etc. The identification may be
engraved in the product itself, or the product may simply be marked by a color.
Sometimes it is more practical to identify a product by its location. For example,
deficient product may be identified as nonconforming by segregating it and placing it in a
specific area that is marked “nonconforming product”. In all cases ISO 9001:2000
requires that it is clear if the product has been verified/inspected and that the results of the
inspection are also clear.
Sometimes traceability is a customer specified requirement (and even regulated). For
example, in pressure vessel manufacturing, it is common for the identification of a given
material to be recorded and traced through all manufacturing stages. In this way, the
final components can be traced back to the original material certificate. If traceability is
required, ISO 9001:2000 states that the material be uniquely identified and that records
are maintained that show evidence of traceability to specified or other appropriate degree.
Page 42 of 60
Comply 7.5 Production and Service Provision (continued)
Y N N/A
7.5.4 Customer Property
The organization shall exercise care with customer property while it is under the organization’s control or being used by the organization. The organization shall identify, verify, protect and safeguard customer property provided for use or incorporation into the product. If any customer property is lost, damaged or otherwise found to be unsuitable for use, this shall be reported to the customer and records maintained (see 4.2.4).
Guidance
7.5.4 Customer Property
If there are any products, materials, or tools on an organization’s premises that are owned
by a customer, workers must exercise care with this property. This means that they must
ensure that the property is and remains suitable for use or processing. If it is lost or
damaged, this needs to be recorded and the customer needs to be notified.
Customer property should be identified and verified (for example, by performing a
receiving inspection). Examples of customer property are: motor vehicles left for service
or repair, clothing that a customer left at a laundry, customer-owned material in a
warehouse or proprietary information provided to aid in planning, design, manufacture,
installation or delivery.
At a minimum, customer property should be handled, stored and processed with the same
level of care and control as applies to the organization’s own property (see clause 7.5.5).
Page 43 of 60
Comply
7.5 Production and Service Provision Y N
N/A
7.5.5 Preservation of Product
The organization shall preserve the conformity of product during internal processing and delivery to the intended destination. This preservation shall include identification, handling, packaging, storage and protection. Preservation shall also apply to the constituent parts of a product.
Guidance
7.5.5 Preservation of Product
Obviously it is as important that an organization handle its own product/material with
care, as it is to protect customer’s property. Some common examples of where special
handling techniques are required are:
- Metals handling where stainless steel can have corrosion resistance impaired if the
stainless steel is handled with ordinary steel grips or chains. Covering the grips, chains,
and other handling tools with rubber, plastic, or similar materials is the usual practice.
Most copper-based metals are susceptible to corrosion from finger marks. Where
corrosion may affect performance, such as in printed circuit boards or decorative
applications, gloves need to be worn to prevent such marking.
- Food handling where cleaning of utensils after use is very necessary, for health reasons.
- Electrical and electronic equipment where safe handling practices are required to avoid
damage from electrostatic discharges.
Similarly, packing or packaging needs to be done in such a way that it does not adversely
affect product quality. Packaging should be appropriate to the product. For example,
bulk grain may be packed by filling the carrying container, provided the container does
not contaminate the product. On the other hand, the packaging of certain chemicals is
regulated to ensure that they do not spill or contact with water.
Also, unsuitable storage can deteriorate the condition of product. The organization
should define its system of inventory control (including the identification of various types
of storage areas and the applicable controls in place for each area of type of area).
Product in stock must be protected, especially if the product has a limited shelf life.
Checking the condition of product in stock regularly can do this.
Finally, the organization should describe its methods for delivering product/service to the
customer and for ensuring protection to final destination.
Page 44 of 60
Comply
7.6 Control of Monitoring and Measuring Devices Y N
N/A
The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring devices needed to provide evidence of conformity of product to determined requirements (see 7.2.1).
The organization shall establish processes to ensure that monitoring and measurement can be carried out and are carried out in a manner that is consistent with the monitoring and measurement requirements.
Where necessary to ensure valid results, measuring equipment shall be:
a) calibrated or verified at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; where no such standards exist, the basis used for calibration or verification shall be recorded;
b) adjusted or re-adjusted as necessary;
c) identified to enable the calibration status to be determined;
d) safeguarded from adjustments that would invalidate the measurement result;
e) protected from damage and deterioration during handling, maintenance and storage.
In addition, the organization shall assess and record the validity of the previous measuring results when the equipment is found not to conform to requirements. The organization shall take appropriate action on the equipment and any product affected. Records of the results of calibration and verification shall be maintained (see 4.2.4).
When used in the monitoring and measurement of specified requirements, the ability of computer software to satisfy the intended application shall be confirmed. This shall be undertaken prior to initial use and reconfirmed as necessary.
Guidance
7.6 Control of Monitoring and Measuring Devices
Verifications, inspections and tests are important ways to ensure that the product meets
the customer requirements and expectations. This can be done by monitoring and
measuring the characteristics of the product (see clause 8.2.4). For example, a pharmacist
measures the exact amount and weight of the medicine before providing it to the
customer. However, if his measuring device (an electronic scale) is measuring
incorrectly, or if it is not accurate enough, then the measurement is useless.
Therefore, this section of ISO 9001:2000 requires organizations to ensure that
measurement devices are capable (precise and accurate enough) and controlled so that
they consistently provide accurate measures. Examples of measurement and monitoring
devices are: scales, gages, thermometers, micrometers, calipers, and thickness meters.
Most monitoring and measurement devices will require periodic calibration. Calibration
is the act of comparing the measurement device against a reference standard to determine
how accurate it is and whether or not it is still capable of meeting the precision required
for the measurement made with it. Where necessary, the measuring device needs to be
adjusted.
Page 45 of 60
7.6 Control of Monitoring and Measuring Devices – Guidance (continued)
Organizations are free in determining the frequency of calibration, provided that the
frequency is consistent with the type of measurement device and the intensity of use.
For a reference standard to have validity, it must be traceable back to an appropriate
recognized accurate source. This is normally a national or international standard (such as
a meter or a kilogram). If an (inter)national standard does not exist, then the organization
needs to define the reference standard on its own.
It is important to determine how accurate the measurements need to be; this will depend
upon how much tolerance is permissible in what is being measured. A measuring device
usually has to be capable of measuring to a much closer tolerance than the tolerance
specified for the item being measured. Also, there is no point in having measurement
devices calibrated to unnecessarily high precision if that precision is not needed for the
operation. A pharmacist typically needs high accuracy equipment, while the accuracy of
a wire cutter used by a distributor is relatively low.
The results of the calibrations need to be recorded. If the measuring device appears to be
out of calibration, then it is necessary to look at the results of the measurements that were
previously taken with this device. For example, if a scale is out of calibration, someone
may need to re-inspect the product that was recently inspected with this device (provided
the product has not yet been shipped to the customer). Organizations need to decide
which corrective action is appropriate (see clause 8.5.2).
It is important to protect a measuring device from damage or deterioration. This means
that it must be suitably stored when not in use, and it must be correctly handled. Also,
adjustments may invalidate the calibration; a possible prevention method is to ensure that
only trained personnel are authorized to use the measuring device.
Sometimes computer software is used in the process of monitoring and measurement of
requirements. If this is the case, the software must be checked to verify that it performs
the required functions.
Page 46 of 60
8 MEASUREMENT, ANALYSIS AND IMPROVEMENT Comply
8.1 General Y N
N/A
The organization shall plan and implement the monitoring, measurement, analysis and improvement processes needed: a) to demonstrate conformity of the product; b) to ensure conformity of the quality management system; and c) to continually improve the effectiveness of the quality management system.
This shall include determination of applicable methods, including statistical techniques, and the extent of their use.
Guidance
8.1 General
The previous sections relate to organizing activities in such a way that customer
requirements and expectations are consistently met. An organization that has met those
requirements has the controls in place, but does not necessarily know if the controls are
working. In order for an organization to improve, it needs to have information on where
it stands today. How satisfied are the customers? Does the organization actually meet all
requirements? Are activities (processes) effectively and efficiently organized? Does the
product actually meet the expectations? And, what happens if the product does not meet
the expectations?
The answers to these questions are related to the requirements in this section.
Improvement will result from analyzing this information and taking the necessary
corrective, preventive and/or other improvement action.
The information that organizations need to plan for improvement does not have to be
sophisticated. Usually a few crucial pieces of information or a short summary can give
enough information to determine if action is necessary. Organizations should define
what is the crucial information that they need and how they will analyze it for decision-
making.
The organization should also discuss its plans for using statistical tools to monitor and
measure product and processes for effectiveness and/or improvement.
Page 47 of 60
8 MEASUREMENT, ANALYSIS AND IMPROVEMENT Comply
8.2 Monitoring and Measurement Y N
N/A
8.2.1 Customer Satisfaction As one of the measurements of the performance of the quality management system, the organization shall monitor information relating to customer perception as to whether the organization has met customer requirements. The methods for obtaining and using this information shall be determined.
Guidance
8.2.1 Customer Satisfaction
Probably one of the most crucial categories of information is the satisfaction of
customers. Since customers determine the future of organizations, it needs to be
determined how satisfied they are. In order to do this, organizations need to know which
issues are important for their customers and then define how they will measure the
customer’s perception of how well they’re doing with regards to these issues.
One way of getting information about how dissatisfied customers are is to monitor the
customer complaints. However, it is important to realize that this will give a very limited
picture. First, it is quite common that only a small portion of dissatisfied customers
actually complain. Second, customer complaints do not give any information about
satisfied customers or the level of customer satisfaction. Note: per notes contained in the
definition of customer satisfaction (see ISO 9000:2000) the absence of complaints/returns
does not necessarily mean there is a high level of customer satisfaction. Customer
satisfaction can be objective and subjective.
Examples of objective information are:
• Did the customer receive the product before 5:00 PM, as required?
• Was the shipment complete?
Examples of subjective information include:
• Is the customer satisfied with the way we answered their questions and concerns?
• Is the customer satisfied with the performance of a product or delivery of a
service?
Page 48 of 60
8.2.1 Customer Satisfaction (continued)
There are several ways of measuring customer satisfaction. Examples are:
• Questionnaires and surveys. This is a relatively cost effective way of measuring
customer satisfaction, but the downside is that the response may be low. A better
strategy is to periodically survey key customers or customer groups.
• Direct communication with customers. This is much more time consuming, but it
is an excellent way of getting to know the needs of customers, and the method
itself can contribute to raising customer satisfaction. However, very little ‘extra
time’ is needed if customer contact personnel conduct a ‘mini’ survey during their
‘routine’ customer contacts (i.e. phone calls, interviews, conferences, meetings)
and quantify/summarize results in a manner that will result in actionable data.
• Customer ratings and ‘report cards’ (typical in many industries, especially
automotive).
• Reports of consumer organizations. This information gives a good overview, but
is not always available and seldom gives information about individual customers.
Comply 8.2.2 Internal Audit
Y N N/A
The organization shall conduct internal audits at planned intervals to determine whether the quality management system: a) conforms to the planned arrangements (see 7.1), to the requirements of this
International Standard and to the quality management system requirements established by the organization; and
b) is effectively implemented and maintained. An audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.
The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure.
The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results
Page 49 of 60
Guidance
8.2.2 Internal Audit
A second source of information is a periodic self-assessment (internal audit). This allows
an organization to determine the strengths and weaknesses of the quality system in place.
It should become apparent whether or not the quality system meets the requirements of
this standard and if the system has been effectively maintained.
ISO 9001:2000 requires that the responsibilities and requirements for conducting internal
audits be documented in a procedure.
Audits should be planned and conducted based on the status and importance of the area,
function, process or system involved. Critical, new or changed processes/systems, and
departments (or functions) that have been recently reorganized should be audited more
frequently and/or more in-depth than others. Similarly, any data indicating a weakness
exists (i.e. customer complaints or previous audit findings) should be used to identify
processes or departments/functions that deserve more attention during internal audits.
Each organization should appoint an internal auditor who is qualified (see clause 6.2.1).
The audit process itself must be objective and impartial and auditors cannot audit their
own work. An auditor should look for evidence of compliance to the requirements. Are
the activities done as planned (i.e. as defined in quality system documents)? Do managers
have data that demonstrates process/system effectiveness? Are corrective, preventive or
other improvement actions taken as planned? Are actions taken effective? This is not an
exercise in finding mistakes. Rather, it is gathering information about the system so that
the organization knows its strengths and weaknesses and can therefore improve.
Evidence of compliance can be collected, for example, by interviewing people, observing
activities and looking at records and procedures.
Page 50 of 60
8.2.2 Internal Audit (guidance continued)
The process approach advocated by ISO 9001:2000 should also be applied to internal
auditing. Checklists should be ‘avoided’ as the ‘tool of choice’ because the tend to look
at things (quality system elements, etc.) in isolation. The key to conducting effective
process based audits begins in Clause 4.1 … i.e. how the organization defines its
processes and criteria for effectiveness. If properly defined, any process can be assessed
for effectiveness according to the following criteria:
Quality products are consistently provided to the (internal or external) customer
(based on stated objectives for product or process performance)
Risks to the (internal or external) customer are minimized (i.e. controls in place are
working to minimize a known or anticipated risk)
Interfaces are effective (process outputs meet input requirements at next stage of
processing and/or communications within or across organizations is effective)
Systems (or subsystems) are operating efficiently
'Value added' internal audits can be a great resource for improvement ideas, preventive
actions and data that managers can use to determine if/when a process is effective
(accomplishes desired results) and efficient (with a minimum amount of resources).
Value added internal audit activities should only be carried out with management’s
blessing; include them in the scope of each audit if/when desired by management.
Organizations need to keep records of the results of internal audits. This can be done on
a checklist or on a report. Either way, it should be clear which requirements have been
audited and which areas were or were not in compliance with the requirements.
These results then need to be reported to management so that timely corrective,
preventive or other improvement actions can be taken where necessary.
In assessing audit evidence, there also needs to be a decision-making process. Essentially
it is the responsibility of the internal auditor to clearly state the problem (or opportunity
for improvement) in a manner that facilities decision making. Management will view the
internal audit process as ‘non-value added’ if facts or conditions are misstated or If
additional data is needed to determine the extent of nonconformance (or poor
performance); in other words … more data is needed to make an informed decision.
Auditors should always view themselves are internal resources / consultants for
management and ask: “Is the condition clearly stated and put in context?”; if not, it is
probably best left unsaid.
Page 51 of 60
8.2.2 Internal Audit (guidance continued)
Audit results must also be followed up to ensure actions were taken and effective (keep in
mind that completion of an action does not mean it ‘worked’, or accomplished its stated
objective)
Clause 8.2.1.3 of ISO 9004:2000 states that top management should ensure the
establishment of an effective and efficient internal audit process to assess the strengths
and weaknesses of the quality management system. The internal audit process acts as a
management tool for independent assessment of any designated process or activity. The
internal audit process provides an independent tool for use in obtaining objective
evidence that the existing requirements have been met, since the internal audit evaluates
the effectiveness and efficiency of the organization. Management can influence the
quality of internal audits by clearly stating expectations (through in-briefs and/or other
pre-audit activities). Planning for internal audits should be flexible in order to permit
changes in emphasis based on findings and objective evidence obtained during the audit.
Relevant input from the area to be audited, as well as, from other interested parties,
should be considered in the development of internal audit plans. Examples of subjects
for consideration by internal auditing include:
Effective and efficient implementation of processes,
Opportunities for continual improvement,
Capability of processes,
Effective and efficient use of statistical techniques,
Use of information technology,
Analysis of quality cost data,
Effective and efficient use of resources,
Process and product performance results and expectations,
Adequacy and accuracy of performance measurement,
Improvement activities, and
Relationships with interested parties.
Internal audit reporting sometimes includes evidence of excellent performance in order to
provide opportunities for recognition by management and motivation of people.
While not required, management should also ensure actions are taken in response to
opportunities for improvement identified during internal audits.
Page 52 of 60
Comply 8.2.3 Monitoring and Measurement of Processes
Y N N/A
The organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate, to ensure conformity of the product.
Guidance
8.2.3 Monitoring and Measurement of Processes
The third source of information is related to measurement of processes (activities).
Organizations need to determine how they are going to measure whether activities are
being adequately carried out. Examples of measurements of activities are:
- Timeliness. A certain operation may typically take 15 minutes. How often is this
operation being performed in 16 minutes or more?
- Efficiency. How much of a certain type of material is processed in one hour? How many
people were involved in producing one batch?
- Reaction time. What was the reaction time of people to special internal or external
requests/concerns (such as customer complaints)?
- Cost reduction. What was the reduction of costs related to not meeting the requirements?
An example of these costs is premium freight: extra costs of high-speed delivery because
of excessive production times.
Process monitoring and measurement activities are typically used to minimize the need
for or reliance on product inspection and test to ensure product quality.
Process monitoring activities can include operator process monitoring (usually defined in
work instructions established per clause 7.5.1).
In addition, the organization should define more ‘formal’ process monitoring activities
(including methods for monitoring process performance against established parameters or
other desired results) and define actions for process adjustment to minimize product or
service nonconformities.
Page 53 of 60
Comply
8.2.4 Monitoring and Measurement of Product Y N
N/A
The organization shall monitor and measure the characteristics of the product to verify that product requirements have been met. This shall be carried out at appropriate stages of the product realization process in accordance with the planned arrangements (see 7.1). Evidence of conformity with the acceptance criteria shall be maintained. Records shall indicate the person(s) authorizing release of product (see 4.2.4). Product release and service delivery shall not proceed until the planned arrangements (see 7.1) have been satisfactorily completed, unless otherwise approved by a relevant authority and, where applicable, by the customer.
Guidance
8.2.4 Monitoring and Measurement of Product
A fourth source of information is based on measurements of the characteristics of the
product (inspections and tests). This may be a verification of quantity, dimensions,
weight, thickness, hardness, etc. Basically, it covers any activity that determines whether
something is acceptable.
Each individual organization needs to decide where these inspections and tests should be
carried out. The general rule is that they should be performed at critical stages of
processes. Typically, this is the case when a product is passed on to the next production
stage or when there is a substantial risk of errors or deficiencies. A car manufacturer will
want to perform several in-process inspections and inspections of parts because without
these inspections a deficiency may not be detected later, or it may be very costly to
correct it.
Similarly, the types of inspections or tests performed should be dependent on the critical
nature of the product or the process. In some cases, such as a repair service center
receiving new or refurbished replacement parts, an inspection may be as simple as
checking the type and number of parts received.
Inspections of final products are always critical because there will not be opportunity to
correct any deficiencies after this point. At a minimum, a final ‘audit’ should be
performed to ensure all planned activities (including all key product/service realization
processes and related product/service inspections and tests) have been performed as
planned with satisfactory results.
Page 54 of 60
8.2.4 Monitoring and Measurement of Product – Guidance (continued)
In performing inspection and testing, 100% of the product does not have to be tested.
There are many products made where a sampling procedure is used and the batch passed
or rejected on the basis of the sample. The subsequent detection of nonconforming
product (see 8.3) does not mean that the sampling procedure is incorrect. However, a
continuing and perhaps higher than expected level of nonconformances may suggest that
the sampling plan or procedure needs investigating.
Obviously, an inspection or test is only useful if the acceptance criteria are known. The
result of the inspection or test is either a pass or a fail, based on these acceptance criteria.
Preferably, acceptance criteria should be measurable (such as in dimensions or
quantities), but they can also be subjective, for example criteria for visual inspections or
taste tests.
The results of inspections and tests need to be recorded. Examples of inspection records
are checklists, pick tickets, job cards, or work orders. In any case, it is wise to use the
records that are already in use by the organization as much as possible. For example, in
small machine shops with only a few employees, it is common practice for machine
operators to inspect their own work before passing it on to the next machining station.
Consecutive operators sign a job card as it follows the work in progress. This is a good
practice because the work of the next operator down the line is affected if the ‘incoming’
work is not correct. Also, the next operator can check the previous operator’s work.
The record should clearly state who performed the inspection and what the result of the
inspection was (pass/fail).
If an inspection or test needs to be performed, then product should not proceed to the next
activity or production stage until the inspection or test has been completed with positive
results. A product can only be released without inspection or test if there is an
appropriate approval, usually provided by the customer.
Page 55 of 60
Comply
8.3 Control of Nonconforming Product Y N
N/A
The organization shall ensure that product which does not conform to product requirements is identified and controlled to prevent its unintended use or delivery. The controls and related responsibilities and authorities for dealing with nonconforming product shall be defined in a documented procedure.
The organization shall deal with nonconforming product by one or more of the following ways:
a) by taking action to eliminate the detected nonconformity;
b) by authorizing its use, release or acceptance under concession by a relevant authority and, where applicable, by the customer;
c) by taking action to preclude its original intended use of application.
Records of the nature of nonconformities and any subsequent actions taken, including concessions obtained, shall be maintained (see 4.2.4).
When nonconforming product is corrected it shall be subject to re-verification to demonstrate conformity to the requirements.
When nonconforming product is detected after delivery or use has started, the organization shall take action appropriate to the effects, or potential effects, or the nonconformity.
Guidance
8.3 Control of Nonconforming Product
It is important that inspections are carried out; it is equally important that people know
what to do with the nonconforming (deficient) product if it fails the inspection. Most
importantly, organizations should ensure that nonconforming products are not treated as
conforming product and delivered to the customer. Control of nonconformity should be
done by clearly identifying the product as nonconforming. Segregation in designated
areas and marking of the product are the most obvious examples.
Someone in each organization should have the authority to decide what to do with
nonconforming product. The product may be corrected by repairing, reworking, or re-
grading for alternative applications. If all other approaches fail, the product can be
scrapped.
Unless it is scrapped, the nonconforming product (after repair, rework, etc.) should be re-
inspected. Sometimes it is an option to use nonconforming product and release it to the
customer. This is only allowed with a concession (approval) from the customer and/or
other parties.
Note: Nonconforming service cannot be segregated, regraded for alternate use or
scrapped, but it needs to be clearly identified and the disposition documented (usually
rework or other customer approved action).
Page 56 of 60
8.3 Control of Nonconforming Product – Guidance (continued)
In the event that a nonconformance is detected after delivery, appropriate actions need to
be taken. For example, if a catering company discovers that it has inadvertently used
processed meat that was past its ‘use-by-date’ (shelf life), a number of actions might be
required to fix the problem:
- investigate to find out the extent of the problem; / segregate and quarantine the
product;
- recall the product from retail outlets and customers; / involve regulatory authorities.
For service industries, it may be difficult or impossible to physically identify or segregate
nonconforming service. These organizations, however, are still required to ensure that
the nonconforming service does not reach the customer, where possible, and to correct
the problem.
ISO 9001:2000 requires that a documented procedure describe how nonconforming
products are controlled, as well as the related responsibilities and authorities.
Comply
8.4 Analysis of Data Y N
N/A
The organization shall determine, collect and analyse appropriate data to demonstrate the suitability and effectiveness of the quality management system and to evaluate where continual improvement of the effectiveness of the quality management system can be made. This shall include data generated as a result of monitoring and measurement and from other relevant sources.
The analysis of data shall provide information relating to
a) customer satisfaction (see 8.2.1);
b) conformity to product requirements (see 7.2.1);
c) characteristics and trends of processes and products including opportunities for preventive action; and
d) suppliers.
Guidance
8.4 Analysis of Data
ISO 9001:2000 requires the collection and analysis of a lot of data. Organizations rely on
this information to make important decisions. It is not enough for companies to sift
through data, looking for defects on a case-by-case basis (that's "firefighting, not fact
based decision making). However, before any amount of data is analyzed, it must be
proven reliable. Most organizations have plenty of data (maybe even too much), but it is
simply unfit for decision making because it is obsolete, duplicated, or just plain wrong,
What organizations need to do is to get serious with data, both in terms of quality and
quantity. Once (and only if) data is reliable, then it must be analyzed over time to
provide a sound basis for decision making.
Page 57 of 60
8.4 Analysis of Data (guidance continued)
Data is only valuable if it is analyzed and actionable. For example, the data may indicate
that there was an increase in the number of nonconforming products in a certain period.
However, it is only possible for an organization to take the necessary action (see 8.5) if it
is provided with an analysis of this data. For example: What was the type of
nonconforming product? What was the main cause of the nonconformances? Were there
any circumstances that were different from previous periods? Is this problem confirmed
by other sources of information, such as internal audits?
The results of the analysis should enable organizations to answer the following questions:
How satisfied are customers? Are customers’ requirements being met? Do processes
and products meet the requirements? How do suppliers perform?
Comply 8.5 Improvement
Y N N/A
8.5.1 Continual Improvement The organization shall continually improve the effectiveness of the quality management system through the use of the quality policy, quality objectives, audit results, analysis of data, corrective- and preventative actions and management review.
Guidance
8.5 (general)
General guidance on distinguishing different types of ‘management actions’,
including improvement actions, corrective actions and preventive actions.
Improvement actions are fairly straightforward: there will be a need to improve
performance to achieve desired results (usually individual or organizational performance
goals/targets; occasionally these are also defined by the customer). The decision to take
action should be based on priorities established to achieve the target … in view of the
anticipated costs/benefits. Effectiveness is achieved if desired results / benefits are
achieved within planned or anticipated costs and timeframes.
There is often confusion on the differences between correction, corrective action, and
preventive action. Correction is the action to eliminate a detected nonconformity, e.g.,
reworking or regrading a product so it becomes conforming. Corrective Action is the
action to eliminate the cause of a detected nonconformity to prevent its recurrence.
Preventive Action is the action to eliminate the cause of a potential nonconformity to
prevent its occurrence.
Page 58 of 60
8.5 (general guidance continued)
Assessing effectiveness of an organization’s correction and corrective action processes is
relatively straightforward, because the results and effectiveness of these processes are
usually well defined: i.e., if the organization has already identified a nonconformity, it
should be simple to evaluate the process the organization used (or is planning to use) to
correct it, and whether or not this will be effective in avoiding recurrence of the
nonconformity. However, if there is no nonconformity to start with, and if the preventive
action is effective, the status quo will be maintained. This raises the difficulty of
assessing effectiveness of actions resulting in maintenance of the ‘status quo’; more later.
8.5.1 Continual Improvement
Each organization should continually seek to improve, rather than wait for a problem to
reveal opportunities for improvement. Potential improvements can range from short
projects to long-term activities. Examples are:
- Sitting down with the most important suppliers in order to increase the effectiveness
of the communication and to reduce nonconformances;
- Making an action plan to reduce the reject from a certain type of machine;
- Finding opportunities to reduce the delivery time.
Continual improvement should be based on all relevant information available. Audit
results and other data should be analyzed and compared with the policy and objectives so
that corrective and preventive actions can be taken to ensure continual improvement.
Management reviews should be used as tools for enhancing this improvement process
itself and/or as a critical source for high level improvement initiatives driven by the
organization’s business plan, customer expectations, market research, etc.
Often, it is not practical or advisable to take all needed actions at once, so it becomes
necessary to prioritize improvement actions on the basis of their status and importance to
determine when action should be taken. The output of the continual improvement
planning process should be a list of improvement initiatives and anticipated results. The
effectiveness of these actions should be reviewed as a normal part of the
corrective/preventive action processes (see clause 8.5.2 and clause 8.5.3) or during
management reviews (see clause 5.6)
Page 59 of 60
Comply
8.5.2 Corrective Action Y N
N/A
The organization shall take action to eliminate the cause of nonconformities in order to prevent recurrence. Corrective actions shall be appropriate to the effects of the nonconformities encountered. A documented procedure shall be established to define requirements for
a) reviewing nonconformities (including customer complaints);
b) determining the causes of nonconformities;
c) evaluating the need for action to ensure that nonconformities do not recur;
d) determining and implementing action needed;
e) records of the results of action taken (see 4.2.4); and
f) reviewing corrective action taken
Guidance
8.5.2 Corrective Action
Every indication of a failure (i.e. complaint, rejection, audit finding, return, etc.) requires
an immediate correction. In addition, the organization needs to evaluate whether a
corrective action is needed to prevent (or minimize the likelihood of) the failure from
recurring.
This requirement is related to ensuring that corrective actions are identified, taken and
verified for timely and effective implementation.
This involves finding the cause of the problem, recording the results of the action taken
and verifying that the action was effective.
The intent of this requirement is to have a disciplined approach to problem solving (i.e.
identifying the root cause of the problem, the actual costs with the failure, and the
potential costs/risks associated with taking no action to prevent its recurrence.
Corrective actions are ineffective when they do not achieve desired results (usually
meaning, the problem/failure recurs).
Page 60 of 60
Comply
8.5.3 Preventive Action Y N
N/A
The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be appropriate to the effects of the potential problems. A documented procedure shall be established to define requirements for a) determining potential nonconformities and their causes; b) evaluating the need for action to prevent occurrence of nonconformities; c) determining and implementing action needed; d) records of results of action taken (see 4.2.4); and e) reviewing preventive action taken.
Guidance
8.5.3 Preventive Action
It is better to prevent a problem from occurring than to correct a new or recurring
problem. Based on the information available to them, organizations must identify ways
of preventing problems from occurring in the first place. Examples of preventive actions
are:
- purchasing additional tools or machinery, because of an expected increase in
activities or production;
- checking computer systems to see if they are capable of handling information from a
new customer;
- introducing a new identification system for nonconforming product, so that any
potential misunderstandings can be avoided;
- providing training on new processes, equipment, customer requirements, etc.
Preventive actions are usually handled in the same way as corrective actions, just with a
different ‘focus’.
This involves finding the cause of the potential problem or failure, recording the
anticipated results of the action taken and verifying that the action was effective.
The intent of this requirement is to have a disciplined approach to risk analysis (i.e.
identifying the root cause of the potential problem and the potential costs/risks associated
with taking no action to prevent its occurrence.
Preventive actions are ineffective when they do not achieve desired results (usually
meaning, the problem/failure occurs or the risk of its occurrence actually increases).