as9100 interpretations

Bureau Veritas Certification Interpretations of The Standard. Guidance for Quality Management System Auditors.

Expectations for Companies Certifying to AS9100.

1 OF 61 AS Interpretation Rev. 0 - May 9, 2007

Bureau Veritas Certification has established certain minimum expectations for companies who

wish to register their Aerospace Quality Management Systems (AQMS) to AS9100. These

expectations are based upon our understanding of the requirements of the standard and the

requirements for third party registration/certification to the standard gained through our

collective experience in auditing quality management systems of many varied applications.

Additionally, The ISO Technical Committee (TC) has developed several guidance documents for

various requirements of ISO9001:2000 that are applicable to the requirements of AS9100. These

documents are available to the public via Internet website http://www.bsi.org.uk/iso-tc176-sc2.

These documents are referred to throughout this document.

Auditor Notes:

This document is not intended to add to, minimize, or in any way modify the requirements of the

standard and the requirements for accredited certification to the standard. It is meant to be a

guidance tool for Bureau Veritas Certification auditors providing common understanding on the

intent of the standard and certification requirements in addition to providing clarification of the

text. For organizations seeking registration/certification, this document provides insight as to the

expectations of Bureau Veritas Certification auditors.

In order to claim conformity with AS9100, the organization has to be able to provide objective

evidence of the effectiveness of its processes and its quality management system. Clause 3.8.1

of ISO 9000:2000 defines ‘Objective evidence’ as ‘Data supporting the existence or verity of

something’ and notes that ‘Objective evidence may be obtained through observation,

measurement, test or other means’. Objective evidence does not necessarily depend on the

existence of documented procedures, records or other documents, except where specifically

mentioned in AS9100. In some cases, (for example, in clause 7.1{d} Planning of product

realization, and clause 8.4 Monitoring and measurement of product), it is up to the organization

to determine what records are necessary in order to provide objective evidence.




AS9100 Interpretations

Element 4: Quality Management System

4.1: General

Section 4.1 includes the general requirements that must be met in order to establish, implement

and continually improve the effectiveness of a quality management system meeting the

requirements of the standard. These requirements are referenced to and/or further defined in

subsequent clauses of the standard. Table A, shown below, contains the cross-linked references.

Continual improvement of the effectiveness of the quality management system may be reflected

in a number of different areas. These may include:

� Quality objectives;

� Corrective and preventive actions;

� Internal audits;

� External audits;

� Review of customer satisfaction surveys and associated action items;

� Operation meetings producing improvement actions;

� Actions initiated by suggestion programs;

� Process Changes;

� Infrastructure and environment changes;

� Management Reviews

If continual improvement has become a way of life for a company, it is unlikely that a

demonstration of company wide continual improvement will come from only a few sources.

System deterioration would not necessarily lead to non-conformity if all actions were positive

and the improvement path is still evident and logical. The system would be questionable if the

company did not recognize it or had not reacted to the issues appropriately.

Note: It is the responsibility of the company to demonstrate improvement rather than the

auditor to look for it. Accordingly, it is useful audit practice to ask management to

identify any improvement initiatives taken since the previous visit, and any planned for

the future.

4.1 a) Process identification – Bureau Veritas Certification auditors will expect to see a process

model that explains the key processes of the business and how each relates and links to the

others. The depth of process explanation may be as detailed as the company chooses, but should




be based on its customer and applicable regulations or statutory requirements, the nature of its

activities and its overall corporate strategy. In determining which processes should be

documented the organization may wish to consider factors such as:

� Effect on quality

� Risk of customer dissatisfaction

� Statutory and/or regulatory requirements

� Economic risk

� Effectiveness and efficiency

� Competence of personnel

� Complexity of processes

Bureau Veritas Certification promotes the identification of Customer Oriented Processes

(COPS), Support Oriented Processes (SOPS) and Management Oriented Processes (MOPS)

while defining processes however, this is not a requirement. The auditor must see evidence that

the organization has identified and defined their processes.

The ISO TC document - ISO/TC 176/SC 2/N 544R - ISO 9000 Introduction and Support

Package: Guidance on the Concept and Use of the Process Approach for Management Systems,

provides basic information for understanding application of the process approach. The bulletin

defines a process as: A “Process” can be defined as a “Set of interrelated or interacting

activities, which transforms inputs into outputs”. These activities require allocation of resources

such as people and materials (http://www.bsi.org.uk/iso-tc176-sc2).

4.1 b) Sequence and interaction of these processes – The interactions of the processes must

somehow be described in the quality manual (4.2.2 c). The organization is not required to

produce system maps, flow charts, lists of processes etc. as evidence to demonstrate that the

processes and their sequence and interactions were identified. Such documents may be used by

organizations should they deem them useful, but are not mandatory. Graphical representation

such as flow-charting is perhaps the most easily understandable method for describing

interactions between processes. Other possible methods may include: documentation prepared

for implementation of the product management system (SAP, SYMIX, MRP, etc…); deployment

flowcharts; and pictorial diagrams.

The Completion of the Bureau Veritas Certification process matrix provides the relationship

between the organizations processes and the requirements of ISO9001:2000 however does not

show the interaction between the identified processes. If the organization chooses to use the

process matrix to show interaction, it must be supplemented with another method to show

process interaction. The Bureau Veritas Certification process matrix must be completed in order

to assist in the scheduling of the organizations audits.




4.1 c) Criteria and methods needed to ensure that both the operation and control of these

processes are effective. This could be demonstrated with stated objectives, instructions and or

procedures as required for consistent output of the processes.

4.1 d) Ensure the availability of resources and information necessary to support the operation

and monitoring of these processes. This may be through Management Review or other methods

for defining and determining resources.

4.1 e) Monitor, measure and analyze these processes - All identified processes are subject to

requirements for monitoring, measurement, and analysis for needed improvement. The methods

employed and the timing of such analysis should be based upon priorities established by the

organization. Auditor expects to see measurable objectives established for each process. These

objectives should support the organization’s overall objectives.

4.1 f) Implement actions necessary to achieve planned results and continual improvement of

these processes – Same as described above. Auditor expects to see corrective action taken when

measurable objectives fall below target or defined action level.

Outsourced Processes: Outsourced processes must be controlled by the organization and these

controls must be defined/described within their system. Organizations are required to identify the

controls they apply for any outsourced processes. The facility quality manual must identify if

outsource processes are applicable. In addition, the client shall have written documentation on

the methods used to control the outsourced process(es). Examples of some outsourced processes

are:

� Process completed wholly or partially by a sister facility outside the scope of registration.

Such as corporate performing design, purchasing or customer related processes. This may

include the entire element or a subsection i.e. corporate completes supplier evaluation and

re-evaluation of suppliers and the registered site initiates purchase orders.

� Processes completed by an outside vendor or subcontractor such as heat treating, plating,

calibration, painting, powder coating, etc.

Documented objective evidence must be ascertained to ensure that these processes are being

controlled beyond the basic purchasing requirements, which are focused on controlling products

not processes. The organization is responsible to ensure that the outsourced process is meeting

applicable requirements to ISO9001:2000. Outsourced processes may be controlled through such

methods as (not limited to):

� Internal Audits

� Internal Agreements between two sites where only the audited site is under the scope of

registration (Interface Agreements – Bureau Veritas Certification terminology)




� Process performance data

� Purchasing Process

ISO/TC 176/SC 2/N 630R2 ISO 9000 Introduction and Support Package: Guidance on

'Outsourced Processes: An outsourced process can be performed by a supplier that is totally

independent from the organization, or which is part of the same parent organization (i.e. a

separate department or division that is not subject to the same quality management system). It

may be provided within the physical premises or work environment of the organization, at an

independent site, or in some other manner…… The organization has to demonstrate that it

exercises sufficient control to ensure that this process is performed according to the relevant

requirements of ISO 9001:2000, and any other requirements of the organization’s quality

management system. The nature of this control will depend, among other things, on the

importance of the outsourced process, the risk involved, and the competence of the supplier to

meet the process requirements (http://www.bsi.org.uk/iso-tc176-sc2).

TABLE A: Cross-linked references

4.1 General requirements Relevant further clauses

a) Identify the processes, including

outsourcing, needed for the quality

management system and their application

throughout the organization (see 1.2),

5.4.2 QMS planning

7.1 Planning of product realization

8.1 General

b) Determine the sequence and interaction of

these processes,

5.4.2 QMS planning

7.1 Planning of product realization

4.2.2 (c)

c) Determine criteria and methods needed to

ensure that both the operation and control

of these processes are effective,

7.1 (c)

7.3.3 (c)

7.4.1 (Criteria for selection)

7.5.2

d) Ensure the availability of resources and

information necessary to support the

operation and monitoring of these

processes,

Whole of 6

e) Monitor, measure, and analyze these

processes, and,

Whole of 8.2

f) Implement actions necessary to achieve

planned results and continual

improvement of these processes.

These processes shall be managed by the

Whole of 5, 6, 7 and 8




organization in accordance with the

requirements of this International Standard.

Where an organization chooses to outsource

any process that affects product conformity

with requirements, the organization shall

ensure control over such processes. Control

of such outsourced processes shall be

identified within the quality management

system.

4.2: Documentation Requirements

4.2.1: General

The Quality Management System (QMS) “documentation” shall include:

4.2.1 a) Statements showing the organization’s quality policy (see 5.3) and quality objectives

(see 5.4.1).

4.2.1 b) A quality manual (see 4.2.2).

4.2.1 c) Procedures that this standard requires (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3).

4.2.1 d) Documents that the organization will need to ensure that the planning, operation, and

control of their processes is effective.

4.2.1 e) Records that this standard requires (see 5.6.1, 6.2.2, 7.1, 7.2.2, 7.3.2, 7.3.4, 7.3.5, 7.3.6,

7.3.7, 7.4.1, 7.5.2, 7.5.3, 7.5.4, 7.6, 8.2.2, 8.2.4, 8.3, 8.5.2, and 8.5.3).

4.2.1 f) quality system requirements imposed by the applicable regulatory authorities.

BV Certification: This requirements effectively invokes all pertinent requirements of the industry-

applicable regulatory agencies (e.g. FAA, CAA, JAA, etc.) such as those included in FAR Part 21,

145, etc. While the BV Certification auditor may not look for conformance to those specific

regulatory requirements – a nonconformance against a closely related requirement in Standard AS9100

may be cited.

The organization shall ensure that personnel have access to quality management system documentation

and are aware of relevant procedures. Customer and/or regulatory authorities representatives shall

have access to quality management system documentation.




BV Certification: It is expected that all personnel have access to relevant documentation, in any

appropriate format. Documentation can include procedures, work instructions, forms, travelers, drawings

and work standards. For complex operations, job packages should be at the workstation. In other

situations, it is sufficient for the co-worker to demonstrate knowledge of where the relevant

documentation is located.

The right of access by “customer and/or regulatory authorities” appears in several clauses throughout the

standard. A broad statement permitting right of access to quality documentation at the organization’s

facilities, coupled with flow down to suppliers and sub-tier suppliers (see section 7.4) is sufficient to

satisfy this requirement. See also the Interpretation comments under section 4.2.4, below.

4.2.2: Quality Manual

Exclusions from the quality management system must be described and justified within the

quality manual (see 4.2.2 a). The documented procedures established for the quality

management system must be included or cross-referenced in the quality manual (see 4.2.2 b). A

description of the interaction between the organization’s processes needs to be identified in the

quality manual (see 4.2.2 c).

The applicable processes might include those relating to four general categories: 1) Management

Activities, 2) Resource Management, 3) Product Realization, and 4) Measurement and

Monitoring. Most companies will prefer to focus on their own COPS, MOPS, and SOPS.

Manual content and design - There are many ways of documenting the quality management

system and organizations should adopt the approach that is most useful for effective operation of

their system.

Examples include:

� Flowcharts;

� Written text;

� Diagrams;

� System maps;

� Process maps;

� Process Turtles.




The quality manual may have many forms. Although many organizations structure their

documentation in a typical pyramid, it is not the only, and not always the most suitable, way. A

quality manual doesn't have to exist as a separate document. The quality manual may:

� Be a direct collection of QMS documents including procedures;

� Be a grouping or a section of QMS documentation;

� Be more than one document or level;

� Be in one or more volumes;

� Be a stand alone document or otherwise;

� Be a collection of separate documents.

The ISO 9001:2000 standard offers companies a possibility to establish effective, user-friendly

systems. This edition offers the current users a unique opportunity to streamline their quality

management system documentation.

A separate document "addressing" all the clauses of the standard is not required by the standard -

neither does the standard require the quality manual to "address" or "cover" the requirements of

the standard. The manual may be documented specifically to the organizations processes.

4.2.2 a) Scope – The organization may exclude portions of the standard that do not apply to their

quality management system due to the nature of the product or service that they supply. ISO

9001:2000 clearly limits and identifies which activities may be excluded. The justification for

exclusion and those considered not applicable must be clearly documented in the quality manual.

If, for example, design does not apply to the quality management system, the standard stipulates

(in section 1.2 Application) how a reduction in scope of the standard may be justified and

documented within the quality manual. Bureau Veritas Certification has defined exclusion

applicability to be within the clause Design and Development (7.3) only. All other potential

exclusions within section 7 must be identified as not applicable or not applicable at this time.

ISO TC Guidance - Document: ISO/TC 176/SC 2/N 524R3 ISO 9000 Introduction and Support

Package: Guidance on ISO 9001:2000 clause 1.2 'Application:

ISO 9001:2000 clause 1, Scope, defines the scope of the standard itself. This should not be

confused with the scope of the QMS, which is a term commonly used within the context of QMS

certification/registration to describe the organization and products to which the QMS applies

(http://www.bsi.org.uk/iso-tc176-sc2).

Auditor should discuss the difference between the scope of certification and the scope of the QMS

(i.e. what is on or will be on the organization’s certificate).

The scope of the QMS should be based on the nature of the organization's products and their

realization processes, the result of risk assessment, commercial considerations, and contractual,

statutory and regulatory requirements.




If an organization chooses to implement a quality management system with a limited scope, this

should be clearly defined in the organization's Quality Manual and any other publicly available

documents to avoid confusing or misleading customers and end users (this includes, for example,

certification/registration documents and marketing material).

Note: For multi-site/corporate certifications the auditor will expect to see that one quality manual

is applicable for all sites and that any changes are centrally controlled (see 4.2.3)

4.2.2 b) Documented Procedures – The manual must include reference to, at a minimum the six

required documented procedures (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3). The manual may

reference other documentation but must list those required documents in some format. This may

be in the form of a link or other such reference.

The notes after sub clause 4.2.1 in ISO9001: 2000 make it clear that where the standard

specifically requires a ‘documented procedure’, the procedure has to be established, documented,

implemented and maintained. It also emphasizes that the extent of the QMS documentation may

differ from one organization to another due to:

� The size of the organization and the type of activities;

� The complexity of processes and their interactions and

� The competence of personnel

- when referencing the documented procedures, the relationship between the requirements of

this International Standard [AS9100] and the documented procedures shall be clearly shown.

BV Certification: Points of reference may be throughout the manual when discussing pertinent

subjects (imbedded in the text). All of the referenced procedures may be listed together in an appendix

/ attachment to the manual. Or, the pertinent procedure(s) may be called out at the beginning or end of

each major section of the manual. A cross reference matrix is especially effective - linking specific

clauses in the Standard – to corresponding paragraphs in the quality manual – down to specific

paragraphs in the detailed procedure (or W/I as appropriate). Regardless of the approach, the intent of

the Standard is that there be a clear, unbroken, definitive trail from a particular requirement in the

Standard, into and through the quality manual, down to the procedural (and or work instruction) level

– such that users of the documentation can clearly and readily arrive at a description of how that

requirement in the Standard is satisfied / fulfilled in the organizations system documentation.

4.2.2 c) Interaction between processes – This requirement ties closely to section 4.1 b), which is

discussed in the previous paragraphs. The interactions between the quality management system

processes do not have to be separately described, or illustrated, by charts, tables or maps. If an

organization chooses to use a process map to show interaction, just using arrows is not sufficient




– a description or other depiction is required for interactions. An example might be an interaction

matrix listing COP’S across the top and SOP & MOP down the side.

Although many organizations may choose such a form, it is not a mandatory method.

Interaction between processes may be described, for instance, by way of references and/or cross-

references within the procedures, where the procedures form part of the Quality Manual. If the

procedures are not part of the Quality Manual, then the manual can not be consider acceptable to

the standard requirements, they can be in an appendix, addendum or hyper linked to the manual

if the system is electronic.

4.2.3: Control of Documents

A documented procedure is required for control of documents.

Guidance is given for documents and records in ISO/TC 176/SC 2/N 525R ISO 9000

Introduction and Support Package: Guidance on the Documentation Requirements of ISO

9001:2000 (http://www.bsi.org.uk/iso-tc176-sc2).

4.2.3 a) Approve documents – procedure must identify the approval process.

4.2.3 b) Review and update – All management system documentation must be covered by some

review strategy. The procedure must identify a period of time in which all documents are

reviewed on an ongoing basis. Different types / levels of documents may be reviewed at different

intervals / criteria and / or by different methods (i.e. – at each use, through internal audits, via

formal recalls and reviews, etc.), review should be conducted by personnel competent to do so.

Bureau Veritas auditors should assess whether review methodology demonstrates effective

document controls. Note – statutory / regulatory and customer / industry requirements may also

impact review methodology. A method must be in place to show review was completed where

there were no changes. Those documents that are updated must be put back through the

organizations required approval process (4.2.3 a).

4.2.3 c) Changes and current revision status – The procedure must identify how changes and

revisions to documents are identified. These must be identifiable for each document. How does

the user know what the changes are?

4.2.3 d) Availability of documents – procedure must identify how documents are made available

to employees. Auditor will expect to see that documents are readily available to employees

through out the facility at their points of use.

4.2.3 e) Documents are legible and readily identifiable – auditor will expect to see that

documents are maintained and remain legible and easily identifiable.




4.2.3 f) Documents of external origin – Documents of external origin are those that are produced

from outside the organization that are used by the organization in support of the quality

management system processes. The procedure must address if documents of external origin are

applicable and if so how these documents are controlled by the facility. The auditor expects to

see that controls are in place to ensure current versions are used and documents are controlled

within the facility.

4.2.3 g) Obsolete documents – Procedure must address how obsolete documents are controlled to

prevent unintended use and if retained how these documents are identified.

The organization shall coordinate document changes with customers and/or regulatory authorities in

accordance with contract or regulatory requirements.

BV Certification: The degree and type of documentation change “coordination” (if required at all)

will be defined by the customer and/or regulator agency. Additionally, the organization may add to

(but not contradict) details. “Coordination” may be as little as mere notification, to distributing

approved copies, up to and including formal approval by the customer / agency) prior to

implementation. Documents typically subject to this requirement include pre-approved contracts,

statements of work, inspection/test plans, “frozen” or “fixed” process plans and routings. The BV

Certification auditor will seek documented, objective evidence that such “coordination” has taken

place (as appropriate) and as prescribed in the organizations documented procedure.

Note: For multi-site/corporate certifications the auditor will expect to see that System

documentation and changes are centrally managed (usually performed at the headquarters

location).

4.2.4: Control of Records

Records required by the organization may be in any format deemed suitable for the organizations

method of operation. A documented procedure must be in place and define the controls needed

for:

� Identification – the procedure must identify the system/process is in place to identify

records. Have all required records been identified. Refer to Annex B of the ISO/TC

176/SC 2/N 525R - ISO 9000 Introduction and Support Package: Guidance on the

Documentation Requirements of ISO 9001:2000.

� Storage – where records are stored – specific location i.e. Quality filing cabinet in the QC

Laboratory.

� Protection – how individual records are protected i.e. tape back up every 24 hours (for

electronic records), fireproof safe, filing cabinet etc.




� Retrieval – any special requirements for retrieval. Generally dependant on location and

protection. May be a request process.

� Retention time – identification of how long each record will be maintained.

� Disposition of records – method for disposing of records i.e. shredding, burned, trash

A spreadsheet or other document may be used to identify the above requirements.

The documented procedure shall define the method for controlling records that are created by and/or

retained by suppliers.

BV Certification: The organization is ultimately responsible for all pertinent quality records that

apply to a given contract or order. Most such quality records are produced by the organization

themselves – but many are also created at the lower levels in the supply chain – at the organization’s

supplier(s) and at the supplier’s sub-tier sources. It is not uncommon for pertinent quality records to

exist at three or four levels down in the supply base. Typically, only the most significant records make

their way back to the organization. Those records that typically ‘bubble up’ are certifications and

inspection / test reports, nonconforming product concessions / waivers, etc. The majority of records

relating to the order / contract continue to reside at a level lower in the supply chain. Those records

retained by lower-level sources must still be subject to the organizations control. This control is often

managed and asserted by / through purchase order “flowdown” requirements – from the organization

to the lowest level supplier / subcontractor involved. Such “flowdown” requirements may specify

record retention periods, protection, disposition, disposal – and may describe the conditions under

which the record holder must forward the records to the organization.

Records shall be available for review by the customer and regulatory authorities in accordance with

contract or regulatory requirements.

BV Certification: This requirement most obviously applies to records maintained by the

organization. It equally applies to pertinent quality records retained by the organization’s suppliers

and by the supplier’s sub-tier sources. Pertinent records (at any level in the supply chain) may be kept

on-site, or at an off-site repository or by a remote records management service. In any event, retrieval

of such records should be relatively convenient and timely – so as not to impede “availability” to

customers and regulatory authorities. Compliance to this requirement is often managed and assured by

/ through purchase order “flowdown” requirements – from the organization to the lowest level supplier

/ subcontractor involved. Such “flowdown” typically invokes the “right of access” to all pertinent

quality records that may exist at any/all levels in the supply chain.

4.3 Configuration Management: The organization shall establish, document and maintain a

configuration management process appropriate to the product. NOTE: Guidance on

configuration management is given in ISO 10007.




BV Certification: Requirements for a Configuration Management (CM) process apply to virtually all

companies and products / services – and especially to those organizations performing Design and

Development activity – and to those responsible for the design of the product / deliverable. The

formality and complexity of the CM process will vary depending on the product. CM can be applied

to products, processes and processed materials (including individual components as well as

assemblies). A configuration is most often described in terms of its integral “configuration items”.

Fundamental “building blocks” of a CM process typically include: design change control, document

change control, process change control, product identification and traceability. Changes in any of

those disciplines might translate into “configuration” change. Documentation that helps define a

specific configuration might include drawings, specifications, bills of materials, routings/travellers,

change requests, First Article Inspection Reports, nonconforming product documents (including

deviations and waivers), “where used” listings, etc. Configuration “baselines” must be established,

and any subsequent changes must be identified and controlled. After a significant number of changes,

a new baseline (model, part number, etc.) may be established.

Element 5: Management Responsibility

Note that this section has nine references to top management. This is defined in ISO

9000:2000, 3.2.7 as “person or group of people who directs or controls an organization at the

highest level”. It is therefore essential to examine top management’s commitment to, and

support for, the QMS (and to record objective evidence to support any conclusions reached).

5.1: Management Commitment

It is necessary for auditors to obtain (and record) objective evidence of management

commitment.

This would include:

5.1 a) Evidence that top management has communicated to the organization the importance

of meeting customer requirements as well as statutory and regulatory requirements. This can

be achieved through meetings, newsletters, bulletin boards, training records etc.

NOTE - statutory and regulatory requirements are broad based and include all applicable

requirements for processes, products and activities.

5.1 b) Top Management’s establishment of and input into, and commitment to, the quality

policy (its definition, delivery and maintenance) through management review or other

meetings.

5.1 c) Documented quality objectives (for all processes).




5.1 d) Top Management’s active participation in management review meetings.

5.1 e) Evidence of a process for defining resource requirements and ensuring that adequate

resources are available.

In short, how well they address requirements 5.2 through 5.6.

5.2: Customer Focus

Customer requirements and customer satisfaction are directly linked with the process approach

concept in the standard. Auditors will seek objective evidence to demonstrate that the customer

requirements are indeed being met, whether the satisfaction is revealed in customer survey

results, repeat sales or any other type of mechanism that would reveal trends and lead to

improved customer satisfaction. Management review minutes might be a record where

Customer Focus is addressed. You might also look at Quality plans and or product plans that

include customer related requirements.

5.3: Quality Policy

It is expected that there is evidence that Top Management fully back the quality policy. The

standard identifies five specific points which requires that top management ensures that the

policy;

5.3 a) Is appropriate to the purpose of the organization

5.3 b) Includes a commitment to meeting requirements and to continual improvement of the

quality system

5.3 c) Provides framework for establishing and reviewing quality objectives

5.3 d) Is communicated and understood at appropriate levels in the organization

5.3 e) Is reviewed for continuing suitability.

Auditors must determine if the Quality Policy meets the intent and is understood, by

interviewing personnel at all levels. Although the exact policy does not need to be recited by

interviewees, the awareness of the quality policy and how their job affects the company

objectives should be determined. If personnel interviewed do not know what their measurable

objectives are and/or do not know what the organizational objectives are that they have a direct




effect on, the auditor would be further directed to evaluate managements communication of the

policy and objectives.

The Quality Policy must be documented (typically in the quality manual because it must be

controlled). The Quality Policy does not have to include objectives but should create a

framework for establishing them. The Quality Policy should be stated in such a way that it aims

toward continual improvement. It should be reviewed and possibly revised to meet higher

aspirations.

Bureau Veritas Certification does not require that the policy include the words “continual

improvement” in the written policy, however it must be ascertained that it is implied and known

through out the organization.

To meet the intent of this clause, the auditor would be looking for a clearly defined Quality

Policy that is sufficiently detailed to provide a framework for quality objectives that can be

monitored for continual improvement. An auditor would not want to see a vague policy, such as

“Our Policy is to Maintain Status Quo”.

When interviewing top management, their input into, and commitment to, the quality policy

needs to be determined. Is it theirs, or have they clearly just signed something written for them

by the management representative?

Note: For multi-site/corporate certifications the quality policy must be applicable for all sites.

5.4: Planning

5.4.1 Quality Objectives

Auditor must determine that the organization has developed measurable quality objectives for

relevant functions and levels of the organization. Bureau Veritas Certification expects overall

objectives to be established at the facility/corporate level and objectives established for each

identified process. Process objectives shall support the organization’s overall objectives.

The organization must establish what the “relevant functions” of the organization are, however at

a minimum this will include all defined processes (reference 4.1 a, c, e). Sub-processes, projects,

or individual objectives would be at the discretion of organization. The auditor may want to ask

what criteria were used to determine if functions are relevant or not. It would be left up to the

company to determine if a cost or added value benefit would result from including or not

including functions of the operation when establishing quality objectives.




If some functions or levels have been excluded, it may be necessary to explore, evaluate (and

record) the reasons for such omissions (which might be quite acceptable at that particular stage

in the continual improvement process).

The organization must identify quality objectives that can be measurable, such as “vendor on-

time rating”, “on-time delivery”, “all employees will have completed an ISO 9001 awareness

class” and “all machines will have clearly defined procedures on their usage.” If the objectives

were not measurable (including a time-based element where appropriate), they would not meet

the intent of the standard.

The objectives do not have to be defined in a specific document although the objectives are

required to be documented (see 4.2.1 a). Objectives can either be defined in associated

procedures or instructions, or could be recorded in meeting minutes such as management review

records. The organization must have a process that ensures that all the objectives are clear and

communicated to all employees who can influence the defined objective(s). The organization

should be able to demonstrate that the objectives are being measured and reviewed (see 4.2.4 and

8.5.1).

5.4.2: Quality Planning

Auditors have to use their judgment in evaluating the entire collected audit evidence in order to

assess effectiveness of planning activities. The auditor may also satisfy him/herself that planning

was done, by interviewing the personnel involved in establishing or achieving specific quality

objectives.

Auditors are recommended to attribute such QMS deficiencies to relevant clause, requirements

of which were contravened, rather than to clause 5.4.2.

Determining effective and efficient planning may be found by evidence of:

� All those planning activities undertaken to establish the QMS in accordance with

clause 4.1.

� The existence of an effective, documented, and implemented QMS that provides

collective evidence demonstrating that these planning activities have been performed

effectively.

� Deficiencies in the quality system that may indicate that these planning activities

were not quite effective.

� The evidence and use of Strategic Plans, Business Plans, Management Review

results, Contingency Plans, Quality Objectives, any programs or plans, documented

or not, such as Minutes of meetings, Memos, Internal communications.




Where there is lack of documented evidence, an auditor may satisfy him/herself through

interviewing the personnel at those levels and functions involved in achieving particular

objectives to determine the level of planning.

Another methodology allowing audit of effective planning involves review of the progress in

implementation of such plans aimed at adhering to individual objectives.

5.5: Responsibility, Authority and Communication

5.5.1: Responsibility and authority

In order for the auditor to be satisfied that the intent of this element has been met, he/she may

review organization charts, job descriptions or a responsibility matrix. Identification of

responsibility and authority could be written into procedures and/or work instructions, as well.

The auditor may also use interviews of individuals to determine if responsibility and authority

has been communicated effectively.

5.5.2: Management Representative

Responsibilities to include:

5.5.2 a) Ensuring that the processes needed for the quality management system are established,

implemented and maintained.

5.5.2 b) Reporting on the performance of the system to top management.

5.5.2 c) ensuring the promotion of awareness of customer requirements, and

5.5.2 d) the organizational freedom to resolve matters pertaining to quality.

BV Certification: The Management Representative (MR) need not be a member of the Quality

organization, though this is most often the case. Any management-level individual from any

organization / discipline is acceptable. Of utmost importance is that the MR has freedom within the

company’s organizational, political, cultural and communication arenas. This freedom necessitates

that the MR have access mobility, both vertically and horizontally, and especially across departmental

boundaries. It is expected that the MR have at least a dotted-line relationship with executive

management that may be exercised on an exception basis – if/when internal “influences” impede the

MR’s normal “freedom”. It is sometimes difficult to observe / demonstrate the MR’s organizational

freedom. More apparent are situations where this freedom is limited, restricted or even nonexistent.

This problem may be evident in cases of unresolved Quality problems, recurring problems,




ineffective/untimely corrective action responses, low customer satisfaction and perception, ineffective

internal audits, lack of system/process improvement, etc.

Promotion of customer awareness might include news releases, meetings, training, photographs,

models; examples of products demonstrating required visual attributes. We look for one

individual to be the management representative in terms of defined responsibility. However,

implementation of those responsibilities may be in the form of a defined and delegated team.

Note: The management representative is responsible for ensuring it happens – not making it

happen, which is the job of line management.

Note: For multi-site/corporate certifications the auditor will expect to see that there is a

management representative with overall responsibility across all sites for ensuring that

requirements are established, implemented, maintained, and for reporting on performance.

5.5.3: Internal Communication

Although there is no mandate for documenting methods for communication, the auditor will

expect to find evidence of communication through interviews with employees. Evidence could

possibly include the employees understanding of process linkage and effectiveness, customer

satisfaction levels, preventive and corrective action information, on time delivery, quality costs,

returned material, non-conformances. This could be communicated by access to the computer

network, an information board, newsletters, or even process routers, checklists, and

multifunctional meetings (see 6.2.2 d). The type and extent of the documentation will depend on

the nature of the organization’s products and processes, the degree of formality of

communication systems and the level of communication skills within the organization and the

organization culture.

5.6: Management Review

5.6.1: Management Review - General

IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first time

registration/certification, a full round of Management Review meeting(s), including documented

evidence of all required inputs and outputs, must be completed prior to the

registration/certification audit (note a full internal audit cycle must be completed prior to this

review – see 8.2.2 Internal Audit). For multi-site/corporate certifications the review must

include inputs (as appropriate) from each site (see the standard 5.6.2 a – g). Normally, the review

process is conducted at the headquarters location.

Top management shall review the quality management system at planned intervals not only for

continuing suitability and effectiveness, but also adequacy. Additionally, this review shall




include assessing opportunities for improvement, the need for changes to the system, the quality

policy, and quality objectives.

These words are more prescriptive which cause a more proactive expectation and approach to

keeping the system current and useful and maintaining improvement activities. The auditor

cannot prescribe the intervals for reviews to occur, but can look for evidence that the frequency

is sufficient to accomplish the requirements of the standard. Although the dictionary would

suggest that suitable and adequate are the same, the standard seeks to distinguish both the system

from a global perspective of adequacy as well as the detailed suitability of the many processes

that comprise the system.

5.6.2: Management review input

The auditor will expect to see documented evidence that the (7) required inputs are discussed

during the review. Although a documented procedure for management review is not required,

records of such reviews are required (see the standard - 5.6.1 General). The minimum (7) inputs

are required in those records (see the standard 5.6.2 a – g). Evidence of cross functional input is

also expected, which means one person alone could do the review, but there would need to be

evidence of multifunctional input in the evaluation of the system and its status and actions

concluded.

5.6.3: Management review output

Output should focus on decisions and actions related to system improvement (5.6.3 a), product

improvement for customer requirements (5.6.3 b), and resource needs (5.6.3 c). Auditors expect

to see that some documented conclusions have been developed. The output record must include

evidence of action and progress for system improvement, customer requirements, resource needs

as it all relates to system health. It is important to note that a documented procedure may or may

not exist. It should also be noted that formal meetings for review may or may not happen and

still be complaint - such as in the case of being accomplished in stages; on going process review;

or by circulated documentation covering the system incrementally.

Element 6: Resource Management

6.1: Provision of Resources

The intent of this section is to ensure that adequate resources are provided to continually improve

the effectiveness of the quality management system (6.1 a) and to enhance customer satisfaction

by meeting customer requirements (6.1 b). Auditor would expect to see a process for evaluating




and determining resource needs. This may be through management review, production planning,

budget review, long range planning etc.

The auditor should determine that process activities are not prevented by a lack of resources.

Auditors may review instances where customer requirements were not met and determine if a

lack, or insufficiency, of any resources was causation factors of these instances. This

requirement also ties to paragraphs 5.1 and 5.6.3, which address management’s responsibility to

determine and provide necessary resources. Additionally, any clear evidence of resource

problems links directly to this section.

6.2: Human Resources

6.2.1: General

The standard requires that personnel be “competent”. This could be demonstrated by a person

being “qualified”. Competence may be based on appropriate education, training, skills,

experience, and/or demonstrated performance.

6.2.2: Competence, awareness and training

The intent of this section is to ensure that suitably competent people are performing the activities

as defined in the quality system. Evidence of the effectiveness of the training or other means of

providing competent employees must be available. Employees must be aware of the impact that

they have on the overall quality system. The auditor would expect employees to be able to

verbalize how their job activities contribute to the achievement of the quality objectives.

6.2.2 a) Determine the necessary competence - The requirement is in emphasis toward validating

training and other activities aimed at ensuring employee competence. Identification of

competency is essentially a precursor to identification of training needs. The organization should

determine knowledge and/or skills an employee would need to be considered competent, in their

opinion, to perform a particular job. The company could then determine if the employee

performing the job possesses that knowledge or skill and, if not, consider it a training need.

Changes in the business and its environment may necessitate new competencies, which may not

be available. Therefore the identification of competencies may need to be revisited. There is no

requirement for any particular frequency of such re-review. Competency may be defined in a job

description, position profile, or by any other method or associated documents such as specific

instructions or procedures. Usually competency is determined during performance reviews, if the

organization does not perform reviews of this nature, other methods for determining personnel

competence would need to be defined and records verified.




6.2.2 b) Provide training or take other actions - The requirement allows for options other than

training to obtain competent personnel. Training includes all those activities where a learning

opportunity needs to be satisfied. It may take a number of forms:

� Classroom style, tutor led training;

� Hands on experience training;

� Shadowing

� Individual or group coaching;

� Mentoring;

� Briefings;

� Distance learning;

� Technology based training (CD ROMS, web based etc);

� Workshops.

Organizations will choose whichever form best suits their needs at any particular moment. Other

actions to bridge competence gaps might include:

� Recruitment;

� Outsourcing;

� Acquisitions;

� Use of experts and/or consultants.

� Documented procedures or work instructions

All such means are acceptable as long as an organization has ensured the availability of the

competencies needed.

6.2.2 c) Evaluate the effectiveness of the actions taken - The requirement is aimed at ensuring

that the training or other activity has produced the desired result. This requirement could be met

in a variety of ways, including, but are not limited to:

� Observation of personnel performing their duties;

� Written or oral exams;

� Assessment of employee in achieving learning objectives during the course of the

training program;

� Audit of performance at work focusing, for example, on:

� Productivity;

� Reduction of rejects;

� Efficiency;

� Interviews with the persons;

� Annual appraisal.

� Performance reviews;




� Discussions;

� Evaluation of performance, quality or other indicators;

� Cost reviews;

� Customer satisfaction assessment (see 8.2.1).

6.2.2 d) Ensure that its personnel are aware of the relevance and importance of their activities

(perhaps by internal communication – see 5.5.3) and how they contribute to the achievement of

the quality objectives - The requirement could be met in a variety of ways. Options include:

� Training;

� Memos, and/or meetings regarding the impact of various individual or departmental goals

on quality objectives;

� Plant tours or briefings where an individual’s work and goals are shown as an integral

part of the larger processes;

� Cross functional teams working towards quality objectives and reporting their progress to

their departments.

Any activity that allows individuals to understand how their efforts affect quality objectives may

satisfy this requirement. All personnel need to know the specific measurable objective(s) for the

process that they work in; they should also know what organizational objective their process

effects. They should be able to demonstrate that they know what the actual measurable is, their

progress towards that goal, what the plan is to achieve the goal. If they do not know the actual

numbers, they should be able to communicate the topics of the measurable and know where the

actual measurements are maintained or posted.

6.2.2 e) Maintain appropriate records - The requirement expands record keeping requirements to

include education, skills and experience, in addition to training, where appropriate. There are a

great variety of ways to record and provide evidence of training, education, skills and

experience. Records may include:

� Diplomas;

� Certificates;

� Training log;

� Annotations in shift logs;

� Toolbox meeting notes;

� Attendance lists;

� Resumes;

� Employment history;

� Test results.

Such records may be filed in any location as long as the requirements of 4.2.4 are observed.




6.3: Infrastructure

It is the organization’s management who determines the adequacy of the infrastructure provided

by the organization. Auditors will seek objective evidence to demonstrate that the necessary

infrastructure exists for the quality management system to be effectively implemented, for

improvement of its effectiveness, and for fulfilment of customer requirements. Auditor would

expect to see a process in place for maintenance of the building(s), equipment and any other

supporting services. This is generally the responsibility of the maintence and IT departments.

6.4: Work Environment

The organization must identify and manage all those factors of the work environment that are

needed to supply a conforming product. These factors may include among others:

Human Factors � Creative work methods;

� Opportunities for greater involvement of personnel;

� Safety rules and guidance;

� Ergonomics;

� Special facilities for people.

Physical Factors � Heat;

� Noise;

� Light;

� Hygiene;

� Humidity;

� Cleanliness;

� Vibration;

� Pollution;

� Airflow.

Different types of businesses and industry sectors may vary dramatically with regard to an

acceptable work environment, so it is the organization’s management who determines the

adequacy of the work environment provided by the organization.

For instance;

� A training provider may need to ensure the training area is adequately lighted and

contains appropriate seating and visual aid capabilities.

� Some manufacturing facilities may require “clean rooms” or humidity-controlled areas.




� Companies handling items easily damaged by electrostatic discharge may require special

flooring or equipment, and chemical storage areas may require special protective barriers.

As an additional example, an employee might perform a particular function that requires

repetitive wrist movements (i.e., tightening a screw). As the day wears on, it is possible that the

overuse of the wrist could result in poorly torqued screws resulting in a possible quality defect.

The company should identify such a situation and provide a means of eliminating the potential

defect (i.e., air-driven screwdrivers). Evidence could consist of records of decreased quality

defects and/or medical problems related to that activity.

Element 7: Product Realization

Exclusions/non-applicability can be claimed with in element 7 only. “Exclusion” should

only be taken for clause 7.3 Design and Development and must be fully justified in the

quality manual. Other sections within element 7 may be claimed as “not applicable” or “not

applicable at this time”.

7.1: Planning of product realization

An organization needs to plan in advance for how they will manufacture their product or deliver

their service. The plans need to take into account the product requirements and any quality

objectives (7.1 a) that might be appropriate, resources and documents that may be necessary (7.1

b), what type of monitoring and/or inspection activities should be put in place to ensure the

product or service will meet the requirements (7.1 c), and what types of records should be kept

(7.1 d). While the sub-clause does not state that the output of this planning must be documented,

it does state that it must be in a form suitable for the organization’s method of operations.

7.1 e) the identification of resources to support operation and maintenance of the product.

BV Certification: The resources to support operation and maintenance of the product may include

tech manuals, tooling, fixtures, lubricants, etc. This requirement is aimed at operational and

maintenance organizations, not at manufacturing organizations. The intent is for the operational and

maintenance organizations to positively identify the resources that they require to perform the

operational and maintenance activities related to the product in the field.

7.2: Customer Related Processes

7.2.1: Determination of requirements related to the product

This clause promotes an up-front determination of all requirements related to the product.




This includes requirements for “servicing” which are now included as “post-delivery activities”,

which implies anything that is provided after the customer has received the product (i.e. repair

and/or warranty work, installation, maintenance, etc.).

Specific to 7.2.1 (a)

Post delivery activities may include among others:

� Product support

� Servicing where applicable

Specific to 7.2.1 (b)

Auditors should determine how the organization was proactive in evaluating if there were any

additional requirements for the product or service’s intended use. If the organization determined

there were not any additional requirements this should be evident in associated records, if there

were additional requirements then evidence should be present how they were addressed in the

affected process i.e. design, purchasing, manufacturing.

The analogy that can be used here is a screwdriver, everyone knows the intended use of a

screwdriver, put in and take out screws. However with a screwdriver, there are requirements that

are not stated but are intended for use, such as using a screw driver to open paint cans, could be

used as a chisel, pry bar, magnetization might be an issue, also if used around electricity the

handle should be nonconductive, but none of these requirements might be stated by the customer,

but the manufacturing organization would need to address these non-stated requirements for the

screwdriver’s intended use.

Specific to 7.2.1 (c)

The organization shall determine applicable Statutory and regulatory requirements related to the

product (i.e., taking these requirements into account when designing a product or service). This

includes ensuring process control (i.e., ensuring that these requirements were met).

Statutory requirements are those that are stipulated by local/national governments that form part

of regional, national and international legislation.

Regulatory requirements are those imposed by regulatory bodies. In the UK the HSE (Health &

Safety Executive) and in the USA, the EPA (Environmental Protection Agency) are examples of

these. These requirements are not necessarily part of national legislation.




Compliance with regulatory requirements issued by national regulators (i.e. by The Rail

Authority) may be mandatory for those organizations to which they apply if a statutory

instrument requires so.

Organizations are required to comply with a number of legal requirements to be allowed to

operate. Management must be aware of the requirements that apply to its products, processes

and activities and should include these requirements as part of the quality management system

(ISO 9004:2000 – 5.2.3). Auditor must verify that these requirements are identified.

Auditors have to be aware that as the national legislation may apply to product intended for the

domestic market, in the case of export sales, organizations will be required to consider the

statutory and/or regulatory requirements in the target country that may apply to (a) product(s)

supplied.

Organizations are not required to maintain the lists of applicable statutory and/or regulatory

requirements, nor need they maintain copies of these documents except as required by clause

7.3.2(b). Organizations must ensure that they have adequate access to / or knowledge of

applicable statutory and regulatory requirements.

7.2.2: Review of requirements related to the product The sub-clause mandates that the organization shall not issue a quotation or accept an order until

it has been reviewed to ensure requirements are defined and the organization has the capability to

meet the defined requirements. It goes on to require that records of the review and any

subsequent actions be maintained. If the customer does not provide their requirements in writing

(i.e., telephone call), the requirements must be confirmed before they are accepted. If the

requirements are changed, all documents must be amended and relevant persons must be

notified. A note is included that covers situations such as internet sales where a formal review of

each order is impractical, stating, instead, that the review could cover the product information

provided in catalogs and advertising material.

d) risks (e.g. new technology, short delivery time scale) have been evaluated.

BV Certification: The potential for “risks” exists in virtually every contract or order. The

Standard mentions only two of the most obvious examples (i.e. new technology and short

delivery time scales). Types of potential risks vary greatly depending upon contractual

requirements, requirements of regulatory authorities, design responsibility, product requirements,

safety and airworthiness considerations, production processes, operational constraints, business

conditions / limitations, materials, procurement sources, outsourcing, etc., etc. Just a few

extreme examples that may pose ‘risk’ include: potential labor strikes, facilities relocations or




shutdowns, environmental or climatic factors, production capacity limitations, availability of

materials, adequacy of procurement sources, absence of key personnel, outage of vital

equipment, etc. To a reasonable and practical extent, any and all such potential risks should be

identified and their impact evaluated before accepting the contract or order. Records of contract

reviews should demonstrate / document some level of deliberate, thoughtful “risk evaluation”

activity, delineation of identified risks (if any), and resultant actions taken to mitigate or

eliminate the risks.

7.2.3: Customer communication

The organization must establish effective arrangements for providing the customer with product

information (i.e., catalogs or advertising that adequately describe the product or service), means

of handling inquiries and orders, and a method for handling customer comments (both

compliments and complaints).

There is no potential for excluding section 7.2, as every organization has external customers.

Where an organization with a stand-alone QMS is part of a larger group or corporation, and is

taking orders solely from a central Group or Corporate Sales Organization outside its certified

scope and delivering them to a central Group or Corporate Distributor outside its certified scope,

then the Sales and Distribution organizations are technically external customers, invoking 7.2

routines.

7.3: Design and development

This clause addresses product/service development as well as (conceptual) design, so

organizations involved in product/service development will have to address some or all of

section 7.3 of ISO 9001:2000.

Many companies perform some enhancements or minor reconfiguration of mature designs, and

are able to use the guidance of ISO 9004:2000 in order to address some or all of section 7.3 of

ISO 9001:2000.

Some organizations subcontract design and have managed this via sections 4.1 and 7.4 of ISO

9001:2000. Such organizations may have to introduce a comprehensive design system or

process, however may have to address design and development as it is applicable to the

organization. They may have to address some or all sections of 7.3 to the extent that they apply.

Document: ISO/TC 176/SC 2/N 524R3 ISO 9000 Introduction and Support Package:

Guidance on ISO 9001:2000 clause 1.2 'Application' provides excellent guidance and examples

on this topic (http://www.bsi.org.uk/iso-tc176-sc2).




7.3.1 Design and development planning

Although the standard does not require a documented procedure, the design process needs to

demonstrate how the process is controlled and planned. The organization, however, will need to

provide some type of objective evidence as to what the planning activities include. This can be

accomplished with the use of time-lines, gant charts or any other planning method such as

Microsoft project manager. In addition the auditor should see objective evidence of how the

interfaces between other processes are managed, either through statements in associated

procedures, process mapping, matrix approach or in the time line planning.

- in respect of organization, task sequence, mandatory steps, significant stages and method of

configuration control

BV Certification: The organization is responsible for the identification the design and

development stages. AS9100 imposes some additional and specific clarification of the

information required: which elements of the organization are involved, where in the task

sequence the stages begin/terminate, significant stages and configuration control. These

additional requirements may be recorded in formal project plans, Gantt charts, checklists or in

similar documentation.

Where appropriate, due to complexity, the organization shall give consideration to the following

activities:

- structuring the design effort into significant elements;

- for each element, analyzing the tasks and the necessary resources for its design and

development. This analysis shall consider an identified responsible person, design content,

input data, planning constraints, and performance conditions. The input data specific to each

element shall be reviewed to ensure consistency with requirements.

BV Certification: Even though this section begins “where appropriate”, all except the very smallest

design and development projects will have defined stages and the stages usually will contain multiple

tasks. It is clear that the records need to demonstrate some level of planning. It is important that the

process owners are identified and that the required technical personnel are indeed available to work on

the project. Although not specifically required, a table of engineering manpower allocation (projects

with associated engineering hours) would be helpful to ensure that sufficient technical manpower is

available. It is important to note that should be evidence of a review of input data to ensure

consistency of requirements.

The different design and development tasks to be carried out shall be defined according to specified

safety or functional objectives of the product in accordance with customer and/or regulatory authority

requirements.




BV Certification: This is a check at the planning stage to ensure that the design and development

activity actually will address all customer and regulatory requirements. The auditor will expect to see

evidence of this check. Refer also to Interpretation for section 4.2.1f, above, for a discussion of

regulatory requirements.

7.3.2 Design and development inputs

The auditor will need to review evidence that the inputs (7.3.2 a – d) have been addressed based

on the nature of the product being produced, that they have been reviewed for adequacy and that

records are maintained of the activity.

7.3.3 Design and development outputs

The auditor should expect to see objective evidence that the outputs (7.3.3 a – d) have been

verified against the design inputs. This can be accomplished by reviewing documents, plans, etc.

interfacing with the customer or internal processes and by comparison with past proven designs.

e) identify key characteristics, when applicable, in accordance with design or contract requirements.

BV Certification: As noted in Definitions (section 3, above), key characteristics may be identified by

the customer (and/or regulatory authorities), as well as by the organization. Once key characteristics

have been identified, usually at the Planning and/or Design and Development (D&D) Input stage, they

must be then addressed also as part of D&D Output. The organization must show that the developed

product specifically satisfies the input requirements for key characteristics.

All pertinent data required to allow the product to be identified, manufactured, inspected, used and

maintained shall be defined by the organization; for example:

- drawings, part lists, specifications;

- a listing of those drawings, part lists, and specifications necessary to define the

configuration and the design features of the product;

- information on material, processes, type of manufacturing and assembly of the

product necessary to ensure the conformity of the product.

BV Certification: The standard is clear; all documentation relating to the developed product must be

identified as part of the D&D output. These may be included in a summary report or as part of a

design review.

7.3.4 Design and development reviews




Reviews shall be conducted in accordance to the time line or plan established at the beginning of

the design activity. Reviews shall show evidence that all activities required in each phase of the

design have been addressed or adjustments made. Records should show who attended the

reviews and that all concerned parties were present and that all actions were satisfied before

proceeding forward with the design process.

c) to authorize progression to the next stage.

BV Certification: Design and development (D&D) reviews may vary in terms of purpose, frequency,

complexity, formality, attendance and associated output documentation / review records. Regardless,

there must be clearly documented evidence that an authorized individual(s) has reviewed the results /

progress / status of each prescribed D&D stage / activity. Before the D&D plan can proceed to the

next stage – a responsible/authorized person (or personnel) must provide documented, objective

evidence of progression approval (signatures being preferred). Progression authorization may appear

as a specific signoff on a review checklist, in review minutes, in evaluation reports, on D&D plans,

timeline charts, etc. An undocumented, passive agreement or consensus of opinion will not

sufficiently meet the intent of this requirement.

7.3.5 Design and development verification

Design verification basically means that the product can be produced as designed and that output

meets the intended inputs. Additionally it should show that the organization has the capability to

produce the product with existing equipment and has the personnel competencies or has the

ability to train or subcontract the required capabilities.

NOTE: Design and/or development verification may include activities such as:

- performing alternative calculations,

- comparing the new design with a similar proven design, if available,

- undertaking tests and demonstrations, and - reviewing the design stage documents before release.

BV Certification: No interpretation necessary.

7.3.6 Design and development validation

Validation has to ensure capability of meeting “intended use where known” as well as specified

requirements, and has been completed prior to delivery and implementation wherever practicable

(typically as a prototype or first article). In most organizations they can’t rely on the customer to




perform the validation, the lack of a negative response from the customer does not meet the

intent of this clause. The organization should have records that the product designed will meet

defined user needs prior to delivery of the product to the customer. Methods of validation could

include simulation techniques, proto-type build and evaluation, comparison to similar proven

designs, beta testing, field evaluations, etc. Irrespective of the methods used, the validation

activity should be planned, executed with records maintained as defined in the planning activity

in 7.3.1.

NOTES:

- Design and/or development validation follows successful design and/or development

verification.

- Validation is normally performed under defined operating conditions.

- Validation is normally performed on the final product, but may be necessary in

earlier stages prior to product completion.

- Multiple validations may be performed if there are different intended uses.


7.3.6.1 Documentation of Design and/or Development Verification and Validation: At the completion

of design and/or development, the organization shall ensure that reports, calculations, test results, etc.,

demonstrate that the product definition meets the specification requirements for all identified

operational conditions.

BV Certification: This is added check to ensure, at the conclusion of the D&D effort that

documentation and supporting data that was generated during the design and subsequent

verification/validation does in fact meet all the input requirements. This clause supports the

conclusions that should have been reached at Design Review. The auditor would expect to see

evidence that verification and validation satisfy the input requirements.

7.3.6.2 Design and/or Development Verification and Validation Testing: Where tests are necessary for

verification and validation, these tests shall be planned, controlled, reviewed, and documented to ensure

and prove the following:

a) test plans or specifications identify the product being tested and the resources being used,

define test objectives and conditions, parameters to be recorded, and relevant acceptance

criteria;

b) test procedures describe the method of operation, the performance of the test, and the

recording of the results;

c) the correct configuration standard of the product is submitted for the test;

d) the requirements of the test plan and the test procedures are observed;




e) the acceptance criteria are met.

BV Certification: When testing is used to support verification and validation, the test results must

meet the requirements presented in this clause.

7.3.7 Design and development changes

Design and development changes (after the original verification and validation) have to be

“verified and validated as appropriate” (as well as reviewed) and to “include evaluation of the

effect of changes on constituent parts and products already delivered”. If the organization

chooses not to perform re-verification and re-validation on every design change, then the auditor

should expect to see some very well defined criteria as to when the activity needs to occur. This

includes any changes that do not affect fit, form or function.

The organization’s change control process shall provide for customer and/or regulatory authority

approval of changes, when required by contract or regulatory requirement.

BV Certification: The degree and type of the D&D change will often dictate the degree of

approval required. Other conditions for “approval” will be defined by the customer and/or

regulator agency. Additionally, the organization may add to (but not contradict) details.

“Approval” may be as little as mere notification, to distributing approved copies, up to and

including formal approval by the customer / agency) prior to implementation of the change.

Documents typically subject to this requirement include pre-approved drawings. The BV

Certification auditor will seek documented, objective evidence that such “coordination” has

taken place (as appropriate) and as prescribed in the organization’s documented procedure.

7.4: Purchasing

7.4.1 Purchasing Process

It would be extremely uncommon for purchasing to be excluded from the quality management

system (i.e., perhaps applying to such situations as small consultancies using no subcontractors,

and using proprietary office materials and equipment that do not directly impact on product or

service performance – but not to many other situations).

Where procurement is centrally controlled by a corporate procurement organization outside the

scope of the QMS of the auditee organization, this is not justification for exclusion of 7.4 in its

entirety. The audited organization is certainly responsible for providing purchasing information

(7.4.2) to the corporate procurement organization, and for verification of purchased product

(7.4.3) – and perhaps participating in the re-evaluation process. In the event that a corporate

office or other entity, outside the scope of registration, performs any sections of purchasing this




shall be considered an outsourced process per requirements identified in section 4.1. Bureau

Veritas Certification auditors would expect to see a documented agreement in place (i.e. an

Interface Agreement) between the organization and the supplier.

Auditor will expect to see a process is in place for evaluating and selecting suppliers as well as a

process for ongoing re-evaluation of suppliers. While a written procedure for purchasing is not

required, records of evaluation and actions arising from the evaluation are required to be

maintained.

The organization shall be responsible for the quality of all products purchased from suppliers,

including customer-designated sources.

BV Certification: In the context of this and other requirements of the Standard, “product” includes

parts, materials, process services, etc. It is readily apparent that an organization is ultimately

responsible for the quality of product purchased from its own suppliers / subcontractors. This

requirement extends the scope of the organization’s responsibility to include that for product

purchased from customer-designated and/or customer-designated sources. The type and extent of

control exercised over customer-designated or customer-approved sources may be justifiably different

than that exercised over sources chosen / approved by the organization themselves. Regardless,

customer-approval and/or customer-designation of sources does not relieve the organization of the

responsibility to procure conforming “product”.

The organization shall

a) maintain a register of approved suppliers that includes the scope of the approval.

BV Certification: A “register” could be in most any format and media – hardcopy, electronic, a paper

listing, an electronic file as part of a procurement software program, or even a manual card file. The

register must be a complete, finite compilation of all approved suppliers / vendors / subcontractors -

including those that are customer-designated / approved. The register must include sources that

provide goods, products and services that relate to the organization’s products, processes and Quality

management system. Compiling the register(s) is a relatively simple and direct task. The second part

of this requirement – “ . . . that includes the scope of the approval.” involves more thought. The

“scope of approval” should describe the extent (or limitation) on what the source can (or can’t) provide

or perform. The description of the “scope” can be narrative or coded. Some examples:

− Acme Machining – conventional metal machining except for chemical milling and wire EDM.

− Acme Hardware Distributors – all metal, mechanical fasteners except for rivets.

− Acme Metal Distributors – all ferrous and non-ferrous metals except for titanium and inconel.

− Acme Heat Treating – heat treating processes

.




b) periodically review supplier performance; records [results] of these reviews shall be used as the basis

for establishing the level of controls to be implemented.

BV Certification: The periodicity of supplier performance reviews may vary across the

organization’s supply base. That is, all suppliers may not have the same review frequency. Also, the

type and extent / scrutiny of the review may vary from one supplier to another. These performance

reviews should be planned and meaningful - often involving cross-functional involvement (i.e.

Quality, Purchasing, Manufacturing, Engineering). The reviews must be based on factual input data.

Recorded results are to be used to determine ongoing / future levels or control over the supplier.

Favorable performance results might justify relaxing / reducing the type/extent of control – while

unfavorable results would suggest the need to “tighten-up” on the supplier.

c) define the necessary actions to take when dealing with suppliers that do not meet requirements.

BV Certification: This requirement relates closely to the requirement above (7.4.1 b) regarding

supplier performance reviews. Conditions / events that indicate that a supplier is not meeting

requirements might include: poor results from performance reviews, occurrences and repetition of

nonconformances, corrective action inadequacy and lateness, incoming inspection failures, untimely

delivery performance, etc. The organization needs to define / describe specific actions they will take if

the supplier is not meeting expectations / requirements. This usually includes an “escalation” process

– beginning with simple documented notification, followed by corrective action requests, then possibly

special on-site audits and increased controls up to and including removal from the approved supplier

listing. The auditor will expect to see documented, objective evidence of actions taken.

d) ensure where required that both the organization and all suppliers use customer-approved special

process sources.

BV Certification: The intent of this requirement includes customer-approved and customer-

designated sources as well. The requirement applies not only to the organization and their immediate

suppliers – but also to all lower-level, sub-tier sources involved in the contract or order. Compliance

to this requirement usually begins with thorough review of customer requirements, identifying those

sources that are customer-designated and customer-approved, then “flowing-down” (via purchasing

documents) the requirement to all applicable lower-level sources. It is not unusual for this requirement

to apply to sources that are 3-4 levels down in the supply chain.

e) ensure that the function having responsibility for approving supplier quality systems has the

authority to disapprove the use of sources.

BV Certification: The “function” having approval responsibility might not be confined to a single

person of department. Often, approval is a cross-functional or multi-functional event – involving

Quality, Purchasing Engineering, Manufacturing, etc. – as appropriate. If any or all of those




“functions” (entities, personnel, departments, etc.) have been given approval responsibility, then they

must have disapproval authority as well.

7.4.2 Purchasing Information

Purchasing information may take many forms however is generally a purchase order or

requisition. The auditor will expect to see that the information clearly describes the product to be

purchased as well as any other requirements, including as appropriate:

7.4.2 a) the approval of products, procedures, processes and equipment.

7.4.2 b) the qualification requirements of personnel.

7.4.2 c) the QMS requirements.

7.4.2 d) the name or other positive identification, and applicable issues of specifications, drawings,

process requirements, inspection instructions and other relevant technical data

BV Certification: Describing the “applicable issues” is the essence of this requirement. “Issues”

refers to the revision level (number, letter, date, etc.) of the document / data that is being invoked on

the supplier. “Applicable” infers that the version being invoked is not necessarily the latest / current

revision – an earlier version may be desired. Even if the organization does indeed wish to invoke the

latest / current version – they must identify the specific revision. It is not sufficient for them to simply

state “latest revision”. Doing so gives the supplier insufficient, ambiguous information. The supplier

may not have the wherewithal to determine what the latest revision is – and may mistakenly /

ignorantly use the “latest” (though outdated) version in their possession.

7.4.2 e) requirements for design, test, examination, inspection and related instructions for acceptance

by the organization

BV Certification: as applicable. When the purchased product is clearly defined (e.g. by

specifications, drawings, etc.), an understanding needs to be in place to ensure that the supplier

understands that the product must in fact meet requirements. Further, the supplier must understand

that correction and/or corrective action will be expected if the delivered products do not meet the

purchase requirements. This understanding is normally achieved through a statement to that effect in

the purchase order or in the terms and conditions (T&Cs).

7.4.2 f) requirements for test specimens (e.g., production method, number, storage conditions) for

design approval, inspection, investigation or auditing




BV Certification: this clause applies, if applicable.

7.4.2 g) requirements relative to

− supplier notification to organization of nonconforming product and

− arrangements for organization approval of supplier nonconforming material

BV Certification: The organization must communicate these requirements to their suppliers. For

some reason, many organizations fail to communicate these requirements. Evidence of notification is

required.

7.4.2 h) requirements for the supplier to notify the organization of changes in product and/or process

definition and, where required, obtain organization approval

BV Certification: Same as notification of nonconforming product (above). Evidence of notification

is required.

7.4.2 i) right of access by the organization, their customer, and regulatory authorities to all facilities

involved in the order and to all applicable records

BV Certification: As above, evidence of notification is required.

7.4.2 j) requirements for the supplier to flow down to sub-tier suppliers the applicable

requirements in the purchasing documents, including key characteristics where required

BV Certification: As above, evidence of notification is required.

7.4.3 Verification of Purchased Product

Auditor will expect to see a process is in place to verify that purchased product meets

requirements. This may take many forms depending on the product. Auditor will verify that these

requirements are known and being accomplished. This may include receiving inspection and

testing, visual inspection, receipt of certificates of conformance etc. In the event verification will

take place at the suppliers premises the method for doing so must be stated in the purchasing

information.

Verification activities may include

a) obtaining objective evidence of the quality of the product from suppliers (e.g.,

accompanying documentation, certificate of conformity, test reports, statistical records,

process control),

b) inspection and audit at supplier’s premises,




c) review of the required documentation,

d) inspection of products upon receipt, and

e) delegation of verification to the supplier, or supplier certification

BV Certification: The standard provides some guidance here with respect to the type of verification

activities. Quite obviously, the auditor needs to determine which activities apply to the organization

and to then audit accordingly.

Purchased product shall not be used or processed until it has been verified as conforming to specified

requirements unless it is released under positive recall procedure.

BV Certification: It is expected product is only rarely “released under positive recall” prior to

verification of conformance. The organization has the responsibility of defining what verification

activities are necessary to determine conformance. Typically, this is embodied in the “type and

extent” of control that the organization exercises over purchased product.

Where the organization utilizes test reports to verify purchased product, the data in those reports shall

be acceptable per applicable specifications. The organization shall periodically validate test reports for

raw material.

BV Certification: When using test report to verify purchased product, the organization must be able

to substantiate that the data in the test reports is indeed acceptable. Commonly, assigned personnel

(often an individual associated with the Quality function) will review the certificates of test against the

applicable specifications, placing a check (√) next to the acceptable values. Initials or quality stamp

would be evidence of the review. Merely placing the certificates in a file folder is not evidence of

review.

The test reports must be validated “periodically”. The organization needs to define the periodicity.

Validation of the first test report each year is often used. This would be acceptable if there are no

nonconformities associated with a product. In the case of bar stock that is produced by a given mill

but purchased from several distributors, validation of the product from a single distributor would be

considered to be acceptable. The auditor needs to make a judgment with respect to the interval

between validations. Typically volume and criticality would be important considerations.

Where the organization delegates verification activities to the supplier, the requirements for delegation

shall be defined and a register of delegations maintained.


Where specified in the contract, the customer or the customer’s representative shall be afforded the

right to verify at the supplier’s premises and the organization’s premises that subcontracted product

conforms to specified requirements.




BV Certification: This is another example of right of entry. The organization needs a documented

statement permitting right of entry.

Verification by the customer shall not be used by the organization as evidence of effective control of

quality by the supplier and shall not absolve the organization of the responsibility to provide acceptable

product, nor shall it preclude subsequent rejection by the customer.


7.5 Production and Service Provision

7.5.1: Control of product and service provision

There is the possibility of defining sub-clauses 7.5.1 b) work instructions, 7.5.1 c) the use of

suitable equipment, and 7.5.1 f) post delivery activities as not applicable to the scope of their

quality management system. The non-applicability of these items must be justified in the quality

manual (4.2.2 a) and must not “affect the organization’s ability, or responsibility to provide

product that meets customer and applicable regulatory requirements” (1.2).

The auditor will expect to see that production activity is well defined and understood. This is

generally ascertained through interviews with employees on the production floor, review of

documentation and observations. The auditor will verify the following at a minimum:

Planning shall consider, as applicable,

- the establishment of process controls and development of control plans where key characteristics

have been identified,

- the identification of in-process verification points when adequate verification of conformance

cannot be performed at a later stage of realization,

- the design, manufacture, and use of tooling so that variable measurements can be taken,

particularly for key characteristics, and - special processes (see 7.5.2).

BV Certification: These requirements generally reflect good planning. Objective evidence might

include detailed work instructions, set-up sheets, shop travellers and instructions for in-process/ final

inspection.




7.5.1 a) the information describing the characteristic of the product. This may be in the form of a

work order, traveller, schedule etc.

7.5.1 b) the availability of work instructions or procedures as applicable. These may be in any

format (electronic or paper); instructions may simply be included on the work order or traveller.

Instructions do not have to be documented and could simply be provided through training. The

auditor will review Control of Document, 4.2.3 as applicable.

7.5.1 c) the use of suitable equipment. The auditor will expect to see evidence that equipment is

suitable for the process and that it is maintained. The auditor will investigate how equipment is

maintained and how malfunctions are handled. This may be in conjunction with Infrastructure

6.3.

7.5.1 d - e) the availability of suitable monitoring and measuring devices and the implementation

of monitoring and measurement. Measuring and monitoring may require record keeping i.e.

operator log sheets, inspection sheets, routers or other documentation. Documentation will be

reviewed as applicable per Control of Records 4.2.4.

7.5.1 f) the release, delivery and post delivery activities. Whether in process or final the auditor

will expect to see that release, delivery and post delivery activities are defined. This may include

release to the next process or for shipment to customers.

7.5.1 g) accountability for all product during manufacture (e.g., parts quantities, split orders,

nonconforming product)

BV Certification: The organization needs to demonstrate a process of accountability for manufactured

product. This is often accomplished through the use of travelers or through bar coding at the

workstations. The effectiveness of the process for ensuring accountability needs to be verified during

the audit. Sometimes parts are physically lost, either internally or during outside processing.

Whenever there are issues surrounding product accountability, the organization needs to demonstrate

appropriate corrective action.

7.5.1 h) evidence that all manufacturing and inspection operations have been completed as planned,

or as otherwise documented and authorized

BV Certification: Many organizations control manufacturing and inspection operations through use

of shop travellers with operator initials after each operation has been completed. A similar result can

be achieved through the use of bar codes that are scanned at each workstation. Whatever method is

used, the auditor should verify that all manufacturing and inspection operations for representative jobs

have been completed. If evidence of completion for all operations is lacking, the reason needs to be

“documented and authorized”.




7.5.1 i) provision for the prevention, detection, and removal of foreign objects,

BV Certification: The organization must have a process for eliminating foreign objects. The extent

of control will vary widely, dependent upon the nature of the product. Service industry, for example,

would not be concerned with foreign objects. Manufacturers of solid parts without cavities might

control foreign objects by simple cleaning and packaging. Manufacturers of complex parts and

assemblies (i.e. with enclosed or deep cavities) would be expected to have more proactive processes.

Examples of measures taken to control F.O.D include detailed work instructions, shadow boards (to

identify missing tools) and F.O.D training programs.

7.5.1 j) monitoring and control of utilities and supplies such as water, compressed air, electricity

and chemical products to the extent they affect product quality

BV Certification: The key words here are “to the extent necessary”. Many manufacturing companies

control the quality of compressed air through the use of filters and routine maintenance of this

equipment. Organizations with sophisticated analytical instrumentation may monitor and control

power sources. Other organizations may need no special control of the utilities and supplies. The

bottom line is that if there are processes where such control is important, there must be evidence of

adequate control.

7.5.1 k) criteria for workmanship, which shall be stipulated in the clearest practical manner (e.g.,

written standards, representative samples or illustrations)


7.5.1.1 Production Documentation: Production operations shall be carried out in accordance with

approved data. This data shall contain as necessary

a) drawings, parts lists, process flow charts including inspection operations, production

documents (e.g., manufacturing plans, traveler, router, work order, process cards); and

inspection documents (see 8.2.4.1), and

b) a list of specific or non-specific tools and numerical control (NC) machine programs

required and any specific instructions associated with their use.


7.5.1.2 Control of Production Process Changes: Persons authorized to approve changes to production

processes shall be identified.




BV Certification: The auditor would expect to see a procedure or a documented statement that

identifies those individuals authorized to approve changes to production processes. Engineering input

is usually required for such process changes.

The organization shall identify and obtain acceptance of changes that require customer and/or

regulatory authority approval in accordance with contract or regulatory requirements.


Changes affecting processes, production equipment, tools and programs shall be documented.

Procedures shall be available to control their implementation. The results of changes to production

processes shall be assessed to confirm that the desired effect has been achieved without adverse effects

to product quality.

BV Certification: A process should be in place to ensure that changes to not affect product quality.

Many manufacturing companies run a first piece prior to running a job. This is especially important if

there have been changes to the production process. Verification may be through operator checks or

more formal inspection. If the change is determined to be a process change, customer notification

and/or first article inspection may be necessary.

7.5.1.3 Control of Production Equipment, Tools and Numerical Control (NC) Machine Programs:

Production equipment, tools and programs shall be validated prior to use and maintained and inspected

periodically according to documented procedures. Validation prior to production use shall include

verification of the first article produced to the design data/specification.

BV Certification: see section 7.5.1.3 above.

Storage requirements, including periodic preservation/condition checks, shall be established for

production equipment or tooling in storage.


7.5.1.4 Control of Work Transferred, on a Temporary Basis, Outside the Organization’s Facilities:

When planning to temporarily transfer work to a location outside the Organization’s facilities, the

organization shall define the process to control and validate the quality of the work.

BV Certification: It is incumbent on the organization to demonstrate that work transferred outside,

even on a temporary basis, is performed to the requirements of this AS9100 standard. Generally, the

level of control should be more than a purchase order. Examples of such control could be approval of




the supplier’s quality system through third party certification or by a second party audit of the

supplier’s facility. In some instances, there may be an outsourcing agreement per section 4.1.

7.5.1.5 Control of Service Operations: Where servicing is a specified requirement, service operation

processes shall provide for

a) a method of collecting and analyzing in-service data,

b) actions to be taken where problems are identified after delivery, including investigation,

reporting activities, and actions on service information consistent with contractual and/or

regulatory requirements,

c) the control and updating of technical documentation,

d) the approval, control, and use of repair schemes, and

e) the controls required for off-site work (e.g., organization’s work undertaken at the

customer’s facilities).

BV Certification: Clearly this section applies to organizations with off-site field service functions.

This section also applies to those organizations that assist customers with end use applications for

delivered products or have in-house repair operations. Merely addressing customer product related

complaints does not constitute service. It is important to verify collection and analysis of in-service

data. It is important also that service data are disseminated within the organization and included in the

corrective action process, as appropriate. Organizations that are strictly “make-to-print” shops may be

able to justify exclusion of this section.

7.5.2: Validation of processes for production and service provision

This clause applies exclusively to “special processes” – and not to all the processes of the quality

management system in general.

This clause may be considered within the quality management system as not applicable. Any

organization that does not have any “special processes” can clearly note this clause as not

applicable.

Where “special processes” have been identified, Bureau Veritas Certification auditors will expect

to see that 7.5.2 a- e have been arranged as appropriate, which includes ensuring that:

7.5.2 a) the organization establishes arrangements to ensure that these processes are reviewed

and approved.

− qualification and approval of special processes prior to use




BV Certification: Since special processes are, by definition, those processes where “the resulting

output cannot be verified by subsequent monitoring and measurement”, the auditor would expect to

see evidence that the special processes were indeed qualified and approved prior to use.

7.5.2 b) the equipment used and the personnel involved are qualified.

7.5.2 c) specific methods and procedures are used (may require documentation).

− control of the significant operations and parameters of special processes in accordance with documented

process specifications and changes thereto,


7.5.2 d) records are maintained.

7.5.2 e) re-validation is performed for those instances where, for example, a deficiency is found.

As an example, it may be determined that an individual is actually not qualified to

perform a particular “special process”. Training may be provided to improve the

individual’s skills, following which the individual’s qualifications should be re-validated

to ensure they are capable of providing the planned results.

7.5.3: Identification and traceability

Organizations cannot completely exclude 7.5.3. Despite the phrase “where appropriate”, no

organization can wholly claim non-applicability for “identification”. However, traceability can

be identified as not applicable where it is not a requirement of the customer, the product

regulatory requirements, or of the organization itself.

The auditor will expect to see that product is identified (as appropriate) and its status with

regards to monitoring and measuring (conforming or not) is identified throughout the product

realization processes. Where traceability is a requirement, the auditor will expect to see that the

organization is controlling and recording the unique identification of the product. This

documentation is a required record per Control of Records 4.2.4.

The organization shall maintain the identification of the configuration of the product in order to

identify any differences between the actual configuration and the agreed configuration.

BV Certification: This section relates directly to Configuration Management, see detailed explanation

under section 4.3.




When acceptance authority media are used (e.g., stamps, electronic signatures, passwords), the

organization shall establish and document controls for the media.


According to the level of traceability required by contract, regulatory, or other established requirement,

the organization’s system shall provide for:

a) identification to be maintained throughout the product life

b) all the products manufactured from the same batch of raw material or from the

same manufacturing batch to be traced, as well as the destination (delivery, scrap)

of all products of the same batch

c) for an assembly, the identity of its components and those of the next higher assembly to

be traced

BV Certification: The main issue here is the nature of the “identification”. The organization that is

manufacturing to customer specifications or drawings cannot add unauthorized identification to

manufactured product. However, depending upon the product, the organization may record

manufacturing job numbers and lot numbers of subassemblies and purchased components.

According to the level of traceability required by contract, regulatory, or other established requirement,

the organization’s system shall provide for:

d) for a given product, a sequential record of its production (manufacture, assembly, inspection) to

be retrieved.

BV Certification: Job travelers or electronic bar codes provide a sequential record of production.

Production documentation are quality records and should be controlled in accordance with section

4.2.4

7.5.4: Customer property

The auditor will expect to see that the organization has clearly identified any and all customer

property. The auditor will verify that the organization has established a process to protect

customer property. Further a process must be established for contacting the customer when these

items are lost, damaged or otherwise found unsuitable for the process. This communication to the

customer must be maintained as a Quality Record 4.2.4.

Customer property may include (not limited to):

� Components supplied for inclusion into the product.




� Packaging material

� Transport

� Intellectual property – drawings, specifications etc including customer furnished data used

for design, production and/or inspection.

BV Certification: The aerospace community makes extensive use of proprietary blueprints, drawings,

specifications and similar documents, in electronic and/or hard copy format. The documents themselves

often indicate the confidential nature of these documents. The organization must have evidence of a

process for proper disposition of obsolete documents. “Dumpster” does not demonstrate adequate

control.

� Equipment or tools

7.5.5: Preservation of product

Auditor will expect to see that adequate measures are taken to protect/preserve product during

internal processing and delivery to the intended destination. The preservation process must

include the following:

� Identification - this is relative to 7.5.3 – Identification and Traceability however for

preservation of product it is a requirement and not “as applicable”. Auditor will expect to

see that all products are clearly identified.

� Handling - auditor will verify that suitable handling methods are implemented throughout

the processes. This may include bulk handing using moving equipment or physical

contact where handling may influence product conformity.

� Packaging - auditor will expect to see that methods have been established for packaging

product to preserve integrity.

� Storage - auditor will expect to see that product is stored in locations and in a manner to

safe guard product.

� Protection – auditor will verify that appropriate measures are in place to protect product.

This may vary widely depending on the product.

Preservation of product shall also include, where applicable in accordance with product specifications

and/or applicable regulations, provisions for:

a) cleaning;

b) prevention, detection and removal of foreign objects;

c) special handling for sensitive products;




d) marking and labelling including safety warnings;

e) shelf life control and stock rotation;

f) special handling for hazardous materials.

BV Certification: Preservation of product should be observed throughout the product realization

process. In a manufacturing environment, parts may, for example, be separated to prevent surface

damage and covered to prevent contamination. There should be a process for controlling shelf life

sensitive products. A good practice would be to have a system for the positive recall of shelf life

sensitive products – before the expiration date.

The organization shall ensure that documents required by the contract/order to accompany the product

are present at delivery and are protected against loss and deterioration.

BV Certification: Organizations generally take precautions to ensure that the proper documents are

present at shipping. It is considerably more difficult to ensure that they are present at delivery. Some

companies fax duplicate documents to their customers. The auditor might check records of customer

complaints to determine whether there have been complaints relating to missing documents and to

review any subsequent actions.

7.6: Control of monitoring and measuring devices

Companies with no measuring equipment can claim non-applicability for this (as addressed

from paragraph 3 of section 7.6 of the standard onwards).

The clause addresses devices as well as equipment, and reconfirmation of computer software as

necessary. The first two paragraphs address monitoring and measuring devices, and can be

applicable to service companies as well as manufacturing organizations. For example, in a

training organization, where consistency of evaluating and grading trainees (the product) needs

to be assured, then calibration may be applicable.

The organization shall maintain a register of these monitoring and measuring devices, and define the

process employed for their calibration including details of equipment type, unique identification,

location, frequency of checks, check method and acceptance criteria.

BV Certification: The “register” could be in most any format and media – hardcopy, electronic, a

paper listing, an electronic file as part of a calibration software program, or even a manual card file.

The register must be a complete, finite compilation of all devices under calibration control - including

those owned by the company, by its employees (if used for conformity acceptance), and those that are




customer-supplied. Company-owned devices that are on loan to suppliers are to be included as well.

Even if a device is calibrated by an‘outside’ service provider – it must be on the list. Inactive devices

(though not currently under calibration control) should be on the list (with its status so noted). The

register must also include pertinent data described by the Standard (e.g. device type and identification

number, location, calibration frequency, check method, acceptance criteria, etc.).

NOTE: Monitoring and measuring devices include, but are not limited to: test hardware, test software,

automated test equipment (ATE) and plotters used to produce inspection data. It also includes

personally owned and customer supplied equipment used to provide evidence of product conformity.


The organization shall ensure that environmental conditions are suitable for the calibrations,

inspections, measurements and tests being carried out.

BV Certification: The auditor should verify that the suitable environmental conditions are defined

and that calibration, monitoring and measuring activities have been performed in accordance with

these defined conditions. Sending measuring and test equipment to an outside laboratory does relieve

the organization of controlling this requirement.

7.6 a) be calibrated or verified at specific intervals or prior to use. Devices must be calibrated

using measurement standards traceable to international or national measurement standards.

Where there is no standard available for the device the basis for calibration or verification

must be recorded. Auditor expects to see that traceable standards are used and where

applicable have not expired. Where calibration is completed by an outsourced process

(vendor), the records of traceability must be reviewed.

7.6 b) Adjusted or readjusted as necessary. Auditor will expect to see evidence that devices

found to be out of calibration are adjusted/re-adjusted by qualified personnel and the

validity of the previous measuring results are accessed when a device is found to be out of

calibration and appropriate action is taken (may include recall of product). Auditor will

expect to see that a process is in place to provide traceability of each device to the

process/product the device was used on. The results of calibration and verification are

required to be maintained as quality records.

7.6 c) be identified to show calibration status. Auditor will expect to see that each device is

identified in such a way that the user can determine that the device has current calibration.

Generally this is accomplished with a calibration sticker that provides a unique

identification for the device, current calibration date and next calibration date. Other

methods may be used however must clearly identify the calibration status. Where the




environment is not contusive to the use of stickers, status may identified by color coding,

identification number with associated calibration record, and/or calibrated prior to very use.

7.6 d) Safeguarded from adjustments. Auditor would expect to see that a process is in place to

ensure that users outside the calibration process do not adjust devices. Devices may be

verified prior to use however any adjustments made to a device must meet all requirements

of this section.

7.6 e) be protected from damage during handling, maintenance and storage. Auditor will expect

to wee that measuring devices are handled and stored in a manner to protect the device

from damage.

7.6 f) be recalled to a defined method when requiring calibration.

BV Certification: Typically there is a spreadsheet or database that lists the date that calibration was

due for calibration and the dates when the calibration was actually performed. A review of

instruments past due for calibration should provide an indication of the effectiveness of the recall

process.

The auditor will expect to see a process is in place to determine required measuring and

monitoring to be accomplished as well as the devices needed to provide evidence of conformity.

Many facilities use calibration software including a calibration master list of all devices. While

this is not required, all devices requiring calibration must be identified and shall:

Clause 8: Measurement, Analysis and Improvement

8.1: General

The means (i.e. ‘processes’) and resources for accomplishing the three (3) requirements must be

planned for and implemented. The processes must address four (4) different, but related,

aspects:

1) Monitoring (i.e. examination, information and data collection, and reporting)

2) Measurement (i.e. determination and comparison of ‘performance indicators’ against

‘actuals’ against ‘knowns’, or against expectations and requirements – i.e.

inspections, tests, product and process audits, systems audits, SPC, etc.)

3) Analysis (review of data, evaluation of results and variances, causation analysis,

application of statistical techniques, etc.)

4) Improvement (i.e. corrective and/or preventive action, refinement, enhancement,

etc.)




The various techniques, methodologies, resources, tools (including statistical techniques), and

applicable procedures need to be determined for these Measurement, Analysis and Improvement

‘processes’. This is not for an organization to state that there is no need to use a statistical

technique, if there is variability in their process or product characteristics, then there is a need for

the use of a statistical technique.

Fulfillment of the requirements in Section 8 is important if the organization is to fully embrace

and effectively apply the principles of the “Process Model” and the “Plan Do Check Act”

model.

8.2: Monitoring and Measurement

8.2.1: Customer Satisfaction

It is recognized / understood that Customer Satisfaction is:

� A viable, effective (albeit partial) measurement of the performance (merits, benefits,

adequacy, suitability, effectiveness, etc.) of the quality system.

� An objective, goal, expectation of the quality system.

ISO 9000:2000, 3.3.5 defines the “Customer as the organization or person that receives a

product.” The examples stated are; “consumer, client, end-user, retailer, beneficiary and

purchaser”. It is intended that the customer satisfaction measurements be focused on external

customer but in addition can include internal customers. Internal customer satisfaction measures

can be contained in the establishment of the organizations defined internal process measurable

objectives. Measuring only internal customer satisfaction would not meet the intent of this clause

and must include all interested parties where appropriate.

Customer Satisfaction is determined by the organization measuring its customers perception as to

whether they have satisfied their customers’ requirements – and may be somewhat subjective or

‘qualitative’ as much as ‘quantitative’. Customer complaints are a common indicator of low

customer satisfaction but their absence does not necessarily imply high customer satisfaction.

Simply capturing customer complaints and product returns will only gauge ‘dis-satisfaction’ –

which does not fully meet the intent of the clause and will not satisfy these requirements. The

organizations management should analyse the implications of the absence or existence of

customer complaints.

Process definition is needed. The various techniques, methodologies, tools, resources, etc.

(forms, surveys, frequency, targeted customers, responsibilities, external survey service

companies, benchmarking, etc.) and applicable procedures need to be determined for:




1) Obtaining customer satisfaction information (i.e. identifying, collecting, monitoring

and reporting various data/information)

2) Using customer satisfaction information (analyzing, understanding and responding to

– i.e. making changes, corrections, enhancements and improvements to the

products/services/quality system)

The requirements in 8.2.1 interrelate closely with those in sub-clauses:

� 5.2 Customer Focus (…. with aim of enhancing customer satisfaction.)

� 8.4 a) Analysis of Data – customer satisfaction

� 8.5.1 Continual Improvement (via analysis of data)

� 5.6.2 b) Management Review Input – customer feedback

� 7.2.3 Customer Communication – customer feedback & complaints

8.2.2: Internal Audit

IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first time

registration/certification, a full round of internal audits, including documented evidence that all

processes and sections of the standard have been audited, must be completed “prior to” the

registration/certification audit being conducted. For multi-site/corporate certifications all

processes performed at each site must be included in the initial round of internal audits. It is an

expectation that internal audit planning and the evaluation of the internal audit results across all

sites will be performed by the headquarters location (i.e. centrally managed). The results of this

evaluation are to be presented during the management review process (see 5.6). The organization

shall have documented conclusions based on the outcomes of all process, product and system

audits in terms of the effectiveness of the QMS based on audit results. This may be in a stand-

alone document (e.g. Annual Audit Report) or be a part of the management review records. The

conclusions should be based on the audit team leaders conclusions along with the audit team.

Auditor will expect to see a documented procedure developed that defines responsibilities and

requirements for planning and conducting audits, reporting results and maintaining records (see

4.2.4). The Auditor must make a determination if the internal audit process is effective in

maintaining the integrity of the quality management system. A statement indicating the level of

effectiveness must be included in the summary section of the Bureau Veritas Certification audit

report. In the event the auditor cannot state that the audit process is effective, a nonconformance

should be raised.

Internal audits shall be planned based on the status and importance of the processes executed, in

other words more emphasis (time audited) on those processes that have a direct or significant

impact on the achievement of the organizational goals. In addition, previous audit results must be




considered in the scheduling of future internal audits. Auditor will expect to see a schedule (plan)

that has been developed considering the status and importance of the processes, previous audit

results, and selection/assignment of auditors to ensure objectivity/impartiality (auditors can not

audit their own work). Bureau Veritas Certification expects the internal audit process and

internal audit schedules will reflect the process approach. If the organization only has an audit

schedule based on the clauses of the standard, then this will not be considered acceptable, would

not be reflective of the process approach, not based on the status and importance of the processes

or reflect previous audit results. In all likelihood this will result in a nonconformance to the

standard against 8.2.2.

The auditor must see evidence that the audits include the requirements of ISO 9001:2000 as well

as the requirements established by the organization. Nonconformances raised during the audit

must be addressed without undue delay. The auditor will expect to see that a process is in place

to ensure that actions taken are implemented to eliminate the nonconformance and the cause. A

process must be in place for follow up to ensure that the action(s) taken were effective. The

results must be recorded. Auditors would expect to see that nonconformances follow the

requirements of 8.5.2. However, there is no requirement to have one corrective action system and

therefore it is acceptable to have a separate process for audit nonconformances as long as

requirements for corrective action 8.5.2. are being met.

Requirements of 8.2.2 interrelate closely with those in sub-clauses:

� 5.6.2 a) Management Review Input – results of audits

� 8.5.1 Continual Improvement (via use of audit results)

� 8.5.2 Corrective Action (to eliminate deficiencies found in the audit)

� 8.5.3 Preventive Action (resulting from audit, analysis and observations)

Detailed tools and techniques shall be developed such as check sheets, process flowcharts, or any

similar method to support audit of the quality management system requirements. The acceptability of

the selected tools will be measured against the effectiveness of the internal audit process and overall

organization performance.

Internal audits shall also meet contract and/or regulatory requirements.

BV Certification: Although the organization needs to demonstrate the use of “detailed tools and

techniques”, there is considerable latitude with respect to what those might be. An important point

here is that the audit process must provide an accurate reflection of the effectiveness of the audit

process and the organization’s performance. If the internal audit process has indicated few areas for

corrective action while the third party audit has identified numerous areas of nonconformance, the a

formal corrective action request may be justified.

8.2.3: Monitoring and Measurement of Processes




Applicable processes need to be identified in the Quality Manual, along with a description of the

interaction between those processes. The applicable processes might include those relating to

four general categories: 1) Management Activities, 2) Resource Management, 3) Product

Realization, and 4) Measurement and Monitoring, but most companies will prefer to focus on

their own particular COPS, MOPS, and SOPS.

Fulfillment of the requirements in this sub-clause is important if the organization is to fully

embrace and effectively apply the principles of the “Process Model”, the “Plan Do Check Act”

model.

The requirements of 8.2.3 interrelate closely with those in sub-clauses:

� 4.2.2 c) Quality Manual (include a description of interaction between processes)

� 5.6.2 a) Management Review Input (process performance)

� 8.5.1 Continual Improvement (via analysis of data)

� 4.1 e & f) General Requirements – (to implement, measure, monitor, Analyze and

continually improve the processes).

The organization should identify monitoring, and, where appropriate, measurement methods to

evaluate process performance. The organization should incorporate these measurements into

processes and use the measurements in process management. Measurements of process

performance should cover the needs and expectations of interested parties in a balanced manner.

Examples (from ISO 9004:2000) might include:

� Process capability

� Reaction time

� Cycle time or throughput

� Measurable aspects of dependability

� Yield

� The effectiveness and efficiency of the organization’s people

� Utilization of technologies

� Waste reduction

� Cost allocation and reduction

In the event of process nonconformity, the organization shall

a) take appropriate action to correct the nonconforming process,

b) evaluate whether the process nonconformity has resulted in product nonconformity, and

c) identify and control the nonconforming product in accordance with clause 8.3.

BV Certification: Processes need to be monitored, measured and analyzed (section 4.1). If the

process metrics indicate an area of nonconformance, the nonconformity must be corrected, i.e. as part




of continual improvement. It is anticipated that section 8.2.3 can be audited together with section 4.1.

If the process nonconformity has resulted in a product nonconformity, the audit trail could lead to

corrective action (section 8.5.2) and control of nonconforming product (section 8.3).

8.2.4: Monitoring and Measurement of Product

The organization must show evidence that a process is in place to monitor and measure the

characteristics of product to verify that requirements are being met. This must be accomplished

at appropriate stages of the product realization process and must be defined as required per

Planning of Product Realization 7.1. Auditor will verify that records are maintained to provide

evidence of conformity and indicate the person(s) authorizing the release of products. The

release of product or delivery of service must not be completed until the planned requirements

(7.1) have been met. For product release or service delivery, the planning requirements may be

waived, but must be approved by relevant authority and by the customer as appropriate.

When key characteristics have been identified, they shall be monitored and controlled.


When the organization uses sampling inspection as a means of product acceptance, the plan shall be

statistically valid and appropriate for use. The plan shall preclude the acceptance of lots whose samples

have known nonconformities. When required, the plan shall be submitted for customer approval.

BV Certification: The requirement for statistically valid sampling applies when the organization

chooses to use sampling inspection. If the organization has had the use of a sampling plan imposed on

it by a customer or through the requirements of a product specification, then the organization is

expected to follow those requirements.

When an organization chooses to use sampling inspection it must be based on a statistically valid plan

in which the acceptance number is zero and the reject number is one. The use of any plan that allows

the acceptance number other than zero shall result in a major nonconformity by the Bureau Veritas

Certification auditor, as such a plan allows nonconforming product to enter the supply chain.

Product shall not be used until it has been inspected or otherwise verified as conforming to specified

requirements, except when product is released under positive-recall procedures pending completion of

all required measurement and monitoring activities.

BV Certification: Although it is anticipated that product is only rarely “released under positive

recall” prior to verification of conformance, the organization has the responsibility of defining the

necessary controls.




8.2.4.1 Inspection Documentation: Measurement requirements for product or service acceptance shall

be documented. This documentation may be part of the production documentation, but shall include

a) criteria for acceptance and/or rejection,

b) where in the sequence measurement and testing operations are performed,

c) a record of the measurement results, and

d) type of measurement instruments required and any specific instructions associated with their use.

BV Certification: No interpretation necessary

Test records shall show actual test results data when required by specification or acceptance test plan.


Where required to demonstrate product qualification the organization shall ensure that records provide

evidence that the product meets the defined requirements.


8.2.4.2 First Article Inspection: The organization’s system shall provide a process for the inspection,

verification, and documentation of a representative item from the first production run of a new part, or

following any subsequent change that invalidates the previous first article inspection result.

NOTE: See (AS) (EN) (SJAC) 9102 for guidance.

BV Certification: First article inspection, as opposed to first piece inspection, is performed in

response to contract requirements. The auditor would expect to see evidence of representative first

article inspection and customer acceptance (e.g. stamp or signature).

8.3: Control of Nonconforming Product

The Auditor will verify that a documented procedure has been developed to define the controls,

responsibilities and authorities for dealing with nonconforming product. Product that does not

meet requirements must be identified and controlled. The auditor will expect to see that

nonconforming product is clearly labelled and segregated to prevent unintended use.

It is important to note that requirements may extend beyond delivery of product, and/or to the

point or time of use (i.e. during shipment/transit, until received and accepted at the customer,

while on consignment at customer’s facility, etc.) This also suggests that the organization may

be responsible to “take action”, even after use of the product has begun. Appropriate objective

evidence (quality records) must be maintained.




NOTE: The term “nonconforming product” includes nonconforming product returned from a

customer.

BV Certification: Clearly returned goods need to be controlled in accordance with the organization’s

nonconforming product procedures. The auditor should check to verify that returned goods are clearly

identified and that records are in place to demonstrate control and ultimate disposition.

The organization’s documented procedure shall define the responsibility for review and authority for

the disposition of nonconforming product and the process for approving personnel making these

decisions.

BV Certification: The organization needs to define both the responsibility for review and authority

for the disposition of nonconforming product. This definition needs to be quite specific. Merely

saying “MRB”, “Quality” or “Engineering” is insufficient. If the responsibility and authority for

addressing nonconforming product rest jointly with the Plant Manager and Director of Quality, for

example, the procedure should state that. If the responsibilities are delegated, there should be evidence

of the delegation and the credentials of those selected for the delegated functions. There should be

evidence that documents detailing disposition of nonconforming product have been signed by the

authorized agents. That is, those individuals who actually disposition nonconforming product must be

those designated in the procedure.

Requirements of 8.3 interrelate with those in sub-clauses:

� 8.2.1 Customer Satisfaction (possible impact upon)

� 8.4 b) Analysis of Data (information relating conformance to product requirements)

� 8.5.2 Corrective Action (take action to eliminate cause of nonconformities and the

action shall be appropriate to the effects)

There are only four possibilities auditors should see as dispositions of nonconforming product, 1-

scrap, 2- rework or repair, 3- re-grading of the product, or 4 – use with the concession of the

customer and records maintained. Obviously reworked or repaired product requires subsequent

verification prior to release.

The organization shall not use dispositions of use-as-is or repair, unless specifically authorized by the

customer, if

- the product is produced to customer design, or

- the nonconformity results in a departure from the contract requirements.

Certification: No interpretation necessary.




Unless otherwise restricted in the contract, organization-designed product which is controlled via a

customer specification may be dispositioned by the organization as use-as-is or repair, provided the

nonconformity does not result in a departure from customer-specified requirements.


Product dispositioned for scrap shall be conspicuously and permanently marked, or positively

controlled, until physically rendered unusable.

BV Certification: Red Dyekem, reject tags and locked quarantine storage are commonly used to

control product dispositioned for scrap. The organization’s procedure that addresses control of

nonconforming product should include a description of the method used.

In addition to any contract or regulatory authority reporting requirements, the organization's system

shall provide for timely reporting of delivered nonconforming product that may affect reliability or

safety. Notification shall include a clear description of the nonconformity, which includes as necessary

parts affected, customer and/or organization part numbers, quantity, and date(s) delivered.

BV Certification: Since “Control of Nonconforming Product” is a required procedure, all notification

criteria must be listed. Of course, notification of any instances of delivered nonconforming product

must include all required information.

NOTE: Parties requiring notification of nonconforming product may include suppliers, internal

organizations, customers, distributors, and regulatory authorities.


8.4: Analysis of Data

The Auditor will expect to see that the organization has developed a process to identify, collect

and analyse various data and information from both internal and external sources (i.e. quality

records, monitoring and measuring results, process performance results, quality objectives,

internal audit findings, customer surveys and feedback, 2nd

or 3rd

-party audit results, competitor

and benchmarking information, product test results, complaints, supplier performance

information, etc., etc.). This ‘input’ (information and data) should reflect upon the adequacy,

suitability, and effectiveness of the Quality Management System and its processes. The ‘output’

(result of the analysis) must provide information (understanding, insight, awareness, confidence,

knowledge of, etc.) about:

� Customer Satisfaction / Perception.

� Product Conformance




� Process performance

� Product / Process Characteristics

� Trends in Products / Processes

� Opportunities for Preventive Action

� Suppliers and subcontractors (i.e., all as defined in 8.4 a)-d))

Other potential or useful options might include:

� Need for Corrective Action

� Opportunity for Improvement

� Competition

Requirements of 8.4 interrelate with those in sub-clauses:

� 5.6.2 Management Review Input

� 8.5.1 Continual Improvement

� 8.5.2 Corrective Action

� 8.5.3 Preventive Action

8.5: Improvement

8.5.1: Continual Improvement

Distinction must be made between ‘continual’ and ‘continuous’ improvement. Unlike

continuous improvement (which must be constant, steady and always positive), continual

improvement may show signs of dwells, momentary set-backs, delays or slight reversal –

provided the overall trend is positive/improving.

The auditor will expect to see a process is in place for establishing and implementing continual

improvement. Significant or sustained lack of improvement must be met with corrective action

(i.e. ‘get well plan’) – unless the undesirable condition is expected/predicted – resulting from a

conscious/deliberate decision by management (i.e. willingness to accept a temporary setback in

productivity while new equipment/ processes are introduced.)

Drivers, or impetus for continual improvement must come from the use of (as a minimum):

� The quality policy

� Quality objectives

� Audit results

� Analysis of data

� Corrective actions




� Preventive actions

� Management review

Requirements of 8.5.1 interrelate with those in clauses / sub-clauses:

� 5.6.2 g) Management Review Input (recommendations for improvement)

� 5.6.3 a - b) Management Review Output (improvement of system, processes and

product)

� 8.4 Analysis of Data

� 8.5.2 Corrective Action

� 8.5.3 Preventive Action

Note: it is the responsibility of the company to demonstrate improvement rather than the auditor

to look for it. Accordingly, it is useful audit practice to ask management to identify any

improvement initiatives taken since the previous visit, and also any planned for the future.

8.5.2: Corrective action

Corrective action is action taken to PREVENT the recurrence of actual problems. When a

problem occurs, organizations invariably take remedial or containment action, or implement

CORRECTION to contain or fix the immediate problem. Corrective action (as addressed in ISO

9001:2000 8.5.2) is any subsequent action to address the root cause and prevent recurrence.

The auditor will verify that a documented procedure is in place to define the requirements for

corrective action:

8.5.2 a) Reviewing nonconformities – auditor will expect to see a process is in place for

identifying nonconformities (types) and reviewing them to determine if the nonconformity

requires corrective action. The section specifically identifies customer complaints however other

sections such as internal audits, nonconforming product, monitoring and measurement of

processes reference corrective action. Sources from ISO 9004:2000 include:

• Customer complaints

• Nonconformity reports

• Internal audit reports

• Output from management review

• Output from data analysis

• Outputs from satisfaction measurements

• Relevant quality management system records

• The organizations people




• Process measurements

• Results of self assessment

8.5.2 b) Determining cause – auditor will expect to see a process is in place for determining root

cause.

8.5.2 c) Evaluating action needed to prevent recurrence – auditor will expect to see evidence that

action(s) are evaluated and developed to prevent the noncoformance from recurring.

8.5.2 d) Implementing action – evidence that actions are implemented. There is no requirement

for time however auditor will expect to see evidence that actions are taken in a timely manner.

8.5.2 e) Maintaining records - corrective actions are required to be maintained as quality records

per 4.2.4.

8.5.2 f) Reviewing action taken – auditor will expect to see a process in place for reviewing

completed corrective action to ensure that the action taken was effective in correcting the

nonconformity.

8.5.2 g) flow down of the corrective action requirement to a supplier, when it is determined that the

supplier is responsible for the root cause, and

BV Certification: Suppliers need to undertake corrective action to address nonconformities that they

have caused. The Supplier Corrective Action Request (SCAR), although not specifically required as

such, is commonly used. The organization needs to obtain evidence from the supplier of corrective

action that meets the corrective action protocol as defined by the AS9100 standard. Organizations

often claim that is difficult to get a meaningful corrective action response from a supplier.

Nevertheless, when a nonconformity requires more than simple correction, the auditor would expect to

see evidence that the organization is working with the supplier to achieve effective corrective action.

This could include the organization’s assistance. In some cases, the organization’s quality and

engineering may support of the supplier’s corrective action initiatives.

A documented procedure shall be established to define requirements for

8.5.2 h) specific actions where timely and/or effective corrective actions are not achieved.

BV Certification: The client’s procedure that controls corrective action must define those specific

actions that the organization takes “where timely and/or effective corrective actions are not achieved”.

There are many types of actions that might be taken. These include discussion of open corrective

actions at management review meetings, e-mail reminders to the responsible individual(s) and

escalation of notification, often up to the ranking site executive. The auditor would expect to see

evidence that the “specific actions” were indeed taken. The auditor may want to review also the




corrective action history to verify that the actions are “timely” and “effective”. It should be noted that

this is a somewhat gray area in that complex corrective action may take considerable time to complete

and verify. Nevertheless, if multiple corrective actions remain open after say six months, there is

likely a broken process.

Note: The organization may choose to maintain one document for both corrective and preventive

action. While this is acceptable, Bureau Veritas Certification believes that the processes are

unique and should be documented separately.

Note: Organizations are free to use their own terminology (i.e., many define corrective action as

the fix and preventive action as the subsequent cure). There is no problem with this – provided

they are not claiming that this “preventive action” (i.e., after the event) meets the requirements of

8.5.3 (action taken before the event).

Note: For multi-site/corporate certifications auditors will expect to see that evaluation of

corrective actions across all sites is being performed and analyzed (usually from the headquarters

location). This would be an input to management review (see 5.6.2).

8.5.3: Preventive action

The auditor will verify that a documented procedure is in place to define the requirements for

preventive action:

8.5.3 a) Determining potential nonconformities - auditor will expect to see evidence that a

process is in place for determining potential nonconformities. This may include many methods.

Sources from ISO 9004:2000 include:

• Use of risk analysis tools.

• Review of customer needs and expectation.

• Market analysis.

• Management review output.

• Output from data analysis.

• Satisfaction measurements.

• Process Measurements.

• Lessons learned from past experience.

• Results of self-assessment.

• Processes that provide early warning of approaching out-of-control

operating conditions.




8.5.3 b) Evaluating action needed to prevent occurrence – auditor will expect to see evidence that

action(s) are evaluated and develop to prevent the occurrence of potential nonconformances.

8.5.3 c) Implementing action – evidence that actions are implemented. There is no requirement

for time however auditor will expect to see evidence that actions are taken in a timely manner.

8.5.3 d) Maintaining records - preventive actions are required to be maintained as quality records

per 4.2.4.

8.5.3 e) Reviewing action taken – auditor will expect to see a process in place for reviewing

completed preventive action to ensure that the action taken was effective.

Preventive action is action taken to PREVENT the occurrence of potential problems. The

organization might welcome some auditor guidance on terminology. Many companies

(especially small companies with simple systems) are struggling to identify opportunities to

satisfy 8.5.3, as most of the standard is, in fact, focused on prevention. Anything related to

evaluation of risk and related actions, or action to prevent an early dip in a trend graph becoming

a problem can be accepted as objective evidence of compliance – as well as clear up-front

preventive initiatives, of course.

Reviewed By Authorized By Rev Date Rev # Location Change History Ralph

McLouth Zach Pivarnik New – May 9,

2007 0 BMS

as9100 interpretations

Automotive