Clause-by-clause Interpretation
Transitioning to ISO 9001:2015
8.2.4 Changes to Requirements for Products & Services
8.3 Design and Development of Products & Services
8.3.1 General
8.3.2 Design and Development Planning
8.3.3 Design and Development Inputs
8.3.4 Design and Development Controls
8.3.5 Design and Development Outputs
8.3.6 Design and Development Changes
8.4 Externally Provided Processes, Products & Services
8.4.1 General
8.4.2 Type and Extent of Control
8.4.3 Information for External Providers
8.5 Production and Service Provision
8.5.1 Control of Production and Service Provision
8.5.2 Identification and Traceability
8.5.3 Property Belonging to Customers or External Providers
8.5.4 Preservation
8.5.5 Post-delivery Activities
8.5.6 Control of Changes
8.6 Release of Products and Services
8.7 Non-conforming Process Outputs, Products & Services
Controlling Product and Process Non-conformities
Controlling Service-based Non-conformities
9.0 PERFORMANCE EVALUATION
9.1 Monitoring, Measurement, Analysis and Evaluation
9.1.1 General
9.1.2 Customer Satisfaction
9.1.3 Analysis and Evaluation
9.2 Internal Audit
9.3 Management Review
9.3.1 General
9.3.2 Management Review Inputs
9.3.3 Management Review Outputs
10.0 IMPROVEMENT
10.1 General
10.2 Nonconformity and Corrective Action
Dealing with Corrective Action
Define the Problem
Select an Interim Containment Action
Verify an Interim Containment Action
Implement an ICA
Identifying the Root-Cause
Complete a Comparative Analysis
Develop Root-cause Theories
Test the Theories
Verify the Root-Cause
Determine and Verify the Escape Point
Implementing & Validating Permanent Corrective Actions
Preventing Recurrence
10.3 Continual Improvement
Clause-by-Clause Interpretation
4.0 Context of the Organization
4.1 The Organization and its Context
The ‘Context of the Organization’ is a new requirement. You should allow additional time to prepare for each audit in order to establish a suitable understanding of the circumstances, and the market in which your organization operates. To be compliant, evidence should be obtained that proves that your organization is reviewing all pertinent internal and external issues at periodic intervals.
Although there is no requirement for documented information to define the context of the organization, your organization will find it helpful to retain the types of documented information listed below to help justify compliance:
1. Business plans and strategy reviews;
2. Competitor analysis;
3. Economic reports from business sectors or consultant’s reports;
4. SWOT analysis;
5. Minutes of meetings (Management and design review minutes);
6. Process maps, tables, spreadsheets, mind mapping diagrams.
4.2 The Needs and Expectations of Interested Parties
‘Understanding the Needs and Expectations of Interested Parties’ is a new requirement. You should allow additional time to prepare for each audit in order to establish a suitable understanding of the relevant interests of relevant interested parties that impact the QMS. If this differs from the perception, you should be prepared to challenge this. Look for evidence that the organization has undergone a process to initially identify these groups, and then to identify any of their requirements that are relevant to your organization’s quality management system.
You should also determine whether these groups’ requirements are reviewed and updated as changes in their requirements occur, or when changes to your organization’s QMS are planned.
4.3 Determining the Scope of the QMS
This requirement is comparable to ISO 9001:2008 Clause 4.2.2 – Quality Manual. You will need to verify that your organization’s scope exists as documented information (which may be in the form of a Quality Manual) in accordance with Clause 7.5.1a. Look for confirmation that your organization has determined the boundaries and applicability of the QMS to establish its scope with reference to any external and internal issues referred to in 4.1 and the requirements of relevant interested parties referred to in 4.2.
Check that this has been done in consideration of your organization’s context and your products. You should review any exclusions previously noted under ISO 9001:2008 for ongoing suitability. Check that legacy issues which limited scope and omitted activities do not affect product conformity. Check that they are recorded and that the rationale for the exclusion is stated and justified.
4.4 The QMS and its Processes
This requirement is comparable to ISO 9001:2008 Clause 4 - Quality Management System and Clause 4.1 – General Requirements. You should review how your organization has designed its process-based management system.
Existing operational procedures, work instructions and flow charts are valid examples of documented information and can be used as evidence that the requirement for ‘documented information to support the operation of processes’ is being met.
Check that process inputs and outputs are defined and review how each of the processes are sequenced and how they interact. Look for evidence that your organization has:
1. Assigned duties/process owners (Clause 5.3);
2. Assessed risks and opportunities (Clause 6.1);
3. Provided resources (Clause 7.1);
4. Maintained and retained documented information (Clause 7.5.1);
5. Implemented measurement criteria (Clause 9.0);
6. Improved its processes and the QMS (Clause 10.0).
Most of the requirements from Clause 4.4 are comparable to those found in ISO 9001:2008 Clauses 4.1 and 8.1 - General Requirements and Clause 8.2.3 - Monitoring and Measurement of Processes.
Based upon the extent of your organization’s QMS and processes, you should seek and record evidence that your organization has maintained documented information to support the operation of its processes; and that it has retained documented information to provide confidence that the processes are being carried out as planned.
Identifying Key Processes
Key processes are steps that you go through to give the customer what they want, e.g. from order acceptance to design through to delivery. Support processes, by contrast, do not contribute directly to what the customer wants but do help the key processes to achieve it. Support processes often include human resources, finance, document control, training and facilities maintenance, etc.
A good way to do this is to think about how work flows through your organization. Consider how the inputs and outputs to the key processes flow from one process to the next, what sub-processes might exist within it and how the support processes link in. For now, ignore the standard; in fact, put it in a drawer and forget it exists. Instead focus on your key processes and how the departments interface with each other.
Once you have defined the processes and interfaces, go back to the standard and determine which processes are responsible for meeting which requirements. When defining your organization’s processes, think about each process and department and try to define those processes around the current organizational model and not around the requirements of the standard.
Certification auditors will expect to see a process model that explains the key processes of the business and how each relates and links to the others. The depth of process explanation may be as detailed as the company chooses, but should be based on its customer and applicable regulatory or statutory requirements, the nature of its activities and its overall corporate strategy. In determining which processes should be determined and documented the organization may wish to consider factors such as:
Customer oriented processes affect or interact with the customer:
• Design and development;
• Storage and dispatch.
Support oriented processes support other processes:
• Calibration;
• Maintenance;
• I.T. and document control;
• Finance and accounts;
• Human resources and training.
Management oriented processes are normally conducted by Top management:
• Business, operational and resource planning;
• Data analysis;
You should expect to see evidence that your organization has determined its processes and interactions. If your organization calls it a ‘process’, it must be monitored for effectiveness and improved.
Sequence and Interaction
The auditor must see evidence that the organization has determined its processes and that the interactions are also defined, all within the IMS manual. Subsequently, this includes the actual and technical inputs and outputs of the processes to show their inter-relationship. This requires the description of the interactions between the processes and should include process names, process inputs and process outputs in order to define their interactions. Interaction means how one influences the other. Auditors commonly agree that the description of the interactions of the processes cannot be done if the processes are not determined (names).
The organization is not required to produce system maps, flow charts, lists of processes etc. as evidence to demonstrate that the processes and their sequence and interactions were determined. Such documents may be used by organizations should they deem them useful, but they are not mandatory. Graphical representation such as flow-charting is perhaps the most easily understandable method for describing the interaction between processes.
5.0 Leadership
5.1 Leadership and Commitment
5.2 Policy
5.2.1 Establishing the Quality Policy
This requirement is comparable to the requirements of ISO 9001:2008 Clause 5.1 – Quality Policy. You should check that there is evidence that Top management have participated in the creation of the quality policy, and are reviewing and maintaining it.
You should review the quality policy to determine whether the quality policy is appropriate to the context of the organization and its purpose, that there is a commitment to continually improving the QMS, and that the quality objectives are consistent with the quality policy. Top management should demonstrate that the quality policy is compatible with the strategic direction and context of the organization, as required by Clause 5.1.1b.
5.2.2 Communicating the Quality Policy
This is a new requirement. ISO 9001:2015 requires the policy to be maintained as documented information, refer to Clause 7.5.1a. You should check whether the quality policy has been applied throughout the organization and that the quality policy is available to any relevant interested parties.
5.3 Organizational Roles, Responsibilities and Authorities
This requirement is comparable to the requirements of ISO 9001:2008 Clause 5.5 – Responsibility, Authority and Communication. You should seek and record evidence that your organization’s personnel have not only been advised of their QMS duties and authorities but that they also understand their duties and authorities in the context of what the QMS is intended to achieve.
your customer’s requirements, statutory and regulatory requirements, or those which might adversely affect customer satisfaction, are identified and addressed.
You are likely to find that there is a good focus on risk, which may even be formally documented via risk assessments, but you should also ensure that opportunities are considered.
We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization’s transition from the old to the new requirements:
Note that there is no longer a requirement for your organization to have a Management Representative; you should determine how Top management has assigned the responsibility and authority for preserving the integrity of the organization’s QMS during revisions or updates. Determine whether Top management has assigned the responsibility and authority for determining opportunities for improvement, refer to Clause 10.1.
6.0 Planning
6.1 Actions to Address Risks and Opportunities
Clause 6.1.1 is a new requirement, so you should allow additional time to prepare for each audit in order to establish a suitable understanding of the new requirements and how they should be implemented. You should seek and record evidence that your organization has planned and implemented a process to effectively identify risks and opportunities with respect to QMS planning. Reference to risk-based thinking is present in the following clauses:
1. Determine and address risks (Clause 4.4.1);
2. Promote risk-based thinking (Clause 5.1.1);
3. Ensure risks determined and addressed (Clause 5.1.2);
4. Determine risks that need to be addressed to achieve intended results (Clause 6.1.1);
5. Plan actions to address risks; integrate into processes; evaluate effectiveness of actions (Clause 6.1.2);
6. Control those risks identified (Clause 8.1);
7. Evaluate effectiveness of actions on risks (Clause 9.1.3);
2. Strategic direction of the organization;
3. Interested parties, related to its QMS, and their requirements;
Clause 6.1.2 is a new requirement, so you should allow additional time to prepare for each audit in order to establish a suitable understanding of the new requirement and how it should be implemented.
You should seek and record evidence that your organization has taken a planned approach to addressing risks and accomplishing opportunities to the benefit of the QMS and the organization. Check that any actions taken to address the risks and opportunities are recorded, and ensure that each action was effective at addressing the issue, and that the action taken was proportionate to the risk or opportunity. Objective evidence could be in the following various forms:
10. Production inspections and service reviews;
11. Corrective actions;
14. Risk determination or evaluation records.
Why is Risk Management Important?
The concept of risk in the context of ISO 9001:2015 relates to the uncertainty in achieving these objectives. Risk will influence every aspect of your organization’s operations, and by understanding the risks you face and managing them appropriately you will enhance your ability to make better decisions and to achieve your objectives.
Your organization should begin to view the management of risks to its people, assets and all aspects of its operations as an important responsibility. Implement and maintain a risk management process to protect and support your organization’s responsibilities.
An effective risk management approach is not only good business practice but provides organizational resilience, confidence and benefits, including:
1. Provides a rigorous decision-making and planning process;
2. Provides the flexibility to respond to unexpected threats;
3. Takes advantage of opportunities and provides competitive advantage;
4. Equips managers with tools to anticipate changes and threats, and to allocate appropriate resources;
5. Provides assurance to Top management and stakeholders that critical risks are being managed appropriately;
6. Enables better business resilience and compliance management.
2. Assure consistency of quality of goods and services;
3. Establishes a proactive culture of prevention and improvement;
4. Intuitively take a risk-based approach.
We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization’s transition to risk-based thinking, using this approach:
[Figure: PDCA cycle]
• Plan: Gain leadership commitment, identify and assess risks. Create a plan to address risks and opportunities.
• Act: Implement any changes to your approach, continually review opportunities for improvement.
Risk Management Methodology
Documented information resulting from risk management activities such as risk management processes, plans and reports, etc. should be maintained or referenced in either a risk management file or other appropriate sources:
1. Design history file;
2. Technical file/documentation;
3. Device master record;
4. Device history record;
5. Process validation files.
Your organization should consider the benefits of integrating the risk management processes, documents and records directly into your quality management system. The advantage of this could be a single document control system, ease of use and review, accessibility, retention, etc.
Document controls, including document change controls, for risk management system documentation should be the same as the controls for quality management system documentation. This documentation can be in any form or type of medium.
Communication of Risks
Within your quality management system, consideration needs to be given to internal and external communication of risk. Internal communication is necessary for all appropriate personnel to be aware of the remaining risks even after implementing risk control measures.
Your organization might outsource the provision of some processes or the manufacture of components, subassemblies or entire units. In order to maintain control over the processes, your organization should incorporate appropriate risk management activities for these processes and products by planning and by ensuring risk control measures are appropriately applied.
Before the approval and implementation of a change to any outsourced process or product, your organization should:
1. Review the change;
2. Assess if new risks have been discovered; and,
3. Determine if current and/or new individual residual risks and/or the overall risk is acceptable according to the predetermined existing acceptability criteria.
If risk control measures are applied to outsourced processes or products, the risk control measures and their importance should be documented within the purchasing data or information and clearly communicated to the supplier.
Design & Development
Risk management activities should begin as early as possible in the design and development phase, when it is easier to prevent problems rather than correcting them later.
For each identified hazard, the risk in both normal and fault conditions is estimated. In risk evaluation, you should decide whether risk reduction is needed. The results from this risk evaluation, such as the need for risk control measures, then become part of the design input.
4. Severity of effect which provides an assessment of the impact that the occurrence of this risk would have on the project;
1. Clause 4.4.1 requires your organization to determine the risks which can affect its ability to meet the system objectives. Risk-based thinking means considering risk quantitatively as well as qualitatively, depending on the business context.
2. Clauses 5.1.1 and 5.1.2 require Top management to demonstrate leadership and commit to ensuring that risks and opportunities that can affect the conformity of a product or service are determined and addressed.
3. Clauses 6.1.1 and 6.1.2 require your organization to take action to identify risks and opportunities, and plan how to address the identified risks and opportunities.
Risk evaluation should become embedded into your organization’s day-to-day operations and should be undertaken at all levels throughout your organization. The overall aim of risk evaluation is to ensure that organizational capabilities and resources are employed in an efficient and effective manner to manage opportunities and threats. Risk evaluation can be represented as a seven-step, cyclical process:
[Figure: risk evaluation cycle; surviving labels: Plan, Identify, Assess, Monitor, Risk]
Your organization should develop and document a plan that briefly describes how and when risk, in the form of strengths, weaknesses, opportunities and threats, will be assessed, and who will be involved. This should reflect the scope (including its complexity, interfaces, etc.), policies and objectives.
Risk identification involves the relationship between your organization and the broader, external environment or community. A range of issues should be considered in examining the strategic content, including:
1. Opportunities and threats associated with the local, regional, state and global economic, social, political, cultural, environmental, regulatory and competitive environments;
2. Key thrusts of stakeholder strategies;
3. Strengths and weaknesses of in attaining objectives.
Operational risk identification involves gaining an understanding of the organisation’s capabilities, goals, objectives, strengths and weaknesses by considering:
1. Organisational structure and culture;
2. Geographical/demographical;
3. The identity and nature of interaction with key internal or external stakeholders;
4. The existence of any operational constraints;
Having identified all hazards and associated risks which could impact on occupational health and safety, the process of rating the risks for significance can be carried out. This crucial process, together with a thorough knowledge of legal and other similar requirements, provides the foundations of the management system.
This assessment process is vital in determining the need for controls aimed at either reducing risk to levels deemed to be tolerable, or meeting the requirements of legislation. The significance level (or risk rating) should then be used to prioritise actions. Remember that the importance of this process cannot be overestimated. If you get this process wrong, the whole system will be suspect.
The assessment of the severity of a risk should drive management attention and support the planning for risk mitigation. Quantitative risk assessments (QRA) can be undertaken to provide an improved understanding of the risk profile and derive a more detailed understanding of certain cost and time risks. The output of QRA can also support decision making and monitoring of risk management activities.
Risk Quantification – Risks should be assessed in terms of their probability to impact on objectives:
| Score | Likelihood | Description | Percentage | Probability |
|---|---|---|---|---|
| 1 | Rare | May only occur in exceptional circumstances | <0.1% | 1 in 1,000 |
| 2 | Unlikely | Could occur during a specified time period | 1% | 1 in 100 |
| 3 | Possible | Might occur within a given time period | 10% | 1 in 10 |
| 4 | Likely | Will probably occur in most circumstances | 50% | 1 in 2 |
| 5 | Almost Certain | Expected to occur in most circumstances | >95% | 1 in 1 |
Impact & Consequence Criteria
Risk Quantification – Risks should be assessed in terms of the consequence of their impact on objectives:
| Score | Impact | Quality |
|---|---|---|
| 1 | Negligible | Quality of one or more products not on critical path does not meet quality criteria for product acceptance, but specified quality is achievable. |
| 2 | Minor | Quality of a product on critical path does not meet quality criteria for product acceptance, but specified quality is achievable. |
| 3 | Moderate | Quality of more than one product on critical path does not meet quality criteria for product acceptance, but specified quality is achievable. |
| 4 | Major | Quality of a product on critical path does not meet quality criteria for product acceptance, and specified quality is not achievable. |
| 5 | Catastrophic | Quality of more than one product on critical path does not meet quality criteria for product acceptance, and specified quality is not achievable. |
Risk Exposure & Control Action
The purpose of prioritising the risk is to determine the level of action needed for the identified and assessed risks.
| Score | Colour | Management Control Action (MCA) |
|---|---|---|
| 1 to 4 | Very Low | No mitigation or action is required, the risk is considered ALARP. Monitor to ensure that the risk remains tolerable at this level. |
| 5 to 8 | Low | Maintain assurance that risk remains tolerable. Monitor and manage by routine procedures, unlikely to need specific application of resources (managers and key staff). |
| 9 to 12 | Medium | Tolerable if the cost of reduction would exceed the improvement gained. Mitigate by managing specific reviews and ensuring regular monitoring occurs. |
| 13 to 15 | High | Tolerable only if risk reduction is impractical or if cost is disproportionate to the improvement. Mitigate by implementing controls to reduce the risk so far as is reasonably practicable. Where this cannot happen, continual monitoring should occur. |
| 16 to 25 | Very High | Intolerable, the risk cannot be justified, except in extraordinary circumstances. Mitigate by ceasing all related activities. |
Step 6: Reporting
Regular reports are necessary to inform and provide assurance to Top management and other key stakeholders that risks are being appropriately managed. Reporting must be based on current process data, which must be updated and reviewed in good time for the reporting cycle (see Step 5 above).
On occasion, it may be appropriate to escalate a risk to ensure it is assessed and/or managed by the person or party best placed to do so (able and with appropriate authority), for example where a more substantial or coordinated response is required than the current owner can authorise or implement, or where the risk severity or its effects on the wider project justify higher level assessment and/or management.
Step 7: Monitoring
Continuous systematic and formal monitoring of implementation of the risk process and outputs will take place against appropriate performance
Quality objectives should be measurable and are likely to have their own metrics by which levels of attainment can be ascertained. Check that the quality objectives are communicated throughout the organization and that they are updated to ensure relevance to changing business needs.
You should seek and record evidence that effective planning was undertaken in support of the organization’s quality objectives and their achievement. You should ensure that this planning activity takes into account the considerations of Clause 6.2.1, as well as the following points:
1. Identification of processes, resources, and skills needed to achieve quality;
2. Identification of suitable verification criteria at appropriate stages;
3. Compatibility of design, production, inspection and testing;
4. The confirmation of criteria of acceptability for all features and requirements;
5. Details of calibration of any special measuring or test equipment to be used.
Training & Communication
Your organization should ensure that it has documented and clarified the roles, responsibilities, accountabilities and authorities at all levels of the business to address risk management. This ensures that a risk management approach is embedded in your operations through a number of communication, training and support systems, including:
Training
To ensure that adequate risk management competency levels are achieved and maintained, your organization should provide training in the risk management process and its application. Specific risk management training sessions should be held on an annual basis, aimed at providing an overview of the risk management process. Instruments providing training on appropriate controls include:
1. Job descriptions, contracts;
2. Inductions;
3. Policies;
4. Procedures, process maps;
5. Terms of reference;
6. Performance planning;
Communication of Responsibilities & Accountabilities
Risk management responsibilities, accountabilities and authorities should be set out in the following documented information:
1. Risk management policy;
2. Job/position descriptions;
3. Internet/intranet;
4. Project/process/product/service documentation;
5. Performance planning and review documentation;
6. Risk registers.
6.3 Planning of Changes
This is a new requirement. You should seek and record evidence that your organization has retained documented information relating to planning and implementing changes that impact upon the QMS.
Ensure that the organization has planned how to integrate and implement the changes into their QMS processes. Check that your organization has considered:
1. The purpose of the changes and their potential consequences;
2. The integrity of the quality management system;
3. The availability of resources;
4. The allocation or reallocation of responsibilities and authorities.
7.0 Support
7.1 Resources
The requirements in Clause 7.1 are comparable to ISO 9001:2008 Clause 6.0 - Resource Management, Clause 6.1 - Provision of Resources, Clause 6.3 - Infrastructure and Clause 6.4 - Work Environment.
7.1.2 People
You should seek and record evidence to confirm that your organization has provided the staff necessary for the effective implementation of the QMS and for the operation and control of its processes.
7.1.3 Infrastructure
You should seek and record evidence to confirm that your organization has provided the infrastructure necessary for the effective implementation of the QMS and for the operation and control of its processes.
7.1.4 Environment for the operation of processes
You should seek and record evidence to confirm that your organization has identified, provided and maintained the infrastructure necessary for achieving product conformance.
7.1.5 Monitoring and Measuring
This requirement is comparable to ISO 9001:2008 Clause 7.6 - Control of Monitoring and Measuring Equipment. You should seek and record evidence to confirm that, where measurement traceability is a requirement, instruments used for measurement are subject to the following controls:
4. Devices are safeguarded from adjustment, which may invalidate results;
5. Devices are protected from damage during handling, maintenance or storage;
6. The validity of results from a non-conforming device is re-checked with a conforming device;
7. Devices are calibrated by external providers certified to ISO 17025;
8. Records of calibration and verification are maintained;
9. Computer software which is used for monitoring/measuring is validated prior to initial use;
10. Computer software used for monitoring and measuring is re-validated where necessary.
If measurement traceability is not required, verify that those monitoring and measuring resources used by your organization are suitable. You should ensure that documented information is maintained in order to demonstrate suitability of monitoring and measuring equipment.
7.1.6 Organizational Knowledge
‘Organizational Knowledge’ is a new requirement. You should seek and record evidence that your organization has taken steps to identify the
internal and external knowledge necessary to ensure continued product conformity.
Check that organizational knowledge is communicated as necessary and that it is maintained and retained in accordance with Clause 7.5. Check that organizational knowledge is reviewed before changes to the QMS are made when responding to change.
Sources of internal knowledge often include the organization’s intellectual property; knowledge gained from experience; lessons learned from failures and successes; capturing and sharing undocumented knowledge and experience; the results of improvements in processes, products and services. Sources of external knowledge often include other ISO standards; research papers; conferences; or knowledge gathered from customers or external parties.
You should seek evidence to confirm how your organization has determined and made available the knowledge needed to keep up to date with changing situations and knowledge related to new products and services. You determine whether your organization has considered internal and external sources, such as:
1. Lessons learnt from non-conformities and corrective actions, near miss situations and successes;
2. Gathering knowledge from customers, suppliers and partners;
3. Capturing knowledge that exists within the organization, e.g. through mentoring, succession planning;
4. Benchmarking against competitors;
5. Sharing organizational knowledge with relevant interested parties to ensure sustainability of the organization;
6. Updating the necessary organizational knowledge based on the results of improvement;
7. Knowledge from conferences, attending trade fairs, networking seminars, or other external events.
7.2 Competence
This requirement is comparable to ISO 9001:2008 Clause 6.2.1 - Human Resources and Clause 6.2.2 - Competence, training and awareness but additionally, you should check whether your organization takes action to address competency issues whilst checking that they were effective.
Your organization should establish a process for assessing existing staff competencies against changing business needs and prevailing trends. Check for evidence that all staff who work under your organization’s control are competent, and that evidence of continuing competence is maintained as documented information in accordance with Clause 7.5.
7.3 Awareness
This requirement is comparable to ISO 9001:2008 Clause 6.2.2 - Competence, training and awareness which was limited to the organization’s own personnel. You seek evidence to confirm that this requirement has been applied by your organization to ensure that the people who need to be made aware now include all the people who work on your organization’s behalf that affect the conformity of your organization’s QMS or products. You ensure that these people are aware of:
3. Their contribution to the effectiveness of the quality management system, including the benefits of improved performance;
4. New requirement. The implications of not conforming to the quality management system requirements.
The awareness training does not need to follow the format of long classroom sessions. Training techniques can include short training segments supplemented with videos and hands-on demonstrations that address key elements of the QMS.
Other methods to promote and reinforce the environmental awareness training sessions include communication via electronic bulletin boards, posters, newsletters and informational meetings.
7.4 Communication
This requirement is comparable to ISO 9001:2008 Clause 5.5.3 – Communication but it now includes the new requirement to also communicate with external parties, e.g. those previously defined in Clause 4.2. You should seek evidence to confirm that your organization has identified the necessary internal and external communications that are required for the operation of the QMS. You should confirm how your organization has determined:
1. What it needs to communicate;
2. When it will communicate;
3. With whom it will communicate;
4. How it will communicate.
As well as briefing employees during introductory presentations, try using a combination of other methods to promote awareness, such as posters placed on notice boards and leaflets with pay-slips, etc. Use training sessions to inform employees of the plan and how they will be expected to contribute. Issues pertaining to the quality management system that could be communicated include:
Day-to-day operations and general awareness;
Information on achieving objectives and targets;
Risk and opportunities.
Auditors will wish to determine if the policies meet the intent and are understood, by interviewing personnel at all levels. Although the exact content of the policies does not need to be recited by interviewees, the awareness of the policies and how their job affects the company objectives should be determined. This does not require your employees to memorize the policies but it does mean they should be aware of it, know where it may be found and be able to paraphrase, or give an interpretation as it applies to them.
If the personnel interviewed do not know what their measurable objectives are and/or do not know what the organizational objectives are that they have a direct effect upon, the auditor would be further directed to evaluate top management’s communication of the policies and objectives.
Inferred awareness through knowledge of procedures is not considered sufficient; otherwise why have the requirement in the first place? A quick and convenient way to promote and communicate the policy might be to
create a shortened version of the main policy; try condensing it to five key words or even a couple of short sentences. This can be posted on bulletin boards in each department.
You could even add it to the reverse side of staff security passes or ID badges. If an auditor asks an employee whether they are aware of the policy, they can point to the bulletin board, or point to it on their badge. The employee can further elaborate to the auditor what the policy means to them and how it influences their work.
External Communications
In most instances, external interested parties (such as consumers, stockholders, neighboring communities, etc.) are the main driving forces for organizations to implement a QMS. The appropriate external communications may establish environmental and safety credibility and satisfy stakeholder requests by presenting objective information on the organization’s significant aspects, its QMS, or its performance. The various processes or means of external communication may include:
Annual reports or newsletters of performance sent to external stakeholders;
Open house meetings for interested parties and focus groups;
Availability of regulatory submissions, or results of audits;
Policies published in the media and industry association publications and press releases.
The various means of such communication are endless. Such communication may benefit your organization in several ways, including improved employee morale and increased market exposure, either of which can lead to increased profits.
7.5 Documented Information
7.5.1 General
This requirement is identical to the requirements from ISO 9001:2008 Clause 4.2.3 – Document Control. It should be noted that there is no need to maintain a documented procedure but your organization may still choose to operate one.
You should ensure that your organization’s QMS includes documented information required to be maintained and retained by ISO 9001:2015, and the documented information identified by your organization to demonstrate the effective operation of its QMS as defined in 7.5.3 below.
7.5.2 Creating & Updating
This requirement is comparable to the requirements from ISO 9001:2008 Clause 4.2.3 – Document Control. You should seek to confirm that when documented information is created or updated, your organization has ensured that it is appropriately identified and described (e.g. title, date, author, reference number).
It must be in an appropriate format (e.g. language, software version, graphics) and on appropriate media (e.g. paper, electronic). Confirm that documented information is reviewed and approved for suitability and adequacy.
7.5.3 Control of Documented Information
This requirement is comparable to the requirements from ISO 9001:2008 Clause 4.2.4 – Control of Records. A robust document control process invariably lies at the heart of any compliant management system; almost every aspect of auditing and compliance verification is determined through the scrutiny of documented information. With this in mind, it becomes apparent that the on-going maintenance of an efficient document management system must not be overlooked.
Your organization must control the documented information required by the QMS. A suitable process must be implemented to define the controls needed to approve, review, update, identify changes, identify revision status and provide access. The documented information process should define the scope, purpose, method and responsibilities required to implement these parameters.
In order to comply with the documented information requirements, it is essential that all personnel understand what types of information should be controlled and, more importantly, how this control should be exercised. To get the most out of your documented information process, it must be communicated to ensure that staff and other users of the documented information understand what they must do in order to manage that information effectively and efficiently.
responsible for their retention and disposal in line with legislative requirements and organizational needs.

| Maintain the following as documented information: | Clause |
| --- | --- |
| The scope of the quality management system | 4.3 |
| Information necessary to support the operation of processes | 4.4 |
| The quality policy | 5.2 |
| The quality objectives | 6.2 |
| Documented information required by ISO 9001:2015 | 7.5.1a |

| Retain the following as documented information: | Clause |
| --- | --- |
| Documented information to the extent necessary to have confidence that the processes are being carried out as planned | 4.4 |
| Evidence of fitness for purpose of monitoring and measuring resources | 7.1.5.1 |
| Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist) | 7.1.5.2 |
| Evidence of competence of people doing work under the control of the organization that affects the performance and effectiveness of the QMS | 7.2 |
| Documented information required by the QMS | 7.5.1b |
| Records of design and development inputs | 8.3.3 |
| Records of the activities of design and development controls | 8.3.4 |

tangible product or effective service that conforms to specified requirements and expectations. Control product realization planning by:
Determining quality objectives for the product;
Determining requirements for the product;
Identifying processes required to achieve conformance;
Establishing processes required to achieve conformance;
Identifying documents to demonstrate conformance;
Identifying resources required to achieve conformance;
Maintaining and retaining documented information.
Your organization needs to plan in advance for how they will manufacture their product or deliver their service. The plans need to take into account the product requirements and any quality objectives that might be appropriate, resources and documents that may be necessary, what type of monitoring and/or inspection activities should be put in place to ensure the product or service will meet the requirements, and what types of records should be kept.
8.2 Requirements for Products and Services
8.2.1 Customer Communication
This requirement is directly comparable to the requirements of ISO 9001:2008 Clause 7.2.3 – Customer Communication. It has been expanded to include new requirements to obtain ‘customer views and perceptions’ instead of ‘customer feedback’. Some or all of the following specific customer communication should be observed and evidenced:
1. Marketing information;
2. Quotations and order forms;
3. Confirmation of authorized orders and amended orders;
4. Delivery notes and certificates of conformity;
5. Invoices and credit notes;
6. E-mail and general correspondence;
7. Site visit reports or notes to/from customer;
8. Customer feedback and complaints management process.
8.2.2 Determination of Requirements for Products & Services
This new requirement replaces ISO 9001:2008 Clause 7.2.1 - Determination of Requirements Related to Product Requirements. You should seek and record evidence that your organization has implemented a process to determine the requirements for the products and services that it intends to offer to customers.
This may also include the requirements from interested parties and also statutory and regulatory requirements relating to the product.
8.2.3 Review of the Requirements for Products & Services
This requirement is comparable to ISO 9001:2008 Clause 7.2.1 - Determination of Requirements Related to Product and Clause 7.2.2 - Review of Requirements Related to Product.
The requirement states that your organization should now include a review of the requirements arising from any relevant interested parties. You should seek and record evidence that these requirements are considered during product and service reviews.
8.2.4 Changes to Requirements for Products & Services
This is a new requirement. You should seek and record evidence that your organization has ensured that all relevant documented information relating to changed product or service requirements is amended and that the relevant design personnel are made aware of the changed requirements.
8.3 Design and Development of Products & Services
8.3.1 General
This is a new requirement that mandates the introduction of a design and development process where this activity is required. You should seek and record evidence that, where applicable, your organization has implemented a design and development process to allow effective product or service provision, where the requirements for products and services are not defined by the customer or interested parties.
8.3.2 Design and Development Planning
This requirement expands upon the requirements from ISO 9001:2008 Clause 7.3.1 – Design and Development Planning. It is likely that if your organization already complies with ISO 9001:2008, you will already be undertaking the activities required by this clause.
You should seek and record evidence that your organization has considered the explicitly referenced considerations relating to the design and development process set out above. You should also ensure that your organization has retained documented information to confirm the identified design and development requirements were met and that design reviews were undertaken.
8.3.3 Design and Development Inputs
This requirement expands upon the requirements from ISO 9001:2008 Clause 7.3.2 - Design and Development Inputs 7.3.1. You should seek and record evidence that your organization has documented and retained information concerning the need for internal and external resources and the potential consequences of design or development failure.
8.3.4 Design and Development Controls
This requirement is comparable to the requirements from ISO 9001:2008 Clauses 7.3.3, 7.3.4, 7.3.5 and 7.3.6. You should seek and record evidence that your organization has applied the necessary controls to its design and development process in order to ensure that:
1. The results from undertaking the design and development process are clearly defined;
2. The design and development reviews take place in accordance with planned arrangements;
3. The design and development outputs meet the design and development inputs (verification);
4. The resulting products and services are fit for their intended use or specified application where this is known to the organization (validation).
8.3.5 Design and Development Outputs
This requirement is comparable to the requirement from ISO 9001:2008 Clause 7.3.3 – Design Development Outputs. You should seek and record evidence that the additional requirement to retain documented information concerning design outputs has been met. You should also check the need for design outputs to reference monitoring and measuring requirements.
8.3.6 Design and Development Changes
This requirement is directly comparable to ISO 9001:2008 Clause 7.3.7 - Control of Design and Development Changes. It is important to control design changes throughout the design and development process and it should be clear how these changes are handled and what effects they have on the product. You should seek and record evidence that your organization has retained documented information concerning:
1. Design and development changes;
2. The results of reviews;
3. The authorization of changes;
4. Actions taken to prevent adverse impacts.
8.4 Externally Provided Processes, Products & Services
8.4.1 General
This requirement is comparable to the requirement from ISO 9001:2008 Clause 7.4.1 – Purchasing Process and Clause 7.4.3 - Verification of Purchased Product. You should seek and record evidence that your organization has retained documented information that records not only the criteria by which suppliers were selected, but also the results of the selection activities, and the results from the monitoring of their performance.
8.4.2 Type and Extent of Control
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.4.1 – Purchasing Process and Clause 7.4.3 - Verification of Purchased Product. You should seek and record evidence that your organization has ensured that the supplied product or service meets the specified requirements. Confirm that your organization has established and implemented a process of inspection to ensure that purchased products conform to:
1. Purchase orders;
2. Delivery notes;
3. Product specifications;
4. National or international standards.
8.4.3 Information for External Providers
This requirement is again comparable to the requirements from ISO 9001:2008 Clause 7.4.2 – Purchasing Information. You should seek and record evidence that your organization has, where appropriate, communicated not just the products or services they wish to receive, but also any processes they want the external provider to undertake on their behalf, as well as any interactions with your organization’s QMS. You should also check that the requirement for competency of external personnel is communicated.
8.5 Production and service provision
8.5.1 Control of Production and Service Provision
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.5.1 - Control of Production and Service Provision and Clause 7.5.2 - Validation of Processes from Production and Service Provision. You should seek and record evidence that your organization has controlled the conditions by which products or services are provided, ensuring that:
1. Documented information that defines the characteristics of the product or service is available;
2. Documented information that defines the activities that need to be performed to produce the product or deliver the service is available, and that this specifies the results that are to be achieved;
3. Monitoring and measurement takes place at appropriate points in the production process to ensure that both the processes themselves and the process outputs meet the organization’s acceptance criteria;
4. The process environment and infrastructure are suitable;
5. Suitable monitoring and measurement resources are made available;
6. Personnel are competent and, where necessary, appropriately qualified;
7. For processes where the results cannot be verified by subsequent monitoring or measurement,
8. The process itself is initially validated and then periodically re-evaluated;
9. Product and service release, delivery and post-delivery activities are implemented.
8.5.2 Identification and Traceability
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.5.3 - Identification and traceability. You should seek and record evidence that product is identified (as appropriate) and its status with regard to monitoring and measuring (conforming or not) is identified throughout the manufacturing processes. Where traceability is a requirement, you should expect to see that your organization is controlling and recording the unique identification of the product.
8.5.3 Property Belonging to Customers or External Providers
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.5.4 – Customer Property but it has now been expanded to cover property belonging to external providers that your organization intends to incorporate into its own products and services. You should seek and record evidence that your organization has extended their treatment of customer property to include that of external providers.
Check that your organization communicates with its customers in regard to the handling and treatment of their property. You should also check that contingency plans and, where relevant, actions are undertaken when non-conformities occur with customer property. Good sources of information often include the following examples:
1. Goods returned by the customer;
2. Warranty claims;
3. Revised invoices;
4. Credit notes;
5. Articles in the media;
6. Consumer websites;
7. Direct observation of, or communication with, the customer.
8.5.4 Preservation
This is a new requirement. The auditor will expect to see that adequate measures are taken to protect/preserve the product during internal processing and delivery to the intended destination. The preservation process must include the following: Preservation, packaging and other
product specific handling methods are likely to be an output of the product design process.
1. Identification – this is relative to Identification and Traceability; however, for preservation of product it is a requirement and not ‘as applicable’. The auditor will expect to see that all products are clearly identified;
2. Handling – the auditor will verify that suitable handling methods are implemented throughout the processes. This may include bulk handling using moving equipment or physical contact where handling may influence product conformity;
3. Packaging – the auditor will expect to see that methods have been established for packaging the product to preserve its integrity;
4. Storage – the auditor will expect to see that product is stored in a manner to safeguard product;
5. Protection – the auditor will verify that appropriate measures are in place to protect product. This will vary depending on the product.
8.5.5 Post-delivery Activities
This is a new requirement. Your organization must meet requirements for post-delivery activities associated with the products and services. In determining the extent of post-delivery activities that are required, the organization shall consider:
1. Statutory and regulatory requirements;
2. The potential undesired consequences associated with its products and services;
3. The nature, use and intended lifetime of its products and services;
4. Customer requirements;
5. Customer feedback.
Post-delivery activities can include actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.
8.5.6 Control of Changes
This is a new requirement for the organization to implement a process for responding to unplanned changes that are considered essential in order to ensure that products or services continue to meet their specified requirements, in such a way that conformity with requirements is maintained. Changes should be documented and information retained about the changes, including who authorized the change and the actions arising from the change.
You seek objective evidence that your organization has implemented a process to control unplanned changes in accordance with the requirements set out above.
8.6 Release of Products and Services
This requirement is comparable to ISO 9001:2008 Clause 8.2.4 Monitoring and Measurement of Processes. Your organization must show evidence that a process (method, techniques, formats, etc.) is in place to monitor and measure the characteristics of product to verify that requirements are being met. This must be accomplished at appropriate stages of the design and development process. The auditor will verify that records are maintained to provide evidence of conformity and indicate the person(s) authorizing the release of products.
The release of product or delivery of service must not be completed until the planned requirements (7.1) have been met. ‘Release’ of product may include, according to product planning and the verification stages, release to the next operation, release to an internal customer, release to final customer, etc.
For product release or service delivery, the planning requirements may be waived, but must be approved by relevant authority and by the customer as appropriate. Monitor and measure product characteristics to ensure they are able to demonstrate:
1. Product characteristics are continually met;
2. Evidence of conformity with product requirements.
8.7 Non-conforming Process Outputs, Products & Services
This requirement is comparable to the requirements from ISO 9001:2008 Clause 8.3 – Control of Non-conforming Product but it now includes as a new requirement, the terms ‘process outputs’ and ‘services’ as well as products. It should be noted that there is no need to maintain a documented procedure but your organization may still choose to operate one. You should seek and record evidence that your organization has retained documented information concerning non-conformities and the actions arising.
Controlling Product and Process Non-conformities
No matter how you resolve a non-conformance, you must keep records of each non-conformance and how it was dealt with. Records of product non-conformity should be periodically reviewed to determine if a chronic problem exists with the production process; it’s all about improvement!
By keeping records of your non-conformities it is easier to spot negative trends and examine the root cause, and eliminate the cause of your problems. This, in turn, should result in fewer defective products or process outputs and could lead to more satisfied customers.
If you have manufactured a product, inspected it and found it to be out of specification, it is most likely to be deemed nonconforming product. In some instances you will have to scrap the defective product but in other situations you may be able to do some remedial work and bring it back into specification.
What the clause is telling us is that the product should then be subject to further inspection to verify that it is now correct. As for records, if you documented the non-conforming product there should normally be somewhere to verify that you successfully (or not) cured the problem and that it is now conforming.
Re-verification simply means that you cannot assume that because someone tells you they have corrected the problem then it is ok. The clause is asking you to re-verify by whatever means you originally chose. If you used inspection as a method of verification then re-inspect in the same method. If not, use whatever method suits you (or your customer). Just make sure it is ok before it leaves!
The re-verification after remedial work might involve testing as well as inspection. The reason is not just to verify that the defect has been removed, but also to assure that fresh defects have not been introduced by the rework.
Records would be as appropriate for the re-inspection or re-testing performed. Re-verification is equivalent to re-inspection and records could
include a signature of approval or a more formal test report. Whichever format is chosen, it must be defined in the Control of Non-conformance procedure.
Generally, you could take two routes. If you have an internal non-conformance then depending on your NCR documentation, your verification could be documented on your non-conformance report. If your non-conformance is external, you should supply evidence of conformance to your customer.
You may need to supply new evidence of conformance to your customer along with corrective action documentation if requested. The method that you use in either of these situations should be defined in your IMS and procedures; that way you relieve yourself and your auditor from guessing how you would address them.
Where necessary, any product or process outputs that do not conform to specified requirements should be properly identified and controlled to prevent unintended use or delivery. Improvements are then implemented to ensure the non-conformance does not reoccur. Control non-conforming products by:
1. Defining how non-conforming products and processes are identified;
2. Defining how non-conforming products and processes are dealt with;
3. Removing or correcting non-conformities;
4. Preventing the delivery or use of non-conforming products and processes;
5. Verifying how non-conforming products and processes were corrected;
6. Providing evidence that corrected products and processes now conform to requirements;
7. Keeping records that catalogue non-conforming products and processes.
Controlling non-conformances applies to services just as much as it does to tangible goods. Reports, data, test results and intellectual property, to name just a few service outputs, can all be potentially non-conforming, in which case all the disciplines of this process apply. It is the company’s policy to detect, control and rectify any aspect of non-conformance as quickly and efficiently as possible.
Controlling Service-based Non-conformities
In the case of service processes that directly involve the customer, the control of non-conforming outputs is the way the organization deals with non-conformities in the service provision until the appropriate corrective action can be defined and implemented. When non-conformities are identified, you should examine whether the personnel involved are sufficiently empowered with the authority to decide the disposition of the service, for example:
1. To immediately terminate the service;
2. To replace the service provided;
3. To offer an alternative.
You should also examine:
1. Your organization's customer claims and complaints processes;
2. Any temporary corrections that are implemented to mitigate the effect of the Non-conformity (e.g. refund, credit, upgrade, etc.);
3. The identification, segregation and replacement of the service;
4. Equipment, service providers and environment.

This will enable you to judge whether the control of such non-conforming services is effective. In such situations the quality management system should have provisions to capture data on the non-conformities and to feed back information, at the appropriate management level, for the effective definition and implementation of corrective actions. Evidence will need to be sought to justify effective implementation of these techniques.

9.0 Performance Evaluation

9.1 Monitoring, Measurement, Analysis and Evaluation

9.1.1 General

You should note the additional requirement for your organization to evidence evaluation of the results of monitoring and measurement, not just their analysis. They should confirm that the organization has considered what, how and when to measure and that the outcomes from this decision are ensuring appropriate process control.

They should also note a new requirement to monitor the quality performance and effectiveness of the organization’s quality management system. You should expect to see that the organization has developed a process (method, techniques, format, etc.) to identify, collect and analyze various data and information from both internal and external sources, including:
1. Quality records;
2. Monitoring and measuring results;
3. Process performance results;
4. Meeting objectives;
5. Internal audit findings;
6. Customer surveys and feedback;
7. 2nd or 3rd party audit results;
8. Competitor and benchmarking information;
9. Product test results;
10. Supplier performance information.

This ‘input’ (information and data) should reflect upon the adequacy, suitability and effectiveness of the integrated management system and its processes. The ‘output’ (result of the analysis) must provide information (understanding, insight, awareness, confidence, knowledge of, etc.). The analysis output must provide insight to:
Customer satisfaction and perception;
Product conformance;
Process performance;
Product and process characteristics;
Trends in products and processes;
Opportunities for preventive action;
Suppliers and subcontractors.

Other potential or useful options might include:
Need for corrective action;
Opportunity for improvement;
Competition.

Documented information and organizational knowledge that records process data should be considered for analysis. Records are evidence of system performance and should be analyzed for potential improvements.

Monitoring and measuring QMS operations and activities will establish a mechanism to ensure that your organization is meeting its policies, objectives and targets. In order to meet this requirement, your organization must perform six steps:
Step 1 - Identify the activities that can have significant impacts and risks;
Step 2 - Determine key characteristics of the activity to be monitored;
Step 3 - Select the best way to measure the key characteristics;
Step 4 - Record data on performance, controls and conformance with objectives and targets;
Step 5 - Determine the frequency with which to measure the key characteristics;
Step 6 - Establish management review and reporting.

Establish the monitoring and tracking criteria for each activity that has a significant impact or risk and review the action plan. You should incorporate any monitoring and measurement information to cover these same activities.

9.1.2 Customer Satisfaction

This requirement is comparable to the requirements from ISO 9001:2008 Clause 8.2.1 – Customer Satisfaction, the change being that your organization must now solicit the customer’s perception of your organization, and its products and services. You should seek and record evidence that your organization has implemented a consistent and systematic approach to dealing with customer feedback and is obtaining information on customer perception.

Just collecting data on customer perceptions is not sufficient; you should seek and record evidence that your organization has analyzed and evaluated customer data and that conclusions have been made with regard to the effectiveness of the QMS.
1. Are there any trends?
2. Is the situation stable, improving, or deteriorating?
3. Are customer needs and expectations changing?

Both internal and external auditors will look for proof that a consistent and systematic approach has been implemented to deal with customer complaints. This approach would typically include defined responsibilities for logging and tracking complaints, clearing technical issues, determining problem causes and actions to address them. Specific examples of complaints must be sampled.

The link between the customer complaint process and corrective action also requires special scrutiny. Determine appropriate methods for monitoring and measuring customer satisfaction by:
1. Using customer satisfaction surveys;
2. Providing methods for receiving and dealing with customer feedback;
3. Providing suitable processes for monitoring trends in, and reviewing, customer data.
2. Plan your audits;
3. Assign audit duties;
4. Review and amend the audit checklist;
6. Prepare and submit audit report;
7. Obtain feedback from auditees.

Auditors should not necessarily expect to find a documented internal audit procedure in place. However, they must be able to access documented information confirming the implementation of an audit programme by the organization. Documented information must also be available to evidence the results of audits.

When determining how the audit programme has been designed, auditors should ensure that customer feedback, organizational changes, and risks and opportunities have been brought into consideration.

9.3 Management Review

9.3.1 General

The management review process is comparable to ISO 9001:2008 Clause 5.6 – Management Review and requires that top management periodically review the QMS to ensure its continuing suitability, adequacy, and effectiveness. The frequency or intervals of the top management review must be defined in the QMS. The management review must address the possible need for changes to policy, objectives, targets, and other elements of the QMS. The management review process must ensure that the necessary information is collected ahead of time to allow management to effectively carry out this evaluation. Information that must be reviewed includes:
1. Minutes from previous management reviews;
3. Results of QMS and process audits;
4. The extent to which objectives and the numeric targets were met.

Suitability and effectiveness of the QMS based on possible changing circumstances that may include:
1. New or proposed legislation or regulations;
2. Changing expectations/requirements of relevant interested parties;
3. New or modified activities, products, or services;
4. Advances in technology and science;
5. Changing market preferences of buyers.

All management reviews must be documented. Observations, conclusions, and recommendations for further necessary action from the review must be recorded. If any corrective action must be taken, Top management should follow up to ensure that the action was effectively implemented.

The purpose and final outcome of the management review should be continual improvement of the IMS. As your organization’s IMS increases in its effectiveness and efficiency, your environmental performance will likewise increase.

Here's what ISO 9001:2015 is really all about: defining a policy and creating a plan with relevant objectives. You then implement the system according to the plan. You then begin auditing, monitoring and measuring performance against the plan and reacting to your findings. Bi-annual management reviews are insufficient in frequency to be able to react to any issues effectively.

Performance metrics should be monitored with varying frequencies, some hourly, some daily, some weekly and some monthly. Management cannot wait for six months to respond; if they do, it will be too late. Every time management convenes to review and react to performance, it is considered as a management review. Whether they are reviewing an individual's performance, departmental programmes and projects, etc., this should be considered as a valid management review.

Some companies have multiple review levels, whereby each review may require multiple subjects and rely upon multiple metrics as inputs. Sometimes subjects are reviewed at more than one level, e.g. production numbers might be reviewed by the Production teams during daily production meetings and then by senior management, possibly weekly.

Top management might conduct weekly meetings in which they review metrics and objectives to determine if any corrective action is required. The process owner is then responsible for reporting close out progress in the meeting a week later.

Undertake management reviews in order to:
1. Determine and evaluate QMS performance;
2. Determine the need for change and improvement;
3. Determine the suitability of the policies and the objectives.

9.3.2 Management Review Inputs

This now includes additional requirements for your organization to have a structured management review process that includes discussion of internal and external issue changes, and their potential effect on the strategic direction of your organization. Your organization’s management review process must also include discussion of external providers’ and other suppliers’ performance. It must also include an assessment of risk management actions.

Auditors should expect to evidence the same outputs from management reviews as at present. However, they should note that the results of management reviews can now be held in any format that the organization chooses. The management review process should focus on the following inputs:
1. Risks and opportunities (Clause 6.1);
2. Possible changes that might affect the system (Clause 6.3);
3. External provider and supplier performance (Clause 8.4);
4. Customer satisfaction and perception (Clause 9.1.2);
5. Audit results (Clause 9.2);
6. Non-conformity and corrective actions (Clause 10.2).

9.3.3 Management Review Outputs

The management review process is comparable to ISO 9001:2008 Clause 5.6.3 – Management Review Outputs. You should seek and record evidence of outputs from the management review process; there should be evidence of decisions regarding:
1. Process improvement actions;
2. QMS improvement actions;
3. Product improvement actions;
4. Resource provision actions;
5. Revised business plans and budgets;
6. Changes to quality objectives and policies;
7. Management meeting minutes.

Management review meeting minutes should be retained as documented information.

10.0 Improvement

10.1 General

Organizations should note the new requirements to consider improvement with respect to its processes, products and services, and the performance of the quality management system overall. You should continue to seek objective evidence that improvement is taking place. They should note, however, that while improvement does not need to be continual, it does need to be evidenced as occurring.

Auditors should look for evidence that the organization is considering improvement in respect of its processes, products and services, and the performance of the quality management system overall.

In the case of products and services, this is to meet not just known but predicted requirements. They should note that there is no longer a requirement to audit preventive action as a distinct entity.

Auditors should also note the removal of the explicit requirement for the organization to improve its quality management system through the review of the quality policy, quality objectives, audit results, analysis of data and corrective actions, and management review.

If Top management has set realistic process objectives, and there is no evidence of improvement, this information should be fed back via the audit report to allow Top management to determine what type of action is appropriate.

10.2 Nonconformity and Corrective Action

The requirements of Clause 10.2.1 are comparable to Clause 8.3 - Control of Non-conforming Product and Clause 8.5.2 - Corrective Action. There is an additional requirement for your organization to determine whether other similar non-conformances exist or have the potential to exist that may affect product, process or QMS conformity. There is also a new requirement for your organization to determine whether changes to the QMS are required to prevent a reoccurrence.

Regarding Clause 10.2.2, auditors should no longer expect to find a documented corrective action procedure. Your organization should be able to provide evidence that it is fulfilling the requirements of this sub-clause by other means, e.g. by the use of computer-based records.

Note the new requirement to record the nature of non-conformities as well as the subsequent action(s) undertaken. You should ensure that your organization is meeting this additional requirement.

Dealing with Corrective Action

A corrective action should be considered as a reactive response to a problem since it is taken when a non-conformance is detected or upon receipt of a customer complaint. Your organization should first contain the problem and then determine its root cause in order to take appropriate corrective action to prevent the problem’s recurrence.
Recording corrective actions using the forms provided;
Performing an initial review;
Determining causes and the need to take action;
Implementing action where required;
Preventing recurrence;
Evaluating effectiveness;
Recording the results using the forms provided;
Examine the effectiveness of corrective actions.

In response to a symptom, evaluate the need for initiating the problem solving process. If necessary, provide an emergency response action to protect the customer and initiate the process.

Application criteria:
The symptom(s) has been defined and quantified;
The customer(s) who experienced the problem(s)/symptom(s) are identified;
Measurements taken to quantify the problem(s)/symptom(s);
Look for a performance gap;
The cause is unknown;
Symptom complexity exceeds the ability of one person to resolve.

Establish an investigation team with:
Process and/or product knowledge;
Allocated time;
Skill in the required technical disciplines;
A designated Team Leader.

Define the Problem

Describe the internal/external customer problem by identifying what is wrong and detail the problem in quantifiable terms. Define, verify and implement the interim containment action to isolate the effects of the problem from any internal/external customer until permanent corrective actions (PCA) are implemented. Validate the effectiveness of the containment actions.

Select an Interim Containment Action

An interim containment action is kept in place until a verified permanent corrective action can be implemented. In some cases, the interim containment action may be the same as or similar to the emergency response action. However, an emergency response action is implemented with minimal supporting data. An interim containment action provides more opportunity for investigation.

Verify an Interim Containment Action

Any interim containment action you implement must protect the customer from the problem without the introduction of any new problems. Also, a single interim containment action may not be enough. You may need to implement more than one interim containment action to fully protect the customer.

An interim containment action can be any action that protects the customer from the problem. However, before you implement an interim
containment action, you need to verify that the interim containment action will work. To verify the interim containment action:
Prove before implementation that it protects the customer from the problem;
Provide a before-and-after comparison;
Prove that the interim containment action will not introduce any new problems.

Methods of verification may include:
A test to determine the desired performance level;
A demonstration that changes eliminated the issue without creating a new problem;
A comparison between the interim containment action and similar proven actions;
A review to evaluate whether the interim containment action was effective;
Assurance that the interim containment action did not introduce a new problem.

Implement an ICA

Conduct trial runs whenever possible. However, in some situations, your verification may simply be a matter of common sense. For example, if an interim containment action involves stopping the shipment of all products, you can be sure that customers will stop experiencing the problem.

You and your team must consider all of the trade-offs connected to your interim containment action. An important part of implementing an interim containment action is planning how you will implement the action. To implement an interim containment action, follow this management cycle:
Plan (Re-plan);
Do (Implement);
Check (Monitor);
Act (Evaluate).

Identifying the Root-Cause

Isolate and verify the root-cause by testing each possible cause against the problem description and test data. Also isolate and verify the place in the process where the effect of the root-cause should have been detected and contained (escape point).

Complete a Comparative Analysis

The problem description should describe the problems in terms of what, where, when, and how big. The description should contain facts, such as observations and documentary evidence, and not assumptions. All information must be gathered before identifying the root-cause can begin. Make sure both of the above factors are true before you move to the next step. Consider any new information that the team may have gathered since completing the initial problem description.

Once you have reviewed the problem description, you can begin a comparative analysis. A comparative analysis will help you identify relevant changes in a change-induced situation. Then you can reduce the number of possibilities that you must consider to determine root-cause. To complete a comparative analysis:
Ask yourself: what is unique, peculiar, different, or unusual about the symptoms?
Consider features such as people, processes, materials, machines and the environment;
List all facts without prejudice as to the possible cause.

Consider each difference you listed, and look for changes. Ask yourself:
What has changed to give rise to this difference?
Keep in mind that each difference may not have a corresponding change;
List the changes next to the difference;
Look at the dates each change occurred;
Eliminate some changes if they occurred after the problem started;
Consider categories of people, machines, processes or measurements.

If the problem is change-induced, the root-cause must be the result of a change relative to one or more of the identified changes. It is important to remember that you have not yet moved from the ‘observations’ phase of the process. Any information you develop during the comparative analysis must be fact based, not opinion based and must be true only for the symptoms information. Do not rule out any facts that might be valid answers. If it is a fact and it answers the question, write it down.

Develop Root-cause Theories

Now that you have narrowed down the possible root-causes, you need to develop theories about how the problem occurred. Theories are statements that describe how a change may have created the problem. To develop root-cause theories:
Use brainstorming techniques to generate ideas;
Ask: ‘how could this change have caused the problem?’
Continue to ask the question until all possible theories are developed;
List at least one theory for each change;
List each theory individually on a worksheet;
List every possibility, no matter how strange or unlikely;
Don't reject or qualify any theory;
Start with the simplest single change theory first;
Then work up to more complex theories;
Be specific; don't use generalities such as ‘poor quality’ or ‘doesn't work’.

Test the Theories

To test the theory, do the following:
Ask, ‘Does this theory explain the symptoms and data, if so how?’
Test the theory against each individual condition.

If a theory explains the problem, but lacks information necessary to explain why it happened, gather more data:
Gather more data to prove or disprove these theories;
Test simple (single change) theories first;
Test highly complex or interactive theories last.
The root-cause must explain all known data. Any theories that pass the trial run are the most likely causes. If only one theory passes the trial run then verify this theory as the root-cause. However, more than one theory may pass the trial run. In those cases (and when practical and feasible), collect and analyze any missing data for uncertain theories and re-examine information to resolve uncertainties.

If additional information reveals that a theory cannot fully explain why the problem happened, eliminate it from consideration. If it is not feasible to gather and evaluate additional information, try to verify each remaining theory. Start verification with the theory that best explains the symptoms.

Verify the Root-Cause

Once you have determined the most likely cause(s), verify that it actually causes the problem. Verification is the proof you need to confirm that you have identified the root-cause. Verification is done passively and actively.

Passive verification is done by observation:
Look for the presence of the root-cause without changing anything;
If you cannot prove root-cause, then the identified cause is not the root-cause.

Active verification is done by manipulating the root-cause variable:
Implement and remove the root-cause variable to make the problem ‘come and go’;
Both ‘coming’ and ‘going’ are essential tests to confirm the root-cause;
There can be more than one verified root-cause.

Determine and Verify the Escape Point

After you have determined and verified the root-cause, you need to determine the escape point of the problem. An escape point is the point closest to the root-cause at which the problem could have been detected but was not.

A control system is a system deployed to monitor the product/process and ensure compliance to quality requirements. A control system consists of responsibilities, procedures, and resources. A control point is a location within the control system at which the product/process is checked for compliance to the quality standards.

A product or process may have more than one control point within the system. When you identify the escape point, you can work to improve or establish a system to ensure that if problems occur, they will not go undetected. To understand how the problem escaped and to identify the escape point:
Review the process; focus on the part of the process where the root-cause occurred;
Determine if a control system exists to detect the problem.

If none exists, the development of a new control system must be considered as part of the problem solution. If a control system currently exists:
Identify the control point closest to the root-cause;
Determine if the control point is capable of detecting the problem.

If the control system is not capable, the development of an improved system must be part of the problem solution. If the control point is capable
of detecting the problem, then the control point is the verified escape point. Choose and verify permanent corrective actions for the root-cause and the escape point.

Select the best permanent corrective action to remove the root-cause and select the best permanent corrective action to eliminate the escape point. Verify that both decisions will be successful when implemented without causing undesirable effects. Steps for permanent corrective actions (PCA) selection:
Establish decision criteria, e.g. what is feasible;
Identify possible actions;
Choose the most appropriate permanent corrective action (PCA);
Test and verify the permanent corrective action;
Re-evaluate the ICA & PCA for the escape point.

Implementing & Validating Permanent Corrective Actions

Plan and implement selected permanent corrective actions. Remove the interim containment action and monitor the long-term results. Steps for PCA implementation:
Develop Action Plan for PCA;
Implement the PCA Plan;
Remove the ICA;
Evaluate the PCA for escape point;
Perform validation;
Confirm with the customer that the symptom has been eliminated.

Preventing Recurrence

Modify the necessary systems, policies, practices and procedures to prevent recurrence of this problem and similar ones. Make recommendations for systemic improvements as necessary:
Review the history of the problem;
Analyze how the problem occurred and escaped;
Identify affected parties;
Identify opportunities for similar problems to occur and escape;
Identify practices and procedures that allowed the problem to occur;
Identify practices/procedures that allowed the problem to escape to the customer;
Analyze how similar problems could be addressed;
Identify and choose appropriate preventive actions;
Verify preventive action and its effectiveness;
Develop action plan;
Implement preventive actions;
Present systemic preventive recommendations to the process owner.

Serious consequences may occur when the underlying symptoms are not addressed, when the quick fix is accepted as a final, permanent solution. Excessive reliance on containment or emergency response action will create a repeating cycle. Problem containment is an addiction that will only get worse until root-causes are found and addressed.
You should seek objective evidence that your organization has implemented a process, with appropriate methods, techniques, and formats for identifying areas of underperformance or opportunities for improvement. You should expect to evidence that your organization has selected the appropriate tools and techniques to investigate the causes and thereby establishing and implementing a process for continual improvement. The impetus for continual improvement must come from the use of (as a minimum):
1. Quality policy (Clause 5.2);
2. Risks and opportunities (Clause 6.1);
3. Quality objectives (Clause 6.2);
4. Analysis and evaluation of data (Clause 9.1);
5. Audit results (Clause 9.2);
6. Management review (Clause 9.3);
7. Non-conformity and corrective action (Clause 10.2).

Requirements for continual improvement interrelate with the following clauses:
1. QMS planning (Clause 4.4);

It is the responsibility of the company to demonstrate improvement rather than the auditor to look for it. Accordingly, it is a useful audit practice to ask management to identify any improvement initiatives taken since the previous visit, and also any planned for the future.

Processes can always be made more efficient and effective, even when they are producing conforming products. The aim of a continual improvement programme is to increase the odds of satisfying customers by identifying areas that need improvement. It requires the organization to plan improvement systems and to take into account many other activities that can be used in the improvement process.

You will be required to ensure that you continually improve the degree to which your products and services meet customer requirements and to measure effectiveness of your processes. To this end the continual improvement principle implies that you should adopt the attitude that improvement is always possible and your organization should develop the skills and tools necessary to drive improvement.

The PDCA cycle is a perfect way of introducing continual improvement to your organization’s activities. Each step to improvement can be defined by four sub-steps, Plan, Do, Check and Act: